Security Analyst at a retailer with 10,001+ employees
Real User
Helpful with making sure all parts of our organization are following change management
Pros and Cons
  • "It provides a comprehensive overview of what our network looks like in terms of what is allowed and what is not, then how the traffic' is flowing with the Network Topology Map."
  • "I wish there was a read-only admin option. I don't like that you have to be a full admin just to see the Network Topology Map. That option is great out there if you are a user, multi-domain user, etc. However, that piece is very helpful for us, but I also don't want to be handing out admin access to every single person so they can see that network tab."

What is our primary use case?

The primary use case is monitoring routers, switches, firewalls, but mostly routers and firewalls.

We are just using SecureTrack, either version 18-2 or 18.3.

How has it helped my organization?

We use it to aid with firewall reviews. We don't have SecureChange active, but we can take the info and use it to help. We have found a lot to work with.

Tufin has been helpful with making sure all parts of our organization are following change management:

  • If you are changing rules, then you have tickets, and there is the approval process associated with it.
  • Seeing people are sticking with those temp rules, if they end up staying there for awhile. 
  • Sometimes, there are just bad rules where something that should've been "deny" and should not be allowed.

Those are more direct examples without getting too far into the weeds.

It is greatly aided in helping us meet our compliance mandates. There used to be manual reviews for certain compliance requirements. Now, this solution helps automate a lot of that, and even the parts which are still manual. It's a lot more comprehensive than trying to read raw text files of the configs and making sense of those.

The solution helps us ensure that security policy is followed across our entire hybrid network. It is like a centralized single pane of glass where comprehensively shows things, especially coupled with the Network Topology piece that they have. You can say, "Here's where the DMZ is, and here's that. These are the amount of firewalls crosses this through." Whereas before, it was this big spreadsheet of all the firewalls and zones. Except for like two or three legacy knowledge people, no one really understood how it flowed before Tufin.

It has helped us troubleshoot, e.g., why isn't this still working? "Oh, they put it on the wrong firewall or they typoed it." The solution has helped with that.

The firewall reviews for compliance used to be a more labor intensive process. It used to take a few months, and now, it's down to just a couple of weeks.

What is most valuable?

It provides a comprehensive overview of what our network looks like in terms of what is allowed and what is not, then how the traffic' is flowing with the Network Topology Map.

With the Unified Security Policy, the more you improve it, the more you will get out of it.

For the things that Tufin is able to work with, it is really great. It sort of provides a comprehensive view. It is easier to explain to people who don't really work with firewalls everyday:

  • Why this is an issue.
  • Why certain things are an issue.
  • Why some things are the way they are.

What needs improvement?

I wish they had a credentials vault or something. Right now, you have to manually add a username and password per device, and if they are using something like in a centralized, like an AD account, that password rotates eventually. Now, I have to go back and change information for all these hundreds of devices. Whereas, if they just had some credentials vault for credential one, two, and three, then you could just reference them per device and change it in one place. It would make our lives a lot easier.

I wish there was a read-only admin option. I don't like that you have to be a full admin just to see the Network Topology Map. That option is great out there if you are a user, multi-domain user, etc. However, that piece is very helpful for us, but I also don't want to be handing out admin access to every single person so they can see that network tab. 

Tufin covers a lot of vendors, but there are still some that they don't, like Radware. Some of these vendors that they don't cover are at critical points in our company, as far as explaining the full picture of our routing. Since it can't show the full picture, it can't support that. 

Buyer's Guide
Tufin Orchestration Suite
March 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability is pretty good. We have run into repeat issues with Palo Alto Panorama, where it doesn't seem to play nice if we change the vice group names in Palo Alto or if one of the Palo Alto servers is down, but it is in Panorama, because we're pulling everything through Panorama. Sometimes, it'll freak out and cause everything else to stay and be unable to get configed. Then, our Palo Alto products will sort of cease, usually a good majority of them, which is not ideal.

What do I think about the scalability of the solution?

So far, scalability has been doing well. 

How are customer service and support?

The technical support is very good. They respond pretty fast. They are always available whenever I need it. It is usually my fault when there are delays because I just don't respond to an email. I forget, then a few days go by and email again like, "Oh, shoot." The technical support has always been on top of things.

How was the initial setup?

Someone before me had stood up the actual server on the network. They had one device, and it was monitoring. Then, I took it over. I've expanded it out to over 400 devices.

They made getting new monitoring devices in pretty easy. From the monitoring devices tab, it was pretty straightforward. You pick the vendor, then under there, this is a drop-down. I struggled a bit under the Cisco tab where they have a router, then a Nexus router. They have a lot of different vendors, and figuring out which category it falls under was confusing. The help docs don't exactly specify between the two or what commands it will be running. This is usually more for our older devices. 

What about the implementation team?

We had Professional Services hours. However, as far as getting the actual devices and scaling it out, that was all just me.

What other advice do I have?

Understand your DNS or network segment. What all these different subments and how they will fit into what categories, because you are going to directly take that info when you build out your USP. If it's too messy, your USP is not really going to do anything. You need to have a good dictionary for the USP to follow.

We aren't really using the cloud-native security features in our current environment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager of Security Engineering at Global Payments inc
Real User
Increases your productivity and simplifies your workflow
Pros and Cons
  • "It is a great solution. If you have all the devices and firewalls in place, the amount of details that you get along with the network topology is very good."
  • "I haven't seen the cloud integration yet, and I would like to see if we could audit the cloud firewalls, like the cloud-native, Azure, and Amazon. That would be nice. You want one tool to do everything. I don't want to use another tool, or manually go and audit the cloud firewalls."

What is our primary use case?

Right now, we are just using it for SecureTrack. Next year, we have plans to buy the license for SecureChange as well.

I think we're using version 18, and we are in the process of upgrading it to 19-2

How has it helped my organization?

We got Tufin from a company that we acquired, so its helping us do mitigations there. Now, we are extending the scope and implementing it in our HQ, as well. It has helped for PCI and compliance.

The solution helps us ensure that security policy is followed across our entire network. It is important to configure and define all the networks right.

One of the primary reasons why we want to use Tufin is currently we are having issues with companies from overseas who manage our firewalls. It is very inefficient where they say that they have implemented the rules, then later on we find out the implementation has not been done properly and they are missing firewalls. Hopefully, once we fully implement this tool, it should be able to tell us if firewall rules are missing. It should be able to tell them before they communicate with us. After the implementation, we can verify and make sure that everything is working and do all the validations.

What is most valuable?

It is a great solution. If you have all the devices and firewalls in place, the amount of details that you get along with the network topology is very good.

If we had the budget and money, the SecureChange is really great. What you can do and where you can push everything from one console. You can create a change and do the whole automation: create the change, implement the change, and close the change. Right now, I have to go to two, three, or four different consoles. Whereas if I had SecureChange, I could do everything in one place. From an auditing perspective, it becomes easy. Right now, I have to give a change ticket number, then show the auditor and tell them to search for that change ticket number in a different place. If everything is in one place, that makes your life easier.

The change workflow process is flexible and customizable.

What needs improvement?

I would like more API integration, API integration with the cloud, and API integration with other chain management solutions. I would also like more scripts, which would help us not have to write scripts. If you give me all this, I can use the scripts to automate stuff, making my life easier.

I haven't seen the cloud integration yet, and I would like to see if we could audit the cloud firewalls, like the cloud-native, Azure, and Amazon. That would be nice. You want one tool to do everything. I don't want to use another tool, or manually go and audit the cloud firewalls.

What do I think about the stability of the solution?

I have seen some issues with the stability. One of the things that we noticed was when R18 was released about one or two years back, it couldn't discover the newer versions of firewalls, then we had to upgrade it. After the upgrade we ran into some other issues. However, it looks like with the patches it is getting there.

What do I think about the scalability of the solution?

With the scalability, you have to use different components: the reporting server and distribution server. When we implemented it earlier, we didn't design it properly, which I feel is our issue. Once we design it properly, the way that we are implementing it now, I feel the scalability should be there.

Which solution did I use previously and why did I switch?

I have used auditing tools in the past, so I was already aware of Tufin. When I saw the processes in my company where I worked were manual, I recommended a solution, saying, "We need to expand the solution from our other company to here, as well. It will simplify our processes."

How was the initial setup?

The initial implementation was done at an acquired company, so it was already installed. However, we are doing upgrades now.

What about the implementation team?

I think we will be using Tufin for the upgrades.

What was our ROI?

We have seen ROI:

  • The productivity has increased. The team is more productive.
  • It will decrease the time of firewall implementation, which will increase the productivity in the sense that now other teams don't have to wait for their projects. 
  • This helps us simplify our processes.

Our engineers are spending less time doing manual processing. Their productivity has at least increased by 50 percent.

What's my experience with pricing, setup cost, and licensing?

We haven't purchased the license yet for SecureChange. We do have plans to buy it next year.

The additional piece, which we are buying and doesn't include our other solution, is close to 300,000.

Which other solutions did I evaluate?

We did not have have time to evaluate other solutions. Also, we already had Tufin in place in our other company. 

This seems to be a better solution than AlgoSec, which I have used in the past. I have also seen FireMon, and Tufin gave us what we needed. I didn't see a reason to explore other solutions.

What other advice do I have?

It is a great tool. It will help you increase your productivity and simplifies your workflow.

We should use it to clean up our firewall policies since the tool is there.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Tufin Orchestration Suite
March 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
Senior Network Engineer at Commercial Bank of Romania
Real User
Top 10
Simple setup, overall better network visibility, and scales well
Pros and Cons
  • "The most valuable feature of Tufin is we have better visibility and management of our file infrastructure."
  • "We need to implement micro-segmentation in our infrastructure, and we are using Cisco ACI. However, we are facing an issue with Tufin, as it does not currently support integration with ACI for micro-segmentation, even though it is advertised as such."

What is our primary use case?

I am using Tufin for audits and for deploying changes. I am working with this solution in the financial industry.

How has it helped my organization?

The solution has made our operation a lot simpler. We are able to track changes in our network

What is most valuable?

The most valuable feature of Tufin is we have better visibility and management of our file infrastructure.

What needs improvement?

We need to implement micro-segmentation in our infrastructure, and we are using Cisco ACI. However, we are facing an issue with Tufin, as it does not currently support integration with ACI for micro-segmentation, even though it is advertised as such.

There should be a feature in Tufin that would make it easier to back up configurations and schedule changes, as well as make it easier to roll back changes if something goes wrong. This would make it less time-consuming and more efficient.

For how long have I used the solution?

I have been using Tufin for approximately one year. 

What do I think about the stability of the solution?

Tufin is stable. We did not have any large issues.

What do I think about the scalability of the solution?

The solution is scalable. You can onboard a lot of devices from different vendors. It only depends on the hardware resourcing and licensing. You have to purchase enough licenses.

We use Tufin a lot. I'm an administrator of the application, and we have people who open requests in Tufin. We use an internal ticket system to record these requests. We don't have an integration with an ITSM system yet, but we plan to do so with ServiceNow in the future. Until then, users will have to use Tufin to open their own requests. I've had two experiences with technical support and I find them to be too slow. I can't really say if they are good or not, as it seems to depend on the individual company and the engineers they employ.

How are customer service and support?

I've had two experiences with technical support and they are too slow. I can't say if they are good or not, as it seems to depend on the individual company and the engineers they employ.

Which solution did I use previously and why did I switch?

I have used CDO previously. Tufin is better than CDO. If you only have Cisco devices, Tufin isn't the better option. However, if you have a multi-vendor environment, Tufin is better than CDO. The limitation of CDO is that it can only be used with Cisco. However, CDO has a better user experience when processing applications than Tufin. Additionally, the network map of CDO looks more accurate to me than Tufin.

How was the initial setup?

The initial setup of Tufin was easy.

The partners we used from Tufin in Romania were not very experienced, which caused the deployment process to take an extended period of time - approximately one year. This was due to the implementor's lack of knowledge on how to deploy the product, despite knowing how to install and onboard. We had a lot of requests, and our network was very complex, so the implementor was unable to complete the requests in a timely manner. However, we are now in a good place. We believe this issue was specific to the Tufin partner that won the auction and not related to Tufin itself.

What about the implementation team?

We used a partner of the vendor with seven of our team members for the implementation of the solution. They have to be skillful people.

What was our ROI?

We have received a return on investment using Tufin.  Tufin saves us time. Our network team can make changes more quickly. We have better visibility and management of our file infrastructure. Before we didn't have this and it was time-consuming. We use Tufin to generate reports for different security teams, and for firewall operations. We also use it to integrate Cisco ACI and segment traffic between different IT processes and destinations. Tufin has been very helpful in allowing us to detect traffic between sources and destinations, and integrate our firewalls.

What's my experience with pricing, setup cost, and licensing?

I had a bad experience with the financial department, and the price is too high. The software does work and does the job. The solution is worth the money. If I had a different partner to implement the solution, it would have been worth the price.

The solution is paid monthly. We paid approximately €‎300,000.

What other advice do I have?

We use two people for the maintenance of the solution.

I rate Tufin an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Change Manager at a pharma/biotech company with 10,001+ employees
Real User
The ability to connect with other services and software solutions via APIs is very impressive
Pros and Cons
  • "One of the things that came up this week was the ability to decommission a server, which we thought was interesting. We had a workshop recently that talked about all the things that need to be thought about when managing firewalls. People said, "A lot of times, things get forgotten when you are decommissioning a server." E.g., making sure rules are taken away and taking out the rule set. The fact that there is an automated workload for that can be helpful."
  • "I had been impressed with the depth of capabilities within SecureTrack, particularly, in terms of generating insights for a user and firewall operator. With SecureTrack, I've been impressed with the level of flexibility with workflow design and its ability to generate different work streams and flows through the tool that are customized for our organization processes."
  • "There are things that could be explained a little better for somebody brand new to this system, which could be helpful, especially if it was in real-time while you were working in the system. Having the ability in real-time to be able to understand search query suggestions would be helpful."
  • "A limitation right now for compressed firewalls is the limited ability to see above a site level in terms of the Topology Mapping in the policy display. While Tufin's actively working on a solution, or at least they have this in the queue, from being able to view this on a higher level and how all of our site networks are connected, this ability would be useful, as we expect to have these compressed firewalls in place for quite some time."

What is our primary use case?

The primary use case is processing change requests.

While our organization has implemented SecureChange and SecureTrack, we are not using either tool rather extensively. Therefore, we are trying to put together a plan for the organization to adopt these tools more firmly.

The idea is to be using SecureChange as the primary portal for entering change requests on both the perimeter and shop floor network firewalls. The way we are approaching this is to do a pilot first among a few sites, then bringing it out to a larger group once we feel more comfortable with how the pilot went.

The pilot will probably last for a couple weeks. After that, we will roll it out in buckets or groups to the rest of the sites. Then, the primary use case will be using tool for change management and SecureChange, while SecureTrack will be used by our security monitoring group who is tracking for threats.

My engagement to date and going forward will be to assist in the planning of the rollout and helping with the rollout. I make sure teams and users who will be using this tool are actually using it, including processes from: 

  • Submitting a firewall change request.
  • Price or rule requests.
  • Opening a port.
  • Firewall maintenance or maintenance processes, e.g., rule cleanup.

How has it helped my organization?

The additional visibility into network path analysis is really helpful. The ability to provide assistance with role clean up will be helpful as well.

Part of the work that one of our firewall implementation teams is doing is a justification process right now. I think that a clean up is included as part of that effort.

What is most valuable?

One of the things that we really like is the ability to customize work flow. It seems like there are ways to make a workflow robust and capture multiple different types of things that you would want to do when you are maintaining a set of shop floor network firewall rules. These include things decommissioning a server and performing a common rule maintenance process, like a recertification process. 

The linkage between SecureTrack and SecureChange is nice. The way that you can identify a rule in SecureTrack that needs to be recertified, then create a ticket in SecureChange, which can essentially implement that, and complete the recertification process for workflow. This helps us keep organized, in a big way, a complex, large set of network firewall rules. Otherwise, there is no way for us to track who the business approver or owner is for each of those rules and when the last time each of the rules was looked at. In terms of keeping this set of rules clean, it goes a long way in helping with that.

I had been impressed with the depth of capabilities within SecureTrack, particularly, in terms of generating insights for a user and firewall operator. With SecureTrack, I've been impressed with the level of flexibility with workflow design and its ability to generate different work streams and flows through the tool that are customized for our organization processes.

One of the things that came up this week was the ability to decommission a server, which we thought was interesting. We had a workshop recently that talked about all the things that need to be thought about when managing firewalls. People said, "A lot of times, things get forgotten when you are decommissioning a server." E.g., making sure rules are taken away and taking out the rule set. The fact that there is an automated workload for that can be helpful.

From the training that I've done at the conference, I like the ability to visualize the network paths between different endpoints and servers. I thought that was cool.

I have been impressed with the range of capabilities. The ability to connect with other services and software solutions via APIs is very impressive. In terms of breadth of market coverage, that seems pretty robust.

What needs improvement?

I would like a USP that was a little like an interface and a bit more intuitive. It seems like the 2.0 version did that better. 

I know when I was performing a search, like in the policy query area, some of those options as your typing could be better defined. That was one thing that came up. I would like it if there was some way to provide real-time feedback or context for each option as you are typing in search fields and search parameters.

Even somebody with relatively little experience like I have should be able to come in and have more intuition towards how to operate the solution. That would be a bit more helpful. There are things that could be explained a little better for somebody brand new to this system, which could be helpful, especially if it was in real-time while you were working in the system. Having the ability in real-time to be able to understand search query suggestions would be helpful.

A limitation right now for compressed firewalls is the limited ability to see above a site level in terms of the Topology Mapping in the policy display. While Tufin's actively working on a solution, or at least they have this in the queue, from being able to view this on a higher level and how all of our site networks are connected, this ability would be useful, as we expect to have these compressed firewalls in place for quite some time.

For how long have I used the solution?

We are using it on a more regular basis now.

What do I think about the stability of the solution?

The Tufin products seem very long-term oriented. The ability to be customized seems good. It seems like there is a good roadmap for what features need to be added.

We did a USP upload earlier this week into SecureTrack, and the upload process was okay. Some of the definitions around the columns and the formatting could be more clearly defined.

What do I think about the scalability of the solution?

The scalability seems good. It is overwhelming to think about how to define a USP potentially for the amount of networks that we have for shop floor firewalls. However, in terms of scalability, it seems like once the information is in there, it can operate well and help speed up change requests.

How are customer service and technical support?

I don't think we've worked a lot with the technical support teams yet.

Which solution did I use previously and why did I switch?

It was clear that no one was managing the shop floor network firewalls. 

Right now, there are no tools to do that. As we are hardening and locking down firewalls, the requirement to maintain and manage them becomes increasingly more challenging.

I don't think there was any tool before Tufin. The rules were historically stored in CSM and operated out of CSM. Before that, there wasn't any other way to perform a regular analysis and maintenance of firewall rules in this way from a security and policy perspective.

How was the initial setup?

The initial setup seemed like it required a lot of effort. I wasn't super close to the project during the initial setup. Now that I've gone through the training it seems a little less overwhelming.

For the initial setup, I was only involved slightly on the SecureChange side. The API integration process with BMC Remedy seems difficult. I don't know if that is a result of the way the SecureChange application is designed, or if it's a result of a challenging resource environment for focusing on the implementation and the integration of it with Remedy. But, it seems like a challenging effort.

What about the implementation team?

We used WTT for the deployment. My coworker, Dorothy, had a good experience with them. They were engaged before I joined the project.

The rollout was accomplished largely with an in-house team. The vendor that we purchased it through provided a little bit of support, but very minimal. Then, there is the team who is doing implementation with a lot of the firewall rule changes. Booz Allen has been helping a lot with the rollout, as well. I have been helping to design the rollout and adoption.

For our current implementation, which is temporary, once we move the cleanup process from this implementation team to the permanent team that is when I will be performing the work. That is when I'll be a bit more involved.

Which other solutions did I evaluate?

The company a good comparison of the different tools. I don't know if they were working with Booz Allen at the time, but Booz Allen seems to feel pretty strongly about the quality of Tufin and their user experience. It does seem like Tufin has reputation regarding its user interface that it is more friendly than other competitors.

I am aware of two other competitors who were possibly considered.

What other advice do I have?

There is a plan for clean up as part of our regular process. There is a process drafted and an intention to do that.

It seems flexible and customizable. The bigger question is whether it will integrate into our existing process effort for change management. There is an existing risk assessment process that sort of fits up into our Remedy change request process, so now we have to think about how does the Tufin change management portal and SecureChange fit into that as well.

Once the USP is defined and we feel comfortable with that, we plan to use the solution to automatically check if a change request will violate any security policy. However, we are not doing that yet.

The program that I am supporting is not engaged in any of the firewalls affecting the cloud, so I didn't have a lot of context with that.

Once we have it up and running, this solution should help reduce the time that it takes to make changes and our engineers should spend less time on manual processes.

I did training at Tufin two weeks ago.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Dominic Salzmann - PeerSpot reviewer
Senior Manager - Network-& Systems-Management at a computer software company with 201-500 employees
Real User
Top 10
Issue-free and straightforward to set up but is missing some features
Pros and Cons
  • "It is very stable."
  • "There are some missing features we'd like to see them add in the future."

What is our primary use case?

We are just using the solution as a tool for network migration management, primarily on the firewall side and inside, and to ensure we have some central view.

What is most valuable?

We discuss the solutions every year in terms of budgeting and the team has convinced me that it's necessary to spend this money on this solution. It provides value.

The initial setup is very straightforward. 

It is very stable. 

What needs improvement?

We haven't really had issues with the product.

There are some missing features we'd like to see them add in the future. 

For how long have I used the solution?

We've been using the solution for four years. 

What do I think about the stability of the solution?

The solution is stable. It doesn't have bugs or glitches. It doesn't crash or freeze. It is reliable.

What do I think about the scalability of the solution?

I can't speak to the scalability. I'm not sure if it will scale. 

We only have eight people using the product right now. They are just engineers. 

How are customer service and support?

I've never been in touch with technical support. 

Which solution did I use previously and why did I switch?

I've also used Cisco Defence Orchestrator.

How was the initial setup?

The setup is straightforward. We have a very small and streamlined setup since we use it just for specific use cases. It isn't hard for us to get it up and running. 

The deployment only takes a few days. It can take anywhere from a few days to up to two weeks, however, never more than that.

The maintenance is very minimal. We need less than one person to handle it. 

What about the implementation team?

We handled the setup in-house. We did not need to get any help from integrators or consultants. 

What was our ROI?

It's really difficult to really have KPIs which shows return on investment on such tools. While there is a return on investment, it's not quantified.

What's my experience with pricing, setup cost, and licensing?

I can't speak to the exact cost of the licensing. The pricing is somewhere in the middle. It's quite normal and not overly costly. I'd rate it a three out of five in terms of affordability. There are no extra costs involved. 

What other advice do I have?

We are customers and end-users. 

I'm not sure which version of the solution we're using. 

I do not work directly with the solution.

I'd rate the solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
CyberSecurity Supervisor at a energy/utilities company with 10,001+ employees
Real User
Helps with compliance and drastically cuts down on the time it takes us to make changes
Pros and Cons
  • "A customer is able to submit a request for access and Tufin will automatically analyze the system to find out where the rule needs to go, and then design the rule for you."
  • "We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket."

What is our primary use case?

We use this solution for firewall rule management.

How has it helped my organization?

Using this solution has drastically cut down on our implementation time. A customer is able to submit a request for access and Tufin will automatically analyze the system to find out where the rule needs to go, and then design the rule for you. It was a very, very cumbersome process that has been cut from months to days. Some access requests used to take two months to get through the system, whereas now the average is eight days or less, and we even have a same-day turnaround in some cases.

Our engineers spend less time on manual processes. The improvement is drastic, from months to days.

Every single request that comes through, Tufin checks and does a risk assessment against our USP, the Unified Security Policy.

This solution has helped us from a compliance standpoint. During an audit, we were able to pull up the policy browser within the system and show the auditors where the rules actually live, and then show them in the firewall as well. Moreover, we could then show them the ticket and the request, along with the business justification and the entire history behind each individual rule that's in the firewall.

Tufin helps us ensure that the security policy is followed across our entire hybrid network. We have Palo Alto firewalls, Cisco firewalls, and VMware NSX firewalls as well. Tuffin sees all three of those. Every access request that comes through is checked against the USP to make sure that we're not violating any policies, and we're in compliance.

What is most valuable?

The most valuable feature is the ability to quickly identify where a rule needs to be put in place because right now we manage almost five hundred firewalls.

The visibility that this solution provides is great.

The workflow process is very customizable. I've played with it quite a bit in order to tailor it to our needs.

What needs improvement?

One of the big things that I want to see, based on feedback that I have received, is to give somebody read access to your ticket. In our previous, in-house system, this was called a "reader". Right now, Tufin's SecureChange ticketing system only allows you to see your tickets, and nobody else's unless you're a firewall administrator. That is by design. However, at our company, many people come and go and there are many large projects. We need multiple people to be able to see multiple tickets. The problem is that we can't open up the entire system to everybody because of compliance reasons. We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket. A simple drop-down that would allow you to select the name would be sufficient.

What do I think about the stability of the solution?

This solution is very stable. Once we got to a certain release, somewhere in version R18, it was stable. Before that, it would slow down after about a week or two of running and would cause us to have to restart the system.

What do I think about the scalability of the solution?

We've added more servers to process the load, and it's definitely helped speed up the system.

At this time, we manage almost five hundred firewalls.

How are customer service and technical support?

Technical support for this solution has been helpful. We also have a Tufin RE (Resident Engineer) on staff, three days a week, so that helps too.

Which solution did I use previously and why did I switch?

The previous system that we used was something that was homegrown, just built in-house. It was only a ticketing system. Everything else was done manually. My employees would spend days just trying to figure out where the rules needed to be applied, and how the rules needed to be designed. It was a very long, manual process.

What about the implementation team?

We used a consultant from Tufin, itself, for our deployment.

What was our ROI?

Our ROI is realized through time savings, whether it's in the deployment or redeployment of something, or any other task that requires the creation of a firewall rule. The request would be made months in advance because they knew it would take months to get it place. Nowadays, sometimes they'll find out last minute they need some rules. They'll submit the ticket, contact us, and ask for a rush order on it. If we've got somebody available, which right now we can do because we're able to turn things around faster, we can do a last-minute large request and push it through within a day or two. The savings in time is something that I don't even know if I can calculate properly.

Which other solutions did I evaluate?

I believe that FireMon was considered before we chose this solution.

What other advice do I have?

This solution works very well and it does the job. The product is pretty solid. At the same time, some of the small customizations would be very useful. It just needs little minor tweaks to really take it to the next step.

My advice to anybody who is researching this or a similar solution is to give it a look. Don't overlook this solution because you haven't heard of Tufin, because it's actually a really decent product. 

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Information Security Consultant at Deutsche Telekom Security GmbH
Consultant
Top 10
Effective security auditing, simple implementation, and helpful support
Pros and Cons
  • "The most valuable feature of Tufin is security auditing. We are able to check the rules and compliance of the company, for example, what is allowed or not. We are able to check the rules over different gateways and set over firewalls."
  • "The reporting function could improve in Tufin. For our clients with companies that have strong compliance, reporting privacy data is mostly a problem. In the IT department, private data needs a function that one person can analyze it. It requires multiple people to analyze the data."

What is our primary use case?

Tufin is used for the design proposals process.

What is most valuable?

The most valuable feature of Tufin is security auditing. We are able to check the rules and compliance of the company, for example, what is allowed or not. We are able to check the rules over different gateways and set over firewalls.

What needs improvement?

The reporting function could improve in Tufin. For our clients with companies that have strong compliance, reporting privacy data is mostly a problem. In the IT department, private data needs a function that one person can analyze it. It requires multiple people to analyze the data.

Tufin currently supports various firewall gateways, such as Checkpoint, Palo Alto, Fortinet, and Cisco. However, it would be beneficial if they expanded their support to include other security providers. For example, in Germany, government agencies often use specialized firewalling components from companies, such as Genua and Rohde & Schwarz. It would be a valuable addition for Tufin to include support for these solutions to better serve the German market.

For how long have I used the solution?

I have been using Tufin for approximately five years.

What do I think about the stability of the solution?

I rate the stability of Tufin an eight out of ten.

What do I think about the scalability of the solution?

Tufin is more suitable for enterprise companies. The benefits of the solution come when you have 10 to 50 gateways, and you have to control all the rule sets and do a revision over this installation. This is when you see the benefit of a central auditing tool, such as Tufin.

I rate the scalability of Tufin a seven out of ten.

How are customer service and support?

Tufin's support is helpful. However, it can take some time to get a resolution to a problem. My colleagues have had some success with Tufin's support, but they often have to start at the first level of support and work their way up to the second or third level before they reach someone with a deeper knowledge of the issue. It would be more efficient if there was a way to reach higher-level support directly, as it can take a lot of time to get to the experts. The first two levels of support are not very helpful, as they often just ask a lot of questions without providing solutions.

Which solution did I use previously and why did I switch?

I have previously used AlgoSec. However, Tufin suits my customer's use case better.

How was the initial setup?

The initial setup of Tufin is simple. I receive feedback from my customers that they don't need much time to be familiar with the software.

The implementation typically can be done in one day. However, it depends on the number of gateways in the management system.

What about the implementation team?

My team gives our customers an introduction to Tufin, helps with the initial configuration, and then the handover. If it is a large implementation we will use three people to assist.

What's my experience with pricing, setup cost, and licensing?

Tuffin is expensive, and we have to explain to our customers the benefit for them to purchase. If we explain the benefits in the correct way they do not mind the price. We typically do costing for the customer for three to five years. We make the general total cost of ownership at the beginning of a project for our customers.

What other advice do I have?

Tufin is the most useful when working with multiple gateways and different administrators who manage firewall rules. It can also be beneficial for security operations centers that are responsible for monitoring and maintaining the rule sets. This is the message we convey to our customers when recommending Tufin.

I rate Tufin an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Works at Daimler AG
Real User
Tufin is a great tool to automate Firewall change
Pros and Cons
  • "There are a lot of benefits to using the reporting. It gives us duplicate objects, duplicate services, shadow firewall rules, and the firewall rules not needed for a given number of days or months."
  • "There are pros and cons to the workflow. You cannot customize it fully and there are some limitations. You cannot create a pure object, a firewall, IP, or service (single layer) object. You can only create a firewall object group. That is one of the challenges."

What is our primary use case?

Automate the firewall change via SecureChange Workflow

How has it helped my organization?

1. Policy Optimization by using Tufin APG under SecureTrack. If you have a wide open policy, and you want to restrict it into fewer lines of policy based on last 30 or 90 days hits, you can use APG tool to build restrictive policy.

2. Firewall Cleanup: Deletering unused Rules, unsed objects, duplicate objects from firewall database, by using the report created by Tufin under SecureTrack. You can run this report on Tufin SecureChange to delete all the unwanted space. This will save tons of space on your Firewall database.

3. SecureChange Workflow: You can link Tufin to ticketing system to upload the firewall change ticket, and use the workflow to fully automate the firewall change process, from start to finish

4. Topology: If you a good topology, you don't need to see routing table on Firewall, or going through any visio network design to find the L3 networks in your enterprise. Topology under SecureTrack helped me a lot

6. Enterprise Unified Security Policy: Once I do have an Approved Unified Security Policy from the CISO, I don't need to ask approval for each low risk firewall change. USP not only saved CISO busy time, but also increased the efficiency of firewall team. The firewall change request doesn't have to stay in Approver Pending steps

What is most valuable?

SecureChange Workflow: It is Firewall Admin Robot, which handles the ticket right from receiving until the implementing process with documenting all the approvals.

What needs improvement?

1. Tufin workflow doesn't support IPS module, Identity Awareness Module, Policy Inline layer (Checkpoint)

2. Limitation on edit/create Group object: You can't create group Service object

3. You have to run Designer to Assign Firewall Rule Name, and Rule Number. By default, Tufin uses topology

For how long have I used the solution?

3

What do I think about the stability of the solution?

Tufin is very stable. There have been no major outages. 

Sometimes there is an SSL correction between Tufin and the management server. Sometimes it gets broken but I don't why. Apart from that, it is very stable.

What do I think about the scalability of the solution?

We can add as many firewalls as we need. It's just a matter of purchasing the licenses. It has good scalability.

How are customer service and technical support?

Tech support is very bad. I would give a zero rating to tech support. Compared to Check Point and Fortinet, Tufin tech support is worse. Even the Professional Services team doesn't like to respond to email. It is poor.

My team doesn't have a good relationship with Tufin. The Professional Services and even our Tufin account manager are not friendly. They're not helpful to us. But the Tufin product is fine.

How was the initial setup?

The initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

I believe our cost is more than $100,000 per year.

Which other solutions did I evaluate?

We haven't evaluate any competitors or consider other products.

What other advice do I have?

Tufin is not mandatory to manage firewalls or to manage any products. But it supplements. It will help you to get approvals and to push firewall policies. In the long run, when you have to manage hundreds of firewalls, obviously Tufin will help.

We are working on the USP, but so far we only rely on Tufin between about ten and 20 percent to see USP violations.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Tufin Orchestration Suite Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2024
Buyer's Guide
Download our free Tufin Orchestration Suite Report and get advice and tips from experienced pros sharing their opinions.