Tufin Orchestration Suite Reviews

We use Tufin for two purposes: 

1. To track all changes on our network equipment, our Cisco gear, F5s, and Check Point. 
2. We use SecureChange. So, we submit any firewall change through SecureChange, then we use that for the approval process. We are trying to have it end-to-end, where it provisions the device, but we're not there yet. 

Tufin is our audit trail for all changes. We have to be PCI compliant, and it is the tool that we go to for enforcing PCI on the network side.

The change workflow process has customizable and functional for us.

It has helped us meet our compliance mandates.

The revision reports are phenomenal. They really help us out to see what changed, when, and who, most importantly. Some of the other reporting that we audit and clean up have been really valuable for us. 

The visibility is great. We have found the policy browser to be very useful. It is a fairly new feature. 

I would like to see more expansion into the cloud and documentation needs improvement. When I try to do something new in the product, the documentation is no help. Something's written there, but it's not enough to help you do what you want to do. We would like more examples and use cases.

The cloud is fairly new to Tufin. We have AWS. Their first steps into providing audits on the cloud have been really helpful, but we ourselves don't know how we're going to manage the cloud. One of the features that we didn't like is the controlling of the security groups. We can read them but there's no way to change them or to really control them through Tufin. That would be a nice addition.

We are currently working on a bunch of automation to include Tufin. We need security group management (security group modification for Cisco devices). That is what we need from Tufin going forward. We can't go live with the total automation because there are pieces missing, e.g., you cannot update the service group.

It has been very stable. Though, the policy browser has had trouble working. We have experienced bugs.

We have a lot of devices on it now.

The technical support is hit or miss. More miss than hit. It takes them awhile to understand what the issue is. They don't know where to go in the product right away. A lot of stuff gets escalated to R&D, and even that is a very slow process. When it goes to R&D, it's really slow. We've had the same issue for months. They say it'll be fixed in the next release, then we'll get the next release, and it's even worse.

We deployed it ourselves.

We are really interested in the Tufin Orca product.

• For visibility in the network, I would rate the product as a nine out of ten. 
• For usability, I would rate the product as a seven out of ten. 
• For liability, I would rate the product as a nine out of ten. 
  

In my group, we use Tufin to prove recourse. With firewalls, in terms of searching for existing rules, if we are looking for a particular rule, it shows whether an object exists, the network objects that exist. And if it does, it shows what is already in place and if we need to add something here and there. It's basically research analysis.

We use it for pulling your own reports, and checking the existing rule database from different firewalls from different managers.

I think they can improve the speed, although our speed issues might not be related to Tufin. Sometimes it is slow generating the reports, but I guess it depends on your infrastructure, if you have a good enough server. If you have more servers, the better.

If your infrastructure is big, and you're pulling a lot of metrics from many devices, it can be slow. But, if you add more servers, like a database service that reports are being pulled from, that speeds up the report generation a lot.

I know Tufin is great tool and can offer a lot more. I'm sure other groups or other people use it for what my group needs.

We are big, but I don't really know about scalability issues. I don't work on Tufin. I just utilize it. We just added a few more servers. In the last few weeks, the reports were coming pretty fast from busy firewalls.

I didn’t really use customer support. It's pretty self-explanatory when it comes to running reports and pulling metrics.

I was not part of the decision to use it.

We have not thought of using any other solutions. We have had Tufin since I joined the company.

It would be beneficial to get some kind of training from someone who knows the product, maybe from Tufin or someone else familiar with the product and the features. I know it can offer a lot, and you want to use its full potential.

We purchased Tufin for the rule based analysis, so that when we did a Check Point migration from the earlier versions everything was OK. We now have rule based analysis, and we can move in, see unused rules, and try to optimize the rule base.

Tufin enabled us to clean out the rule base pre-migration. There's no point in migrating old and unused rules and objects to a new solution, so we were trying to be a bit proactive. That's why we purchased this solution and we had someone from Interel come over and help us configure it.

SecureChange has been a bit of a challenge. It's been a long time coming, and I guess improvement is also needed in their relationship with the customer to get the initial functions of it working. It's more making the move towards SecureChange which possibly isn't down to them, it's probably down to our relationship with our reseller and nailing each other down. Maybe it's a non-issue. For what we use it for, it's been great.

We've used it for between four and six years.

After a while, we found that we'd not really given it enough TLC for a couple of years. Therefore, we ended up in the situation where we had to get the guys from Interel to fine tune the appliance memory wise because it was little old. By the time we started using it to its full extent, you end up being able to fine tune it and eventually realize even that wasn't going to cut it and we ended up having to virtualize and it seems to be OK now.

We didn't have as much advanced management at that time. Over time, we've merged with other areas of our business and inherited many more advances, bobbles, with that, I think that's where we came across the problem that we wanted so many things active and realized that we did actually need to upscale the deployment.

We originally purchased it mainly for Check Point and then ended up purchasing Cisco ASA and Palo Alto licenses, so we ended up with more stuff than we originally purchased it for. Hence the need to upgrade for VMware and memory.

It has been good. When we've had an issue they've been very good. We were on the phone and I remember a conference with the support guys and they really went out of their way to help us out.

It was fairly easy to deploy. We originally purchased the 500 series appliance, which was mid-range appliance and then we ended up eventually virtualizing that appliance and moving it to VMware, which is what we've now got. I don't remember ever having any major issues.

We did look at another solution, but don't ask me what it was called, I don't even remember. We did look at it at the same time, but it couldn't really do half of the things that Tufin did. I can't remember back that far, but I remember we looked at it and it was all really clunky. It didn't feel right, it didn't do half of the stuff that it was meant to be able to do and it was very slow as well. We pretty much put it out straight away.

It's done a good job. We've not fully utilized all of its features, we've hardly scratched the surface really, it's a powerful bit of tech and we've pretty much used it for a specific purpose that we purchased it for and realized it can be used a lot more, having said that we ended up purchasing second shares as well. We are now in the process of testing SecureChange because that was something that was really pushed through quite recently.

For us it works, it's a great solution, but that's not to say that there isn't a better one out there. Anyone that looks and researches, they probably look at different supplies of the same solution and make up their own minds really. It is the best tool for the job and technology moves on so, who knows.

We use it to manage our policies, consolidate them, and if we see anything missing, we can use it to track that, as well.

Right now, we're mainly on-premise. S,o the cloud piece is not being used right now. However, in the future, we will use it. I think it will help tremendously to get a good picture across the board.

One of the main things is to look at what policies haven't been hit, so we can remove those remnant policies when people come in, use it, and it's still left on the Check Point. So when a couple of users say, "This is not needed anymore." We'll remove it.

The capability to manage: We have different domains, so we want to have a single pane of glass to see what all the different policies are doing.

We like the change impact analysis capabilities quite a bit. The only weakness is that the reporting is a bit clunky. We would like to have the reporting be better.

Right now, it is being used retroactively. There was talk with the rep this morning that they can do this proactively. In other words, we see the policy, and if it's not needed, then it can be removed, or add new policies, as needed.

We feel that it is a very good solution. So, we'll probably use it going forward.

This is one of the things that we do like about the solution, which is why we went with it.

The technical support has been very good. I would like it to be a little faster, but it's good.

There were some hiccups in the initial setup. In using the new features, there was a learning curve. However, for the most part, it was fairly straightforward.

We hired people that have done the deployment in the past. So, we did it all ourselves.

Manually looking at the policies is very time-consuming. With this product, I think we've streamlined the process tremendously.

We like the visibility. That's why we went with this solution over other competitors.

It does what it needs to do for our needs.

We are in the process of doing a PoC for the new changes.

Currently, it's all reactive. We do the changes, then we review it at a later time.

The governance feature is handy in the process flow. Tufin is easy for an average user to be able to put in their request and have it automatically assigned to other firewalls.

We are able to review changes from the previous day to be able to compare if there's a change that goes in from one day to the next, if there's an issue, we can see what change has occurred. You can see that through the reporting. It's quick to go and pull up what changed between the two days. It works great for the users to be able to put it in. And then troubleshooting afterward if something happened to find out what had changed.

It has come a long way. Compared to where we were, it's significantly better. We were using an internal process that was intensive. This is clearly better.

From my limited use of it directly as a user, I don't think it's efficiently comparing. We were looking for a 2 of 3 match that haven’t used the same rule, and it's not working as well. It's adding additional rules into our policy at times. It could be more effective than that. I’d like it to add fewer rules but still keep the same security posture.

We’ve also had issues with speed, and it needs to be a bit more reliable. It's definitely slows up. Sometimes, just when I log in, it didn't connect me to the system or we've had to do some emergency patches on it and it would take 10 or 15 minutes to get logged in. That was kind of weird and that's happened a couple times. I think it is user-friendly, outside of the things our own internal people have added and made it a little confusing.

I think the app could be a little bit improved in the way that it selects objects.

From my user perspective, I think patching is an issue. I haven't done it, but I know they had to. It got slow, and there were issues getting connected in to it. Everything was running slow a few different times. We’ve had to contact support. There's been times we've lost a day and a half of usage.

I have not had to use technical support.

I was not part of the implementation.

It works well. It’s something you would send a colleague to use. It gives a nice process flow as far as the end user putting something in, having governance check, and being able to have multiple work screens because we have different areas of the company and different processes. They have to have different work flows. We use multiple work flows. That's handy. You can build those in, you select from the beginning and then you're off and running.

• The comparison of what changed.
• I also like being able to use the historical data - did this access exist on this date a week ago, two weeks ago, etc. Because I'll have a customer who's like, "Hey, our traffic isn't working anymore. It used to work, and now it doesn't. Why not?" I would go, and I'd check the policies, see what existed, if it did exist, and then I know that somebody removed it, and I can find out who. It's a great tool.

We're currently using SecureTrack. We've deployed SecureChange, it's currently essentially at this point in a deaf status. But from SecureTrack, one of the most useful tools that I've had as well is the usage reports. Whether it's zero usage or if it's the higher use rules. Let's say I've got a rule at rule number four thousand that's just getting pegged like crazy. It's the number one hit rule. We're wondering why our firewall CPU is going crazy? It's spiking. So we go over to the report, see what rules are getting hit, and we see the bottom of our rule base is getting slammed. Now we know we need to move those rules up and optimize our policy.

We're in talks with sales about them writing code to integrate with some of our different tools, so that's nice. I can't really think of any features that either don't exist or we haven't already requested.

We've asked for integration with the tool that does our baseline, that tells what traffic is and isn't allowed with our change control system. We've got the core routing and everything imported, so that was nice. A couple integrations there.

When we initially had it, it was on a single box, so it was pretty slow. A lot of people had access and they ran reports after reports after reports, and it got stepped on a lot. Once we upgraded, we got HA Pair, and then we've got distributed log folders now, and it runs super smooth. Maybe three years ago I experienced some bugs where it would kick me out of policy query. I would be building a query, and it would just kick me out, or it didn't save the changes, or it just forgot that I was doing something, but I haven't had that happen in maybe two and a half years.

Well, we did, and then we upgraded the hardware. Not a big deal at that point.

Upgrading the hardware resolved the issues because the amount of logs that we generate is pretty insane. Having that one little box handle the entire enterprise full of logs was not very efficient.

I wasn't involved in the initial setup. I've been involved in the upgrades for the recent versions.

I was a secondary contact, so I was only helping, but it was extremely easy. I watched what he did, and it was a piece of cake. He's our Tufin guru on site, so we let him handle the majority of the implementation.

Most important decision criteria: ease of use and the robustness of the tool. We checked FireMon, for instance, and they didn't have anywhere near the features we were looking at, and it was nowhere near as user friendly.

Play with the tools. See what kind of reasons you think you'd need to use it. Why are you looking for this tool to begin with? See how easy it is to pick up for your team. They may not be familiar with a tool; let them play with it for a few minutes and see. Give them a task. How easy was it to get that task done?

We use it as an auditing tool, since it’s a risk-based approach, which fits a lot of the needs of our auditors. We're able to clean up our firewall rules and use the security score in our monthly reports to executive management, showing them that we are making improvements within the security of our firewall policy. We can generate different inventory reports when rules are not in use. It allows us to print policy out for our auditors as well.

You can print off reports, either in Excel format or PDF format and deliver them to whoever needs those reports. It can also send you any report on a regular basis. For example, if you want to see your security scores, you can have that sent to you weekly.

Before we had Tufin, we had to do firewall policy cleanup and it was pretty painful. It would take us 6 weeks just to get through one review, and we had to do it quarterly. With Tufin, you can generate a report in 20 minutes and start taking action on it right away. It's a huge difference. You build up trust with the product. When you are looking at a rule and you don't know if it's been used before, you're kind of rolling the dice. When you have a tool that can look out 6 months and it hasn't been used, then you have a lot more confidence in cleaning that rule up.

Some of the challenges we have include getting the reports and the tools to look at our specific environment. There are some challenges with setup for that. You want to make sure that your PCI environment, your wireless environment, your DMZs and your internal network are all laid out in Tufin so they can be correctly scored and rated. A little more ease of use in that area would be helpful.

We've had Tufin for 8 or 9 years. I was the one that brought it in.

We don't have any issues with stability of the product.

We have a relatively small environment. We've got 30 firewalls, basically 15 clusters that Tufin monitors, and our policy rule base isn’t huge. We moved over to VMware and haven't had any issues with caring for the product.

We actually used one of Tufin’s competitor’s products, AlgoSec, but found that the Tufin product is a lot more flexible from a reporting standpoint.

It’s easy to set up. I would say to do a proof of concept and give it a try. It doesn’t take much effort to get it set up and start getting benefits.

I would give it an 8 on a scale of 1-10 because it works really well in helping you create your own reports. You can drill down into each of the different risks that are in the environment and take action on it. It actually tells you, in a descriptive manner, what the issue is and how to fix it.

We primarily use this solution for integration, and we deploy the solution on-premises and on cloud.

They have very good responses regarding integration and internalization with open tickets.

The solution does not have automation with other Firewalls and it should be included.

We have been using this solution for approximately five years.

The solution is scalable. Currently, approximately 60% of our organization uses it.

We have had a good experience with customer service and support.

We have used AlgoSec.

Licensing costs are charged every year.

I rate this solution a six out of ten. The solution is good but can be improved by including additional automation in the next release.