We are using SecureChange to start orchestrating a lot of our changes. Our users can then request changes instead of having to go directly to us. We are trying to automate some of those pieces.
Network Security at a transportation company with 10,001+ employees
The change impact analysis capabilities of this solution are good
Pros and Cons
- "The visibility is very good. We have managers who are overseeing it, and they are approving things through it."
- "The hardest piece is getting the matrix built."
What is our primary use case?
How has it helped my organization?
The visibility is very good. We have managers who are overseeing it, and they are approving things through it.
The whole process is flexible and customizable. We are building the matrix, then we're putting in exceptions. We have to add manual exceptions into it, and they have to come to us first before they can get it approved, which is good.
We use this solution to automatically check if a change request will violate any security policy rules. Similar to what we are doing with Azure, where they request a change, and if it violates policies, it gets kicked back. Then, we have to review it and figure out what they're doing. We can then move forward with it, if it's approved.
What is most valuable?
- The Orchestration
- The way that users can access it directly.
- The change impact analysis capabilities of this solution are good.
What needs improvement?
- The hardest piece is getting the matrix built.
- Room for improvement includes how we are pulling the routing cables and getting SNMP enabled.
- Tufin could provide a train for running its reports and showing people how to use them.
Buyer's Guide
Tufin Orchestration Suite
November 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,660 professionals have used our research since 2012.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
The solution is very stable. We've upgraded several times and not had any issues. For stability, it's perfect.
What do I think about the scalability of the solution?
We're in the process of scaling it. We started off small, and now, we're enlarging it to cover more of the enterprise. The scalability is good.
How are customer service and support?
I haven't used technical support. My colleague has, and they are very good. They work through solutions.
How was the initial setup?
The initial setup was pretty straightforward. It communicating with the firewalls and management server were the big pieces.
What about the implementation team?
Well when we first started, it was through a reseller. Then, as we're bringing in SecureChange, we have been doing it all that ourselves.
The reseller was Structured Communications, who is in Portland. It was part of a package deal that we built with them. Our experience with them was good. We used them a lot.
What was our ROI?
We don't have to go through our firewall group, who actually does the rules. They don't have to create tickets to send to us, then take a couple of days to get all that stuff built and put in place. Now, it is usually the same day, or within a day.
This solution helped us to reduce the time it takes to make changes. We used to spend up to an hour to do a change, and now, it's around five minutes.
Engineers are spending less time on manual processes. They are now spending half their time on manually processes, 20 to 30 minutes, because we don't have to go out and touch things anymore.
We're still in the process of implementing things, so we haven't really seen a lot of return yet, but we're hoping.
What other advice do I have?
It is a good solution, somewhat easy to implement, and gives you a lot of information. It takes time to learn all the little nuances of it.
I don't think we're using cloud native security quite yet.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Engineer at a hospitality company with 1,001-5,000 employees
We use SecureTrack for tracking unused rules. I’d like to see the application topology developed more.
Valuable Features
We use SecureTrack for tracking unused rules, tracking risky rules for compliance, and policy optimization, which I think is the best because you get duplicate objects and you get covered rules. I would say that trying to tune your policy and get rid of unused rules is the most valuable for us.
Improvements to My Organization
At the moment, we have not really found any other side benefits, but we will be implementing SecureChange which will then allow us to track changes. The topology feature will show us what devices in the pack need to be touched. Depending on the complexity of the routing and knowledge of the environment by the engineers, policies could be missed that need the rules. That particular aspect is going to help us a lot.
Room for Improvement
I’d like to see the application topology developed more. You have a database layer, a web-front end and other applications that, along with the policy rules, have a path that they need to take and they need to traverse several devices. That gives you almost like a network topology of the applications and I believe that you're going to be able to use that for compliance also. I can’t think of any other configurations I’d like to see right now. Nothing's perfect.
With change restrictions, we can't remediate things immediately, but Tufin gives us the information we need to then submit a change, to go ahead and clean up the policy.
Stability Issues
We have not come across any stability issues. We support the platform, we support all of our platforms and that's the one that we've had to do the least amount of support for, but I can't speak for the other engineers.
Scalability Issues
I don't know how many devices we have in there but there hasn't been a problem. We have several business units with multiple devices across each business unit. I don't believe that I've come across a problem getting a large amount of devices in.
Customer Service and Technical Support
Tufin’s technical support engineers seemed to be knowledgeable and very helpful.
Initial Setup
I helped import devices for a specific business unit I was supporting at the time. I found it to be very intuitive and not hard to use at all.
Other Advice
If you're in a large environment, a large enterprise, it's a good tool. It does certainly help with the workload. For the app team who are trying to develop the applications, it makes them more accountable for how it's supposed to work.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Tufin Orchestration Suite
November 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,660 professionals have used our research since 2012.
Network Consultant at a healthcare company with 1,001-5,000 employees
There's a Lot of Depth to the Product, From Automation to Reporting Capabilites.
Valuable Features:
Tufin provides insights through various reporting capabilities. It provides a level of insight into change that didn't exist before and gives us the ability to validate changes against business needs. It has also allowed us to automate certain functions. We are still very new at it, but we have been able to leverage some of the automation capabilities to begin to clean up our environment. We haven't gotten into the SecureApp module yet.
There are some report capabilities that we weren't aware of when we purchased the product. They're kind of in a hidden area. One of the reports is called the permissiveness report and it uses some type of algorithm to measure risk of rules, rule bases and firewalls. We're still exploring a lot of the reporting capabilities. There's a lot of depth to the product.
Room for Improvement:
There are capabilities to measure risk and to report on non-compliance access and rules, and you want to clean that up naturally. Unfortunately, the automated cleanup only works for Cisco right now, and doesn't work for Check Point. We have been told that that's on the roadmap, hopefully for 2016, but automated rule cleanup and rule removal are probably the biggest deficiencies that we've encountered at this point.
In addition, the SecureTrack product is not as seamless as I would like it to be with SecureApp and SecureChange, but that's also on the roadmap to correct. If you are in Secure Track and you want to use SecureChange, you actually have to login to SecureChange.
Use of Solution:
We have only had the product for four or five months.
Stability Issues:
There have been no problems with stability.
Scalability Issues:
We have about 22,000 rules and 120 devices that we're monitoring. We haven't had any scalability problems.
Initial Setup:
There's a little bit of a learning curve, particularly with the depth of the product, but it's not difficult.
Other Advice:
I would rate it a nine out of ten, comparing it to other solutions in the market and the value that it’s provided to us already. I lowered the score because of the deficiencies I wrote about previously, but didn’t lower it that much because they are aware of it, they have addressed our questions, and they have it on the roadmap.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Manager, Security Engineering and Operations at a retailer with 1,001-5,000 employees
We can provide evidence that nothing's getting into the environment that isn't already approved to go in.
Valuable Features
With the firewall policy management with Check Point, we found great value in the tracking, specifically given that we use rules and we use objects within those rules. It's very helpful to provide evidence of PCI (Payment Card Industry) compliance during our yearly PCI audits. PCI is a set of data security standards that's published by the card holders: VISA, MasterCard, Discover, and American Express.
We can provide evidence the nothing's getting into that environment that isn't already approved to go in.
Improvements to My Organization
We are in the process of automating our firewall rule management and requests, and we are looking into SecureChange and SecureApp. We're also trying to use it as a tool to collaborate with the application owners so that we can better manage documentation around data flows.
Room for Improvement
We're spinning up AWS for our development environment, so we're going to be leveraging the checkpoint instance at AWS. So we want to get visibility, monitor rules, and use the policy management just like we've done with our on-premise environment.
Stability Issues
No issues at all.
Scalability Issues
Yes. Originally we had 360 rules, but because of the growth of our environment and our move, it's up to 1100 rules. There are no performance issues.
Customer Service and Technical Support
Great technical support. Tufin also has great sales and presales teams, and we’ve been able to leverage their engineering support as well. They have been very helpful.
Initial Setup
We initially deployed the product to look at a couple of our gateways, and then we decided to upgrade and expand it to all of our gateways. So I was involved in that upgrade. We expanded our environment, expanded our gateways, and bought some additional licenses.
Other Solutions Considered
No. Even though we’ve expanded the use of it here, we've always used Tufin. I also used Tufin at a previous employer.
Other Advice
The most important criteria for me is hit count, how often the rules are being used and visibility. All of that is critical information to optimizing our policies.
I'm the manager of a team of six engineers. The feedback that I get from them – and they're very vocal – is that they love the product. It's great.
I'm a tough rater, and I probably wouldn’t give a 10 to anybody. But I would say Tufin is an 8. As far as software products go, it delivers.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Head of I.T. Security at a insurance company with 1,001-5,000 employees
Optimizing my firewalls and the reporting functionality are the main reasons I initially chose this solution.
What is most valuable?
I find that he most valuable feature is actually optimizing my real firewalls. It shows me any issues. I track the change and it will tell me when it is actually going to affect any other rules or any other applications. That is the biggest feature.
Then the reporting functionality that comes along with it - for one change, this change what, when, etc. This is the main function that I will always be using, as well as positioning of the rules on the rule base and to optimize the firewall for me. Those are the best features and that is what sold me initially.
The thing I like about it is that it's real time, that's the biggest benefit. It helps me with everything that I need to do. Every time we want to make a change we put it in the system and it tells us, OK all good, or it tells you, these, this and this you have to fix. Have a look at it, send it to the service, they have a look at it, mediate, put it through again, and if it is clean it will go.
How has it helped my organization?
It prevents human error. That is the biggest benefit for me as you can load in as much high availability as you wish. Human error is always the thing that is hardest to get rid of as well because now the change team don't question any rule base that we are putting in because of the checks Tufin does prior to the change, so we know the impact is not going to impact anybody else. What the biggest problem was whenever we would change a rule before there was always the question, what is the small thing doing. Now I can do production changes during production time. Due to this, we have a seen a positive impact for the company, and that is what they wanted.
What do I think about the stability of the solution?
Small reactive. It is sometimes stuck or kind of jumps, but no actually business impact, but from an IT perspective, whatever we want we are getting on the fly.
What do I think about the scalability of the solution?
It's not actually user intensive, so it does not hamper our power in any way.
How are customer service and technical support?
It is expensive. It cost me about a million, which is quite expensive for us, but the benefit is worth it.
Which solution did I use previously and why did I switch?
I used to have FireMon, and we changed it because of their features. The main feature that made us change was SecureChange, and like I said when you do changes now, assist with the change that you are going to make to see if there is impact to the other, so this is what gives us this feature, now you can assess and say, will it have a problem? That is why it helps with the changes.
What other advice do I have?
I'd definitely say go with Tufin as it's a brilliant solution. What is brilliant is the firewalls themselves. I'd check out CheckPoint as well to make sure that the solution meets your needs and works with your plans. It doesn't matter what CheckPoint plans you use, Tufin works with them all.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Network Engineer at a financial services firm with 1,001-5,000 employees
It tells us where to put our policy on both the front and back ends, as well as in the configuration files.
Valuable Features
The most valuable function of Tufin is that it provides compliance tests on security devices. It gives us a great idea of what is going wrong and what we have to do to improve. Then, when we try to apply the solution to our policies, it provides us help in doing so. It tells us where to put our policy on both the front and back ends, as well as in the configuration files.
Room for Improvement
The usability and speed of the solution needs improvement. In our experience, it seems a little bit slow.
Use of Solution
We've had it in place for more than a year now.
Deployment Issues
We've had no issues with deployment.
Stability Issues
The stability of Tufin has been quite good for us. I have no complains about stability.
Scalability Issues
Honestly, I don't have too many devices running with Tufin, so we don't really have a need to scale much. But I do think that it needs improvement in the area of scalability.
Customer Service and Technical Support
Customer Service:
In our experience, customer service is OK, but the product really doesn't need too much help. It works by itself and is quite stable.
Technical Support:In regards to technical support, we work with our partner's company, so we don't communicate directly with Tufin.
We co-operate with our partner's company, so we do not communicate directly with Tufin support.
Initial Setup
The initial setup was straightforward.
Implementation Team
The implementation was so simple we did it ourselves without too much help from our partner company, so I can say that it was easy for us to adopt the solution.
Other Solutions Considered
Fro my perspective, it's a solution that covered all our needs, so it was an easy choice. It was a bargain at the price point.
Other Advice
For us, it works, so why can't it work for you?
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Security Architect at a tech services company with 1,001-5,000 employees
We can see what changes are happening on our security devices at the moment that they're done, so if mistakes happen, we can catch them before there is a disaster.
What is most valuable?
The most valuable feature is that we can see what changes are happening on all our security devices at the very moment that they're done, so if any mistakes happen, then we can catch them very quickly before there is a big disaster and outage.
Mistakes like firewall policies where people put in wrong IPs instead of allowing permits and traffic stops. That is why it is very, very important.
How has it helped my organization?
On one of my earlier deployments, I was actually able to quickly diagnose about 100 VPNs that went down because one the administrators made a wrong encryption domain in the tech point, so we were able to catch it right away as the change happened. We were able to revert the changes very, very quickly, and it did not cause a long amount of downtime.
We are able to look at any objects that are not used, rule usage, which, for wide-open rules, we can put in tracking on those rules so we can turn down the rulebase, so those are the good benefits. The rulebase actually shows the same way for all the devices, so if you have checkpoint firewalls, or if you have five load balancers, you can actually have a similar view of all this, so you can understand it very easily.
The other good part is that whenever changes happen, we have to go through change control. We can put in our changer card numbers, and then those all come in the dashboard as the changes that were done on that particular change record, so then you can correlate the changes to a particular request which was approved.
What needs improvement?
New features would be when you look for any of the rules that are unused, then I would like to see whether there was a way to also make sure that the objects that exist are actually live or not. What I mean to say is, if you have a server that you had allowed in the rulebase, and you decommission the server, now the rulebase is there, which shows their logs, but I want to make sure that the server is actually decommissioned and not still alive. If there is a way that we can check for those objects, whether those objects still are alive in the network, that would be great.
For how long have I used the solution?
I've been using the product since 2007, since its very early stages.
What do I think about the stability of the solution?
At one time, it had processed for a year. When I was in my previous company, I had installed one of the T500 boxes, and it had actually processed about 2.7 terabytes of logs, and we were able to trim down the biggest firewall. We now do about 11,000 rules, and they had never been cleaned for about five or six years, so by the end of the whole exercise, we trimmed down the rule base to less than 300 rules.
What do I think about the scalability of the solution?
I've used about 200+ devices. That was all the environment was, so I definitely know, talking to other customers who have thousands of devices, so it scales very well.
How are customer service and technical support?
Technical support is great. I've worked with several people within the company.
Which solution did I use previously and why did I switch?
It was straightforward. I was able to get all my firewalls and a lot of the other networking devices in less than half a day.
Which other solutions did I evaluate?
I compared it to the usability and the easy way to actually add devices. We compared it to AlgoSec and FireMon. Both of them I did not feel were very intuitive to work with, so a lot of training would be required.
What other advice do I have?
Just buy it. Don't even think about any other product. Just buy it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Manager at a financial services firm with 10,001+ employees
Helps us meet our compliance mandates and has excellent visibility
Pros and Cons
- "It has helped us to meet our compliance mandates. We have some requirements that we need to provide more visibility on the risk levels of our firewall base and Tufin helped us with that requirement."
- "I would like to see an improved reporting model that can be flexible for us to generate our own reports. The data's already there."
What is our primary use case?
Our primary use case if for risk compliance.
How has it helped my organization?
The change workflow process is flexible and customizable.
It has helped us to meet our compliance mandates. We have some requirements that we need to provide more visibility on the risk levels of our firewall base, and Tufin helped us with that requirement.
What is most valuable?
The USB is the most valuable feature for us. Inside of Tufin, we are planning to leverage the USB solution.
The visibility is excellent. We have a better view of our compliance status.
What needs improvement?
I would like to see an improved reporting model that can be flexible for us to generate our own reports. The data is already there.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It has been very stable since 2017. We haven't had any power problems. As far as hardware goes, it's been very stable. In the software, we found some bugs, but we're working with support to fix them.
What do I think about the scalability of the solution?
Scalability is very good. We are planning to add more entities this year.
How are customer service and technical support?
Technical support is satisfactory at the moment.
How was the initial setup?
The initial setup was very straightforward.
What about the implementation team?
We did most of the onboarding ourselves.
Which other solutions did I evaluate?
We also looked at AlgoSec.
I was part of the decision-making process.
What other advice do I have?
I would rate it an eight out of ten. It's very easy to use and you can get good results very quickly.
We don't use the cloud native security features yet.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Tufin Orchestration Suite Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Popular Comparisons
FireMon Security Manager
Skybox Security Suite
Palo Alto Networks Panorama
AWS Firewall Manager
Azure Firewall Manager
ManageEngine Firewall Analyzer
Cisco Defense Orchestrator
Buyer's Guide
Download our free Tufin Orchestration Suite Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the biggest difference between AlgoSec and Tufin?
- Comparing network security vendors and devices
- When should companies use SSL Inspection?
- When evaluating Firewall Security Management, what aspect do you think is the most important to look for?
- What are the most important features you would be looking for in a firewall?
- How do I estimate the required firewall throughput for my organization?
- What are the pros and cons of Tufin, AlgoSec and RedSeal?
- Tasks to Perform on Preventive Maintenance.
- Why is network segmentation important?
- Can a router with automatically-created firewall access lists be considered a scrubbing center?
Good feedback, as a former FireMon member I would like to invite you to test-drive v8 interface. The major critic I had past year was the interface as you mentioned was not intuitive. V8 is the next step for Policy Management Solutions. I have had users that are very happy with Tufin but at this point all users on my experience that have tested new v8 interface recognises the advantages.