We just raised a $30M Series A: Read our story

Tufin OverviewUNIXBusinessApplication

Tufin is the #2 ranked solution in our list of top Firewall Security Management tools. It is most often compared to AlgoSec: Tufin vs AlgoSec

What is Tufin?

Tufin enables organizations to automate their security policy visibility, risk management, provisioning and compliance across their multi-vendor, hybrid environment. Customers gain visibility and control across their network, ensure continuous compliance with security standards and embed security enforcement into workflows and development pipelines. 

Tufin Buyer's Guide

Download the Tufin Buyer's Guide including reviews and more. Updated: September 2021

Tufin Customers

3M, AT&T, Blue Cross Blue Shield, BNP Parabas, ConocoPhillips, Deutsche Bank, GE, IBM, Pfizer, United States Postal Service 

Tufin Video

Archived Tufin Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
reviewer1188195
User
Real User
Improves visibility, saves time, and assists with compliance

Pros and Cons

  • "The filtering of lots of criteria is very valuable."
  • "I would like to see more configuration options on next-generation firewalls, defining possible standards for devices."

What is our primary use case?

We use this solution for recertifying connections, application-based automation, and compliance with regulations.

How has it helped my organization?

The workflows save time and speed up the authorization processes for applications. For network operators, it enhanced visibility. For application operators, it increased knowledge of dependencies and also provided them with impact awareness.

What is most valuable?

Before this solution, we used Excel sheets. This approach did not provide ways to filter the options for implementing changes. The filtering of lots of criteria is very valuable.

What needs improvement?

I would like to see more configuration options on next-generation firewalls, defining possible standards for devices.

For how long have I used the solution?

We have been using this solution for more than three years.

What do I think about the stability of the solution?

The tool is highly reliable.

What do I think about the scalability of the solution?

We have not run into limitations around scalability. Depending on the devices, it is better to have a sizing discussion with the sales engineer.

How are customer service and technical support?

In the beginning, we did not have a dedicated support handler and it caused some issues because the service requests were interrelated. When we later obtained a central contact in support, it improved the handling.

Which solution did I use previously and why did I switch?

Prior to this solution, we used Excel and firewall vendor consoles.

How was the initial setup?

The initial setup was fairly complex because of the agreement with the network provider.

What about the implementation team?

We implemented this solution in-house with the support of Tufin Professional Services.

What's my experience with pricing, setup cost, and licensing?

I suggest talking with Tufin about the flexibility of the pricing structure.

Which other solutions did I evaluate?

We did not perform our own evaluation. However, one of the daughter companies evaluated multiple products (Tufin, FireMon, and AlgoSec) and selected Tufin. We relied on their research.

What other advice do I have?

Implementing the tool is easy, but introducing the changes within the company can be challenging.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1185804
User
Real User
APG saves us enorm time providing a new policy from millions rows of logs

Pros and Cons

  • "The Automatic Policy Generator saves time because we are able to identify the required policy when a client doesn't know what he needs."
  • "I would like to see better report integration in this solution."

What is our primary use case?

We use SecureTrack for troubleshooting, APG (Automatic Policy Generator), implementation of new requests, change monitoring, rule and object usage reports.

This solution provides an unified display of rules across vendors.

We use this solution e.g. for cleanup and processing of shadowed rules.

How has it helped my organization?

Using this solution saves us time and money. The Automatic Policy Generator saves time because we are able to identify the required policy when a client doesn't know what he needs.

We are able to perform an inventory analysis for colleagues.

What is most valuable?

The most valuable feature of this solution is APG, the Automatic Policy Generator. Further there are very good capabilities for policy browsing and reporting implemented.

What needs improvement?

I would like to see better report integration in this solution.

For how long have I used the solution?

I have been using this solution for ten years.

What do I think about the stability of the solution?

I would rate the stability of this solution a nine out of ten.

What do I think about the scalability of the solution?

The scalability of this solution is ok.

How are customer service and technical support?

The technical support team for this solution is very polite.

There was some functionality in the integration with Check Point that was initially working not in the best matter, and it was only fixed after Check Point got involved.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

The initial setup of this solution was not complex. It was simple.

What about the implementation team?

Our in-house team handled the implementation and deployment of this solution.

What's my experience with pricing, setup cost, and licensing?

Tufin is expensive but it is very good.

Which other solutions did I evaluate?

We did evaluate other options. However, Tufin was the best one that we tried.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about Tufin. Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
541,708 professionals have used our research since 2012.
reviewer1185783
User
Real User
Reduces effort required for audits and automated reporting helps with compliance

Pros and Cons

  • "The automated reporting on a regular basis is helping us to be compliant with legal requirements."
  • "I would like to see the setup of the Unified Security Policy simplified."

What is our primary use case?

We are using Tufin to manage our multi-vendor firewall environment.

We are using the Secure Change workflow to request, asses, and implement Firewall requests. Secure Track is used from our Security and Audit department for regular policy reviews.

How has it helped my organization?

Due to the usage of Tufin, we reduced the manual effort during audits to a minimum. The central place to request Firewall Rule Changes supports our Operation teams in a multi-supplier environment on a daily basis.

What is most valuable?

The automated reporting on a regular basis is helping us to be compliant with legal requirements.

What needs improvement?

We would like to see granular user permissions on SecureTrack.

The topology should be made easier to configure.

I would like to see the setup of the Unified Security Policy simplified.

For how long have I used the solution?

We have been using this solution for six years.

What do I think about the stability of the solution?

We have had no outages over the last six years, so this solution is very stable.

What do I think about the scalability of the solution?

This solution is highly scalable.

How are customer service and technical support?

Customer support reacts very fast. Due to the complexity, sometimes additional support levels need to get involved.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

The initial setup was complex.

What about the implementation team?

A mix of Tufin Professional Services and in-house.

Which other solutions did I evaluate?

We evaluated other options before choosing this solution.

What other advice do I have?

I recommend getting Tufin Professional Services involved when implementing automation.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PC
Owner at SIS International HK Limited
Reseller
Interactive Map helps us improve efficiency and maintain our internal network topology

Pros and Cons

  • "Tufin assists us in maintaining a robust view of our internal network topology."
  • "The product should integrate with the UTM features."

What is our primary use case?

We use Tufin for firewall management, firewall compliance monitoring, and unified policy implementation.

How has it helped my organization?

Tufin assists us in maintaining a robust view of our internal network topology. This topology may be built with a certain period, but it saves lots of operational and audit time in the long run.

What is most valuable?

The most valuable feature of this solution is the Interactive Map. The interactive map would show our network topology, which would benefit in terms of understanding our environment (especially for new staff) and first-level investigation (including end-to-end firewall path analysis).

What needs improvement?

The product should integrate with the UTM features. It may benefit the firewall implementation and migration.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
EJ
Manager at PG&E Corporation
Real User
The Unified Security Policy has helped enforce our compliance requirements

Pros and Cons

  • "This solution has helped us to meet our compliance mandates. We implemented the Unified Security Policy (USP). This helped enforce what compliance requirements that we had. We have mitigated and remediated issues that have been brought forth due to that USP showing us issues."
  • "The metrics need improvement. They need more consistency or understanding of automation, along lines of customization of automation."

What is our primary use case?

  • Firewall audits
  • Firewall rule processing
  • Path analysis

How has it helped my organization?

We use Tufin to clean up your Firewall policy. We can look at the historical rules and find out what is violating our USP, then make a change accordingly.

This solution has helped us to meet our compliance mandates. We implemented the Unified Security Policy (USP). This helped enforce our compliance requirements. We have mitigated and remediated issues that have been brought forth due to that USP showing us issues.

What is most valuable?

Firewall rule processing and compliance are its most valuable features.

The visibility is good. Overall, I can see the rules and headcount.

The change workflow process is flexible and customizable. I made my own custom workflow.

What needs improvement?

The metrics need improvement. They need more consistency or understanding of automation, along lines of customization of automation.

Going forward, we would like a whole bunch of stuff regarding metrics and reporting. Also, a whole bunch of stuff regarding stopping SLAs when it goes back to the user or requester.

I'm struggling with cloud right now.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

We own nearly two million dollars worth of equipment. It is scalable.

How are customer service and technical support?

I have not placed a technical support query.

What about the implementation team?

We used Professional Services with consultants for the deployment.

What was our ROI?

I'm saving 20 man-hours a week, so I am seeing some ROI.

In January, it took us 25 days to process a firewall rules request. By June, it took us eight and half days using the solution.

This solution helped reduce the time it takes us to make changes by 66 percent.

What's my experience with pricing, setup cost, and licensing?

The licensing costs are a significant amount of money.

Which other solutions did I evaluate?

I am a previous FireMon customer. Tufin beats FireMon hands down.

What other advice do I have?

Give it a try. Get a full list of Layer 3 devices available, import it into Tufin, look at the topology, and work forward from there.

Currently, we are still not provisioning.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
GK
Network Engineer at a healthcare company with 10,001+ employees
Real User
Change workflow process is flexible, customizable, easy to set up, and super-efficient

Pros and Cons

  • "It's hard to pick the most valuable feature. All of them are valuable, they're all critical for us... ChangeTrack obviously has a lot of very good features, like the risk analysis, the USP, and the Policy Browser."
  • "The Topology Map, which feeds into our SecureChange - the latter being an automation platform - there's a lot of synergy between the two."
  • "Tufin has come a long way when it comes to visibility. What we would like to see is a little bit more on the discovery level, network discovery, which Tufin does not have today."
  • "More API integration with third-party platforms is something that we would definitely like to see in upcoming releases."

What is our primary use case?

Our goal is to move towards a completely automated system within our organization. We also want to integrate different business units, see what our vision is from an automation standpoint. In addition, we want to get complete visibility across all the different platforms that we have.

How has it helped my organization?

We use Tufin to clean up our firewall policies. It makes our firewalls and our security-stack devices a little bit more bulletproof. We are in constant compliance and it's nice for us to know what's out there and what's actually being used, from a business standpoint and also from an operational standpoint.

Also, what used to take us a few days to implement from inception to final, is now accomplished within a day. But our goal is to move it to a matter of a few minutes. Overall, holistically, it gives everybody a chance to focus on the more important tasks at hand and to be cognizant of automation as it comes along.

It has also helped reduce the time it takes to make changes. The process used to take a few days to a week. In some cases, given the complexity of our projects, it used to be a little bit more than a week. Now, it has come down to a day or two at the most. We want to shorten that as well, to bring it down even more. But it's far better than what we had many years ago.

Our engineers are spending a little less time on manual processes. There's always that constant time spent to keep the product and the platform up to date but, overall, they're spending a little bit less time.

What is most valuable?

It's hard to pick the most valuable feature. All of them are valuable, they're all critical for us. It depends on which application we're talking about. ChangeTrack obviously has a lot of very good features, like the risk analysis, the USP, and the Policy Browser. The Topology Map, which feeds into our SecureChange - the latter being an automation platform - there's a lot of synergy between the two. All the features that we have used are critical and are good.

The change workflow process is flexible and customizable. It's not 100 percent but it's definitely in the high 90s. It is very customizable, it's easy to set it up. There are certain fields that we feel might require some enhancements but, overall, it is customizable. It's very easy to use and super-efficient.

What needs improvement?

Tufin has come a long way when it comes to visibility. What we would like to see is a little bit more on the discovery level, network discovery, which Tufin does not have today. It does a pretty good job when you statically define the endpoints; it goes and discovers them. But an auto-discovery feature on the network would be awesome.

More API integration with third-party platforms is something that we would definitely like to see in upcoming releases.

Enhanced reporting and enhancements to some of the dashboard features would be good too.

What do I think about the stability of the solution?

The solution is very stable so far. Within our environment it doesn't cause major outages. There have been a few instances where we did run into issues but they were things that we could fix relatively easily, with less of an impact to the business.

What do I think about the scalability of the solution?

The scalability is pretty good. Right now, our solution is a little bit more contained, given our business requirements. But we don't see scalability as a roadblock if we do have to expand it out or scale out. No complaints there.

How are customer service and technical support?

Tech support has been phenomenal. It's very easy to get someone on the call and resolve an issue. They've been really good.

Which solution did I use previously and why did I switch?

We knew we needed to switch based on past lessons we learned. The overall goal was to have a better and efficient system going forward. With automation on the grid, this was a win-win solution for us. It was able to provide us everything that we were looking for and also help us meet our roadmap goals as well.

How was the initial setup?

Very straightforward. There was nothing complex about the initial setup. It's easy to get it up and going in a matter of a few hours.

What about the implementation team?

We pretty much did everything on our own with a little bit of help from Professional Services. When it came to customization we did leverage some of their expertise. But most of the solution was rolled out in-house.

What was our ROI?

We do see some return on investment but the financial toll, the prices, are always going to be up there. Tufin does a pretty job in working with us to reduce the cost or give better discounts so there definitely is an ROI.

What's my experience with pricing, setup cost, and licensing?

The cost is pretty high. It's close to seven figures. That only goes to show our commitment to using the solution and the products to reach our goals.

Which other solutions did I evaluate?

We did look at one other solution but the other solution was not close to what Tufin was able to provide, given our enterprise requirements. That basically helped us move in the direction of Tufin.

What other advice do I have?

Tufin provides a very comprehensive solution. Anyone looking to go down the path of automation should not look any further because Tufin will be able to meet their requirements and scale out really effectively.

We don't yet use the solution to automatically check if a change request will violate any security policy rules. We are in the process of building that. Similarly, we are still working on having the solution ensure that security policy is followed across our entire hybrid network.

We are in the cloud but we haven't yet started using the Tufin solution actively in the cloud. We are still in a trial phase as of now, but so far the results have been pretty good. We tend to test things out a little bit more but the results have been positive and favorable for us to move forward.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Michael Utech
Network Security Engineer at Customer Worldpay
Real User
The most valuable feature is the Network Map

Pros and Cons

  • "In our current environment, the most valuable feature from Tufin is their Network Map."
  • "The biggest area where I see a need for improvement is some of the documentation and training stuff. It does a really good job of hitting the big concepts, but it needs like another layer deeper of actually getting into some of the details of how to do some of the things. Conceptually, I understand how the product works, but now how do I start building stuff and integrating it into my environment."

What is our primary use case?

Primarily, it is being used as a type of security auditing control on our firewalls. We are in the middle of a new project acquiring dedicated new hardware while building out SecureTrack and SecureChange. After this initial project, and building out all that infrastructure is done, then there will be a project to kick off some of the automation and orchestration type stuff to try and improve some of those processes for the IT group.

The goal is to use it to revalidate, clean up, and optimize firewall policies, but we are not there yet.

The company has had the product in place for a while. 

I am giving up the web proxy stuff, so I can become the SME on the Tufin.

How has it helped my organization?

The plan is to integrate it into things, like ServiceNow, then use the automation. That was one of the strengths in the decision to stay with Tufin and invest more resources into it. 

My hope is to use this solution to automatically check if a change request will violate any security policy rules. It is not doing any of that right now.

Right now, our compliance mandates are all over the place, but previously, what they were doing is they were just taking screenshots of something, and I don't know how we passed our audits.

I was shocked and appalled that the current network team isn't even using it right now. In previous roles in previous companies, this product (or one of the competing products) was like the lifeblood of how we worked. It was like step two, after picking up a ticket. We went to use this tool to see where we needed to make changes. That they're not doing that explains why they're probably having to do rework 60 percent or higher limitation tickets, because they're missing devices or it is not being implemented properly.

What is most valuable?

In our current environment, the most valuable feature from Tufin is their Network Map because our network team can't give us a network map. Tufin has given me more than what the network team have ever given me, as far as documenting the network infrastructure. So, I'm thrilled.

The visibility is good.

What needs improvement?

The biggest area where I see a need for improvement is some of the documentation and training stuff. It does a really good job of hitting the big concepts, but it needs like another layer deeper of actually getting into some of the details of how to do some of the things. Conceptually, I understand how the product works, but now how do I start building stuff and integrating it into my environment. 

Just being a bit more upfront and honest about issues, as far as like HA, distributed stuff, and the need for load balancers, if you want to do HA. Nobody ever likes talking about the fact that their solution really isn't truly HA, you got buy an F5 to sit in front of it if you want to do HA, or something like that. Everybody shies away from talking about that, but if you get that out upfront, then the engineers can be prepared for it, then they can try and figure it out and make it work. This is not unique to Tufin. Everybody is like, "Oh yeah, we do HA." Then, three months later, after you have bought some stuff, now you're just like, "Oh no, we got to have an F5 in front of this. That didn't even come up in our discussions. So, how do I get resources away for that? Because I don't have an F5 in this environment, and I need one." 

I just found out some of the things that I need to use right now, like the reports from the report package are only available on 17-3 and above, and I need that as soon as possible. Hopefully, we will upgrade to 19-1 or 19-2 even before I go to bed tonight.

It is sort of an uphill battle right now to ensure that it has all the visibility that it needs, so we can be assured that it is doing what it will do.

For how long have I used the solution?

I've only been with the company about a year and a half now.

What do I think about the stability of the solution?

The stability is solid.

What do I think about the scalability of the solution?

The scalability is good.

How are customer service and technical support?

I have not used the technical support yet.

Which solution did I use previously and why did I switch?

I've used Tufin, Firemon, AlgoSec, and all the other solutions at other companies before, and seen what we've been able to do with them. So, when I came to this company, it was just like, "Okay what's our tool? Oh, it's Tufin. What do you mean nobody's using it?"

How was the initial setup?

The initial setup is not even complete yet. We bought some stuff, then had it shipped. There are some additional discussions which are going on next week after this, where there will be some design tweaks which will occur. At first, we were thinking of using VMs for the distributed stuff and collectors, but we can't get those level of resources from the server team. So, we will be better off just buying smaller hardware boxes and having them completely managed by us that way it will be easier. Also, we'll be able to complete it much faster in our environment.

What about the implementation team?

We are using a reseller, but I'm not exactly sure how that relationship even works right now. It is really early. Our stuff has been bought and shipped. We are still trying to complete internal documentation, so we can start doing stuff.

Which other solutions did I evaluate?

I wasn't part of the bake-off. I think the company went in the right direction, and I am glad that they didn't even look at FireMon.

While our UK side has Skybox, which I have never even seen, the orchestration piece was really the key to solidifying us on the Tufin solution.

I was talking to somebody earlier today who said that Skybox has a more powerful Network Map than what Tufin has, but I haven't even seen Skybox,

What other advice do I have?

If someone was looking for this type of solution, I would tell them, "Here are the top four solutions that I know of and the places that I worked on each of them. Here are the benefits, gossip, and downsides that I've seen for each one." Tufin has the best solution as far as it being self-contained, reliable, and integrating with the other things that you want it to integrate with. The customer service is also not arrogant like some of the other solutions.

We need to utilize it to its capacity and capabilities, and we're not doing that yet.

It will eventually reduce the time it takes to make changes. I don't know how much time it will save, since a lot of the manual processes are done by another team. I am still building my team underneath me.

The cloud stuff is great, but I am sort of scared to look at it because we still trying to work out our traditional stuff being compliant and under control, then doing what it's supposed to be doing. I can't even imagine what the developers are doing in the cloud stuff.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PM
Senior Network Engineer at a financial services firm with 10,001+ employees
Real User
Helps with auditing by proving what changes were done, when, and by whom

Pros and Cons

  • "The best feature for me is being able to look up objects within all of our policies, because we have a little over 12,000 rules and over 30,000 objects. When one person says, 'Hey, where's my server?' I can just go to Tufin and say, 'Hey, where is that server?' and very quickly it tells you where it is, what policy it's on. That is a life saver."
  • "For me, there are two things that can make Tufin a bit better... [It needs] a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it."

What is our primary use case?

We use it for rule re-certification and rule review. Twice a week, we use the Tufin report to see what changes or adds were done to the policies. Finally, we also use it for rule automation. We have it integrated with ServiceNow for rule requests.

How has it helped my organization?

It has improved our organization through the beginning of automation. It has also helped in terms of auditing. Tufin is a convenient way for us to show and prove what changes were done, when they were done, and by whom they were done.

Tufin also helps ensure that security policies are followed across our entire hybrid network. We use the USP, Universal Security Profile, which is governed by our cyber team. That team sets up the parameters and then, through the automation, when a request comes in, the first thing it does is check if it meets or violates. If it violates, it sends it right back to the requester. Another way we do it is that when somebody puts a request in, it goes through the USP. Then the cyber team combs through it to make sure that whatever service they're asking for can happen. For example, if someone wants Dev going to the internet, of course that's not going to happen. They'll filter all that out before it comes to us. Once it comes to us, we'll implement it, and then we comb through all the reports and make sure that nobody missed anything.

It also helps expedite changes.

What is most valuable?

The reports are very valuable. In terms of cleaning up firewall policies, we use Tufin to gather information in the reports. However, we don't automate Tufin to do the work. It's still done by a firewall engineer.

But the best feature for me is being able to look up objects within all of our policies, because we have a little over 12,000 rules and over 30,000 objects. When one person says, "Hey, where's my server?" I can just go to Tufin and say, "Hey, where is that server?" and very quickly it tells me where it is, what policy it's on. That is a life saver. Without that, I'd be a janitor.

The visibility it provides is also very good.

The change workload process is flexible and customizable. For example, we have it working with ServiceNow. When somebody requests to have a rule in place or requests a firewall, they will first go to ServiceNow and put all their information in. ServiceNow then sends that over to Tufin and Tufin does its magic - verifies the USPs and does the design. That part is simplified. However, there are little mechanics in between that could be a lot better.

We use the solution to automatically check if a change request would violate any security policies or rules. Our cyber team is on it as well. We comb through all the changes done for that rule and verify. Before we do a push, we verify that there was no compromise to our security posture.

What needs improvement?

For me, there are two things that can make Tufin a bit better. This could be something on my end that I don't understand or maybe it can already be done and I don't know, but the two things that I am hoping to get out of this couple of days here at Tufinnovate 2019 are: have a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it.

In my industry, the banking industry, we're heavily regulated. Auditors are everywhere and they want everything accounted for. When I do a rule re-certification, I have to justify why that rule still there, who is using the rule, what's going on. Or if it hasn't been used, I want to get rid of it. But I don't want the onus to be on the firewall team. I want that onus to be on the person who requested the rule. I'm trying to figure out a way that I can have Tufin say, "Hey, look, John or Joan, your rules haven't been used in a year," or "Do you still require these rules or these servers?" and it would give them buttons to click, either "yes" or "no".

If they hit "no," Tufin would say, "Thanks very much," and disable them for 30 days, in case they made a mistake, and after 30 days, it would remove them. That type of automation would save us so much time. Right now, there are three people doing that job.

As an example with rules, when I look at a rule it will tell me how many days it was hit, when the last hit was, when it was last modified, but I can't get a creation date. What date was it created? It must know when it was created because it created an OUI for the rule. I asked support and they said, "Well, go here, go there, do this, spin your head and tap three times, and if you're lucky..." And I'm thinking, "Can you not just tell me the date it was created?" Then I could filter on those as well. Right now, I can't filter on rules that are over five years old, for example. Even when they're in use, I still want to see old rules. Maybe they've got old services that shouldn't be working anymore.

I would also like to see better logging.

SecureChange could be a bit better, at least with integration with ServiceNow or some of the other ticketing tools.

What do I think about the scalability of the solution?

The scalability is amazing. We have it in two data centers. We have full redundancy with it. I have no qualms about its scalability, whatsoever.

How are customer service and technical support?

Technical support has been very good. I've dealt with Professional Services and I dealt with a programmer when we did our ServiceNow with Tufin. They were really good; two of the best guys. Top-notch. My Professional Services guy is awesome. He's my go-to guy. The other gentleman, whose name is Neil, was really good. He was very kind, very accommodating, top-notch.

Which solution did I use previously and why did I switch?

The switch to Tufin was done before I got to this company, but if I had to guess, I imagine somebody tried to jump out of the window or thought, "I'm going to go nuts if I have to look up one object in a pool of 30,000 and 8,000 rules." It's over 80 firewalls.

How was the initial setup?

The initial setup was complex because we had to integrate with ServiceNow. That's what made it complex. Tufin would say, "Hey, we can do this," and ServiceNow would say, "Yeah, we can't do that." Or ServiceNow would say, "We do it this way," and Tufin would reply, "Yeah, that's not going to happen."

If it was just a stand-up and write some custom workflows, that would have been a lot easier.

What about the implementation team?

We had a vendor or reseller with us, but they didn't have much experience with the size of network we have, so they were more listening in and trying to get experience while things were going on. I'm okay with that. At the end of the day, it was the Tufin guys who actually brought it all together.

What was our ROI?

If we look at the cost of a firewall engineer and the time saved as return on investment, we have seen a return. If we didn't have Tufin at all and the work that I'm doing now had to be done manually, those hours are about a four-to-one ratio. So that is a return on investment.

What's my experience with pricing, setup cost, and licensing?

The cost is too much. For us it's around $40,000.

What other advice do I have?

I've already recommended Tufin to other people, absolutely. There was another company that has Check Point, I'd meet with them at Check Point expos and we'd talk. I would tell them I'm doing the rule re-cert with the bank and tell them, "Get Tufin." The first thing you want to do is get SecureTrack. Get it set up, get it working. Then you can grow from there. If you don't know what's going on with all the policies, you're blowing your brains out. I always recommend Tufin.

We're working on getting the solution to help us meet our compliance mandates. That's one of my projects, starting this year.

In my opinion, the solution’s cloud-native security features are good. I just don't have anything to compare them to. I can't say I have worked with AlgoSec or FireMon so I can't compare Tufin and say, "Oh, you guys are much better than that guy." Tufin is the only product I've worked with in policy management.

Tufin is better than the way we're using it. I firmly believe that we're not using it to its full capability. It's like having a Ferrari in the garage but using it to go get groceries. Someone might look at it and say, "Oh my God, we could be on the Autobahn, flying." And I say, "Yeah, I know, but I need groceries." I don't think we're using it to its full potential. However, from what I'm seeing now, and in future developments based on this conference, it's going in the right direction.

I would rate it at eight out of ten. We are strictly a Check Point shop for firewalls. We don't have other vendors. I can see where, if I had Palo Altos and Fortinets and Ciscos, Tufin would be Godsend. I wouldn't have to go combing through every vendor. Whereas for us, it's already together. That may be why I don't rate higher.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CM
Consultant at Critical Design Analytics
Reseller
The change workflow process is very easy to customize

Pros and Cons

  • "The change workflow process is very easy to customize. You can do a workflow however you want, so you can have an approval every single step. Or, you can remove approvals on certain steps, automating some steps."
  • "We have had a couple issues with the VMs, but I think it was just because they were starving for resources. A recommendation on what the virtual appliances should have for resources would be appreciated."

What is our primary use case?

We implement Tufin for other customers and help set it up. 

I'm not the end user. I just set it up for the end user.

We are using the latest version from 2018.

How has it helped my organization?

We use Tufin to clean up our firewall policies. They already have the compliance policies sort of prepopulated in there to point out violations.

Most customers will go through and check the USP to see if it violated with the designer tool.

We are in the process of working with a customer right now to set up the Unified Security Policy (USP). We got all the violations from the first phase and will go through to do the mediations, then run the scan again to show the progression of the clients.

What is most valuable?

The preconfigured PCI compliance USPs are the best part for me. These make things a lot easier.

The visualizer for the Network Topology is really good. You can see all the routes throughout your entire environment.

The change workflow process is very easy to customize. You can do a workflow however you want, so you can have an approval every single step. Or, you can remove approvals on certain steps, automating some steps.

It capabilities are very good.

What needs improvement?

Sometimes, the user interface is a little cumbersome, trying to navigate between them. In the new version, it looks like they resolved those issues. 

What do I think about the stability of the solution?

We have had a couple issues with the VMs, but I think it was just because they were starving for resources. A recommendation on what the virtual appliances should have for resources would be appreciated.

What do I think about the scalability of the solution?

We have done PR strategies and added Tufin appliances. It is super easy to just back up and restore to a new one. You can get a new appliance up and running in 20 minutes.

How are customer service and technical support?

We worked with their professional support before, but we have not worked with their Professional services.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

We are a reseller.

What was our ROI?

We've install it to make money.

Tufin does make the process faster for customers, depending on if they use SecureChange to automate their process. Everything is all in one then.

What's my experience with pricing, setup cost, and licensing?

Licensing is on a customer by customer basis.

What other advice do I have?

Try Tufin out. Make a PoC of it. That is how we sell most of our products because it works well.

Our customers do not have a hybrid network.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Viktor Vera
Head of IT Security at Banco Privado
Real User
A powerful tool for a security team to optimize time

Pros and Cons

  • "We use Tufin to clean up our firewall policies because it is so fast. A report about compliance and the clean-up process used to take about one month up before. With Tufin, it takes only one day."
  • "I would like to see more about the cloud in the next release. They need a large plan to deploy the cloud into the solution and a way to implement it."

What is our primary use case?

The primary use case is for compliance with PCI regulation for local and country regulations.

We are using the latest version of the product.

How has it helped my organization?

We use Tufin to clean up our firewall policies because it is so fast. A report about compliance and the clean-up process used to take about one month up before. With Tufin, it takes only one day.

Implementing roles in the firewall used to take two days, but now, it takes two hours.

The audit and policy relation reports have helped me show compliance to managers.

The product helps my cybersecurity team. Now, my cybersecurity team spends their time creating new controls for new technologies.

What is most valuable?

The workflow is the most valuable feature.

The visibility that the solution provides is amazing.

The change workflow process is flexible and customizable. I can send one request to an IT Manager and another one to a Development Manager, making them customized.

What needs improvement?

I would like to see more about the cloud in the next release. They need a large plan to deploy the cloud into the solution and a way to implement it.

The web service for integration with other solutions needs improvement.

What do I think about the stability of the solution?

The stability is okay.

What do I think about the scalability of the solution?

At this moment, it is not necessary to expand the solution.

How are customer service and technical support?

I don't really use the technical support.

Which solution did I use previously and why did I switch?

We did not have a previous solution. I was looking for a solution to optimize time in security policy management. Then, I found the Tufin and contacted a reseller.

How was the initial setup?

The initial setup was super easy. It was fast to implement the firewall. The Check Point was very fast.

What about the implementation team?

We used a reseller for the implementation. It was the first time for the reseller to do this implementation.

What was our ROI?

It saves us a lot of time. People can devote their time to other more important tasks. 

What's my experience with pricing, setup cost, and licensing?

The seller of Tufin, when I wanted the solution, was very flexible because the cost on the lease was very high in Latin America. So, he was able to reduce the cost.

Which other solutions did I evaluate?

We considered Algosec and Firemon, but Tufin was the best.

What other advice do I have?

A powerful tool for a security team to optimize time.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JS
IT Security Analyst at a retailer with 10,001+ employees
Real User
Comparing the rules and policy browser is valuable, but having to enter the password each time for each firewall is annoying

Pros and Cons

  • "Comparing the rules and policy browser is valuable to me. It gives me the ability to pull running configs and be able to analyze them without having to go directly into the firewall."
  • "They are sort of at the pilot stage on some of their products. I saw the Orca and Iris products yesterday. My initial impression of these products were that they were good products, but I felt like some of their features overlapped with SecureTrack and SecureChange, which they are already doing. So, I just wondered what direction they're going in? I understand that they are cloud products, but are these security products going to overlap each other's features at some point? This is my initial concern."

What is our primary use case?

The primary use case is firewall analysis.

We use SecureTrack, which is great.

How has it helped my organization?

The solution has helped us to meet our compliance mandates. We have to be PCI and SOX compliant. Some of these rules and systems might meet those requirements. Knowing which system can talk with which system is definitely helpful in that sense.

This solution has helped us reduce the time it takes to make changes.

What is most valuable?

Comparing the rules and policy browser is valuable to me. It gives me the ability to pull running configs and be able to analyze them without having to go directly into the firewall.

The visibility is great.

What needs improvement?

When you make changes, you have to enter the password each time for each firewall. This is sort of annoying.

They are sort of at the pilot stage on some of their products. I saw the Orca and Iris products yesterday. My initial impression of these products were that they were good products, but I felt like some of their features overlapped with SecureTrack and SecureChange, which they are already doing. So, I just wondered what direction they're going in? I understand that they are cloud products, but are these security products going to overlap each other's features at some point? This is my initial concern.

For how long have I used the solution?

I just opened the tool about four weeks ago.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It seems pretty scalable. From what I have seen in the training, you can use it on multiple firewalls. It seems like a solution which was built for very large enterprise level networks.

How are customer service and technical support?

I haven't dealt with the technical support yet.

What other advice do I have?

If you want to be able to manage your firewalls efficiently and securely, then use Tufin.

It is a pretty solid solution. As with any security solution, I think is it is growing. It seems like it is at a good point. It could still use some work, but it's growing, and that's good.

We saw in the training yesterday the changes for part of SecureTrack 2.0, which isn't out yet. Those changes, that they will be implementing, look very good from what I can see.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
DY
Associate Director Program Management at a pharma/biotech company with 10,001+ employees
Real User
Helps us meet our compliance mandates by providing visibility into firewall rules

Pros and Cons

  • "We were hit by the NotPetya attack. Therefore, our whole company and all its sites were down for several months. So, you don't have an attack like that and not need something like Tufin. Other companies can prevent these attacks, or at least slow them down, by having this type of a tool. We will never go back."
  • "We actually had a key issue, which was a bug, that the development team didn't want to fix. We escalated it, then it got fixed. So, the management level seems very responsive at least, but at a support level, they are just regular support people and not outstanding."

What is our primary use case?

The primary use case is locking down the firewalls to Zero Trust and automating the risk assessments.

How has it helped my organization?

We use Tufin to clean up our firewall policies. It very easily shows us what is not used, so we can take it out. It shows us head counts as well, so if something is used once or twice a year, that might not be something we want to keep. Thus, we can have the conversation. We also like how it has a business owner of the firewall policy, so we'll be filling that in. So, those people will be involved ongoing with the approvals.

This solution has helped us meet our compliance mandates by providing visibility into firewall rules.

Today, we can check to see how our lockdowns have gone and what unusuals are still there. We have a long way to go, but we've done a lot already.

We were hit by the NotPetya attack. Therefore, our whole company and all its sites were down for several months. So, you don't have an attack like that and not need something like Tufin. Other companies can prevent these attacks, or at least slow them down, by having this type of a tool. We will never go back.

In the future, we will be using this solution to automatically check if a change request will violate any security policy rules.

What is most valuable?

  1. Being able to see all the firewall rules in one place. 
  2. Being able to query them. 
  3. SecureChange will automate and put the rules into Remedy.

The visibility is incredible. It has never been there before.

What needs improvement?

The UI was a little clunky at the first. It was confusing. They are working on that. The new one is better.

What do I think about the stability of the solution?

We haven't really overburdened it yet. What we have has been very stable. There have been no issues that I have seen.

What do I think about the scalability of the solution?

It seems very scalable.

We have 40 consultants and too many people.

How are customer service and technical support?

The regular technical people seem okay when you put in a help call, and they do get back to you. We actually had a key issue, which was a bug, that the development team didn't want to fix. We escalated it, then it got fixed. So, the management level seems very responsive at least, but at a support level, they are just regular support people and not outstanding.

Which solution did I use previously and why did I switch?

I asked our firewall team if they had the tools that they needed to do their job, and they said, "No."

We did not have a previous solution.

How was the initial setup?

The initial setup was pretty straightforward. The problem was getting people to pay attention to it.

It is a lot of work to implement.

What about the implementation team?

We used Tufin for the deployment.

What was our ROI?

We have not seen ROI yet. What we are going to see is fewer cyberattacks. When you have a multimillion dollar cyberattack, you don't care about three million dollars in a one time cost.

Engineers are spending less time on manual processes by weeks. Huge amounts of time have been saved.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are three million total and then we pay for maintenance, which is an additional cost for three years.

Which other solutions did I evaluate?

We did a comparison of three products and Tufin was recommended at the time. We got quotes from Tufin and another product, and Tufin came in under.

I just talked to two people who switched to Tufin from another product. It seems to be the leader of the pack.

What other advice do I have?

Tufin seems like a high quality product from a company that cares. It focuses on exactly what we need.

We would like to get to having Tufin make changes on firewall rules, but we are going to need help convincing our management of that we should be using Tufin to do that. It looks very promising, but we can't use it for that yet.

We haven't implemented the change workflow process yet.

While we didn't buy it for the solution’s cloud-native security features. I'm interested in that, but it is not in my mandate right now.

The product has been fabulous.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MH
Network Security Operations at a insurance company with 10,001+ employees
Real User
We use this product to sharpen our change cycle

Pros and Cons

  • "We use this product to sharpen our change cycle. A request used to take quite a while as we did manual assessments. A lot of that is now done through SecureTrack."
  • "In the past, we would do certain things because of private knowledge of people's own understanding of the network. We don't have to rely on just that piece of it, because of the topology. We now know which firewalls come into play."
  • "The product that we have deployed for our main process gets bogged down in terms of its response. Maybe, we need to deploy a slightly smaller box. Eventually, we need to discuss this with Tufin is to see if we can move over to some sort of VM environment where we can add more processing power to it."
  • "Our initial setup was complex from two dimensions, because we were deploying it globally and had to have a centralized view, but a distributed approach. We had it in Asia and North America, causing a slightly complicated approach."

What is our primary use case?

The primary use case of Tufin is firewall management, firewall reviews, and eventually, to do rule deployment.

It was more to start standardizing our prior work changes. The initial first step is to understand and make sure that whatever change goes in is complying to our policies and standardized. The eventual goal is to get everything automated.

We are using SecureTrack at the moment, but we do have licenses for SecureChange as well.

How has it helped my organization?

We use this product to sharpen our change cycle. A request used to take quite a while as we did manual assessments. A lot of that is now done through SecureTrack. 

At this stage, we are doing only manual checks. We are only using SecureTrack to verify the flows through Tufin. At a later stage, when we will also automate certain types of rules to be done through SecureChange, this will tremendously help us. We are not there yet, but this will help us in terms of time and resource costs.

In the past, we would do certain things because of private knowledge of people's own understanding of the network. We don't have to rely on just that piece of it, because of the topology. We now know which firewalls come into play. 

We use Tufin to help us clean up the firewall policies. It provides very easy reporting. We get all the aged or unused rules listed very quickly, as soon we run the report. It's a quite easy way of doing it. However, we have not automated our process. We are hoping that at some point that we will be in a position to automate that process.

We use the solution to automatically check if a change request will violate any security policy rules. If a request comes in, and it is from an Internet zone going straight out to an inside secure zone, then we definitely flag it. There are other policies that we find in our USP, which we flag. These are the type of things that we check.

We definitely use the compliance reports, which has simplified things. However, we haven't fully integrated it into the GRC process with Tufin yet. The desire is to make sure our GRC resources are fully aware and engaged in our Tufin deployment.

We are leveraging some components to provide reports for our GRC process, but there is no plan to integrate those processes. Those are run by different teams. We were planning to integrate our ticketing system (ServiceNow) with Tufin, which is ongoing. We are working on that now.

What is most valuable?

The central repository of information provides a consistent way of doing things, eventually shortening the time period to make changes. This is the most valuable thing at this point in time. 

I'm very happy with the visibility component. It gives us a reasonable insight into the most of the application flows. Obviously, most east-west application flows are missing from what we have. That is a component which we will need to eventually fill in the gaps.

Between the cloud and physical data centers, we definitely share Tufin policies. That definitely gives us visibility into both.

What needs improvement?

I would like to drive value from is to getting to a point where we are almost like a DevOps operation for security changes.

We have put in a lot of requests. Some of them are high level related to cloud. Others relate to some of the reporting structures that we have. E.g., some of the automated reporting capabilities for specifics on certain regulations. Certain countries have certain regulations, and with GRC, if we can associate that on certain regulations, then we can spit out reports from that.

We would like to see integration of the different versions of this product, e.g., SecureChange and SecureTrack. They eventually need to start amalgamating all these into an end-to-end product for visibility. 

What do I think about the stability of the solution?

We do have an ongoing issue with capacity. If one of our resources is working on it, nobody else can do anything. If a particular report is being run on the server, nothing else seems to work. We haven't done anything about it as of yet. Maybe some of my team members have opened tickets to Tufin for it.

What do I think about the scalability of the solution?

I am not sure about the scalability. The product that we have deployed for our main process gets bogged down in terms of its response. Maybe, we need to deploy a slightly smaller box. Eventually, we need to discuss this with Tufin is to see if we can move over to some sort of VM environment where we can add more processing power to it. 

We have a global implementation.

How are customer service and technical support?

Whenever we have had a problem, some of my engineers contact Tufin and they have been very easy to get a hold of. From my team, they have not had any problems with the technical support.

Which solution did I use previously and why did I switch?

We were using Tufin before, as well, but it was not the same. It was separated into localized instances and regions.

We sort of saw that the volume of changes were coming in high. The patience from the business side was getting low to invest the time that it used to take to make firewall changes. Therefore, it was inevitable that we need to purchase a solution.

How was the initial setup?

Our initial setup was complex from two dimensions, because we were deploying it globally and had to have a centralized view, but a distributed approach. We had it in Asia and North America (US and Canada), causing a slightly complicated approach.  Prior to Tufin, we had three instances which were separately managed, so we did not have end-to-end visibility. Therefore, we rearchitected the Tufin environment and created one global Tufin instance. The retail instances became local collectors, which reported back to the single environment.

From the start of the project to the end of the project, the deployment took us a while, at least five to six months. Most of the time involved was not because of Tufin. It was primarily for us to handle all of our separate service providers and outsourcers globally, so they could all provide us with read-only access to the firewalls that they manage.

What about the implementation team?

We deployed the solution in-house. It was pretty straightforward to deploy.

What was our ROI?

The solution has helped us reduce the time it takes us to make changes from weeks to days.

Engineers are spending less time on manual processes by about 15 to 20 percent. I would like to get a bigger number.

We didn't buy this based on ROI, so we didn't measure ROI. Overall, from a time savings perspective though, it is definitely there.

What's my experience with pricing, setup cost, and licensing?

The licensing costs are around $250,000 to $300,000.

There are ways to deploy the license to different types of firewall. However, if we decide to change the physical brand of the firewall, we need to go back to Tufin and modify the licensing. This is a hassle.

Which other solutions did I evaluate?

We did not consider anyone else, because we already had an unused, unimplemented Tufin license. We eventually thought to start consolidating everything into one place.

We decided on Tufin because:

  • It was an existing tool.
  • It served our purposes. It provided us the essential components for managing a varied environment of different types of firewalls. 
  • We felt that there was enough potential in the organization to grow with us and provide capabilities, like cloud, VM environments, etc., under the same umbrella.

What other advice do I have?

It gives us visibility and the ability to make changes automatically with less mistakes. Overall, it's a decent product.

Tufin is definitely a good contender to come as a winner. It has the potential to look not only at firewalls, but also network devices and other cloud-native solutions. It is a pretty broad base product, which will eventually be a good future tool to have in a toolkit.

We haven't used the workflow from Tufin. We use our own ticketing system for that. We are busy integrating our ticketing system with Tufin right now using an API. We are just in the process of doing that.

Tufin helps us understand and ensure that security is being applied. Tufin is not a security tool. It just gives us all the information about security, firewalls, etc., and that they are doing their work. From that perspective, it would be a long stretch to say that Tufin provides us security. However, Tufin provides us the information that we have security across hybrid environments.

All of our cloud-native security features are directly taken from cloud management tools. We don't have anything deployed yet from Tufin for cloud-native security features, but there is a desire for that.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
BB
Network Engineer at a healthcare company with 10,001+ employees
Real User
Provides a holistic view of the infrastructure, as well as automation workflows

Pros and Cons

  • "One of the biggest quick wins that we had with Tufin was cleaning up our firewall policies and rules. We cleaned out a lot of rules which helped our devices, longevity-wise, as well as speed-wise."
  • "We would like Tufin to have interoperability with Juniper products, along with official support."

What is our primary use case?

We use it with SecureTrack, mainly for auditing purposes. We also use SecureChange for workflows on temporary firewalls.

How has it helped my organization?

We use Tufin to clean up our firewall policies. From an auditing perspective, it is centrally managed in one place for all of our firewall vendors.

One of the biggest quick wins that we had with Tufin was cleaning up our firewall policies and rules. We cleaned out a lot of rules which helped our devices, longevity-wise, as well as speed-wise.

What is most valuable?

  • Easability
  • Audit features
  • SecureTrack
  • Change of work allowance
  • It is very open to changing it and making it do what we need it do. 
  • We get a holistic view of the infrastructure, as well as automation workflows.

The visibility is great, so far. We are still building it out because we have a lot of firewalls from different vendors. Overall, it's a good product in the way it works.

The change workflow process is flexible and customizable. We use this process a lot. We have developers do custom integrations with different vendors, especially ones that are technically supported, as well as doing some custom integrations with our Juniper products, which are not officially supported.

The solution’s cloud-native security feature is definitely welcome. We are starting to embrace the cloud. We are a little more legacy and timid in our approach, considering the amount of data that we have and the way that we want it to be accessed. However, the cloud-native applications are going to be big, so I definitely think that's a welcome feature that they're working on.

What needs improvement?

We would like Tufin to have interoperability with Juniper products, along with official support.

They could maybe update the interface. However, I know there is an interface update coming, I just haven't seen it yet.

There is room for improvement, as far as making the product easy to use and having training available.

In my training with the workflow, it always kicks me back every time that I do a step backwards. I think that automatically it should take you to the next step in the workflow, that would be appreciated.

What do I think about the stability of the solution?

So far, the stability has been great. One of my colleagues just did an upgrade from the previous version to 19.1, which had a bit of database issues. Those have now been resolved.

What do I think about the scalability of the solution?

The scalability seems good. We have a distributed system right now, and it seems like it can scale up or scale out, as needed.

How are customer service and technical support?

So far, the technical support has been good. I haven't had to deal with support a lot yet. We have weekly check-ins with our account manager where we go through what we can do with it. Overall, I think it's adequate.

Which solution did I use previously and why did I switch?

We didn't have a previous solution.

It is nice to see the capabilities that Tufin has, and we look forward to building it out.

How was the initial setup?

I wasn't there for the initial setup, but from what I've seen, it was pretty straightforward for the engineers who set it up.

What was our ROI?

The solution has helped us reduce the time it takes us to make changes. From the auditing perspective, it definitely saves a lot of time. Once we get our USP built out with the automatic calculations, as well as having validation and seeing where the roles need to go in place, this solution will be very helpful. 

It is helping engineers spend less time on manual processes.

Which other solutions did I evaluate?

We did look at a few other vendors.

The power that Tufin has behind it is the reason they chose it. They saw that it had a lot of capability compared to its competition.

What other advice do I have?

Check out this product and see what it can do for you. Talk with the marketing team and account reps and see what direct benefit the platform gives you. Then, see what strengths it has compared to the competition, as well as its value proposition.

We are not to the point of using the solution to automatically check if a change request will violate any security policy rules, but it is coming.

We are building the security policy part of it out across out hybrid network, especially with the USP.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
SE
Security Analyst at a retailer with 10,001+ employees
Real User
Helpful with making sure all parts of our organization are following change management

Pros and Cons

  • "It provides a comprehensive overview of what our network looks like in terms of what is allowed and what is not, then how the traffic' is flowing with the Network Topology Map."
  • "I wish there was a read-only admin option. I don't like that you have to be a full admin just to see the Network Topology Map. That option is great out there if you are a user, multi-domain user, etc. However, that piece is very helpful for us, but I also don't want to be handing out admin access to every single person so they can see that network tab."

What is our primary use case?

The primary use case is monitoring routers, switches, firewalls, but mostly routers and firewalls.

We are just using SecureTrack, either version 18-2 or 18.3.

How has it helped my organization?

We use it to aid with firewall reviews. We don't have SecureChange active, but we can take the info and use it to help. We have found a lot to work with.

Tufin has been helpful with making sure all parts of our organization are following change management:

  • If you are changing rules, then you have tickets, and there is the approval process associated with it.
  • Seeing people are sticking with those temp rules, if they end up staying there for awhile. 
  • Sometimes, there are just bad rules where something that should've been "deny" and should not be allowed.

Those are more direct examples without getting too far into the weeds.

It is greatly aided in helping us meet our compliance mandates. There used to be manual reviews for certain compliance requirements. Now, this solution helps automate a lot of that, and even the parts which are still manual. It's a lot more comprehensive than trying to read raw text files of the configs and making sense of those.

The solution helps us ensure that security policy is followed across our entire hybrid network. It is like a centralized single pane of glass where comprehensively shows things, especially coupled with the Network Topology piece that they have. You can say, "Here's where the DMZ is, and here's that. These are the amount of firewalls crosses this through." Whereas before, it was this big spreadsheet of all the firewalls and zones. Except for like two or three legacy knowledge people, no one really understood how it flowed before Tufin.

It has helped us troubleshoot, e.g., why isn't this still working? "Oh, they put it on the wrong firewall or they typoed it." The solution has helped with that.

The firewall reviews for compliance used to be a more labor intensive process. It used to take a few months, and now, it's down to just a couple of weeks.

What is most valuable?

It provides a comprehensive overview of what our network looks like in terms of what is allowed and what is not, then how the traffic' is flowing with the Network Topology Map.

With the Unified Security Policy, the more you improve it, the more you will get out of it.

For the things that Tufin is able to work with, it is really great. It sort of provides a comprehensive view. It is easier to explain to people who don't really work with firewalls everyday:

  • Why this is an issue.
  • Why certain things are an issue.
  • Why some things are the way they are.

What needs improvement?

I wish they had a credentials vault or something. Right now, you have to manually add a username and password per device, and if they are using something like in a centralized, like an AD account, that password rotates eventually. Now, I have to go back and change information for all these hundreds of devices. Whereas, if they just had some credentials vault for credential one, two, and three, then you could just reference them per device and change it in one place. It would make our lives a lot easier.

I wish there was a read-only admin option. I don't like that you have to be a full admin just to see the Network Topology Map. That option is great out there if you are a user, multi-domain user, etc. However, that piece is very helpful for us, but I also don't want to be handing out admin access to every single person so they can see that network tab. 

Tufin covers a lot of vendors, but there are still some that they don't, like Radware. Some of these vendors that they don't cover are at critical points in our company, as far as explaining the full picture of our routing. Since it can't show the full picture, it can't support that. 

What do I think about the stability of the solution?

The stability is pretty good. We have run into repeat issues with Palo Alto Panorama, where it doesn't seem to play nice if we change the vice group names in Palo Alto or if one of the Palo Alto servers is down, but it is in Panorama, because we're pulling everything through Panorama. Sometimes, it'll freak out and cause everything else to stay and be unable to get configed. Then, our Palo Alto products will sort of cease, usually a good majority of them, which is not ideal.

What do I think about the scalability of the solution?

So far, scalability has been doing well. 

How are customer service and technical support?

The technical support is very good. They respond pretty fast. They are always available whenever I need it. It is usually my fault when there are delays because I just don't respond to an email. I forget, then a few days go by and email again like, "Oh, shoot." The technical support has always been on top of things.

How was the initial setup?

Someone before me had stood up the actual server on the network. They had one device, and it was monitoring. Then, I took it over. I've expanded it out to over 400 devices.

They made getting new monitoring devices in pretty easy. From the monitoring devices tab, it was pretty straightforward. You pick the vendor, then under there, this is a drop-down. I struggled a bit under the Cisco tab where they have a router, then a Nexus router. They have a lot of different vendors, and figuring out which category it falls under was confusing. The help docs don't exactly specify between the two or what commands it will be running. This is usually more for our older devices. 

What about the implementation team?

We had Professional Services hours. However, as far as getting the actual devices and scaling it out, that was all just me.

What other advice do I have?

Understand your DNS or network segment. What all these different subments and how they will fit into what categories, because you are going to directly take that info when you build out your USP. If it's too messy, your USP is not really going to do anything. You need to have a good dictionary for the USP to follow.

We aren't really using the cloud-native security features in our current environment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Nathan Hulsey
Firewall Architect at a financial services firm with 10,001+ employees
Real User
Helps us tighten up our firewall policy, but reporting should include automation metrics

Pros and Cons

  • "The automation piece is the most valuable feature: having SecureChange make the change on the firewalls, instead of my having to go manually make the changes on the vendor product."
  • "We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules."

What is our primary use case?

Our primary use case is firewall automation. We use SecureTrack and SecureChange. We have distribution serves, Remote Collectors, but what we primarily use is SecureChange integrated with ServiceNow for users to submit firewall requests. They then go to SecureChange which designs the rules and implements them.

How has it helped my organization?

When it comes to the turnaround of firewall rule requests, it used to take about a week to implement and have the customer test for firewall access. Now, it can take just one day. The implementation itself takes a minute or two. For the customer, it may take the rest of the day, by the time that the policy is installed and the customer tests, either that evening or the next day.

While I'm not involved in the leadership, I believe the solution has helped us to meet our compliance mandates: from a firewall perspective, as well as an audit perspective, as well as review of the rules and source and destination port requests.

As for ensuring that security policy is followed across the entire hybrid network, we're getting there. That's part of why we implemented Tufin. We are implementing that across our multiple offices. Once we get to that state, it will ensure that security policy is followed.

Finally, using the solution, our engineers are spending less time on manual processors.

What is most valuable?

In general, the automation piece is the most valuable feature: having SecureChange make the change on the firewalls, instead of my having to go manually make the changes on the vendor product.

In terms of cleanup of our firewall policies, we don't officially use Tufin, but I, as an architect, do use the Automatic Policy Generator to review existing rules: high hit-count rules and open rules which aren't very secure. We use that to then build firewall rules which tighten up our firewall policy.

The change workflow process is flexible and customizable. We have had to edit and alter some of our workflow and it's pretty easy, pretty simple, pretty straightforward. We use Tufin support, their helpdesk, for that because we're a very new customer.

What needs improvement?

In terms of the visibility the solution provides, we have hits and misses with it. Overall, we think it works. We would like to get more automated, but that could be an issue internally with services and ports that we allow between different zones and our USP matrix. We're working with Tufin representatives to help solidify that and clean that up a little bit. That's one of the headaches and hiccups that we have right now: the full automation piece. We have automation to an extent, but we still have requesters who submit requests that still require approval, whether it be firewall leadership approval or cyber leadership approval. We want to determine what ports are allowed between the zones, as I mentioned, so that we can have full automation and there's no human interaction at all.

We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules. That's available on the Palo Alto side, but we are primarily a Check Point site on-prem. We have Palo Alto on the cloud but most of our on-prem stuff is from Check Point, so we're waiting for that. Those are some of the key things we're waiting for.

For how long have I used the solution?

We've been using Tufin for about four months.

What do I think about the stability of the solution?

My impression of the stability is positive. We haven't had any issues. We even went through an upgrade about a month ago and it was a smooth process.

What do I think about the scalability of the solution?

As for scalability, we're finding that out right now. We're building out two new Remote Collectors for our global deployment of an additional 150 to 180 firewalls, plus additional Layer 3 appliances. We're working through that right now. Hopefully, it will be a smooth transition but I can't say for sure because we haven't actually implemented it yet.

How are customer service and technical support?

I would rate tech support as "fair." Response time is a little slow, but when they do respond, and when time is available for them, we work through things pretty quickly to resolution.

How was the initial setup?

I wasn't involved in the initial setup, but from what I've heard from others from whom I took it over, it was very straightforward.

Which other solutions did I evaluate?

I know they reviewed other solutions but I don't know which, for sure, since I inherited the project. I would assume AlgoSec and FireMon were reviewed as well.

What other advice do I have?

Be as detailed as you can within your introductory meetings, and your planning and implementation phases, because if you don't mention something and it comes back later, you're going to have to work through it. That could take time, it could take extra money. You want to make sure, upfront, that you know everything you want to do so that it's all included in the cost for the Professional Services implementation.

We do use it on the cloud; we're having some trouble right now defining the network policy on our cloud. We're working through that; it's part of being a new client.

I would rate Tufin a seven out of ten. We're a very large, complex organization, so we're still working through some stuff that we focus on, things that, perhaps, other customers don't, or that Tufin doesn't have integrated in the TOS software.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
AB
Manager of Security Engineering at Global Payments inc
Real User
Increases your productivity and simplifies your workflow

Pros and Cons

  • "It is a great solution. If you have all the devices and firewalls in place, the amount of details that you get along with the network topology is very good."
  • "I haven't seen the cloud integration yet, and I would like to see if we could audit the cloud firewalls, like the cloud-native, Azure, and Amazon. That would be nice. You want one tool to do everything. I don't want to use another tool, or manually go and audit the cloud firewalls."

What is our primary use case?

Right now, we are just using it for SecureTrack. Next year, we have plans to buy the license for SecureChange as well.

I think we're using version 18, and we are in the process of upgrading it to 19-2

How has it helped my organization?

We got Tufin from a company that we acquired, so its helping us do mitigations there. Now, we are extending the scope and implementing it in our HQ, as well. It has helped for PCI and compliance.

The solution helps us ensure that security policy is followed across our entire network. It is important to configure and define all the networks right.

One of the primary reasons why we want to use Tufin is currently we are having issues with companies from overseas who manage our firewalls. It is very inefficient where they say that they have implemented the rules, then later on we find out the implementation has not been done properly and they are missing firewalls. Hopefully, once we fully implement this tool, it should be able to tell us if firewall rules are missing. It should be able to tell them before they communicate with us. After the implementation, we can verify and make sure that everything is working and do all the validations.

What is most valuable?

It is a great solution. If you have all the devices and firewalls in place, the amount of details that you get along with the network topology is very good.

If we had the budget and money, the SecureChange is really great. What you can do and where you can push everything from one console. You can create a change and do the whole automation: create the change, implement the change, and close the change. Right now, I have to go to two, three, or four different consoles. Whereas if I had SecureChange, I could do everything in one place. From an auditing perspective, it becomes easy. Right now, I have to give a change ticket number, then show the auditor and tell them to search for that change ticket number in a different place. If everything is in one place, that makes your life easier.

The change workflow process is flexible and customizable.

What needs improvement?

I would like more API integration, API integration with the cloud, and API integration with other chain management solutions. I would also like more scripts, which would help us not have to write scripts. If you give me all this, I can use the scripts to automate stuff, making my life easier.

I haven't seen the cloud integration yet, and I would like to see if we could audit the cloud firewalls, like the cloud-native, Azure, and Amazon. That would be nice. You want one tool to do everything. I don't want to use another tool, or manually go and audit the cloud firewalls.

What do I think about the stability of the solution?

I have seen some issues with the stability. One of the things that we noticed was when R18 was released about one or two years back, it couldn't discover the newer versions of firewalls, then we had to upgrade it. After the upgrade we ran into some other issues. However, it looks like with the patches it is getting there.

What do I think about the scalability of the solution?

With the scalability, you have to use different components: the reporting server and distribution server. When we implemented it earlier, we didn't design it properly, which I feel is our issue. Once we design it properly, the way that we are implementing it now, I feel the scalability should be there.

Which solution did I use previously and why did I switch?

I have used auditing tools in the past, so I was already aware of Tufin. When I saw the processes in my company where I worked were manual, I recommended a solution, saying, "We need to expand the solution from our other company to here, as well. It will simplify our processes."

How was the initial setup?

The initial implementation was done at an acquired company, so it was already installed. However, we are doing upgrades now.

What about the implementation team?

I think we will be using Tufin for the upgrades.

What was our ROI?

We have seen ROI:

  • The productivity has increased. The team is more productive.
  • It will decrease the time of firewall implementation, which will increase the productivity in the sense that now other teams don't have to wait for their projects. 
  • This helps us simplify our processes.

Our engineers are spending less time doing manual processing. Their productivity has at least increased by 50 percent.

What's my experience with pricing, setup cost, and licensing?

We haven't purchased the license yet for SecureChange. We do have plans to buy it next year.

The additional piece, which we are buying and doesn't include our other solution, is close to 300,000.

Which other solutions did I evaluate?

We did not have have time to evaluate other solutions. Also, we already had Tufin in place in our other company. 

This seems to be a better solution than AlgoSec, which I have used in the past. I have also seen FireMon, and Tufin gave us what we needed. I didn't see a reason to explore other solutions.

What other advice do I have?

It is a great tool. It will help you increase your productivity and simplifies your workflow.

We should use it to clean up our firewall policies since the tool is there.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
BB
Network Engineer at a energy/utilities company with 10,001+ employees
Real User
We use the rule set analysis reporting day in and day out for doing rule cleanup and policy analysis

Pros and Cons

  • "Our engineers are spending less time on manual processes, specifically for the reporting functionality. For doing the rule cleanup and policy analysis, it would be a nightmare to do that manually. So, it is saving our engineering teams time from not having to do manual log reviews."
  • "We built the policy comparison reporting into our processes that before we push any change to production, an engineer will stage actual date rule changes and policy changes. Another engineer will go in and do a comparison report of the last push policy to the last save, making sure what has been changed is what is expected to. From an operational excellence, it's huge for us. We have huge policies. All it takes is one accidental right click, delete, or backspace button, which could impact our business. So, this is something that we use almost day in and day out."
  • "We had a discussion in the Customer Advisory Board yesterday around use of SecureChange. We would like to have an opportunity for an engineer to choose if you want to make or take the policy which has been suggested by the designer functionality, making it more human readable or less human readable (more or less granular). This would be huge for the customers who are using SecureChange. They said this was one of their issues with it, especially for anything that was going into a regulator's or auditor's hands. The more human readable, the better that it would be, and this would definitely be applicable to our industry. It sounds like they are working on this issue, or they took the feedback, but that would be a big one for us in being able to make the jump to SecureChange."

What is our primary use case?

We are using it mostly for reporting, as well as NERC CIP compliance for rule documentation. The primary use case is for doing rule cleanup, knocking down overly permissive rules, and cleaning up old unused rules. Basically, we are using the reporting functionality out of SecureTrack.

How has it helped my organization?

We use Tufin to clean up our firewall policies. We use an automatic policy generator. This is huge for us because certain rules, especially if they're overly permissive rules, have to have an analyst go through log file after log file, which is just impossible. Versus just setting Tufin, letting it run for a couple of weeks, then going back and looking at the results. That has definitely been a big win for us.

The policy comparison reporting has been a definite big improvement for our organization. 

We've used it to give read only access to look at actual policies for different departments who might not necessarily need access to the actual firewalls. This has created some efficiencies for us because an engineering team can go in and check to see if they need to engage us for firewall rule changes without having to engage us first, because they have the direct access. 

The solution has helped us meet our compliance mandates. We use the policy browser metadata to do documentation for rule justifications. That is what we supply to our external auditors.

What is most valuable?

The most valuable features are the rule set analysis reporting that you can do. We use it day in and day out for doing rule cleanup and policy analysis.

The policy comparison reporting is one of the more basic functions that it has, but it is very critical for us. We built it into our processes that before we push any change to production, an engineer will stage actual date rule changes and policy changes. Another engineer will go in and do a comparison report of the last push policy to the last save, making sure what has been changed is what is expected to. From an operational excellence, it's huge for us. We have huge policies. All it takes is one accidental right click, delete, or backspace button, which could impact our business. So, this is something that we use almost day in and day out.

We're definitely happy with the visibility. It gives us a lot more visibility and can do a lot more reporting that just wouldn't be possible for a human to do, who might just be looking at traditional log files.

What needs improvement?

We had a discussion in the Customer Advisory Board yesterday around use of SecureChange. We would like to have an opportunity for an engineer to choose if you want to make or take the policy which has been suggested by the designer functionality, making it more human readable or less human readable (more or less granular). This would be huge for the customers who are using SecureChange. They said this was one of their issues with it, especially for anything that was going into a regulator's or auditor's hands. The more human readable, the better that it would be, and this would definitely be applicable to our industry. It sounds like they are working on this issue, or they took the feedback, but that would be a big one for us in being able to make the jump to SecureChange.

What do I think about the stability of the solution?

Stability has been rock solid. We were joking about that last night. There was a good amount of time where we weren't running reoccurring backups on a couple of our older appliances. They ran into no problems, whatsoever, for hardware or software for years. So, we were sort of joking, "The product's so good that we don't even have to back ours up half the time." Thus, stability has been very good for us.

What do I think about the scalability of the solution?

Scalability is to be determined at this point for us. Right now, we have five or six isolated instances, and we're going to collapse those down to a single front-end. Then, we'll scale up to how many devices that we're monitoring. At this point, we haven't had any issues with scalability, but we haven't really pushed the appliances too hard yet. 

Making sure that you are designing or coming up with a solution and architecture which is scalable and as holistic as possible. We had some discussions yesterday with some other customers, and having the complete visibility of your entire environment rather than just a subset like we do today at our company will make or break your functionality of the product. Being as all inclusive as possible is probably critical, especially if you're looking at things like SecureChange.

How are customer service and technical support?

The few times that we have had to engage tech support, they have been good to work with. They were pretty simple cases in both instances for us.

What was our ROI?

Our engineers are spending less time on manual processes, specifically for the reporting functionality. For doing the rule cleanup and policy analysis, it would be a nightmare to do that manually. So, it is saving our engineering teams time from not having to do manual log reviews.

What other advice do I have?

We are siloed. We have separate areas of responsibility for parts of the network. The pieces of the network that our team manages, and what our Tufin instances are monitoring, is all for the data control system for anything real-time, e.g., the gas and electric control systems. Therefore, we don't have complete visibility of the entire network because we are only monitoring that subset of the network.

We don't use any workflows because we're not using SecureChange.

We haven't used the solution’s cloud-native security features.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MJ
Lead Engineer at a insurance company with 1,001-5,000 employees
Real User
USP and rule design are key features for us, but the business workflow needs improvement

Pros and Cons

  • "It provides a real-time sense of how the policies are configured and whether there are any shadow rules. Another great thing is that it provides greater reporting based on how the rules have been set up."
  • "There are at least two things that need improvement. One is the business workflow and the second is the integration with logging solutions."

What is our primary use case?

We are using SecureTrack and SecureChange to make policy changes.

What is most valuable?

For us, it's all the features that Tufin provides, including the 

  • USP
  • rule design
  • documentation
  • implementation
  • auditing.

They're all important. We could not have one without the others.

In addition, it provides greater visibility, once the setup is configured correctly. It provides a real-time sense of how the policies are configured and whether there are any shadow rules. Another great thing is that it provides greater reporting based on how the rules have been set up.

What needs improvement?

There are at least two things that need improvement. One is the business workflow and the second is the integration with logging solutions.

What do I think about the stability of the solution?

The product is stable. Regardless of the software we are running, the current or the new one, it is stable.

What do I think about the scalability of the solution?

The solution is scalable if we have to add more devices, more distinct resources, or also high availability. That's part of the solution. It's not like after-thought, it's there.

How are customer service and technical support?

Tech support is very helpful. If there are any issues, we bring them to support and they get addressed immediately.

What other advice do I have?

You should definitely be looking at this as in your top-two choices, before even considering any other solutions.

We are in the midst of a transition, going to a newer version. All the features which I talked about above, we want to implement them in a new production infrastructure. We are working with Tufin and Professional Services very closely, so we can enable it. There is the old way - the way we are using it - versus the way we want to. It is not there yet. 

Currently, it's not helping us meet compliance mandates, but the new way will definitely help us to meet them. In addition, once we go with the new way of doing things, the solution will ensure that security policy is followed across our entire hybrid network. At that point it will follow business practices.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
BB
Networking Engineer at a comms service provider with 1,001-5,000 employees
Real User
Handling firewall rule request tickets are more centralized and easier to manage, but its cloud-native security features are lacking in support

Pros and Cons

  • "Tufin has made handling firewall rule request tickets more centralized and easier to manage."
  • "I would like the application to have faster response times. E.g., the dashboard may take up to two minutes to load. Or, when we do the topology seating its two and a half hours. I would like to get those times down and increase the efficiency of the product there."

What is our primary use case?

The primary use case is tickets.

How has it helped my organization?

Tufin has made handling firewall rule request tickets more centralized and easier to manage.

We have previously use Tufin to clean up our firewall policies, but we are not doing that currently.

What is most valuable?

The workloads are the most valuable feature right now, as it stands.

We find that the change workflow process is flexible and customizable. We change our workflow several times a year.

What needs improvement?

The visibility is good for the most part, but there are limitations to it. E.g., there is a lack of certain routing/networking protocols across all the vendors that they support.

The solution is not sophisticated enough for us to automatically check if a change request will violate any security policy rules.

Tufin's cloud-native security features are lacking in support.

I would like the application to have faster response times. E.g., the dashboard may take up to two minutes to load. Or, when we do the topology seating its two and a half hours. I would like to get those times down and increase the efficiency of the product there.

I would like more support for Juniper and Junos Space. I would like more of the features which are offered for other platforms being extended to the Juniper platform.

The USP needs improvement. It is pretty much not usable right now for us. It is all IP-based. The issue with that is we may have one subnet, but we have multiple things that would go in different zones all in that same subnet. Therefore, to use the USP, we would have to bring it out in tons of /32s, and it's not usable. Whereas, it would be far better if we could just put tags associated with IPs, then do USP based on tags.

What do I think about the stability of the solution?

In the sense of operating, the stability is good, but in the sense of performance efficiency, it is bad.

What do I think about the scalability of the solution?

The scalability is bad.

Which solution did I use previously and why did I switch?

We did not have a previous solution that we were using. We were looking to work towards improving the whole requesting of firewall policies.

What about the implementation team?

We used a reseller for the deployment. Our experience was not that great, which has more to do with how our supply chain works and why we picked them. However, I don't ever really talk to them or hear from them.

What was our ROI?

We have seen ROI from the side of operations, and we'll probably get to more of that as time goes on. However it took a while to get to that point.

The solution has helped us reduce the time it takes us to make changes by at least a day.

It did reduce the time part of engineers manually spending time on processes from the aspect of manually having to go through the network and finding the path that a request would take to know where to put the rules. We have had some issues with topology, so not all of our tickets get that advantage. Probably 40 percent of them are that way, so that's why right now it is not as big of a gain.

Which other solutions did I evaluate?

We did consider other solutions.

What other advice do I have?

Do proper research. Look at Tufin and all of the other products.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JP
Network Security Analyst at a energy/utilities company with 10,001+ employees
Real User
Helps us review our firewalls and firewall policies for issues, but we would like the user interface to be redesigned

Pros and Cons

  • "The most valuable feature are role and objects usage for individual objects and app usage."
  • "We use Tufin to clean up our firewall policies. This makes it a lot easier to find out the things that are wrong."
  • "A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet."
  • "Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one."

What is our primary use case?

The primary use case is role recertification.

We are trying to get into it for compliance, but we are having issues with that.

This solution helps us ensure that security policy is followed across our entire hybrid network.

How has it helped my organization?

We actually review our firewalls now. Before we started using Tufin, our firewalls never got reviewed and we had no idea what was on them.

We use Tufin to clean up our firewall policies. This makes it a lot easier to find out the things that are wrong.

It removes things which shouldn't be there. It has helped with that. Things that don't get used anymore and nobody tells us that they have been retired, it helps us identify those items. Then, once we get the compliance piece going, it'll help us make sure nothing violates policies.

What is most valuable?

The most valuable feature are role and objects usage for individual objects and app usage.

What needs improvement?

If we could get the compliance part working, that would help out a lot.

Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one.

A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet.

The user interface needs to be redesigned because things are not where you would expect them to be.

What do I think about the stability of the solution?

Stability is sometimes good, and sometimes not so good. 

There is an issue with all of our Palo Alto devices, where if one gets disconnected in Panorama, they all show as disconnected or with errors or wrong arguments, which is very generic. They are supposed to have a fix for it now, but we haven't implemented it yet, because they are not releasing it until eleventh of this month.

What do I think about the scalability of the solution?

We haven't had any issues with scalability yet. We can scale as much as we need to.

How are customer service and technical support?

The technical support is good. The guy with whom we have been working the most with lately has been pretty on top of everything. We had a couple people in the past who were a little iffy, but we haven't had to talk with them in a long time. I don't know if they're still there.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are pretty low. We were grandfathered in, so we are at about $35,000 per year.

What other advice do I have?

Test every feature. Make sure the third party vendors that they implement into it function properly with it. We have had issues with our Palo Alto connections.

We just started a PoC on the change workflow process of the solution.

We are just now moving stuff to the cloud.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Tom Loeber
Services Engineer at AccessIT Group
Real User
Reduces human error and speeds up the whole change process

Pros and Cons

  • "This solution helps us ensure that security policy is followed across our entire hybrid network. You can have a Unified Security Policy which reaches across all networks, so if you are having a change submitted, it doesn't matter if you're enforcing it or not. You can get an alert saying, "This is a violation." That's a value-add."
  • "I would like more enforcement. Right now. it's a lot of alerting. You see it in Tufin, but you have to go to Check Point or whatever device to make the actual action."

What is our primary use case?

We do risk, cleanup, and change.

How has it helped my organization?

It reduces human error and speeds up the whole change process.

The change workflow process is flexible and customizable. There are five default workflow processes out-of-the-box. However, every customer is different. Everybody has a different request process. That is why it's so customizable. You can add another step, you can delete a step, or you could put in an exception. It is very flexible.

We use this solution to automatically check if a change request will violate any security policy rules. E.g., we will not be allowing SSH to the Internet. That is one change request where we can be like, "Put that right on top of the policy." 

This solution has helped us to meet our compliance mandates, especially with the default out-of-the-box templates, then you can create your own.

This solution helps us ensure that security policy is followed across our entire hybrid network. You can have a Unified Security Policy which reaches across all networks, so if you are having a change submitted, it doesn't matter if you're enforcing it or not. You can get an alert saying, "This is a violation." That's a value-add.

What is most valuable?

  • Cleanup
  • Visibility
  • Scalability

Cleanup is its most valuable feature. We use Tufin to cleanup our firewall policies. You can see unnecessary, unused objects. A lot of times, you will create a host, then it's not used. It's like, "Delete that, because we don't need that in the database." Or, it's a rule that is not needed: unused rules.

Its cloud-native security features are good. They add even more visibility to your environment.

What needs improvement?

I would like more out-of-the-box workflows in SecureChange with more default config, so you don't have to create those workflows yourself. This would be the biggest thing.

I would also like more enforcement. Right now. it's a lot of alerting. You see it in Tufin, but you have to go to Check Point or whatever device to make the actual action.

We already know the user interface is getting redesigned in TOS 2.0. That's naturally been the customer complaint in my experience, "Where are things in the GUI? The GUI is cumbersome." Now, I'm used to it, but when your first learning it, it is unintuitive.

What do I think about the stability of the solution?

The stability is very good, especially now that they are developing a lighter weight operating system on top of the OS with 2.0 coming out this year. 

The current version is slow. I deal with a lot of large environments, which is mostly what Tufin has. It is slow because it is a database, Tomcat Server, and web server. Reports are slow. If you're generating manually on the fly, you can set them to run at night, then it's not a big deal.

What do I think about the scalability of the solution?

The scalability is good, because you can have a central server, distributed server, and remote collectors. You can have remote land sites or branch offices. You can have the collectors collect the data for you. You don't have to rely on just one server.

How are customer service and technical support?

The technical support is very good. It is a lot better than the firewall vendors themselves.

Which solution did I use previously and why did I switch?

There were not enough resources to do the changes themselves. We definitely went offshoring. Now, you see a lot of that coming back because there is not enough people. We needed a system to do it.

How was the initial setup?

At first, the initial setup is complex. Once you know it, the initial setup is straightforward.

First, you have to install the operating system. Then, you have to install the application, where there are certain version requirements. You can't just go right to the latest OS version. You have to go back to the older one, then upgrade those as well. It is a little cumbersome.

What about the implementation team?

I am an integrator. Sometimes, we have to use Tufin on the back-end.

What was our ROI?

We have seen ROI just in the time savings and knowledge. Knowledge is power. Having the solution do it automatically for you without you doing the work is huge. If you are spending $50,000 a year, it could have cost you a $100,000 in man-hours without it, especially if you are working with a team..

This solution has helped reduce the time it takes our customers to make changes by 50 percent.

Engineers are spending less time on manual processes by 50 percent.

What's my experience with pricing, setup cost, and licensing?

While licensing varies greatly, it is about $50,000 a year.

Which other solutions did I evaluate?

We did consider other vendors, but Tufin is the market leader. We only deal with the best of breed. We like to go with the best.

What other advice do I have?

Do a proof of concept or proof of value. You will see the value right there.

The visibility is top-notch. I know the vendors as well, like Check Point and the firewall product underneath it. I know with Check Point, specifically, and I have seen some issues with it. However, overall, there is still a lot of value in the cleanup.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
BW
Change Manager at a pharma/biotech company with 10,001+ employees
Real User
The ability to connect with other services and software solutions via APIs is very impressive

Pros and Cons

  • "One of the things that came up this week was the ability to decommission a server, which we thought was interesting. We had a workshop recently that talked about all the things that need to be thought about when managing firewalls. People said, "A lot of times, things get forgotten when you are decommissioning a server." E.g., making sure rules are taken away and taking out the rule set. The fact that there is an automated workload for that can be helpful."
  • "I had been impressed with the depth of capabilities within SecureTrack, particularly, in terms of generating insights for a user and firewall operator. With SecureTrack, I've been impressed with the level of flexibility with workflow design and its ability to generate different work streams and flows through the tool that are customized for our organization processes."
  • "There are things that could be explained a little better for somebody brand new to this system, which could be helpful, especially if it was in real-time while you were working in the system. Having the ability in real-time to be able to understand search query suggestions would be helpful."
  • "A limitation right now for compressed firewalls is the limited ability to see above a site level in terms of the Topology Mapping in the policy display. While Tufin's actively working on a solution, or at least they have this in the queue, from being able to view this on a higher level and how all of our site networks are connected, this ability would be useful, as we expect to have these compressed firewalls in place for quite some time."

What is our primary use case?

The primary use case is processing change requests.

While our organization has implemented SecureChange and SecureTrack, we are not using either tool rather extensively. Therefore, we are trying to put together a plan for the organization to adopt these tools more firmly.

The idea is to be using SecureChange as the primary portal for entering change requests on both the perimeter and shop floor network firewalls. The way we are approaching this is to do a pilot first among a few sites, then bringing it out to a larger group once we feel more comfortable with how the pilot went.

The pilot will probably last for a couple weeks. After that, we will roll it out in buckets or groups to the rest of the sites. Then, the primary use case will be using tool for change management and SecureChange, while SecureTrack will be used by our security monitoring group who is tracking for threats.

My engagement to date and going forward will be to assist in the planning of the rollout and helping with the rollout. I make sure teams and users who will be using this tool are actually using it, including processes from: 

  • Submitting a firewall change request.
  • Price or rule requests.
  • Opening a port.
  • Firewall maintenance or maintenance processes, e.g., rule cleanup.

How has it helped my organization?

The additional visibility into network path analysis is really helpful. The ability to provide assistance with role clean up will be helpful as well.

Part of the work that one of our firewall implementation teams is doing is a justification process right now. I think that a clean up is included as part of that effort.

What is most valuable?

One of the things that we really like is the ability to customize work flow. It seems like there are ways to make a workflow robust and capture multiple different types of things that you would want to do when you are maintaining a set of shop floor network firewall rules. These include things decommissioning a server and performing a common rule maintenance process, like a recertification process. 

The linkage between SecureTrack and SecureChange is nice. The way that you can identify a rule in SecureTrack that needs to be recertified, then create a ticket in SecureChange, which can essentially implement that, and complete the recertification process for workflow. This helps us keep organized, in a big way, a complex, large set of network firewall rules. Otherwise, there is no way for us to track who the business approver or owner is for each of those rules and when the last time each of the rules was looked at. In terms of keeping this set of rules clean, it goes a long way in helping with that.

I had been impressed with the depth of capabilities within SecureTrack, particularly, in terms of generating insights for a user and firewall operator. With SecureTrack, I've been impressed with the level of flexibility with workflow design and its ability to generate different work streams and flows through the tool that are customized for our organization processes.

One of the things that came up this week was the ability to decommission a server, which we thought was interesting. We had a workshop recently that talked about all the things that need to be thought about when managing firewalls. People said, "A lot of times, things get forgotten when you are decommissioning a server." E.g., making sure rules are taken away and taking out the rule set. The fact that there is an automated workload for that can be helpful.

From the training that I've done at the conference, I like the ability to visualize the network paths between different endpoints and servers. I thought that was cool.

I have been impressed with the range of capabilities. The ability to connect with other services and software solutions via APIs is very impressive. In terms of breadth of market coverage, that seems pretty robust.

What needs improvement?

I would like a USP that was a little like an interface and a bit more intuitive. It seems like the 2.0 version did that better. 

I know when I was performing a search, like in the policy query area, some of those options as your typing could be better defined. That was one thing that came up. I would like it if there was some way to provide real-time feedback or context for each option as you are typing in search fields and search parameters.

Even somebody with relatively little experience like I have should be able to come in and have more intuition towards how to operate the solution. That would be a bit more helpful. There are things that could be explained a little better for somebody brand new to this system, which could be helpful, especially if it was in real-time while you were working in the system. Having the ability in real-time to be able to understand search query suggestions would be helpful.

A limitation right now for compressed firewalls is the limited ability to see above a site level in terms of the Topology Mapping in the policy display. While Tufin's actively working on a solution, or at least they have this in the queue, from being able to view this on a higher level and how all of our site networks are connected, this ability would be useful, as we expect to have these compressed firewalls in place for quite some time.

For how long have I used the solution?

We are using it on a more regular basis now.

What do I think about the stability of the solution?

The Tufin products seem very long-term oriented. The ability to be customized seems good. It seems like there is a good roadmap for what features need to be added.

We did a USP upload earlier this week into SecureTrack, and the upload process was okay. Some of the definitions around the columns and the formatting could be more clearly defined.

What do I think about the scalability of the solution?

The scalability seems good. It is overwhelming to think about how to define a USP potentially for the amount of networks that we have for shop floor firewalls. However, in terms of scalability, it seems like once the information is in there, it can operate well and help speed up change requests.

How are customer service and technical support?

I don't think we've worked a lot with the technical support teams yet.

Which solution did I use previously and why did I switch?

It was clear that no one was managing the shop floor network firewalls. 

Right now, there are no tools to do that. As we are hardening and locking down firewalls, the requirement to maintain and manage them becomes increasingly more challenging.

I don't think there was any tool before Tufin. The rules were historically stored in CSM and operated out of CSM. Before that, there wasn't any other way to perform a regular analysis and maintenance of firewall rules in this way from a security and policy perspective.

How was the initial setup?

The initial setup seemed like it required a lot of effort. I wasn't super close to the project during the initial setup. Now that I've gone through the training it seems a little less overwhelming.

For the initial setup, I was only involved slightly on the SecureChange side. The API integration process with BMC Remedy seems difficult. I don't know if that is a result of the way the SecureChange application is designed, or if it's a result of a challenging resource environment for focusing on the implementation and the integration of it with Remedy. But, it seems like a challenging effort.

What about the implementation team?

We used WTT for the deployment. My coworker, Dorothy, had a good experience with them. They were engaged before I joined the project.

The rollout was accomplished largely with an in-house team. The vendor that we purchased it through provided a little bit of support, but very minimal. Then, there is the team who is doing implementation with a lot of the firewall rule changes. Booz Allen has been helping a lot with the rollout, as well. I have been helping to design the rollout and adoption.

For our current implementation, which is temporary, once we move the cleanup process from this implementation team to the permanent team that is when I will be performing the work. That is when I'll be a bit more involved.

Which other solutions did I evaluate?

The company a good comparison of the different tools. I don't know if they were working with Booz Allen at the time, but Booz Allen seems to feel pretty strongly about the quality of Tufin and their user experience. It does seem like Tufin has reputation regarding its user interface that it is more friendly than other competitors.

I am aware of two other competitors who were possibly considered.

What other advice do I have?

There is a plan for clean up as part of our regular process. There is a process drafted and an intention to do that.

It seems flexible and customizable. The bigger question is whether it will integrate into our existing process effort for change management. There is an existing risk assessment process that sort of fits up into our Remedy change request process, so now we have to think about how does the Tufin change management portal and SecureChange fit into that as well.

Once the USP is defined and we feel comfortable with that, we plan to use the solution to automatically check if a change request will violate any security policy. However, we are not doing that yet.

The program that I am supporting is not engaged in any of the firewalls affecting the cloud, so I didn't have a lot of context with that.

Once we have it up and running, this solution should help reduce the time that it takes to make changes and our engineers should spend less time on manual processes.

I did training at Tufin two weeks ago.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
NK
Firewall Administrator Security Engineer at a comms service provider with 1,001-5,000 employees
Real User
Gives our firewall administrators visibility into the total infrastructure

Pros and Cons

  • "It gives our firewall administrators visibility into the total infrastructure."
  • "It is extremely scalable. It really addresses the scale of a company's firewall footprint."
  • "The stability is bulletproof."
  • "The initial setup was time consuming."
  • "I would like something that addresses security in the cloud."

What is our primary use case?

The primary use case is data flow analysis.

How has it helped my organization?

We use Tufin to clean up our firewall policies of unused policies.

It gives our firewall administrators visibility into the total infrastructure.

What is most valuable?

The most valuable feature is troubleshooting.

What needs improvement?

I would like something that addresses security in the cloud.

What do I think about the stability of the solution?

The stability is bulletproof. 

What do I think about the scalability of the solution?

It is extremely scalable. It really addresses the scale of a company's firewall footprint.

How are customer service and technical support?

The technical support is excellent.

Our account manager and Tufin support have been a big help to us.

Which solution did I use previously and why did I switch?

We were getting to the size where manual administration of firewalls did not make sense anymore.

How was the initial setup?

The initial setup was straightforward, but time consuming.

What was our ROI?

This solution has helped us reduce the time it takes us to make changes. We have seen the reduction on the front end, when doing an analysis of the data flow.

Which other solutions did I evaluate?

We also considered AlgoSec.

What other advice do I have?

I would recommend taking a look at the solution.

I use the solution daily and can see it anytime that I want. I find it invaluable in day-to-day management of firewall policy and policy changes.

This solution has sort of helped us to meet our compliance mandates.

The cloud-native security features will be more important in the future. I am just learning about them now.

I have not worked with SecureChange. I just took the SecureChange track, and from all of the exercises that we did, it seems like a very valuable tool after your firewall population reaches a certain density. If there are a certain number of firewalls, manual administration doesn't make sense anymore.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CD
Security Engineer at a insurance company with 201-500 employees
Real User
Every change is tracked down to the person and time

Pros and Cons

  • "This solution has helped us meet our compliance mandates. Everything is all auditable. Every change is tracked down to the person and time."
  • "We are using the visibility with notifications on every firewall change and what those changes were. We have visibility to see who is making the changes, and when."
  • "With scalability, we are going to run into some issues. We have been talking about converting over to actual hardware as opposed to virtual. Therefore, I don't think we are scalable at this time, especially with the updates coming. I'm told that they're going to need a lot more horsepower to push them."

What is our primary use case?

The primary use case is automation.

We are using the latest version.

How has it helped my organization?

We find that the change workflow process is flexible and customizable. If we want to change approvers, that is very easy. If we wanted to add a step or get rid of a step, this is easily customizable.

We are using the visibility with notifications on every firewall change and what those changes were. We have visibility to see who is making the changes, and when. This is the biggest thing because we are underutilizing the product right now.

This solution has helped us meet our compliance mandates. Everything is all auditable. Every change is tracked down to the person and time.

What is most valuable?

The auditing is a valuable feature. We can be audited, because it has the ability for approvals to be set up and to put in policies. It is all automated.

For how long have I used the solution?

We bought it about a year ago, but we have been doing other projects. We haven't fully implemented it.

What do I think about the stability of the solution?

So far, the stability is good.

What do I think about the scalability of the solution?

With scalability, we are going to run into some issues. We have been talking about converting over to actual hardware as opposed to virtual. Therefore, I don't think we are scalable at this time, especially with the updates coming. I'm told that they're going to need a lot more horsepower to push them. 

As far as scalability, it is great for adding network objects and so on.

How are customer service and technical support?

i have not talked to technical support.

As we start to dive in, I'll be reaching out to the customer success team.

How was the initial setup?

The initial setup was straightforward. We did it in three days.

What about the implementation team?

We used a reseller for the deployment. They were very good.

Which other solutions did I evaluate?

There was one other solution that we evaluated, but it didn't stack up. Tufin was the best solution.

What other advice do I have?

Everything is good right now.

Reach out to whoever does your implementation and support. Ask as many questions as you can and do research.

We haven't got to the point where we've used the solution to clean our firewall policies yet. That is the next phase.

This solution won't help us ensure that our security policy is followed across our entire hybrid network until the next stage.

We're not in the cloud.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
TH
Team Lead of Border Protection at a manufacturing company with 1,001-5,000 employees
Real User
Cleans up our firewall policies, giving us better security policy and less junk on firewalls

Pros and Cons

  • "The biggest benefit for us was the time frame to complete a ticket. It went from approximately a week and a half to two weeks down to about three days."
  • "We use it to clean up our firewall policies, which gives us better security policy and less junk on the firewalls."
  • "We would like better communication on tickets, a better way to do metrics, and better communication to the customer. The biggest change that my team would like right now is communication on the process of the ticket, so the customer knows where their ticket is while their waiting."
  • "At least in our environment, the dynamic learning of the topology needs improvement."

What is our primary use case?

We use SecureTrack and SecureChange to manage all of our firewalls. 

We use the latest version.

How has it helped my organization?

The biggest benefit for us was the time frame to complete a ticket. It went from approximately a week and a half to two weeks down to about three days.

We use it to clean up our firewall policies, which gives us better security policy and less junk on the firewalls.

Risk analysis is automatically in our policy.

What is most valuable?

The most valuable feature is automation.

The visibility of the policies are very good. It sees different things. The recordings are very good.

We use a lot of workflows and have a lot of custom things developed by Professional Services. It is very customizable.

What needs improvement?

We would like better communication on tickets, a better way to do metrics, and better communication to the customer. The biggest change that my team would like right now is communication on the process of the ticket, so the customer knows where their ticket is while their waiting.

At least in our environment, the dynamic learning of the topology needs improvement.

What do I think about the stability of the solution?

If you would have asked me two weeks ago, I would have said the stability was excellent. However, we had some upgrade problems. They were worked out and the support was excellent in helping us get it fixed. In general, the stability is very good.

What do I think about the scalability of the solution?

We have a very big environment. The scalability works well.

How are customer service and technical support?

Pretty good. They know when to escalate. We never put in easy tickets, They know to escalate quickly if they have to. We have our own technical account manager too.

Which solution did I use previously and why did I switch?

We invested in SecureChange to do automated workloads. When we deployed SecureChange, part of it was to automate our workloads to have more time to do more things, like making the ticketing process shorter.

What was our ROI?

Firewall rule changes went from a week and a half to around three and a half days.

Which other solutions did I evaluate?

We have not recently evaluated any new solutions.

What other advice do I have?

Tufin is not perfect, but it's really good.

Make sure you know your environment well. Tufin will help with knowing the firewall rules, but be well-documented before you start with your security policies.

The approval process is a lot more automated, but the implementation process didn't change.

We don't use Tufin in the cloud yet.

We don't have compliance mandates.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jim Robinson
Senior Specialist at Cigna
Real User
Allows non-technical people to keep track of firewall rules, but the API needs to be improved

Pros and Cons

  • "Tufin is the only multi-vendor firewall tool that is available, and it helps to bring everything together and report on what all of the rules are."
  • "I would like to see API access into every aspect of Tufin."

What is our primary use case?

My company primarily uses this solution for reporting and enforcing policy. My role has to do with developing applications to allow integration with our other tools.

How has it helped my organization?

When I was using Tufin for analysis, there was a tool that would tell me which rules could be consolidated. It was amazing and helped me to clean up the firewall policies.

We use this solution to automatically check to see if change requests will violate any security policy rules, but I do not have any specific details or examples.

Tufin is the only multi-vendor firewall tool that is available, and it helps to bring everything together and report on what all of the rules are.

This solution helps to ensure that security policy is followed across the network because it is the main tool that non-technical security people use to keep track of firewall rules. Without it, they wouldn't even know where to begin. 

What is most valuable?

In my current role, the most valuable features are the API and the accessing. In my previous job, the analysis was my favorite.

What needs improvement?

I would like to see API access into every aspect of Tufin. For example, every feature and everything that's in the database, I would like to have programmatic access to. This would give me the ability to do anything that the product can do but from a script. This way, we are not beholden to the GUI in any way. If an operation requires that somebody click somewhere into the interface, manually, especially if it's just part of many other things that they have to do, then we want to fully automate that.

Some of the manual processes are taking longer because, without the proper API access, there are a lot of tickets coming in. These are from people who need to perform a task, but only a handful of them have access to it. This is because we're too afraid to give access to all of the people who actually need it.

What do I think about the stability of the solution?

In every instance that I've ever worked with it, it was stable.

How are customer service and technical support?

I have not dealt with technical support.

What about the implementation team?

In my previous company, I handled the deployment of this solution myself.

What's my experience with pricing, setup cost, and licensing?

Turning on certain options in the solution comes at an additional cost.

What other advice do I have?

My advice for anybody who is researching this solution is that if they are a larger company with a lot of money to spend, and they have a heterogeneous network with more than three different firewall vendors, then they absolutely need it. There is no competitor or really anybody who is even close.

For what this product does, it does well. There are, however, things that are missing.

Overall, I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
AA
Infrastructure Engineer Specialist at a healthcare company with 10,001+ employees
Real User
Helps us with our approval process, but their technical support could be improved

Pros and Cons

  • "The reports that this solution provides are very useful."
  • "This solution increases the time it takes to make changes."

What is our primary use case?

We make use of the SecureChange and SecureTrack modules. In SecureChange, we use the Workflow, and we use the USP to see if there are any rule violations.

How has it helped my organization?

Using the workflow has made it easier to get approval from the manager or the CISO. Whereas earlier we used to send an email, it is now a very easy process to get approval.

I have not used the Tufin workflow to clean the firewall rules, but I have used the reports to assist me. I have built reports based on six months worth of data, then selected the rules that were not needed and performed the firewall cleanup accordingly. Now that we have SecureChange and the workflow, I think that I should use the workflow to clean the firewall rules. However, to this point, I have been using the Tufin report.

The rule cleanup and checking for rule violations are not any easier for a technical person, as they are firewall operators. At the same time, it is very much easier for the management team, such as the CISO or company managers, to perform these tasks.

With respect to visibility, many vendors claim that they are number one on the market. What I can say is that Tufin works with the Check Point firewall and the Fortinet firewalls, and this is helping us.

This solution has helped us with meeting our compliance mandates. Based on the company standards and guidelines, we configure the USP. When somethings violates it, we can make a decision whether to approve it or not, based on whether it is complying with company policies.

What is most valuable?

The most valuable feature is the workflow.

Using this solution makes it easier to manage the firewall policy.

The reports that this solution provides are very useful. The report includes information about duplicate objects, duplicate services, shadowed firewall rules, and the firewall rules that have not been needed for a specified number of days or months. It sets my Check Point database.

What needs improvement?

My team does not have a good relationship with Tufin because the provisioning team, and even our Tufin account manager, are not friendly or helpful to us. The product, itself, is fine.

I would like to see Tufin as a standalone product that does not strictly manage other firewalls, such as Check Point, but works independently. Ideally, it should not have to rely on other products.

This solution increases the time it takes to make changes. It is easy to manage the firewall policy with the Check Point management server, so the time spent with Tufin is extra.

The fact that all of the firewall policies are pushed to the CMA is a major drawback of the schedule window.

What do I think about the stability of the solution?

Tufin is very stable, and I would say that there are no major outages. Sometimes the connection between Tufin and the management servers gets broken, and I don't know the reason, but apart from that, it is very stable.

What do I think about the scalability of the solution?

We can add as many firewalls as we need to, as long as we purchase the licenses, so it has good scalability.

How are customer service and technical support?

Technical support for this solution is the worst. I would give it a zero ranking. Compared to Check Point and Fortinet, Tufin technical support is the worst.

Even the provision service team does not like to respond to email, which is poor service.

Which solution did I use previously and why did I switch?

Prior to this solution, we used email to request approval, and it is now handled by the Tufin workflow.

How was the initial setup?

The initial setup of this solution was straightforward.

What's my experience with pricing, setup cost, and licensing?

Our licensing fees are more than $100,000 USD per year.

Which other solutions did I evaluate?

We did not evaluate other products before choosing this solution.

What other advice do I have?

I do find that the change workflow process is flexible and customizable, but not fully. I would say that it is seventy percent customizable, as there are pros and cons in the workflow. You cannot fully customize the workflow by yourself. There are certain limitations in the workflow, such as the inability to create a Firewall object or an IP object. You can only create or modify the Firewall object group. The other problem is the schedule window, as it pushes all of the firewalls on the CMA.

For us, this solution is a supplement. Tufin is partners with Check Point and Fortinet firewalls, but I can manage firewalls without using it. At the same time, while it is not mandatory, it is helping us.

For anybody who is considering this solution, I would say that Tufin helps you to get approval and it will help you to push your firewall policies. In the long run, when you have to manage hundreds of firewalls, it is a good thing to have.

I would rate this solution a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
DS
Network Engineer Lead at a energy/utilities company with 10,001+ employees
Real User
We can find rules that are too broad and pull those out, putting more specific rules in

Pros and Cons

  • "The visibility is huge. In order to figure out what was going on previously, we would have to pull stuff out of firewalls and put them in spreadsheets, then do sorts. Now, it's all right there in Tufin. We can write reports to look for what we need, ad hoc searches to find object groups, and know which firewalls are on. This was almost impossible to do previously."
  • "The change workflow process is getting better. I wish it was a little more customizable. Right now, my biggest issue is that it wants to optimize everything we put in. Sometimes, we need a rule to be more readable, and we want it to go in a specific way. Sometimes, it's difficult to get Tufin to accept that. It wants to optimize and reduce the number of ACLs. On the compliance side, sometimes you just want more ACLs, so it's more readable for an auditor."

What is our primary use case?

Currently, we're an electric utility. We use it for NERC CIP for validating rules into ESPs, which makes it easier for us to pull out the rules and justifications for auditors.

We are using either Tufin 18-2 or 18-3 and testing 19-2.

As a company, we don't have anything in the cloud.

How has it helped my organization?

It has helped us immensely on the compliance side. We are able to look for overly broad rules. E.g., rules with any-any using the USP to see if we have violations. This was pretty impossible to do before by just looking at the CLI on the firewall and spreadsheets.

We use Tufin to clean up our firewall policies. The biggest use in the last couple of months has been to pull rules out of firewalls rather than putting them in. We're cleaning up and pulling rules out.

We use this solution to automatically check if a change request will violate any security policy rules. Even though we've been using the product for several years, we've just now started rolling out SecureChange, updating our USPs, and building USPs. We are using those to do security checks.

This solution helped us meet our compliance mandates. With the USPs, we can control what is being put in, then we know when violations are occurring ahead of time.

What is most valuable?

The ability to write reports to figure out what ports and services are allowed into specific zones. For instance, we know that there are certain devices which are only allowed to have interactive remote access into an electronic security perimeter (ESP). We've written reports which can tell us if someone inadvertently opened something up that shouldn't have been, then we can pull it out. Now that we are using SecureChange, it can alert us to that fact as the rules are being built, which is huge for us.

The visibility is huge. In order to figure out what was going on previously, we would have to pull stuff out of firewalls and put them in spreadsheets, then do sorts. Now, it's all right there in Tufin. We can write reports to look for what we need, ad hoc searches to find object groups, and know which firewalls are on. This was almost impossible to do previously.

It makes it a whole lot easier for rule clean up because we can find rules that haven't been used. We can find rules that are too broad and pull those out, putting more specific rules in, which could be done before but this cuts the time way down to do it.

What needs improvement?

The change workflow process is getting better. I wish it was a little more customizable. Right now, my biggest issue is that it wants to optimize everything we put in. Sometimes, we need a rule to be more readable, and we want it to go in a specific way. Sometimes, it's difficult to get Tufin to accept that. It wants to optimize and reduce the number of ACLs. On the compliance side, sometimes you just want more ACLs, so it's more readable for an auditor.

I got a sneak peek of a release or two. There are some new features coming out that we could use today. E.g., SecureChange won't allow us to put in more readable ACLs rather than try to compress them. Sometimesm we don't want it to full optimization of a rule set. I would love the ability to tell it, "Thank,s but no thanks. I don't want to optimize this rule. Please put it in the way that I want it." Right now, that's hard to do. It's almost impossible.

What do I think about the stability of the solution?

It is a very stable product. There have been a few times where we have had to call support and have something fixed. It has happened, but it's very rare.

What do I think about the scalability of the solution?

It seems to scale very well. We have had the same servers in for four years now, and everything's keeping up. We haven't had any issues yet, and we are probably monitoring around 400 firewalls today.

How are customer service and technical support?

The technical support has been very responsive. If they can't figure it out, they are not afraid to go to Israel, back to the developers, and find an answer to the problem. Typically, within a day or two, they have the answer and we are back up and running. They've been great to work with.

Which solution did I use previously and why did I switch?

We knew that we had to invest in something which could help us clean up our rule sets. 

How was the initial setup?

We took baby steps, so the initial setup was pretty straightforward. We just started with SecureTrack, getting it talking to the firewalls, and initially using it to document justification for rules on our compliance firewalls. We have been doing more with it over the years.

What about the implementation team?

We used Tufin for the deployment.

What was our ROI?

This solution has helped us reduce the time it takes to make changes. We have been using SecureChange for the last six months, and it has streamedlined the process. We can usually do changes now within two or three days, where sometimes it used to take a week or more.

Engineers are spending less time on manual processes. We can push the changes to the firewalls. The engineers don't have to log onto the firewalls, then cut and paste.

What's my experience with pricing, setup cost, and licensing?

I just wrote a purchase order for it. It is a $150,000 a year.

Which other solutions did I evaluate?

We looked at three solutions at the time, then chose Tufin. We felt that Tufin was one of the more customizable solutions and had the best price. They came in cheaper than everyone else, and at our company, that means a lot. Thankfully, they were the best. We felt they were best of breed at the time.

What other advice do I have?

Give Tufin a good, hard look. From my experience, it is the best of breed.

Right now, we're focusing the implementation on our NERC CIP firewalls (the compliance stuff). We have some other teams who will be working on the corporate side and certain clean up rules along with the rest of the corporate firewalls. We are not there yet, but we're working on it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Robert Letson
Director at Visa Inc.
Real User
We can process more rules on a daily basis, which is a definite time saver

Pros and Cons

  • "We use Tufin to clean up our firewall policies. It benefits us, because you can run a query for whatever your cleanup criteria is, e.g., "Has it been hit in 90 days?" It displays the list, then you can see the rules right there. If you want to get rid of it (or highlight it), then it creates a ticket that goes ahead and flags them all as disabled. While you can delete them, we always disable first. Then, we have a strip that comes back, and if it's been disabled for 90 days, then the system will remove them."
  • "The topology needs improvement. If I click on the network tab, I can go get a cup of coffee, come back, and my topology is still not painted. Maybe, it's just because we have so many devices, but looking at the topology, it is too slow. The problem is that when I click on the network tab, I do not want to see the topology. I want to click on the "Next" button, so I can put in the source and destination, so I can see the path. However, I still have to sit there and wait for the topology to load, and it's frustrating. I'll click on topology and try to click that "Next" button in time to where I can get around it. But, typically, you have to wait for that topology to paint. When it paints it, it's just a bunch of black smudges because there is just so much there. It can't paint it to where you see something. I can always zoom out, or something like that, but it's really worthless."

What is our primary use case?

The primary use cases are firewall support and generating rules.

How has it helped my organization?

It is definitely a time saver. We can process more rules on a daily basis. It allows the customers to request their own rules. Sometimes, they need a little help, but they can submit it. As long as it passes the risk analysis, because it has to get through our NSA group. We just apply and push it that night.

We use Tufin to clean up our firewall policies. It benefits us, because you can run a query for whatever your cleanup criteria is, e.g., "Has it been hit in 90 days?" It displays the list, then you can see the rules right there. If you want to get rid of it (or highlight it), then it creates a ticket that goes ahead and flags them all as disabled. While you can delete them, we always disable first. Then, we have a strip that comes back, and if it's been disabled for 90 days, then the system will remove them.

The change workflow process is flexible and customizable. When we first got it, Tufin created a workflow based on our requirements. Since then we have modified and tweaked it. We added in Palo Alto, and we just keep adding steps. We can also add scripts. We have multiple scripts for a workflow, which makes it very flexible. You write the script and plug it into the workflow, then it's working.

We use the Unified Security Policy to automatically check if a change request will violate any security policy rules.

This solution has helped us ensure that our security policy is followed across our entire hybrid network. It is the same Unified Security Policy editing each request. It is the same set of rules. If it's good enough for Check Point, then it will be good enough for Palo Alto, and it's all zone based.

What is most valuable?

The rule provisioning is the most valuable feature. We had a ticketing system, like Remedy, which had a homegrown product. It would take your source destination port and do a bit of analysis, then give us a ticket with the spreadsheet. Then, we had to take the information from the spreadsheet and enter it into the firewall. Now, with Tufin, it identifies which firewalls, generates the rules, and you just apply them. It is a big time saver.

When it comes to searching our firewalls for things, I prefer the Policy Browser as opposed to going to the GUI. It seems just easier to search. I can start off with our Provider-1 for Check Point, search there, and get the information. Then, I can change the little drop down to say, "Okay, now go search Palo Alto." I don't have to change my search criteria, the platform pulls it right up.

What needs improvement?

We like what we have seen out of SecureTrack 2.0 with its improved search capabilities, where you can do greater than, less than, not equal, etc. Right now, if you're in there and you want to do a search, you have to write it in a specific way, since you can't use a not statement, less than, or greater than. Therefore, it will be a lot easier to maintain your USP because it has the new editor. It looks more like a spreadsheet online. I am just a little disappointed to hear because we are using SecureChange that we can't go to SecureTrack 2.0 yet. We have to wait for a couple of more versions.

On Palo Alto, we were told that you want to go with the panorama. Then, all the gateways are under it, so everything you create has to be as a shared object. When we first brought this to Tufin, Tufin said, "No, it's more secure to only have local objects." However, it sounds like Palo Alto has now convinced Tufin that shared objects is more the way to go. Otherwise, you have a lot of stuff filtering down to all the firewalls. Tufin gave us a script to plug into our workflow to make things shared, but I am expecting this will become more a part of our base product.

They have found some things, like our database is huge, which they finally realize. I guess they didn't really have in their plans to do much with shared objects on Palo Alto, but they are saying that this is what is really making our database swell. They are saying it's on their side and are putting in their fixes to fix it, which is good.

The topology needs improvement. If I click on the network tab, I can go get a cup of coffee, come back, and my topology is still not painted. Maybe, it's just because we have so many devices, but looking at the topology, it is too slow. The problem is that when I click on the network tab, I do not want to see the topology. I want to click on the "Next" button, so I can put in the source and destination, so I can see the path. However, I still have to sit there and wait for the topology to load, and it's frustrating. I'll click on topology and try to click that "Next" button in time to where I can get around it. But, typically, you have to wait for that topology to paint. When it paints it, it's just a bunch of black smudges because there is just so much there. It can't paint it to where you see something. I can always zoom out, or something like that, but it's really worthless.

What do I think about the stability of the solution?

It seems stable. We've had problems always with the same box, which is our SecureTrack primary. We are probably on our seventh one. The last one, Tufin took it to their site. They shook it out, tested it, and beat it up, then gave it back to us. Since we were already on the standby box, we just had it up there running. It was in the HA cluster. As soon as somebody did some switch work, it failed over. Within a couple of hours of being on that box, it crapped out. 

What do I think about the scalability of the solution?

We have definitely added gear, so it is scalable. We've added two more distribution servers and probably seven or eight more collectors. It is definitely scalable.

How are customer service and technical support?

We'll get somebody who is our main person, then all of a sudden they will be doing something else. One guy used to be our support person, and now, he is a TAM. 

We are a tough account. With some of the issues that we have, the support team has told us, "You are the only ones who have ever had this." We are like, "Really? Why?"

They usually come up with a solution. It may take a little longer, but they do come up with a solution.

Which solution did I use previously and why did I switch?

The previous solution was written in-house. 

We had a product called Skybox and whoever wrote the app would query Skybox for compliance, etc. Then, it would generate a spreadsheet, and we had to work off the spreadsheets. They sort of knew that this wasn't very efficient.

How was the initial setup?

The guy doing the initial setup made it look very easy, but it took us a little while to get up to speed on it.

What about the implementation team?

We used Tufin for the deployment.

What was our ROI?

This solution has helped reduce the time it takes us to make changes. Previously, it was taking up to seven days. Now, unless there is an issue with the request, we usually have it done in a day.

Which other solutions did I evaluate?

We did PoCs. We looked at FireMon, AlgoSec, etc. Tufin came out on top, so we started implementing it, as it was the product that we chose.

With AlgoSec, you had to pay them for all of your workflows. So, if you wanted the workflows, you had to pay them. I don't know how quick that would be as a turnaround, because we would have had to do the whole, "Here's what I want." We didn't like that at all.

Tufin has been a good investment. Unfortunately. We've got some people in our organization who are in love with Skybox and think Skybox can do no wrong. They are trying very hard to replace Tufin with Skybox, even though Skybox hasn't even done any provisioning. I think they're just misguided. It's a product that they love, and maybe it is good at compliance, but as far as provisioning, I haven't seen it. 

What other advice do I have?

Give Tufin a good look. The Tufin team is always trying to stay on top of it. When Check Point came out with a R80.10, it wasn't very long before Tufin could generate rules or provision to R80.10, which was good. Now that R80.20s are out, they can provision to those. I think R80.30 is close, but I haven't heard them saying that they can provision to that yet. They can also provision to the latest versions of Palo Alto. Since those are the two that we have, I don't know about Fortinet or Juniper, but I'm sure they're trying to stay on top of those as well.

We're not really using the cloud parts of it yet.

Our engineers are spending less time on manual processes. However, it does depends on what you call engineers. Our firewall engineers don't do much with Tufin. We had a dedicated engineer, but he changed groups with the promise that he was still going to support Tufin. He wasn't over there very long and now no longer does anything with Tufin. We are pretty much on our own. We came up with our own solutions. We have some people who are good at writing scripts and are pretty self-sufficient.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
William Temple
CyberSecurity Supervisor at a energy/utilities company with 10,001+ employees
Real User
Helps with compliance and drastically cuts down on the time it takes us to make changes

Pros and Cons

  • "A customer is able to submit a request for access and Tufin will automatically analyze the system to find out where the rule needs to go, and then design the rule for you."
  • "We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket."

What is our primary use case?

We use this solution for firewall rule management.

How has it helped my organization?

Using this solution has drastically cut down on our implementation time. A customer is able to submit a request for access and Tufin will automatically analyze the system to find out where the rule needs to go, and then design the rule for you. It was a very, very cumbersome process that has been cut from months to days. Some access requests used to take two months to get through the system, whereas now the average is eight days or less, and we even have a same-day turnaround in some cases.

Our engineers spend less time on manual processes. The improvement is drastic, from months to days.

Every single request that comes through, Tufin checks and does a risk assessment against our USP, the Unified Security Policy.

This solution has helped us from a compliance standpoint. During an audit, we were able to pull up the policy browser within the system and show the auditors where the rules actually live, and then show them in the firewall as well. Moreover, we could then show them the ticket and the request, along with the business justification and the entire history behind each individual rule that's in the firewall.

Tufin helps us ensure that the security policy is followed across our entire hybrid network. We have Palo Alto firewalls, Cisco firewalls, and VMware NSX firewalls as well. Tuffin sees all three of those. Every access request that comes through is checked against the USP to make sure that we're not violating any policies, and we're in compliance.

What is most valuable?

The most valuable feature is the ability to quickly identify where a rule needs to be put in place because right now we manage almost five hundred firewalls.

The visibility that this solution provides is great.

The workflow process is very customizable. I've played with it quite a bit in order to tailor it to our needs.

What needs improvement?

One of the big things that I want to see, based on feedback that I have received, is to give somebody read access to your ticket. In our previous, in-house system, this was called a "reader". Right now, Tufin's SecureChange ticketing system only allows you to see your tickets, and nobody else's unless you're a firewall administrator. That is by design. However, at our company, many people come and go and there are many large projects. We need multiple people to be able to see multiple tickets. The problem is that we can't open up the entire system to everybody because of compliance reasons. We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket. A simple drop-down that would allow you to select the name would be sufficient.

What do I think about the stability of the solution?

This solution is very stable. Once we got to a certain release, somewhere in version R18, it was stable. Before that, it would slow down after about a week or two of running and would cause us to have to restart the system.

What do I think about the scalability of the solution?

We've added more servers to process the load, and it's definitely helped speed up the system.

At this time, we manage almost five hundred firewalls.

How are customer service and technical support?

Technical support for this solution has been helpful. We also have a Tufin RE (Resident Engineer) on staff, three days a week, so that helps too.

Which solution did I use previously and why did I switch?

The previous system that we used was something that was homegrown, just built in-house. It was only a ticketing system. Everything else was done manually. My employees would spend days just trying to figure out where the rules needed to be applied, and how the rules needed to be designed. It was a very long, manual process.

What about the implementation team?

We used a consultant from Tufin, itself, for our deployment.

What was our ROI?

Our ROI is realized through time savings, whether it's in the deployment or redeployment of something, or any other task that requires the creation of a firewall rule. The request would be made months in advance because they knew it would take months to get it place. Nowadays, sometimes they'll find out last minute they need some rules. They'll submit the ticket, contact us, and ask for a rush order on it. If we've got somebody available, which right now we can do because we're able to turn things around faster, we can do a last-minute large request and push it through within a day or two. The savings in time is something that I don't even know if I can calculate properly.

Which other solutions did I evaluate?

I believe that FireMon was considered before we chose this solution.

What other advice do I have?

This solution works very well and it does the job. The product is pretty solid. At the same time, some of the small customizations would be very useful. It just needs little minor tweaks to really take it to the next step.

My advice to anybody who is researching this or a similar solution is to give it a look. Don't overlook this solution because you haven't heard of Tufin, because it's actually a really decent product. 

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JY
Security Compliance at Caterpillar Inc.
Real User
Speeds things up, and makes it easier for the average person to create firewall rules

Pros and Cons

  • "I don't think that we were ever slow, but we can now say that changes are completed within twenty-four hours."
  • "I think that the interface could be cleaner, and easier to use."

What is our primary use case?

We use SecureChange for change management, and the SecureTrack component for reporting and the summary.

How has it helped my organization?

We use this solution to clean up firewall policy, although I do not personally do it very often.

The change workflow process is flexible and customizable. We have a couple of custom components, and my colleague was able to put them together in five minutes, so it seems pretty flexible to me.

The solution automatically checks to see if our change request will violate any of our security policy rules. This helps with general risk assessments, and when we transfer data between security zones over certain ports. It really benefits us, as well as the users who submit the rules, because they're not all familiar with all of the rules that are in place.

Implementing this solution has made everything faster. With the introduction of SecureChange, I think it has been easier for the average person to become a firewall rule setter.

Using this solution helps us to meet our compliance mandate. It does this by making everything quicker, which makes it easier to meet our SLAs.

This solution helps to ensure that the security policy is followed across our entire network. It leaves less wiggle room for people to venture out and make exceptions because it does the thinking for us. We follow it's recommendations, so there is less compromise.

What is most valuable?

The most valuable feature of this solution is reporting.

This solution has helped to reduce the time it takes to make changes. I don't think that we were ever slow, but we can now say that changes are completed within twenty-four hours.

What needs improvement?

I think that the interface could be cleaner, and easier to use. There are some things that I think are varied. Some of the reports, when you try pulling them out, I think that you've got to jump through too many hoops to get the results that you want to find.

I would like to have the ability to view multiple "handled by" names. Right now, it's either one, or we and the customer see nothing. I would like to clean that up because I am part of those phone calls.

I think that with respect to end-user operation, the whole-space users, the communication is lacking.

What do I think about the stability of the solution?

For the most part, stability is alright. It works well until we do an update and it breaks everything. But, it gets fixed, and it's good again until the next update. 

What do I think about the scalability of the solution?

We have not tested scalability because we're set at where we are right now, although that is not to say that we won't be expanding in the future.

How are customer service and technical support?

Technical support for this solution is really good. They are pretty quick at responding to our tickets. When the update breaks everything, they're pretty quick at sending someone to fix it and bring us back up within a couple of days.

Which solution did I use previously and why did I switch?

Prior to implementing this solution, we used a home-grown, internal request process. It was very frustrating, across the board.

What about the implementation team?

We used a consultant to assist with our deployment, and we had no problems.

What other advice do I have?

My advice to anybody who is implementing this solution is to take the time to learn the product, in and out, right away.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JJ
InfoSec Consultant at a insurance company with 10,001+ employees
Consultant
Saves time making changes in our hybrid environment, but the visibility could be better

Pros and Cons

  • "The time that we require to makes changes has been reduced from weeks to days."
  • "The GUI is limited with respect to how much you can develop and visualize the process."

What is our primary use case?

Our primary use case for this solution is firewall automation for rule requests.

How has it helped my organization?

We use Tufin to clean up our firewall policies, and it has benefited us by reducing our policy set. It has sped up the change request process as an overall whole.

This solution helps to ensure that our security policy is followed across the entire hybrid network. We are able to see both on-prem and cloud, and whether there are things preventing on one side or the other.

The time that we require to makes changes has been reduced from weeks to days.

Our engineers are spending less time on manual processes, with the majority of our tickets being same-day.

What is most valuable?

The most valuable feature of this solution is the ability to develop it further than what's out of the box.

What needs improvement?

The visibility is not as good as it should be. There are certain things that it doesn't have visibility to yet, but I'm hoping that it's coming. Once it has greater, fuller visibility, we can do more.

The change workflow process is flexible and customizable to a certain extent. The GUI is limited with respect to how much you can develop and visualize the process. However, there is good flexibility in the number of fields and text that you can add.

SecureTrack needs improvement, and access to SecureChange needs improvement.

Some of the features that I would like to see in the next release of this solution are:

  • I would like Tufin to be supported on a container that is based in the cloud.
  • I would like the database to be separated from the backend.
  • I would like better automation support for Palo Alto.

What do I think about the stability of the solution?

This is a pretty stable solution. I won't say that there are no issues, but it does what they say it's going to do.

What do I think about the scalability of the solution?

I think that the way it is architected, currently, is limited in its scalability. In the future, it should be more scalable.

How are customer service and technical support?

Technical support for this solution is good. For a lot of the issues we have, we go directly to R&D.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

The initial setup of this solution seemed to be straightforward until we got into the details. At that point, we found it to be complex. Once you start thinking about the things you want to do and how you want to do them, because it's so customizable, it can become complex quickly. However, not in a bad way.

What about the implementation team?

We used G2 to assist us with our deployment, and they are great to work with. They're easy.

What was our ROI?

We have seen ROI, but I do not have any data points that I can share.

What's my experience with pricing, setup cost, and licensing?

Our licensing fees are approximately $100,000 USD yearly.

Which other solutions did I evaluate?

We considered other products, but Tufin came with the best out-of-the-box solution, and with the greatest flexibility to change in the future.

What other advice do I have?

We do not yet use this solution to automatically check if a change request will violate any security policy rules. We have not yet utilized this solution to help with compliance.

With respect to the cloud-native security features, we are not leveraging the cloud as much as we should with Tufin.

There could be better things out-of-the-box; However, I know that it is a solution that has to cover a wide range of industry and supportability, so therefore it's a challenge to get everyone's wants and needs.

My advice to anybody who is implementing this solution is to spend more time than you think you need on SecureTrack because it sets the standard for using SecureChange in all of the other products.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
AM
Infrastructure Analyst at a manufacturing company with 10,001+ employees
Real User
A nice GUI and powerful API

Pros and Cons

  • "The most valuable features are the GUI interface and the API."
  • "The integration with different products needs to be improved."

What is our primary use case?

We are using the SecureChange and SecureTrack components of this solution for rule re-certification and change automation. We are still in the implementation phase, but we expect to have this solution in our production environment by October 1st.

How has it helped my organization?

With respect to visibility, my impression is that it will do what we need it to do, but it will take some work.

We have tested the system to see if it will automatically check to see if a change request will violate any security policy rules, and it will do what we need. We intend to use this feature in production.

We expect that this solution will help us to meet our compliance mandates.

What is most valuable?

The most valuable features are the GUI interface and the API. 

We’ve found the change workflow process to be flexible and customizable. If it could not be customized then it would be very hard for us to make it work for our company.

What needs improvement?

The integration with different products needs to be improved.

For the most part, this solution will ensure that security policy is followed across the entire network. There are certain policies that are not baked into the product yet, like our proxy solution.

The options for certain things are pretty rigid, so they need to be more customizable.

For how long have I used the solution?

Still implementing / pre-production.

What do I think about the stability of the solution?

So far, the stability of the solution has been good.

What do I think about the scalability of the solution?

We have some work to do with scaling the product, so I don't yet know about the scalability.

How are customer service and technical support?

Technical support for this solution has been great. They've been very responsive.

Which solution did I use previously and why did I switch?

We will be using Tufin to clean up our firewall rules, but we currently use AlgoSec.

Our previous solution was an end-of-life product, so we had to evaluate the options that were out there.

How was the initial setup?

The initial setup of this solution is straightforward, although we haven't done full-on production yet, so I don't know what we're going to run into.

What about the implementation team?

Nexum assisted us with the deployment of this solution. They are good, and we use them for everything we can.

What was our ROI?

At this stage, we have not yet seen ROI.

Which other solutions did I evaluate?

We evaluated other solutions, but Tufin had a better workflow.

What other advice do I have?

I am unfamiliar with the cloud-native security controls that are provided. They may be worth further investigating.

Reducing the time it takes us to make changes is the goal of our implementation. We expect that our engineers will spend less time on manual processes.

We expect that this solution will do what we need it to do, but there are some quirks with the integrations for the software.

My advice to anybody who is researching this solution is to pick what's right for you and do your homework.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JB
Security Consultant at a insurance company with 10,001+ employees
Consultant
Reduces time to make changes and helps with compliance mandates, but it is resource-heavy

Pros and Cons

  • "The most valuable feature of this solution is that it reduces both the time required and the number of errors when making changes."
  • "USP does not support VPNs, which is a big thing for us, so we haven't been able to utilize it."

What is our primary use case?

We primarily use this solution for Change automation. We do not use USP, yet.

How has it helped my organization?

This solution has somewhat helped us with meeting our compliance mandates. We’re still working on it, and it’s a work in progress, but we’re better than we were.

Using this solution has helped to reduce the time it takes us to make changes. Our average was about five business days, and we’re down to same-day delivery. For some of our environments like QA and non-production, where we allow changes during the day, they can be done right away. 

Our engineers are spending significantly less time on manual processes.

What is most valuable?

The most valuable feature of this solution is that it reduces both the time required and the number of errors when making changes. We reduced the time it takes to make a change from a week down to a few hours. It means that the business gets a faster turnaround time, and our group is not as much of an obstacle for getting things done. It reduced the change error, so there is a lot less manual work being done.

The automation provided by this solution has mostly eliminated the human error element.

The most powerful thing in Tufin is the ability to use the SecureChange API, where we can supplement our own functionality in addition to what is built-in.

What needs improvement?

There are some limitations in the product and we were unable to use the Clean Up reports. 

We haven't been able to use the unified security policy and a lot of the violations and stuff like that. So, we're not getting a whole lot of visibility. Again, there are limitations there, so we haven't been able to deploy that yet.

USP does not support VPNs, which is a big thing for us, so we haven't been able to utilize it.

One thing that could be improved is the moving of data from one step to the next. As it is now, we have to manually do that via the API, but there should be a way to carry over data between the different steps without us having to code that.

It could definitely use some refinements and utilize fewer resources. It uses a lot of hardware to do not a whole lot of tasks.

What do I think about the stability of the solution?

This solution is stable. We don't have any issues with it, but it's a resource hog.

What do I think about the scalability of the solution?

This solution is not entirely scalable, although we have a very small footprint, so we don't really need it to be. For our use case, it's okay. I think that the distributed architecture, which we don't use, would allow it to be a lot more scalable, but I haven't had any experience with that.

How are customer service and technical support?

Technical support for this solution is good. We have a technical account manager and he's been right on point with most of our stuff. It's a fairly complex thing that went to R&D. It took some time, but that's to be expected.

How was the initial setup?

The initial setup was completed before I was there, but I have heard that they had a lot of issues with setting up high availability. Other than that, it was pretty straightforward.

What about the implementation team?

We used a G2 reseller for our deployment and it was a good experience.

What's my experience with pricing, setup cost, and licensing?

Our licensing fees are approximately $250,000 USD.

What other advice do I have?

This solution checks a lot of the checkboxes, but it seems to be quite limited in some of the more advanced features that the firewalls do. This can be quite restrictive in terms of what you can and can't accomplish with it.

I have indeed referred two former co-workers at another company to look at this solution. I think that it would help them significantly.

The newer, more advanced features that we would like to use are just not supported by Tufin yet. I think that it's in their roadmap, but they just aren't there yet. Specifically, we are doing things like URL filtering, user identification, decryption, and inspection, which are typically done by devices other than firewalls. Palo Alto supports it, and we're using it, but it creates some complexity with the automation.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
EA
Senior Network Engineer at a pharma/biotech company with 10,001+ employees
Real User
Firewall rule maintenance in our hybrid environment saves us time that we don't have

Pros and Cons

  • "Our engineers save quite a bit of time that was previously spent on manual processes."
  • "The GUI needs more visibility in terms of licensing because it is hard to tell which products and licensed and which are not."

What is our primary use case?

We use the SecureTrack component for several things including the maintenance of firewall rules. Examples of this are identifying rules that are no longer in use and identifying shadowed rules that can be consolidated. We also use this solution to look for violation policies, as well as unused rules.

We use this solution in AWS and in our on-prem firewall.

How has it helped my organization?

The number one benefit this solution provides is time savings. Both I and another engineer save hours upon hours of work spent creating reports, which Tufin now does for us. This is reclaimed time now well spent on other things.

Tufin has done a very good job in improving upon the USP policy for violations.

Our engineers save quite a bit of time that was previously spent on manual processes.

What is most valuable?

The most valuable feature is the ability to gather all of the firewall information without having to do it manually. It makes it much easier and saves time.

We use Tufin to clean up our firewall policies. By doing so, we don’t have a bloated firewall policy that can, in the end, cost more in terms of processor overhead.

What needs improvement?

The GUI needs more visibility in terms of licensing because it is hard to tell which products and licensed and which are not.

The USP can be improved, as far as I can tell.

I would like to see better integration and compatibility with the Azure cloud. We are not using Azure today, but I've asked questions about it and there are limitations.

What do I think about the stability of the solution?

This solution is solid, as far as I can tell.

What do I think about the scalability of the solution?

We haven't pushed this product to the point where we have to scale out.

How are customer service and technical support?

I haven't had the opportunity to use technical support.

Which solution did I use previously and why did I switch?

The driving force behind implementing this solution was to obtain reports that help us get to the heart of the matter, ultimately saving time.

How was the initial setup?

I have worked with Tufin before, so I found it to be straightforward, out of the box.

What about the implementation team?

We used a reseller and an integrator, and we are working with an integrator right now. They are G2 Deployment Advisors LLC.

Which other solutions did I evaluate?

I am not aware of any other solutions that were evaluated before choosing this one.

What other advice do I have?

The visibility provided by this solution is invaluable. It's easy to gather this information to share within our group and also outside of our group, with for examples security compliance individuals.

We do not have mandated compliance in our environment. However, we impose it upon ourselves and this solution helps us to gauge where we are.

In terms of the cloud-native security, there are some limitations because you can only pull from it what they’re willing to give you. Overall, it’s the same as whatever we do on-premise.

My advice to anybody who is implementing this solution is to ask a lot of questions. Use this solution to the hilt during the POC, making use of anything and everything. Every place is different, so use it for what you need to and beyond, so that you get an assessment as to what it can do for you.

This solution saves us a lot of time that we don't have, but there is always room for improvement.

I would rate this solution a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
BS
Service Engineer at G2 Deployment Advisors
Real User
Provides powerful integration with ServiceNow and other solutions using APIs

Pros and Cons

  • "The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions."
  • "I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that."

What is our primary use case?

We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control.

We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation.

I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of installations and initial configurations and also some first-level support and maintenance.

How has it helped my organization?

I have seen our customers benefit by taking out massive amounts of duplicate objects, and overly permissive rules. Tufin helps to clean up their firewall policies. A common scenario we see is one where clients have a whole lot of shadowed rules, duplicate rules, in their firewall policies. Tufin's Policy Browser allows them to filter them and search for them. They can also search for those rules that violate certain Unified Security Policies that they've defined.

Every single one of our SecureChange customers has seen significant improvement in the time it takes to make a change.

What is most valuable?

The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions. I'm a little biased because that's what I work with the most, but I have found, especially in comparison to other products I've interacted with, that the Tufin APIs are very well-documented. And the big thing about them is you can do pretty much anything with them that you can do in the UI. From what I've seen, the big focus of SecureChange, in particular, is automation. And you can't have automation - or complete automation - without the ability to interconnect with other systems. The APIs really assist with that.

All of the customers I have worked with who have the SecureChange product use the change request violation risk analysis in the workflows. It is usually the third step of every workflow that I configure. For example, we have an energy customer that has a particular team of people which deals with a given workflow if it has risks. They have Tufin set up to automatically run the risk reports and, in the next step, if the risk is considered low, it goes to one team; if it's considered medium, it goes to a different team. That really allows them to move their changes along without too much human intervention or too much delay.

The solution allows for the creation of custom policies, which is helpful for rule cleanup and USP.

The visibility is as good as I’ve seen in any network product. It also has its own firewall stuff for Cisco routers.

The support for cloud-native security is pretty good. We have a large customer that uses AWS and AssumeRole, and they have 200 or 300 AWS accounts. They are pretty satisfied with the solution.

Tufin also supports all sorts of devices, cloud or otherwise. I've definitely seen unified security policies applied to both cloud and regular devices. Cisco, Palo Alto, you name it.

What needs improvement?

Support for Firepower is still ramping up, but meanwhile, some things are missing.

I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that.

This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow.

There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."

What do I think about the stability of the solution?

I haven't run into very many issues with stability. HA is the only weak point that I've seen. In the past, a lot of the HA upgrades had to be done separately. Recently, I had an HA upgrade that failed during the process, and we had to restore from a backup.

What do I think about the scalability of the solution?

This solution is extremely scalable. I've seen customers with multiple hundreds of firewalls and there are no issues. The specs that they post on their Knowledge Base are pretty accurate as far as performance goes.

How are customer service and technical support?

Technical support for this solution is very good. Every time I run into an issue that I can't resolve with a customer, I reach out. There has not been one that was not resolved.

Which solution did I use previously and why did I switch?

Clients typically choose Tufin for a feature that it supports which other solutions don't have: a certain firewall or perhaps provisionings on a certain firewall. Tufin tends to release new versions very quickly with changes that are high-value. Also, as mentioned, the SecureChange workflow solution is very flexible.

How was the initial setup?

The initial setup is pretty straightforward, as all you need to install it are IPs and credentials for your firewalls. However, once you go beyond that, the effort you put in is what you get out. In terms of creating zones and Unified Security Policy, those are things that you work on for years.

What about the implementation team?

We handle the installation and configuration of this solution for our clients.

Which other solutions did I evaluate?

There are certainly clients that consider FireMon and AlgoSec.

What other advice do I have?

The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation.

The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic.

This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows.

The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product.

I would rate this product a nine out of ten. There is a lot that can be sped up in Tufin if you have someone to help you through it.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
JN
Security Engineer at a government with 10,001+ employees
Real User
Provides important rule and policy visibility for teams outside of the firewall group

Pros and Cons

  • "This has helped us to better clean up and audit changes to the firewall policy."
  • "We use a lot of inline rules, and it would be beneficial to see those from within Tufin."

What is our primary use case?

We primarily use SecureTrack for viewing and tracking changes to policies.

How has it helped my organization?

This has helped us to better clean up and audit changes to the firewall policy. Also, giving access to the other teams without giving them direct access to the firewalls, themselves, is very helpful.

This solution has also saved our architects time. They are unable to view the firewall policy directly, so they use this product to find the rules that they need. If something is being moved then they can easily create a document that has all of the existing rules.

What is most valuable?

The most valuable feature is to give people outside of the firewall group access to view the policy. Tracking is the most useful feature for us, right now. It saves time but I cannot give an estimate as to how much.

The visibility is good. We can see the policies and what changes need to be made, based on the report.

What needs improvement?

When viewing the policy there are a lot of Check Point user's inline rules, and you don't see those in our policies. It just labels them from top-down. We use a lot of inline rules, and it would be beneficial to see those from within Tufin. 

What do I think about the stability of the solution?

Overall the system is stable, and we have had no issues configuring it with our firewalls, or otherwise.

What do I think about the scalability of the solution?

It is scalable in the sense that we use a lot of policies and we haven't run into any limits yet.

How are customer service and technical support?

The solution has been pretty straightforward and I haven't had to contact tech support. Again, we're not using all of the features so perhaps that is why. I do know that there are plans to use the SecureApp and SecureChange in the future, but the trust isn't there yet for us to push down those changes.

Which solution did I use previously and why did I switch?

We did not use a solution prior to this one, but we needed Tufin to give access to other teams to view the policies. We did not want to give them direct access to the firewall management system.

How was the initial setup?

I would say that the initial setup was of medium difficulty. I and one other engineer completed it, and it wasn't too difficult.

The deployment, in total, took more than a year. This included bringing in every single firewall policy and making sure that it was updating and tracking.

What about the implementation team?

We handled the deployment in-house.

Which other solutions did I evaluate?

We did not evaluate other options before choosing this solution, and I don't know who else is competing in this space with exactly the same features as Tufin.

What other advice do I have?

We don't use SecureChange at the moment, although hopefully, we can get to it in the future.

With respect to having this solution automatically clean up our firewall policies, we run the report but we don’t always push those changes on. We consider the recommendations but review it manually ourselves. This does point out what we can get rid of, and where we can optimize it. Once we have the trust of our team to push these changes automatically it will be implemented, but we're not ready for that yet.

Part of the reason is that we want to be in control of the firewall policy changes. We don't want developers or anybody recommending what we should be doing.

If somebody is looking to integrate a ticketing system, and not push changes directly through their firewall management system, and they would like a third-party verifier and checker then I don't know any other products that can do that. This is especially true for Check Point firewalls, and Palo Alto.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
John_Ford
Managing Director at Midpoint Technology
Consultant
A flexible and customization solution that reduces dependency on contractors

Pros and Cons

  • "This solution has helped our clients because it allows them to leverage the tools so that they can actually reduce their overall expenses for the environment."
  • "We would like to see more in terms of integration with other application types within the context, such as next-generation firewalls or next-generation threat devices that are out there."

What is our primary use case?

We are a reseller and solution provider. We have this product running in our lab, and what differentiates us is that we are able to take our client's use cases and execute them in our environment. 

How has it helped my organization?

This solution has helped our clients because it allows them to leverage the tools so that they can actually reduce their overall expenses for the environment. The push is operational, and they've been able to eliminate a number of contractors, thus saving quite a bit of money by using the automation capabilities of Orchestration.

What is most valuable?

The full Orchestration Suite is what we've been primarily driving because many of our customers want to move into automation, or at least some aspects of it.

The audit portion of this solution has made a really big difference for us. Also, the flexibility of change has allowed us to really drive the product into the marketplace for a large clientele.

This solution provides great visibility, for both our customers from a primary firewall perspective, as well as for the other solutions that they tie into. For example, it gives us an ability to view what’s going on with full plant environments in various parts of the world.

The change workflow process is extremely customizable. We really like it from the standpoint that we can push it from department to department for approvals. It’s not contained within a single solution set, but rather, it moves across the silos of an organization for the approval process.

This solution has helped our clients to meet compliance mandates across the globe, including, for example, GDPR and SOX requirements.

What needs improvement?

We would like to see more in terms of integration with other application types within the context, such as next-generation firewalls or next-generation threat devices that are out there. It's not just about firewalls anymore. A lot of convergence is happening at that enforcement point, so we'd like to see a little bit more attention on that. Examples would be integration with IPS, Application Control, Anti-Bot, and Anti-Malware.

For how long have I used the solution?

Almost nine years.

What do I think about the stability of the solution?

We have found that this solution is quite stable. We do have some RFPs in to increase performance capabilities, but from our perspective, it's quite stable. If this were not true then our largest companies would not be buying the product.

What do I think about the scalability of the solution?

This solution is extremely scalable, globally across thousands of firewalls, switches, and proxy devices. We look for scalability in a product. We have a small portfolio of solution providers, Tufin being one of them, and we choose them based on their scalability. There are other factors, but scalability is critical for us.

How are customer service and technical support?

Technical support for this solution is good. We don't really use it too much because of our strong engineering team, but it's always been very responsive. We are sending two more engineers to the Cleveland area office next month.

Which solution did I use previously and why did I switch?

We chose this solution a long time ago. We've been a partner for almost nine years. Because they spun off and many of the individuals who were part of the envelopment of products within the security space, like Ruby, came out of the Check Point environment. We're a very, very strong Check Point enterprise player, so we feel that anybody who understands product development and product distribution across large environments has to be a key for us.

We really weren't interested in products from other resellers, or we weren't interested in products from auditors. We were interested in products from people who knew how to develop products for the marketplace. So that's been a key for us. The other piece is the ability to scale, and then finally, the ability to automate with that scalability. We just don't find others as scalable as Tufin is.

How was the initial setup?

The initial setup of this solution is straightforward. Obviously, with its flexibility, you really have to know what you're doing. In order to be able to leverage the product, it requires some expertise.

What was our ROI?

ROI is a little bit hard to measure in the security space, so our focus is on reducing TCO. For example, one of our clients was able to eliminate fifteen contractors that they had on an annual basis. This was a cost savings of $1,200,000 USD for the first year. Ultimately, we want to reduce TCO as much as possible.

What's my experience with pricing, setup cost, and licensing?

Licensing is available in both perpetual and subscription models, and it appears to be good for our scalable environments. We have also needed to work with what we call small enforcement point pricing, which we'll probably get more into as people expand.

What other advice do I have?

We do not yet have a great deal of experience with the cloud side of this solution. However, we're actually moving into our first contract around that and we'll be digging in deep. We find it, at least from our lab environment, highly successful, whether it's AWS or Azure, and we're looking at the Kubernetes side of things as well. So far, so good, from a lab perspective, but we will be rolling out our first, into a full Cloud environment for one of our global clientele.

For our clientele, this solution has, without question, saved them time when it comes to making changes. The whole idea is to be able to initiate a change and have it proliferate across thousands of devices. It's critical. So, just in that alone, we can save six months' worth of man-hours just in making a single change for some of the environments that we work with.

Tufin is really a leader in the space for taking manual processes and eliminating them as much as possible.

My advice to anybody researching this or a similar solution is to look for longevity in the field. Also, look for product development expertise and a legacy of that. Finally, look for scalability, stability, and growth within the marketplace across device sets.

I would rate this solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
David Higgins
Senior IT Analyst at Exelon Corporation
Real User
Speeds up our review process and assists with compliance

Pros and Cons

  • "This solution has helped us with compliance because we're able to map out certain firewall rules against compliance requirements, and we're able to write reports to show us exactly what our firewalls look like in those areas."
  • "One of the areas that I've had challenges with is making complicated reports."

What is our primary use case?

We use this solution for firewall compliance reviews.

How has it helped my organization?

This solution has helped us to speed up our review process. After we do make a change, we're able to quickly review what has actually changed. 

This solution has helped us with compliance because we're able to map out certain firewall rules against compliance requirements, and we're able to write reports to show us exactly what our firewalls look like in those areas.

What is most valuable?

From our perspective, the most valuable features are the compliance and firewall reporting modules. Indirectly, we use Tufin to clean up our firewall policies. We run reports, and then use those reports to drive improvement in the firewall rules. The visibility into the Check Point firewall rules is a lot easier to look at using a Tufin report as opposed to a Check Point report.

This provides good visibility of our firewall rules. Using Check Point is a little cumbersome to get what you need, so with this solution, we’re able to filter through and better get the information.

What needs improvement?

Tufin has a lot of tools for PCI compliance, as well as other modules that support things like SOX, but there is nothing substantial out there for the NERC CIP space. It would be nice to have some automated tools for NERC CIP compliance.

One of the areas that I've had challenges with is making complicated reports. There is an ability to pull in CSVs, but I've struggled to find the format that the CSV should be in.

I could spend hours building out a policy to check the firewall rules, and then the next person comes along and they don't see it because it's stored within a user profile. Consequently, they have to build out the exact same thing for hours instead of just being able to export it, and then import it into their profile.

What do I think about the stability of the solution?

The stability of this solution is fine. We don't have any issues with it, at least as far as I know.

What do I think about the scalability of the solution?

It seems to be really scalable once you have all of the modules working together. We have a broad array of subgroups that we're working on compliance with, from really small to really large, and it works well with all of them.

How are customer service and technical support?

I've never had to deal with their technical support.

How was the initial setup?

I was not part of the initial setup of this solution.

What other advice do I have?

Using this solution has allowed us to reduce the amount of time we spend making changes by approximately twenty percent.

This solution has a lot of functionality that we aren't using at this point, but it seems to have the flexibility and scalability. The drawback is the lack of integrated NERC CIP.

For anybody researching this or a similar solution, I would always tell them to look at all of the available options, but Tufin does all of the things that we needed it to do.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
SS
Automation Engineer at Cox Communications
Real User
Improves our efficiency and assists with compliance, although many features are yet unsupported

Pros and Cons

  • "This solution provides a more organized manner for us to track towards compliance for our PCI audits."
  • "One feature that is missing is the ability to assign a step in the workflow to a specific user at a specific time, based on how the previous steps of the workflow have been handled."

What is our primary use case?

We use this solution for workflow intake and policy cleanup. It is also used for firewall policy requests.

How has it helped my organization?

We make use of the ability to automatically validate changes to security policy rules. For example, we have four workflows currently in SecureChange, and for two of these workflows, the very first thing that we do in response to a policy request is to evaluate it. We check to see if the new policy is needed or not, and we determine how to proceed from there.

The biggest benefit for us is from an efficiency perspective. The longest part of our firewall policy implementation has been verifying the network and finding out where policy needs to be put in place. Tufin takes this job down from a day, to sometimes five minutes.

This solution provides a more organized manner for us to track towards compliance for our PCI audits.

What is most valuable?

The most valuable feature for us is the topology validation that is part of the workflow.

This visibility that this solution provides is better than that of the competitors that I have looked at.

When this solution works in the way that we need it to, my impressions of the change impact analysis are very good. The hardest thing for us is the inefficiencies with topology. This often means that the results we get are inaccurate.

What needs improvement?

One feature that is missing is the ability to assign a step in the workflow to a specific user at a specific time, based on how the previous steps of the workflow have been handled.

For the traditional application, SecureChange, my impressions of its cloud mandated security features are not very good. Tufin Iris looks more promising.

We have had issues with the stability of this solution, and the basic technical support is not very good.

In the next release of this solution, I would like to see the normalization of configuration files as they're brought in so that there can be some regular expressions set up to parse them. I would like to see additional cloud support, and the inclusion of security tags as a way of determining risk in the USP.

What do I think about the stability of the solution?

So far, our impressions of stability are not very good. We have already had to RMA one of our boxes, and it was not being utilized very heavily. We've had different issues on some of our other devices, as well.

What do I think about the scalability of the solution?

Scalability is hard for me to say based on what we have deployed so far. We do have issues, but it's hard for me to say whether they are because of the hardware, or are an issue of scale.

How are customer service and technical support?

The basic technical support for this solution is not very good. However, the Critical Situation Team is actually very good. I would say that the support experience depends on which group you get put under.

Which solution did I use previously and why did I switch?

Prior to implementing this solution, the majority of our security engineering's time was spent working with these policy requests. It was a manual process where a requester would submit and Excel sheet, and the changes were being done from there. This was not leaving time for that team to work on projects and initiatives that were furthering or bettering the company. We started looking into Tufin as a way to automate some of that process and free up some of their time.

How was the initial setup?

The initial setup of this solution is very complex. Putting all of the devices into the topology, and then getting it to a place where it can provide meaningful and accurate results, and then building the USP on top of that, are all very complex. Out of the box, I don't think that Tufin really provides very much until you get through a lot of those complexities.

What about the implementation team?

We handled the deployment in-house.

What was our ROI?

I'm sure that there is ROI with the time savings that we received, or that we get as part of working the secure change workflows, but I couldn't speak to any hard numbers.

Which other solutions did I evaluate?

The shortlist included both Tufin and AlgoSec. Our evaluation showed that Tufin's features were on par with AlgoSec, but Tufin was the better financial choice.

What other advice do I have?

Prior to using this solution, our SLA for any change that went into production was ten days. We’ve now lowered that down to two days.

For the most part, our engineers are spending less time on manual processes, but this is when the topology works the way it's supposed to. When it isn’t working the way it's supposed to, then they spend more time than they would normally.

My advice to anybody who is implementing this solution is to start small. Pick an area of your network and deploy Tufin, then get it working in a manner that suits your needs. After this, expand it out to the entirety of your network.

This is a good solution but it is not perfect. There is a lot of stuff that is unsupported and it is inefficient.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
HS
Security Analyst at Equifax Inc.
Real User
Provides important visibility and saves us considerable time when making changes

Pros and Cons

  • "The most valuable feature is that it extends security entries in the firewall policies."
  • "I would like the ability to export information in other formats including PDF, HTML, or Excel."

What is our primary use case?

We use this solution for auditing our security and system access entries, then alerting us to problems.

How has it helped my organization?

The auditing reports generated by this solution help us to find issues.

This solution has helped us to meet our compliance mandates. We have very strict standards and security policies that we must follow. This tool is very flexible for the management team. It also helps us to ensure that our security policy is followed across our entire hybrid network, but we have a lack of security in some points.

What is most valuable?

The most valuable feature is that it extends security entries in the firewall policies. Given the number of entries in the access control, this would take a lot of time, so this feature is very valuable for us.

The visibility this solution provides us is great. At the moment, we are in the process of continuous improvement, and we need to include these new features.

The change workflow process is okay.

What needs improvement?

I would like the ability to export information in other formats including PDF, HTML, or Excel.

For how long have I used the solution?

We are still implementing.

What do I think about the stability of the solution?

The stability is very good. It's better than the other tools that we have in the company.

What do I think about the scalability of the solution?

To this point, we have only used the basic functionality. We have several teams working with the tools.

How are customer service and technical support?

Technical support for this solution is excellent. At the moment, we have very good communication with support.

How was the initial setup?

The initial setup was good and we had no trouble with it.

What about the implementation team?

We handled the deployment of this solution internally.

Which other solutions did I evaluate?

We did not evaluate other solutions before choosing this one.

What other advice do I have?

This tool is excellent in the specific areas where it is applied. We are spending less time on manual processes and at some point, we will be stopping them.

This solution definitely helps to reduce the time it takes to make changes. With other tools, I have spent five or six hours or even days, but with this solution, it takes me thirty minutes. It can take even less, depending on the complexity of the firewall.

My only complaint is that I would like to be able to export data to different formats.

I would rate this solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
FG
IT Manager at a financial services firm with 10,001+ employees
Real User
Valuable reporting helps us to satisfy our audit requirements

Pros and Cons

  • "The most valuable feature is the reporting of our risk poster in our firewall."
  • "I would like to see improved role-based access."

What is our primary use case?

Our primary use case for this solution is risk visibility.

How has it helped my organization?

We use this solution to clean up our firewall policies.

Prior to using this solution, and according to our best practices, we didn't have a baseline of the security poster that we have with our rule sets. Now, with this reporting, we're able to provide that to our management.

It has helped us meet your compliance mandates. We are getting this from the data and reports. This was one of our requirements.

What is most valuable?

The most valuable feature is the reporting of our risk poster in our firewall. We clean up our firewall rules using this solution. The reporting helps us carry this out quickly.

This visibility is good and I would say that the change workflow process is average to good.

We expect that SecureChange will help us to reduce the time it takes to make changes. It is on our roadmap.

What needs improvement?

The reporting still has a lot of improvements to be made.

I would like to see improved role-based access. 

For how long have I used the solution?

We are still implementing.

What do I think about the stability of the solution?

For us, this product has been very stable. We don't have any trouble with it.

What do I think about the scalability of the solution?

Our deployment is quite small, so I cannot speak to the scalability yet.

How are customer service and technical support?

Technical support for this solution needs improvement. We usually get a callback from an engineer, but the escalation of support should be faster.

Our account manager at Tufin is very engaged and has been super helpful.

Which solution did I use previously and why did I switch?

Adopting this solution was an easy decision for us because it is an audit requirement.

How was the initial setup?

The initial setup of this solution is straightforward. Installing SecureTrack was not difficult, after browsing through the knowledge base. With the documentation that is available, it is easy to deploy.

What about the implementation team?

We implemented this solution ourselves.

What was our ROI?

We have not yet seen ROI, but when we go with the SecureChange model, we will automate and reduce overtime hours. At this point, we will see a very valuable return on investment. For the time being, it is on our roadmap.

Which other solutions did I evaluate?

We did evaluate other solutions before choosing Tufin. This solution is used by many large companies, which is one of the reasons that we selected it.

What other advice do I have?

There is always room for improvement, but with the performance and the day to day stability that we have, I think that it's a very good product. Overall, I am very happy and satisfied with the product, and I am looking forward to a lot of new features.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mohd Majmi Mohamad
Regional OSH at Pos Malaysia Berhad
Real User
Gives us real-time firewall policy management

Pros and Cons

  • "I like the fact that Tufin was able to integrate with our firewalls, which include Palo Alto and FortiGate."
  • "Our project is running on Riverbed for SDN. I don't know if Tufin can integrate with Riverbed. Other than that, I have no issues with this product."

What is our primary use case?

Our primary use case was firewall policy management. We did a PoC with Tufin.

How has it helped my organization?

There was no issue with slowness, especially when it came to pulling the data in real-time.

Tufin was able to automatically check if a change request would violate any security policy rules. During our PoC I tested it by trying to do unauthorized changes and Tufin met our requirements.

We are looking to become ISO 27001 certified for information security management. We need a solution like this for the audit side. They need to be able to check our firewall policies.

What is most valuable?

The goal was policy management and Tufin's policy management features met our requirements. It allowed us to crosscheck policies.

I like the fact that Tufin was able to integrate with our firewalls, which include Palo Alto and FortiGate.

What needs improvement?

I work on the network and security sides. The network visibility side needs improvement. I need to be able to see what the configuration changes are inside. On the firewall side, there are no visibility issues.

Also, I'm not sure if it integrates with Riverbed.

What do I think about the stability of the solution?

So far we have had no issues. We're running it on a VM and there are no issues with the VM.

What do I think about the scalability of the solution?

We had no issues with scalability.

We are a big company and our network is complex. We have a lot of servers and we have about 700-plus branches connecting to HQ. HQ is our main site to go with the ISP. But we only implemented Tufin at our HQ and two of our main branches.

There were only four users on my team.

How are customer service and technical support?

I did not engage with Tufin's technical support. We used a third-party.

How was the initial setup?

The setup was not too complex but not completely straightforward. It was so-so, at least for our environment.

We had an issue with how to push the policy changes. It took about a week, during which our engineer conferred with Tufin. Tufin had to do some fine-tuning.

In terms of an implementation strategy, at that time we were only doing a PoC to see the policy management functionality. Tufin can also integrate networking and security to show an overall network mapping, from site to site. We have a lot of branches. And we are now moving to SD-WAN, to see the mapping. We need to see if Tufin can integrate with that.

What was our ROI?

On the technical side, the Tufin solution was very helpful for my team. It would save my team time. Using Tufin they could check all the firewall policies in one console, for both Palo Alto and FortiGate, at the same time.

What's my experience with pricing, setup cost, and licensing?

There is no issue with the pricing because we used a VM. That kept the cost low, as compared to an appliance. The licensing cost quote met our budget.

Which other solutions did I evaluate?

We have done other PoCs with AlgoSec and FireMon. But as we compared Tufin with them I preferred Tufin rather than AlgoSec. They were basically the same, but then Tufin came out with a lot of changes in their recent update. Also, Tufin is real-time while AlgoSec is near-real-time, for policy management.

What other advice do I have?

In terms of advice, it depends on what a user's needs are. For us, we only considered Tufin for the security and the network parts, especially the network mapping. I need to see the hop-by-hop, from this site to that site, how many hops for a transfer packet. 

Tufin is good for beginners. Tufin filters based on rules, even if a beginner doesn't know what to do, how to configure the firewall. Tufin can then monitor based on those rules.

It's a good value for what it does. We had no issues with this product. It was good for us. We could deploy it in our environment without any issue.

I rate it at eight out of ten because we are still evaluating Tufin. Our project is running on Riverbed for SDN. I don't know if Tufin can integrate with Riverbed. Other than that, I have no issues with this product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
HM
Network/Security Engineer at a leisure / travel company with 51-200 employees
Real User
Firewall automation saves us hours of time, but the platform stability needs work

Pros and Cons

  • "The change workflow process is flexible and customizable... If we have a firewall completed and we want to redo it, if we need to re-engineer a particular firewall and open a different destination, we can do that by creating a break-fix... That is one of its useful tools."
  • "When it comes to web services, in my experience, Tomcat has always gone down; after a certain amount of load it breaks down and we have to get things restored again."

What is our primary use case?

We are doing firewall automation through Tufin.

How has it helped my organization?

In terms of the change impact analysis capabilities of this solution, we get a lot of CNR queues and it has saved a lot of time when making changes. And the analysis tells us that we have made a particular change and it sends out a lot of alerts. We can analyze them and do some auditing stuff as well with Tufin.

We have a lot of teams that do stuff in Tufin, management teams, auditing staff, and a team for implementation. So the time it saves us across that whole scenario is hard to pin down, but it has saved us a lot of hours in implementing the CNR queues, approximately 20 to 30 hours a week. That a big time savings.

The solution will automatically check if a change request will violate any security policy rules. We have an auditing staff using this feature within Tufin. If we have an open rule, it will send us an alert and we can see why this alert has been sent and take action on it.

Tufin helps us ensure that security policy is followed across our entire hybrid network. We can set up rules and policies for this and we can do a lot of auditing as a result.

What is most valuable?

The topology and the config backup that we see for devices are key features we get from Tufin.

The change workflow process is flexible and customizable. We went through a lot of difficulties while doing stuff, and it now provides a lot of flexibility while making changes. We can go back and implement the changes again and that is one of the things that is very flexible. If we have a firewall completed and we want to redo it, if we need to re-engineer a particular firewall and open a different destination, we can do that by creating a break-fix. A break-fix is one of the things that we can use to redo things on Tufin, itself. That is one of its useful tools.

Auditing is another good tool within Tufin. The automation stuff and searching of reports are good for auditing as well.

What needs improvement?

I have gone over compliance issues in Tufin, but compliance is one of the things which might not be that clear in Tufin. It just shows the configuration. That is one of the things they have to work on. It is one of the constraints, in my opinion.

The topology is good but they could work on it and get something better out of it.

If we talk about the complexity of getting more nodes over Tufin, Tomcat or web services become flat. This is one of the constraints that I have seen. The web services are not that stable. This has to be checked and taken care of.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

If you have a normal load in Tufin it works perfectly fine. But they need to work on the stability because if a certain amount of load is put in Tufin it just breaks downs, from what I've seen lately. That has to be taken care of. The parameters for the platform also matter in that situation, but if they can work on the stability, that would be great.

What do I think about the scalability of the solution?

The scalability is fine but when it comes to web services, in my experience, Tomcat has always gone down; after a certain amount of load it breaks down and we have to get things restored again. The scalability is perfectly fine but, performance-wise, they have to work on the platform or the base of Tufin to make it more robust. In a bad situation, if a lot of guys are logging in, it breaks down.

How are customer service and technical support?

Although I am in India, we have U.S. support. I haven't had any interactions directly with tech support, but one of my counterparts in the U.S. talks to them and sorts things out for us. I haven't had any discussions with them where I can analyze their work.

It was challenging at the time because we wanted to implement a lot of things which Tufin doesn't have as default. There was a lot of customization required and it took a lot of time - one or two months - to sort that out.

Which solution did I use previously and why did I switch?

We did not have a previous solution. We were moving towards automation and we wanted something that would save time in doing firewall queues and creating firewall rules. We were looking for a good tool and Tufin was one of them. It is a multipurpose tool that gives us topologies, and auditing and alerting.

How was the initial setup?

I don't think we had any issues installing it. That was not a problem. It is not that difficult but it is not easy either. The setup was normal and I wouldn't complain about it.

Our deployment took about ten to 15 days to get things onboarded. There were many other guys who were also involved in it and I don't remember entirely, but I think that's how long it took to onboard things.

The number of people involved in the deployment depends on the infrastructure and what kind of services you are looking for. If you're looking at server management, that would require one or two guys. If you're looking at onboarding of devices, you would need another one or two guys. For the auditing stuff, again, another one or two guys could do it. So for each of these areas, one or a maximum of two guys could handle it. Once you are done with onboarding, managing it takes two guys.

Regarding our implementation strategy, our primary motive was to get firewall automation in place. With that in mind, we worked to bring in all the devices and all the firewalls. Then we started talking about getting the different packages over to it and working to get the firewall automation done. There were a lot of things we had to do - it took months - when we had to bring in new patches or requests.

What about the implementation team?

It was Tufin only and one or two guys within our team. There was no third-party involved.

What was our ROI?

Firewall automation was one of the biggest concerns we had, and we have largely sorted that out with this tool. If we are saving hours, then we are saving money.

What's my experience with pricing, setup cost, and licensing?

I was involved with the pricing at the start. But then management took over that issue. In terms of affordability, this company is using it, so it seems they are fine with it. We just provide management with our requirements and it's their concern and responsibility to bring us what we need. Since we still have this solution, I think they are fine with it. But it's a management call.

What other advice do I have?

My advice would depend on what kind of implementation and what kind of environment you have. If you are looking for automation and auditing you should think about this solution. Talk to the technical guys at Tufin about how your environment works and can ask them about what they can do. If you are looking for automation you should look at Tufin.

Regarding Tufin's cloud-native security features, I am only familiar with their on-prem stuff. I haven't seen any of the cloud features on Tufin yet. I would really like to know what it will bring us at the end of the day.

We have three or four teams using it on different platforms and for different use cases, like auditing and alerting. On my team there are 25 guys using it. I don't have any idea how many guys on other teams are using it. Our security area is managing and maintaining it.

As engineers, we are certainly using it daily. I just made a scheduled change today through Tufin. We are certainly using it but I can't say what our plans are for it in the future.

I would rate Tufin at seven out of ten. The things that come to mind with this rating are the implementation of firewalls, the alerting and security. We can set out the security rules. I deducted three points because of the platform. I don't think that it has a stable platform. If there are 20 people and 22 need it, it will not be able to support us in that scenario. So that is a weak point. Stability and robustness are the things I'm looking for.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
CG
Security Engineer at BCBSMA
Real User
Enables us to perform self-audits and use rule-based accountability

What is our primary use case?

Our primary use case for this solution is for audit and firewall rule base management. 

How has it helped my organization?

Tufin allows us to perform self-audits and use rule-based accountability. 

What is most valuable?

The most valuable features are the Security Risks and Best Practices reporting/Rule base cleanup.

What needs improvement?

I feel that the user interface is a bit dated. The product version updates should be automated, and the reports could be a bit cleaner.

For how long have I used the solution?

More than five years.

What is our primary use case?

Our primary use case for this solution is for audit and firewall rule base management. 

How has it helped my organization?

Tufin allows us to perform self-audits and use rule-based accountability. 

What is most valuable?

The most valuable features are the Security Risks and Best Practices reporting/Rule base cleanup.

What needs improvement?

I feel that the user interface is a bit dated. The product version updates should be automated, and the reports could be a bit cleaner.

For how long have I used the solution?

More than five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Arturo Morante
Network Architect at a transportation company with 10,001+ employees
Real User
SecureChange feature enables firewall rule automation, but Security Groups are pricey

Pros and Cons

  • "SecureChange is the most interesting part. It all comes down to having the user request firewall access and SecureChange, based on workflows, takes care of it, sending two or three emails to the business approvers. With one click, you can automate a firewall rule."
  • "The change workflow process is flexible and customizable. I was really impressed with it. It's pretty easy. You can add automatic validation steps. Depending on the security matrix, you can pre-allow whatever flow you want."
  • "The interface is like a 1990s kind of thing. It's a little ugly. There are many things that you cannot tweak, little things like the column width and how you display the information. You end up exporting everything to an Excel file and doing your work there."
  • "The documentation site is horrible as well. It has a tree structure, and you really get lost quite easily."

What is our primary use case?

We deployed a proof of concept. We added most of our firewall base to Tufin, although not all. We checked and tested Check Point, Palo Alto, Juniper, Cisco routers, Juniper routers, and F5 load balancers. Mostly we grabbed one instance of each of our technology devices, added it to Tufin, and tried different things. We tried SecureTrack and some basic SecureChange to try to automate our firewall partitions, the firewall "tickets." We presented a form to users to enter the source, destination, service, etc. This was our PoC.

Right now, we're in the process of purchasing Tufin.

How has it helped my organization?

With path analysis, you can specify a source, a destination, and a port and it will tell you whether it's blocked or not, and where; which firewall is doing the blocking or the allowing, or whatever. That part is very useful. When you have feedback from the user and you have your source, destination, and port, instead of trying to search on the Check Point console or the Panorama console or the Juniper console to figure out where that packet being dropped, you go to Tufin, put it in and, in 30 seconds, you have your answer. 

It saves time on each ticket. Instead of playing around for 15 or 20 minutes, it's down to 30 seconds. Any first-line of support can go to Tufin, put in the source, destination, and port and they can at least know what to look for, who to involve to further troubleshoot the issue. It's a first-step investigation that saves time.

It also helps us ensure that our security policies are followed across our entire hybrid network.

What is most valuable?

SecureChange is the most interesting part. It all comes down to having the user request firewall access and SecureChange, based on workflows, takes care of it, sending two or three emails to the business approvers. With one click, you can automate a firewall rule. We have many problems like, I imagine, the whole industry, with delays in implementing firewall rules.

SecureTrack provides all these regulations, PCI kinds of things, so you can try to match all your security policies and firewall configuration to the standard. 

There is also a feature to optimize firewall policies that will delete duplicate objects and rearrange the rules so the machine will function faster.

In addition, the change impact analysis capabilities allow you to do automatic checks of whatever rules you are implementing.

Finally, the change workflow process is flexible and customizable. I was really impressed with it. It's pretty easy. You can add automatic validation steps. Depending on the security matrix, you can pre-allow whatever flow you want. You can do your change analysis automatically or risk analysis automatically; whichever steps you want. It's pretty cool.

What needs improvement?

The visibility that Tufin provides us with is improvable. The interface is like a 1990s kind of thing. It's a little ugly. There are many things that you cannot tweak, little things like the column width and how you display the information. You end up exporting everything to an Excel file and doing your work there. They tried to put too much stuff on the screen. It's a little difficult to find what we want. It's a design issue, it's not a functionality issue.

The web interface is really like going back in time 20 years. You have to move columns back and forth and make them big to see the whole text in them. If you hover over a name, it won't show the content. You have to click on it and open it. It's a bit cumbersome.

The documentation site is horrible as well. It has a tree structure, and you really get lost quite easily. If you have the patience to browse through that hell of documentation, you will find what you need, but it is hell to browse and search. The information is there, it's just difficult to filter and search it. Documentation is one thing they can improve on.

What do I think about the stability of the solution?

I haven't found any issues with the stability. In the beginning, it was our problem, our mistake, because we configured the box with eight gigs of RAM. Then we checked and, obviously, we needed 16. After enlarging it to 16, there was no issue whatsoever. It was pretty responsive. Obviously, it was only one user, me, doing things, but I didn't find any issues performance-wise or stability-wise.

What do I think about the scalability of the solution?

We don't have that big of an environment. We added some 20 pairs of firewalls and another 20 or 30 routers, and one F5. I don't think we have scaled Tufin sufficiently to put it under some stress. Our DC is pretty small, we don't have many devices.

How are customer service and technical support?

Tufin's technical support is excellent. In my old job, I also implemented Tufin, and I was in touch with their Israeli people, the technicians; they're really good. They really know their stuff. In Spain, for southern Europe, they have a couple of people. The technician there is excellent, and the commercial guy is fun. It's the perfect combination.

How was the initial setup?

The setup was straightforward, absolutely. The only problem we had was with Check Point, but I think it's a Check Point problem, not a Tufin problem. Check Point is horribly configured. Managing it is hell. You have to define the OPSEC server with a user name and password, and you have to create the same thing on the provider one. They have to be same user but have different passwords. It's a little difficult. You have to pay close attention so you don't make a mistake. But I think that's a Check Point issue, not a Tufin issue.

The whole Tufin deployment took us about four months, with SecureChange, etc.

Up to the point with Check Point, it was easy. We created a read-only user for our infrastructure, and once we had connectivity from the Tufin box to all the devices, it was pretty simple. It was just IP address of the device, username, password, and go. Except Check Point. We needed to spend a day or two on that.

In terms of our implementation strategy, we wanted to test each of our technology manufacturers: F5, Check Point, Palo Alto, etc. We left our main public-facing networks out of the equation for the PoC. Whenever we implement the whole thing, we will include those. We made SecureTrack work well. We will define our security matrix correctly with all our networks, as granular as we would like it to be. Once we have that, we will go to SecureChange. So it's SecureTrack, do a good security matrix and, once we're confident with that, we'll go to SecureChange.

For deployment, it was just myself and the people who deployed the VM, with the help of Tufin's team. I'm the only one who was involved in maintaining it.

What about the implementation team?

Tufin's team helped us mainly with the Check Point stuff when we ran into some problems.

What was our ROI?

In a PoC it's difficult to see ROI. Seeing how the tool performs, I think we will see a return on investment, of course.

What's my experience with pricing, setup cost, and licensing?

It's not that expensive, except for Security Groups. For us, just the Security Groups were about half of the total price. The total was about €500,000 a year, of which €200,000 was for Security Groups. For the rest, it's not that expensive, given all the benefits we will get and all the time we will save.

Which other solutions did I evaluate?

We could only test AlgoSec for a little while. Our group is part of a larger group of products. When we were doing our PoC for AlgoSec, we were told to stop. The decision was made to move to Tufin because it has group-wise technology, chosen for the acclimation of firewall policies.

AlgoSec is much prettier, it's much simpler, and has a cleaner interface. Functionality-wise, it's pretty similar, from what I read in the AlgoSec documentation. Tufin has a few extra features, but AlgoSec is much cleaner, it's prettier.

Going with Tufin was not a technical decision, it was "politics." The largest group uses Tufin, so other group members have to use Tufin as well. It's mandatory.

What other advice do I have?

Don't bother with the web interface, calm down, don't worry, everything will be fine. They will improve it. The rest of it, I don't have any issues. They're technically prepared, the tool does its thing. The only two things I would be patient with are the web interface and that documentation which is not really well organized. Besides that, it's pretty easy. It's pretty easy to configure and, once you start using it, you will see the potential. AlgoSec, Skybox, and all those tools probably have the potential as well. But Tufin is easy enough for everybody.

What we don't use, and what we are not planning to use, is the third module, the SecureApp. We haven't played with it and we're not planning on using it, for the moment.

In terms of using Tufin to automatically check if change requests will violate any security policy rules, we would love to do that. What we didn't do is build the security matrix. That part is the one that takes a lot of time to build. You have to work with the security team and all the players involved. Because we did not design the security matrix, we couldn't match a firewall rule with the security matrix and say, "Okay", or "Not okay," and do some automation there.

What we did is prepare a form for a firewall petition, and some automatic steps. For instance, in the first step, you enter the request and it sends an email to a business approver. Depending on whether that firewall or that flow is predefined as allowed or not, you can skip that step and go to the next step. We did a little bit of logic with the change-request form. It worked pretty well for us.

The purchasing process takes a little bit of time because of all the different groups involved. But we're planning on implementing it and to finish around next summer, 2020; to have both SecureTrack and SecureChange up and running.

As for compliance, we don't have many requirements. Of course, we are bound to some ISO certifications, because it's the car industry, but we don't have any specific PCI. We don't sell cars over the internet, so we don't have to do that.

When it comes to Tufin's cloud-native security features, what we have is our landing zone in AWS - a VPN tunnel from on-premise to Amazon, with Transit VPC. We have a couple of Palo Altos, securing the track from on-premise to the cloud. And we added those Palo Altos to Tufin. We needed to tweak and include some virtual devices in Tufin so the routing would be okay. But that was quite easy. It was well-documented as well.

The only problem is that we got our quotation from our supplier, and the Security Groups are extremely expensive. They bill you $1,200 dollars per Security Group per year, which is really high. We're not that big, we may have 100 or 150 Security Groups. That's would be about $200,000 just to manage Security Groups. We were put off by that. From the start, we won't have the Security Group feature. We think it's too expensive.

As for increasing our usage of Tufin, we'll go day by day and see how it responds to our requirements. SecureTrack at the beginning, then SecureChange. Maybe, if everything goes well, we will think about SecureApp. It's not in the scope at the moment, but maybe we will implement it.

I would rate Tufin a seven out of ten. It will get better once they get their act together with the documentation and the interface.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Syahrul Fitri
Specialist in Network Security Operations Support at a financial services firm with 10,001+ employees
Real User
SecureChange automates everything from the validation to the pushing of rules

Pros and Cons

  • "The most valuable function is the SecureChange where it is able to automate everything from the validation of the rules to the pushing of the rules."
  • "There is room for improvement in the speed of Tufin. It is using so many of my VM resources and yet it is still a bit slow... Even though we are allocating 130 gigs of RAM, we still have to wait for a few minutes for a single report to be generated. Otherwise it would be a perfect tool."

What is our primary use case?

We are using Tufin to generate reports on unused rules and for compliance reporting.

How has it helped my organization?

In our environment we have two data centers which have the same IP address for service in both. This means that in data center A, server X's IP address is the same as server X's IP address in data center B, but it's sitting in a different firewall. So we are exploring SecureChange to automate the pushing of rules in both gateways at the same time. That way we will be able to track to which firewall, in which data center, we have pushed rules.

It helps us to meet our compliance mandates because we are able to define whatever compliance we are subject to. We are a financial institution so we have to comply with PCI DSS, we have to comply with certain financial rules and regulations. We are able to do that with Tufin.

It also helps ensure that security policies are followed across our entire hybrid network. So far there have been no complaints from the auditor who is checking our firewall rules. The only exception is that, because we have so many requests in a day, some of them are not used yet by the requester. What our auditor sees is only the unused part. But we are 80 to 90 percent compliant.

Finally, I expect it will help our engineers to spend less time on manual processes, that it will cut half of the time spent looking at all the rules and validation. Currently, 70 percent of my engineers' load is looking at rule validation and requests that are not being made correctly.

What is most valuable?

We are still using only one-third of the functions that Tufin has, but SecureTrack is among the most valuable.

The most valuable function is the SecureChange where it is able to automate everything from the validation of the rules to the pushing of the rules. We are mainly using Checkpoint and Tufin together.

In addition, it's helpful that we can generate accurate and detailed rule-usage reports. That enables quick clean up.

In terms of visibility, Tufin does show all the schedules based on the usage.

Another feature I like in Tufin is that we are able to track the flow of the source and destination, passing through which level of device and which firewall. It makes our operation, our daily tasks, much easier than doing it manually for each and every request.

What needs improvement?

There is room for improvement in the speed of Tufin. It is using so many of my VM resources and yet it is still a bit slow. They need to improve how they do their database indexing. That is the main fault of Tufin right now for us. It's slow. Even though we are allocating 64 gigs of RAM, we still have to wait for a few minutes for a single report to be generated. Otherwise, it would be a perfect tool.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

The stability is great. It has never gone down. The only problem is the slowness.

The stability is dependent on the devices. The part where we are having a problem now is the result of migrating to RAT which is using APIs which keep going down when our MDS has a heavy load.

What do I think about the scalability of the solution?

In terms of scalability, the only issue is the licensing part. You have to have the correct license to go to a larger installment.

Which solution did I use previously and why did I switch?

This solution is the first of its kind in our bank.

How was the initial setup?

The initial setup was straightforward. I was able to deploy Tufin in a few minutes only. Integrating with devices - as we are using Checkpoint, API, Syslog - is simple.

For now, we have only installed one server, not distributed. Soon we will go for distributed, because we need to collect all the logs from all our overseas sources.

I was the only one involved in the deployment and am the only one who takes care of the maintenance and day-to-day configuration. Our firewall team will be using Tufin but they don't do the maintenance. At the moment there are about 15 users. Half of them are the firewall team and then there are a few auditors and a few people in the business unit who are monitoring the rules.

What was our ROI?

ROI is measured in engineers having time for their families and being able to have more time to do other things. It is not a specific figure, it is more a matter of how time is spent.

What's my experience with pricing, setup cost, and licensing?

The current licensing scheme is quite confusing but it is clearer than the old one. If you have one MDS you just buy the MDS license and the gateway license. That's most of it.

Before this, they broke it down into VS, virtual environment, physical environment, single boxes, cluster boxes. Now the licensing part is much more straightforward. If you have ten gateways you don't need to define one as a single and another as a cluster gateway.

Pricing is quite high. We did compare it with AlgoSec but the pricing is not much different between the two.

Which other solutions did I evaluate?

The decision was made before I joined the organization. I don't know if they looked at competitors or not. Currently, we are looking at AlgoSec, if it can replace Tufin or compete with Tufin in terms of features.

The main differences between the two are only in the pricing and the look and feel. They both do the same thing. Both will be able to achieve our organization's targets. But in terms of look and feel, our engineers are already used to what we have. And I do prefer Tufin.

What other advice do I have?

If you are looking at a large environment and a large number of policies, you really need Tufin to help you manage all the rules. We have 25 policies, and each policy has around 1,000 to 1,500 lines of rules. Managing that manually would not be easy.

We haven't started using the change impact analysis capabilities of this solution yet. We are still testing it. We are not that familiar with the process yet.

Because our team is doing cleanup every three months, we need to keep generating a report every day to have correct visibility: which rules are unused and which rules need to be removed to be optimized. We are using it quite intensively. I don't know how we can increase usage until we deploy and start using SecureChange. At that point it will be more intensive because after SecureChange everything will be automated and they will start only using and looking at the secure Tufin interface, in terms of rolling out all the requests.

We haven't seen a reduction in the time it takes to make changes yet, because we are still tweaking the SecureChange part. We will be testing it in a few months' time. We need to see integration with our ticketing system because people are making requests over HPSM and Tufin needs to be able to grab them first, before we can start to roll out SecureChange.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ET
Business Director at a tech services company with 201-500 employees
Real User
Gives our customer the ability to centrally monitor and view all changes made in the network

Pros and Cons

  • "The policy overview is valuable."
  • "Our customer has the ability to centrally monitor and view all changes that have been made in the network, and they are able to revert any problems that they encounter, if somebody has made a problematic change."
  • "The key area for improvement is the integration to F5. One of the things that we encountered with another customer is that there were some limitations when we tried to migrate policies from F5 into Tufin."

What is our primary use case?

For us, it's more about managing the policies and having an overview of all the policies that are available, that we currently implement, and bringing them to a central console so that we can have an overview of what's going on. We deploy Tufin for one of our customers, it's not for ourselves.

How has it helped my organization?

The key, convincing element that made our customer go with Tufin is that they have the ability to centrally monitor and view all changes that have been made in the network, and they are able to revert any problems that they encounter, if somebody has made a problematic change.

What is most valuable?

The policy overview is valuable.

What needs improvement?

The key area for improvement is the integration to F5. One of the things that we encountered with another customer is that there were some limitations when we tried to migrate policies from F5 into Tufin. Half of the network is F5 and there were a couple of other firewalls and they're trying to centrally manage them. There were issues in terms of managing the policies for F5. It's not as seamless as it should be.

Documentation to help users integrate to an F5-type of environment would be great, so that users would understand and know the limitations, rather than having to go through a PoC and then realize that it's just not suitable for integrating F5 products.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

So far, the stability has been reasonably good. We haven't encountered any major issues. Even when integrating to overseas central management systems, it has been quite seamless.

What do I think about the scalability of the solution?

Scalability is something the customer will be exploring in the next phase.

I think that the major limitation is its ability to integrate into more products. With the common products, the older products, it integrates very well. But with the newer products, like I said, F5 for example, they do have some issues. I'm not too sure about other firewall products and other DDoS products that could be in the network.

For now, the customer is trying to integrate the product into the rest of the group. That's currently being studied by some of their overseas counterparts to see if it's suitable. The plan is that the customer intends to proliferate this across the entire network, but that step will take place over five years' time.

How are customer service and technical support?

Technical support is excellent, I would give a big thumbs-up to the technical support team.

Which solution did I use previously and why did I switch?

We didn't use a previous solution, this is our main solution.

How was the initial setup?

The initial setup is reasonably straightforward and the support team is quite good. They're very helpful and they're very knowledgeable.

The deployment, overall, took about three months, in terms of studying the customer's environment and doing some consultation and a deep-dive with the Tufin consultancy team.

What about the implementation team?

We are an integrator, so we have a fairly decent understanding of the product and it wasn't that difficult to deploy.

What's my experience with pricing, setup cost, and licensing?

Pricing played a big part here. We didn't present AlgoSec or FireMon. We got good support from Tufin directly. We managed to position it with an effective price for the customer. The customer had evaluated other products but, due to price as well as support, they chose Tufin.

Which other solutions did I evaluate?

We evaluated Tufin together with FireMon and AlgoSec.

What other advice do I have?

The first priority is to evaluate how expensive your firewall family is. If you have, for example, F5 then you would probably have similar problems to what we encountered with F5. But if you are deploying general firewalls, like Palo Alto and Cisco, that's fine. You have to evaluate how you are going to import existing policies and how you are going to monitor those policies when they transfer them across to be centrally managed and monitored by Tufin.

In terms of users of the solution, we set up for the customer a central admin who is the main administrator that controls the entire dashboard. In addition, there are viewers who only need to view and monitor the reports and the like. It's the IT firewall team that makes changes to the firewall and backend system. So there are three main groups of users.

We do the maintenance for the customer, so if there are any patches or any updates that are critical we work with the customer to identify a suitable time for us to do the system upgrade.

We manage our customers' IT infrastructures. We then bring in vendors according to what each customer requires. We are the system integrator, integrating to their backhand system. We provide consultancy and advice to the customer with regards to the types of products that they should choose. Eventually, we support products once they have deployed them. A lot of customers don't have a big IT team locally to support the infrastructure, so we provide that level of support.

From an implementation and costing-strategy standpoint, I would give Tufin eight out of ten. It would be much better if they could improve the F5 support and also enhance the documentation in terms of integrating firewall products.

Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator.
CL
Senior Adviser Cyber Security at a comms service provider with 10,001+ employees
Real User
It's pretty useful when you have an audit going on, but I don't like the way the reports are shown

Pros and Cons

  • "It provides a great visibility around the roots: Root implementing which can be done, roots that have changed, and what has been done. So, it's pretty useful when you have an audit going on."
  • "I would rate their reports as a four out of ten. I don't like the way that they are shown. It is too hard to export and send them to our clients."

What is our primary use case?

We use it for advanced reporting and root analysis. In some cases for clients, we use it for root deployment. 

How has it helped my organization?

Some clients wanted to have more latitude with root deployment. Instead of deploying through us every time, they want to deploy a new root, making quick roots or small roots, like adding an object to a root. They now have the possibility to go direct.

It has helped our clients to meet their compliance mandates. They will ask us for evidence that we can provide them.

What is most valuable?

The analysis is the most valuable feature. People see it first and that is why they want in their enterprises, then they start explore the other features.

It provides a great visibility around the roots: Root implementing which can be done, roots that have changed, and what has been done. So, it's pretty useful when you have an audit going on. 

What needs improvement?

I would rate their reports as a four out of ten. I don't like the way that they are shown. It is too hard to export and send them to our clients.

We are switching to AlgoSec. It's a corporate decision. There's probably room for improvement. 

What do I think about the stability of the solution?

It is pretty stable. We have more issues with the VMs than with the software.

What do I think about the scalability of the solution?

We have not had any issues with scalability. When we needed more power, we just added a new server, and that was straightforward. So, it is pretty scalable. 

How are customer service and technical support?

I have not personally used Tufin's technical support.

How was the initial setup?

The last time that we initialed setup, it was straightforward. 

If you want to install a new root automatically using the tool, the change impact analysis capabilities are useful.

What about the implementation team?

We deployed it in-house. 

What was our ROI?

This solution helps us to reduce the time it takes to make changes (by 10 to 15 percent).

Which other solutions did I evaluate?

We are going to keep Tufin as is, but we are going to add AlgoSec. The prices are comparable. We have corporate pricing with AlgoSec. The ease of use of AlgoSec is one of the reasons why we considered using it.

What other advice do I have?

You need a product like this, but look at difference solutions in the market. I would rate it a seven out of ten.

We do not use the product across our entire network. We do not use the cloud native security features.

In the future, we will use the solution to check if a change request will violate any security policy rules.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
DM
Professional Services Engineer at a tech services company
Reseller
While the product was a little slow, it did look full-featured

Pros and Cons

  • "The initial setup was straightforward."
  • "I needed more help getting the product to work in the lab."

What is our primary use case?

Our primary use case for this solution is firewall remediation.

I didn't get very far with it because I didn't used Tufin in production, only during the evaluation phase.

How has it helped my organization?

I tested it for the change orchestration. That is what my evaluation recently was specifically for. While the product was a little slow, it did look full-featured. 

What is most valuable?

The firewall remediation and compliance pieces are the most valuable features. 

What needs improvement?

I couldn't get it to work in the lab, even with help, on multiple occasions, from one of Tufin's engineers. It was set up in my private lab per all their instructions, and I gave them control of the system. However, they were unable to make it install the policies to Check Point in an automated fashion. So, I unfortunately gave up on the proof of concept at that point.

What do I think about the stability of the solution?

In terms of stability, the version I tested in the lab was okay.

What do I think about the scalability of the solution?

I don't know about the scalability, as I never got it out a very small VM.

How are customer service and technical support?

Their technical support was okay. I needed more help getting the product to work in the lab. 

Which solution did I use previously and why did I switch?

We did not have an automated provisioning solution. At that time, all firewall changes were being implemented manually by administrators.

How was the initial setup?

The initial setup was straightforward. 

What about the implementation team?

I was working directly with Tufin's sales team and SEs.

Which other solutions did I evaluate?

We looked at AlgoSec and Tufin. However, we did not chose Tufin because of the issues.

What other advice do I have?

Check the product out for yourself.

I wasn't using it for visibility into my firewall infrastructure, because I have other avenues.

I wasn't using the compliance portion when I was testing it, only the orchestration.

I want to look at Tufin for remediation and compliance in the future.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PB
Security Architect at a manufacturing company with 10,001+ employees
Real User
Does not natively support all of the Check Point functions

Pros and Cons

  • "We've scaled it to hundreds of firewalls."
  • "It does not natively support all of the Check Point functions which is a big deal."

What is most valuable?

It is customizable.

What needs improvement?

It does not natively support all of the Check Point functions, which is a big deal. The solution doesn't recognize traffic and impede it.

What do I think about the stability of the solution?

We have had a ton of issues with stability. The database is weirdly designed. Things just go wrong with it where we have to call the tech guys. They come in and clean the database fairly regularly.

What do I think about the scalability of the solution?

We've scaled it to hundreds of firewalls. We haven't had a scalability issue. 

How are customer service and technical support?

If you don't buy their premium support, their technical support is not great and you can only call during daytime hours. So, we ended up purchasing their premium support.

Which solution did I use previously and why did I switch?

The reason that we purchased the solution is because of the visibility that it provides.

How was the initial setup?

The SecureChange implementation was straightforward. 

The SecureApp implementation was very complicated. The topology was so complicated that we threw it away after months of having Tufin people come out to try and make it work. 

What about the implementation team?

We bought deployment services from Tufin. 

What was our ROI?

We are seeing ROI in terms of having SecureApp. However, we made a significant investment to get there.

What other advice do I have?

The topology doesn't work and SecureApp doesn't seem to be a strategic product for Tufin anymore. Proceed cautiously with that in mind.

I would rate their SecureChange an eight out of ten. I would give their vision an eight, but for their execution I would give a three out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MM
Technical Team Lead at Paragon
Real User
We have a better view of our compliance status

Pros and Cons

  • "We have a better view of our compliance status."
  • "It is very easy to use. We can get results back quickly."
  • "We found some bugs on the software, but we're working with tech support to fix them."
  • "I would like an improved reporting module which can be flexible (custom reports) and allow us to generate our own reports, because the data is already there."

How has it helped my organization?

We have a better view of our compliance status. Most of our network is on-premise, so we don't have a cloud. We don't have a hybrid network, but it provides visibility for what we do have right now.

What is most valuable?

The USB is its most valuable feature. Inside of Tufin, we plan to leverage the USB in solutions.

The change workflow process is flexible and customizable.

It is very easy to use. We can get results back quickly.

What needs improvement?

I would like an improved reporting module which can be flexible (custom reports) and allow us to generate our own reports, because the data is already there.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It has been very stable since 2017. We haven't had any power problems. As far as hardware goes, it's been very stable. As for software, we found some bugs, but we're working with tech support to fix them, which is normal.

What do I think about the scalability of the solution?

The scalability is very good. Hopefully, this year we are planning to add more entities with our custom platform. The more controller options would be something which will provide more flexibility.

How was the initial setup?

The initial setup was very straightforward.

What about the implementation team?

We used a boutique software with services at the time. For most of our onboarding, we did everything ourselves.

Which other solutions did I evaluate?

We also looked at AlgoSec and FireMon.

We did look at less expensive solutions than Tufin, but being a corporation, this solution made sense.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
RP
Chief Information Security Officer at a tech services company with 1,001-5,000 employees
Real User
We are able to stay compliant with many of the regulations

What is our primary use case?

We do firewall reviews on a quarterly basis.

How has it helped my organization?

It provides me great insight into my firewalls across my organization. We are able to stay compliant with many of the regulations. 

What is most valuable?

The rules, as they change over time, are the most valuable feature. Its capabilities help me grow trust back and have less in-depth experience to go faster.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It is very scalable.

How are customer service and technical support?

The technical support has been on point.

Which solution did I use previously and why did I switch?

The previous solution was all manual.

How was the

What is our primary use case?

We do firewall reviews on a quarterly basis.

How has it helped my organization?

It provides me great insight into my firewalls across my organization.

We are able to stay compliant with many of the regulations. 

What is most valuable?

The rules, as they change over time, are the most valuable feature.

Its capabilities help me grow trust back and have less in-depth experience to go faster.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It is very scalable.

How are customer service and technical support?

The technical support has been on point.

Which solution did I use previously and why did I switch?

The previous solution was all manual.

How was the initial setup?

There was some complexity during the initial setup, but otherwise, it was fairly straightforward.

What about the implementation team?

I used a partner for the integration, who was very good to work with.

What was our ROI?

Our engineers are spending less time on manual processes: 20 to 30 hour plus.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Davison Marques
Regional Manager at a tech services company with 11-50 employees
Real User
The product is flexible and the visibility is fantastic

How has it helped my organization?

The solution helps us meet our compliance needs.

What is most valuable?

The visibility is fantastic. The product is flexible.

What do I think about the scalability of the solution?

The scalability is the best.

Which solution did I use previously and why did I switch?

We previously used a different solution. We switched because of the value the solution could provide us in conjunction with Check Point.

How was the initial setup?

The initial setup was complex. We have a big environment which contributed to the setup's complexity.

How has it helped my organization?

The solution helps us meet our compliance needs.

What is most valuable?

The visibility is fantastic.

The product is flexible.

What do I think about the scalability of the solution?

The scalability is the best.

Which solution did I use previously and why did I switch?

We previously used a different solution. We switched because of the value the solution could provide us in conjunction with Check Point.

How was the initial setup?

The initial setup was complex. We have a big environment which contributed to the setup's complexity.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
SK
Senior Network Engineer at a financial services firm with 1,001-5,000 employees
Real User
SecureChange makes our lives easier with automation

Pros and Cons

  • "SecureChange makes our lives easier with automation."
  • "We will be using the appliance based product, which cannot be scaled as much. It is a limitation in the hardware."

What is our primary use case?

Tufin is the product which we do our compliance under. That's one of the requirements. We also do change control tracking: who does what and the impact. 

The users have reports for best practices and clean up.

The primary use case going forward will be automation, changing the internal process by trying to eliminate human errors.

How has it helped my organization?

Change management tracking is important: Who does what when. We know if something happens by checking the reports and comparing. We know exactly what mistakes were made and corrections. 

In a financial organization, there are so many approval processes. At the designing levels, you can add any number of layers (for approval/decline), add qualifications, and traffic flow analysis.

Because it is a predefined customized, we can define whatever we want it to be and add the exceptions.

What is most valuable?

SecureChange makes our lives easier with automation. 

It provides a granular report, like what is there or not and what is required or not in the clean up. This makes our lives operationally easier. 

It is very easy to learn and is user friendly. The GUI is user-friendly.

What needs improvement?

I'm looking for the backup change. I want a predefined backup plan.

For how long have I used the solution?

Still implementing.

What do I think about the stability of the solution?

The stability is a pretty standard. It is working, and not like other products where it is breaking the system. It is pretty stable.

What do I think about the scalability of the solution?

We will be using the appliance based product, which cannot be scaled as much. It is a limitation in the hardware.

How are customer service and technical support?

The technical support is very good and helpful. We have not encountered that many issues in any one place. 

How was the initial setup?

The initial setup was very straightforward because the documentation was straightforward.

What about the implementation team?

We did it ourselves. Tufin support helped us with the configuration.

Which other solutions did I evaluate?

We are also evaluated Skybox and AlgoSec.

Tufin is meeting one of our requirments, which is why we are looking to the future with the product.

What other advice do I have?

There is room for the product to grow.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
FG
IT Manager at a financial services firm with 10,001+ employees
Real User
Helps us meet our compliance mandates and has excellent visibility

Pros and Cons

  • "It has helped us to meet our compliance mandates. We have some requirements that we need to provide more visibility on the risk levels of our firewall base and Tufin helped us with that requirement."
  • "I would like to see an improved reporting model that can be flexible for us to generate our own reports. The data's already there."

What is our primary use case?

Our primary use case if for risk compliance. 

How has it helped my organization?

The change workflow process is flexible and customizable. 

It has helped us to meet our compliance mandates. We have some requirements that we need to provide more visibility on the risk levels of our firewall base, and Tufin helped us with that requirement. 

What is most valuable?

The USB is the most valuable feature for us. Inside of Tufin, we are planning to leverage the USB solution.

The visibility is excellent. We have a better view of our compliance status. 

What needs improvement?

I would like to see an improved reporting model that can be flexible for us to generate our own reports. The data is already there. 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It has been very stable since 2017. We haven't had any power problems. As far as hardware goes, it's been very stable. In the software, we found some bugs, but we're working with support to fix them.

What do I think about the scalability of the solution?

Scalability is very good. We are planning to add more entities this year. 

How are customer service and technical support?

Technical support is satisfactory at the moment. 

How was the initial setup?

The initial setup was very straightforward. 

What about the implementation team?

We did most of the onboarding ourselves. 

Which other solutions did I evaluate?

We also looked at AlgoSec. 

I was part of the decision-making process.

What other advice do I have?

I would rate it an eight out of ten. It's very easy to use and you can get good results very quickly. 

We don't use the cloud native security features yet.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CM
Manager at a manufacturing company with 10,001+ employees
Real User
Enables us to automatically check if a change request will violate any security policy rules but they should get rid of the REST APIs

Pros and Cons

  • "The change workflow process is flexible and customizable. We have one guy who has never logged into Tufin ever in his life. He sits down and in 30 minutes had written an automation routine, then went back and changed it. He did that with no training. For me, that is a major benefit."
  • "I would like to see them get rid of the REST APIs and use something more modern."
  • "I would also like to see them do more cloud integration within the Tufin Orchestration Suite, not within a SaaS solution."

What is our primary use case?

Our primary use case is for automation and orchestration.

How has it helped my organization?

We use Tufin to automatically check if a change request will violate any security policy rules. One of the things we want to do is to have a blacklist/whitelist policy. A blacklist of things that can never be allowed and a whitelist of things which are always allowed. I want this tool to block or report ports that should not be used, putting somebody in a change. In addition to that, I want it to be able to block people from mapping IP addresses in North Korea, Iran, or whatever is on the blacklist.

Our corporate policy mandates that we can only make changes to our firewalls daily. Once we get ServiceNow integrated with our whitelist policy, Tufin should be able to initiate the change and get us to reduce time.

It should help us meet our compliance mandates going forward. It is replacing AlgoSec.

What is most valuable?

The ease of use is the most valuable feature. 

The change workflow process is flexible and customizable. We have one guy who has never logged into Tufin ever in his life. He sits down and in 30 minutes had written an automation routine, then went back and changed it. He did that with no training. For me, that is a major benefit.

The two reasons that we wanted Tufin

  1. The single pane of glass, so our Tier 1 and Tier 2 could make changes.
  2. The network mapping which is something that we have never had before.

What needs improvement?

  • I would like to see them get rid of the REST APIs and use something more modern. 
  • I would also like to see them do more cloud integration within the Tufin Orchestration Suite, not within a SaaS solution. 
  • I would like them to move their community support off of Google and onto something more long-term.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

So far, stability has been good. 

What do I think about the scalability of the solution?

It has already pulled in all our Layer 3 switches and routers across the company.

I don't know if I can expand on the cloud yet.

How are customer service and technical support?

We bought premium support. I have heard from my team that they are great. 

Which solution did I use previously and why did I switch?

We switched from AlgoSec because they had horrible customer support, and difficult change management and processes. 

How was the initial setup?

The initial setup was very straightforward. It was done in five days, which is pretty cool.  

What about the implementation team?

We used Tufin for the deployment. We had a positive experience with them. 

Which other solutions did I evaluate?

We compared AlgoSec, Tufin, and Skybox side-by-side. Originally, the team chose Skybox. They threw in what a lot of other groups had wanted, like the network team, security team, and DevOps team. When I sat them down (because I voted Tufin), I asked them why and they gave me all of the explanations that were all somebody else's reasons, not ours. I told them that this tool is for us and we needed a true orchestration automation tool. Not one that supports everyone else's automation, and we need one for firewalls.

What other advice do I have?

I would rate it a seven out of ten. 

I would advise someone considering this type of solution to not listen to the sales teams among the competitors. They all throw each other under the bus and a lot of it is not true. Tufin's competitors will tell you how bad of a company that Tufin is and how you can't trust them, and how their stuff doesn't work. Then, Tufin doesn't say anything bad about their competitors. So, don't trust everything that you hear. 

Do your own research. Do a proof of concept. Get all of the vendors in. Give it a month to test drive. Set it up and let them prove it out. In the end, the correct tool, not the better salesman, will win.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Samuel Taxis
Information Security Engineer at a tech company with 1,001-5,000 employees
Real User
Reduces the time it takes to solve a problem, which reduces the time of an outage

Pros and Cons

  • "My team uses it heavily to audit the changes made by junior engineers, going back and figuring out what they messed up, and correcting their mistakes. We generate reports for customer compliance and audits, as well as for regulatory audits."
  • "The reports could be easier to read and more customizable. Also, capturing some of the different versions, and being able to dig through them could be a bit better."

What is our primary use case?

Our primary use case is for change audit.

How has it helped my organization?

My team uses it heavily to audit the changes made by junior engineers, going back and figuring out what they messed up, and correcting their mistakes. We generate reports for customer compliance and audits, as well as for regulatory audits.

We use it to generate reports that we are in compliance, but don't necessarily use it to mitigate any compliancy requirements then only to report on them.

What is most valuable?

The historical reporting is the most useful feature that I use the most often. 

For what we use it for (change auditing), the visibility works great.

What needs improvement?

We don't have any issues with it, but the reports could be easier to read and more customizable. Also, capturing some of the different versions, and being able to dig through them could be a bit better.

What do I think about the stability of the solution?

The stability works, for what we've been using it for. The system has been up and running for at least a year and a half without any issues. The only time we do anything with it is when we upgrade it or patch it, but we have never had any performance issues or it falling over.

What do I think about the scalability of the solution?

The way we deployed it is sufficient for what we're using it for. We haven't really had to scale it.

How are customer service and technical support?

We tend to not have any issues with it, so we don't need to use support very often. For what we are using it for, it does exactly what it is supposed to, and we don't have any issues with it. 

We did contact technical support when we had an appliance, then we migrated it over to a VM and it was moving some of the data from the old code format to the new one. We have also had upgrade problems with it randomly breaking on us. 

My team has had a pretty good response from the technical support.

Which solution did I use previously and why did I switch?

We had a bunch of issues with junior engineers causing problems and people not knowing what was changed or what happened. We needed a solution that produced very easy to understand and quantifiable change reports. 

We had a home-built solution before Tufin had maintenance issues because it was our own,  and we had support issues with it. It sometimes worked, and sometimes didn't work. Tufin was a very easy shoe-in replacement for that solution.

How was the initial setup?

The setup was pretty straightforward. The documentation was pretty clear in terms of what you had to do. It was just the case of executing it.

What about the implementation team?

We deployed it ourselves. 

What was our ROI?

For our numerous cases where outages had been caused by engineering errors, our ROI is in the ability to quickly go and see what the person did and fix it. Tufin reduced the time it takes to solve a problem, which reduces the time of the outage. It does have a cascading effect, but I can't quantify it to dollar amounts.

Which other solutions did I evaluate?

It has been a few years since I've looked at anything else.

What other advice do I have?

I would rate it a seven out of ten mainly because it does everything really well. In general, it still does what it's supposed to do, and we don't have any issues with it. 

I would advise someone considering this solution to know exactly what you need before you start the process. Be very thorough, because the devil is in the details and you need to know exactly what you want and need. Then you'll be able to tell which solution is better, and which one gives you the better return on investment. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JR
Security Engineer at Allegiant Air
Real User
The revision reports are phenomenal, as they really help us to see what was changed and when

Pros and Cons

  • "Tufin is our audit trail for all changes. We have to be PCI compliant, and it's the tool we go to for enforcing PCI on the network side."
  • "I would like to see more expansion into the cloud and documentation needs improvement. When I try to do something new in the product, the documentation is no help. Something's written there, but it's not enough to help you do what you want to do."
  • "The policy browser has had trouble working. We have experienced bugs."

What is our primary use case?

We use Tufin for two purposes: 

  1. To track all changes on our network equipment, our Cisco gear, F5s, and Check Point. 
  2. We use SecureChange. So, we submit any firewall change through SecureChange, then we use that for the approval process. We are trying to have it end-to-end, where it provisions the device, but we're not there yet. 

How has it helped my organization?

Tufin is our audit trail for all changes. We have to be PCI compliant, and it is the tool that we go to for enforcing PCI on the network side.

The change workflow process has customizable and functional for us.

It has helped us meet our compliance mandates.

What is most valuable?

The revision reports are phenomenal. They really help us out to see what changed, when, and who, most importantly. Some of the other reporting that we audit and clean up have been really valuable for us. 

The visibility is great. We have found the policy browser to be very useful. It is a fairly new feature. 

What needs improvement?

I would like to see more expansion into the cloud and documentation needs improvement. When I try to do something new in the product, the documentation is no help. Something's written there, but it's not enough to help you do what you want to do. We would like more examples and use cases.

The cloud is fairly new to Tufin. We have AWS. Their first steps into providing audits on the cloud have been really helpful, but we ourselves don't know how we're going to manage the cloud. One of the features that we didn't like is the controlling of the security groups. We can read them but there's no way to change them or to really control them through Tufin. That would be a nice addition.

We are currently working on a bunch of automation to include Tufin. We need security group management (security group modification for Cisco devices). That is what we need from Tufin going forward. We can't go live with the total automation because there are pieces missing, e.g., you cannot update the service group.

What do I think about the stability of the solution?

It has been very stable. Though, the policy browser has had trouble working. We have experienced bugs.

What do I think about the scalability of the solution?

We have a lot of devices on it now.

How are customer service and technical support?

The technical support is hit or miss. More miss than hit. It takes them awhile to understand what the issue is. They don't know where to go in the product right away. A lot of stuff gets escalated to R&D, and even that is a very slow process. When it goes to R&D, it's really slow. We've had the same issue for months. They say it'll be fixed in the next release, then we'll get the next release, and it's even worse.

What about the implementation team?

We deployed it ourselves.

What other advice do I have?

We are really interested in the Tufin Orca product.

  • For visibility in the network, I would rate the product as a nine out of ten. 
  • For usability, I would rate the product as a seven out of ten. 
  • For liability, I would rate the product as a nine out of ten. 
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SB
Senior Consulting Manager at a tech services company with 10,001+ employees
Real User
Ensures the security policy is followed across our entire hybrid network, but there are a lot of improvements which can be done in terms of visibility

Pros and Cons

  • "Tufin has improved my organization with its configuration management. It has tremendously improved the operation's success and has made life easier."
  • "I don't get the full visibility. There are a lot of improvements which can be done in terms of visibility."

What is our primary use case?

Our primary use case is configuration management and change management.

How has it helped my organization?

Tufin has improved my organization with its configuration management. It has tremendously improved operation's success and has made life easier. 

It has also increased the amount of gateways there, which has really helped us. Information is readily visible.

Tufin has ensured that the security policy is followed across our entire hybrid network in the way that it has given us what is in place now. We're trying to impose the security policies of the organization. There is still time to get in there.

What is most valuable?

  • Configuration management
  • Change management

What needs improvement?

I don't get the full visibility. There are a lot of improvements which can be done in terms of visibility.

We have had challenges implementing the change workflow process. We were trying to do and end-to-end automation part and standard services, like Active Directory, through a couple of customers and internal applications. We had challenges that we couldn't overcome, even with help. We are still trying to achieve this.

Change management is something which is currently difficult. It should work seamlessly, not have too many integration points. It should be simple.

What do I think about the stability of the solution?

Stability is good, so far it hasn't given us any trouble.

What do I think about the scalability of the solution?

We've never really had the opportunity to check the scalability. Our company's growth at the moment is stagnant and normal.

How are customer service and technical support?

Their customer service is better than it used to be.

What about the implementation team?

We implemented through a consultant from Tufin, who was helpful.

What was our ROI?

We have seen ROI in operational aspects, in terms of how long it takes to resolve incidences which arise. 

What other advice do I have?

I would rate it seven out of ten. I would recommend Tufin if someone is considering it.

We are still in the process of phasing it in to help us with our compliance mandates.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
JS
Security Engineer at a manufacturing company with 10,001+ employees
Real User
We leverage the Unified Security Policy to automate some of our decision-making. The cloud-native security features are lackluster.

Pros and Cons

  • "It has allowed us to be more efficient in our processing of firewall requests."
  • "The change impact analysis doesn't even get close to actually solving our problems. I am not impressed with it."

What is our primary use case?

Firewall automation and orchestration.

How has it helped my organization?

It has allowed us to be more efficient in our processing of firewall requests.

We use this solution to automatically check if a change request will violate any security policy rules. Every change request has to go through a security approval step, but we also leverage the Unified Security Policy to automate some of that decision-making.

What is most valuable?

Workflows that help continue automation.

The change workflow process is flexible and customizable. Just about every step has some flexibility to it. While there is room for it to improve, it is very flexible to our needs.

What needs improvement?

The change impact analysis doesn't even get close to actually solving our problems. I am not impressed with it.

The solution's cloud-native security features are lackluster. They need to catch up to where the industry is at.

Our engineers still require quite a bit of manual digging to find the data that they need. It would be nice if the product would allow more flexibility around that and the workflow to present more data to correct this.

There are tons of things that the solution needs. They just need to prioritize them and get some of their customers satisfied.

What do I think about the stability of the solution?

It's not a very stable product. It doesn't stay up as often as I would like. It crashes at very inopportune times that we just can't afford.

What do I think about the scalability of the solution?

It is not very good. It scales but not eloquently. It is complex and not easy for our organization to stay on top of managing it.

How are customer service and technical support?

The technical support is okay. It's not the best, but it's not the worst.

Which solution did I use previously and why did I switch?

Tufin is our first solution of this type.

How was the initial setup?

It was pretty straightforward. It was not too challenging to get it going. This issue is just maintaining it.

What about the implementation team?

We worked with Tufin Professional Services to do some deployment. Most of it was internal, in-house customization and put together.

What was our ROI?

I have seen ROI with this product.

We've seen a decrease of about 50 percent in the overall time it takes to complete a firewall change.

Which other solutions did I evaluate?

We chose Tufin because its flexibility at the time was much greater than their competition.

We did not evaluate less costly solutions.

What other advice do I have?

While it has its highlights, it has deep issues that need to be addressed.

This solution help us ensure that security policy is followed across our hybrid network.

Our company doesn't really have federal or regulatory compliance requirements.

Spend a lot of time testing and doing a PoC for it, before you make the final decision to go for it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
QL
Senior Information Security Architect at First Citizens Bank
Real User
Provides a single pane of glass to see what all our different policies are doing

Pros and Cons

  • "One of the main things is to look at what policies haven't been hit, so we can remove those remnant policies when people come in, use it, and it's still left on the Check Point. So when a couple of users say, "This is not needed anymore." We'll remove it."
  • "We like the change impact analysis capabilities quite a bit. The only weakness is that the reporting is a bit clunky. We would like to have the reporting be better."

What is our primary use case?

We use it to manage our policies, consolidate them, and if we see anything missing, we can use it to track that, as well.

Right now, we're mainly on-premise. S,o the cloud piece is not being used right now. However, in the future, we will use it. I think it will help tremendously to get a good picture across the board.

How has it helped my organization?

One of the main things is to look at what policies haven't been hit, so we can remove those remnant policies when people come in, use it, and it's still left on the Check Point. So when a couple of users say, "This is not needed anymore." We'll remove it.

What is most valuable?

The capability to manage: We have different domains, so we want to have a single pane of glass to see what all the different policies are doing.

What needs improvement?

We like the change impact analysis capabilities quite a bit. The only weakness is that the reporting is a bit clunky. We would like to have the reporting be better.

Right now, it is being used retroactively. There was talk with the rep this morning that they can do this proactively. In other words, we see the policy, and if it's not needed, then it can be removed, or add new policies, as needed.

What do I think about the stability of the solution?

We feel that it is a very good solution. So, we'll probably use it going forward.

What do I think about the scalability of the solution?

This is one of the things that we do like about the solution, which is why we went with it.

How are customer service and technical support?

The technical support has been very good. I would like it to be a little faster, but it's good.

How was the initial setup?

There were some hiccups in the initial setup. In using the new features, there was a learning curve. However, for the most part, it was fairly straightforward.

What about the implementation team?

We hired people that have done the deployment in the past. So, we did it all ourselves.

What was our ROI?

Manually looking at the policies is very time-consuming. With this product, I think we've streamlined the process tremendously.

Which other solutions did I evaluate?

We like the visibility. That's why we went with this solution over other competitors.

What other advice do I have?

It does what it needs to do for our needs.

We are in the process of doing a PoC for the new changes.

Currently, it's all reactive. We do the changes, then we review it at a later time.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PD
IT Security Professional at a pharma/biotech company with 10,001+ employees
Real User
It provides good visibility because we have a lot of gateways globally, but the product could be more intuitive to use

Pros and Cons

  • "Tufin allows our say junior guys to learn how to view policies. It gives them a tool that will help them consolidate and optimize."
  • "It could be a little more intuitive."

What is our primary use case?

The primary use case is firewall management, consolidation, and optimization.

How has it helped my organization?

Our company has a grid, and there are different blocks of public domains and internal domains. It checks all that on our security grid. That has been customized by our administrator.

Tufin allows our say junior guys to learn how to view policies. It gives them a tool that will help them consolidate and optimize.

What is most valuable?

We use SecureChange. SecureChange is most valuable to me because I have customers out there that know the process now. 

It provides good visibility because we have a lot of gateways globally, so it consolidates them nicely.

What needs improvement?

It could be a little more intuitive. I haven't used it a lot, but it gives me the info I need, I just have to find it.

What do I think about the stability of the solution?

The stability is fine.

How are customer service and technical support?

I have not had to use the technical support. Maybe I should.

How was the initial setup?

I was not involved in the initial setup.

What was our ROI?

This solution helps us reduce the time it takes us to make changes. We're probably saving time by 25%.

What other advice do I have?

It is a really good product. It does exactly what you want it to do.

Get the training. I didn't get the training. I assume they provide training.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
John Fulater
Security Engineering at a financial services firm with 10,001+ employees
Real User
We can review rules and do searches, as it has its own database which pulls all the information in regularly

Pros and Cons

  • "We just got done with major audits. Tufin was able to provide information to give back to people, and say, "Hey, this is what I need to do, and what we're doing.""
  • "We were just talking to them about usage for the F5 platform. They will not be going after specific environments, but a more OpenAPI. They will have other companies write it, etc. It's a little different than I had expected."

What is our primary use case?

We use Tufin to do the review of rules, best practices, changes, and usage. So, it's an outside entity looking in to see what's happening on the rules sides. Then, we can do recertification for our rules, so they can be used again. Tufin puts it together really well, saying what's needed or not, then cleaning things up. We've been a customer for a very long time with them, and we're pretty pleased.

How has it helped my organization?

The solution's visibility is excellent for Check Point.

There's a new feature that validates standards. It allows the checks and balances against it, so it doesn't even go forward. It just says, "You're not right. Do it again."

We just got done with major audits. Tufin was able to provide information to give back to people, and say, "Hey, this is what I need to do, and what we're doing."

It's working on helping us meet our compliance mandates. We're a bank, so we're always chasing it, but it is helping us a lot. Rule recertifications are our biggest thing. However, what happens in the world of firewalls is people will put in rules to get what they need but don't ever clean them up when they stop using them.

What is most valuable?

The reporting is very good and provides in-depth knowledge for Check Point. We can write the rules as we see them. We can review rules and do searches. It has its own database which pulls all the information in regularly. This is very nice, and it is a good product for us.

I like the change impact analysis. It tells you what is going on,so you can review what has changed. In case you have to go backwards, and say, “Oops, that wasn't supposed to happen. How do I go get it?”

What needs improvement?

We were just talking to them about usage for the F5 platform. They will not be going after specific environments, but a more OpenAPI. They will have other companies write it, etc. It's a little different than I had expected.

What do I think about the stability of the solution?

It is a very stable product. 

What do I think about the scalability of the solution?

It has very good growth. The scalability is very nice. We're doing a distributed environment right now. So, it has met our needs, which is nice.

How are customer service and technical support?

The technical support has been excellent.

How was the initial setup?

We were the first North American company to do this product, a long time ago. So, I don't know how the initial setup went. It's been a while. However, every time we go back and do stuff, it has been a pretty straightforward installation.

What about the implementation team?

We used an integrator and professional services.

The overall experience was very good. I liked it.

What was our ROI?

We have seen ROI.

What other advice do I have?

Buy Tufin because it works! I love the product. It's been a great product to work with. The people are great, and the support is awesome. I have had no downside out of it.

We're just getting started on the change workflow. So, we're learning it, and it's working well.

It helps with our review process. We do a peer review, saying "Hi, here's all the changes," then you can look at it and go, "Oops I forgot something," or, "I don't think that was in any drop," and we can go back and review that. This is where it helps us minimizes errors. Before Tufin, we would not end up not catching these errors.

We are automating, so we are getting to a place where our engineers are spending less time on manual processes.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
OJ
Consultant at Sirius Computer Solutions
Consultant
It saves a lot of work, time, and effort required to do all of our manual work

Pros and Cons

  • "The automation because it is saving a lot of work, time, and effort required to do all of our manual work. The change impact analysis is pretty good, and with the automation, it takes care of a lot of things which we would be doing manually."
  • "The change workflow process is flexible and customizable to some extent, but there is room for improvement. In some cases, we've found it difficult to get the exact thing which we were looking for. Then, we end up having to go and do the thing manually."

What is our primary use case?

It's mainly for the automation of policies.

How has it helped my organization?

The visibility is pretty good because it's a cross-vendor platform, so it provides visibility across different vendors.

We use this solution to automatically check if a change request will violate any security policy rules. We have a huge policy base, and we have certain compliancy requirements which we have to meet for the rules that we have. If we are planning to have a change in the policy base which could possibly violate the compliancy requirements, then we'd get the help of the tool to alert us in a way, which would make us aware of that.

It makes us aware when there will be any compliance violations possibly, and we can pro-actively prevent those violations from happening.

What is most valuable?

The automation because it is saving a lot of work, time, and effort required to do all of our manual work. The change impact analysis is pretty good, and with the automation, it takes care of a lot of things which we would be doing manually.

What needs improvement?

The change workflow process is flexible and customizable to some extent, but there is room for improvement. In some cases, we've found it difficult to get the exact thing which we were looking for. Then, we end up having to go and do the thing manually.

I would like them to have more focus on the whole compliance across the globe, like PCI DSS. These things keep on updating very frequently. If they can be on top of it and keep updating more frequently, getting more updates, that would be something good.

What do I think about the stability of the solution?

It's very stable. We haven't encountered any major issues, so it's pretty good.

What do I think about the scalability of the solution?

It's pretty scalable. That's a good thing. 

How are customer service and technical support?

Sometimes the technical support is able to help us quickly, and sometimes it just goes on for quite some time. Something complex or a new functionality requirement takes time, but if it's something simple, then they're pretty quick to resolve it. 

What about the implementation team?

We didn't really do the deployment ourselves. So, it was someone else.

What was our ROI?

Tufin makes things a little easier. It lessens the amount of manual work which we have to do. It has a lot of benefits in terms of revenues, profits, employee costs, and operational costs. We have already seen return on investment.

The solution has helped us reduce the time it takes to make changes.

Which other solutions did I evaluate?

I also know that we evaluated AlgoSec.

What other advice do I have?

I would suggest looking at not just the features and functionality which are specific to the environment which you are working in, but to be aware of the other features which the product has to offer. Because companies grow and things change, so it's always good to have at least a complete idea of what the product does and how it does it.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
SM
Security Analyst at a government with 1,001-5,000 employees
Real User
We are able to design and monitor different rule sets in the three different domains that we control

Pros and Cons

  • "Its ability to detect changes within our firewall."
  • "I would like a better reporting feature and automatic alerting based upon rule changes."

What is our primary use case?

Our primary use case is firewall monitoring, rule changes, and logging.

How has it helped my organization?

The change work flow process is flexible and customizable. We found it pretty easy, particularly when we were implementing new rules and with our cleanup. We found that the rule change was fairly easy to implement.

It has allowed us to monitor rule changes. This way we know exactly what would happen behind the scenes in the event of an after-hours change.

What is most valuable?

Its ability to detect changes within our firewall.

What needs improvement?

We had some issues initially with the initial reporting and alerting system.

While the visibility was pretty good initially, we have had issues with configuring and reporting.

I would like a better reporting feature and automatic alerting based upon rule changes.

Our engineers still have plenty of manual processes to work with.

What do I think about the stability of the solution?

The product seems stable from when we implemented it at the time.

What do I think about the scalability of the solution?

We're pretty small scale, so I don't know how much larger it would go. We're about a 4,000 device network.

How are customer service and technical support?

I haven't interacted with the technical support.

How was the initial setup?

The initial setup was straightforward, but then it became complex due to our rule set.

What about the implementation team?

We used a reseller, who was fine to work with.

What was our ROI?

The solution has helped reduce the time it takes us to make changes. It helps make overall integrated changes immediately. It allows us to cut down at least a few hours in the week in regards to changes and monitoring.

What other advice do I have?

Really dig deep and understand your use cases, then what exactly you're looking for out of the solution.

It has allowed us to maintain particular rules in regards to CJIS and HIPAA compliance.

We have multiple networks connected to this solution. So, we are able to design and monitor different rule sets in the three different domains that we control.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ST
Network Security at a tech services company with 5,001-10,000 employees
Real User
We can have automated reports, even with security and compliance

Pros and Cons

  • "We can get reports with Tufin at anytime. We can have automated reports, even with security and compliance."
  • "I would like to simplify the reports, and maybe have another view besides the charts. Possibly they could be more graphical."

What is our primary use case?

The primary case is to get more compliance and security with good performance. We use Tufin to use some Check Point products. The product is for the way we manage our security, performance, and boxes.

How has it helped my organization?

The change impact analysis has been very good. We continue to improve. 

The change workflow process is flexible and customizable. Right now, we are using SecureChange, which is improving the rules that get applied to Check Point.

We use the solution to automatically check if a change request will violate any security policy rules by generating a Sunday email report in these type of situations.

Using the Tufin reports, for internal and external audits, is a way we can demonstrate how we made compliance. After any of the observation that we get from the audits, we just run the reports one more time to see if our changes are being successfully applied and everything is working according to the requirements.

Tufin has been very helpful to get a lot of groups changed and getting all the information inputted on a tool, then later to applied on the device. 

What is most valuable?

We can get reports with Tufin at anytime. We can have automated reports, even with security and compliance.

The visibility is very good, as it incorporates graphics with some charts and comparisons. So, we have very good visibility for the entire tool.

What needs improvement?

I would like to simplify the reports, and maybe have another view besides the charts. Possibly they could be more graphical.

I would like to see them continue improving the versions.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The stability has been improved, even person by person. It is even stronger in a way.

What do I think about the scalability of the solution?

The scalability is according to performance that we are experience. Therefore, we are getting more devices on this tool, so it has been very helpful for us.

How are customer service and technical support?

I haven't used their technical support.

How was the initial setup?

The initial setup was very simple. We could obtain deep knowledge information from Tufin's knowledge base (KB).

What was our ROI?

The solution has helped us to reduce the time it takes to make changes. With Tufin, it takes ten to 15 minutes. Before, it was 30 minutes or more.

What other advice do I have?

I would recommend Tufin. They are very helpful for IT organizations, as they continue improving SecureChange.

With our security plan, we can see how Tufin meets the basic requirements. Then, we can go and customize if there is any risk, which might be interfering with ports or external networks.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
BN
Network Security at a insurance company with 1,001-5,000 employees
Real User
The product streamlines our change management process

Pros and Cons

  • "The product streamlines our change management process."
  • "The product is good at auditing the changes that we make in our environment."
  • "There were some hiccups here and there with the initial setup."

What is our primary use case?

The primary use case is for firewall auditing. We use it for audit monitoring, login changes, and firewall changes. We are looking at automation, but not yet.

How has it helped my organization?

The product is good at auditing the changes that we make in our environment.

We use this solution to automatically check if a change request will violate any security policy rules. For example, if the engineer is making a change that hasn't been authorized, we will know about it.

The product streamlines our change management process. It assists us in reporting on some of the compliance for our auditing department. It helps us in managing the process and having some auditing capabilities.

What is most valuable?

  • The reporting is its most valuable feature.
  • The change impact analysis capabilities of this solution are good. 
  • It is able to detect our changes, email, and alert us.

What needs improvement?

There are features that we haven't used, and we need to understand them first.

What do I think about the stability of the solution?

Product seems to be stable. We haven't had any outages yet.

How are customer service and technical support?

I personally haven't called into support yet, but some of my peers have. They seem to get their questions resolved.

Which solution did I use previously and why did I switch?

We previously had FireMon, but FireMon kept giving us inaccurate information and not up-to-date information. Therefore, we thought we would try out Tufin, which has provided us with the information that we needed.

How was the initial setup?

There were some hiccups here and there with the initial setup, but we used Tufin's support to assist us with that.

What about the implementation team?

We deployed it in-house.

Which other solutions did I evaluate?

On the shortlist was AlgoSec, which was the only one that we actually tested.

Tufin and AlgoSec were pretty much in the competitive price range, but this one provided us better integration into the Check Point environment.

What other advice do I have?

Seriously Tufin for your final decision.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Shawn Babinyecz
Cyber Security Engineer at a healthcare company with 10,001+ employees
Real User
It has very good visibility with all our devices

Pros and Cons

  • "We find it to be flexible. If we have a change that needs to be done, it will go ahead and do it for all our devices, regardless of the manufacturer that we have associated with it."
  • "I would like easier integration with more automation."

What is our primary use case?

Our primary use case is firewall management and policy management.

How has it helped my organization?

It has very good visibility with all our devices. We can see how they interact with each other, and if we're doing the right things or not.

We find it to be flexible. If we have a change that needs to be done, it will go ahead and do it for all our devices, regardless of the manufacturer that we have associated with it.

We are still in the beginning phases of it, but we're hoping that it can change how all of our policies are determined and implemented.

What is most valuable?

The most valuable feature is the consolidation of firewall products.

The change impact analysis capabilities of this solution are pretty good. We like the product a lot.

What needs improvement?

I would like the following additional features:

  • Easier integration with more automation.
  • Ability to get better results from rule-based requests.
  • Ability to do some policy browsing and find out where they're hitting, specifically.
  • Ability to pull hit count reports more easily. 

For how long have I used the solution?

Still implementing.

What do I think about the stability of the solution?

It's pretty stable. I haven't had any issues with it.

What do I think about the scalability of the solution?

The scalability is pretty good. All we have to do is just add another device and buy another license. It seems pretty straightforward.

How are customer service and technical support?

I personally haven't worked with them, but I've heard good things about how responsive they are. They've always been able to find the answer that we needed.

Which solution did I use previously and why did I switch?

We had no solution previously. So, we needed something that would help make our decisions on better securing our network.

How was the initial setup?

The initial setup was straightforward. It was very easy to setup and integrate. We had no issues.

What about the implementation team?

Most of the work was done by us. However, we worked closely with Tufin support, and we have good things to say about that.

Which other solutions did I evaluate?

We also evaluated FireMon. We did not go with them because the solution was not as easy to install or incorporate in our organization. To us, Tufin just seemed to be the better product.

What other advice do I have?

It's very solid product. There are definitely a few things that I wish I could do with it, but I'm so new to the product that maybe I'm just not looking at the right spots.

Try it out. It's pretty cool. I was very impressed with the initial presentation and how it could automate everything. It's just that getting to the point where you want it to do what you need it to do is definitely time-consuming and a lot of work. However, I think it will be worth it in the end.

We are working to use this solution to automatically check if a change request will violate any security policy rules. We are not there yet.

We are still in the process of getting it developed. Some of the portions that I have used have helped me, as I can just go to one place and find out if a rule exists, or if there's any type of traffic.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JD
Network Security at a transportation company with 10,001+ employees
Real User
The change impact analysis capabilities of this solution are good

Pros and Cons

  • "The visibility is very good. We have managers who are overseeing it, and they are approving things through it."
  • "The hardest piece is getting the matrix built."

What is our primary use case?

We are using SecureChange to start orchestrating a lot of our changes. Our users can then request changes instead of having to go directly to us. We are trying to automate some of those pieces.

How has it helped my organization?

The visibility is very good. We have managers who are overseeing it, and they are approving things through it.

The whole process is flexible and customizable. We are building the matrix, then we're putting in exceptions. We have to add manual exceptions into it, and they have to come to us first before they can get it approved, which is good.

We use this solution to automatically check if a change request will violate any security policy rules. Similar to what we are doing with Azure, where they request a change, and if it violates policies, it gets kicked back. Then, we have to review it and figure out what they're doing. We can then move forward with it, if it's approved.

What is most valuable?

  • The Orchestration
  • The way that users can access it directly.
  • The change impact analysis capabilities of this solution are good.

What needs improvement?

  • The hardest piece is getting the matrix built.
  • Room for improvement includes how we are pulling the routing cables and getting SNMP enabled.
  • Tufin could provide a train for running its reports and showing people how to use them.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The solution is very stable. We've upgraded several times and not had any issues. For stability, it's perfect.

What do I think about the scalability of the solution?

We're in the process of scaling it. We started off small, and now, we're enlarging it to cover more of the enterprise. The scalability is good.

How are customer service and technical support?

I haven't used technical support. My colleague has, and they are very good. They work through solutions.

How was the initial setup?

The initial setup was pretty straightforward. It communicating with the firewalls and management server were the big pieces.

What about the implementation team?

Well when we first started, it was through a reseller. Then, as we're bringing in SecureChange, we have been doing it all that ourselves.

The reseller was Structured Communications, who is in Portland. It was part of a package deal that we built with them. Our experience with them was good. We used them a lot.

What was our ROI?

We don't have to go through our firewall group, who actually does the rules. They don't have to create tickets to send to us, then take a couple of days to get all that stuff built and put in place. Now, it is usually the same day, or within a day.

This solution helped us to reduce the time it takes to make changes. We used to spend up to an hour to do a change, and now, it's around five minutes.

Engineers are spending less time on manual processes. They are now spending half their time on manually processes, 20 to 30 minutes, because we don't have to go out and touch things anymore.

We're still in the process of implementing things, so we haven't really seen a lot of return yet, but we're hoping.

What other advice do I have?

It is a good solution, somewhat easy to implement, and gives you a lot of information. It takes time to learn all the little nuances of it.

I don't think we're using cloud native security quite yet.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Valentino Kusmic
Owner at Concepts Solutions Informatiques
User
The designer gives the ability to know where to add a rule or if a rule is already in place

Pros and Cons

  • "The designer gives the ability to know where to add a rule, or if the rule is already in place."
  • "It would be great to add a link to Visio to create shapes directly from Tufin, as it has the configuration."

What is our primary use case?

Firewall policy management over all firewalls from one single point. We browse policies, objects, and their usage. The report gives us an image of where risks are.

How has it helped my organization?

We now spend less time auditing rules with reports: 

  1. The designer helps us in creating rules
  2. It tells us what rule is missing and where to put it. 
  3. The predefined reports are then sent to administrators.
  4. It provides an exact image of how to improve security.

What is most valuable?

  • The policy browser gives the ability to browse all firewalls from a single point. It's possible to see where an IP is inserted in rules. 
  • The designer gives the ability to know where to add a rule, or if the rule is already in place. 
  • The reports are personalized now and the cleanup is helpful for administrators.

What needs improvement?

It would be great to add a link to Visio to create shapes directly from Tufin, as it has the configuration. 

For how long have I used the solution?

Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MT
Network Engineer at a tech services company with 11-50 employees
Consultant
Enables us to query the rules and understand in which files the rules are configured

Pros and Cons

  • "Valuable features include a central pane of management for all the firewalls and the ability to do queries on the rules and understand in which files the rules are configured."
  • "It needs better reporting with more graphics and more pie charts, so management can understand details. The reports that are done now are full of data and management would like to have an image to help understand, right away, what the reports are saying."

What is our primary use case?

We use it for compliance, and the performance is good.

How has it helped my organization?

Before, we had to manage each file individually. Now, they can all be managed as a single entity.

What is most valuable?

  • Central management for all the firewalls.
  • The ability to do queries on the rules and understand in which files the rules are configured.

What needs improvement?

It needs better reporting with more graphics and more pie charts, so management can understand details. The reports that are done now are full of data and management would like to have an image to help understand, right away, what the reports are saying.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

Stability is good.

What do I think about the scalability of the solution?

Scalability is good.

How is customer service and technical support?

I have been in contact with technical support. Sometimes they are slow but they get to a solution.

What other advice do I have?

Plan ahead because the implementation of Tufin is hard if you don't have an idea of what you want to do. Without a plan, it will be hard to get it working.

When I'm selecting a vendor, I read the opinion of other people who use the product. I want to learn if it is buggy and if it is doing what people need it to do.

I rate Tufin at about eight out of 10 because they really need to improve the reporting.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MT
Network Engineer at a tech services company with 11-50 employees
Consultant
We are able to discover firewall rules that are too broad and widen the security footprint

What is our primary use case?

We were looking for a solution to provide firewall rule management that would enable us to choose which firewall rules to keep and which to eliminate.

How has it helped my organization?

Now we can confidently remove firewall rules that are not needed and make the configuration of firewalls more strict.

What is most valuable?

We are able to discover firewall rules that are too broad and widen the security footprint.

What needs improvement?

This solution would benefit from an improved reporting functionality with graphing so that reports can be presented to management.

For how long have I used the solution?

One to three years.

What is our primary use case?

We were looking for a solution to provide firewall rule management that would enable us to choose which firewall rules to keep and which to eliminate.

How has it helped my organization?

Now we can confidently remove firewall rules that are not needed and make the configuration of firewalls more strict.

What is most valuable?

We are able to discover firewall rules that are too broad and widen the security footprint.

What needs improvement?

This solution would benefit from an improved reporting functionality with graphing so that reports can be presented to management.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Founder at a tech services company
Consultant
The product suite itself brings together organizational units. They can have their own interface and ability to understand what different parts of the company are doing.

What is most valuable?

From my perspective, I think that it’s hard to break it down to a single feature. The visibility it gives and the customizability it provides is invaluable and the change automation is the most powerful capability, at least for now. The application awareness component is a close second. As more organizations adopt this revolutionary way of visualizing enterprise connectivity, SecureApp will fundamentally change the way connectivity is provisioned and decommissioned.

How has it helped my organization?

The product suite itself brings together organizational units. So when you talk about operations, development, management and auditing, all of these organizations have their own interface and abilitie to understand what different parts of the company are doing.

What needs improvement?

I think Tufin is continuously moving towards broader support for other platforms. Including a significant focus on the cloud. This approach is critical to the model of normalizing policy management across the environment - regardless of platform.

For how long have I used the solution?

We've used it for nearly eight years.

What do I think about the stability of the solution?

It's absolutely stable and this is why I always promote it. They have the finest set of coders and developers you can find.

What do I think about the scalability of the solution?

The distributed architecture capabilities allows this solution to scale to anybody’s needs.

How is customer service and technical support?

The support team is second to none. They have multiple offices in multiple countries. They're always available. I know the support teams and leaders personally and they are of great quality.

How was the initial setup?

It’s very easy to get up and running. With anything that is so feature rich and customizable, the installations range from a couple of days to more complex with many days and script writing. It just depends.

What's my experience with pricing, setup cost, and licensing?

Spend the time to evaluate all of the components of the Tufin suite. When you bundle different features together and you bundle components, you get a better price.

What other advice do I have?

We often find customers that have purchased this product for a specific purpose and they limit its use to only that purpose. Do yourself a favor and really explore the entire product and maximize the features and functionality of what you have purchased.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: I used to work for Tufin. My current company is a Tufin Partner.
it_user376773
Global Network Security Specialist at a pharma/biotech company with 10,001+ employees
Vendor
Object look-up is valuable. When someone needs to know about a particular endpoint, we only need to type in the IP address.

What is most valuable?

Following installation, we mentioned to the SE what ports were on the rule already, and he responded that those were the right ports. So immediately, Tufin already saved us work. And there was already traffic to the destination of a requested rule that needed to just be added to another group. Previously, we would have had to make a new rule and type in the source destination ports. With Tufin, however, the group already existed and we just needed to add it to another group.

Object look-up is also valuable. When someone needs to know about a particular endpoint and what's allowed to it, we only need to type in the IP address and are then able to see every rule associated with that address line by line.

How has it helped my organization?

From the very beginning, Tufin has kept our rule set compact so that we don't have to keep stacking up rule after rule. We still have to analyze and find rules that are too open, but it helps use make the right rules in the right places.

It's also a huge deal to us to be able to see the configurations as they change over time, and to know which firewall is responsible for which segments. It allows us to look at all our firewalls at the same time and not have to SSH one after another. We've got it all right there with Tufin -- one pane of glass that shows us everything.

With new engineers to the company, I pull them aside and show them Tufin. Within one hour, they have all the information they need to start creating firewall rules. It's incredibly easy to use. I can't imagine life should it if it should go offline. It's made a huge difference for us.

What needs improvement?

I'd like to see code provisioning.

For how long have I used the solution?

It's been up for two years.

What was my experience with deployment of the solution?

We had no issues with deployment.

What do I think about the stability of the solution?

I believe we had one reboot due to a code upgrade. This was only a single incident.

What do I think about the scalability of the solution?

Our current machine handles all firewalls for one of our business units. We're at a point where we've ordered a larger one to handle 200 firewalls. We'll take the smaller one to have an additional collector. The scalability is very good.

How is customer service and technical support?

Customer Service:

Excellent.

Technical Support:

These guys have been amazing. They will work tirelessly. I've only had a few calls, but every time I've had a call, the answer came through in a timely fashion and we got things sorted out. Usually it was user error, they told us, and they didn't lecture us about it.

How was the initial setup?

We simply turned it on, gave it an IP address, and logged into that IP address. Getting it set up with other firewall was straightforward, as was setup for interoperation with Active Directory. We now have group-managed logins.

Which other solutions did I evaluate?

We looked at FireMon because it's able to analyze rules. But for daily, operational stuff, such as finding rules that already exist and which firewalls are involved, Tufin is much easier and more efficient to use. It was a no-brainer.

What other advice do I have?

It already does traffic analysis and secure change. We've got the secure app so we can keep track of the business critical things. They shouldn't change that. I love the left-hand pane, and being able to navigate that and being able to see things in the split pane on the right-hand side. There are other vendors out there who will decide I need to just have everything at the top and scroll down.

The best thing to do would be get all your firewalls in there and let it bake overnight. It does take some time to collect the data in the config files. Once that's done, teach your help desk staff and the firewall operators how to use this to look up existing conditions and to determine right away whether a rule needs to be made, or whether a group needs to be added, or whether the rule already exists.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489207
Security Architect at a healthcare company with 1,001-5,000 employees
Vendor
Improved policy management. With SecureTrack, I can track the policy and find all the policies that we're not using.

Valuable Features:

Policy management.

Improvements to My Organization:

A lot of policy is legacy. With SecureTrack, I can track the policy and find all the policies that we're not using. Basically, we create a process out of it and actually get rid of those legacy policies.

I don't have a real idea of how many policies we’ve found, but the outcome for that policy management is usually better for our file work because it runs much more smoothly because of less policy, less memory usage, and less CPU.

We try to make the file work much more efficient. We also do auditing for file work, such as who made changes on the file work. You can use it for accountability, if needed. 

We also use some of the compliance features. We define policy on what is compliant. If anyone tries to create certain stuff that is not compliant, we get notified. I haven't fully utilized Tufin yet and I'm working toward that area. Hopefully I can give it a higher rating as we explore more functions. We know the capability; we just need to get to that point. If we reach that point, it'll be much better actually. We’re just not there yet.

Room for Improvement:

We’re hoping to be able to share the data Tufin’s collecting with other platforms so they can be more integrated with those metrics, because the governance tool is where we create policy. And then using Tufin’s metric, we can actually know what kind of policy we can create. That would help out.

Stability Issues:

It's good. I haven't rebooted.

Scalability Issues:

We are big, but we are only using a fraction of what Tufin is capable right now. I'm hoping that we can explore a lot more and then try to utilize more on Tufin because my big way to look at Tufin is this ability to gather all that data. If Tufin doesn't have that footprint, you won't get that data. So right now, I'm working on that.

Initial Setup:

For my current company, I inherited it.

Other Solutions Considered:

I haven’t thought of using any other solution, so, I haven't looked at other solutions yet.

Other Advice:

Let Tufin help you see what can be. Make the tool work for you and be creative.

You can't always use it in a certain way. There are many ways to use a tool. You just have to be creative on how you use the tool. Find holes and ways to use it.

Figure out how you use the tool, and then figure out if you can create a process out of it, so you are not only using it when you are free. You want to use it as a process because it has to be repeatable. If something is not repeatable, there's no way to improve the process.

If I'm going to find a policy right now and I don't repeat that process, those policies will continue to become legacy, so you have to repeat using the tool.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489222
Security Engineer at a retailer with 1,001-5,000 employees
Vendor
We like the side-by-side policy revision comparisons and the ability to list all policies. I’d like to see it work with F5.

Valuable Features

It can compare policy revisions side by side to see when you've made a change, and what the change is. It also lists the detail of the objects and policies. In other words, it has the ability to list all the policies as well as having side by side revisions.

Improvements to My Organization

I think we knew we needed to invest in the solutions because of a replacement we had to do last year. We had no other way of gathering the information. It wasn’t replacing anything.

Room for Improvement

I would like to be able to see the changes made on the software blades that Check Point has, such as URL filtering, IPS.

I’d like to see it work with F5. It's supposed to work and it doesn't. The problems we have with the F5 is what brings the rating down, because that was a big part of the reason we purchased it. If they fix the F5 issue, I’d probably rate it an 8 or a 9.

Use of Solution

We have been using it for one year. When we first implemented Tufin, we were replacing firewalls that had been in place for so long, there was absolutely no way of migrating the policy over so we had to recreate it from scratch. We were able to use the information provided from Tufin to do that.

We’ve used the recording tools a little bit, but just for Check Points, not the F5s. They're helpful in a way. Sometimes it seems like they're giving you partial information, like it wants to give you some information that you've made a change to, but it's really hard to track down where that change actually was made. It’s more like configuration-level changes are difficult to read on the report.

Deployment Issues

We've had issues with using Tufin for the F5 load balancers. We can't get our information out of our F5s.

Customer Service and Technical Support

Using technical support was kind of cumbersome. They couldn't figure out what the problem was with the F5s. After they thought they found the problem, we set up another set of F5s. The problem that they thought was causing it, was no longer in place with the other set of F5s, but they didn't work either.

Initial Setup

I was involved in the initial setup a year ago. It was straightforward. It was pretty easy to set up.

Other Solutions Considered

We weren’t comparing it to anybody else.

Other Advice

Keep in mind that you're only going to get the network security layer of the Check Point showing up on the recording. You're not going to get all of the software blades that come along with it. One of the things my manager was disappointed to find was that we weren't able to gather that information.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489249
Network Security Engineer at a pharma/biotech company with 10,001+ employees
Vendor
I like how it optimizes your policy, and does a compliance check and risk analysis.

Valuable Features:

I like how it's able to optimize your policy, look at the objects, and other similar functions. We only have Check Point integrated with Tufin SecureTrack, so that's a key benefit of using it. We can check policies against past policies. It does a kind of compliance check or risk analysis if there are unused policies or unused objects. It highlights them and it gives you a good view of what doesn't need to be there.

Room for Improvement:

It would be better if Tufin could integrate with the Cisco routers, FireEye, and other devices like that, so you can do the routing changes and so on straight from SecureChange. That would be good.

I haven't looked at their latest versions or releases, what's new, and what's not. We're still running a version that's at least a year old, so I still have to look at it. If they have added integration with Cisco routers already, that's good, but we don't have that in the version that we have. It doesn't support Cisco routers at all.

Stability Issues:

It's been stable in our multi-domain environment. We have more than 20 or 30 policies.

Other Solutions Considered:

When we were looking at products that can do this, I think we only looked at Tufin. Its integration with Check Point is what led us to Tufin. That was the main reason why we looked at it.

Other Advice:

I hope that Tufin just keeps doing what they’ve been doing. We look forward for future enhancements.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489240
Consulting Information Security Engineer at HCA
Vendor
Automated reporting is quite valuable. I also like the ability to get visibility without giving someone admin rights in the Check Point consoles.

Valuable Features:

The biggest thing that we have been using is the automated reporting. I work on a very specific portion of our network enclaving strategy. For the initial ones we’re working on, I get a big report every Monday that has a full listing of volumes and changes on all the rules. It means I don't have to log into the firewall to see how we're doing as far as progress and what we're doing.

We also use the on-demand stuff every time they make a change, I get a report of the change that's happening. We don't necessarily do the operational side but we have a sort of governance and policy oversight, and consulting oversight. We can determine whether this is the right thing to do for what they're doing. I don’t even have to log in and I don't have to go look for the information. I don’t have to go in to the Check Point console, log in, and do a lot of stuff. I get these reports in my email and I can analyze them and look at them when I want to. That's very helpful for me.
We also use it in the field for the people that have oversight over their zones. They get a change report and a risk analysis report out of Tufin. They don't have to log in every time something happens. It gets pushed to their email. To me that's a big value.

The other thing that brings a lot of value is the ability to get visibility without giving someone admin rights in the Check Point consoles. We are able to specify for these roles. While we're doing policy and strategy in consulting, we don't need admin rights to be able to make changes. That's a big help also. We can get to the info without having to log into the consoles and get those type of permissions that we really don't need in our role.

Improvements to My Organization:

We've used some of the rules recommendation modules. You can give it a certain data feed and it will recommend a rule set to accommodate that. That's the other tool that has been helpful for us. Our biggest problem is that we have a very complex environment. It can get a little crazy when we throw it at the rule engine. 

Room for Improvement:

I haven't seen where they've gotten recently with the whole zone policy matrix that they showed us a year or so ago, but to me that's going to be one of the big things, it's going to drive us.

There was a feature they were working on that will allow you to go in and set up your zones, and you do a to-and-from policy for each zone. It uses that when it evaluates the rules that you try to put in to determine whether it complies with the zone policy. We need to be able to build out a business decision model with the zone policy that lives on without someone having to look at it every time. I think that's going to be one of the better things for us. So that we can see the zone policy management and we can be assured that policy is being enforced. If they get outside of that, we get notified. We know that nothing can happen unless we get notified. Even if they declare emergency, which sometimes you have to do, that we will get notified. Nothing can happen without us getting notified. To me, that's going to be one of the big things to try and keep the whole environment in the level of security posture that we want to try to get done.

The biggest thing for a very, very complex environment like ours is to keep everything in line with what we're trying to do.

I’m rating the product an 8 mainly because I want it to get into the zone area and those kinds of things. I think it's a great product, but there's a couple of spaces that would be very helpful if they could improve on. It is a good product. Don't think 8 is really bad. It's really good.

Other Advice:

Learn it and dig into it, because it's got some great capabilities. For me, it's been great.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489237
Network Security Operations Manager at a non-tech company with 1,001-5,000 employees
Vendor
We use it to record policy changes, and the speed is good.

Improvements to My Organization

We're using it to write down policy changes. We have lots of jobs making firewall changes. We track down all of those in the reports and we can see what is going on. If something goes wrong, we can track down the latest changes and determine how to fix it.

Room for Improvement

We would like to use Tufin through the cloud. We don't want to keep the hardware or all those devices on premises, where we have to manage them and upgrade them. If we could use Tufin through the cloud, we could just tweak the firewalls, keep the changes, and then track them.

Right now, Tufin is on premises, which means we have to manage it, we have to upgrade it, and we have to take care of the devices. The infrastructure is not very critical for us, and we just need to use it, so we would prefer to use it through the cloud. Everything is in the cloud.

Stability Issues

I have not found it to be slow at all. The speed is good. At first, we installed Tufin in one of our offices, but now we are using it everywhere.

Customer Service and Technical Support

Technical support has been good.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489234
Staff Specialist at a financial services firm with 10,001+ employees
Vendor
We're a Check Point shop and it works well.

Valuable Features:

The way we've set up our policies are pretty unique in what they do, so there's not a lot of compare between them. But, historic is really important. We look at them and we say what is and what isn't important. We run through the compliance and the best practices. We're just starting to look at real usage and integration. That way, we would be able to say, "Okay, if this hasn't been used in a long time, maybe it's time to get rid of it." And we would be able to do our own cleanup because the tool will then tell us the value on long-term usage so we can take more advantage of it in real time.

Improvements to My Organization:

We perform a lot of compares that show what was and what is now in our rule sets. In case there are issues or when somebody says, "Hey, this was working but now it doesn't," or, "Oh, I'm pretty sure that was in there and you must have removed it," we can validate those changes and go back in the history, say yes or no and do compares. There's a lot of new features that we're hoping to utilize, learn more about, and take advantage of. It's a timing thing and it's also education. We've been a Tufin customer for a long time and really like the product. We need to grow as much as the product is growing. 

There's tons of stuff in the product. The issue is more about what I don't know about it than what I am using it for. They definitely have kept up with the product and kept it moving forward. It looks like a really great partnership with Check Point and a lot of vendors. We're a Check Point shop, so it works very well.

Room for Improvement:

We’ve asked them how to shorten the length of the change reports for global rules. They're going to try to allow us to select whether the global rule is reporting, or they're going to tell us how to do it a different way. We just brought it to their attention, so we're going to bring it to engineering. We’d like the reporting to be something similar to the reporting that Check Point puts out. There's some functionality that is very simple. I'll call it human reporting, such as a shared secret for a VPN change. Tufin does a really great job providing technical reporting, but it is unreadable to the average person. You look at it and think, "Yeah, I don't know what that did." We're asking Tufin to look at it, go over it with us, and say, "Is there a better way?" Either we're doing it wrong or they can improve the product to make it a little more usable, or at least readable.

Stability Issues:

It's been a very strong, reliable product.

Scalability Issues:

As long as we keep up with the revisions, it's been very scalable. We just did another upgrade because we considered it a little slow. We were running an old version. Once we upgraded, it's been rock-solid. It's always been there, it's always been good.

Customer Service:

We've been with Tufin for a long time. They’ve been very responsive to us. There was some changeover, and we have a new sales team. They called up, we had a meeting, and then, boom, we said, “Okay, let's schedule our upgrades.” That happened within two weeks.

The sales team so far has been great. We mentioned to them we're not educated enough on the product, they've already started talking to us about how to fix that. They're very responsive to our needs. It's a time and place issue, like anything. Unfortunately, we have to make the time and effort just as much as they have. They want to know when we want it. So they've been great for us, we've been very pleased with Tufin as a company.

They've been great. We have a good relationship with them and the product does a lot of things that we want. When I get challenged or it doesn't do what I want, it very easily could be me. I may be using it in the wrong fashion. 

We learned how to use it by just going and figuring it out ourselves. The way I'm doing a lot of things might not be the way they were designed to be done. But, as far response times from the company and everything else like that, I've been really pleased.

Initial Setup:

We've had it for a very long time. We've just been upgrading it as long as I've been with the company. It was in place before I joined the company.

Other Solutions Considered:

At the moment, we’re not thinking of switching to another vendor. I know there's a couple of other monitoring solutions, like FireMon, or a couple of other systems that people have looked at.

Other Advice:

Try it. It's a great relationship, but it's also a great product to work with.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489219
Senior Security Engineer at a hospitality company with 1,001-5,000 employees
Vendor
We use SecureTrack for tracking unused rules. I’d like to see the application topology developed more.

Valuable Features

We use SecureTrack for tracking unused rules, tracking risky rules for compliance, and policy optimization, which I think is the best because you get duplicate objects and you get covered rules. I would say that trying to tune your policy and get rid of unused rules is the most valuable for us.

Improvements to My Organization

At the moment, we have not really found any other side benefits, but we will be implementing SecureChange which will then allow us to track changes. The topology feature will show us what devices in the pack need to be touched. Depending on the complexity of the routing and knowledge of the environment by the engineers, policies could be missed that need the rules. That particular aspect is going to help us a lot.

Room for Improvement

I’d like to see the application topology developed more. You have a database layer, a web-front end and other applications that, along with the policy rules, have a path that they need to take and they need to traverse several devices. That gives you almost like a network topology of the applications and I believe that you're going to be able to use that for compliance also. I can’t think of any other configurations I’d like to see right now. Nothing's perfect.

With change restrictions, we can't remediate things immediately, but Tufin gives us the information we need to then submit a change, to go ahead and clean up the policy.

Stability Issues

We have not come across any stability issues. We support the platform, we support all of our platforms and that's the one that we've had to do the least amount of support for, but I can't speak for the other engineers.

Scalability Issues

I don't know how many devices we have in there but there hasn't been a problem. We have several business units with multiple devices across each business unit. I don't believe that I've come across a problem getting a large amount of devices in.

Customer Service and Technical Support

Tufin’s technical support engineers seemed to be knowledgeable and very helpful.

Initial Setup

I helped import devices for a specific business unit I was supporting at the time. I found it to be very intuitive and not hard to use at all.

Other Advice

If you're in a large environment, a large enterprise, it's a good tool. It does certainly help with the workload. For the app team who are trying to develop the applications, it makes them more accountable for how it's supposed to work.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489216
WAN Border Engineer at a pharma/biotech company with 10,001+ employees
Vendor
You can kind of see where the flows are coming and how they're working.

Valuable Features:

The ability to compare the old policy and the new policies is real handy. The topology view is really good.  You can kind of see where the flows are coming and how they're working.

Room for Improvement:

I come more from the WAN space as opposed to the security space, so I would obviously like to see Tufin integrate with Cisco routers. There's room for more integrations with other products.

Use of Solution:

I'm just kind of getting into it, so I don't think I have the full breadth of the product personally, but it is pretty usable.

Stability Issues:

It's been stable in our environment.

Scalability Issues:

We haven't had any trouble scaling it. We have about 100 policies. There haven’t been any issues with speed, as far as I can tell.

Valuable Features:

  • The ability to compare the old policy and the new policies is real handy.
  • The topology view is really good. 
  • You can kind of see where the flows are coming and how they're working.

Room for Improvement:

I come more from the WAN space as opposed to the security space, so I would obviously like to see Tufin integrate with Cisco routers. There's room for more integrations with other products.

Use of Solution:

I'm just kind of getting into it, so I don't think I have the full breadth of the product personally, but it is pretty usable.

Stability Issues:

It's been stable in our environment.

Scalability Issues:

We haven't had any trouble scaling it. We have about 100 policies.
There haven’t been any issues with speed, as far as I can tell.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489246
Network Engineer at a financial services firm with 10,001+ employees
Vendor
Helps us with troubleshooting to find out what changed. Patching and speed are issues.

Valuable Features

The governance feature is handy in the process flow. Tufin is easy for an average user to be able to put in their request and have it automatically assigned to other firewalls.

We are able to review changes from the previous day to be able to compare if there's a change that goes in from one day to the next, if there's an issue, we can see what change has occurred. You can see that through the reporting. It's quick to go and pull up what changed between the two days. It works great for the users to be able to put it in. And then troubleshooting afterward if something happened to find out what had changed.

Improvements to My Organization

It has come a long way. Compared to where we were, it's significantly better. We were using an internal process that was intensive. This is clearly better.

Room for Improvement

From my limited use of it directly as a user, I don't think it's efficiently comparing. We were looking for a 2 of 3 match that haven’t used the same rule, and it's not working as well. It's adding additional rules into our policy at times. It could be more effective than that. I’d like it to add fewer rules but still keep the same security posture.

We’ve also had issues with speed, and it needs to be a bit more reliable. It's definitely slows up. Sometimes, just when I log in, it didn't connect me to the system or we've had to do some emergency patches on it and it would take 10 or 15 minutes to get logged in. That was kind of weird and that's happened a couple times. I think it is user-friendly, outside of the things our own internal people have added and made it a little confusing.

I think the app could be a little bit improved in the way that it selects objects.

Stability Issues

From my user perspective, I think patching is an issue. I haven't done it, but I know they had to. It got slow, and there were issues getting connected in to it. Everything was running slow a few different times. We’ve had to contact support. There's been times we've lost a day and a half of usage.

Customer Service and Technical Support

I have not had to use technical support.

Implementation Team

I was not part of the implementation.

Other Advice

It works well. It’s something you would send a colleague to use. It gives a nice process flow as far as the end user putting something in, having governance check, and being able to have multiple work screens because we have different areas of the company and different processes. They have to have different work flows. We use multiple work flows. That's handy. You can build those in, you select from the beginning and then you're off and running.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489258
Senior Network Security Engineer at a government with 1,001-5,000 employees
Vendor
Good for retrieval and for policy remediation, as far as cleaning up policies.

Valuable Features:

The last account I was working for had just implemented Tufin. It was good for retrieval and for policy remediation, as far as cleaning up policies and so on. When I got there, they had a lot of old policies. Everything was all over the place. Tufin was good for policy cleanup.

Once you install Tufin, it performs a query and it searches all active policies. Once it does that, it places all the policies that you know in priority order, as far as which policies are being most used and which ones aren’t being used. Then it gives you something like a survey of things that were being used or any things that weren't being used. You can decide whether you want to take out or if you have some machines which are totally dead. That was really the big benefit of using Tufin.

Room for Improvement:

It took a long time just to try to gather the information. I would like Tufin to be faster.

Use of Solution:

For what we needed, it searched all of the information we wanted it to.

Stability Issues:

It was stable. We didn’t have any stability issues.

Scalability Issues:

It was very scalable and very customizable for what we needed it for. We had about 4,500 users on our network, and then we had six firewalls. It came in handy with that.

Initial Setup:

Installation was a little bit complex, so we did get help. We had to have professional services from Tufin come and help us. They were great. Once they came, it was simple to setup. 

I’m giving the product a rating of seven mostly because of the initial setup. It took us a while because we couldn't figure it out. After about three weeks, we had to hire someone to come and set it up. Once that happened, then it flowed.

Other Solutions Considered:

When we were deciding whether to implement Tufin, a lot of the other agencies were using it at the time. We went with Tufin because it was receiving favorable scores from the other agencies.

The only one I can compare it to is AlgoSec. AlgoSec has a few more features but a lot of similar agencies were going towards Tufin, so that's why we went with them.

Other Advice:

Define exactly the specifics of what you need it for. If you need it for remediation of policies, then it's definitely the product to go to.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489264
Sr Network Security Engineer with 1,001-5,000 employees
Vendor
I permanently use it for their Automatic Policy Generator, and for object lookup.

Valuable Features

I permanently use it for their Automatic Policy Generator, and for object lookup.

Improvements to My Organization

We use Tufin for object lookup. We often get requests from the business. They give us an IP and they request something like, "We need to know what the rules are for this.", so they can add more similar rules. We go into the object lookup, give the IP that we're looking for, and then it generates a report, either Excel or PDF.

We have probably a hundred policies using Tufin.

Room for Improvement

I would like to see a little bit more of enhancement on their PCI-compliance piece. We reviewed a Skybox product. They seem to be doing a lot better than Tufin does on the PCI reports.

Scalability Issues

I think we're ready for an upgrade, it's getting kind of slow. They did tell us that you can break up the database in the actual server application into two separate units. That's supposed to make it a lot faster. I think we'll probably do that in the next upgrade.

We have seen some slowness, but I think it's because we're on some aging hardware. We're quite larger than a lot of people that probably use it too. It has been scalable for our size so far.

Customer Service and Technical Support

I actually hadn't really had the need to reach out to technical support. We're a pretty big customer of theirs, and they're always coming around. I usually deal with my technical issues when they do that.

Implementation Team

I went through one upgrade, but they already had Tufin when I arrived.

Other Solutions Considered

We did a proof of concept to compare Skybox and Tufin.

Other Advice

It’s a pretty good product. The PCI compliance piece probably accounts for the rating of 8 as opposed to ten.

As far as comparing Tufin with another product, I would just look at some of Tufin’s features like the APG that is not used that often, but it's a really good feature. They do also have an extended tool section where you can kind of get a little bit more in depth.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489336
Network Security Engineer at a hospitality company with 1,001-5,000 employees
Vendor
The most valuable feature that I've found is rule optimization. Another benefit is the complete set of all rules.

Valuable Features

The most valuable feature that I've found is rule optimization. If the rule has massive hits and if I want to remove that rule, I can put that rule into the SecureTrack change. After a few weeks, it will tell me that these are all the IP addresses that it is hitting, and this is all the traffic that it is hitting. It provides all sorts of other information too. That's one of the features that I like in Tufin.

Having total compliance is a benefit. When our compliance department tells that there is a rule that says IP such-and-such, and that we have to remove that rule, it’s never easy for us to directly remove a rule until and unless we have some traffic analysis and so on.

Another benefit is the complete set of all rules. If I have to find a particular object, Tufin provides a search feature. That's one of the good features in Tufin. If you have more than 100 or 200 firewalls and 100 or 200 policies, and each and every policy has a humungous amount of rule numbers, it can give you detailed reports, as well as the search feature.

Room for Improvement

I would like to see improvements in historic views of rules - stating that this rule hasn't been used for the past one year, that this rule hasn't had much hits, these are all of the shadowed rules and these are all of the unshadowed rules - so we can narrow down the rule base. That's probably one of the aspects that I would like. If Tufin can help me out with that, that would be nice too.

It needs improvement with rule optimization and compliance.

Tufin product is good, but it requires a lot of CPU overhead. It might be because of the rule base we have. It might be due to other factors, but it's kind of slow for us. I would like to see an improvement in speed, as well.

Stability Issues

It's been stable. No complaints yet, except for the upgrade. The upgrade takes a little long, but that's fine. I believe that’s because of the vastness of our environment.

Scalability Issues

We probably have more than 2,000 rules for each and every policy. It depends, 1,000 rules, 2,000 rules, somewhere in between. We have a pretty massive rule base, and it's giving good reports.

Customer Service and Technical Support

Involvement with the technical support team went well. They are cooperative.

Other Solutions Considered

We also use AlgoSec for analysis.

Other Advice

It all depends upon the environment that you’re using. Compare it to other vendors, like FireMon and AlgoSec, and then you can rate the products and decide what to use and what not to use.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489228
Security Architect at HCA
Vendor
It’s nice to have a central location for remediating rules that are not compliant. I hope they add the ability to manage NATs and improve the interface.

Valuable Features:

What I’ve found very useful in a short period of time is the visibility it provides. It looks at the tools that don't meet our compliance requirements. We’re part of a program where we’re going back and remediating a lot of the rules that are falling out on compliance. Having a central location for that is very nice.

Improvements to My Organization:

It provides pretty decent visibility to the rule set that we have. Right now, we're looking to better utilize the zoning. When we start utilizing the zoning better, I think it will be a lot more useful tool. 

Room for Improvement:

A major thing that it sounds like it's still going to be lacking, is the ability to create and push NATs. Our network is very large and very complex, we use NATing internally quite a bit. That's a fairly large pain point for our firewall admins. We can use SecureTrack and SecureChange to create and manage rules, firewall rules, but it doesn't have the ability to manage NATs, which we find, is key for management.

Some of the pain points like NATing and the interface brings my rating for the product down to a seven. The interface is workable, but it could be a little bit more intuitive. I would rate the function of the product a ten.

Use of Solution:

I'm very new to the Tufin products. I'm new to HCA and this is the first time I had professional experience with it. 

Other Advice:

Dive in.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489252
Security Engineer at a non-tech company with 1,001-5,000 employees
Vendor
I've been converting from ASAs to Check Point. I used Tufin to analyze all the rule bases to get rid of what I don't need, and create less permissive rules.

Valuable Features:

The Automatic Policy Generator is a valuable feature, because I've been converting from ASAs to Check Point. I used Tufin to analyze all the rule bases to get rid of what I don't need, and create less permissive rules.

I had only 300 rules, but I've been able to consolidate it down to 67. There was a lot of duplication, and they're all interface based.

I like the diff where I can actually compare configs: who changed it, when they changed it, the last time it was saved, what changes were made. I can also do that in SolarWinds, but Tufin just makes it a little easier for me. Some of the tools’ features that they have, they're a little bit more mature in the later versions. The version that I have uses the spider-like view, with just the branches everywhere. It actually shows the network connectivity and the traffic. The routes, basically. I actually like that, but what I don't like about it is that, on the ASAs, it didn't take into account the weighted security code: 100, 50, 90 and so on. On the ASAs, according to that security code, you can talk to less secure networks without actually hitting a firewall policy. But if you want to talk to more secure networks, you actually have to go through the policy. The policy is basically the ACLs are interface based.

Room for Improvement:

I'm really interested in seeing the real risk value. Firewall policy management was great, but it's not something that's critical for me because I'm a smaller organization. I don't have 500 or 1000 rules. I'm more interested in just being able to show risk.

Other Solutions Considered:

I've kind of lost a little bit of interest in it, to be honest. There's some other tools that are doing a little bit better. I like AlgoSec and I also like Skybox. I’d like to be able to incorporate my policy data into it and actually be able to see a risk score from end to end. Tufin was not doing that at the time that I purchased it. A true risk score allows you to see the impact of a sev 1 versus a sev 5. Most organizations do sev 4 and 5 patching. They hardly ever go back and do a sev 1 and 2. You can actually take that data, analyze it, put it into your infrastructure, consolidate it and look at your total risk score for a vulnerability. Tufin might be offering that now, but it's modularized and I don't have the budget for it at the moment. I already spent a half-million dollars, so it's a little out of my budget at this point.

I did like the SecureChange feature, and they were one of the first to actually offer that. It allows people to log into a webpage, and if they needed a firewall rule, they would actually submit the request through Tufin. Tufin would then compare it to the compliance policy that you manually build into Tufin. If it violated the policy, it would deny the request for you. It would allow you to make an exception for it because of x, whatever that reason may be.

Other Advice:

All the competitors have their niches. Not one of them does anything perfectly. If you're comparing these type of management products, you want to look at what you're really going to use it for.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489255
Security Operations Engineer at a hospitality company with 1,001-5,000 employees
Vendor
I use it for traffic analysis, to check the traffic hitting a specific rule, for rule consolidation and so on.

Valuable Features

I have used Tufin for traffic analysis, to check the traffic hitting a specific rule, for rule consolidation and so on. It’s really helpful. For my usage, it's very good.

Room for Improvement

We would like to see historic reports for the device, for a policy, for rule consolidation, and for rule optimization.

Also, it's pretty slow for us. Just to run an analysis for a single rule, we need to wait at least five minutes.

Stability Issues

We had a couple of stability issues before, when we were running on our old core. We used to not get the reports as we expected. The Tufin used to get disconnected from the device and just not provide the exact reports such as the hits on the rules.
Over the last year and a half, we upgraded twice, and right now it's pretty stable.

Scalability Issues

It has been scalable for our needs.

Customer Service and Technical Support

Technical support is really good. They're supportive.

Other Solutions Considered

We've been using AlgoSec as well for analysis. We use both Tufin and AlgoSec for our reports.

Other Advice

It's a good tool. We would need a view of all the tabs, for the analysis. If it's pretty fast, that should be good for us.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489243
Security Engineer at a financial services firm with 10,001+ employees
Vendor
We're using SecureTrack, and the most valuable feature for us is the accurate reporting it provides.

What is most valuable?

We're using SecureTrack, and the most valuable feature for us is the accurate reporting it provides. Every time I run a report, I know it's going to return just the exact information I'm looking for. 

I like the ability to drill down in the reports. That's very handy. It allows you to drill down, but it doesn't show you all the information at once, because some of it can be very overwhelming. It simplifies the information and then you can drill into the details.

At first, it presents it all in one format in the report. That's the simple format. Some of the things I'm looking for, I want an answer back quickly. I can see in just a one-page review that all of the information I was looking for is there.

What needs improvement?

On an enterprise-wide scale, I would like to see improvements to the auto generation feature. We don't use it very much, if at all, because it didn't work well.
It’s the feature where Tufin can review a certain rule and recommend more granular rules based on the logs that it sees for the rule. We've had a lot of difficulty getting that to work smoothly. Our Tufin engineers have had to play with the software behind the scenes to get that feature to work. It'd be nice to be able to just turn it on and have it work, no matter where we're looking at these rules in the enterprise. That's actually been a need. We are an organization with over 15 years of firewall rule history. We need to remediate rules. We need to clean them up. That's something I think Tufin needs some improvement on. I like the ability to review Cisco configurations right there on the spot. I've found that very handy.

What do I think about the stability of the solution?

I think for the most part it's been stable now that we have our new hardware. Our organization's very taxing on it. We have dozens of engineers running reports at the same time, but it's usually just a workload issue. It does give you the ability to schedule reports. If it's not something you need right away, then you can just schedule the report to run as soon as possible and then continue to work somewhere else. That saves me a lot of time.

Which solution did I use previously and why did I switch?

At a previous job, I used FireMon. It was similar at the time. I think Tufin has a lot more offerings with the Orchestration Suite now.

What other advice do I have?

Work with the sales teams directly, because they seem very willing to be flexible with the development side. Every organization has different needs. Tufin’s willingness to be flexible impressed me.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489261
Senior Network Security Engineer at a financial services firm with 10,001+ employees
Vendor
Searching for a specific rule, it shows whether an object exists. If it does, it shows what is in place and if we need to add something.

Valuable Features

In my group, we use Tufin to prove recourse. With firewalls, in terms of searching for existing rules, if we are looking for a particular rule, it shows whether an object exists, the network objects that exist. And if it does, it shows what is already in place and if we need to add something here and there. It's basically research analysis.

Improvements to My Organization

We use it for pulling your own reports, and checking the existing rule database from different firewalls from different managers.

Room for Improvement

I think they can improve the speed, although our speed issues might not be related to Tufin. Sometimes it is slow generating the reports, but I guess it depends on your infrastructure, if you have a good enough server. If you have more servers, the better.

If your infrastructure is big, and you're pulling a lot of metrics from many devices, it can be slow. But, if you add more servers, like a database service that reports are being pulled from, that speeds up the report generation a lot.

I know Tufin is great tool and can offer a lot more. I'm sure other groups or other people use it for what my group needs.

Scalability Issues

We are big, but I don't really know about scalability issues. I don't work on Tufin. I just utilize it. We just added a few more servers. In the last few weeks, the reports were coming pretty fast from busy firewalls.

Customer Service and Technical Support

I didn’t really use customer support. It's pretty self-explanatory when it comes to running reports and pulling metrics.

Other Solutions Considered

I was not part of the decision to use it.

We have not thought of using any other solutions. We have had Tufin since I joined the company.

Other Advice

It would be beneficial to get some kind of training from someone who knows the product, maybe from Tufin or someone else familiar with the product and the features. I know it can offer a lot, and you want to use its full potential.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user489210
Security Engineer at a healthcare company with 1,001-5,000 employees
Vendor
It can look at specific metrics across technologies. We would like the ability to correlate it with other toolsets

Valuable Features:

Policy management.

Improvements to My Organization:

It understands my need to make sure that there are specific metrics that we are looking at and with those seeing across our technologies, as opposed to just a vendor technology building reports. It's easier for us.

So far, with the asks that have been requested, we have been able to find the metrics we need. 

Room for Improvement:

My suggestion would be to be able to correlate it with other toolsets, and not just have it contained in their own toolsets. I’d like to be able to extract it so it can be consumed by other tools, like a governance tool such as GRC2, Archer, and by algorithms. It should not be contained in their environment. Let them perform their functions, but allow me to absorb others and use other governing tool sets to take a look at your metrics.

I’m rating it a seven just because I don't think I'm using the tool at its full functionality yet. It's meeting my current needs, but I don't know what the future use cases would be. So I can't say it's a ten, yet, but I'm moving towards ten. So, I start with a five as I use its functionality as meeting my needs. It will grow, I have confidence.

Deployment Issues:

The speed is good. As we continue to upgrade the software, I've been keeping up to date. Every version that I install, I see some improvement on the speed actually. So far so good.

Stability Issues:

I haven't had any issues. Even though my interaction has not yet provided me with a full understanding of whether it's stable or not, I have been interacting with the tool enough to determine whether there are any stability issues.

Other Advice:

If the tool meets your needs, evaluation process wise, then you should make sure that you reap the benefits. It has a lot of functions, and a lot of benefits and features. Start using them all.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user399324
Network Lead - Security Architecture at a retailer with 10,001+ employees
Vendor
The value for me is the ease of implementation. We also like the UI and scalability.

What is most valuable?

The biggest value for me is the ease of implementation. I'm newer to the company, only been there a year, but the fact that I could could win and recommend this product within six hours of getting the license installed shows that there's immediate ROI to my CSO.

How has it helped my organization?

I've been trying to clean up the firewall policies that I inherited from different iterations across topology changes -- from Cisco to Juniper to where we are now -- that have never been cleaned up. We're not publicly traded, so there's not a mandate to do so. When I worked in the energy sector, though, there were such mandates, but we weren't properly staffed.

Our current firewall policies never had a full, comprehensive risk rating of every rule, but we have that now. I've implemented different zones for setup so that we're able to get reporting immediately for our PCI environment. We know whether or not we're in compliance. If not, we can fix it immediately without waiting for an outside auditor. We can be proactive.

What needs improvement?

I'd like to see more work done on the topology side. Although the tool has gotten progressively better, topology still needs work. If it could be improved, that would really make the tool much more powerful. You can then have non-firewall people using it for troubleshooting.

For how long have I used the solution?

I've used it now with various companies for over 10 years.

What was my experience with deployment of the solution?

We've had no issues with deployment.

What do I think about the stability of the solution?

It's never failed or completely gone down. It's one of those set-it-and-forget-it tools.

What do I think about the scalability of the solution?

I'm very impressed with the scalability. Previously, we used appliances sitting on our network. This time, we went with a VM and our technical rep said we could put up to 80 licenses on it. That's way more scalability that I anticipated.

How are customer service and technical support?

Customer Service:

Customer service is very good. I haven't worked with than much other than for the license, but they're very responsive.

Technical Support:

Technical support is excellent. They're good at answering questions, very helpful, and responsive.

Which solution did I use previously and why did I switch?

I've also used FireMon. We liked the Tufin UI better.

How was the initial setup?

The initial setup was very straightforward. Our VM team installed the image for me and then I installed the license. From start to finish, it took about 24 hours, and most of that was paperwork.

What about the implementation team?

In-House

What was our ROI?

I was able to create initial tuning reports within an hour of populating the system with my firewalls. Within one week, I was able to create my PCI zones and configure automated reports for compliance

Which other solutions did I evaluate?

We looked at FireMon, which is an excellent product, but for me it came down to getting everything stood up and running within a minimum amount of time. I needed it to look really good because I was putting my name on it. Plus, my manager loves the web UI over the FireMon UI, which for him was the key.

What other advice do I have?

You're going to be really shocked with the first couple of reports that show stuff about which you had no idea. Let it go and get buy-in from as many other groups as you can. If security and network are separate, get network involved to access devices that will provide a clear picture of everything, especially of topology. Build those bridges ahead of time and present it more as a collaborative tool and not a "I'm watching you" tool.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user488118
Security Engineer at a financial services firm with 10,001+ employees
Vendor
Policy analysis is the product’s most valuable feature.

Valuable Features:

Policy analysis is the product’s most valuable feature. It can pull out various rules that we need to work on, edit, update, and so on. It can identify rules that need to be moved, or need to be optimized.

Improvements to My Organization:

Tufin analyzes tens of thousands of rules for us. Not all one firewall, but there's thousands and thousands of rules that Tufin analyzes.

Reporting is great. The only issues that we ever run into are with usage reports. You can run into things where something will have been modified and it ends up changed or something like that. Other than that, reporting is great.

Room for Improvement:

The capabilities Tufin has for Check Point products are excellent. It'd be nice to get the same level of features that it does for Check Point up to par with Cisco, Palo Alto, and so on. There's a couple of things that are lacking. For example, on the Palo Alto side, if you're using a lot of layer 7 rules, there's very little visibility into that. When you run policy analysis, you're still only getting back source IP, dest IP, ports. It's not showing the URLs, all that kind of stuff. That's the main thing.

The only other thing I could see being improved would be regarding one bug. Once in a while when you save a policy analysis query and you click save, it goes back to the screen where it lists them all. Someone else's will be there, and it's somehow swapped them with another engineer who was saving something at the same time. It doesn't happen often, but when it does, it's annoying. Especially if you've just entered a whole lot of info into it.

I’m rating it an 8 because of a couple of those little nagging features, the little bugs. But by and large, it does the job that we need it to do at the moment. We're going into the new world of SecureChange. We'll see how that goes, too.

Stability Issues:

In our previous configuration, it would take a beating. It would take days to get certain reports out of the system. We've just purchased a whole bunch of new hardware, and Tufin’s been a lot more stable. I'm getting reports again very fast.

Other Advice:

Based on looking at some of the other products out there, Tufin is definitely the leader of the pack. It's a good choice. Make sure you buy enough hardware, and make sure you know how you're going to use it. A lot of the features get very processor- and database-intensive, and you should have the proper gear to use it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user488112
Senior Security Engineer at a hospitality company with 1,001-5,000 employees
Vendor
I like the compliance portion of the SecureApp feature, where you build your security database.

Valuable Features

We can identify rules that are not used. We can identify rules that are open.

When importing the devices, they made it nice where you can script it and import all the devices into Tufin. That was a nice little feature.

I like the SecureApp feature. That looks like it's pretty handy. The compliance portion of it, where you build your security database. It runs against that security database and figures out whether the correct ports are opened up or if there are vulnerabilities.

Room for Improvement

I know that in importing some devices, I think routers and switches showed up the same. Router would be layer 3 but they would only show up in Tufin as a layer 2 device. On the Cisco portion of it, there wasn't separation between that.

At this point, there aren’t any other configurations I’d like to see.

Use of Solution

I’m using SecureTrack basically to evaluate rule bases.

I have not really found any other side benefits. I don't really use it that much and it's relatively new. I don’t use any of the recording features.

Stability Issues

I wouldn't say we had stability issues.

Scalability Issues

We have, I think, over a thousand devices right now, and we haven’t had any scalability issues.

Customer Service and Technical Support

I’ve never used technical support.

Initial Setup

I was part of the initial setup. I imported devices but that's about it. It was pretty easy. You can put it in an Excel spreadsheet and import it that way or as a CSV file.

Other Advice

It's a pretty useful tool if you have a large environment with a lot of devices and you're trying to make it easier for the technicians to basically pawn the work off and make the application team more accountable.

With the limited knowledge I have of it and the limited use, I would probably give them an 8. I never give anyone 10's or 9's.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user488103
Security Consultant at a tech services company with 1,001-5,000 employees
Consultant
We use Tufin for oversight and revision control to avoid implementing rules that are against security policy documentation.

Valuable Features

We use Tufin for oversight and revision control to avoid implementing rules that are against security policy documentation, and also to correct any kind of issues or mistakes in policy changes.

It can be useful for comparing rule changes to create rules that are more efficient and more consistent.

Improvements to My Organization

We primarily use Tufin to alert us whenever a firewall policy change has occurred. We immediately get an email with a summary of what changed, the objects, any kinds of rules that were created, and so on. We can review that from our email client to see what the other admin changed and visually see if they did something that was against our standards, if it was just a poorly written rule or something like that.

Room for Improvement

It's asking a lot, but anytime they add stuff to the rule usage analysis or the policy generator - those things are amazing already as they are - we'd really like to leverage that for cleanup and so on. One of the biggest issues for an encroached application silo firewall is that the policies get super-complicated and cleanup is not only a hassle but can impact business.

I’d like to see the cleanup process be more efficient. That's my biggest headache and the biggest elephant in the room. When you have a policy that's got hundreds of rules, help me clean it up please: tell me what rules aren't used, tell me what rules are redundant, and tell me how I can simplify the rule base. I mean it does a lot of that today, but feel free to innovate there. Make it better.

Stability Issues

It has been stable. We pretty much just set it and forget it. It reaches out to us or, when we want to go consult it, we don't typically have any problems pulling it up.

Scalability Issues

It has scaled well for us. We probably have about a couple hundred firewalls feeding it information including rule usage and so on.

Customer Service and Technical Support

We haven't really had to use technical support. I think the only time we had to was during implementation. We have kind of a weird setup where we needed to split out syslog for rule usage analysis because we consolidated our syslog in one place. We said, "Hey, can you just have Tufin pull from that?" Support helped us with that.

Implementation Team

Implementation was easy. The previous solution we had didn't really work. We brought Tufin in, got it working, and rolled it right out.

Other Solutions Considered

I was involved in the implementation, not so much in the vendor selection. Of course, I knew about Tufin, its reputation and so on, so I was not opposed to it at all.

Other Advice

I’m rating the product a nine just because I’m stingy with my tens.
Tufin delivers on everything that we've asked them. For a similar use case, they're solid and you're not going to have any kind of surprises or issues that are going to crop up from what I've seen. As an administrator rolling something out and having it work the first time, that's pretty much all you can ask for.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user488088
Staff Specialist at a financial services firm with 10,001+ employees
Vendor
It allows us to use the compliance portion of it to do our compliance reports.

Valuable Features

It allows us to use the compliance portion of it to do our compliance reports. It also allows us to do peer review on our changes when we do firewall pushes. Before we do our firewall pushes, we compare what changes we made during the staging process in the week. We go over them to make sure that nothing is going in that should not be going in. Also, we check each other's work to make sure nobody fat-fingered anything and gave somebody some crazy access to somewhere that shouldn't have been.

Improvements to My Organization

There should be a heck of a lot more benefits for us. The problem being we don't have the time or the training to do that. We just upgraded to 16.1. Now that we're on a supported version, we hope to get some training so that we can utilize the product a lot more than we currently are. It does exactly what we need it to do. I think with some tweaking and some more knowledge of the product, I think we'll get to where we need to be.

Room for Improvement

When we do our change reports, some of those reports come out at a thousand pages. We have to submit those to management. When they look at the report, they say, "Why is this report a thousand pages?" We found out that, when we do a global rule, it removes all the global rules and then re-adds all the global rules.

We're in a Provider-1 environment, we have four CMA's, we have 78 firewalls. That generates a huge report. Management looks at it and says, "This is useless. You should filter through x amount of pages to get to the meat."

From what we found out, they have an idea about how to fix it, but I don't think they really know what to fix.

We also have had challenges with the way it does certain functions. For example, the exceptions. I think a lot of it could be we're just not trained and don't have the knowledge of the system. And I think once we start getting in there and start using it more, that's when we’ll find little things that happen like the global policy injection and removal. Our biggest challenge now is we have new management. When we send them the reports, they're not really happy with the reporting structure of it.
Otherwise it does what we ask it to do. It's never been down, it's always reported everything that we needed to report. We never have challenges in that regards. But again, it's a lot of the reporting structure that is challenging for us right now.

Stability Issues

We don't have a problem with it crashing at all. We've never had a problem with it crashing at all. It's always been functional.

Scalability Issues

I think it's been solid. It's always been there for us.

Customer Service and Technical Support

We have used support in the past. We use it mainly for compliance, for when we want something not to show up on a report.

Other Advice

They're constantly upgrading, they're constantly adding new things to it. That's a good sign. As the technology changes, they're on the forefront of it to get you those reports and use that technology in their new functionality. They just need to keep doing what they're doing.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user488085
Sr. Security Administrator at a consultancy with 1,001-5,000 employees
Consultant
Most of the valuable features have to do with the reporting and the cleanup of policy.

Valuable Features

A lot of the most valuable features have to do with the reporting and the cleanup of policy. With our day-to-day busy lives, we just want to get the change in and implement it, and that just increases rule base exponentially. From time to time you need to go back and find duplicate services, objects, rules, and cleanup. With a lot of the cleanup effort, I think the product helps out a lot.

Tracking changes is beneficial. We get alerted immediately who made the change, what change was made, and things like that. That's probably the most valuable.

Room for Improvement

It is important to keep up to date with the vendors you support. For example, Palo Alto, CheckPoint, Cisco, F5, and so on. They should make sure that Tufin supports the latest version of those products.

We upgraded to R80 two months ago, and our Tufin product hasn't been working. It's because there's no support for R80. We're hoping that Tufin supports R80 soon so we can start getting all the changes. If a vendor upgrades to a certain version, Tufin needs to provide support fairly quickly.

Also, our 20/20 vision is to be in the cloud wherever we can. Cloud first. If Tufin had any kind of management in the cloud, that's one less piece of hardware to manage in-house. Being in the cloud would definitely provide that extra missing feature.

Use of Solution

We've had it for about 3 or 4 years now.

Stability Issues

We have not had any stability issues at all. Upgrading has been simple, no issues at all.

Scalability Issues

It is scalable. We manage about 150 firewalls. There are no issues at all.

Customer Service and Technical Support

The support portal has been quick. I actually emailed them about R80 support, and they were really fast at letting me know that it's coming in mid-2016.

Other Solutions Considered

Along with a colleague of mine, I was involved in the decision to start using Tufin a few years ago. We compared it to AlgoSec and a couple other vendors. Tufin seemed to meet our requirements at the time. Before our renewal, we are looking to re-evaluate what all the vendors have to make sure we are getting the most out of the product.

Other Advice

It's a great product. It's pretty straightforward to use. It meets our needs and great support overall.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user483819
Security Manager at a financial services firm with 10,001+ employees
Vendor
I like being able to use the historical data and well as compare what changed.

Valuable Features:

  • The comparison of what changed.
  • I also like being able to use the historical data - did this access exist on this date a week ago, two weeks ago, etc. Because I'll have a customer who's like, "Hey, our traffic isn't working anymore. It used to work, and now it doesn't. Why not?" I would go, and I'd check the policies, see what existed, if it did exist, and then I know that somebody removed it, and I can find out who. It's a great tool.

Improvements to My Organization:

We're currently using SecureTrack. We've deployed SecureChange, it's currently essentially at this point in a deaf status. But from SecureTrack, one of the most useful tools that I've had as well is the usage reports. Whether it's zero usage or if it's the higher use rules. Let's say I've got a rule at rule number four thousand that's just getting pegged like crazy. It's the number one hit rule. We're wondering why our firewall CPU is going crazy? It's spiking. So we go over to the report, see what rules are getting hit, and we see the bottom of our rule base is getting slammed. Now we know we need to move those rules up and optimize our policy.

Room for Improvement:

We're in talks with sales about them writing code to integrate with some of our different tools, so that's nice. I can't really think of any features that either don't exist or we haven't already requested.

We've asked for integration with the tool that does our baseline, that tells what traffic is and isn't allowed with our change control system. We've got the core routing and everything imported, so that was nice. A couple integrations there.


Stability Issues:

When we initially had it, it was on a single box, so it was pretty slow. A lot of people had access and they ran reports after reports after reports, and it got stepped on a lot. Once we upgraded, we got HA Pair, and then we've got distributed log folders now, and it runs super smooth. Maybe three years ago I experienced some bugs where it would kick me out of policy query. I would be building a query, and it would just kick me out, or it didn't save the changes, or it just forgot that I was doing something, but I haven't had that happen in maybe two and a half years.

Scalability Issues:

Well, we did, and then we upgraded the hardware. Not a big deal at that point.

Upgrading the hardware resolved the issues because the amount of logs that we generate is pretty insane. Having that one little box handle the entire enterprise full of logs was not very efficient.


Initial Setup:

I wasn't involved in the initial setup. I've been involved in the upgrades for the recent versions.

I was a secondary contact, so I was only helping, but it was extremely easy. I watched what he did, and it was a piece of cake. He's our Tufin guru on site, so we let him handle the majority of the implementation.

Other Solutions Considered:

Most important decision criteria: ease of use and the robustness of the tool. We checked FireMon, for instance, and they didn't have anywhere near the features we were looking at, and it was nowhere near as user friendly.

Other Advice:

Play with the tools. See what kind of reasons you think you'd need to use it. Why are you looking for this tool to begin with? See how easy it is to pick up for your team. They may not be familiar with a tool; let them play with it for a few minutes and see. Give them a task. How easy was it to get that task done?

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user483810
VP of Engineering at Netanium
Consultant
The key area is the automation that it allows in place of manual reviews.

Valuable Features:

The biggest thing is regarding the automation that it allows our customers to do at the end of the day so that they can go and scale their environment a lot more than they could in the past. I think that's really where it comes in. It's the process behind it which can be very painful and tedious. They help make it easier and it's pretty simple from that perspective. You can review compared to past policies.

It's a multi-stage process. When you first start using it, you can go based on rules and find a lot of things that you didn't know before automatically. Then over time, you can go and see points along time. See what's happened, what's changed and also make sure they're applying the appropriate policy.

Without Tufin it's a lot of manual reviews, and you'll miss things. Humans miss lots of things especially as rule bases get big.

Improvements to My Organization:

The integration with other parts of the system, so it  a lot about process. If you have ticketing systems, other things that you're using can be helpful. For the really leading edge customers, they're able to integrate it with their other processes to the end users. The end users can be the ones requesting, saying, "I have this application and I need it to work this way." Take the technical out of it and make it a lot more business oriented so that's pretty powerful.

Room for Improvement:

It's still challenging in some cases to get it integrated with other systems. Anything that Tufin or any company can do over time to make that easier and easier is going to make it easier for the end customer. A lot of times with implementations, companies don't get using it we've seen. A lot of times, we'll go in and help them which is good. In the early stages, like any product sometimes it can be hard to start using it. Ways to make it super easy for somebody coming into the game could be useful. Then from our perspective, we've seen so many services go and come. So many applications go service based (software as a service) so they certainly have an opportunity there too to do some things.

I'd rate it an 8.

Scalability Issues:

We've been working with it for a long time and it's been good from that perspective. Again, we have a lot of customers. It's been really scalable. We've had some customers that are on a hundred gateways on it.

Initial Setup:

It's straightforward to set up but like anything, there can sometimes be an initial gap with usage. Get it set up, get it running and then it's the habit. Forming that habit for companies, like anything new, can be hard.

Other Solutions Considered:

The space is pretty targeted. AlgoSec and Firemon are certainly their direct competitors. Those are really the big three in the space.

Other Advice:

Criteria when selecting a vendor  -I think it's looking at your current processes and where you'd like to be is really what it comes down to. If you're frustrated with the ways things are working, think about the way you'd like it to be and then see what product fits into that mindset for you.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
it_user483795
Senior Security Network Engineer at a financial services firm with 10,001+ employees
Real User
It's able to give us reports that tell us which rules in our policies are not needed.

What is most valuable?

There are a few things. One is that from the portal people are able to request access. It is going to be able to stage the policy, add the rules or objects or whatever is needed for us so that all we need to do is push the policy at the time. It almost doesn't need a human being to be involved in the rule staging of provision process.

How has it helped my organization?

We've been using Check Point for 10+ years and some of the rules were converted from other systems, mainly from Cisco devices. The conversion process or the migration process is not the cleanest. We end up with rules that we call over-saddling. Rules which are really not needed.

We're talking about a ton of rules. We have policies that have 3,000 rules. It's able to give us reports that tell us these 10 rules or 100 rules in our policies are not needed. Either we need to fix the rule which was a bad rule or we do not need another rule.

What needs improvement?

One thing it's not currently able to do is remove rules. For instance, one of the biggest things is that we have a server what we call decommissioned. That means they no longer need it. Either the application is end of life or they bought a new server and they took on new IPs. But we still have rules that allow the IP, so there's a hole there. Right now you cannot say, "Hey, Tufin, this IP is obsolete. Please remove all the rules that allows this IP."

Another good thing is that Tufin has a good portal. 

Which solution did I use previously and why did I switch?

We were using Skybox. Tufin has that fun end to the user which Skybox doesn't.

What other advice do I have?

I would recommend it.

With a tool like this, spend a few dollars to bring in their professional services to help out. Tufin is not going to be for a really small company. One of the important things is that you need to get your network team on-board.


Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user483792
Director, Enterprise IT Security and Compliance at a transportation company with 1,001-5,000 employees
Vendor
Easy to log in, to navigate, to produce reports and to create workflows.

Valuable Features

The most valuable features are the ease of use and the portal. It is very easy to log in, to navigate, to produce reports and to create workflows. Creating workflows is actually one of the best features that I've seen in the product.

It also gives tremendous insight in that we now know exactly where the rules are, who they belong to, if they being used, and if we need to follow up on a yearly basis to find out if they still need access or if we removed the access because the server went down for whatever reason. Seeing that these rules are actively used helps us a lot. Before Tufin, we knew that we had issues with regards to how many firewalls we had in place. We had rules that were outdated and never being used. We started bringing visibility to that, and that's when we decided that we needed assistance on how to audit the firewall rules.

Improvements to My Organization

Not only is it secure to use, but also we put it out to our customers for them to submit firewall requests. We train them on how to fill out a firewall request, which then goes to us for review. There's a lot of work in detailing what changes are necessary for our firewall, but that's more of the technical side. The user side just needs to understand how they submit the request appropriately, and it took Tufin to do that.

One of the reasons we got Tufin was that pre-Tufin, our firewall had more than 1,200 rules. It was very difficult for us to understand when a rule was last used and if it still existed. With Tufin, we're able to manage and say, "Okay this rule was requested, we know who is the author, and we know who it belongs to and to what application." Understanding and visibly seeing what we can do with the firewall rules and how to audit them helps us manage it better.

Room for Improvement

I would like see the workflow process expand out to give us the ability to tie it to other APIs. I would also like it to log some of the requests that we have and have better dashboard metrics.

Use of Solution

Tufin SecureChange, Tufin SecureTrack - we’ve used it for almost a year and a half.

Stability Issues

There have been no stability issues whatsoever. It’s rock solid.

Scalability Issues

With regards to scalability, we are not only using this product for firewall rule management, but also for other manual workflows that we used to have but are now incorporated into Tufin to allow us to automate and actually have visibility into these manual processes. It’s now online instead of being paper copy. We haven’t had an issue with scalability and it’s been able to keep up with this transition.

Customer Service and Technical Support

Because of the training, we had less calls to technical support since we know how to manage the product. The tech support we have used went well.

Other Solutions Considered

A co-worker recently came to me and asked, "What do you think about Tufin and AlgoSec in comparison”? I told him that Tufin’s customization options out of the box, the value that you get from the training, and the improvements to our organization made it a no-brainer.

Other Advice

I would rate it a nine out of ten, since there's room for improvements, as always.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user483786
Network Security Engineer at a transportation company with 1,001-5,000 employees
Vendor
We Chose Tufin for its Ease of Use, Customization, and Workflow.

Valuable Features

The most valuable feature is the ease of use. Creating workflows for users is very easy. It's also pretty straightforward to look at audits and compare policies.

Improvements to My Organization

Before Tufin, we had a very antiquated way of doing firewall requests. It was a terrible workflow system. Workflow was one of the main reasons we looked at Tufin, since it is really easy for users.

Room for Improvement

I would like to see more customization with the emails that go out, the UI, the things that I look at, and the things that I see when I log in. We mostly use SecureChange, and when I look at my tasks, I would like to have more customization to maybe add a column, for example.

Use of Solution

We deployed it well over a year ago - Tufin SecureChange and Tufin SecureTrack.

Stability Issues

There have been no stability issues whatsoever. It’s rock solid.

Scalability Issues

Right now, with what we're using it for, it has been scalable. We haven't had an issue with scalability at all. It's been able to keep up.

Customer Service and Technical Support

We had to work with technical support to get the certificate set up and get SSL initially configured. It went well.

Initial Setup

Putting it together and getting it up and running was a breeze.

Other Solutions Considered

The top two we looked at were AlgoSec and Tufin. We felt that Tufin was the leader in the space and we chose it because it was easy to use, very customizable, and it gave us every one of the requirements that we were looking for.

Other Advice

I would give it a nine out of ten. It’s been a great product so far. I'd just like some more customization.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user479352
Network Consultant at a healthcare company with 1,001-5,000 employees
Vendor
There's a Lot of Depth to the Product, From Automation to Reporting Capabilites.

Valuable Features:

Tufin provides insights through various reporting capabilities. It provides a level of insight into change that didn't exist before and gives us the ability to validate changes against business needs. It has also allowed us to automate certain functions. We are still very new at it, but we have been able to leverage some of the automation capabilities to begin to clean up our environment. We haven't gotten into the SecureApp module yet.

There are some report capabilities that we weren't aware of when we purchased the product. They're kind of in a hidden area. One of the reports is called the permissiveness report and it uses some type of algorithm to measure risk of rules, rule bases and firewalls. We're still exploring a lot of the reporting capabilities. There's a lot of depth to the product.

Room for Improvement:

There are capabilities to measure risk and to report on non-compliance access and rules, and you want to clean that up naturally. Unfortunately, the automated cleanup only works for Cisco right now, and doesn't work for Check Point. We have been told that that's on the roadmap, hopefully for 2016, but automated rule cleanup and rule removal are probably the biggest deficiencies that we've encountered at this point.

In addition, the SecureTrack product is not as seamless as I would like it to be with SecureApp and SecureChange, but that's also on the roadmap to correct. If you are in Secure Track and you want to use SecureChange, you actually have to login to SecureChange.

Use of Solution:

We have only had the product for four or five months.

Stability Issues:

There have been no problems with stability.

Scalability Issues:

We have about 22,000 rules and 120 devices that we're monitoring. We haven't had any scalability problems.

Initial Setup:

There's a little bit of a learning curve, particularly with the depth of the product, but it's not difficult.

Other Advice:

I would rate it a nine out of ten, comparing it to other solutions in the market and the value that it’s provided to us already. I lowered the score because of the deficiencies I wrote about previously, but didn’t lower it that much because they are aware of it, they have addressed our questions, and they have it on the roadmap.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user479343
Senior Advisor Security Architect at a comms service provider with 10,001+ employees
Real User
Tufin Lets Us Clean Up the Rule Base Quickly and Remove Unused Rules.

Valuable Features

Tufin has helped us a lot. It lets us clean up the rule base in a short period of time and remove unused rules. Tufin provides you a report on rules for this that lets you delete objects that are obsolete and no longer needed in the rule base. If you don't use a tool like Tufin, this is done manually and may take days, because for every object, before you delete it, you have to make sure that it is not being used by someone else.

Improvements to My Organization

From a security point of view, Tufin can provide the posture of your environment, meaning whether your rule base is secure or not. It will analyze the file rule base, tell you if the service you enabled is secure, and give you some advice how to deal with the situation.

Room for Improvement

I want Tufin to be used by my entire team, but due to a lack of training and lack of resources, we are not able to do that. I would like to see more training videos that can be distributed to my team in order to really take advantage of the product.

Use of Solution

We have been using it for about 3 years now.

Stability Issues

I find it very stable. We haven't had any big issues since we started using it. Issues we have had have mostly been related to new features being added that weren’t supported by the device. In those scenarios, we submit the case to Tufin and they tell us about the new release.

Scalability Issues

We are a big company and I can say that we are not using the product in its fullest capacity. We have a different type of policy because we are using different vendors and different technologies, and while we have some issues with the juniper devices, it has absolutely been scalable.

Customer Service and Technical Support

Tech support has been fine. Right now I have an ongoing case and there is a delay, but it mostly comes from me because I took time to respond and they are telling me other ways that I know.

Other Solutions Considered

I implemented FireMon three years ago for a customer because the customer specifically requested it. I found it very hard to put in place. I wasn’t a part of the Tufin implementation, but in terms of the product itself, Tufin is easier to use.

Other Advice

I would give Tufin an 8 out of ten because some vendors own multi-contexts, and there are challenges supporting these devices. We are having issues with the Juniper device, for example.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user479295
HoD IP MPLS Department at a comms service provider with 1,001-5,000 employees
Vendor
Being able to run reports to see which rules aren't needed is useful. It allows me to optimize the policies.

Valuable Features

Being able to run reports to see what rules are there and which rules are not needed is very useful to me. It allows me to optimize the policies. Also, every time someone pushes policy it sends an email to say that the change was made. I have it set up to run reports every two days to let me see the state of the firewall or the state of the policies.

Improvements to My Organization

The ability to get a sanity check for the rule base is important. Right now, we write our own firewall rules, and with Tufin, we can cut those down to four hundred.

Room for Improvement

The upgrade was a bit cumbersome because we had to do a complete reinstall. We removed it from a version of Linux that wasn’t supported and we had to do our first fresh install.

Use of Solution

We’ve used it for a couple months now.

Stability Issues

We haven’t had any issues with stability so far.

Scalability Issues

We’re a small team and we manage five clusters, so it’s not too bad.

Customer Service and Technical Support

We used technical support for the upgrade and they were very helpful. We haven’t had any issues, apart from the fact that we had to do a fresh install, but we were provided support through that process. They were online with us right through using WebEx. That was great.

Other Advice

My experience with Tufin has been good. We haven’t had any technical issues and the features that I have seen in the software so far are excellent.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user479277
Security Specialist at a financial services firm with 501-1,000 employees
Vendor
It’s not a dangerous solution because we use it for looking at things and not for making changes.

Valuable Features

I use Tufin SecureTrack, which means I use it for looking at things and not for making changes. The value of it there is that, since I deal with Check Point policies a lot, I can use it to see what changes have been made to the policy since the last time I looked at it, because it may have been a couple of weeks since I last installed a policy or maybe somebody else has had their hand at it.

Tufin gives me a really easy way to graphically look at the policy, before and after changes are made, through two panes. As you drag around one pane, the other moves with it, and they resemble the Check Point dashboard view so it’s very familiar. You can easily spot all the differences and see what has changed in the policy to make sure there are not any mistakes and that nobody accidentally added a block edited any rule at the top of the policy—that’s probably happened to everybody, right?

I also use a feature where you can run a report on rule and object usage. This helps me spot rules or objects that aren’t really ever hit, so I can remove them from the database if they no longer exist.

Improvements to My Organization

Tufin is easy to use, which was really important for us. Also, it’s not a dangerous solution because we can’t make changes with it.

Room for Improvement

I'm running R77, and I'm concerned with how well it will work with R80, the new release of the operating system. R80 changes the way that the dashboard you use to manage the policy looks and operates, and we will have to see whether Tufin keeps up with that or not. Also, in the current R77, the various blades appear as different tabs in the interface and dashboard, and Tufin doesn't look at any of those tabs except the security policy. I'd like it to be able to look for changes in some of the other configurations. In R80, it's all tied together, but for now, it's in a separate panel. I don't currently have any way of using Tufin to audit what changes have been made to the web filtering configuration, for example.

Stability Issues

It's very stable.

Scalability Issues

I don't have a huge environment, but it doesn't seem to require a lot of horsepower. We're running it as a virtual machine, and that's working fine.

Customer Service and Technical Support

We haven’t needed technical support since we moved from a physical to a virtual world.

Initial Setup

It was straightforward. It’s been a few years, but I don’t recall any problems with setup.

Other Advice

I have no problems with Tufin, and it works great, but I would have to give it an eight out of ten. It’s just not as amazing as some of the other technologies I use, like Lancope StealthWatch. I wouldn’t tell anyone to stay away from it—It’s just a good idea to look at the competition and see what’s out there.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user477891
IT Security Engineer at a energy/utilities company with 1,001-5,000 employees
Vendor
Gives you the ability see what changes have been made and who made them, as well as pinpoint what has changed.

Valuable Features

Tufin gives you the ability see what changes have been made and who made them, as well as pinpoint what has changed so if there is an issue you can easily review it. I also like that if there is a new request that's coming in, you have the ability to compare the request with what is already in the system so you don't have to go into the firewall rules to try to figure it out. You can just do a comparison between different policies.

Improvements to My Organization

We use reports a lot for cleaning up, which is part of our regulatory requirement. You need to review the policies for any old reports, used objects or used services. That's basically what draws the purchase of this product.

I also like the product’s ability to reduce security risks. Being able to do some of the compliance checks has been very good for us.

Room for Improvement

The ability to search could be improved, and it would be helpful to be able to display more than a hundred results on a search or share when you do the workflow with multiple people at the user level on your same team. If you have a team of three people each one should be able to see each other's request without having high-level access rights.

Also, the workflow is very rigid. It's not very easy to manipulate. The graphical interface needs to be a little more user-friendly. You need to be able to move objects around to make a nice display. Right now, if you select an object, it just sits there and everything goes sequentially. I want to be able to move objects around to make the interface more presentable in the way you would normally code something. That's a big concern, because we've gotten several complaints.

Use of Solution

We have used Tufin for at least seven years.

Stability Issues

We haven’t had any problems, except for some licensing issues a long time ago.

Scalability Issues

For what we do we haven't seen any performance issues so far.

Customer Service and Technical Support

Technical support has been good. We've had different engineers help us out and they've all been very helpful.

Other Solutions Considered

We compared Tufin to AlgoSec. At that time, we felt that what Tufin had in terms of their workflow and the option to transfer over our existing workflow was more flexible. It was a hard decision. One of the other reasons we picked Tufin up versus AlgoSec was the responsiveness of the people we were working with. They understood the company and our relationship, and we felt that it would be easier to have the ear of the company if we needed customization. They did the changes that we requested, which made life easier. We felt that if we were to go with AlgoSec, it would be a lot harder.

We closed the deal after they made a change to DNS lookup. Objects need to be created on our DNS system before they’re populated, and you didn’t have a way to validate your IP with a host name at that time.

Other Advice

If I had to rate it one to ten, I’d give it a nine, since there’s room for improvement, even though they’ve been doing a lot of improvements over the years. I would also say that if you buy the product make use of it. There are more features available than you always realize, so a lot of times you might try the harder way first because you are used to working that way. You might discover that your life can get a lot easier.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user476727
Security Engineer at a financial services firm with 1,001-5,000 employees
Vendor
We use it as an auditing tool, since it’s a risk-based approach, which fits a lot of the needs of our auditors.

What is most valuable?

We use it as an auditing tool, since it’s a risk-based approach, which fits a lot of the needs of our auditors. We're able to clean up our firewall rules and use the security score in our monthly reports to executive management, showing them that we are making improvements within the security of our firewall policy. We can generate different inventory reports when rules are not in use. It allows us to print policy out for our auditors as well.

You can print off reports, either in Excel format or PDF format and deliver them to whoever needs those reports. It can also send you any report on a regular basis. For example, if you want to see your security scores, you can have that sent to you weekly.

How has it helped my organization?

Before we had Tufin, we had to do firewall policy cleanup and it was pretty painful. It would take us 6 weeks just to get through one review, and we had to do it quarterly. With Tufin, you can generate a report in 20 minutes and start taking action on it right away. It's a huge difference. You build up trust with the product. When you are looking at a rule and you don't know if it's been used before, you're kind of rolling the dice. When you have a tool that can look out 6 months and it hasn't been used, then you have a lot more confidence in cleaning that rule up.

What needs improvement?

Some of the challenges we have include getting the reports and the tools to look at our specific environment. There are some challenges with setup for that. You want to make sure that your PCI environment, your wireless environment, your DMZs and your internal network are all laid out in Tufin so they can be correctly scored and rated. A little more ease of use in that area would be helpful.

For how long have I used the solution?

We've had Tufin for 8 or 9 years. I was the one that brought it in.

What do I think about the stability of the solution?

We don't have any issues with stability of the product.

What do I think about the scalability of the solution?

We have a relatively small environment. We've got 30 firewalls, basically 15 clusters that Tufin monitors, and our policy rule base isn’t huge. We moved over to VMware and haven't had any issues with caring for the product.

Which solution did I use previously and why did I switch?

We actually used one of Tufin’s competitor’s products, AlgoSec, but found that the Tufin product is a lot more flexible from a reporting standpoint.

How was the initial setup?

It’s easy to set up. I would say to do a proof of concept and give it a try. It doesn’t take much effort to get it set up and start getting benefits.

What other advice do I have?

I would give it an 8 on a scale of 1-10 because it works really well in helping you create your own reports. You can drill down into each of the different risks that are in the environment and take action on it. It actually tells you, in a descriptive manner, what the issue is and how to fix it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user475923
Security Engineer at a retailer with 10,001+ employees
Vendor
The best feature is being able to query all our devices to find unused rules and objects and then clean them up.

Valuable Features:

The best feature is being able to query all our Check Point devices and certain other vendors like Fortinet as well. It can query and find unused rules and unused objects to clean things up for us.

I use reporting and assistance as a tool for cleanup. I would love to be able to get the newest version into our company and have it be used as a manager of not only Check Point but also the other vendors that we use. It looks like it's all there. - Fortinet, Palo Alto, some Cisco and other devices.

The fact that that we won't have to log into a Fortimaneger to manage Fortinet and then log into another to do Check Point, being able to log in straight to Tufin, build a rule and have it push it to the correct devices. That's huge and that's something that I really like about the new version.

Stability Issues:

We had some issues because of our unique configuration.

Scalability Issues:

I can't say too much about scalability, simply because it was not scalable for our environment because we are using a splintered specialized version just for our company. The Tufin apliance just doesn't play well with that specialized version. But for the things that we do have that are general release, it's awesome. It takes a little bit of a fiddling around but again, we're on an older version. It works flawlessly.

Other Advice:

Rating: because it's our unique older version, I'd give it a 6 or 7 but we only use it for reporting and cleanup. If we had the latest version, I'd easily give it an 8 or 9 because it can do so much more.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user475917
Director of Network and System Engineering at Allegiant Air
Vendor
Provides insight into all changes that are done within your network.

Valuable Features:

The visibility of the changes that are being made on the network. From a firewall perspective and router perspective, we have all our network devices in Tufin. We monitor all the changes that are made constantly. Prior to changes being made, they get approved by our IT security department, and then they're monitored after they're changed as well.

We haven't used it to push configuration yet, but we do have a third party network vendor that does our network changes for us. We immediately know if something was typed wrong or configured incorrectly. We'll get an email from Tufin, and we'll know that they typed something in wrong or incorrectly because that's the email that we receive from Tufin. A lot of times they'll transcribe things, and rules will get set in different directions. We'll know immediately when something happens.

Being the Director of Networking, that's what I'm primarily concerned about. It's to make sure that all the network changes that are being made are the correct changes, we're not opening things up to vulnerabilities that we shouldn't have, as well as making sure that we're locking down what we need to lock down.

Room for Improvement:

I like what's there today. I don't use the product that heavily as much as our IT security department does. Right now the product is doing exactly everything that I want to see it done. I would like to see the ability to have the changes in the configurations pushed out more easily and managed through Tufin to eliminate that human error factor more.

Scalability Issues:

We haven't run out of room with the product yet. It's very scalable. We fly to 115 different locations,we have 3 different data centers, and we monitor all our network devices, firewalls and routers through Tufin.

Other Advice:

If you don't have a product like Tufin, get a product like Tufin because it's amazing. It gives you insight into all changes that are done within your network. It's awesome, and it gives you the ability to manage it even though we haven't rolled that piece out ourselves yet.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user475893
Manager at a pharma/biotech company with 1,001-5,000 employees
Vendor
There are a lot of advanced features that we've investigated but the real core strength is for our compliance team to be able to pull the rule usage reports.

Valuable Features

The ability to create out of the box reporting and to have real time awareness of the changes in our environment.

Our operations team will make firewall rule changes and I actually get an email telling me everything that's been done. The way that we have the two things set up it will actually link to the change control that they're doing the work under. I'm then able to review and say "okay, this is what they said they were going to do, this is what they actually did and it's done compliantly."

The reporting simplifies the ability to report towards the business about how our rules are being used so we can make sure the security is always optimally maintained.

Improvements to My Organization

We currently use it at the most fundamental levels. There are a lot of advanced features that we've investigated but the real core strength is for our compliance team to be able to pull the rule usage reports.

Room for Improvement

When we were an early adopter and there were things that were not there, Tufin was very anxious to understand what the need was and then figure out how to integrate it into the product

Use of Solution

Over 5 years.

Stability Issues

It's reaching the edge of stability since we're putting a very strong demand on it. The resources within it are starting to now be challenged. We haven't had any significant issues.

Scalability Issues

We've reached the capacity of the current system and we're looking to upgrade. We went from about 100 firewalls in Tufin to almost 300. We've tripled the demand on the same appliance, but we intentionally bought a large appliance so we could grow into it.

Customer Service and Technical Support

We've used technical support and they've always been excellent.

Implementation Team

I deployed it. It was very easy. That was the one thing that we really appreciated about the product was the ease of deployment, the intuitive nature and that's what was one of it's strengths are. It came on an appliance, it was intuitive to deploy and it made it very beneficial.

Other Solutions Considered

When we selected we actually did a source selection analysis and from there we did a pilot with two of them

Other Advice

Regarding cloud solutions, it's going to be very interesting to do the security assessments with them.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Security Architect at a wholesaler/distributor with 5,001-10,000 employees
Vendor
Identifies redundant rules that we're not aware of.

Valuable Features:

The ability for it to identify unused rules, and overlapping/redundant rules. If you had a more open rule at the top, but you put a more granular rule at the bottom, it would tell you that that granular rule wasn't needed because it was already covered by another rule. A lot of times you get multiple firewall admins who just go in and start adding stuff, and they're not always looking for what's already in place. It's redundant and they don't realize it. 

So somebody could have added a rule but they couldn't find it, so they just went ahead and added access, and in the end, Tufin will identify it and say - you have rules that you don't need. When you're dealing with very large policies (hundreds - thousands of rules) it's a big advantage. Such as if you're dealing with firewalls that host 2000+ rules.

I used to use the reporting. It was able to at a glance tell me every rule that that particular IP address was given access.

Room for Improvement:

The ability to export the data outside of a PDF on some of the reports, I'm not sure that it can do that.

Scalability Issues:

It scaled for our needs.

Other Advice:

It fits in as part of the bigger picture. At the end of the day, I wish the firewall products themselves could do some of that stuff inherent to their own solution. 

Make sure you understand the capabilities and use it for what it's intended. It's not going to tell you the intent of rules, it's not going to tell you if it's a good rule or is it a bad rule, but it's going to help you with firewall clean-up or redundancy. It doesn't help a firewall admin create a better rule.


Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user437154
Network Admin at a media company with 51-200 employees
Vendor
SecureChange is the most valuable feature as it shows the difference between policies and proxies that affect performance.

Valuable Features

SecureChange is the most valuable feature as it shows the difference between policies and proxies that affect performance, such as the router or switches.

Room for Improvement

The user interface could be improved. It's currently not very user friendly and is not very attractive.

Deployment Issues

We've had no issues deploying it.

Stability Issues

It is very stable. We've had no issues with instability.

Scalability Issues

We have 600 objects in it and it's able to work well for all of them.

Customer Service and Technical Support

Technical support was very good when I needed their help with significant upgrades.

Initial Setup

The initial setup was very easy and straightforward. It wasn't complex or difficult at all.

Implementation Team

We…

Valuable Features

SecureChange is the most valuable feature as it shows the difference between policies and proxies that affect performance, such as the router or switches.

Room for Improvement

The user interface could be improved. It's currently not very user friendly and is not very attractive.

Deployment Issues

We've had no issues deploying it.

Stability Issues

It is very stable. We've had no issues with instability.

Scalability Issues

We have 600 objects in it and it's able to work well for all of them.

Customer Service and Technical Support

Technical support was very good when I needed their help with significant upgrades.

Initial Setup

The initial setup was very easy and straightforward. It wasn't complex or difficult at all.

Implementation Team

We implemented it with a partner's assistance.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user437172
IT Architect at a tech company with 10,001+ employees
MSP
You can search through policies of different firewalls with one step.

Valuable Features

You can search through policies of different firewalls with one step. That's one of the main features, because I have a lot of firewalls and do lot of firewall installations.

Improvements to My Organization

It makes it easy to find a rule and to make sure that all the firewalls are working in just one step, so this saves us time.

Room for Improvement

Granularity in rule evaluation needs work, especially if you want to narrow it down to a specific device, a cluster or a specific rule set. To have it more combinable so I can say that I want this and this cluster, but only a specific subset.

Use of Solution

We've been using it since 2007.

Stability Issues

It scales with functionality.

Scalability Issues

We don't have outages with Tufin and stability has never been an issue.

Customer Service and Technical Support

They've been great as they're quick and responsive. We use both phone and email to contact them.

Initial Setup

It was straightforward.

Other Solutions Considered

I was invited to look at AlgoSec, but I did not have the time. I only know about it from white papers and so on. SecureChange is the differentiator. I think the part which competes is more SecureTrack, but SecureChange and SecureApp are what makes Tufin more special and they are what we require, which is not provided by Algosec.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user437166
Network Engineer with 1,001-5,000 employees
Real User
We now have rule based analysis, and we can move in, see unused rules, and try to optimize the rule base.

Valuable Features

We purchased Tufin for the rule based analysis, so that when we did a Check Point migration from the earlier versions everything was OK. We now have rule based analysis, and we can move in, see unused rules, and try to optimize the rule base.

Tufin enabled us to clean out the rule base pre-migration. There's no point in migrating old and unused rules and objects to a new solution, so we were trying to be a bit proactive. That's why we purchased this solution and we had someone from Interel come over and help us configure it.

Room for Improvement

SecureChange has been a bit of a challenge. It's been a long time coming, and I guess improvement is also needed in their relationship with the customer to get the initial functions of it working. It's more making the move towards SecureChange which possibly isn't down to them, it's probably down to our relationship with our reseller and nailing each other down. Maybe it's a non-issue. For what we use it for, it's been great.

Use of Solution

We've used it for between four and six years.

Stability Issues

After a while, we found that we'd not really given it enough TLC for a couple of years. Therefore, we ended up in the situation where we had to get the guys from Interel to fine tune the appliance memory wise because it was little old. By the time we started using it to its full extent, you end up being able to fine tune it and eventually realize even that wasn't going to cut it and we ended up having to virtualize and it seems to be OK now.

Scalability Issues

We didn't have as much advanced management at that time. Over time, we've merged with other areas of our business and inherited many more advances, bobbles, with that, I think that's where we came across the problem that we wanted so many things active and realized that we did actually need to upscale the deployment.

We originally purchased it mainly for Check Point and then ended up purchasing Cisco ASA and Palo Alto licenses, so we ended up with more stuff than we originally purchased it for. Hence the need to upgrade for VMware and memory.

Customer Service and Technical Support

It has been good. When we've had an issue they've been very good. We were on the phone and I remember a conference with the support guys and they really went out of their way to help us out.

Initial Setup

It was fairly easy to deploy. We originally purchased the 500 series appliance, which was mid-range appliance and then we ended up eventually virtualizing that appliance and moving it to VMware, which is what we've now got. I don't remember ever having any major issues.

Other Solutions Considered

We did look at another solution, but don't ask me what it was called, I don't even remember. We did look at it at the same time, but it couldn't really do half of the things that Tufin did. I can't remember back that far, but I remember we looked at it and it was all really clunky. It didn't feel right, it didn't do half of the stuff that it was meant to be able to do and it was very slow as well. We pretty much put it out straight away.

Other Advice

It's done a good job. We've not fully utilized all of its features, we've hardly scratched the surface really, it's a powerful bit of tech and we've pretty much used it for a specific purpose that we purchased it for and realized it can be used a lot more, having said that we ended up purchasing second shares as well. We are now in the process of testing SecureChange because that was something that was really pushed through quite recently.

For us it works, it's a great solution, but that's not to say that there isn't a better one out there. Anyone that looks and researches, they probably look at different supplies of the same solution and make up their own minds really. It is the best tool for the job and technology moves on so, who knows.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user437163
Network, Telecom and Storage Manager at a financial services firm with 1,001-5,000 employees
Vendor
We were able to reduce the number of rules we had.

Valuable Features

The first one is the policy analyzer to help the network facility to remove objects and the server needs an object, an appliance object.

Improvements to My Organization

For the first one, we were able to reduce the number of rules, and the signaling one is about the compliance. We have many security rules to define the flows between the security zones, so we put all the rules under 13, and then we can generate reports.

Room for Improvement

It needs more compatibility with older firewalls.

Stability Issues

We have no issues.

Scalability Issues

We have 2000 employees, and it's been able to scale to meet our needs.

Customer Service and Technical Support

Very easy. We got the license, and we got all the roles and information from the firewall to generate reports.

Other Advice

Prior to implementing, you need to know the needs for each project. If you know the needs, you will probably meet expectations.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user466629
Manager, Information Security at Neustar
Vendor
We are starting to use it more as a compliance tool as opposed to just for tracking changes and backups.

What is most valuable?

Tufin is invaluable for helping us keep track of things, providing us a method for checks and balances. We're a Tufin SecureTrack customer at this point, and the product serves multiple purposes when tracking changes. We’ve also starting using it as a compliance tool, utilizing its capacity to help us analyze policies. Overall, SecureTrack is a very easy tool to use, and it’s relatively fast. We've recently virtualized it, and from a performance aspect, it works great.

I think we're on Version 15 right now – almost the latest one. Moving from the appliance to the virtual platform was really simple, and from a performance standpoint, it was pretty much seamless.

How has it helped my organization?

We are starting to use it more as a compliance tool as opposed to just for tracking changes and backups. Because it tracks changes, SecureTrack maintains a complete CVS (Concurrent Versions System of all of the configurations of a lot of our systems. Because we're a multi vendor environment, it's not just Check Point. We have licenses for all of the different firewall vendors’ products and things like that.

What needs improvement?

With SecureTrack, I think it does what it needs to do, so I can't recommend any changes, although I would like to see additional vendors added to it (and I’ve already discussed that with Tufin). They already support F5 BIG-IP, so we've discussed possibly adding Citrix. And, although they support A10 for the Tufin Orchestration Suite, I’d like to see support for SecureTrack as well. Because they already have those plug-ins on the Orchestration Suite side, it doesn't mean that they can't have it on the SecureTrack side as well.

I do think some of the licensing can be simplified or made more flexible. Because we are multi-vendor, it would be nice to have a way to convert licenses from one product to another. For example, I’m phasing out all of my Juniper firewalls, and I want to turn them into Cisco. It would be nice to be able to detach licenses and re-attach them to different types of devices.

I also think that at some point they're going to have more integration on the SecureTrack side for some of the other switching and routing platforms – not just Cisco. They already support some of the Juniper routers and switches, and SRX from the firewall standpoint. I am not sure of where they're going to go with Pulse Secure.

What do I think about the stability of the solution?

No, we never had any stability issues because it's a browser-based tool. We've never had any problems with accessing the tool, and its performance is great.

What do I think about the scalability of the solution?

I think it's scalable for what we have today. If we were to move to Tufin Orchestration Suite, we would probably look at putting more distributive Tufin appliances out in different places because we are worldwide and have major data centers throughout the world. We would probably try to keep things localized.

How are customer service and technical support?

Tufin’s support is actually very good. In the early years, there was a support guy who we would always end up getting, so he kind of knew us personally. He was great at helping us jump on things, running all sorts of different SQL commands and similar processes in order to fix whatever upgrade issues we had. Tufin support has always been great.

Which solution did I use previously and why did I switch?

We relied on other logs and on open source tools. We used about five or six different tools for various functions, but we were able to consolidate by moving over to Tufin SecureTrack.

Which other solutions did I evaluate?

At the time, we did a bake-off between Tufin, AlgoSec, and FireMon. One of the main things was that Tufin was just simple. It was basically: rack it, stack, turn it on, IP it, start plugging things in, and it was ready to go. With some of the competitors we had to set up a Window server, buy a Windows license, expertise it, etc.

We're using Tufin OS, which is just Linux. For any customer who wants a solution that is quick to set up and just works, Tufin's the way to go.

What other advice do I have?

I really, really like the solution and we’ve been really happy with Tufin. Even though our Tufin sales rep recently changed, they've always been engaged with us. They hit us up pretty often to find out if there's anything that we need, or if there's anything that they can do to improve or even expand the use of their product.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user466632
Manager, Security Engineering and Operations at a retailer with 1,001-5,000 employees
Vendor
We can provide evidence that nothing's getting into the environment that isn't already approved to go in.

Valuable Features

With the firewall policy management with Check Point, we found great value in the tracking, specifically given that we use rules and we use objects within those rules. It's very helpful to provide evidence of PCI (Payment Card Industry) compliance during our yearly PCI audits. PCI is a set of data security standards that's published by the card holders: VISA, MasterCard, Discover, and American Express.

We can provide evidence the nothing's getting into that environment that isn't already approved to go in.

Improvements to My Organization

We are in the process of automating our firewall rule management and requests, and we are looking into SecureChange and SecureApp. We're also trying to use it as a tool to collaborate with the application owners so that we can better manage documentation around data flows.

Room for Improvement

We're spinning up AWS for our development environment, so we're going to be leveraging the checkpoint instance at AWS. So we want to get visibility, monitor rules, and use the policy management just like we've done with our on-premise environment.

Stability Issues

No issues at all.

Scalability Issues

Yes. Originally we had 360 rules, but because of the growth of our environment and our move, it's up to 1100 rules. There are no performance issues.

Customer Service and Technical Support

Great technical support. Tufin also has great sales and presales teams, and we’ve been able to leverage their engineering support as well. They have been very helpful.

Initial Setup

We initially deployed the product to look at a couple of our gateways, and then we decided to upgrade and expand it to all of our gateways. So I was involved in that upgrade. We expanded our environment, expanded our gateways, and bought some additional licenses.

Other Solutions Considered

No. Even though we’ve expanded the use of it here, we've always used Tufin. I also used Tufin at a previous employer.

Other Advice

The most important criteria for me is hit count, how often the rules are being used and visibility. All of that is critical information to optimizing our policies.

I'm the manager of a team of six engineers. The feedback that I get from them – and they're very vocal – is that they love the product. It's great.

I'm a tough rater, and I probably wouldn’t give a 10 to anybody. But I would say Tufin is an 8. As far as software products go, it delivers.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.