Please share with the community what you think needs improvement with Tufin.
What are its weaknesses? What would you like to see changed in a future version?
I would like to see visibility into the FW features like IPS/Content Filter policies, the same way it does for FW rules/policies.
I would like to see more configuration options on next-generation firewalls, defining possible standards for devices.
We would like to see granular user permissions on SecureTrack. The topology should be made easier to configure. I would like to see the setup of the Unified Security Policy simplified.
I would like to see better report integration in this solution.
The product should integrate with the UTM features. It may benefit the firewall implementation and migration.
I would like more API integration, API integration with the cloud, and API integration with other chain management solutions. I would also like more scripts, which would help us not have to write scripts. If you give me all this, I can use the scripts to automate stuff, making my life easier. I haven't seen the cloud integration yet, and I would like to see if we could audit the cloud firewalls, like the cloud-native, Azure, and Amazon. That would be nice. You want one tool to do everything. I don't want to use another tool, or manually go and audit the cloud firewalls.
The visibility is good for the most part, but there are limitations to it. E.g., there is a lack of certain routing/networking protocols across all the vendors that they support. The solution is not sophisticated enough for us to automatically check if a change request will violate any security policy rules. Tufin's cloud-native security features are lacking in support. I would like the application to have faster response times. E.g., the dashboard may take up to two minutes to load. Or, when we do the topology seating it's two and a half hours. I would like to get those times down and increase the efficiency of the product there. I would like more support for Juniper and Junos Space. I would like more of the features which are offered for other platforms being extended to the Juniper platform. The USP needs improvement. It is pretty much not usable right now for us. It is all IP-based. The issue with that is we may have one subnet, but we have multiple things that would go in different zones all in that same subnet. Therefore, to use the USP, we would have to bring it out in tons of /32s, and it's not usable. Whereas, it would be far better if we could just put tags associated with IPs, then do USP based on tags.
The UI was a little clunky at first. It was confusing. They are working on that. The new one is better.
When you make changes, you have to enter the password each time for each firewall. This is sort of annoying. They are sort of at the pilot stage on some of their products. I saw the Orca and Iris products yesterday. My initial impression of these products was that they were good products, but I felt like some of their features overlapped with SecureTrack and SecureChange, which they are already doing. So, I just wondered what direction they're going in? I understand that they are cloud products, but are these security products going to overlap each other's features at some point? This is my initial concern.
We would like better communication on tickets, a better way to do metrics, and better communication to the customer. The biggest change that my team would like right now is communication on the process of the ticket, so the customer knows where their ticket is while they're waiting. At least in our environment, the dynamic learning of the topology needs improvement.
The metrics need improvement. They need more consistency or understanding of automation, along the lines of customization of automation. Going forward, we would like a whole bunch of stuff regarding metrics and reporting. Also, a whole bunch of stuff regarding stopping SLAs when it goes back to the user or requester. I'm struggling with cloud right now.
1. Tufin workflow doesn't support IPS module, Identity Awareness Module, Policy Inline layer (Checkpoint)
2. Limitation on edit/create Group object: You can't create group Service object
3. You have to run Designer to Assign Firewall Rule Name, and Rule Number. By default, Tufin uses topology
I would like to see more about the cloud in the next release. They need a large plan to deploy the cloud into the solution and a way to implement it. The web service for integration with other solutions needs improvement.
For me, there are two things that can make Tufin a bit better. This could be something on my end that I don't understand or maybe it can already be done and I don't know, but the two things that I am hoping to get out of this couple of days here at Tufinnovate 2019 are: have a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it. In my industry, the banking industry, we're heavily regulated. Auditors are everywhere and they want everything accounted for. When I do a rule re-certification, I have to justify why that rule is still there, who is using the rule, what's going on. Or if it hasn't been used, I want to get rid of it. But I don't want the onus to be on the firewall team. I want that onus to be on the person who requested the rule. I'm trying to figure out a way that I can have Tufin say, "Hey, look, John or Joan, your rules haven't been used in a year," or "Do you still require these rules or these servers?" and it would give them buttons to click, either "yes" or "no". If they hit "no," Tufin would say, "Thanks very much," and disable them for 30 days, in case they made a mistake, and after 30 days, it would remove them. That type of automation would save us so much time. Right now, there are three people doing that job. As an example with rules, when I look at a rule it will tell me how many days it was hit, when the last hit was, when it was last modified, but I can't get a creation date. What date was it created? It must know when it was created because it created an OUI for the rule. I asked support and they said, "Well, go here, go there, do this, spin your head and tap three times, and if you're lucky..." And I'm thinking, "Can you not just tell me the date it was created?" Then I could filter on those as well. Right now, I can't filter on rules that are over five years old, for example. Even when they're in use, I still want to see old rules. 
Maybe they've got old services that shouldn't be working anymore. I would also like to see better logging. SecureChange could be a bit better, at least with integration with ServiceNow or some of the other ticketing tools.
The biggest area where I see a need for improvement is some of the documentation and training stuff. It does a really good job of hitting the big concepts, but it needs like another layer deeper of actually getting into some of the details of how to do some of the things. Conceptually, I understand how the product works, but now how do I start building stuff and integrating it into my environment? Just being a bit more upfront and honest about issues, as far as like HA, distributed stuff, and the need for load balancers, if you want to do HA. Nobody ever likes talking about the fact that their solution really isn't truly HA, you've got to buy an F5 to sit in front of it if you want to do HA, or something like that. Everybody shies away from talking about that, but if you get that out upfront, then the engineers can be prepared for it, then they can try and figure it out and make it work. This is not unique to Tufin. Everybody is like, "Oh yeah, we do HA." Then, three months later, after you have bought some stuff, now you're just like, "Oh no, we got to have an F5 in front of this. That didn't even come up in our discussions. So, how do I get resources away for that? Because I don't have an F5 in this environment, and I need one." I just found out some of the things that I need to use right now, like the reports from the report package are only available on 17-3 and above, and I need that as soon as possible. Hopefully, we will upgrade to 19-1 or 19-2 even before I go to bed tonight. It is sort of an uphill battle right now to ensure that it has all the visibility that it needs, so we can be assured that it is doing what it will do.
Sometimes, the user interface is a little cumbersome, trying to navigate between them. In the new version, it looks like they resolved those issues.
One of the big things that I want to see, based on feedback that I have received, is to give somebody read access to your ticket. In our previous, in-house system, this was called a "reader". Right now, Tufin's SecureChange ticketing system only allows you to see your tickets, and nobody else's unless you're a firewall administrator. That is by design. However, at our company, many people come and go and there are many large projects. We need multiple people to be able to see multiple tickets. The problem is that we can't open up the entire system to everybody because of compliance reasons. We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket. A simple drop-down that would allow you to select the name would be sufficient.
We had a discussion in the Customer Advisory Board yesterday around use of SecureChange. We would like to have an opportunity for an engineer to choose if you want to make or take the policy which has been suggested by the designer functionality, making it more human readable or less human readable (more or less granular). This would be huge for the customers who are using SecureChange. They said this was one of their issues with it, especially for anything that was going into a regulator's or auditor's hands. The more human readable, the better that it would be, and this would definitely be applicable to our industry. It sounds like they are working on this issue, or they took the feedback, but that would be a big one for us in being able to make the jump to SecureChange.
I would like something that addresses security in the cloud.
There are at least two things that need improvement. One is the business workflow and the second is the integration with logging solutions.
We would like Tufin to have interoperability with Juniper products, along with official support. They could maybe update the interface. However, I know there is an interface update coming, I just haven't seen it yet. There is room for improvement, as far as making the product easy to use and having training available. In my training with the workflow, it always kicks me back every time that I do a step backwards. I think that automatically it should take you to the next step in the workflow, that would be appreciated.
The change workflow process is getting better. I wish it was a little more customizable. Right now, my biggest issue is that it wants to optimize everything we put in. Sometimes, we need a rule to be more readable, and we want it to go in a specific way. Sometimes, it's difficult to get Tufin to accept that. It wants to optimize and reduce the number of ACLs. On the compliance side, sometimes you just want more ACLs, so it's more readable for an auditor. I got a sneak peek of a release or two. There are some new features coming out that we could use today. E.g., SecureChange won't allow us to put in more readable ACLs rather than try to compress them. Sometimes, we don't want it to do full optimization of a rule set. I would love the ability to tell it, "Thanks, but no thanks. I don't want to optimize this rule. Please put it in the way that I want it." Right now, that's hard to do. It's almost impossible.
Tufin has come a long way when it comes to visibility. What we would like to see is a little bit more on the discovery level, network discovery, which Tufin does not have today. It does a pretty good job when you statically define the endpoints; it goes and discovers them. But an auto-discovery feature on the network would be awesome. More API integration with third-party platforms is something that we would definitely like to see in upcoming releases. Enhanced reporting and enhancements to some of the dashboard features would be good too.
What I would like to drive value from is getting to a point where we are almost like a DevOps operation for security changes. We have put in a lot of requests. Some of them are high level related to cloud. Others relate to some of the reporting structures that we have. E.g., some of the automated reporting capabilities for specifics on certain regulations. Certain countries have certain regulations, and with GRC, if we can associate that on certain regulations, then we can spit out reports from that. We would like to see integration of the different versions of this product, e.g., SecureChange and SecureTrack. They eventually need to start amalgamating all these into an end-to-end product for visibility.
In terms of the visibility the solution provides, we have hits and misses with it. Overall, we think it works. We would like to get more automated, but that could be an issue internally with services and ports that we allow between different zones and our USP matrix. We're working with Tufin representatives to help solidify that and clean that up a little bit. That's one of the headaches and hiccups that we have right now: the full automation piece. We have automation to an extent, but we still have requesters who submit requests that still require approval, whether it be firewall leadership approval or cyber leadership approval. We want to determine what ports are allowed between the zones, as I mentioned, so that we can have full automation and there's no human interaction at all. We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules. That's available on the Palo Alto side, but we are primarily a Check Point site on-prem. We have Palo Alto on the cloud but most of our on-prem stuff is from Check Point, so we're waiting for that. Those are some of the key things we're waiting for.
I would like more out-of-the-box workflows in SecureChange with more default config, so you don't have to create those workflows yourself. This would be the biggest thing. I would also like more enforcement. Right now, it's a lot of alerting. You see it in Tufin, but you have to go to Check Point or whatever device to make the actual action. We already know the user interface is getting redesigned in TOS 2.0. That's naturally been the customer complaint in my experience, "Where are things in the GUI? The GUI is cumbersome." Now, I'm used to it, but when you're first learning it, it is unintuitive.
I wish they had a credentials vault or something. Right now, you have to manually add a username and password per device, and if they are using something like in a centralized, like an AD account, that password rotates eventually. Now, I have to go back and change information for all these hundreds of devices. Whereas, if they just had some credentials vault for credential one, two, and three, then you could just reference them per device and change it in one place. It would make our lives a lot easier. I wish there was a read-only admin option. I don't like that you have to be a full admin just to see the Network Topology Map. That option is great out there if you are a user, multi-domain user, etc. However, that piece is very helpful for us, but I also don't want to be handing out admin access to every single person so they can see that network tab. Tufin covers a lot of vendors, but there are still some that they don't, like Radware. Some of these vendors that they don't cover are at critical points in our company, as far as explaining the full picture of our routing. Since it can't show the full picture, it can't support that.
I would like a USP that was a little like an interface and a bit more intuitive. It seems like the 2.0 version did that better. I know when I was performing a search, like in the policy query area, some of those options as you're typing could be better defined. That was one thing that came up. I would like it if there was some way to provide real-time feedback or context for each option as you are typing in search fields and search parameters. Even somebody with relatively little experience like I have should be able to come in and have more intuition towards how to operate the solution. That would be a bit more helpful. There are things that could be explained a little better for somebody brand new to this system, which could be helpful, especially if it was in real-time while you were working in the system. Having the ability in real-time to be able to understand search query suggestions would be helpful. A limitation right now for compressed firewalls is the limited ability to see above a site level in terms of the Topology Mapping in the policy display. While Tufin's actively working on a solution, or at least they have this in the queue, from being able to view this on a higher level and how all of our site networks are connected, this ability would be useful, as we expect to have these compressed firewalls in place for quite some time.
I think that the interface could be cleaner, and easier to use. There are some things that I think are varied. Some of the reports, when you try pulling them out, I think that you've got to jump through too many hoops to get the results that you want to find. I would like to have the ability to view multiple "handled by" names. Right now, it's either one, or we and the customer see nothing. I would like to clean that up because I am part of those phone calls. I think that with respect to end-user operation, the whole-space users, the communication is lacking.
I would like to see API access into every aspect of Tufin. For example, every feature and everything that's in the database, I would like to have programmatic access to. This would give me the ability to do anything that the product can do but from a script. This way, we are not beholden to the GUI in any way. If an operation requires that somebody click somewhere into the interface, manually, especially if it's just part of many other things that they have to do, then we want to fully automate that. Some of the manual processes are taking longer because, without the proper API access, there are a lot of tickets coming in. These are from people who need to perform a task, but only a handful of them have access to it. This is because we're too afraid to give access to all of the people who actually need it.
Support for Firepower is still ramping up, but meanwhile, some things are missing. I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that. This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow. There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."
There are some limitations in the product and we were unable to use the Clean Up reports. We haven't been able to use the unified security policy and a lot of the violations and stuff like that. So, we're not getting a whole lot of visibility. Again, there are limitations there, so we haven't been able to deploy that yet. USP does not support VPNs, which is a big thing for us, so we haven't been able to utilize it. One thing that could be improved is the moving of data from one step to the next. As it is now, we have to manually do that via the API, but there should be a way to carry over data between the different steps without us having to code that. It could definitely use some refinements and utilize fewer resources. It uses a lot of hardware to do not a whole lot of tasks.
The integration with different products needs to be improved. For the most part, this solution will ensure that security policy is followed across the entire network. There are certain policies that are not baked into the product yet, like our proxy solution. The options for certain things are pretty rigid, so they need to be more customizable.
We like what we have seen out of SecureTrack 2.0 with its improved search capabilities, where you can do greater than, less than, not equal, etc. Right now, if you're in there and you want to do a search, you have to write it in a specific way, since you can't use a not statement, less than, or greater than. Therefore, it will be a lot easier to maintain your USP because it has the new editor. It looks more like a spreadsheet online. I am just a little disappointed to hear because we are using SecureChange that we can't go to SecureTrack 2.0 yet. We have to wait for a couple of more versions. On Palo Alto, we were told that you want to go with the panorama. Then, all the gateways are under it, so everything you create has to be as a shared object. When we first brought this to Tufin, Tufin said, "No, it's more secure to only have local objects." However, it sounds like Palo Alto has now convinced Tufin that shared objects is more the way to go. Otherwise, you have a lot of stuff filtering down to all the firewalls. Tufin gave us a script to plug into our workflow to make things shared, but I am expecting this will become more a part of our base product. They have found some things, like our database is huge, which they finally realize. I guess they didn't really have in their plans to do much with shared objects on Palo Alto, but they are saying that this is what is really making our database swell. They are saying it's on their side and are putting in their fixes to fix it, which is good. The topology needs improvement. If I click on the network tab, I can go get a cup of coffee, come back, and my topology is still not painted. Maybe, it's just because we have so many devices, but looking at the topology, it is too slow. The problem is that when I click on the network tab, I do not want to see the topology. I want to click on the "Next" button, so I can put in the source and destination, so I can see the path. 
However, I still have to sit there and wait for the topology to load, and it's frustrating. I'll click on topology and try to click that "Next" button in time to where I can get around it. But, typically, you have to wait for that topology to paint. When it paints it, it's just a bunch of black smudges because there is just so much there. It can't paint it to where you see something. I can always zoom out, or something like that, but it's really worthless.
The visibility is not as good as it should be. There are certain things that it doesn't have visibility to yet, but I'm hoping that it's coming. Once it has greater, fuller visibility, we can do more. The change workflow process is flexible and customizable to a certain extent. The GUI is limited with respect to how much you can develop and visualize the process. However, there is good flexibility in the number of fields and text that you can add. SecureTrack needs improvement, and access to SecureChange needs improvement. Some of the features that I would like to see in the next release of this solution are:
* I would like Tufin to be supported on a container that is based in the cloud.
* I would like the database to be separated from the backend.
* I would like better automation support for Palo Alto.
My team does not have a good relationship with Tufin because the provisioning team, and even our Tufin account manager, are not friendly or helpful to us. The product, itself, is fine. I would like to see Tufin as a standalone product that does not strictly manage other firewalls, such as Check Point, but works independently. Ideally, it should not have to rely on other products. This solution increases the time it takes to make changes. It is easy to manage the firewall policy with the Check Point management server, so the time spent with Tufin is extra. The fact that all of the firewall policies are pushed to the CMA is a major drawback of the schedule window.
If we could get the compliance part working, that would help out a lot. Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one. A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet. The user interface needs to be redesigned because things are not where you would expect them to be.
The GUI needs more visibility in terms of licensing because it is hard to tell which products are licensed and which are not. The USP can be improved, as far as I can tell. I would like to see better integration and compatibility with the Azure cloud. We are not using Azure today, but I've asked questions about it and there are limitations.
When viewing the policy there are a lot of Check Point user's inline rules, and you don't see those in our policies. It just labels them from top-down. We use a lot of inline rules, and it would be beneficial to see those from within Tufin.
We would like to see more in terms of integration with other application types within the context, such as next-generation firewalls or next-generation threat devices that are out there. It's not just about firewalls anymore. A lot of convergence is happening at that enforcement point, so we'd like to see a little bit more attention on that. Examples would be integration with IPS, Application Control, Anti-Bot, and Anti-Malware.
Tufin has a lot of tools for PCI compliance, as well as other modules that support things like SOX, but there is nothing substantial out there for the NERC CIP space. It would be nice to have some automated tools for NERC CIP compliance. One of the areas that I've had challenges with is making complicated reports. There is an ability to pull in CSVs, but I've struggled to find the format that the CSV should be in. I could spend hours building out a policy to check the firewall rules, and then the next person comes along and they don't see it because it's stored within a user profile. Consequently, they have to build out the exact same thing for hours instead of just being able to export it, and then import it into their profile.
One feature that is missing is the ability to assign a step in the workflow to a specific user at a specific time, based on how the previous steps of the workflow have been handled. For the traditional application, SecureChange, my impressions of its cloud mandated security features are not very good. Tufin Iris looks more promising. We have had issues with the stability of this solution, and the basic technical support is not very good. In the next release of this solution, I would like to see the normalization of configuration files as they're brought in so that there can be some regular expressions set up to parse them. I would like to see additional cloud support, and the inclusion of security tags as a way of determining risk in the USP.
I would like the ability to export information in other formats including PDF, HTML, or Excel.
The reporting still has a lot of improvements to be made. I would like to see improved role-based access.
I work on the network and security sides. The network visibility side needs improvement. I need to be able to see what the configuration changes are inside. On the firewall side, there are no visibility issues. Also, I'm not sure if it integrates with Riverbed.
I have gone over compliance issues in Tufin, but compliance is one of the things which might not be that clear in Tufin. It just shows the configuration. That is one of the things they have to work on. It is one of the constraints, in my opinion. The topology is good but they could work on it and get something better out of it. If we talk about the complexity of getting more nodes over Tufin, Tomcat or web services become flat. This is one of the constraints that I have seen. The web services are not that stable. This has to be checked and taken care of.
I feel that the user interface is a bit dated. The product version updates should be automated, and the reports could be a bit cleaner.
The visibility that Tufin provides us with is improvable. The interface is like a 1990s kind of thing. It's a little ugly. There are many things that you cannot tweak, little things like the column width and how you display the information. You end up exporting everything to an Excel file and doing your work there. They tried to put too much stuff on the screen. It's a little difficult to find what we want. It's a design issue, it's not a functionality issue. The web interface is really like going back in time 20 years. You have to move columns back and forth and make them big to see the whole text in them. If you hover over a name, it won't show the content. You have to click on it and open it. It's a bit cumbersome. The documentation site is horrible as well. It has a tree structure, and you really get lost quite easily. If you have the patience to browse through that hell of documentation, you will find what you need, but it is hell to browse and search. The information is there, it's just difficult to filter and search it. Documentation is one thing they can improve on.
There is room for improvement in the speed of Tufin. It is using so many of my VM resources and yet it is still a bit slow. They need to improve how they do their database indexing. That is the main fault of Tufin right now for us. It's slow. Even though we are allocating 64 gigs of RAM, we still have to wait for a few minutes for a single report to be generated. Otherwise, it would be a perfect tool.
I would like an improved reporting module which can be flexible (custom reports) and allow us to generate our own reports, because the data is already there.
We don't have any issues with it, but the reports could be easier to read and more customizable. Also, capturing some of the different versions, and being able to dig through them could be a bit better.
The change impact analysis doesn't even get close to actually solving our problems. I am not impressed with it. The solution's cloud-native security features are lackluster. They need to catch up to where the industry is at. Our engineers still require quite a bit of manual digging to find the data that they need. It would be nice if the product would allow more flexibility around that and the workflow to present more data to correct this. There are tons of things that the solution needs. They just need to prioritize them and get some of their customers satisfied.
* The hardest piece is getting the matrix built.
* Room for improvement includes how we are pulling the routing cables and getting SNMP enabled.
* Tufin could provide a train for running its reports and showing people how to use them.
I would like the following additional features:
* Easier integration with more automation.
* Ability to get better results from rule-based requests.
* Ability to do some policy browsing and find out where they're hitting, specifically.
* Ability to pull hit count reports more easily.
There are features that we haven't used, and we need to understand them first.
The change workflow process is flexible and customizable to some extent, but there is room for improvement. In some cases, we've found it difficult to get the exact thing which we were looking for. Then, we end up having to go and do the thing manually. I would like them to have more focus on the whole compliance across the globe, like PCI DSS. These things keep on updating very frequently. If they can be on top of it and keep updating more frequently, getting more updates, that would be something good.
I would like to simplify the reports, and maybe have another view besides the charts. Possibly they could be more graphical. I would like to see them continue improving the versions.
We had some issues initially with the initial reporting and alerting system. While the visibility was pretty good initially, we have had issues with configuring and reporting. I would like a better reporting feature and automatic alerting based upon rule changes. Our engineers still have plenty of manual processes to work with.
We were just talking to them about usage for the F5 platform. They will not be going after specific environments, but a more OpenAPI. They will have other companies write it, etc. It's a little different than I had expected.
It could be a little more intuitive. I haven't used it a lot, but it gives me the info I need, I just have to find it.
We like the change impact analysis capabilities quite a bit. The only weakness is that the reporting is a bit clunky. We would like to have the reporting be better. Right now, it is being used retroactively. There was talk with the rep this morning that they can do this proactively. In other words, we see the policy, and if it's not needed, then it can be removed, or add new policies, as needed.
I would rate their reports as a four out of ten. I don't like the way that they are shown. It is too hard to export and send them to our clients. We are switching to AlgoSec. It's a corporate decision. There's probably room for improvement.
I'm looking for the backup change. I want a predefined backup plan.
I would like to see an improved reporting model that can be flexible for us to generate our own reports. The data is already there.
* I would like to see them get rid of the REST APIs and use something more modern.
* I would also like to see them do more cloud integration within the Tufin Orchestration Suite, not within a SaaS solution.
* I would like them to move their community support off of Google and onto something more long-term.
I would like to see more expansion into the cloud and documentation needs improvement. When I try to do something new in the product, the documentation is no help. Something's written there, but it's not enough to help you do what you want to do. We would like more examples and use cases. The cloud is fairly new to Tufin. We have AWS. Their first steps into providing audits on the cloud have been really helpful, but we ourselves don't know how we're going to manage the cloud. One of the features that we didn't like is the controlling of the security groups. We can read them but there's no way to change them or to really control them through Tufin. That would be a nice addition. We are currently working on a bunch of automation to include Tufin. We need security group management (security group modification for Cisco devices). That is what we need from Tufin going forward. We can't go live with the total automation because there are pieces missing, e.g., you cannot update the service group.
It does not natively support all of the Check Point functions, which is a big deal. The solution doesn't recognize traffic and impede it.
I couldn't get it to work in the lab, even with help, on multiple occasions, from one of Tufin's engineers. It was set up in my private lab per all their instructions, and I gave them control of the system. However, they were unable to make it install the policies to Check Point in an automated fashion. So, I unfortunately gave up on the proof of concept at that point.
I don't get the full visibility. There are a lot of improvements which can be done in terms of visibility. We have had challenges implementing the change workflow process. We were trying to do an end-to-end automation part and standard services, like Active Directory, through a couple of customers and internal applications. We had challenges that we couldn't overcome, even with help. We are still trying to achieve this. Change management is something which is currently difficult. It should work seamlessly, not have too many integration points. It should be simple.
The key area for improvement is the integration to F5. One of the things that we encountered with another customer is that there were some limitations when we tried to migrate policies from F5 into Tufin. Half of the network is F5 and there were a couple of other firewalls and they're trying to centrally manage them. There were issues in terms of managing the policies for F5. It's not as seamless as it should be. Documentation to help users integrate to an F5-type of environment would be great, so that users would understand and know the limitations, rather than having to go through a PoC and then realize that it's just not suitable for integrating F5 products.
It would be great to add a link to Visio to create shapes directly from Tufin, as it has the configuration.
It needs better reporting with more graphics and more pie charts, so management can understand details. The reports that are done now are full of data and management would like to have an image to help understand, right away, what the reports are saying.
This solution would benefit from an improved reporting functionality with graphing so that reports can be presented to management.