Tufin Orchestration Suite Reviews

We use this solution for Firewall audit, compliance, and some automation.

Using Tufin makes it easy to visualize when investigating or auditing configs.

The most valuable feature is alerting, which lets me know when someone has made a change. When something stops working I can see what has been done and by whom.

This solution is easy to set up and use.

It is very easy to see what has changed when comparing two different revisions.

I would like to see visibility into the FW features like IPS/Content Filter policies, the same way it does for FW rules/policies.

We are using Tufin to manage our multi-vendor firewall environment.

We are using the Secure Change workflow to request, asses, and implement Firewall requests. Secure Track is used from our Security and Audit department for regular policy reviews.

Due to the usage of Tufin, we reduced the manual effort during audits to a minimum. The central place to request Firewall Rule Changes supports our Operation teams in a multi-supplier environment on a daily basis.

The automated reporting on a regular basis is helping us to be compliant with legal requirements.

We would like to see granular user permissions on SecureTrack.

The topology should be made easier to configure.

I would like to see the setup of the Unified Security Policy simplified.

We have had no outages over the last six years, so this solution is very stable.

This solution is highly scalable.

Customer support reacts very fast. Due to the complexity, sometimes additional support levels need to get involved.

We did not use another solution prior to this one.

The initial setup was complex.

A mix of Tufin Professional Services and in-house.

We evaluated other options before choosing this solution.

I recommend getting Tufin Professional Services involved when implementing automation.

The primary use case is data flow analysis.

We use Tufin to clean up our firewall policies of unused policies.

It gives our firewall administrators visibility into the total infrastructure.

The most valuable feature is troubleshooting.

I would like something that addresses security in the cloud.

The stability is bulletproof. 

It is extremely scalable. It really addresses the scale of a company's firewall footprint.

The technical support is excellent.

Our account manager and Tufin support have been a big help to us.

We were getting to the size where manual administration of firewalls did not make sense anymore.

The initial setup was straightforward, but time consuming.

This solution has helped us reduce the time it takes us to make changes. We have seen the reduction on the front end, when doing an analysis of the data flow.

We also considered AlgoSec.

I would recommend taking a look at the solution.

I use the solution daily and can see it anytime that I want. I find it invaluable in day-to-day management of firewall policy and policy changes.

This solution has sort of helped us to meet our compliance mandates.

The cloud-native security features will be more important in the future. I am just learning about them now.

I have not worked with SecureChange. I just took the SecureChange track, and from all of the exercises that we did, it seems like a very valuable tool after your firewall population reaches a certain density. If there are a certain number of firewalls, manual administration doesn't make sense anymore.

It is customizable.

It does not natively support all of the Check Point functions, which is a big deal. The solution doesn't recognize traffic and impede it.

We have had a ton of issues with stability. The database is weirdly designed. Things just go wrong with it where we have to call the tech guys. They come in and clean the database fairly regularly.

We've scaled it to hundreds of firewalls. We haven't had a scalability issue. 

If you don't buy their premium support, their technical support is not great and you can only call during daytime hours. So, we ended up purchasing their premium support.

The reason that we purchased the solution is because of the visibility that it provides.

The SecureChange implementation was straightforward. 

The SecureApp implementation was very complicated. The topology was so complicated that we threw it away after months of having Tufin people come out to try and make it work. 

We bought deployment services from Tufin. 

We are seeing ROI in terms of having SecureApp. However, we made a significant investment to get there.

The topology doesn't work and SecureApp doesn't seem to be a strategic product for Tufin anymore. Proceed cautiously with that in mind.

I would rate their SecureChange an eight out of ten. I would give their vision an eight, but for their execution I would give a three out of ten. 

The primary use case is firewall management, consolidation, and optimization.

Our company has a grid, and there are different blocks of public domains and internal domains. It checks all that on our security grid. That has been customized by our administrator.

Tufin allows our say junior guys to learn how to view policies. It gives them a tool that will help them consolidate and optimize.

We use SecureChange. SecureChange is most valuable to me because I have customers out there that know the process now. 

It provides good visibility because we have a lot of gateways globally, so it consolidates them nicely.

It could be a little more intuitive. I haven't used it a lot, but it gives me the info I need, I just have to find it.

The stability is fine.

I have not had to use the technical support. Maybe I should.

I was not involved in the initial setup.

This solution helps us reduce the time it takes us to make changes. We're probably saving time by 25%.

It is a really good product. It does exactly what you want it to do.

Get the training. I didn't get the training. I assume they provide training.

Our primary use case is firewall monitoring, rule changes, and logging.

The change work flow process is flexible and customizable. We found it pretty easy, particularly when we were implementing new rules and with our cleanup. We found that the rule change was fairly easy to implement.

It has allowed us to monitor rule changes. This way we know exactly what would happen behind the scenes in the event of an after-hours change.

Its ability to detect changes within our firewall.

We had some issues initially with the initial reporting and alerting system.

While the visibility was pretty good initially, we have had issues with configuring and reporting.

I would like a better reporting feature and automatic alerting based upon rule changes.

Our engineers still have plenty of manual processes to work with.

The product seems stable from when we implemented it at the time.

We're pretty small scale, so I don't know how much larger it would go. We're about a 4,000 device network.

I haven't interacted with the technical support.

The initial setup was straightforward, but then it became complex due to our rule set.

We used a reseller, who was fine to work with.

The solution has helped reduce the time it takes us to make changes. It helps make overall integrated changes immediately. It allows us to cut down at least a few hours in the week in regards to changes and monitoring.

Really dig deep and understand your use cases, then what exactly you're looking for out of the solution.

It has allowed us to maintain particular rules in regards to CJIS and HIPAA compliance.

We have multiple networks connected to this solution. So, we are able to design and monitor different rule sets in the three different domains that we control.

We're using SecureTrack, and the most valuable feature for us is the accurate reporting it provides. Every time I run a report, I know it's going to return just the exact information I'm looking for. 

I like the ability to drill down in the reports. That's very handy. It allows you to drill down, but it doesn't show you all the information at once, because some of it can be very overwhelming. It simplifies the information and then you can drill into the details.

At first, it presents it all in one format in the report. That's the simple format. Some of the things I'm looking for, I want an answer back quickly. I can see in just a one-page review that all of the information I was looking for is there.

On an enterprise-wide scale, I would like to see improvements to the auto generation feature. We don't use it very much, if at all, because it didn't work well.
It’s the feature where Tufin can review a certain rule and recommend more granular rules based on the logs that it sees for the rule. We've had a lot of difficulty getting that to work smoothly. Our Tufin engineers have had to play with the software behind the scenes to get that feature to work. It'd be nice to be able to just turn it on and have it work, no matter where we're looking at these rules in the enterprise. That's actually been a need. We are an organization with over 15 years of firewall rule history. We need to remediate rules. We need to clean them up. That's something I think Tufin needs some improvement on. I like the ability to review Cisco configurations right there on the spot. I've found that very handy.

I think for the most part it's been stable now that we have our new hardware. Our organization's very taxing on it. We have dozens of engineers running reports at the same time, but it's usually just a workload issue. It does give you the ability to schedule reports. If it's not something you need right away, then you can just schedule the report to run as soon as possible and then continue to work somewhere else. That saves me a lot of time.

At a previous job, I used FireMon. It was similar at the time. I think Tufin has a lot more offerings with the Orchestration Suite now.

Work with the sales teams directly, because they seem very willing to be flexible with the development side. Every organization has different needs. Tufin’s willingness to be flexible impressed me.

Policy analysis is the product’s most valuable feature. It can pull out various rules that we need to work on, edit, update, and so on. It can identify rules that need to be moved, or need to be optimized.

Tufin analyzes tens of thousands of rules for us. Not all one firewall, but there's thousands and thousands of rules that Tufin analyzes.

Reporting is great. The only issues that we ever run into are with usage reports. You can run into things where something will have been modified and it ends up changed or something like that. Other than that, reporting is great.

The capabilities Tufin has for Check Point products are excellent. It'd be nice to get the same level of features that it does for Check Point up to par with Cisco, Palo Alto, and so on. There's a couple of things that are lacking. For example, on the Palo Alto side, if you're using a lot of layer 7 rules, there's very little visibility into that. When you run policy analysis, you're still only getting back source IP, dest IP, ports. It's not showing the URLs, all that kind of stuff. That's the main thing.

The only other thing I could see being improved would be regarding one bug. Once in a while when you save a policy analysis query and you click save, it goes back to the screen where it lists them all. Someone else's will be there, and it's somehow swapped them with another engineer who was saving something at the same time. It doesn't happen often, but when it does, it's annoying. Especially if you've just entered a whole lot of info into it.

I’m rating it an 8 because of a couple of those little nagging features, the little bugs. But by and large, it does the job that we need it to do at the moment. We're going into the new world of SecureChange. We'll see how that goes, too.

In our previous configuration, it would take a beating. It would take days to get certain reports out of the system. We've just purchased a whole bunch of new hardware, and Tufin’s been a lot more stable. I'm getting reports again very fast.

Based on looking at some of the other products out there, Tufin is definitely the leader of the pack. It's a good choice. Make sure you buy enough hardware, and make sure you know how you're going to use it. A lot of the features get very processor- and database-intensive, and you should have the proper gear to use it.