What is Tufin?
Tufin enables organizations to automate their security policy visibility, risk management, provisioning and compliance across their multi-vendor, hybrid environment. Customers gain visibility and control across their network, ensure continuous compliance with security standards and embed security enforcement into workflows and development pipelines.
Tufin Buyer's Guide
Download the Tufin Buyer's Guide including reviews and more. Updated: March 2021
3M, AT&T, Blue Cross Blue Shield, BNP Parabas, ConocoPhillips, Deutsche Bank, GE, IBM, Pfizer, United States Postal Service
What users are saying about Tufin pricing:
- "For us it's around $40,000 or so."
- "There are ways to deploy the license to different types of firewall. However, if we decide to change the physical brand of the firewall, we need to go back to Tufin and modify the licensing. This is a hassle."
- "The licensing costs are around $250,000 to $300,000."
- "I just wrote a purchase order for it. It is a $150,000 a year."
- Highest Rating
- Lowest Rating
- Review Length
Showingreviews based on the current filters.
Director at Visa Inc.
Jul 28, 2019
We can process more rules on a daily basis, which is a definite time saver
What is our primary use case?The primary use cases are firewall support and generating rules.
Pros and Cons
- "We use Tufin to clean up our firewall policies. It benefits us, because you can run a query for whatever your cleanup criteria is, e.g., "Has it been hit in 90 days?" It displays the list, then you can see the rules right there. If you want to get rid of it (or highlight it), then it creates a ticket that goes ahead and flags them all as disabled. While you can delete them, we always disable first. Then, we have a strip that comes back, and if it's been disabled for 90 days, then the system will remove them."
- "The topology needs improvement. If I click on the network tab, I can go get a cup of coffee, come back, and my topology is still not painted. Maybe, it's just because we have so many devices, but looking at the topology, it is too slow. The problem is that when I click on the network tab, I do not want to see the topology. I want to click on the "Next" button, so I can put in the source and destination, so I can see the path. However, I still have to sit there and wait for the topology to load, and it's frustrating. I'll click on topology and try to click that "Next" button in time to where I can get around it. But, typically, you have to wait for that topology to paint. When it paints it, it's just a bunch of black smudges because there is just so much there. It can't paint it to where you see something. I can always zoom out, or something like that, but it's really worthless."
What other advice do I have?Give Tufin a good look. The Tufin team is always trying to stay on top of it. When Check Point came out with a R80.10, it wasn't very long before Tufin could generate rules or provision to R80.10, which was good. Now that R80.20s are out, they can provision to those. I think R80.30 is close, but I haven't heard them saying that they can provision to that yet. They can also provision to the latest versions of Palo Alto. Since those are the two that we have, I don't know about Fortinet or Juniper, but I'm sure they're trying to stay on top of those as well. We're not really using the cloud parts…
Senior Network Engineer at a financial services firm with 10,001+ employees
Helps with auditing by proving what changes were done, when, and by whom
What is our primary use case?We use it for rule re-certification and rule review. Twice a week, we use the Tufin report to see what changes or adds were done to the policies. Finally, we also use it for rule automation. We have it integrated with ServiceNow for rule requests.
Pros and Cons
- "The best feature for me is being able to look up objects within all of our policies, because we have a little over 12,000 rules and over 30,000 objects. When one person says, 'Hey, where's my server?' I can just go to Tufin and say, 'Hey, where is that server?' and very quickly it tells you where it is, what policy it's on. That is a life saver."
- "For me, there are two things that can make Tufin a bit better... [It needs] a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it."
What other advice do I have?I've already recommended Tufin to other people, absolutely. There was another company that has Check Point, I'd meet with them at Check Point expos and we'd talk. I would tell them I'm doing the rule re-cert with the bank and tell them, "Get Tufin." The first thing you want to do is get SecureTrack. Get it set up, get it working. Then you can grow from there. If you don't know what's going on with all the policies, you're blowing your brains out. I always recommend Tufin. We're working on getting the solution to help us meet our compliance mandates. That's one of my projects, starting this…
Learn what your peers think about Tufin. Get advice and tips from experienced pros sharing their opinions. Updated: March 2021.
475,208 professionals have used our research since 2012.
Change Manager at a pharma/biotech company with 10,001+ employees
Jul 29, 2019
The ability to connect with other services and software solutions via APIs is very impressive
What is our primary use case?The primary use case is processing change requests. While our organization has implemented SecureChange and SecureTrack, we are not using either tool rather extensively. Therefore, we are trying to put together a plan for the organization to adopt these tools more firmly. The idea is to be using SecureChange as the primary portal for entering change requests on both the perimeter and shop floor network firewalls. The way we are approaching this is to do a pilot first among a few sites, then bringing it out to a larger group once we feel more comfortable with how the pilot went. The pilot will… more »
Pros and Cons
- "One of the things that came up this week was the ability to decommission a server, which we thought was interesting. We had a workshop recently that talked about all the things that need to be thought about when managing firewalls. People said, "A lot of times, things get forgotten when you are decommissioning a server." E.g., making sure rules are taken away and taking out the rule set. The fact that there is an automated workload for that can be helpful."
- "I had been impressed with the depth of capabilities within SecureTrack, particularly, in terms of generating insights for a user and firewall operator. With SecureTrack, I've been impressed with the level of flexibility with workflow design and its ability to generate different work streams and flows through the tool that are customized for our organization processes."
- "There are things that could be explained a little better for somebody brand new to this system, which could be helpful, especially if it was in real-time while you were working in the system. Having the ability in real-time to be able to understand search query suggestions would be helpful."
- "A limitation right now for compressed firewalls is the limited ability to see above a site level in terms of the Topology Mapping in the policy display. While Tufin's actively working on a solution, or at least they have this in the queue, from being able to view this on a higher level and how all of our site networks are connected, this ability would be useful, as we expect to have these compressed firewalls in place for quite some time."
What other advice do I have?There is a plan for clean up as part of our regular process. There is a process drafted and an intention to do that. It seems flexible and customizable. The bigger question is whether it will integrate into our existing process effort for change management. There is an existing risk assessment process that sort of fits up into our Remedy change request process, so now we have to think about how does the Tufin change management portal and SecureChange fit into that as well. Once the USP is defined and we feel comfortable with that, we plan to use the solution to automatically check if a change…
Network Security Operations at a insurance company with 10,001+ employees
We use this product to sharpen our change cycle
What is our primary use case?The primary use case of Tufin is firewall management, firewall reviews, and eventually, to do rule deployment. It was more to start standardizing our prior work changes. The initial first step is to understand and make sure that whatever change goes in is complying to our policies and standardized. The eventual goal is to get everything automated. We are using SecureTrack at the moment, but we do have licenses for SecureChange as well.
Pros and Cons
- "We use this product to sharpen our change cycle. A request used to take quite a while as we did manual assessments. A lot of that is now done through SecureTrack."
- "In the past, we would do certain things because of private knowledge of people's own understanding of the network. We don't have to rely on just that piece of it, because of the topology. We now know which firewalls come into play."
- "The product that we have deployed for our main process gets bogged down in terms of its response. Maybe, we need to deploy a slightly smaller box. Eventually, we need to discuss this with Tufin is to see if we can move over to some sort of VM environment where we can add more processing power to it."
- "Our initial setup was complex from two dimensions, because we were deploying it globally and had to have a centralized view, but a distributed approach. We had it in Asia and North America, causing a slightly complicated approach."
What other advice do I have?It gives us visibility and the ability to make changes automatically with less mistakes. Overall, it's a decent product. Tufin is definitely a good contender to come as a winner. It has the potential to look not only at firewalls, but also network devices and other cloud-native solutions. It is a pretty broad base product, which will eventually be a good future tool to have in a toolkit. We haven't used the workflow from Tufin. We use our own ticketing system for that. We are busy integrating our ticketing system with Tufin right now using an API. We are just in the process of doing that…
Network/Security Engineer at a leisure / travel company with 51-200 employees
May 6, 2019
Firewall automation saves us hours of time, but the platform stability needs work
What is our primary use case?We are doing firewall automation through Tufin.
Pros and Cons
- "The change workflow process is flexible and customizable... If we have a firewall completed and we want to redo it, if we need to re-engineer a particular firewall and open a different destination, we can do that by creating a break-fix... That is one of its useful tools."
- "When it comes to web services, in my experience, Tomcat has always gone down; after a certain amount of load it breaks down and we have to get things restored again."
What other advice do I have?My advice would depend on what kind of implementation and what kind of environment you have. If you are looking for automation and auditing you should think about this solution. Talk to the technical guys at Tufin about how your environment works and can ask them about what they can do. If you are looking for automation you should look at Tufin. Regarding Tufin's cloud-native security features, I am only familiar with their on-prem stuff. I haven't seen any of the cloud features on Tufin yet. I would really like to know what it will bring us at the end of the day. We have three or four teams…
Service Engineer at G2 Deployment Advisors
Jul 24, 2019
Provides powerful integration with ServiceNow and other solutions using APIs
What is our primary use case?We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control. We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation. I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of… more »
Pros and Cons
- "The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions."
- "I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that."
What other advice do I have?The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation. The benefit that our customers have realized in terms of time savings has largely depended on how willing they are…
Network Security Engineer at Customer Worldpay
The most valuable feature is the Network Map
What is our primary use case?Primarily, it is being used as a type of security auditing control on our firewalls. We are in the middle of a new project acquiring dedicated new hardware while building out SecureTrack and SecureChange. After this initial project, and building out all that infrastructure is done, then there will be a project to kick off some of the automation and orchestration type stuff to try and improve some of those processes for the IT group. The goal is to use it to revalidate, clean up, and optimize firewall policies, but we are not there yet. The company has had the product in place for a while. I am… more »
Pros and Cons
- "In our current environment, the most valuable feature from Tufin is their Network Map."
- "The biggest area where I see a need for improvement is some of the documentation and training stuff. It does a really good job of hitting the big concepts, but it needs like another layer deeper of actually getting into some of the details of how to do some of the things. Conceptually, I understand how the product works, but now how do I start building stuff and integrating it into my environment."
What other advice do I have?If someone was looking for this type of solution, I would tell them, "Here are the top four solutions that I know of and the places that I worked on each of them. Here are the benefits, gossip, and downsides that I've seen for each one." Tufin has the best solution as far as it being self-contained, reliable, and integrating with the other things that you want it to integrate with. The customer service is also not arrogant like some of the other solutions. We need to utilize it to its capacity and capabilities, and we're not doing that yet. It will eventually reduce the time it takes to make…
Network Engineer Lead at a energy/utilities company with 10,001+ employees
Jul 28, 2019
We can find rules that are too broad and pull those out, putting more specific rules in
What is our primary use case?Currently, we're an electric utility. We use it for NERC CIP for validating rules into ESPs, which makes it easier for us to pull out the rules and justifications for auditors. We are using either Tufin 18-2 or 18-3 and testing 19-2. As a company, we don't have anything in the cloud.
Pros and Cons
- "The visibility is huge. In order to figure out what was going on previously, we would have to pull stuff out of firewalls and put them in spreadsheets, then do sorts. Now, it's all right there in Tufin. We can write reports to look for what we need, ad hoc searches to find object groups, and know which firewalls are on. This was almost impossible to do previously."
- "The change workflow process is getting better. I wish it was a little more customizable. Right now, my biggest issue is that it wants to optimize everything we put in. Sometimes, we need a rule to be more readable, and we want it to go in a specific way. Sometimes, it's difficult to get Tufin to accept that. It wants to optimize and reduce the number of ACLs. On the compliance side, sometimes you just want more ACLs, so it's more readable for an auditor."
What other advice do I have?Give Tufin a good, hard look. From my experience, it is the best of breed. Right now, we're focusing the implementation on our NERC CIP firewalls (the compliance stuff). We have some other teams who will be working on the corporate side and certain clean up rules along with the rest of the corporate firewalls. We are not there yet, but we're working on it.
See 46 more Tufin Reviews
Product CategoriesFirewall Security Management
Download our free Tufin Report and get advice and tips from experienced pros sharing their opinions.