Tufin Orchestration Suite Reviews

The primary use cases are firewall support and generating rules.

It is definitely a time saver. We can process more rules on a daily basis. It allows the customers to request their own rules. Sometimes, they need a little help, but they can submit it. As long as it passes the risk analysis, because it has to get through our NSA group. We just apply and push it that night.

We use Tufin to clean up our firewall policies. It benefits us, because you can run a query for whatever your cleanup criteria is, e.g., "Has it been hit in 90 days?" It displays the list, then you can see the rules right there. If you want to get rid of it (or highlight it), then it creates a ticket that goes ahead and flags them all as disabled. While you can delete them, we always disable first. Then, we have a strip that comes back, and if it's been disabled for 90 days, then the system will remove them.

The change workflow process is flexible and customizable. When we first got it, Tufin created a workflow based on our requirements. Since then we have modified and tweaked it. We added in Palo Alto, and we just keep adding steps. We can also add scripts. We have multiple scripts for a workflow, which makes it very flexible. You write the script and plug it into the workflow, then it's working.

We use the Unified Security Policy to automatically check if a change request will violate any security policy rules.

This solution has helped us ensure that our security policy is followed across our entire hybrid network. It is the same Unified Security Policy editing each request. It is the same set of rules. If it's good enough for Check Point, then it will be good enough for Palo Alto, and it's all zone based.

My primary use case involves applying firewall policies faster from a central point. Additionally, I would like to use it to generate reports, but this hasn't occurred yet.

Tufin Orchestration Suite is a good tool that makes firewall policies faster to implement from a central point, and its support is good. It offers automation capabilities that are very helpful, especially for network security orchestration and applying policies.

We use it for rule re-certification and rule review. Twice a week, we use the Tufin report to see what changes or adds were done to the policies. Finally, we also use it for rule automation. We have it integrated with ServiceNow for rule requests.

It has improved our organization through the beginning of automation. It has also helped in terms of auditing. Tufin is a convenient way for us to show and prove what changes were done, when they were done, and by whom they were done.

Tufin also helps ensure that security policies are followed across our entire hybrid network. We use the USP, Universal Security Profile, which is governed by our cyber team. That team sets up the parameters and then, through the automation, when a request comes in, the first thing it does is check if it meets or violates. If it violates, it sends it right back to the requester. Another way we do it is that when somebody puts a request in, it goes through the USP. Then the cyber team combs through it to make sure that whatever service they're asking for can happen. For example, if someone wants Dev going to the internet, of course that's not going to happen. They'll filter all that out before it comes to us. Once it comes to us, we'll implement it, and then we comb through all the reports and make sure that nobody missed anything.

It also helps expedite changes.

We do risk, cleanup, and change.

It reduces human error and speeds up the whole change process.

The change workflow process is flexible and customizable. There are five default workflow processes out-of-the-box. However, every customer is different. Everybody has a different request process. That is why it's so customizable. You can add another step, you can delete a step, or you could put in an exception. It is very flexible.

We use this solution to automatically check if a change request will violate any security policy rules. E.g., we will not be allowing SSH to the Internet. That is one change request where we can be like, "Put that right on top of the policy." 

This solution has helped us to meet our compliance mandates, especially with the default out-of-the-box templates, then you can create your own.

This solution helps us ensure that security policy is followed across our entire hybrid network. You can have a Unified Security Policy which reaches across all networks, so if you are having a change submitted, it doesn't matter if you're enforcing it or not. You can get an alert saying, "This is a violation." That's a value-add.

The primary use case of Tufin is firewall management, firewall reviews, and eventually, to do rule deployment.

It was more to start standardizing our prior work changes. The initial first step is to understand and make sure that whatever change goes in is complying to our policies and standardized. The eventual goal is to get everything automated.

We are using SecureTrack at the moment, but we do have licenses for SecureChange as well.

We use this product to sharpen our change cycle. A request used to take quite a while as we did manual assessments. A lot of that is now done through SecureTrack. 

At this stage, we are doing only manual checks. We are only using SecureTrack to verify the flows through Tufin. At a later stage, when we will also automate certain types of rules to be done through SecureChange, this will tremendously help us. We are not there yet, but this will help us in terms of time and resource costs.

In the past, we would do certain things because of private knowledge of people's own understanding of the network. We don't have to rely on just that piece of it, because of the topology. We now know which firewalls come into play. 

We use Tufin to help us clean up the firewall policies. It provides very easy reporting. We get all the aged or unused rules listed very quickly, as soon we run the report. It's a quite easy way of doing it. However, we have not automated our process. We are hoping that at some point that we will be in a position to automate that process.

We use the solution to automatically check if a change request will violate any security policy rules. If a request comes in, and it is from an Internet zone going straight out to an inside secure zone, then we definitely flag it. There are other policies that we find in our USP, which we flag. These are the type of things that we check.

We definitely use the compliance reports, which has simplified things. However, we haven't fully integrated it into the GRC process with Tufin yet. The desire is to make sure our GRC resources are fully aware and engaged in our Tufin deployment.

We are leveraging some components to provide reports for our GRC process, but there is no plan to integrate those processes. Those are run by different teams. We were planning to integrate our ticketing system (ServiceNow) with Tufin, which is ongoing. We are working on that now.

• Firewall audits
• Firewall rule processing
• Path analysis

We use Tufin to clean up your Firewall policy. We can look at the historical rules and find out what is violating our USP, then make a change accordingly.

This solution has helped us to meet our compliance mandates. We implemented the Unified Security Policy (USP). This helped enforce our compliance requirements. We have mitigated and remediated issues that have been brought forth due to that USP showing us issues.

We use the SecureTrack component for several things including the maintenance of firewall rules. Examples of this are identifying rules that are no longer in use and identifying shadowed rules that can be consolidated. We also use this solution to look for violation policies, as well as unused rules.

We use this solution in AWS and in our on-prem firewall.

The number one benefit this solution provides is time savings. Both I and another engineer save hours upon hours of work spent creating reports, which Tufin now does for us. This is reclaimed time now well spent on other things.

Tufin has done a very good job in improving upon the USP policy for violations.

Our engineers save quite a bit of time that was previously spent on manual processes.

Automate the firewall change via SecureChange Workflow

1. Policy Optimization by using Tufin APG under SecureTrack. If you have a wide open policy, and you want to restrict it into fewer lines of policy based on last 30 or 90 days hits, you can use APG tool to build restrictive policy.

2. Firewall Cleanup: Deletering unused Rules, unsed objects, duplicate objects from firewall database, by using the report created by Tufin under SecureTrack. You can run this report on Tufin SecureChange to delete all the unwanted space. This will save tons of space on your Firewall database.

3. SecureChange Workflow: You can link Tufin to ticketing system to upload the firewall change ticket, and use the workflow to fully automate the firewall change process, from start to finish

4. Topology: If you a good topology, you don't need to see routing table on Firewall, or going through any visio network design to find the L3 networks in your enterprise. Topology under SecureTrack helped me a lot

6. Enterprise Unified Security Policy: Once I do have an Approved Unified Security Policy from the CISO, I don't need to ask approval for each low risk firewall change. USP not only saved CISO busy time, but also increased the efficiency of firewall team. The firewall change request doesn't have to stay in Approver Pending steps