Tufin Orchestration Suite Reviews

There are a few things. One is that from the portal people are able to request access. It is going to be able to stage the policy, add the rules or objects or whatever is needed for us so that all we need to do is push the policy at the time. It almost doesn't need a human being to be involved in the rule staging of provision process.

We've been using Check Point for 10+ years and some of the rules were converted from other systems, mainly from Cisco devices. The conversion process or the migration process is not the cleanest. We end up with rules that we call over-saddling. Rules which are really not needed.

We're talking about a ton of rules. We have policies that have 3,000 rules. It's able to give us reports that tell us these 10 rules or 100 rules in our policies are not needed. Either we need to fix the rule which was a bad rule or we do not need another rule.

One thing it's not currently able to do is remove rules. For instance, one of the biggest things is that we have a server what we call decommissioned. That means they no longer need it. Either the application is end of life or they bought a new server and they took on new IPs. But we still have rules that allow the IP, so there's a hole there. Right now you cannot say, "Hey, Tufin, this IP is obsolete. Please remove all the rules that allows this IP."

Another good thing is that Tufin has a good portal. 

We were using Skybox. Tufin has that fun end to the user which Skybox doesn't.

I would recommend it.

With a tool like this, spend a few dollars to bring in their professional services to help out. Tufin is not going to be for a really small company. One of the important things is that you need to get your network team on-board.

We purchased Tufin for the rule based analysis, so that when we did a Check Point migration from the earlier versions everything was OK. We now have rule based analysis, and we can move in, see unused rules, and try to optimize the rule base.

Tufin enabled us to clean out the rule base pre-migration. There's no point in migrating old and unused rules and objects to a new solution, so we were trying to be a bit proactive. That's why we purchased this solution and we had someone from Interel come over and help us configure it.

SecureChange has been a bit of a challenge. It's been a long time coming, and I guess improvement is also needed in their relationship with the customer to get the initial functions of it working. It's more making the move towards SecureChange which possibly isn't down to them, it's probably down to our relationship with our reseller and nailing each other down. Maybe it's a non-issue. For what we use it for, it's been great.

We've used it for between four and six years.

After a while, we found that we'd not really given it enough TLC for a couple of years. Therefore, we ended up in the situation where we had to get the guys from Interel to fine tune the appliance memory wise because it was little old. By the time we started using it to its full extent, you end up being able to fine tune it and eventually realize even that wasn't going to cut it and we ended up having to virtualize and it seems to be OK now.

We didn't have as much advanced management at that time. Over time, we've merged with other areas of our business and inherited many more advances, bobbles, with that, I think that's where we came across the problem that we wanted so many things active and realized that we did actually need to upscale the deployment.

We originally purchased it mainly for Check Point and then ended up purchasing Cisco ASA and Palo Alto licenses, so we ended up with more stuff than we originally purchased it for. Hence the need to upgrade for VMware and memory.

It has been good. When we've had an issue they've been very good. We were on the phone and I remember a conference with the support guys and they really went out of their way to help us out.

It was fairly easy to deploy. We originally purchased the 500 series appliance, which was mid-range appliance and then we ended up eventually virtualizing that appliance and moving it to VMware, which is what we've now got. I don't remember ever having any major issues.

We did look at another solution, but don't ask me what it was called, I don't even remember. We did look at it at the same time, but it couldn't really do half of the things that Tufin did. I can't remember back that far, but I remember we looked at it and it was all really clunky. It didn't feel right, it didn't do half of the stuff that it was meant to be able to do and it was very slow as well. We pretty much put it out straight away.

It's done a good job. We've not fully utilized all of its features, we've hardly scratched the surface really, it's a powerful bit of tech and we've pretty much used it for a specific purpose that we purchased it for and realized it can be used a lot more, having said that we ended up purchasing second shares as well. We are now in the process of testing SecureChange because that was something that was really pushed through quite recently.

For us it works, it's a great solution, but that's not to say that there isn't a better one out there. Anyone that looks and researches, they probably look at different supplies of the same solution and make up their own minds really. It is the best tool for the job and technology moves on so, who knows.

It’s the fact that before Tufin it wasn’t possible to manage firewall changes. We used emails.

Different departments can actually intervene at the same time on the same workflow and actually accelerate the job. Previously, we didn’t have that, so that’s a big thing.

• Previously, we couldn’t figure out a way to make our processes more efficient. With Tufin our goal is to automate this process. We haven’t achieved it yet but at least we have a vision.
• The fact that tickets can be dispatched automatically and analyzed prior to them being validated by the security teams.

We have some regressions from one burden to another. It was hard, so that’s definitely something we’re not happy with.

We have a PS module that we have been developing since we started working with Tufin. It was around two years ago and still isn’t finalized.

One of the things that I would like to see improved is the stability of the solution.

They do everything they can to reply as fast as they can but sometimes when problems are too complex, and they have to involve R&D, it can take quite a while to solve.

It was already deployed when I started working here, and it was a change for me, but it was straightforward. Most of the guided stuff was internal to the company. The architecture is not good but that’s got to do with the architecture on our side.

We also looked at AlgoSec, and it looks interesting especially the workflow parts which are more detailed.

It is an important application for controlling and monitoring firewall rules. It is useful for making and monitoring the changes.

Its price is reasonable, but it could be lower. 

It could have a more effective approach for creating and changing rules. It could provide advice or suggestions for a better understanding of rules and changing the rules. There should be suggestions for the rules that need to be changed to make them less risky.

I have been using this solution for eight months. We have recently done an upgrade, and we are using the latest version.

It is stable.

We have not been using it for a long time. So far, it is scalable for us. We have more or less ten people.

Their technical support is good.

We have worked with AlgoSec but in a restricted topology of the network. Both of these solutions are useful. It mainly comes down to the price. Even though Tufin is more costly, it has been more cost-effective for us, but it is not the same for all companies. It also depends on the integrator.

Its initial setup has medium complexity. It was not complex, but it was also not easy. We had some problems because it was a fresh installation.

Its price is reasonable, but it could be lower. It has been cost-effective for us. We have a contract for three years.

I would rate Tufin a nine out of ten. 

We were primarily using the solution in order to grade the firewall rules.

How the solution benefits the organization is something that is currently being tested. We're considering doing something different, as we just used this product as a POC.

The compliance aspect of the solution is its most valuable aspect.

The stability is very good.

You can easily scale the solution if you need to.

The number of features is very robust - and there are a large number of features. That's a huge selling point, which is why its popularity is where it is.

I have heard many people complain that there is a high level of complexity. It may make it difficult to work with for some people. That said, I don't have those issues with the product.

The initial setup can be tough.

The product could use better integration with the cloud.

I've been using the solution for years at this point, It's been a long time.

The stability is very, very good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. The performance is good.

The scalability of the product is excellent. If a company needs to expand it, it can do so relatively easily.

In our case, while I don't have an exact user count, I can say that there were quite a lot of people on the product.

We're talking about shifting potentially away from Tufin, however, if we had kept it would have been used extensively.

While other people have the opinion that it could be better, I've mostly been satisfied with the level of support we've received. They've been okay. I've had three or four run-ins with them and they were all positive experiences.

I also work with AlgoSec. We use both solutions currently.

The initial setup is not straightforward. It's a little difficult, a little tough. New users need to expect this before they get started.

Often, a consultant is involved in the process, as there is a large learning curve, and many companies don't have the bandwidth to ramp up the staff. Bringing on a consultant can speed up the processes a bit.

The deployment took about a month or so.

We're still working on how many people we actually require to handle the maintenance aspect of the product.

Typically, we get a consultant for everything, however, this last deployment, in particular, seemed to be more challenging for the consultant and for the staff.

That said, our experience with the consultant was very good overall.

While we are getting what we need out of the solution in terms of functionality, I haven't really looked into an exact ROI. We got what we were looking to get out of it. 

The billing and licensing aspect of the product is not something I'm a part of. I don't have any insights into the costs involved in using the solution. I cannot see if there's just a flat licensing fee or if there are other costs needed on top of that.

We are considering moving away from the solution currently. We're looking for other options. We might shift towards FireMon, however, nothing is set in stone.

We're just a customer and end-user.

We're likely not using the latest version of the solution. Currently, there is a team that directly supports it. I can't remember the exact version number off-hand.

I'd advise organizations considering the solution to do their homework first and see if they can find out from industry associations and professionals what their experience has been.

In general, I would rate the solution at a nine out of ten.

We use SecureTrack and SecureChange to manage all of our firewalls. 

We use the latest version.

The biggest benefit for us was the time frame to complete a ticket. It went from approximately a week and a half to two weeks down to about three days.

We use it to clean up our firewall policies, which gives us better security policy and less junk on the firewalls.

Risk analysis is automatically in our policy.

The most valuable feature is automation.

The visibility of the policies are very good. It sees different things. The recordings are very good.

We use a lot of workflows and have a lot of custom things developed by Professional Services. It is very customizable.

We would like better communication on tickets, a better way to do metrics, and better communication to the customer. The biggest change that my team would like right now is communication on the process of the ticket, so the customer knows where their ticket is while their waiting.

At least in our environment, the dynamic learning of the topology needs improvement.

If you would have asked me two weeks ago, I would have said the stability was excellent. However, we had some upgrade problems. They were worked out and the support was excellent in helping us get it fixed. In general, the stability is very good.

We have a very big environment. The scalability works well.

Pretty good. They know when to escalate. We never put in easy tickets, They know to escalate quickly if they have to. We have our own technical account manager too.

We invested in SecureChange to do automated workloads. When we deployed SecureChange, part of it was to automate our workloads to have more time to do more things, like making the ticketing process shorter.

Firewall rule changes went from a week and a half to around three and a half days.

We have not recently evaluated any new solutions.

Tufin is not perfect, but it's really good.

Make sure you know your environment well. Tufin will help with knowing the firewall rules, but be well-documented before you start with your security policies.

The approval process is a lot more automated, but the implementation process didn't change.

We don't use Tufin in the cloud yet.

We don't have compliance mandates.

For us, it's more about managing the policies and having an overview of all the policies that are available, that we currently implement, and bringing them to a central console so that we can have an overview of what's going on. We deploy Tufin for one of our customers, it's not for ourselves.

The key, convincing element that made our customer go with Tufin is that they have the ability to centrally monitor and view all changes that have been made in the network, and they are able to revert any problems that they encounter, if somebody has made a problematic change.

The policy overview is valuable.

The key area for improvement is the integration to F5. One of the things that we encountered with another customer is that there were some limitations when we tried to migrate policies from F5 into Tufin. Half of the network is F5 and there were a couple of other firewalls and they're trying to centrally manage them. There were issues in terms of managing the policies for F5. It's not as seamless as it should be.

Documentation to help users integrate to an F5-type of environment would be great, so that users would understand and know the limitations, rather than having to go through a PoC and then realize that it's just not suitable for integrating F5 products.

So far, the stability has been reasonably good. We haven't encountered any major issues. Even when integrating to overseas central management systems, it has been quite seamless.

Scalability is something the customer will be exploring in the next phase.

I think that the major limitation is its ability to integrate into more products. With the common products, the older products, it integrates very well. But with the newer products, like I said, F5 for example, they do have some issues. I'm not too sure about other firewall products and other DDoS products that could be in the network.

For now, the customer is trying to integrate the product into the rest of the group. That's currently being studied by some of their overseas counterparts to see if it's suitable. The plan is that the customer intends to proliferate this across the entire network, but that step will take place over five years' time.

Technical support is excellent, I would give a big thumbs-up to the technical support team.

We didn't use a previous solution, this is our main solution.

The initial setup is reasonably straightforward and the support team is quite good. They're very helpful and they're very knowledgeable.

The deployment, overall, took about three months, in terms of studying the customer's environment and doing some consultation and a deep-dive with the Tufin consultancy team.

We are an integrator, so we have a fairly decent understanding of the product and it wasn't that difficult to deploy.

Pricing played a big part here. We didn't present AlgoSec or FireMon. We got good support from Tufin directly. We managed to position it with an effective price for the customer. The customer had evaluated other products but, due to price as well as support, they chose Tufin.

We evaluated Tufin together with FireMon and AlgoSec.

The first priority is to evaluate how expensive your firewall family is. If you have, for example, F5 then you would probably have similar problems to what we encountered with F5. But if you are deploying general firewalls, like Palo Alto and Cisco, that's fine. You have to evaluate how you are going to import existing policies and how you are going to monitor those policies when they transfer them across to be centrally managed and monitored by Tufin.

In terms of users of the solution, we set up for the customer a central admin who is the main administrator that controls the entire dashboard. In addition, there are viewers who only need to view and monitor the reports and the like. It's the IT firewall team that makes changes to the firewall and backend system. So there are three main groups of users.

We do the maintenance for the customer, so if there are any patches or any updates that are critical we work with the customer to identify a suitable time for us to do the system upgrade.

We manage our customers' IT infrastructures. We then bring in vendors according to what each customer requires. We are the system integrator, integrating to their backhand system. We provide consultancy and advice to the customer with regards to the types of products that they should choose. Eventually, we support products once they have deployed them. A lot of customers don't have a big IT team locally to support the infrastructure, so we provide that level of support.

From an implementation and costing-strategy standpoint, I would give Tufin eight out of ten. It would be much better if they could improve the F5 support and also enhance the documentation in terms of integrating firewall products.

Our primary use case is firewall management and policy management.

It has very good visibility with all our devices. We can see how they interact with each other, and if we're doing the right things or not.

We find it to be flexible. If we have a change that needs to be done, it will go ahead and do it for all our devices, regardless of the manufacturer that we have associated with it.

We are still in the beginning phases of it, but we're hoping that it can change how all of our policies are determined and implemented.

The most valuable feature is the consolidation of firewall products.

The change impact analysis capabilities of this solution are pretty good. We like the product a lot.

I would like the following additional features:

• Easier integration with more automation.
• Ability to get better results from rule-based requests.
• Ability to do some policy browsing and find out where they're hitting, specifically.
• Ability to pull hit count reports more easily. 

It's pretty stable. I haven't had any issues with it.

The scalability is pretty good. All we have to do is just add another device and buy another license. It seems pretty straightforward.

I personally haven't worked with them, but I've heard good things about how responsive they are. They've always been able to find the answer that we needed.

We had no solution previously. So, we needed something that would help make our decisions on better securing our network.

The initial setup was straightforward. It was very easy to setup and integrate. We had no issues.

Most of the work was done by us. However, we worked closely with Tufin support, and we have good things to say about that.

We also evaluated FireMon. We did not go with them because the solution was not as easy to install or incorporate in our organization. To us, Tufin just seemed to be the better product.

It's very solid product. There are definitely a few things that I wish I could do with it, but I'm so new to the product that maybe I'm just not looking at the right spots.

Try it out. It's pretty cool. I was very impressed with the initial presentation and how it could automate everything. It's just that getting to the point where you want it to do what you need it to do is definitely time-consuming and a lot of work. However, I think it will be worth it in the end.

We are working to use this solution to automatically check if a change request will violate any security policy rules. We are not there yet.

We are still in the process of getting it developed. Some of the portions that I have used have helped me, as I can just go to one place and find out if a rule exists, or if there's any type of traffic.