Tufin Orchestration Suite Reviews

So far, the solution has been fantastic. The customer has been very happy with its capabilities overall. 

It works very well in an enterprise environment.

There aren't any gaps in its offering at this time. It's a very complete solution.

The reporting on offer is very good. Tufin makes nice reports.

Technical support has always been very helpful and responsive. 

The pricing could be a bit more competitive. If you compare it to, for example, AlgoSec, AlgoSec has better pricing.

The implementation could be a bit easier. 

I've been working with the solution for about a year or so at this point. It hasn't been too long. 

We've had to contact technical support a few times in the past. Their support is fantastic. They are very helpful and responsive. They are knowledgeable about the product. We are quite satisfied with the level of service we receive. 

I also work with Cisco devices.

We had some issues during the initial implementation. Our client had some devices that, for some reason, just weren't integrating. If they could look into issues that clients face at the outset, when the setup is happening, it would make the experience a lot easier to handle. They just seem to need to be able to handle more integrations with other devices. 

The pricing could be a bit better. It's definitely not the least expensive option. It would be ideal if the product pricing came down a bit so that it was more competitive. The clients would appreciate that a lot.

I'm currently looking at other solutions to compare Tufin to. I have done some comparisons between Tufin and AlgoSec and my takeaway from that is that AlgoSec is less expensive.

I would advise other organizations considering the solution to first be aware of what they want to achieve. As a company, you need to start there before you start choosing solutions. That way, you'll know if the solution will properly meet your expectations. Tufin has a few options as well. It's important to understand which would work best according to your requirements. 

I would rate the solution at a nine out of ten overall. We've been very please with the capabilities of the product and our clients have been happy. 

We primarily use SecureTrack for viewing and tracking changes to policies.

This has helped us to better clean up and audit changes to the firewall policy. Also, giving access to the other teams without giving them direct access to the firewalls, themselves, is very helpful.

This solution has also saved our architects time. They are unable to view the firewall policy directly, so they use this product to find the rules that they need. If something is being moved then they can easily create a document that has all of the existing rules.

The most valuable feature is to give people outside of the firewall group access to view the policy. Tracking is the most useful feature for us, right now. It saves time but I cannot give an estimate as to how much.

The visibility is good. We can see the policies and what changes need to be made, based on the report.

When viewing the policy there are a lot of Check Point user's inline rules, and you don't see those in our policies. It just labels them from top-down. We use a lot of inline rules, and it would be beneficial to see those from within Tufin. 

Overall the system is stable, and we have had no issues configuring it with our firewalls, or otherwise.

It is scalable in the sense that we use a lot of policies and we haven't run into any limits yet.

The solution has been pretty straightforward and I haven't had to contact tech support. Again, we're not using all of the features so perhaps that is why. I do know that there are plans to use the SecureApp and SecureChange in the future, but the trust isn't there yet for us to push down those changes.

We did not use a solution prior to this one, but we needed Tufin to give access to other teams to view the policies. We did not want to give them direct access to the firewall management system.

I would say that the initial setup was of medium difficulty. I and one other engineer completed it, and it wasn't too difficult.

The deployment, in total, took more than a year. This included bringing in every single firewall policy and making sure that it was updating and tracking.

We handled the deployment in-house.

We did not evaluate other options before choosing this solution, and I don't know who else is competing in this space with exactly the same features as Tufin.

We don't use SecureChange at the moment, although hopefully, we can get to it in the future.

With respect to having this solution automatically clean up our firewall policies, we run the report but we don’t always push those changes on. We consider the recommendations but review it manually ourselves. This does point out what we can get rid of, and where we can optimize it. Once we have the trust of our team to push these changes automatically it will be implemented, but we're not ready for that yet.

Part of the reason is that we want to be in control of the firewall policy changes. We don't want developers or anybody recommending what we should be doing.

If somebody is looking to integrate a ticketing system, and not push changes directly through their firewall management system, and they would like a third-party verifier and checker then I don't know any other products that can do that. This is especially true for Check Point firewalls, and Palo Alto.

I would rate this solution an eight out of ten.

It is customizable.

It does not natively support all of the Check Point functions, which is a big deal. The solution doesn't recognize traffic and impede it.

We have had a ton of issues with stability. The database is weirdly designed. Things just go wrong with it where we have to call the tech guys. They come in and clean the database fairly regularly.

We've scaled it to hundreds of firewalls. We haven't had a scalability issue. 

If you don't buy their premium support, their technical support is not great and you can only call during daytime hours. So, we ended up purchasing their premium support.

The reason that we purchased the solution is because of the visibility that it provides.

The SecureChange implementation was straightforward. 

The SecureApp implementation was very complicated. The topology was so complicated that we threw it away after months of having Tufin people come out to try and make it work. 

We bought deployment services from Tufin. 

We are seeing ROI in terms of having SecureApp. However, we made a significant investment to get there.

The topology doesn't work and SecureApp doesn't seem to be a strategic product for Tufin anymore. Proceed cautiously with that in mind.

I would rate their SecureChange an eight out of ten. I would give their vision an eight, but for their execution I would give a three out of ten. 

It's mainly for the automation of policies.

The visibility is pretty good because it's a cross-vendor platform, so it provides visibility across different vendors.

We use this solution to automatically check if a change request will violate any security policy rules. We have a huge policy base, and we have certain compliancy requirements which we have to meet for the rules that we have. If we are planning to have a change in the policy base which could possibly violate the compliancy requirements, then we'd get the help of the tool to alert us in a way, which would make us aware of that.

It makes us aware when there will be any compliance violations possibly, and we can pro-actively prevent those violations from happening.

The automation because it is saving a lot of work, time, and effort required to do all of our manual work. The change impact analysis is pretty good, and with the automation, it takes care of a lot of things which we would be doing manually.

The change workflow process is flexible and customizable to some extent, but there is room for improvement. In some cases, we've found it difficult to get the exact thing which we were looking for. Then, we end up having to go and do the thing manually.

I would like them to have more focus on the whole compliance across the globe, like PCI DSS. These things keep on updating very frequently. If they can be on top of it and keep updating more frequently, getting more updates, that would be something good.

It's very stable. We haven't encountered any major issues, so it's pretty good.

It's pretty scalable. That's a good thing. 

Sometimes the technical support is able to help us quickly, and sometimes it just goes on for quite some time. Something complex or a new functionality requirement takes time, but if it's something simple, then they're pretty quick to resolve it. 

We didn't really do the deployment ourselves. So, it was someone else.

Tufin makes things a little easier. It lessens the amount of manual work which we have to do. It has a lot of benefits in terms of revenues, profits, employee costs, and operational costs. We have already seen return on investment.

The solution has helped us reduce the time it takes to make changes.

I also know that we evaluated AlgoSec.

I would suggest looking at not just the features and functionality which are specific to the environment which you are working in, but to be aware of the other features which the product has to offer. Because companies grow and things change, so it's always good to have at least a complete idea of what the product does and how it does it.

• The ability to compare the old policy and the new policies is real handy.
• The topology view is really good. 
• You can kind of see where the flows are coming and how they're working.

I come more from the WAN space as opposed to the security space, so I would obviously like to see Tufin integrate with Cisco routers. There's room for more integrations with other products.

I'm just kind of getting into it, so I don't think I have the full breadth of the product personally, but it is pretty usable.

It's been stable in our environment.

We haven't had any trouble scaling it. We have about 100 policies.
There haven’t been any issues with speed, as far as I can tell.

What I’ve found very useful in a short period of time is the visibility it provides. It looks at the tools that don't meet our compliance requirements. We’re part of a program where we’re going back and remediating a lot of the rules that are falling out on compliance. Having a central location for that is very nice.

It provides pretty decent visibility to the rule set that we have. Right now, we're looking to better utilize the zoning. When we start utilizing the zoning better, I think it will be a lot more useful tool. 

A major thing that it sounds like it's still going to be lacking, is the ability to create and push NATs. Our network is very large and very complex, we use NATing internally quite a bit. That's a fairly large pain point for our firewall admins. We can use SecureTrack and SecureChange to create and manage rules, firewall rules, but it doesn't have the ability to manage NATs, which we find, is key for management.

Some of the pain points like NATing and the interface brings my rating for the product down to a seven. The interface is workable, but it could be a little bit more intuitive. I would rate the function of the product a ten.

I'm very new to the Tufin products. I'm new to HCA and this is the first time I had professional experience with it. 

Dive in.

We use it as an auditing tool, since it’s a risk-based approach, which fits a lot of the needs of our auditors. We're able to clean up our firewall rules and use the security score in our monthly reports to executive management, showing them that we are making improvements within the security of our firewall policy. We can generate different inventory reports when rules are not in use. It allows us to print policy out for our auditors as well.

You can print off reports, either in Excel format or PDF format and deliver them to whoever needs those reports. It can also send you any report on a regular basis. For example, if you want to see your security scores, you can have that sent to you weekly.

Before we had Tufin, we had to do firewall policy cleanup and it was pretty painful. It would take us 6 weeks just to get through one review, and we had to do it quarterly. With Tufin, you can generate a report in 20 minutes and start taking action on it right away. It's a huge difference. You build up trust with the product. When you are looking at a rule and you don't know if it's been used before, you're kind of rolling the dice. When you have a tool that can look out 6 months and it hasn't been used, then you have a lot more confidence in cleaning that rule up.

Some of the challenges we have include getting the reports and the tools to look at our specific environment. There are some challenges with setup for that. You want to make sure that your PCI environment, your wireless environment, your DMZs and your internal network are all laid out in Tufin so they can be correctly scored and rated. A little more ease of use in that area would be helpful.

We've had Tufin for 8 or 9 years. I was the one that brought it in.

We don't have any issues with stability of the product.

We have a relatively small environment. We've got 30 firewalls, basically 15 clusters that Tufin monitors, and our policy rule base isn’t huge. We moved over to VMware and haven't had any issues with caring for the product.

We actually used one of Tufin’s competitor’s products, AlgoSec, but found that the Tufin product is a lot more flexible from a reporting standpoint.

It’s easy to set up. I would say to do a proof of concept and give it a try. It doesn’t take much effort to get it set up and start getting benefits.

I would give it an 8 on a scale of 1-10 because it works really well in helping you create your own reports. You can drill down into each of the different risks that are in the environment and take action on it. It actually tells you, in a descriptive manner, what the issue is and how to fix it.

Audit compliance. We need the PCI audit compliance and that's what Tufin delivers for us.

Before we'd have to manually go down rule bases three-thousand lines long, rule by rule finding the stuff that's missing. So it saves us a lot of time.

Well there's parts of the product that we can't use, the SecureChange, the network address translation, and users as it's all very difficult, so we've never managed to use it for that. We just use it for PCI and for rule based management, rules that have no hits, and I use it to help with the rule-based.

It's only broken twice in the ten years we've had it, so it's very good.

It scales because you can put multiple devices in multiple networks. We've got some things where the firewalls aren't routable back to the central, so we can put these proxy-serve type things in, so it's very scalable. You can have as many of them as you want.

I've used them only twice. Once for an RFE and once for a little issue that we had. I found them very knowledgeable, and UK based.

We bought Firemon in the interim and then got rid of it and went back exclusively to Tufin. We had a special environment and Firemon came in, took a pitch, and it was cheaper than Tufin and it checked all the boxes. But when it was actually deployed in the network it didn't fit the purpose so we cut our losses.

Very easy. You need Check Point skills for sure, and it goes with other products as well.

No, we didn't. We went straight to Tufin initially because we bought it. There wasn't anything else back then, because we got it ten years ago.