Tufin Orchestration Suite Reviews

Primarily, it is being used as a type of security auditing control on our firewalls. We are in the middle of a new project acquiring dedicated new hardware while building out SecureTrack and SecureChange. After this initial project, and building out all that infrastructure is done, then there will be a project to kick off some of the automation and orchestration type stuff to try and improve some of those processes for the IT group.

The goal is to use it to revalidate, clean up, and optimize firewall policies, but we are not there yet.

The company has had the product in place for a while. 

I am giving up the web proxy stuff, so I can become the SME on the Tufin.

The plan is to integrate it into things, like ServiceNow, then use the automation. That was one of the strengths in the decision to stay with Tufin and invest more resources into it. 

My hope is to use this solution to automatically check if a change request will violate any security policy rules. It is not doing any of that right now.

Right now, our compliance mandates are all over the place, but previously, what they were doing is they were just taking screenshots of something, and I don't know how we passed our audits.

I was shocked and appalled that the current network team isn't even using it right now. In previous roles in previous companies, this product (or one of the competing products) was like the lifeblood of how we worked. It was like step two, after picking up a ticket. We went to use this tool to see where we needed to make changes. That they're not doing that explains why they're probably having to do rework 60 percent or higher limitation tickets, because they're missing devices or it is not being implemented properly.

In our current environment, the most valuable feature from Tufin is their Network Map because our network team can't give us a network map. Tufin has given me more than what the network team have ever given me, as far as documenting the network infrastructure. So, I'm thrilled.

The visibility is good.

The biggest area where I see a need for improvement is some of the documentation and training stuff. It does a really good job of hitting the big concepts, but it needs like another layer deeper of actually getting into some of the details of how to do some of the things. Conceptually, I understand how the product works, but now how do I start building stuff and integrating it into my environment. 

Just being a bit more upfront and honest about issues, as far as like HA, distributed stuff, and the need for load balancers, if you want to do HA. Nobody ever likes talking about the fact that their solution really isn't truly HA, you got buy an F5 to sit in front of it if you want to do HA, or something like that. Everybody shies away from talking about that, but if you get that out upfront, then the engineers can be prepared for it, then they can try and figure it out and make it work. This is not unique to Tufin. Everybody is like, "Oh yeah, we do HA." Then, three months later, after you have bought some stuff, now you're just like, "Oh no, we got to have an F5 in front of this. That didn't even come up in our discussions. So, how do I get resources away for that? Because I don't have an F5 in this environment, and I need one." 

I just found out some of the things that I need to use right now, like the reports from the report package are only available on 17-3 and above, and I need that as soon as possible. Hopefully, we will upgrade to 19-1 or 19-2 even before I go to bed tonight.

It is sort of an uphill battle right now to ensure that it has all the visibility that it needs, so we can be assured that it is doing what it will do.

The stability is solid.

The scalability is good.

I have not used the technical support yet.

I've used Tufin, Firemon, AlgoSec, and all the other solutions at other companies before, and seen what we've been able to do with them. So, when I came to this company, it was just like, "Okay what's our tool? Oh, it's Tufin. What do you mean nobody's using it?"

The initial setup is not even complete yet. We bought some stuff, then had it shipped. There are some additional discussions which are going on next week after this, where there will be some design tweaks which will occur. At first, we were thinking of using VMs for the distributed stuff and collectors, but we can't get those level of resources from the server team. So, we will be better off just buying smaller hardware boxes and having them completely managed by us that way it will be easier. Also, we'll be able to complete it much faster in our environment.

We are using a reseller, but I'm not exactly sure how that relationship even works right now. It is really early. Our stuff has been bought and shipped. We are still trying to complete internal documentation, so we can start doing stuff.

I wasn't part of the bake-off. I think the company went in the right direction, and I am glad that they didn't even look at FireMon.

While our UK side has Skybox, which I have never even seen, the orchestration piece was really the key to solidifying us on the Tufin solution.

I was talking to somebody earlier today who said that Skybox has a more powerful Network Map than what Tufin has, but I haven't even seen Skybox,

If someone was looking for this type of solution, I would tell them, "Here are the top four solutions that I know of and the places that I worked on each of them. Here are the benefits, gossip, and downsides that I've seen for each one." Tufin has the best solution as far as it being self-contained, reliable, and integrating with the other things that you want it to integrate with. The customer service is also not arrogant like some of the other solutions.

We need to utilize it to its capacity and capabilities, and we're not doing that yet.

It will eventually reduce the time it takes to make changes. I don't know how much time it will save, since a lot of the manual processes are done by another team. I am still building my team underneath me.

The cloud stuff is great, but I am sort of scared to look at it because we still trying to work out our traditional stuff being compliant and under control, then doing what it's supposed to be doing. I can't even imagine what the developers are doing in the cloud stuff.

We use it with SecureTrack, mainly for auditing purposes. We also use SecureChange for workflows on temporary firewalls.

We use Tufin to clean up our firewall policies. From an auditing perspective, it is centrally managed in one place for all of our firewall vendors.

One of the biggest quick wins that we had with Tufin was cleaning up our firewall policies and rules. We cleaned out a lot of rules which helped our devices, longevity-wise, as well as speed-wise.

• Easability
• Audit features
• SecureTrack
• Change of work allowance
• It is very open to changing it and making it do what we need it do. 
• We get a holistic view of the infrastructure, as well as automation workflows.

The visibility is great, so far. We are still building it out because we have a lot of firewalls from different vendors. Overall, it's a good product in the way it works.

The change workflow process is flexible and customizable. We use this process a lot. We have developers do custom integrations with different vendors, especially ones that are technically supported, as well as doing some custom integrations with our Juniper products, which are not officially supported.

The solution’s cloud-native security feature is definitely welcome. We are starting to embrace the cloud. We are a little more legacy and timid in our approach, considering the amount of data that we have and the way that we want it to be accessed. However, the cloud-native applications are going to be big, so I definitely think that's a welcome feature that they're working on.

We would like Tufin to have interoperability with Juniper products, along with official support.

They could maybe update the interface. However, I know there is an interface update coming, I just haven't seen it yet.

There is room for improvement, as far as making the product easy to use and having training available.

In my training with the workflow, it always kicks me back every time that I do a step backwards. I think that automatically it should take you to the next step in the workflow, that would be appreciated.

So far, the stability has been great. One of my colleagues just did an upgrade from the previous version to 19.1, which had a bit of database issues. Those have now been resolved.

The scalability seems good. We have a distributed system right now, and it seems like it can scale up or scale out, as needed.

So far, the technical support has been good. I haven't had to deal with support a lot yet. We have weekly check-ins with our account manager where we go through what we can do with it. Overall, I think it's adequate.

We didn't have a previous solution.

It is nice to see the capabilities that Tufin has, and we look forward to building it out.

I wasn't there for the initial setup, but from what I've seen, it was pretty straightforward for the engineers who set it up.

The solution has helped us reduce the time it takes us to make changes. From the auditing perspective, it definitely saves a lot of time. Once we get our USP built out with the automatic calculations, as well as having validation and seeing where the roles need to go in place, this solution will be very helpful. 

It is helping engineers spend less time on manual processes.

We did look at a few other vendors.

The power that Tufin has behind it is the reason they chose it. They saw that it had a lot of capability compared to its competition.

Check out this product and see what it can do for you. Talk with the marketing team and account reps and see what direct benefit the platform gives you. Then, see what strengths it has compared to the competition, as well as its value proposition.

We are not to the point of using the solution to automatically check if a change request will violate any security policy rules, but it is coming.

We are building the security policy part of it out across out hybrid network, especially with the USP.

Our primary use case was firewall policy management. We did a PoC with Tufin.

There was no issue with slowness, especially when it came to pulling the data in real-time.

Tufin was able to automatically check if a change request would violate any security policy rules. During our PoC I tested it by trying to do unauthorized changes and Tufin met our requirements.

We are looking to become ISO 27001 certified for information security management. We need a solution like this for the audit side. They need to be able to check our firewall policies.

The goal was policy management and Tufin's policy management features met our requirements. It allowed us to crosscheck policies.

I like the fact that Tufin was able to integrate with our firewalls, which include Palo Alto and FortiGate.

I work on the network and security sides. The network visibility side needs improvement. I need to be able to see what the configuration changes are inside. On the firewall side, there are no visibility issues.

Also, I'm not sure if it integrates with Riverbed.

So far we have had no issues. We're running it on a VM and there are no issues with the VM.

We had no issues with scalability.

We are a big company and our network is complex. We have a lot of servers and we have about 700-plus branches connecting to HQ. HQ is our main site to go with the ISP. But we only implemented Tufin at our HQ and two of our main branches.

There were only four users on my team.

I did not engage with Tufin's technical support. We used a third-party.

The setup was not too complex but not completely straightforward. It was so-so, at least for our environment.

We had an issue with how to push the policy changes. It took about a week, during which our engineer conferred with Tufin. Tufin had to do some fine-tuning.

In terms of an implementation strategy, at that time we were only doing a PoC to see the policy management functionality. Tufin can also integrate networking and security to show an overall network mapping, from site to site. We have a lot of branches. And we are now moving to SD-WAN, to see the mapping. We need to see if Tufin can integrate with that.

On the technical side, the Tufin solution was very helpful for my team. It would save my team time. Using Tufin they could check all the firewall policies in one console, for both Palo Alto and FortiGate, at the same time.

There is no issue with the pricing because we used a VM. That kept the cost low, as compared to an appliance. The licensing cost quote met our budget.

We have done other PoCs with AlgoSec and FireMon. But as we compared Tufin with them I preferred Tufin rather than AlgoSec. They were basically the same, but then Tufin came out with a lot of changes in their recent update. Also, Tufin is real-time while AlgoSec is near-real-time, for policy management.

In terms of advice, it depends on what a user's needs are. For us, we only considered Tufin for the security and the network parts, especially the network mapping. I need to see the hop-by-hop, from this site to that site, how many hops for a transfer packet. 

Tufin is good for beginners. Tufin filters based on rules, even if a beginner doesn't know what to do, how to configure the firewall. Tufin can then monitor based on those rules.

It's a good value for what it does. We had no issues with this product. It was good for us. We could deploy it in our environment without any issue.

I rate it at eight out of ten because we are still evaluating Tufin. Our project is running on Riverbed for SDN. I don't know if Tufin can integrate with Riverbed. Other than that, I have no issues with this product.

It is an important application for controlling and monitoring firewall rules. It is useful for making and monitoring the changes.

Its price is reasonable, but it could be lower. 

It could have a more effective approach for creating and changing rules. It could provide advice or suggestions for a better understanding of rules and changing the rules. There should be suggestions for the rules that need to be changed to make them less risky.

I have been using this solution for eight months. We have recently done an upgrade, and we are using the latest version.

It is stable.

We have not been using it for a long time. So far, it is scalable for us. We have more or less ten people.

Their technical support is good.

We have worked with AlgoSec but in a restricted topology of the network. Both of these solutions are useful. It mainly comes down to the price. Even though Tufin is more costly, it has been more cost-effective for us, but it is not the same for all companies. It also depends on the integrator.

Its initial setup has medium complexity. It was not complex, but it was also not easy. We had some problems because it was a fresh installation.

Its price is reasonable, but it could be lower. It has been cost-effective for us. We have a contract for three years.

I would rate Tufin a nine out of ten. 

We were primarily using the solution in order to grade the firewall rules.

How the solution benefits the organization is something that is currently being tested. We're considering doing something different, as we just used this product as a POC.

The compliance aspect of the solution is its most valuable aspect.

The stability is very good.

You can easily scale the solution if you need to.

The number of features is very robust - and there are a large number of features. That's a huge selling point, which is why its popularity is where it is.

I have heard many people complain that there is a high level of complexity. It may make it difficult to work with for some people. That said, I don't have those issues with the product.

The initial setup can be tough.

The product could use better integration with the cloud.

I've been using the solution for years at this point, It's been a long time.

The stability is very, very good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. The performance is good.

The scalability of the product is excellent. If a company needs to expand it, it can do so relatively easily.

In our case, while I don't have an exact user count, I can say that there were quite a lot of people on the product.

We're talking about shifting potentially away from Tufin, however, if we had kept it would have been used extensively.

While other people have the opinion that it could be better, I've mostly been satisfied with the level of support we've received. They've been okay. I've had three or four run-ins with them and they were all positive experiences.

I also work with AlgoSec. We use both solutions currently.

The initial setup is not straightforward. It's a little difficult, a little tough. New users need to expect this before they get started.

Often, a consultant is involved in the process, as there is a large learning curve, and many companies don't have the bandwidth to ramp up the staff. Bringing on a consultant can speed up the processes a bit.

The deployment took about a month or so.

We're still working on how many people we actually require to handle the maintenance aspect of the product.

Typically, we get a consultant for everything, however, this last deployment, in particular, seemed to be more challenging for the consultant and for the staff.

That said, our experience with the consultant was very good overall.

While we are getting what we need out of the solution in terms of functionality, I haven't really looked into an exact ROI. We got what we were looking to get out of it. 

The billing and licensing aspect of the product is not something I'm a part of. I don't have any insights into the costs involved in using the solution. I cannot see if there's just a flat licensing fee or if there are other costs needed on top of that.

We are considering moving away from the solution currently. We're looking for other options. We might shift towards FireMon, however, nothing is set in stone.

We're just a customer and end-user.

We're likely not using the latest version of the solution. Currently, there is a team that directly supports it. I can't remember the exact version number off-hand.

I'd advise organizations considering the solution to do their homework first and see if they can find out from industry associations and professionals what their experience has been.

In general, I would rate the solution at a nine out of ten.

We implement Tufin for other customers and help set it up. 

I'm not the end user. I just set it up for the end user.

We are using the latest version from 2018.

We use Tufin to clean up our firewall policies. They already have the compliance policies sort of prepopulated in there to point out violations.

Most customers will go through and check the USP to see if it violated with the designer tool.

We are in the process of working with a customer right now to set up the Unified Security Policy (USP). We got all the violations from the first phase and will go through to do the mediations, then run the scan again to show the progression of the clients.

The preconfigured PCI compliance USPs are the best part for me. These make things a lot easier.

The visualizer for the Network Topology is really good. You can see all the routes throughout your entire environment.

The change workflow process is very easy to customize. You can do a workflow however you want, so you can have an approval every single step. Or, you can remove approvals on certain steps, automating some steps.

It capabilities are very good.

Sometimes, the user interface is a little cumbersome, trying to navigate between them. In the new version, it looks like they resolved those issues. 

We have had a couple issues with the VMs, but I think it was just because they were starving for resources. A recommendation on what the virtual appliances should have for resources would be appreciated.

We have done PR strategies and added Tufin appliances. It is super easy to just back up and restore to a new one. You can get a new appliance up and running in 20 minutes.

We worked with their professional support before, but we have not worked with their Professional services.

The initial setup is straightforward.

We are a reseller.

We've install it to make money.

Tufin does make the process faster for customers, depending on if they use SecureChange to automate their process. Everything is all in one then.

Licensing is on a customer by customer basis.

Try Tufin out. Make a PoC of it. That is how we sell most of our products because it works well.

Our customers do not have a hybrid network.

The primary use case is for compliance with PCI regulation for local and country regulations.

We are using the latest version of the product.

We use Tufin to clean up our firewall policies because it is so fast. A report about compliance and the clean-up process used to take about one month up before. With Tufin, it takes only one day.

Implementing roles in the firewall used to take two days, but now, it takes two hours.

The audit and policy relation reports have helped me show compliance to managers.

The product helps my cybersecurity team. Now, my cybersecurity team spends their time creating new controls for new technologies.

The workflow is the most valuable feature.

The visibility that the solution provides is amazing.

The change workflow process is flexible and customizable. I can send one request to an IT Manager and another one to a Development Manager, making them customized.

I would like to see more about the cloud in the next release. They need a large plan to deploy the cloud into the solution and a way to implement it.

The web service for integration with other solutions needs improvement.

The stability is okay.

At this moment, it is not necessary to expand the solution.

I don't really use the technical support.

We did not have a previous solution. I was looking for a solution to optimize time in security policy management. Then, I found the Tufin and contacted a reseller.

The initial setup was super easy. It was fast to implement the firewall. The Check Point was very fast.

We used a reseller for the implementation. It was the first time for the reseller to do this implementation.

It saves us a lot of time. People can devote their time to other more important tasks. 

The seller of Tufin, when I wanted the solution, was very flexible because the cost on the lease was very high in Latin America. So, he was able to reduce the cost.

We considered Algosec and Firemon, but Tufin was the best.

A powerful tool for a security team to optimize time.

The primary use case is firewall analysis.

We use SecureTrack, which is great.

The solution has helped us to meet our compliance mandates. We have to be PCI and SOX compliant. Some of these rules and systems might meet those requirements. Knowing which system can talk with which system is definitely helpful in that sense.

This solution has helped us reduce the time it takes to make changes.

Comparing the rules and policy browser is valuable to me. It gives me the ability to pull running configs and be able to analyze them without having to go directly into the firewall.

The visibility is great.

When you make changes, you have to enter the password each time for each firewall. This is sort of annoying.

They are sort of at the pilot stage on some of their products. I saw the Orca and Iris products yesterday. My initial impression of these products were that they were good products, but I felt like some of their features overlapped with SecureTrack and SecureChange, which they are already doing. So, I just wondered what direction they're going in? I understand that they are cloud products, but are these security products going to overlap each other's features at some point? This is my initial concern.

It is very stable.

It seems pretty scalable. From what I have seen in the training, you can use it on multiple firewalls. It seems like a solution which was built for very large enterprise level networks.

I haven't dealt with the technical support yet.

If you want to be able to manage your firewalls efficiently and securely, then use Tufin.

It is a pretty solid solution. As with any security solution, I think is it is growing. It seems like it is at a good point. It could still use some work, but it's growing, and that's good.

We saw in the training yesterday the changes for part of SecureTrack 2.0, which isn't out yet. Those changes, that they will be implementing, look very good from what I can see.