Tufin Orchestration Suite Reviews

The most valuable feature is that we can see what changes are happening on all our security devices at the very moment that they're done, so if any mistakes happen, then we can catch them very quickly before there is a big disaster and outage.

Mistakes like firewall policies where people put in wrong IPs instead of allowing permits and traffic stops. That is why it is very, very important.

On one of my earlier deployments, I was actually able to quickly diagnose about 100 VPNs that went down because one the administrators made a wrong encryption domain in the tech point, so we were able to catch it right away as the change happened. We were able to revert the changes very, very quickly, and it did not cause a long amount of downtime.

We are able to look at any objects that are not used, rule usage, which, for wide-open rules, we can put in tracking on those rules so we can turn down the rulebase, so those are the good benefits. The rulebase actually shows the same way for all the devices, so if you have checkpoint firewalls, or if you have five load balancers, you can actually have a similar view of all this, so you can understand it very easily.

The other good part is that whenever changes happen, we have to go through change control. We can put in our changer card numbers, and then those all come in the dashboard as the changes that were done on that particular change record, so then you can correlate the changes to a particular request which was approved.

New features would be when you look for any of the rules that are unused, then I would like to see whether there was a way to also make sure that the objects that exist are actually live or not. What I mean to say is, if you have a server that you had allowed in the rulebase, and you decommission the server, now the rulebase is there, which shows their logs, but I want to make sure that the server is actually decommissioned and not still alive. If there is a way that we can check for those objects, whether those objects still are alive in the network, that would be great.

I've been using the product since 2007, since its very early stages.

At one time, it had processed for a year. When I was in my previous company, I had installed one of the T500 boxes, and it had actually processed about 2.7 terabytes of logs, and we were able to trim down the biggest firewall. We now do about 11,000 rules, and they had never been cleaned for about five or six years, so by the end of the whole exercise, we trimmed down the rule base to less than 300 rules.

I've used about 200+ devices. That was all the environment was, so I definitely know, talking to other customers who have thousands of devices, so it scales very well.

Technical support is great. I've worked with several people within the company.

It was straightforward. I was able to get all my firewalls and a lot of the other networking devices in less than half a day.

I compared it to the usability and the easy way to actually add devices. We compared it to AlgoSec and FireMon. Both of them I did not feel were very intuitive to work with, so a lot of training would be required.

Just buy it. Don't even think about any other product. Just buy it.

Our primary use case if for risk compliance. 

The change workflow process is flexible and customizable. 

It has helped us to meet our compliance mandates. We have some requirements that we need to provide more visibility on the risk levels of our firewall base, and Tufin helped us with that requirement. 

The USB is the most valuable feature for us. Inside of Tufin, we are planning to leverage the USB solution.

The visibility is excellent. We have a better view of our compliance status. 

I would like to see an improved reporting model that can be flexible for us to generate our own reports. The data is already there. 

It has been very stable since 2017. We haven't had any power problems. As far as hardware goes, it's been very stable. In the software, we found some bugs, but we're working with support to fix them.

Scalability is very good. We are planning to add more entities this year. 

Technical support is satisfactory at the moment. 

The initial setup was very straightforward. 

We did most of the onboarding ourselves. 

We also looked at AlgoSec. 

I was part of the decision-making process.

I would rate it an eight out of ten. It's very easy to use and you can get good results very quickly. 

We don't use the cloud native security features yet.

Our primary use case is for automation and orchestration.

We use Tufin to automatically check if a change request will violate any security policy rules. One of the things we want to do is to have a blacklist/whitelist policy. A blacklist of things that can never be allowed and a whitelist of things which are always allowed. I want this tool to block or report ports that should not be used, putting somebody in a change. In addition to that, I want it to be able to block people from mapping IP addresses in North Korea, Iran, or whatever is on the blacklist.

Our corporate policy mandates that we can only make changes to our firewalls daily. Once we get ServiceNow integrated with our whitelist policy, Tufin should be able to initiate the change and get us to reduce time.

It should help us meet our compliance mandates going forward. It is replacing AlgoSec.

The ease of use is the most valuable feature. 

The change workflow process is flexible and customizable. We have one guy who has never logged into Tufin ever in his life. He sits down and in 30 minutes had written an automation routine, then went back and changed it. He did that with no training. For me, that is a major benefit.

The two reasons that we wanted Tufin

1. The single pane of glass, so our Tier 1 and Tier 2 could make changes.
2. The network mapping which is something that we have never had before.

• I would like to see them get rid of the REST APIs and use something more modern. 
• I would also like to see them do more cloud integration within the Tufin Orchestration Suite, not within a SaaS solution. 
• I would like them to move their community support off of Google and onto something more long-term.

So far, stability has been good. 

It has already pulled in all our Layer 3 switches and routers across the company.

I don't know if I can expand on the cloud yet.

We bought premium support. I have heard from my team that they are great. 

We switched from AlgoSec because they had horrible customer support, and difficult change management and processes. 

The initial setup was very straightforward. It was done in five days, which is pretty cool.  

We used Tufin for the deployment. We had a positive experience with them. 

We compared AlgoSec, Tufin, and Skybox side-by-side. Originally, the team chose Skybox. They threw in what a lot of other groups had wanted, like the network team, security team, and DevOps team. When I sat them down (because I voted Tufin), I asked them why and they gave me all of the explanations that were all somebody else's reasons, not ours. I told them that this tool is for us and we needed a true orchestration automation tool. Not one that supports everyone else's automation, and we need one for firewalls.

I would rate it a seven out of ten. 

I would advise someone considering this type of solution to not listen to the sales teams among the competitors. They all throw each other under the bus and a lot of it is not true. Tufin's competitors will tell you how bad of a company that Tufin is and how you can't trust them, and how their stuff doesn't work. Then, Tufin doesn't say anything bad about their competitors. So, don't trust everything that you hear. 

Do your own research. Do a proof of concept. Get all of the vendors in. Give it a month to test drive. Set it up and let them prove it out. In the end, the correct tool, not the better salesman, will win.

We use Tufin for two purposes: 

1. To track all changes on our network equipment, our Cisco gear, F5s, and Check Point. 
2. We use SecureChange. So, we submit any firewall change through SecureChange, then we use that for the approval process. We are trying to have it end-to-end, where it provisions the device, but we're not there yet. 

Tufin is our audit trail for all changes. We have to be PCI compliant, and it is the tool that we go to for enforcing PCI on the network side.

The change workflow process has customizable and functional for us.

It has helped us meet our compliance mandates.

The revision reports are phenomenal. They really help us out to see what changed, when, and who, most importantly. Some of the other reporting that we audit and clean up have been really valuable for us. 

The visibility is great. We have found the policy browser to be very useful. It is a fairly new feature. 

I would like to see more expansion into the cloud and documentation needs improvement. When I try to do something new in the product, the documentation is no help. Something's written there, but it's not enough to help you do what you want to do. We would like more examples and use cases.

The cloud is fairly new to Tufin. We have AWS. Their first steps into providing audits on the cloud have been really helpful, but we ourselves don't know how we're going to manage the cloud. One of the features that we didn't like is the controlling of the security groups. We can read them but there's no way to change them or to really control them through Tufin. That would be a nice addition.

We are currently working on a bunch of automation to include Tufin. We need security group management (security group modification for Cisco devices). That is what we need from Tufin going forward. We can't go live with the total automation because there are pieces missing, e.g., you cannot update the service group.

It has been very stable. Though, the policy browser has had trouble working. We have experienced bugs.

We have a lot of devices on it now.

The technical support is hit or miss. More miss than hit. It takes them awhile to understand what the issue is. They don't know where to go in the product right away. A lot of stuff gets escalated to R&D, and even that is a very slow process. When it goes to R&D, it's really slow. We've had the same issue for months. They say it'll be fixed in the next release, then we'll get the next release, and it's even worse.

We deployed it ourselves.

We are really interested in the Tufin Orca product.

• For visibility in the network, I would rate the product as a nine out of ten. 
• For usability, I would rate the product as a seven out of ten. 
• For liability, I would rate the product as a nine out of ten. 
  

The primary case is to get more compliance and security with good performance. We use Tufin to use some Check Point products. The product is for the way we manage our security, performance, and boxes.

The change impact analysis has been very good. We continue to improve. 

The change workflow process is flexible and customizable. Right now, we are using SecureChange, which is improving the rules that get applied to Check Point.

We use the solution to automatically check if a change request will violate any security policy rules by generating a Sunday email report in these type of situations.

Using the Tufin reports, for internal and external audits, is a way we can demonstrate how we made compliance. After any of the observation that we get from the audits, we just run the reports one more time to see if our changes are being successfully applied and everything is working according to the requirements.

Tufin has been very helpful to get a lot of groups changed and getting all the information inputted on a tool, then later to applied on the device. 

We can get reports with Tufin at anytime. We can have automated reports, even with security and compliance.

The visibility is very good, as it incorporates graphics with some charts and comparisons. So, we have very good visibility for the entire tool.

I would like to simplify the reports, and maybe have another view besides the charts. Possibly they could be more graphical.

I would like to see them continue improving the versions.

The stability has been improved, even person by person. It is even stronger in a way.

The scalability is according to performance that we are experience. Therefore, we are getting more devices on this tool, so it has been very helpful for us.

I haven't used their technical support.

The initial setup was very simple. We could obtain deep knowledge information from Tufin's knowledge base (KB).

The solution has helped us to reduce the time it takes to make changes. With Tufin, it takes ten to 15 minutes. Before, it was 30 minutes or more.

I would recommend Tufin. They are very helpful for IT organizations, as they continue improving SecureChange.

With our security plan, we can see how Tufin meets the basic requirements. Then, we can go and customize if there is any risk, which might be interfering with ports or external networks.

Some of our customers has Tufin, and we manage it. We're also planning to have our own Tufin that we're going to use as a leveraged service for all of our customers.

Visibility is its largest and most valuable feature. You can see everything or all the devices on the network for each customer. It provides you a larger view of what might be wrong with the network and how you can improve it with firewall rules, etc. 

If you are talking about secure change, being able to automate the entire change process is pretty much the winner for us. It is going to really reduce the time that it takes for us to do changes, and we can just go out and get more customers.

They've got such a large number of APIs, and it is so easy to use their APIs. Effectively, they allow us to use it with anything. The only way to improve it more is by offering support for implementing their APIs into certain hardware or software that we might use. They can provide support for implementing APIs.

We have been using this solution for three months.

I have not contacted their technical support.

We didn't work with any similar product, but we are just going with secure track and secure change, not secure cloud and secure app. That's all that we really need at this time, and obviously, we will work with Tufin in the future if we need more.

A few of our clients have decided to implement Tufin themselves, whilst we just manage their firewalls. We were not involved in the setup of the management suite. However, after seeing the benefits of this, we have heavily considered the use of Tufin on a number of our other clients we manage.

We have identified that setup is a part of this and in our conversations with Tufin sought to address this. They offer a service for the full setup of the platform for use as an MSSP, and then providing a hand off service towards the end of this setup process which teaches engineers how to setup the remaining required devices.

For the full functionality, Tufin utilises all L3 devices on the network, so setup can be quite daunting. However, we identified that it would take ~30 minutes per L3 device, some of which can be done simultaneously. This is the biggest drawback to Tufin integration. However, Tufin can be used to some degree without this, meaning you can reap the benefits of it sooner rather than later.

What we found is that the return on investment will be pretty quick. This is because of the time saving that Tufin offers in FW changes, we can implement more changes at a faster rate. This has huge savings for employee's workload and the cost of their work. We have freed up a large majority of our FW engineer's time. The huge ROI we witnessed has resulted in us identifying that we can go to market to gain more customers and really broaden our customer base without the 'con' of hiring more people.

Because we're quite a large company, the initial price wasn't too much of a factor for us. This is because the ROI was so significant for us.

We identified others, like Firemon and Skybox, however we found that they were not as mature as Tufin, not offering the same range of Firewall Vendors, e.g. Palo Alto, Check Point, etc., and the same level of automation.

I would advise others to definitely work with Tufin and work out the best costs. Work out how soon you'll realize your return on investment. That has been a major kind of help. They've been brilliant in trying to help us develop a business case for using it, and then internally, I am sure there will be a massive help for implementing it in the future.

I would rate Tufin a nine out of ten based on the whole experience that we've had with it and the real kind of capabilities of the product.

Our primary use case for this solution is for audit and firewall rule base management. 

Tufin allows us to perform self-audits and use rule-based accountability. 

The most valuable features are the Security Risks and Best Practices reporting/Rule base cleanup.

I feel that the user interface is a bit dated. The product version updates should be automated, and the reports could be a bit cleaner.

We use it to manage our policies, consolidate them, and if we see anything missing, we can use it to track that, as well.

Right now, we're mainly on-premise. S,o the cloud piece is not being used right now. However, in the future, we will use it. I think it will help tremendously to get a good picture across the board.

One of the main things is to look at what policies haven't been hit, so we can remove those remnant policies when people come in, use it, and it's still left on the Check Point. So when a couple of users say, "This is not needed anymore." We'll remove it.

The capability to manage: We have different domains, so we want to have a single pane of glass to see what all the different policies are doing.

We like the change impact analysis capabilities quite a bit. The only weakness is that the reporting is a bit clunky. We would like to have the reporting be better.

Right now, it is being used retroactively. There was talk with the rep this morning that they can do this proactively. In other words, we see the policy, and if it's not needed, then it can be removed, or add new policies, as needed.

We feel that it is a very good solution. So, we'll probably use it going forward.

This is one of the things that we do like about the solution, which is why we went with it.

The technical support has been very good. I would like it to be a little faster, but it's good.

There were some hiccups in the initial setup. In using the new features, there was a learning curve. However, for the most part, it was fairly straightforward.

We hired people that have done the deployment in the past. So, we did it all ourselves.

Manually looking at the policies is very time-consuming. With this product, I think we've streamlined the process tremendously.

We like the visibility. That's why we went with this solution over other competitors.

It does what it needs to do for our needs.

We are in the process of doing a PoC for the new changes.

Currently, it's all reactive. We do the changes, then we review it at a later time.