Our primary use case is for automation and orchestration.
Manager at a manufacturing company with 10,001+ employees
Enables us to automatically check if a change request will violate any security policy rules but they should get rid of the REST APIs
Pros and Cons
- "The change workflow process is flexible and customizable. We have one guy who has never logged into Tufin ever in his life. He sits down and in 30 minutes had written an automation routine, then went back and changed it. He did that with no training. For me, that is a major benefit."
- "I would like to see them get rid of the REST APIs and use something more modern."
- "I would also like to see them do more cloud integration within the Tufin Orchestration Suite, not within a SaaS solution."
What is our primary use case?
How has it helped my organization?
We use Tufin to automatically check if a change request will violate any security policy rules. One of the things we want to do is to have a blacklist/whitelist policy. A blacklist of things that can never be allowed and a whitelist of things which are always allowed. I want this tool to block or report ports that should not be used, putting somebody in a change. In addition to that, I want it to be able to block people from mapping IP addresses in North Korea, Iran, or whatever is on the blacklist.
Our corporate policy mandates that we can only make changes to our firewalls daily. Once we get ServiceNow integrated with our whitelist policy, Tufin should be able to initiate the change and get us to reduce time.
It should help us meet our compliance mandates going forward. It is replacing AlgoSec.
What is most valuable?
The ease of use is the most valuable feature.
The change workflow process is flexible and customizable. We have one guy who has never logged into Tufin ever in his life. He sits down and in 30 minutes had written an automation routine, then went back and changed it. He did that with no training. For me, that is a major benefit.
The two reasons that we wanted Tufin:
- The single pane of glass, so our Tier 1 and Tier 2 could make changes.
- The network mapping which is something that we have never had before.
What needs improvement?
- I would like to see them get rid of the REST APIs and use something more modern.
- I would also like to see them do more cloud integration within the Tufin Orchestration Suite, not within a SaaS solution.
- I would like them to move their community support off of Google and onto something more long-term.
Buyer's Guide
Tufin Orchestration Suite
November 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,660 professionals have used our research since 2012.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
So far, stability has been good.
What do I think about the scalability of the solution?
It has already pulled in all our Layer 3 switches and routers across the company.
I don't know if I can expand on the cloud yet.
How are customer service and support?
We bought premium support. I have heard from my team that they are great.
Which solution did I use previously and why did I switch?
We switched from AlgoSec because they had horrible customer support, and difficult change management and processes.
How was the initial setup?
The initial setup was very straightforward. It was done in five days, which is pretty cool.
What about the implementation team?
We used Tufin for the deployment. We had a positive experience with them.
Which other solutions did I evaluate?
We compared AlgoSec, Tufin, and Skybox side-by-side. Originally, the team chose Skybox. They threw in what a lot of other groups had wanted, like the network team, security team, and DevOps team. When I sat them down (because I voted Tufin), I asked them why and they gave me all of the explanations that were all somebody else's reasons, not ours. I told them that this tool is for us and we needed a true orchestration automation tool. Not one that supports everyone else's automation, and we need one for firewalls.
What other advice do I have?
I would rate it a seven out of ten.
I would advise someone considering this type of solution to not listen to the sales teams among the competitors. They all throw each other under the bus and a lot of it is not true. Tufin's competitors will tell you how bad of a company that Tufin is and how you can't trust them, and how their stuff doesn't work. Then, Tufin doesn't say anything bad about their competitors. So, don't trust everything that you hear.
Do your own research. Do a proof of concept. Get all of the vendors in. Give it a month to test drive. Set it up and let them prove it out. In the end, the correct tool, not the better salesman, will win.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Engineer at Allegiant Air
The revision reports are phenomenal, as they really help us to see what was changed and when
Pros and Cons
- "Tufin is our audit trail for all changes. We have to be PCI compliant, and it's the tool we go to for enforcing PCI on the network side."
- "I would like to see more expansion into the cloud and documentation needs improvement. When I try to do something new in the product, the documentation is no help. Something's written there, but it's not enough to help you do what you want to do."
- "The policy browser has had trouble working. We have experienced bugs."
What is our primary use case?
We use Tufin for two purposes:
- To track all changes on our network equipment, our Cisco gear, F5s, and Check Point.
- We use SecureChange. So, we submit any firewall change through SecureChange, then we use that for the approval process. We are trying to have it end-to-end, where it provisions the device, but we're not there yet.
How has it helped my organization?
Tufin is our audit trail for all changes. We have to be PCI compliant, and it is the tool that we go to for enforcing PCI on the network side.
The change workflow process has been customizable and functional for us.
It has helped us meet our compliance mandates.
What is most valuable?
The revision reports are phenomenal. They really help us out to see what changed, when, and who, most importantly. Some of the other reporting that we audit and clean up have been really valuable for us.
The visibility is great. We have found the policy browser to be very useful. It is a fairly new feature.
What needs improvement?
I would like to see more expansion into the cloud and documentation needs improvement. When I try to do something new in the product, the documentation is no help. Something's written there, but it's not enough to help you do what you want to do. We would like more examples and use cases.
The cloud is fairly new to Tufin. We have AWS. Their first steps into providing audits on the cloud have been really helpful, but we ourselves don't know how we're going to manage the cloud. One of the features that we didn't like is the controlling of the security groups. We can read them but there's no way to change them or to really control them through Tufin. That would be a nice addition.
We are currently working on a bunch of automation to include Tufin. We need security group management (security group modification for Cisco devices). That is what we need from Tufin going forward. We can't go live with the total automation because there are pieces missing, e.g., you cannot update the service group.
What do I think about the stability of the solution?
It has been very stable. Though, the policy browser has had trouble working. We have experienced bugs.
What do I think about the scalability of the solution?
We have a lot of devices on it now.
How are customer service and technical support?
The technical support is hit or miss. More miss than hit. It takes them a while to understand what the issue is. They don't know where to go in the product right away. A lot of stuff gets escalated to R&D, and even that is a very slow process. When it goes to R&D, it's really slow. We've had the same issue for months. They say it'll be fixed in the next release, then we'll get the next release, and it's even worse.
What about the implementation team?
We deployed it ourselves.
What other advice do I have?
We are really interested in the Tufin Orca product.
- For visibility in the network, I would rate the product as a nine out of ten.
- For usability, I would rate the product as a seven out of ten.
- For liability, I would rate the product as a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Security at a tech services company with 5,001-10,000 employees
We can have automated reports, even with security and compliance
Pros and Cons
- "We can get reports with Tufin at any time. We can have automated reports, even with security and compliance."
- "I would like to simplify the reports, and maybe have another view besides the charts. Possibly they could be more graphical."
What is our primary use case?
The primary case is to get more compliance and security with good performance. We use Tufin to use some Check Point products. The product is for the way we manage our security, performance, and boxes.
How has it helped my organization?
The change impact analysis has been very good. We continue to improve.
The change workflow process is flexible and customizable. Right now, we are using SecureChange, which is improving the rules that get applied to Check Point.
We use the solution to automatically check if a change request will violate any security policy rules by generating a Sunday email report in these types of situations.
Using the Tufin reports, for internal and external audits, is a way we can demonstrate how we made compliance. After any of the observation that we get from the audits, we just run the reports one more time to see if our changes are being successfully applied and everything is working according to the requirements.
Tufin has been very helpful to get a lot of groups changed and getting all the information inputted on a tool, then later applied on the device.
What is most valuable?
We can get reports with Tufin at any time. We can have automated reports, even with security and compliance.
The visibility is very good, as it incorporates graphics with some charts and comparisons. So, we have very good visibility for the entire tool.
What needs improvement?
I would like to simplify the reports, and maybe have another view besides the charts. Possibly they could be more graphical.
I would like to see them continue improving the versions.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
The stability has been improved, even person by person. It is even stronger in a way.
What do I think about the scalability of the solution?
The scalability is according to the performance that we are experiencing. Therefore, we are getting more devices on this tool, so it has been very helpful for us.
How are customer service and technical support?
I haven't used their technical support.
How was the initial setup?
The initial setup was very simple. We could obtain deep knowledge information from Tufin's knowledge base (KB).
What was our ROI?
The solution has helped us to reduce the time it takes to make changes. With Tufin, it takes ten to 15 minutes. Before, it was 30 minutes or more.
What other advice do I have?
I would recommend Tufin. They are very helpful for IT organizations, as they continue improving SecureChange.
With our security plan, we can see how Tufin meets the basic requirements. Then, we can go and customize if there is any risk, which might be interfering with ports or external networks.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Provides great visibility, allows us to automate the entire change process, and saves A LOT of time
Pros and Cons
- "Visibility is its largest and most valuable feature. You can see everything or all the devices on the network for each customer. It provides you a larger view of what might be wrong with the network and how you can improve it with firewall rules, etc. If you are talking about secure change, being able to automate the entire change process is pretty much the winner for us. It is going to really reduce the time that it takes for us to do changes, and we can just go out and get more customers."
- "They've got such a large number of APIs, and it is so easy to use their APIs. Effectively, they allow us to use it with anything. The only way to improve it more is by offering support for implementing their APIs into certain hardware or software that we might use. They can provide support for implementing APIs."
What is our primary use case?
Some of our customers have Tufin, and we manage it. We're also planning to have our own Tufin that we're going to use as a leveraged service for all of our customers.
What is most valuable?
Visibility is its largest and most valuable feature. You can see everything or all the devices on the network for each customer. It provides you a larger view of what might be wrong with the network and how you can improve it with firewall rules, etc.
If you are talking about secure change, being able to automate the entire change process is pretty much the winner for us. It is going to really reduce the time that it takes for us to do changes, and we can just go out and get more customers.
What needs improvement?
They've got such a large number of APIs, and it is so easy to use their APIs. Effectively, they allow us to use it with anything. The only way to improve it more is by offering support for implementing their APIs into certain hardware or software that we might use. They can provide support for implementing APIs.
For how long have I used the solution?
We have been using this solution for three months.
How are customer service and technical support?
I have not contacted their technical support.
Which solution did I use previously and why did I switch?
We didn't work with any similar product, but we are just going with secure track and secure change, not secure cloud and secure app. That's all that we really need at this time, and obviously, we will work with Tufin in the future if we need more.
How was the initial setup?
A few of our clients have decided to implement Tufin themselves, whilst we just manage their firewalls. We were not involved in the setup of the management suite. However, after seeing the benefits of this, we have heavily considered the use of Tufin on a number of our other clients we manage.
We have identified that setup is a part of this and in our conversations with Tufin sought to address this. They offer a service for the full setup of the platform for use as an MSSP, and then provide a hand-off service towards the end of this setup process which teaches engineers how to set up the remaining required devices.
For the full functionality, Tufin utilises all L3 devices on the network, so setup can be quite daunting. However, we identified that it would take ~30 minutes per L3 device, some of which can be done simultaneously. This is the biggest drawback to Tufin integration. However, Tufin can be used to some degree without this, meaning you can reap the benefits of it sooner rather than later.
What was our ROI?
What we found is that the return on investment will be pretty quick. This is because of the time saving that Tufin offers in FW changes, we can implement more changes at a faster rate. This has huge savings for employee's workload and the cost of their work. We have freed up a large majority of our FW engineer's time. The huge ROI we witnessed has resulted in us identifying that we can go to market to gain more customers and really broaden our customer base without the 'con' of hiring more people.
What's my experience with pricing, setup cost, and licensing?
Because we're quite a large company, the initial price wasn't too much of a factor for us. This is because the ROI was so significant for us.
Which other solutions did I evaluate?
We identified others, like FireMon and Skybox; however, we found that they were not as mature as Tufin, not offering the same range of firewall vendors, e.g. Palo Alto, Check Point, etc., and the same level of automation.
What other advice do I have?
I would advise others to definitely work with Tufin and work out the best costs. Work out how soon you'll realize your return on investment. That has been a major kind of help. They've been brilliant in trying to help us develop a business case for using it, and then internally, I am sure there will be a massive help for implementing it in the future.
I would rate Tufin a nine out of ten based on the whole experience that we've had with it and the real kind of capabilities of the product.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at BCBSMA
Enables us to perform self-audits and use rule-based accountability
Pros and Cons
- "The most valuable features are the Security Risks and Best Practices reporting/Rule base cleanup."
- "I feel that the user interface is a bit dated."
What is our primary use case?
Our primary use case for this solution is for audit and firewall rule base management.
How has it helped my organization?
Tufin allows us to perform self-audits and use rule-based accountability.
What is most valuable?
The most valuable features are the Security Risks and Best Practices reporting/Rule base cleanup.
What needs improvement?
I feel that the user interface is a bit dated. The product version updates should be automated, and the reports could be a bit cleaner.
For how long have I used the solution?
More than five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Information Security Architect at First Citizens Bank
Provides a single pane of glass to see what all our different policies are doing
Pros and Cons
- "One of the main things is to look at what policies haven't been hit, so we can remove those remnant policies when people come in, use it, and it's still left on the Check Point. So when a couple of users say, "This is not needed anymore." We'll remove it."
- "We like the change impact analysis capabilities quite a bit. The only weakness is that the reporting is a bit clunky. We would like to have the reporting be better."
What is our primary use case?
We use it to manage our policies, consolidate them, and if we see anything missing, we can use it to track that, as well.
Right now, we're mainly on-premise. So, the cloud piece is not being used right now. However, in the future, we will use it. I think it will help tremendously to get a good picture across the board.
How has it helped my organization?
One of the main things is to look at what policies haven't been hit, so we can remove those remnant policies when people come in, use it, and it's still left on the Check Point. So when a couple of users say, "This is not needed anymore." We'll remove it.
What is most valuable?
The capability to manage: We have different domains, so we want to have a single pane of glass to see what all the different policies are doing.
What needs improvement?
We like the change impact analysis capabilities quite a bit. The only weakness is that the reporting is a bit clunky. We would like to have the reporting be better.
Right now, it is being used retroactively. There was talk with the rep this morning that they can do this proactively. In other words, we see the policy, and if it's not needed, then it can be removed, or add new policies, as needed.
What do I think about the stability of the solution?
We feel that it is a very good solution. So, we'll probably use it going forward.
What do I think about the scalability of the solution?
This is one of the things that we do like about the solution, which is why we went with it.
How are customer service and technical support?
The technical support has been very good. I would like it to be a little faster, but it's good.
How was the initial setup?
There were some hiccups in the initial setup. In using the new features, there was a learning curve. However, for the most part, it was fairly straightforward.
What about the implementation team?
We hired people that have done the deployment in the past. So, we did it all ourselves.
What was our ROI?
Manually looking at the policies is very time-consuming. With this product, I think we've streamlined the process tremendously.
Which other solutions did I evaluate?
We like the visibility. That's why we went with this solution over other competitors.
What other advice do I have?
It does what it needs to do for our needs.
We are in the process of doing a PoC for the new changes.
Currently, it's all reactive. We do the changes, then we review it at a later time.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer at a financial services firm with 10,001+ employees
Helps us with troubleshooting to find out what changed. Patching and speed are issues.
Valuable Features
The governance feature is handy in the process flow. Tufin is easy for an average user to be able to put in their request and have it automatically assigned to other firewalls.
We are able to review changes from the previous day to be able to compare if there's a change that goes in from one day to the next, if there's an issue, we can see what change has occurred. You can see that through the reporting. It's quick to go and pull up what changed between the two days. It works great for the users to be able to put it in. And then troubleshooting afterward if something happened to find out what had changed.
Improvements to My Organization
It has come a long way. Compared to where we were, it's significantly better. We were using an internal process that was intensive. This is clearly better.
Room for Improvement
From my limited use of it directly as a user, I don't think it's efficiently comparing. We were looking for a 2 of 3 match that haven’t used the same rule, and it's not working as well. It's adding additional rules into our policy at times. It could be more effective than that. I’d like it to add fewer rules but still keep the same security posture.
We’ve also had issues with speed, and it needs to be a bit more reliable. It definitely slows up. Sometimes, just when I log in, it didn't connect me to the system or we've had to do some emergency patches on it and it would take 10 or 15 minutes to get logged in. That was kind of weird and that's happened a couple times. I think it is user-friendly, outside of the things our own internal people have added and made it a little confusing.
I think the app could be a little bit improved in the way that it selects objects.
Stability Issues
From my user perspective, I think patching is an issue. I haven't done it, but I know they had to. It got slow, and there were issues getting connected in to it. Everything was running slow a few different times. We’ve had to contact support. There's been times we've lost a day and a half of usage.
Customer Service and Technical Support
I have not had to use technical support.
Implementation Team
I was not part of the implementation.
Other Advice
It works well. It’s something you would send a colleague to use. It gives a nice process flow as far as the end user putting something in, having governance check, and being able to have multiple work screens because we have different areas of the company and different processes. They have to have different work flows. We use multiple work flows. That's handy. You can build those in, you select from the beginning and then you're off and running.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Network Security Engineer at a hospitality company with 1,001-5,000 employees
The most valuable feature that I've found is rule optimization. Another benefit is the complete set of all rules.
Valuable Features
The most valuable feature that I've found is rule optimization. If the rule has massive hits and if I want to remove that rule, I can put that rule into the SecureTrack change. After a few weeks, it will tell me that these are all the IP addresses that it is hitting, and this is all the traffic that it is hitting. It provides all sorts of other information too. That's one of the features that I like in Tufin.
Having total compliance is a benefit. When our compliance department tells us that there is a rule that says IP such-and-such, and that we have to remove that rule, it’s never easy for us to directly remove a rule until and unless we have some traffic analysis and so on.
Another benefit is the complete set of all rules. If I have to find a particular object, Tufin provides a search feature. That's one of the good features in Tufin. If you have more than 100 or 200 firewalls and 100 or 200 policies, and each and every policy has a humungous amount of rule numbers, it can give you detailed reports, as well as the search feature.
Room for Improvement
I would like to see improvements in historic views of rules - stating that this rule hasn't been used for the past one year, that this rule hasn't had many hits, these are all of the shadowed rules and these are all of the unshadowed rules - so we can narrow down the rule base. That's probably one of the aspects that I would like. If Tufin can help me out with that, that would be nice too.
It needs improvement with rule optimization and compliance.
Tufin product is good, but it requires a lot of CPU overhead. It might be because of the rule base we have. It might be due to other factors, but it's kind of slow for us. I would like to see an improvement in speed, as well.
Stability Issues
It's been stable. No complaints yet, except for the upgrade. The upgrade takes a little long, but that's fine. I believe that’s because of the vastness of our environment.
Scalability Issues
We probably have more than 2,000 rules for each and every policy. It depends, 1,000 rules, 2,000 rules, somewhere in between. We have a pretty massive rule base, and it's giving good reports.
Customer Service and Technical Support
Involvement with the technical support team went well. They are cooperative.
Other Solutions Considered
We also use AlgoSec for analysis.
Other Advice
It all depends upon the environment that you’re using. Compare it to other vendors, like FireMon and AlgoSec, and then you can rate the products and decide what to use and what not to use.
Disclosure: I am a real user, and this review is based on my own experience and opinions.