Tufin Orchestration Suite Reviews

My company primarily uses this solution for reporting and enforcing policy. My role has to do with developing applications to allow integration with our other tools.

When I was using Tufin for analysis, there was a tool that would tell me which rules could be consolidated. It was amazing and helped me to clean up the firewall policies.

We use this solution to automatically check to see if change requests will violate any security policy rules, but I do not have any specific details or examples.

Tufin is the only multi-vendor firewall tool that is available, and it helps to bring everything together and report on what all of the rules are.

This solution helps to ensure that security policy is followed across the network because it is the main tool that non-technical security people use to keep track of firewall rules. Without it, they wouldn't even know where to begin. 

In my current role, the most valuable features are the API and the accessing. In my previous job, the analysis was my favorite.

I would like to see API access into every aspect of Tufin. For example, every feature and everything that's in the database, I would like to have programmatic access to. This would give me the ability to do anything that the product can do but from a script. This way, we are not beholden to the GUI in any way. If an operation requires that somebody click somewhere into the interface, manually, especially if it's just part of many other things that they have to do, then we want to fully automate that.

Some of the manual processes are taking longer because, without the proper API access, there are a lot of tickets coming in. These are from people who need to perform a task, but only a handful of them have access to it. This is because we're too afraid to give access to all of the people who actually need it.

In every instance that I've ever worked with it, it was stable.

I have not dealt with technical support.

In my previous company, I handled the deployment of this solution myself.

Turning on certain options in the solution comes at an additional cost.

My advice for anybody who is researching this solution is that if they are a larger company with a lot of money to spend, and they have a heterogeneous network with more than three different firewall vendors, then they absolutely need it. There is no competitor or really anybody who is even close.

For what this product does, it does well. There are, however, things that are missing.

Overall, I would rate this solution a seven out of ten.

We are a reseller and solution provider. We have this product running in our lab, and what differentiates us is that we are able to take our client's use cases and execute them in our environment. 

This solution has helped our clients because it allows them to leverage the tools so that they can actually reduce their overall expenses for the environment. The push is operational, and they've been able to eliminate a number of contractors, thus saving quite a bit of money by using the automation capabilities of Orchestration.

The full Orchestration Suite is what we've been primarily driving because many of our customers want to move into automation, or at least some aspects of it.

The audit portion of this solution has made a really big difference for us. Also, the flexibility of change has allowed us to really drive the product into the marketplace for a large clientele.

This solution provides great visibility, for both our customers from a primary firewall perspective, as well as for the other solutions that they tie into. For example, it gives us an ability to view what’s going on with full plant environments in various parts of the world.

The change workflow process is extremely customizable. We really like it from the standpoint that we can push it from department to department for approvals. It’s not contained within a single solution set, but rather, it moves across the silos of an organization for the approval process.

This solution has helped our clients to meet compliance mandates across the globe, including, for example, GDPR and SOX requirements.

We would like to see more in terms of integration with other application types within the context, such as next-generation firewalls or next-generation threat devices that are out there. It's not just about firewalls anymore. A lot of convergence is happening at that enforcement point, so we'd like to see a little bit more attention on that. Examples would be integration with IPS, Application Control, Anti-Bot, and Anti-Malware.

We have found that this solution is quite stable. We do have some RFPs in to increase performance capabilities, but from our perspective, it's quite stable. If this were not true then our largest companies would not be buying the product.

This solution is extremely scalable, globally across thousands of firewalls, switches, and proxy devices. We look for scalability in a product. We have a small portfolio of solution providers, Tufin being one of them, and we choose them based on their scalability. There are other factors, but scalability is critical for us.

Technical support for this solution is good. We don't really use it too much because of our strong engineering team, but it's always been very responsive. We are sending two more engineers to the Cleveland area office next month.

We chose this solution a long time ago. We've been a partner for almost nine years. Because they spun off and many of the individuals who were part of the envelopment of products within the security space, like Ruby, came out of the Check Point environment. We're a very, very strong Check Point enterprise player, so we feel that anybody who understands product development and product distribution across large environments has to be a key for us.

We really weren't interested in products from other resellers, or we weren't interested in products from auditors. We were interested in products from people who knew how to develop products for the marketplace. So that's been a key for us. The other piece is the ability to scale, and then finally, the ability to automate with that scalability. We just don't find others as scalable as Tufin is.

The initial setup of this solution is straightforward. Obviously, with its flexibility, you really have to know what you're doing. In order to be able to leverage the product, it requires some expertise.

ROI is a little bit hard to measure in the security space, so our focus is on reducing TCO. For example, one of our clients was able to eliminate fifteen contractors that they had on an annual basis. This was a cost savings of $1,200,000 USD for the first year. Ultimately, we want to reduce TCO as much as possible.

Licensing is available in both perpetual and subscription models, and it appears to be good for our scalable environments. We have also needed to work with what we call small enforcement point pricing, which we'll probably get more into as people expand.

We do not yet have a great deal of experience with the cloud side of this solution. However, we're actually moving into our first contract around that and we'll be digging in deep. We find it, at least from our lab environment, highly successful, whether it's AWS or Azure, and we're looking at the Kubernetes side of things as well. So far, so good, from a lab perspective, but we will be rolling out our first, into a full Cloud environment for one of our global clientele.

For our clientele, this solution has, without question, saved them time when it comes to making changes. The whole idea is to be able to initiate a change and have it proliferate across thousands of devices. It's critical. So, just in that alone, we can save six months' worth of man-hours just in making a single change for some of the environments that we work with.

Tufin is really a leader in the space for taking manual processes and eliminating them as much as possible.

My advice to anybody researching this or a similar solution is to look for longevity in the field. Also, look for product development expertise and a legacy of that. Finally, look for scalability, stability, and growth within the marketplace across device sets.

I would rate this solution a nine out of ten.

The biggest value for me is the ease of implementation. I'm newer to the company, only been there a year, but the fact that I could could win and recommend this product within six hours of getting the license installed shows that there's immediate ROI to my CSO.

I've been trying to clean up the firewall policies that I inherited from different iterations across topology changes -- from Cisco to Juniper to where we are now -- that have never been cleaned up. We're not publicly traded, so there's not a mandate to do so. When I worked in the energy sector, though, there were such mandates, but we weren't properly staffed.

Our current firewall policies never had a full, comprehensive risk rating of every rule, but we have that now. I've implemented different zones for setup so that we're able to get reporting immediately for our PCI environment. We know whether or not we're in compliance. If not, we can fix it immediately without waiting for an outside auditor. We can be proactive.

I'd like to see more work done on the topology side. Although the tool has gotten progressively better, topology still needs work. If it could be improved, that would really make the tool much more powerful. You can then have non-firewall people using it for troubleshooting.

I've used it now with various companies for over 10 years.

We've had no issues with deployment.

It's never failed or completely gone down. It's one of those set-it-and-forget-it tools.

I'm very impressed with the scalability. Previously, we used appliances sitting on our network. This time, we went with a VM and our technical rep said we could put up to 80 licenses on it. That's way more scalability that I anticipated.

Customer service is very good. I haven't worked with than much other than for the license, but they're very responsive.

Technical support is excellent. They're good at answering questions, very helpful, and responsive.

I've also used FireMon. We liked the Tufin UI better.

The initial setup was very straightforward. Our VM team installed the image for me and then I installed the license. From start to finish, it took about 24 hours, and most of that was paperwork.

In-House

I was able to create initial tuning reports within an hour of populating the system with my firewalls. Within one week, I was able to create my PCI zones and configure automated reports for compliance

We looked at FireMon, which is an excellent product, but for me it came down to getting everything stood up and running within a minimum amount of time. I needed it to look really good because I was putting my name on it. Plus, my manager loves the web UI over the FireMon UI, which for him was the key.

You're going to be really shocked with the first couple of reports that show stuff about which you had no idea. Let it go and get buy-in from as many other groups as you can. If security and network are separate, get network involved to access devices that will provide a clear picture of everything, especially of topology. Build those bridges ahead of time and present it more as a collaborative tool and not a "I'm watching you" tool.

The most valuable features for us are object looking, rule documentation, and reports. We use it for cyber security as well, so risk features and violations features are huge.

Even just looking up rules before we can make changes is a lifesaver. Previously, we'd have to go to the CMS of whatever firewalls we had. So instead of having to do that, now we can go to one location and search the rules that way.

Another major thing is the topology feature for the network part. Also, the SecureChange and automation means that the checkpoints can be done automatically, and they do the provisioning throughout the process. Looking up rules and understanding how they affect your environment.

It's also quite easy to use - there's nothing hidden, it's all laid out and that is much appreciated.

From a security standpoint, we have it in place where it will notify us if an engineer inadvertently violates a high-risk rule, and it even does this if they pre-stage a rule, so before they push it we can find out.

From an auditing standpoint, because we get audited three or four times a year, our auditors have access to see exactly what's happening in each firewall, and we've had fewer issues with auditing because of it.

For us, in man hours, it saves about 70 hours a week on checking rules and implementing the changes.

For implementing the rules of SecureChange, and trying to implement it with all of the software we have on our side, change management, and workflow management, we need better integration with our existing tools that will make these changes a lot faster. We have so many things on our side that we need to integrate. We now have HP Switches, so we'd like to have those covered as well in order to monitor them.

We've used it for three years.

No issues.

We had one bug - a year or so ago - and Tufin had an update that addressed the issue. The long implementation time was on our side. No other problems.

No issues.

Both customer service and technical support have improved during the three years we've used it. They're really quick to get back to us for both customer and technical support. They get on calls with us, WebEx, anything.

We were going through a major OS upgrade. We ran into some problems on our end with four appliances. It was a weekend and we opened a case on-line. We were able to get together with someone in 30 minutes, share the screen, and they walked us through implementing a fix within an hour or less.

Even though we have a remote collector, a distributed collector, and a central server, it was pretty straightforward.

We did it internally ourselves, but with some input on architecture from Tufin's professional services.

As far as licensing goes, the good thing is that the licensing for the firewalls is great. The licensing changes for the routers has improved because we no longer have to pay for topology monitoring.

We also looked at AlgoSec and FireMon. Algosec was good, but Tufin had the edge in the automation process and the reporting was even better. So it was basically between AlgoSec and Tufin.

We deployed the solution based on the preferences and needs of our clients. The solution was deployed on cloud and on-premises. However, it was primarily deployed on cloud.

The firewall security was very valuable.

The firewall management is complex for beginners, and the solution could be improved by including icons that provide insight into what they are and how they function. For example, the ability to understand what an icon does by hovering over it.

We have been using this solution for three months.

The solution is stable.

The solution is scalable.

We have had a good experience with customer service and support.

I rate the initial setup a seven out of ten. Deployment on cloud is done through a web platform, and deployment on-premises takes two to three days.

We implemented it in-house but got assistance from someone with hands-on experience with the product.

The licensing costs for this solution are decent for the services provided. From my perspective, the prices should be higher because the organization that often uses this solution is critical.

I rate this solution a ten out of ten. The solution is good, and no clients complained about it. Therefore, I recommend this solution for people seeking to use it, as they can never go wrong with it. However, for a beginner, it could be tricky to implement.

We use the solution on-premises.

Policy management and the cartography of the network have been the most valuable features.

The network part of the solution could be improved, specifically the licensing model for routing devices. Customers need to get the license easily in order to have the cartography of the network and build the other solution of Tufin, such as a secure change and secure application. To do that, we need the licenses for the network devices in complex environments where customers have a lot of network devices. It is too hard to get a license for each device, so Tufin should remodel the license model for these kinds of devices.

For the license for the security devices, it's okay that Tufin has a model for physical devices and for virtual devices. For the network devices, the main reason to have a license is to get topological information, routing information, and so on. With Tufin, it's a bit hard to tag all the devices that you need to build the topology of your network. 

We have already talked to Tufin in order to simplify the license model for the routing devices because these devices are the main technology. The RN is just for routing information, not for the security and building access list, and building VPNs, and stuff.

In order to have that topological view, you need a license for each device. For that, the cost of the solution rises exponentially. Because there are a lot of routing devices for your network, in order to build the topology of your network, you have to spend a lot of money just on licenses for devices that aren't security but do routing work only.

They have to rebuild their licensing model in order to fit the needs of their customers.

For routing devices, we would like to have something related to the orchestration for the solution because we know that there is one for Tufin, but I don't know how it works, if it has to work with all the models installed, what the features are for that orchestration, and what the needs are for that model to work properly in a complex environment. 

For example, we work in complex banking environments where there are a lot of bricks to communicate with. For that, what is the information needed for the orchestration in order to have an extensive look at the topology of our network, and after that, how the orchestration is going to implement the right accesses to main privileges on security devices all around the topology of our employment.

I have been using this solution for five years.

We didn't have a lot of problems regarding the solution. It's a stable solution.

In order to have it running correctly, we had to dedicate a person to manage the solution. I work on it with Tufin and with some of our partners in the group. We have our Société Générale in the group. We have some other partners inside the group with Tufin in order to build this kind of model for the time to market objectives.

We didn't have a lot of problems concerning maintenance. We had two or three hardware problems that were solved remotely by support and for the upgrade and the OS upgrade because there are two kinds of upgrades to operate. The OSTs and the secure channel also have upgrades, which we did ourselves.

Tufin has a policy of publishing new versions of the Dell OS, so two versions a year. One is a final version, and the other one is a beta version. In a year, you get two or three updates. It's not very hard to follow the stream of changes in one year.

We didn't have to expand the solution, but management has had thoughts about expanding the solution for other environments, for other clients, and for the customers.

Technical support was present and responsive for our needs. We had some problems with the appliances. They were very quick to respond to our support tickets and to give the right solutions for the problems we had.

On a scale of one to give, I would give technical support a four.

We needed someone from Tufin in order to get it installed. It's not a straightforward process from scratch. You have to build your own network with someone from the PS, and after that, you have to give a lot of information about your network, your devices, where they are located, what is the networking scheme of your network so that the PS can implement all that. After that, they can build the model for you.

On a scale of one to five, I would rate initial setup a three.

We used engineers from Tufin for setup. They were responsive. They were experienced with the solution they sell.

There is a permanent license for devices, but it's not relative to a device itself. Once you purchase 10 licenses for virtual appliances or virtual context, you can put them into different virtual firewalls, but you can reuse these licenses for other devices if you don't need them for the old ones. 

For example, if you deploy new ones, and you don't need these licenses for the old context, you can redeploy them in another one relative to a device, like a Mac address.

The problem is that once you redeploy the license for another context, another rhythm, or another virtual appliance, you lose all the history and reports from the Syslog from the old one.

I haven't looked into the competition because we don't have the ability to choose between solutions for central management.

I would rate this solution 7 out of 10. 

The main brick in order to build your solution is the first step, which is having a good understanding of your network and good people to talk to when you want to build your topology. Once it is done, the solution runs by itself. Exporting, reporting, topology, and changes are all handled by this solution.

After the initial deployment, it is a stable solution. It can suit customer needs in complex environments.

A con is that it is very needy in terms of implementation such as small configurations. We had that problem with networking devices. We had to implement it to get all the information from all the routing devices. Even if they don't belong to our network, we had to have the information from MPLS devices on the telecom operator. Sometimes it was difficult to build the solution from scratch.

The Syslog part was a little difficult to handle. For the appliance we have right now, it handles the management, the Syslog, and all the needed modules in order to operate the solution. Sometimes, it is a little bit hard for the appliance to get straight to all the models it runs. Maybe with the new models of the appliances, it's easier for the appliances to run all the models. With the newer generations of the OS, I suppose that now it's more effective and less of a time-consuming process, but it's okay for us to upgrade after that in order to get all the new features in the new OS.

We're using this solution mainly to get some audit reports regarding the policy installations on our firewalls. We aren't using any changes or other features, and we're not installing policies automatically. We're just using it to collect some log data like who installed something and what they did.

It's user-friendly. It's easy to understand menus on the web GUI. That's a good feature for us. I can say that it's doing what it's supposed to do. It also integrates well with other products like Check Point.

It would be better if they modernized the web GUI. The web interface GUI is simple and not complicated, but it's also too old. It would also be better if they had an SMS gateway integration. I would like to have some integrations with other products like Jira for change management and incident management.

I have been using Tufin for about three years.

Tufin is a stable product. We're not having any issues. Sometimes we do have problems with the product, but it wasn't related to Tufin. Sometimes when we had an upgrade on the firewall product itself, we encountered some problems.

It's a scalable product. We have about 50 gateways, and Tufin collects data from all of them. We also have a management server, and we've integrated two important classes of databases. We're only using three instances, and we're not having any issues.

Tufin support is good, and we managed to implement this solution by ourselves. But it would be better if some engineers from Tufin joined a session and did stuff together with us. That would have been much appreciated. I would expect them to organize the session and provide some support, at least in the beginning.

I also have AlgoSec, and it seems to be much more complicated. I would say that Tufin is much more compatible with Check Point firewalls. That was the main reason for choosing Tufin over AlgoSec.

The initial setup is complex. I didn't have any Linux knowledge in my past, but I could say Tufin support is good at it. When we need to get some support, they respond quickly. They explained everything to finalize issues regarding the installation.

We implemented this solution by ourselves. It took us one or two hours to install and deploy this solution.

The price is on the cheaper side. I'm not planning on adding additional resources, and I don't expect any additional costs.

Not before but after using tufin actively about a year, we have evaluated algosec as an alternative solution. It was also well designed alternative but it was not well integrated as tufin did with Checkpoint

There aren't many products like Tufin and AlgoSec. I think both products are good, but when people are using Check Point applications, we recommend Tufin.

On a scale from one to ten, I would give Tufin a ten.

We are a solution provider and this is one of the products that we implement for our clients. We also use it ourselves.

We have this solution installed in our data center, where we have a box specifically for Tufin. It scans our network, looks at the firewalls and the routers, assesses compliance and sends me a report.

The most valuable feature is the compliance check and the recommendations that it makes. This solution will connect with the firewalls and routers to check out the vulnerabilities, risks, and anything that can lead the organization to be compromised. From there it will make recommendations about what is required in order to ensure compliance. My team discusses the recommendations and then we remedy the issues.

My worry with Tufin is that it cannot connect to Fortinet, which is what I want to do. In order for this solution to be useful, it needs to be able to manage every type of firewall that I come across in my organization. I do not want to be tied to one vendor. Integration with all types of firewalls and related tools is necessary.

When Tufin deploys solutions on-premises then they should provide full support, but this was not the case in my organization.

The implementation, including integration with other solutions, is complex and should be simplified.

I want to see the physical topology of the network in order to help with troubleshooting.

I would like Tufin to alert me whenever there is a change in the firewall.

I have used Tufin Orca for the past two years.

We do not have full support for Tufin and it was expensive to have support visit us during our deployment.

The initial setup was very complex because we needed help to integrate it with the network. Unfortunately, we needed to have an engineer come to assist us, which is why it was challenging. Getting an engineer to visit our country is quite expensive because you have to pay extra for accommodation, transport, and everything. It is not cost-effective.

This is a solution that I would recommend, but only in cases where the organization has the skills. I would rate this solution in the middle because it meets my requirements, it is a very good tool, and it immediately gives you what you want. At the same time, when it comes to the support, setting it up, and upgrading it, it is challenging if you don't have skilled resources.

I would rate this solution a five out of ten.