Business Director at a tech services company with 201-500 employees
Real User
Gives our customer the ability to centrally monitor and view all changes made in the network
Pros and Cons
  • "The policy overview is valuable."
  • "Our customer has the ability to centrally monitor and view all changes that have been made in the network, and they are able to revert any problems that they encounter, if somebody has made a problematic change."
  • "The key area for improvement is the integration to F5. One of the things that we encountered with another customer is that there were some limitations when we tried to migrate policies from F5 into Tufin."

What is our primary use case?

For us, it's more about managing the policies and having an overview of all the policies that are available, that we currently implement, and bringing them to a central console so that we can have an overview of what's going on. We deploy Tufin for one of our customers, it's not for ourselves.

How has it helped my organization?

The key, convincing element that made our customer go with Tufin is that they have the ability to centrally monitor and view all changes that have been made in the network, and they are able to revert any problems that they encounter, if somebody has made a problematic change.

What is most valuable?

The policy overview is valuable.

What needs improvement?

The key area for improvement is the integration to F5. One of the things that we encountered with another customer is that there were some limitations when we tried to migrate policies from F5 into Tufin. Half of the network is F5 and there were a couple of other firewalls and they're trying to centrally manage them. There were issues in terms of managing the policies for F5. It's not as seamless as it should be.

Documentation to help users integrate to an F5-type of environment would be great, so that users would understand and know the limitations, rather than having to go through a PoC and then realize that it's just not suitable for integrating F5 products.

Buyer's Guide
Tufin Orchestration Suite
December 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
830,455 professionals have used our research since 2012.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

So far, the stability has been reasonably good. We haven't encountered any major issues. Even when integrating to overseas central management systems, it has been quite seamless.

What do I think about the scalability of the solution?

Scalability is something the customer will be exploring in the next phase.

I think that the major limitation is its ability to integrate into more products. With the common products, the older products, it integrates very well. But with the newer products, like I said, F5 for example, they do have some issues. I'm not too sure about other firewall products and other DDoS products that could be in the network.

For now, the customer is trying to integrate the product into the rest of the group. That's currently being studied by some of their overseas counterparts to see if it's suitable. The plan is that the customer intends to proliferate this across the entire network, but that step will take place over five years' time.

How are customer service and support?

Technical support is excellent, I would give a big thumbs-up to the technical support team.

Which solution did I use previously and why did I switch?

We didn't use a previous solution, this is our main solution.

How was the initial setup?

The initial setup is reasonably straightforward and the support team is quite good. They're very helpful and they're very knowledgeable.

The deployment, overall, took about three months, in terms of studying the customer's environment and doing some consultation and a deep-dive with the Tufin consultancy team.

What about the implementation team?

We are an integrator, so we have a fairly decent understanding of the product and it wasn't that difficult to deploy.

What's my experience with pricing, setup cost, and licensing?

Pricing played a big part here. We didn't present AlgoSec or FireMon. We got good support from Tufin directly. We managed to position it with an effective price for the customer. The customer had evaluated other products but, due to price as well as support, they chose Tufin.

Which other solutions did I evaluate?

We evaluated Tufin together with FireMon and AlgoSec.

What other advice do I have?

The first priority is to evaluate how expensive your firewall family is. If you have, for example, F5 then you would probably have similar problems to what we encountered with F5. But if you are deploying general firewalls, like Palo Alto and Cisco, that's fine. You have to evaluate how you are going to import existing policies and how you are going to monitor those policies when they transfer them across to be centrally managed and monitored by Tufin.

In terms of users of the solution, we set up for the customer a central admin who is the main administrator that controls the entire dashboard. In addition, there are viewers who only need to view and monitor the reports and the like. It's the IT firewall team that makes changes to the firewall and backend system. So there are three main groups of users.

We do the maintenance for the customer, so if there are any patches or any updates that are critical we work with the customer to identify a suitable time for us to do the system upgrade.

We manage our customers' IT infrastructures. We then bring in vendors according to what each customer requires. We are the system integrator, integrating to their backend system. We provide consultancy and advice to the customer with regards to the types of products that they should choose. Eventually, we support products once they have deployed them. A lot of customers don't have a big IT team locally to support the infrastructure, so we provide that level of support.

From an implementation and costing-strategy standpoint, I would give Tufin eight out of ten. It would be much better if they could improve the F5 support and also enhance the documentation in terms of integrating firewall products.

Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator.
Cyber Security Engineer at a healthcare company with 10,001+ employees
Real User
It has very good visibility with all our devices
Pros and Cons
  • "We find it to be flexible. If we have a change that needs to be done, it will go ahead and do it for all our devices, regardless of the manufacturer that we have associated with it."
  • "I would like easier integration with more automation."

What is our primary use case?

Our primary use case is firewall management and policy management.

How has it helped my organization?

It has very good visibility with all our devices. We can see how they interact with each other, and if we're doing the right things or not.

We find it to be flexible. If we have a change that needs to be done, it will go ahead and do it for all our devices, regardless of the manufacturer that we have associated with it.

We are still in the beginning phases of it, but we're hoping that it can change how all of our policies are determined and implemented.

What is most valuable?

The most valuable feature is the consolidation of firewall products.

The change impact analysis capabilities of this solution are pretty good. We like the product a lot.

What needs improvement?

I would like the following additional features:

  • Easier integration with more automation.
  • Ability to get better results from rule-based requests.
  • Ability to do some policy browsing and find out where they're hitting, specifically.
  • Ability to pull hit count reports more easily. 

For how long have I used the solution?

Still implementing.

What do I think about the stability of the solution?

It's pretty stable. I haven't had any issues with it.

What do I think about the scalability of the solution?

The scalability is pretty good. All we have to do is just add another device and buy another license. It seems pretty straightforward.

How are customer service and technical support?

I personally haven't worked with them, but I've heard good things about how responsive they are. They've always been able to find the answer that we needed.

Which solution did I use previously and why did I switch?

We had no solution previously. So, we needed something that would help make our decisions on better securing our network.

How was the initial setup?

The initial setup was straightforward. It was very easy to set up and integrate. We had no issues.

What about the implementation team?

Most of the work was done by us. However, we worked closely with Tufin support, and we have good things to say about that.

Which other solutions did I evaluate?

We also evaluated FireMon. We did not go with them because the solution was not as easy to install or incorporate in our organization. To us, Tufin just seemed to be the better product.

What other advice do I have?

It's a very solid product. There are definitely a few things that I wish I could do with it, but I'm so new to the product that maybe I'm just not looking at the right spots.

Try it out. It's pretty cool. I was very impressed with the initial presentation and how it could automate everything. It's just that getting to the point where you want it to do what you need it to do is definitely time-consuming and a lot of work. However, I think it will be worth it in the end.

We are working to use this solution to automatically check if a change request will violate any security policy rules. We are not there yet.

We are still in the process of getting it developed. Some of the portions that I have used have helped me, as I can just go to one place and find out if a rule exists, or if there's any type of traffic.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
NetworkS6585 - PeerSpot reviewer
Network Security at a transportation company with 10,001+ employees
Real User
The change impact analysis capabilities of this solution are good
Pros and Cons
  • "The visibility is very good. We have managers who are overseeing it, and they are approving things through it."
  • "The hardest piece is getting the matrix built."

What is our primary use case?

We are using SecureChange to start orchestrating a lot of our changes. Our users can then request changes instead of having to go directly to us. We are trying to automate some of those pieces.

How has it helped my organization?

The visibility is very good. We have managers who are overseeing it, and they are approving things through it.

The whole process is flexible and customizable. We are building the matrix, then we're putting in exceptions. We have to add manual exceptions into it, and they have to come to us first before they can get it approved, which is good.

We use this solution to automatically check if a change request will violate any security policy rules. Similar to what we are doing with Azure, where they request a change, and if it violates policies, it gets kicked back. Then, we have to review it and figure out what they're doing. We can then move forward with it, if it's approved.

What is most valuable?

  • The Orchestration
  • The way that users can access it directly.
  • The change impact analysis capabilities of this solution are good.

What needs improvement?

  • The hardest piece is getting the matrix built.
  • Room for improvement includes how we are pulling the routing cables and getting SNMP enabled.
  • Tufin could provide training for running its reports and showing people how to use them.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The solution is very stable. We've upgraded several times and not had any issues. For stability, it's perfect.

What do I think about the scalability of the solution?

We're in the process of scaling it. We started off small, and now, we're enlarging it to cover more of the enterprise. The scalability is good.

How are customer service and technical support?

I haven't used technical support. My colleague has, and they are very good. They work through solutions.

How was the initial setup?

The initial setup was pretty straightforward. Getting it communicating with the firewalls and the management server were the big pieces.

What about the implementation team?

Well, when we first started, it was through a reseller. Then, as we're bringing in SecureChange, we have been doing all that ourselves.

The reseller was Structured Communications, who is in Portland. It was part of a package deal that we built with them. Our experience with them was good. We used them a lot.

What was our ROI?

We don't have to go through our firewall group, who actually does the rules. They don't have to create tickets to send to us, then take a couple of days to get all that stuff built and put in place. Now, it is usually the same day, or within a day.

This solution helped us to reduce the time it takes to make changes. We used to spend up to an hour to do a change, and now, it's around five minutes.

Engineers are spending less time on manual processes. They are now spending half their time on manual processes, 20 to 30 minutes, because we don't have to go out and touch things anymore.

We're still in the process of implementing things, so we haven't really seen a lot of return yet, but we're hoping.

What other advice do I have?

It is a good solution, somewhat easy to implement, and gives you a lot of information. It takes time to learn all the little nuances of it.

I don't think we're using cloud native security quite yet.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user489219 - PeerSpot reviewer
Senior Security Engineer at a hospitality company with 1,001-5,000 employees
Vendor
We use SecureTrack for tracking unused rules. I’d like to see the application topology developed more.

Valuable Features

We use SecureTrack for tracking unused rules, tracking risky rules for compliance, and policy optimization, which I think is the best because you get duplicate objects and you get covered rules. I would say that trying to tune your policy and get rid of unused rules is the most valuable for us.

Improvements to My Organization

At the moment, we have not really found any other side benefits, but we will be implementing SecureChange which will then allow us to track changes. The topology feature will show us what devices in the pack need to be touched. Depending on the complexity of the routing and knowledge of the environment by the engineers, policies could be missed that need the rules. That particular aspect is going to help us a lot.

Room for Improvement

I’d like to see the application topology developed more. You have a database layer, a web front end and other applications that, along with the policy rules, have a path that they need to take and they need to traverse several devices. That gives you almost like a network topology of the applications and I believe that you're going to be able to use that for compliance also. I can’t think of any other configurations I’d like to see right now. Nothing's perfect.

With change restrictions, we can't remediate things immediately, but Tufin gives us the information we need to then submit a change, to go ahead and clean up the policy.

Stability Issues

We have not come across any stability issues. We support the platform, we support all of our platforms and that's the one that we've had to do the least amount of support for, but I can't speak for the other engineers.

Scalability Issues

I don't know how many devices we have in there but there hasn't been a problem. We have several business units with multiple devices across each business unit. I don't believe that I've come across a problem getting a large amount of devices in.

Customer Service and Technical Support

Tufin’s technical support engineers seemed to be knowledgeable and very helpful.

Initial Setup

I helped import devices for a specific business unit I was supporting at the time. I found it to be very intuitive and not hard to use at all.

Other Advice

If you're in a large environment, a large enterprise, it's a good tool. It does certainly help with the workload. For the app team who are trying to develop the applications, it makes them more accountable for how it's supposed to work.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user479352 - PeerSpot reviewer
Network Consultant at a healthcare company with 1,001-5,000 employees
Real User
There's a Lot of Depth to the Product, From Automation to Reporting Capabilities.

Valuable Features:

Tufin provides insights through various reporting capabilities. It provides a level of insight into change that didn't exist before and gives us the ability to validate changes against business needs. It has also allowed us to automate certain functions. We are still very new at it, but we have been able to leverage some of the automation capabilities to begin to clean up our environment. We haven't gotten into the SecureApp module yet.

There are some report capabilities that we weren't aware of when we purchased the product. They're kind of in a hidden area. One of the reports is called the permissiveness report and it uses some type of algorithm to measure risk of rules, rule bases and firewalls. We're still exploring a lot of the reporting capabilities. There's a lot of depth to the product.

Room for Improvement:

There are capabilities to measure risk and to report on non-compliance access and rules, and you want to clean that up naturally. Unfortunately, the automated cleanup only works for Cisco right now, and doesn't work for Check Point. We have been told that that's on the roadmap, hopefully for 2016, but automated rule cleanup and rule removal are probably the biggest deficiencies that we've encountered at this point.

In addition, the SecureTrack product is not as seamless as I would like it to be with SecureApp and SecureChange, but that's also on the roadmap to correct. If you are in SecureTrack and you want to use SecureChange, you actually have to log in to SecureChange.

Use of Solution:

We have only had the product for four or five months.

Stability Issues:

There have been no problems with stability.

Scalability Issues:

We have about 22,000 rules and 120 devices that we're monitoring. We haven't had any scalability problems.

Initial Setup:

There's a little bit of a learning curve, particularly with the depth of the product, but it's not difficult.

Other Advice:

I would rate it a nine out of ten, comparing it to other solutions in the market and the value that it’s provided to us already. I lowered the score because of the deficiencies I wrote about previously, but didn’t lower it that much because they are aware of it, they have addressed our questions, and they have it on the roadmap.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user466632 - PeerSpot reviewer
Manager, Security Engineering and Operations at a retailer with 1,001-5,000 employees
Real User
We can provide evidence that nothing's getting into the environment that isn't already approved to go in.

Valuable Features

With the firewall policy management with Check Point, we found great value in the tracking, specifically given that we use rules and we use objects within those rules. It's very helpful to provide evidence of PCI (Payment Card Industry) compliance during our yearly PCI audits. PCI is a set of data security standards that's published by the card holders: VISA, MasterCard, Discover, and American Express.

We can provide evidence that nothing's getting into that environment that isn't already approved to go in.

Improvements to My Organization

We are in the process of automating our firewall rule management and requests, and we are looking into SecureChange and SecureApp. We're also trying to use it as a tool to collaborate with the application owners so that we can better manage documentation around data flows.

Room for Improvement

We're spinning up AWS for our development environment, so we're going to be leveraging the Check Point instance at AWS. So we want to get visibility, monitor rules, and use the policy management just like we've done with our on-premise environment.

Stability Issues

No issues at all.

Scalability Issues

Yes. Originally we had 360 rules, but because of the growth of our environment and our move, it's up to 1100 rules. There are no performance issues.

Customer Service and Technical Support

Great technical support. Tufin also has great sales and presales teams, and we’ve been able to leverage their engineering support as well. They have been very helpful.

Initial Setup

We initially deployed the product to look at a couple of our gateways, and then we decided to upgrade and expand it to all of our gateways. So I was involved in that upgrade. We expanded our environment, expanded our gateways, and bought some additional licenses.

Other Solutions Considered

No. Even though we’ve expanded the use of it here, we've always used Tufin. I also used Tufin at a previous employer.

Other Advice

The most important criteria for me is hit count, how often the rules are being used and visibility. All of that is critical information to optimizing our policies.

I'm the manager of a team of six engineers. The feedback that I get from them – and they're very vocal – is that they love the product. It's great.

I'm a tough rater, and I probably wouldn’t give a 10 to anybody. But I would say Tufin is an 8. As far as software products go, it delivers.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user437130 - PeerSpot reviewer
Head of I.T. Security at an insurance company with 1,001-5,000 employees
Vendor
Optimizing my firewalls and the reporting functionality are the main reasons I initially chose this solution.

What is most valuable?

I find that the most valuable feature is actually optimizing my real firewalls. It shows me any issues. I track the change and it will tell me when it is actually going to affect any other rules or any other applications. That is the biggest feature.

Then the reporting functionality that comes along with it - for one change, this change what, when, etc. This is the main function that I will always be using, as well as positioning of the rules on the rule base and to optimize the firewall for me. Those are the best features and that is what sold me initially.

The thing I like about it is that it's real time, that's the biggest benefit. It helps me with everything that I need to do. Every time we want to make a change we put it in the system and it tells us, OK all good, or it tells you, these, this and this you have to fix. Have a look at it, send it to the service, they have a look at it, mediate, put it through again, and if it is clean it will go.

How has it helped my organization?

It prevents human error. That is the biggest benefit for me as you can load in as much high availability as you wish. Human error is always the thing that is hardest to get rid of as well because now the change team don't question any rule base that we are putting in because of the checks Tufin does prior to the change, so we know the impact is not going to impact anybody else. What the biggest problem was whenever we would change a rule before there was always the question, what is the small thing doing. Now I can do production changes during production time. Due to this, we have seen a positive impact for the company, and that is what they wanted.

What do I think about the stability of the solution?

Small reactive. It is sometimes stuck or kind of jumps, but no actual business impact, but from an IT perspective, whatever we want we are getting on the fly.

What do I think about the scalability of the solution?

It's not actually user intensive, so it does not hamper our power in any way.

How are customer service and technical support?

It is expensive. It cost me about a million, which is quite expensive for us, but the benefit is worth it.

Which solution did I use previously and why did I switch?

I used to have FireMon, and we changed it because of their features. The main feature that made us change was SecureChange, and like I said when you do changes now, assist with the change that you are going to make to see if there is impact to the other, so this is what gives us this feature, now you can assess and say, will it have a problem? That is why it helps with the changes.

What other advice do I have?

I'd definitely say go with Tufin as it's a brilliant solution. What is brilliant is the firewalls themselves. I'd check out Check Point as well to make sure that the solution meets your needs and works with your plans. It doesn't matter what Check Point plans you use, Tufin works with them all.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user437181 - PeerSpot reviewer
Senior Network Engineer at a financial services firm with 1,001-5,000 employees
Vendor
It tells us where to put our policy on both the front and back ends, as well as in the configuration files.

Valuable Features

The most valuable function of Tufin is that it provides compliance tests on security devices. It gives us a great idea of what is going wrong and what we have to do to improve. Then, when we try to apply the solution to our policies, it provides us help in doing so. It tells us where to put our policy on both the front and back ends, as well as in the configuration files.

Room for Improvement

The usability and speed of the solution needs improvement. In our experience, it seems a little bit slow.

Use of Solution

We've had it in place for more than a year now.

Deployment Issues

We've had no issues with deployment.

Stability Issues

The stability of Tufin has been quite good for us. I have no complaints about stability.

Scalability Issues

Honestly, I don't have too many devices running with Tufin, so we don't really have a need to scale much. But I do think that it needs improvement in the area of scalability.

Customer Service and Technical Support

Customer Service:

In our experience, customer service is OK, but the product really doesn't need too much help. It works by itself and is quite stable.

Technical Support:

In regards to technical support, we work with our partner's company, so we don't communicate directly with Tufin.

We co-operate with our partner's company, so we do not communicate directly with Tufin support.

Initial Setup

The initial setup was straightforward.

Implementation Team

The implementation was so simple we did it ourselves without too much help from our partner company, so I can say that it was easy for us to adopt the solution.

Other Solutions Considered

From my perspective, it's a solution that covered all our needs, so it was an easy choice. It was a bargain at the price point.

Other Advice

For us, it works, so why can't it work for you?

Disclosure: I am a real user, and this review is based on my own experience and opinions.