Tufin Orchestration Suite Reviews

Our primary use case is firewall automation. We use SecureTrack and SecureChange. We have distribution serves, Remote Collectors, but what we primarily use is SecureChange integrated with ServiceNow for users to submit firewall requests. They then go to SecureChange which designs the rules and implements them.

When it comes to the turnaround of firewall rule requests, it used to take about a week to implement and have the customer test for firewall access. Now, it can take just one day. The implementation itself takes a minute or two. For the customer, it may take the rest of the day, by the time that the policy is installed and the customer tests, either that evening or the next day.

While I'm not involved in the leadership, I believe the solution has helped us to meet our compliance mandates: from a firewall perspective, as well as an audit perspective, as well as review of the rules and source and destination port requests.

As for ensuring that security policy is followed across the entire hybrid network, we're getting there. That's part of why we implemented Tufin. We are implementing that across our multiple offices. Once we get to that state, it will ensure that security policy is followed.

Finally, using the solution, our engineers are spending less time on manual processors.

In general, the automation piece is the most valuable feature: having SecureChange make the change on the firewalls, instead of my having to go manually make the changes on the vendor product.

In terms of cleanup of our firewall policies, we don't officially use Tufin, but I, as an architect, do use the Automatic Policy Generator to review existing rules: high hit-count rules and open rules which aren't very secure. We use that to then build firewall rules which tighten up our firewall policy.

The change workflow process is flexible and customizable. We have had to edit and alter some of our workflow and it's pretty easy, pretty simple, pretty straightforward. We use Tufin support, their helpdesk, for that because we're a very new customer.

In terms of the visibility the solution provides, we have hits and misses with it. Overall, we think it works. We would like to get more automated, but that could be an issue internally with services and ports that we allow between different zones and our USP matrix. We're working with Tufin representatives to help solidify that and clean that up a little bit. That's one of the headaches and hiccups that we have right now: the full automation piece. We have automation to an extent, but we still have requesters who submit requests that still require approval, whether it be firewall leadership approval or cyber leadership approval. We want to determine what ports are allowed between the zones, as I mentioned, so that we can have full automation and there's no human interaction at all.

We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules. That's available on the Palo Alto side, but we are primarily a Check Point site on-prem. We have Palo Alto on the cloud but most of our on-prem stuff is from Check Point, so we're waiting for that. Those are some of the key things we're waiting for.

My impression of the stability is positive. We haven't had any issues. We even went through an upgrade about a month ago and it was a smooth process.

As for scalability, we're finding that out right now. We're building out two new Remote Collectors for our global deployment of an additional 150 to 180 firewalls, plus additional Layer 3 appliances. We're working through that right now. Hopefully, it will be a smooth transition but I can't say for sure because we haven't actually implemented it yet.

I would rate tech support as "fair." Response time is a little slow, but when they do respond, and when time is available for them, we work through things pretty quickly to resolution.

I wasn't involved in the initial setup, but from what I've heard from others from whom I took it over, it was very straightforward.

I know they reviewed other solutions but I don't know which, for sure, since I inherited the project. I would assume AlgoSec and FireMon were reviewed as well.

Be as detailed as you can within your introductory meetings, and your planning and implementation phases, because if you don't mention something and it comes back later, you're going to have to work through it. That could take time, it could take extra money. You want to make sure, upfront, that you know everything you want to do so that it's all included in the cost for the Professional Services implementation.

We do use it on the cloud; we're having some trouble right now defining the network policy on our cloud. We're working through that; it's part of being a new client.

I would rate Tufin a seven out of ten. We're a very large, complex organization, so we're still working through some stuff that we focus on, things that, perhaps, other customers don't, or that Tufin doesn't have integrated in the TOS software.

We are using the SecureChange and SecureTrack components of this solution for rule re-certification and change automation. We are still in the implementation phase, but we expect to have this solution in our production environment by October 1st.

With respect to visibility, my impression is that it will do what we need it to do, but it will take some work.

We have tested the system to see if it will automatically check to see if a change request will violate any security policy rules, and it will do what we need. We intend to use this feature in production.

We expect that this solution will help us to meet our compliance mandates.

The most valuable features are the GUI interface and the API. 

We’ve found the change workflow process to be flexible and customizable. If it could not be customized then it would be very hard for us to make it work for our company.

The integration with different products needs to be improved.

For the most part, this solution will ensure that security policy is followed across the entire network. There are certain policies that are not baked into the product yet, like our proxy solution.

The options for certain things are pretty rigid, so they need to be more customizable.

So far, the stability of the solution has been good.

We have some work to do with scaling the product, so I don't yet know about the scalability.

Technical support for this solution has been great. They've been very responsive.

We will be using Tufin to clean up our firewall rules, but we currently use AlgoSec.

Our previous solution was an end-of-life product, so we had to evaluate the options that were out there.

The initial setup of this solution is straightforward, although we haven't done full-on production yet, so I don't know what we're going to run into.

Nexum assisted us with the deployment of this solution. They are good, and we use them for everything we can.

At this stage, we have not yet seen ROI.

We evaluated other solutions, but Tufin had a better workflow.

I am unfamiliar with the cloud-native security controls that are provided. They may be worth further investigating.

Reducing the time it takes us to make changes is the goal of our implementation. We expect that our engineers will spend less time on manual processes.

We expect that this solution will do what we need it to do, but there are some quirks with the integrations for the software.

My advice to anybody who is researching this solution is to pick what's right for you and do your homework.

I would rate this solution an eight out of ten.

We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control.

We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation.

I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of installations and initial configurations and also some first-level support and maintenance.

I have seen our customers benefit by taking out massive amounts of duplicate objects, and overly permissive rules. Tufin helps to clean up their firewall policies. A common scenario we see is one where clients have a whole lot of shadowed rules, duplicate rules, in their firewall policies. Tufin's Policy Browser allows them to filter them and search for them. They can also search for those rules that violate certain Unified Security Policies that they've defined.

Every single one of our SecureChange customers has seen significant improvement in the time it takes to make a change.

The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions. I'm a little biased because that's what I work with the most, but I have found, especially in comparison to other products I've interacted with, that the Tufin APIs are very well-documented. And the big thing about them is you can do pretty much anything with them that you can do in the UI. From what I've seen, the big focus of SecureChange, in particular, is automation. And you can't have automation - or complete automation - without the ability to interconnect with other systems. The APIs really assist with that.

All of the customers I have worked with who have the SecureChange product use the change request violation risk analysis in the workflows. It is usually the third step of every workflow that I configure. For example, we have an energy customer that has a particular team of people which deals with a given workflow if it has risks. They have Tufin set up to automatically run the risk reports and, in the next step, if the risk is considered low, it goes to one team; if it's considered medium, it goes to a different team. That really allows them to move their changes along without too much human intervention or too much delay.

The solution allows for the creation of custom policies, which is helpful for rule cleanup and USP.

The visibility is as good as I’ve seen in any network product. It also has its own firewall stuff for Cisco routers.

The support for cloud-native security is pretty good. We have a large customer that uses AWS and AssumeRole, and they have 200 or 300 AWS accounts. They are pretty satisfied with the solution.

Tufin also supports all sorts of devices, cloud or otherwise. I've definitely seen unified security policies applied to both cloud and regular devices. Cisco, Palo Alto, you name it.

Support for Firepower is still ramping up, but meanwhile, some things are missing.

I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that.

This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow.

There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."

I haven't run into very many issues with stability. HA is the only weak point that I've seen. In the past, a lot of the HA upgrades had to be done separately. Recently, I had an HA upgrade that failed during the process, and we had to restore from a backup.

This solution is extremely scalable. I've seen customers with multiple hundreds of firewalls and there are no issues. The specs that they post on their Knowledge Base are pretty accurate as far as performance goes.

Technical support for this solution is very good. Every time I run into an issue that I can't resolve with a customer, I reach out. There has not been one that was not resolved.

Clients typically choose Tufin for a feature that it supports which other solutions don't have: a certain firewall or perhaps provisionings on a certain firewall. Tufin tends to release new versions very quickly with changes that are high-value. Also, as mentioned, the SecureChange workflow solution is very flexible.

The initial setup is pretty straightforward, as all you need to install it are IPs and credentials for your firewalls. However, once you go beyond that, the effort you put in is what you get out. In terms of creating zones and Unified Security Policy, those are things that you work on for years.

We handle the installation and configuration of this solution for our clients.

There are certainly clients that consider FireMon and AlgoSec.

The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation.

The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic.

This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows.

The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product.

I would rate this product a nine out of ten. There is a lot that can be sped up in Tufin if you have someone to help you through it.

Functioning monitors (not just marketing hype) for most types of firewalls and firewall managers, overall stability, scalability (could be better, but the still best on the market), and the ease of performing OS and software updates.

Having one vendor for both TOS operating system and TSS application makes it much easier to form relationships with Tufin sales, engineering and support, and improves product maintenance.

They should include a way for customers to add third party RPMs to expand system functionality that's retained across updates. A single central (master) database does not scale well past 1000 firewalls.

Also, it needs to expose a remote collector for central message (queues) metrics, monitor Java, Tomcat, web and database performance, to provide better intra-application data monitoring and alerting capabilities.

I've used it for seven years.

TufinOS 2.10 has been the easiest OS release to install to date. I haven't had the system running TSS R15-3 long enough yet to know if REST API improvements are usable.

None, so far with TufinOS 2.10 or SecureTrack R15-3. Postgres database (v9.0) should probably be updated to a newer version for improved performance and stability enhancements.

The SecureTrack R15-3 central-database shows significant performance strain, handling policy revisions, and rule/object usage updates from our 1600+ base of firewall devices. However, it continues to function, albeit slowly, day-in and day-out.

USA support M-F has been very good, and with pre-arrangement, weekend assistance is also available. Over the years, US Tufin support has had to escalate distributed application (remote-center db) performance problems to their Israeli R&D and developer teams for remediation. When this happens, mean time to repair can be measured in weeks instead of hours.

Very good, technical expertise from the US support staff, and exceptional technical expertise from the Israeli R&D people.

I have looked at other vendors, but we have been a Tufin customer since 2008, and have benefit from the maturity of their TOS and TSS products.

Upgrading from TOS 1.x to 2.x is a bit painful; the process requires wiping the system clean and reinstalling OS and applications, and then recovering data from a backup. But overall, the appliance approach that Tufin has taken greatly simplifies upgrades and patching.

Since 2008, we have purchased products through a Value Added Reseller. Our VAR intercedes for us on annual maintenance (support and update) calculations, and helps with unexpected contractual problems.

We have not calculated ROI, because we are always changing how we use the TSS application to obtain security information.

We have not performed a cost analysis on other similar products, but I'm confident that Tufin does and remains cost comparable.

In 2008-9, the choices were thin (Tufin, FireMon or AlgoSec); of those only Tufin offered the promise of an appliance based system that would scale large enough to warehouse data for reports and analysis from many hundreds of firewalls installed across the US.

Tufin is still growing and adding new features to its TSS applications suite. I don't believe your company would make the wrong choice if the products meet your company's requirements. Their latest product offerings of TOS run on virtual machines, and their near-future promise of a distributed central database (scalability improvements) should not be overlooked.

There are five people using this solution in my company. I manage the team that utilizes Tufin. I have had experience with the demos that my team has given me in relation to the auditing of our Palo Alto platform.

I'm a consumer of reports. The reports are clear as long as they're set up correctly. I'm able to see auditing changes, and changes in our firewall platform more clearly than with the native tools. It seems relatively useful. It can also provide guidance on different configurations that we have. 

The solution is on-premise.

The clarity around the auditing provides the most value for us.

They are a little bit behind on some of their support for the Palo Alto firewall platform. I'd like to see that catch up, specifically around importing certain objects.

From the Palo Alto platform, I remember hearing that Tufin required an update, so that would've been the only flash issue.

Their customer support is responsive.

The pricing is reasonable.

I would rate this solution 7 out of 10.

My advice is to look at what is currently supported in whatever security technology you have because some of the features may already be covered. However, if you identify a gap in what you currently have, specifically around auditing, then I would definitely suggest looking at Tufin.

Our primary use case is trying to make sure that when firewall rules are requested, they meet our compliance. Tufin has a notion of a universal security policy, where you line up the policies and we use the solution for that. We also use it to track all of the changes. I'm the executive director of the company. 

Tufin gives us the rule, definitions and things of that sort, which is great. All the basic functions work well. 

Our compliance goes through SecureChange and they give us the rule set and then the recommendation. Ideally we'd like to press a button and create a Terraform to put into the build and deploy. We can't do that yet and there are several manual steps which can lead to errors. We'd like that to change. 

I would also like to see the ingest of flow data enhanced, so that multiple flow data can be ingested from different points on the network and be mapped out. The basics work, the issue is when you have a complex network because maybe you want flow data from the firewall and with Tufin it's only from a single source.

I've been using this solution for over two years. 

Tufin is a good company. I think most of the products in this market have difficulty working across a multi-vendor solution, and that also applies with Tufin. It works really well when you have a single vendor solution but it's just not as intuitive if you have back-to-back firewalls or you have a complex topology. For simple topologies, it works really well.

There are currently some issues with this solution but if things improve with the new version, which apparently has some enhancements, I would give them a higher rating. For now, I rate this product a seven out of 10. 

I'm using the Fortinet firewalls, so I need the firewall manager tool to manage those files, together with the FortiManager. The Tufin guys provided a solution for our data center where we have a box server, which was specifically developed for Tufin. It would run the scan on the network, get to the firewall, or go to the router, run the scan and give me the compliance, and then send it to me. Then I get a report from there.

The features I have found most valuable are its capability to check on the firewall and the routers. Afterward, it checks out all the configs, checks the vulnerabilities, checks the risks - it checks everything that may end up causing our router to be compromised. In the end, it recommendations what we should do.

Then, if we apply the recommendations, it will scan again and give us a percentage. Sometimes we find out that at first that we didn't meet the compliance, getting a 46% maybe. Then, when after I apply the recommendations, after discussing with my team, and approving the recommendations, it is all remedied. After that, it goes to 80-something percent. And that is what we are looking for.

One area in which I need it to improve is that I need it to accommodate all the files and all the tools. For example, when I buy the firewall management tool, I want it to manage the firewall of every firewall I use across my organization. If I'm going to depend on only one vendor, and it looks likes a vendor or a catered tool, it can't help on any vendor to scan the technology and give the auditing compliance. This is something they can improve from their side.

The second thing I need is that if Tufin comes and deploys their solutions on my premises, I would like to have full support from them. Unfortunately, I didn't have their full support. So what worried me is that whenever the box is no longer working, then I'm no longer going to be able to see my compliance. I know I'm not going to charge whoever is not complying on my premises.

To sum up, the two main negative points with Tufin Orca are the absence of full support and that accommodation of files and tools is not provided in a good way.

Additionally, what Tufin should include in the next release is the ability to see the logical bullets points. In my case, I wanted to see the physical report because when things tripped and went wrong we needed to start fixing it on the physical side. So I would like to have the physical tool policy before we can have the looks side.

But on the looks side it was very good. We need to filter up to it regarding the beneficiaries in the policies. So it was very good on that side of the data, but when I'm using it as a firewall manager, and then find the firewall is down, I need to see it on the Tufin. Also, I need the capability for Tufin to start alerting me whenever there is a change on the firewall.

I can say that we didn't know about that function on Tufin and when we try to communicate with the Tufin guys, they are not able to assist us on that. So we end up having someone go to our firewall and start to make a change, and we end up not having the right thing and not being able to manage our firewall accordingly. The main point of using the same tool as a firewall manager is to have the daily health check of the box.

I have used Tufin for the last two years and then I left it when Skybox was introduced to me. Unfortunately, I didn't have the capacity to use Skybox because I didn't have the skills on my team, so I decided to leave it. But I am looking forward to getting the new tool which will help me to do what I need.

The initial setup was very complex. What worried us at first was that we didn't know how to integrate it with the network. We had to call the Tufin guys to help with that and they physically brought it to us for the integration to the network. So that was challenging.

When you ship the product to our country, to my organization, it is quite expensive. It's not cost-effective. It's quite expensive because we end up paying extra for accommodation, the transport, everything for that person to come and assist us on the integration to the network. 

Generally, you need to pay for everything -  for the support and the implementation with the integrator.

We can also add this to the areas for the improvement, that implementation is difficult and it would be great if they could simplify the way the person can implement the products.

On a scale of one to ten, I would give Tufin Orca a five. I would recommend it only if the organization has the skills and enough requirements so that they are able to run it. It is a very good tool when you use it because it basically gives you what you want. It is just hard in terms of support, patching, and upgrading. Overall, it's challenging if you don't have the skills or resources.

This product will work for those organizations that have the knowledge of how to install the solution.

The primary use case is role recertification.

We are trying to get into it for compliance, but we are having issues with that.

This solution helps us ensure that security policy is followed across our entire hybrid network.

We actually review our firewalls now. Before we started using Tufin, our firewalls never got reviewed and we had no idea what was on them.

We use Tufin to clean up our firewall policies. This makes it a lot easier to find out the things that are wrong.

It removes things which shouldn't be there. It has helped with that. Things that don't get used anymore and nobody tells us that they have been retired, it helps us identify those items. Then, once we get the compliance piece going, it'll help us make sure nothing violates policies.

The most valuable feature are role and objects usage for individual objects and app usage.

If we could get the compliance part working, that would help out a lot.

Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one.

A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet.

The user interface needs to be redesigned because things are not where you would expect them to be.

Stability is sometimes good, and sometimes not so good. 

There is an issue with all of our Palo Alto devices, where if one gets disconnected in Panorama, they all show as disconnected or with errors or wrong arguments, which is very generic. They are supposed to have a fix for it now, but we haven't implemented it yet, because they are not releasing it until eleventh of this month.

We haven't had any issues with scalability yet. We can scale as much as we need to.

The technical support is good. The guy with whom we have been working the most with lately has been pretty on top of everything. We had a couple people in the past who were a little iffy, but we haven't had to talk with them in a long time. I don't know if they're still there.

Our licensing costs are pretty low. We were grandfathered in, so we are at about $35,000 per year.

Test every feature. Make sure the third party vendors that they implement into it function properly with it. We have had issues with our Palo Alto connections.

We just started a PoC on the change workflow process of the solution.

We are just now moving stuff to the cloud.