Tufin Orchestration Suite Reviews

We use SecureChange for change management, and the SecureTrack component for reporting and the summary.

We use this solution to clean up firewall policy, although I do not personally do it very often.

The change workflow process is flexible and customizable. We have a couple of custom components, and my colleague was able to put them together in five minutes, so it seems pretty flexible to me.

The solution automatically checks to see if our change request will violate any of our security policy rules. This helps with general risk assessments, and when we transfer data between security zones over certain ports. It really benefits us, as well as the users who submit the rules, because they're not all familiar with all of the rules that are in place.

Implementing this solution has made everything faster. With the introduction of SecureChange, I think it has been easier for the average person to become a firewall rule setter.

Using this solution helps us to meet our compliance mandate. It does this by making everything quicker, which makes it easier to meet our SLAs.

This solution helps to ensure that the security policy is followed across our entire network. It leaves less wiggle room for people to venture out and make exceptions because it does the thinking for us. We follow it's recommendations, so there is less compromise.

The most valuable feature of this solution is reporting.

This solution has helped to reduce the time it takes to make changes. I don't think that we were ever slow, but we can now say that changes are completed within twenty-four hours.

I think that the interface could be cleaner, and easier to use. There are some things that I think are varied. Some of the reports, when you try pulling them out, I think that you've got to jump through too many hoops to get the results that you want to find.

I would like to have the ability to view multiple "handled by" names. Right now, it's either one, or we and the customer see nothing. I would like to clean that up because I am part of those phone calls.

I think that with respect to end-user operation, the whole-space users, the communication is lacking.

For the most part, stability is alright. It works well until we do an update and it breaks everything. But, it gets fixed, and it's good again until the next update. 

We have not tested scalability because we're set at where we are right now, although that is not to say that we won't be expanding in the future.

Technical support for this solution is really good. They are pretty quick at responding to our tickets. When the update breaks everything, they're pretty quick at sending someone to fix it and bring us back up within a couple of days.

Prior to implementing this solution, we used a home-grown, internal request process. It was very frustrating, across the board.

We used a consultant to assist with our deployment, and we had no problems.

My advice to anybody who is implementing this solution is to take the time to learn the product, in and out, right away.

I would rate this solution an eight out of ten.

We are using Tufin to generate reports on unused rules and for compliance reporting.

In our environment we have two data centers which have the same IP address for service in both. This means that in data center A, server X's IP address is the same as server X's IP address in data center B, but it's sitting in a different firewall. So we are exploring SecureChange to automate the pushing of rules in both gateways at the same time. That way we will be able to track to which firewall, in which data center, we have pushed rules.

It helps us to meet our compliance mandates because we are able to define whatever compliance we are subject to. We are a financial institution so we have to comply with PCI DSS, we have to comply with certain financial rules and regulations. We are able to do that with Tufin.

It also helps ensure that security policies are followed across our entire hybrid network. So far there have been no complaints from the auditor who is checking our firewall rules. The only exception is that, because we have so many requests in a day, some of them are not used yet by the requester. What our auditor sees is only the unused part. But we are 80 to 90 percent compliant.

Finally, I expect it will help our engineers to spend less time on manual processes, that it will cut half of the time spent looking at all the rules and validation. Currently, 70 percent of my engineers' load is looking at rule validation and requests that are not being made correctly.

We are still using only one-third of the functions that Tufin has, but SecureTrack is among the most valuable.

The most valuable function is the SecureChange where it is able to automate everything from the validation of the rules to the pushing of the rules. We are mainly using Checkpoint and Tufin together.

In addition, it's helpful that we can generate accurate and detailed rule-usage reports. That enables quick clean up.

In terms of visibility, Tufin does show all the schedules based on the usage.

Another feature I like in Tufin is that we are able to track the flow of the source and destination, passing through which level of device and which firewall. It makes our operation, our daily tasks, much easier than doing it manually for each and every request.

There is room for improvement in the speed of Tufin. It is using so many of my VM resources and yet it is still a bit slow. They need to improve how they do their database indexing. That is the main fault of Tufin right now for us. It's slow. Even though we are allocating 64 gigs of RAM, we still have to wait for a few minutes for a single report to be generated. Otherwise, it would be a perfect tool.

The stability is great. It has never gone down. The only problem is the slowness.

The stability is dependent on the devices. The part where we are having a problem now is the result of migrating to RAT which is using APIs which keep going down when our MDS has a heavy load.

In terms of scalability, the only issue is the licensing part. You have to have the correct license to go to a larger installment.

This solution is the first of its kind in our bank.

The initial setup was straightforward. I was able to deploy Tufin in a few minutes only. Integrating with devices - as we are using Checkpoint, API, Syslog - is simple.

For now, we have only installed one server, not distributed. Soon we will go for distributed, because we need to collect all the logs from all our overseas sources.

I was the only one involved in the deployment and am the only one who takes care of the maintenance and day-to-day configuration. Our firewall team will be using Tufin but they don't do the maintenance. At the moment there are about 15 users. Half of them are the firewall team and then there are a few auditors and a few people in the business unit who are monitoring the rules.

ROI is measured in engineers having time for their families and being able to have more time to do other things. It is not a specific figure, it is more a matter of how time is spent.

The current licensing scheme is quite confusing but it is clearer than the old one. If you have one MDS you just buy the MDS license and the gateway license. That's most of it.

Before this, they broke it down into VS, virtual environment, physical environment, single boxes, cluster boxes. Now the licensing part is much more straightforward. If you have ten gateways you don't need to define one as a single and another as a cluster gateway.

Pricing is quite high. We did compare it with AlgoSec but the pricing is not much different between the two.

The decision was made before I joined the organization. I don't know if they looked at competitors or not. Currently, we are looking at AlgoSec, if it can replace Tufin or compete with Tufin in terms of features.

The main differences between the two are only in the pricing and the look and feel. They both do the same thing. Both will be able to achieve our organization's targets. But in terms of look and feel, our engineers are already used to what we have. And I do prefer Tufin.

If you are looking at a large environment and a large number of policies, you really need Tufin to help you manage all the rules. We have 25 policies, and each policy has around 1,000 to 1,500 lines of rules. Managing that manually would not be easy.

We haven't started using the change impact analysis capabilities of this solution yet. We are still testing it. We are not that familiar with the process yet.

Because our team is doing cleanup every three months, we need to keep generating a report every day to have correct visibility: which rules are unused and which rules need to be removed to be optimized. We are using it quite intensively. I don't know how we can increase usage until we deploy and start using SecureChange. At that point it will be more intensive because after SecureChange everything will be automated and they will start only using and looking at the secure Tufin interface, in terms of rolling out all the requests.

We haven't seen a reduction in the time it takes to make changes yet, because we are still tweaking the SecureChange part. We will be testing it in a few months' time. We need to see integration with our ticketing system because people are making requests over HPSM and Tufin needs to be able to grab them first, before we can start to roll out SecureChange.

The visibility of the changes that are being made on the network. From a firewall perspective and router perspective, we have all our network devices in Tufin. We monitor all the changes that are made constantly. Prior to changes being made, they get approved by our IT security department, and then they're monitored after they're changed as well.

We haven't used it to push configuration yet, but we do have a third party network vendor that does our network changes for us. We immediately know if something was typed wrong or configured incorrectly. We'll get an email from Tufin, and we'll know that they typed something in wrong or incorrectly because that's the email that we receive from Tufin. A lot of times they'll transcribe things, and rules will get set in different directions. We'll know immediately when something happens.

Being the Director of Networking, that's what I'm primarily concerned about. It's to make sure that all the network changes that are being made are the correct changes, we're not opening things up to vulnerabilities that we shouldn't have, as well as making sure that we're locking down what we need to lock down.

I like what's there today. I don't use the product that heavily as much as our IT security department does. Right now the product is doing exactly everything that I want to see it done. I would like to see the ability to have the changes in the configurations pushed out more easily and managed through Tufin to eliminate that human error factor more.

We haven't run out of room with the product yet. It's very scalable. We fly to 115 different locations,we have 3 different data centers, and we monitor all our network devices, firewalls and routers through Tufin.

If you don't have a product like Tufin, get a product like Tufin because it's amazing. It gives you insight into all changes that are done within your network. It's awesome, and it gives you the ability to manage it even though we haven't rolled that piece out ourselves yet.

We use SecureTrack for troubleshooting, APG (Automatic Policy Generator), implementation of new requests, change monitoring, rule and object usage reports.

This solution provides an unified display of rules across vendors.

We use this solution e.g. for cleanup and processing of shadowed rules.

Using this solution saves us time and money. The Automatic Policy Generator saves time because we are able to identify the required policy when a client doesn't know what he needs.

We are able to perform an inventory analysis for colleagues.

The most valuable feature of this solution is APG, the Automatic Policy Generator. Further there are very good capabilities for policy browsing and reporting implemented.

I would like to see better report integration in this solution.

I would rate the stability of this solution a nine out of ten.

The scalability of this solution is ok.

The technical support team for this solution is very polite.

There was some functionality in the integration with Check Point that was initially working not in the best matter, and it was only fixed after Check Point got involved.

We did not use another solution prior to this one.

The initial setup of this solution was not complex. It was simple.

Our in-house team handled the implementation and deployment of this solution.

Tufin is expensive but it is very good.

We did evaluate other options. However, Tufin was the best one that we tried.

Following installation, we mentioned to the SE what ports were on the rule already, and he responded that those were the right ports. So immediately, Tufin already saved us work. And there was already traffic to the destination of a requested rule that needed to just be added to another group. Previously, we would have had to make a new rule and type in the source destination ports. With Tufin, however, the group already existed and we just needed to add it to another group.

Object look-up is also valuable. When someone needs to know about a particular endpoint and what's allowed to it, we only need to type in the IP address and are then able to see every rule associated with that address line by line.

From the very beginning, Tufin has kept our rule set compact so that we don't have to keep stacking up rule after rule. We still have to analyze and find rules that are too open, but it helps use make the right rules in the right places.

It's also a huge deal to us to be able to see the configurations as they change over time, and to know which firewall is responsible for which segments. It allows us to look at all our firewalls at the same time and not have to SSH one after another. We've got it all right there with Tufin -- one pane of glass that shows us everything.

With new engineers to the company, I pull them aside and show them Tufin. Within one hour, they have all the information they need to start creating firewall rules. It's incredibly easy to use. I can't imagine life should it if it should go offline. It's made a huge difference for us.

I'd like to see code provisioning.

It's been up for two years.

We had no issues with deployment.

I believe we had one reboot due to a code upgrade. This was only a single incident.

Our current machine handles all firewalls for one of our business units. We're at a point where we've ordered a larger one to handle 200 firewalls. We'll take the smaller one to have an additional collector. The scalability is very good.

Excellent.

These guys have been amazing. They will work tirelessly. I've only had a few calls, but every time I've had a call, the answer came through in a timely fashion and we got things sorted out. Usually it was user error, they told us, and they didn't lecture us about it.

We simply turned it on, gave it an IP address, and logged into that IP address. Getting it set up with other firewall was straightforward, as was setup for interoperation with Active Directory. We now have group-managed logins.

We looked at FireMon because it's able to analyze rules. But for daily, operational stuff, such as finding rules that already exist and which firewalls are involved, Tufin is much easier and more efficient to use. It was a no-brainer.

It already does traffic analysis and secure change. We've got the secure app so we can keep track of the business critical things. They shouldn't change that. I love the left-hand pane, and being able to navigate that and being able to see things in the split pane on the right-hand side. There are other vendors out there who will decide I need to just have everything at the top and scroll down.

The best thing to do would be get all your firewalls in there and let it bake overnight. It does take some time to collect the data in the config files. Once that's done, teach your help desk staff and the firewall operators how to use this to look up existing conditions and to determine right away whether a rule needs to be made, or whether a group needs to be added, or whether the rule already exists.

The most valuable features are the ease of use and the portal. It is very easy to log in, to navigate, to produce reports and to create workflows. Creating workflows is actually one of the best features that I've seen in the product.

It also gives tremendous insight in that we now know exactly where the rules are, who they belong to, if they being used, and if we need to follow up on a yearly basis to find out if they still need access or if we removed the access because the server went down for whatever reason. Seeing that these rules are actively used helps us a lot. Before Tufin, we knew that we had issues with regards to how many firewalls we had in place. We had rules that were outdated and never being used. We started bringing visibility to that, and that's when we decided that we needed assistance on how to audit the firewall rules.

Not only is it secure to use, but also we put it out to our customers for them to submit firewall requests. We train them on how to fill out a firewall request, which then goes to us for review. There's a lot of work in detailing what changes are necessary for our firewall, but that's more of the technical side. The user side just needs to understand how they submit the request appropriately, and it took Tufin to do that.

One of the reasons we got Tufin was that pre-Tufin, our firewall had more than 1,200 rules. It was very difficult for us to understand when a rule was last used and if it still existed. With Tufin, we're able to manage and say, "Okay this rule was requested, we know who is the author, and we know who it belongs to and to what application." Understanding and visibly seeing what we can do with the firewall rules and how to audit them helps us manage it better.

I would like see the workflow process expand out to give us the ability to tie it to other APIs. I would also like it to log some of the requests that we have and have better dashboard metrics.

Tufin SecureChange, Tufin SecureTrack - we’ve used it for almost a year and a half.

There have been no stability issues whatsoever. It’s rock solid.

With regards to scalability, we are not only using this product for firewall rule management, but also for other manual workflows that we used to have but are now incorporated into Tufin to allow us to automate and actually have visibility into these manual processes. It’s now online instead of being paper copy. We haven’t had an issue with scalability and it’s been able to keep up with this transition.

Because of the training, we had less calls to technical support since we know how to manage the product. The tech support we have used went well.

A co-worker recently came to me and asked, "What do you think about Tufin and AlgoSec in comparison”? I told him that Tufin’s customization options out of the box, the value that you get from the training, and the improvements to our organization made it a no-brainer.

I would rate it a nine out of ten, since there's room for improvements, as always.

Some of our customers has Tufin, and we manage it. We're also planning to have our own Tufin that we're going to use as a leveraged service for all of our customers.

Visibility is its largest and most valuable feature. You can see everything or all the devices on the network for each customer. It provides you a larger view of what might be wrong with the network and how you can improve it with firewall rules, etc. 

If you are talking about secure change, being able to automate the entire change process is pretty much the winner for us. It is going to really reduce the time that it takes for us to do changes, and we can just go out and get more customers.

They've got such a large number of APIs, and it is so easy to use their APIs. Effectively, they allow us to use it with anything. The only way to improve it more is by offering support for implementing their APIs into certain hardware or software that we might use. They can provide support for implementing APIs.

We have been using this solution for three months.

I have not contacted their technical support.

We didn't work with any similar product, but we are just going with secure track and secure change, not secure cloud and secure app. That's all that we really need at this time, and obviously, we will work with Tufin in the future if we need more.

A few of our clients have decided to implement Tufin themselves, whilst we just manage their firewalls. We were not involved in the setup of the management suite. However, after seeing the benefits of this, we have heavily considered the use of Tufin on a number of our other clients we manage.

We have identified that setup is a part of this and in our conversations with Tufin sought to address this. They offer a service for the full setup of the platform for use as an MSSP, and then providing a hand off service towards the end of this setup process which teaches engineers how to setup the remaining required devices.

For the full functionality, Tufin utilises all L3 devices on the network, so setup can be quite daunting. However, we identified that it would take ~30 minutes per L3 device, some of which can be done simultaneously. This is the biggest drawback to Tufin integration. However, Tufin can be used to some degree without this, meaning you can reap the benefits of it sooner rather than later.

What we found is that the return on investment will be pretty quick. This is because of the time saving that Tufin offers in FW changes, we can implement more changes at a faster rate. This has huge savings for employee's workload and the cost of their work. We have freed up a large majority of our FW engineer's time. The huge ROI we witnessed has resulted in us identifying that we can go to market to gain more customers and really broaden our customer base without the 'con' of hiring more people.

Because we're quite a large company, the initial price wasn't too much of a factor for us. This is because the ROI was so significant for us.

We identified others, like Firemon and Skybox, however we found that they were not as mature as Tufin, not offering the same range of Firewall Vendors, e.g. Palo Alto, Check Point, etc., and the same level of automation.

I would advise others to definitely work with Tufin and work out the best costs. Work out how soon you'll realize your return on investment. That has been a major kind of help. They've been brilliant in trying to help us develop a business case for using it, and then internally, I am sure there will be a massive help for implementing it in the future.

I would rate Tufin a nine out of ten based on the whole experience that we've had with it and the real kind of capabilities of the product.

In my group, we use Tufin to prove recourse. With firewalls, in terms of searching for existing rules, if we are looking for a particular rule, it shows whether an object exists, the network objects that exist. And if it does, it shows what is already in place and if we need to add something here and there. It's basically research analysis.

We use it for pulling your own reports, and checking the existing rule database from different firewalls from different managers.

I think they can improve the speed, although our speed issues might not be related to Tufin. Sometimes it is slow generating the reports, but I guess it depends on your infrastructure, if you have a good enough server. If you have more servers, the better.

If your infrastructure is big, and you're pulling a lot of metrics from many devices, it can be slow. But, if you add more servers, like a database service that reports are being pulled from, that speeds up the report generation a lot.

I know Tufin is great tool and can offer a lot more. I'm sure other groups or other people use it for what my group needs.

We are big, but I don't really know about scalability issues. I don't work on Tufin. I just utilize it. We just added a few more servers. In the last few weeks, the reports were coming pretty fast from busy firewalls.

I didn’t really use customer support. It's pretty self-explanatory when it comes to running reports and pulling metrics.

I was not part of the decision to use it.

We have not thought of using any other solutions. We have had Tufin since I joined the company.

It would be beneficial to get some kind of training from someone who knows the product, maybe from Tufin or someone else familiar with the product and the features. I know it can offer a lot, and you want to use its full potential.