Tufin Orchestration Suite Reviews

Policy analysis is the product’s most valuable feature. It can pull out various rules that we need to work on, edit, update, and so on. It can identify rules that need to be moved, or need to be optimized.

Tufin analyzes tens of thousands of rules for us. Not all one firewall, but there's thousands and thousands of rules that Tufin analyzes.

Reporting is great. The only issues that we ever run into are with usage reports. You can run into things where something will have been modified and it ends up changed or something like that. Other than that, reporting is great.

The capabilities Tufin has for Check Point products are excellent. It'd be nice to get the same level of features that it does for Check Point up to par with Cisco, Palo Alto, and so on. There's a couple of things that are lacking. For example, on the Palo Alto side, if you're using a lot of layer 7 rules, there's very little visibility into that. When you run policy analysis, you're still only getting back source IP, dest IP, ports. It's not showing the URLs, all that kind of stuff. That's the main thing.

The only other thing I could see being improved would be regarding one bug. Once in a while when you save a policy analysis query and you click save, it goes back to the screen where it lists them all. Someone else's will be there, and it's somehow swapped them with another engineer who was saving something at the same time. It doesn't happen often, but when it does, it's annoying. Especially if you've just entered a whole lot of info into it.

I’m rating it an 8 because of a couple of those little nagging features, the little bugs. But by and large, it does the job that we need it to do at the moment. We're going into the new world of SecureChange. We'll see how that goes, too.

In our previous configuration, it would take a beating. It would take days to get certain reports out of the system. We've just purchased a whole bunch of new hardware, and Tufin’s been a lot more stable. I'm getting reports again very fast.

Based on looking at some of the other products out there, Tufin is definitely the leader of the pack. It's a good choice. Make sure you buy enough hardware, and make sure you know how you're going to use it. A lot of the features get very processor- and database-intensive, and you should have the proper gear to use it.

The biggest thing is regarding the automation that it allows our customers to do at the end of the day so that they can go and scale their environment a lot more than they could in the past. I think that's really where it comes in. It's the process behind it which can be very painful and tedious. They help make it easier and it's pretty simple from that perspective. You can review compared to past policies.

It's a multi-stage process. When you first start using it, you can go based on rules and find a lot of things that you didn't know before automatically. Then over time, you can go and see points along time. See what's happened, what's changed and also make sure they're applying the appropriate policy.

Without Tufin it's a lot of manual reviews, and you'll miss things. Humans miss lots of things especially as rule bases get big.

The integration with other parts of the system, so it  a lot about process. If you have ticketing systems, other things that you're using can be helpful. For the really leading edge customers, they're able to integrate it with their other processes to the end users. The end users can be the ones requesting, saying, "I have this application and I need it to work this way." Take the technical out of it and make it a lot more business oriented so that's pretty powerful.

It's still challenging in some cases to get it integrated with other systems. Anything that Tufin or any company can do over time to make that easier and easier is going to make it easier for the end customer. A lot of times with implementations, companies don't get using it we've seen. A lot of times, we'll go in and help them which is good. In the early stages, like any product sometimes it can be hard to start using it. Ways to make it super easy for somebody coming into the game could be useful. Then from our perspective, we've seen so many services go and come. So many applications go service based (software as a service) so they certainly have an opportunity there too to do some things.

I'd rate it an 8.

We've been working with it for a long time and it's been good from that perspective. Again, we have a lot of customers. It's been really scalable. We've had some customers that are on a hundred gateways on it.

It's straightforward to set up but like anything, there can sometimes be an initial gap with usage. Get it set up, get it running and then it's the habit. Forming that habit for companies, like anything new, can be hard.

The space is pretty targeted. AlgoSec and Firemon are certainly their direct competitors. Those are really the big three in the space.

Criteria when selecting a vendor  -I think it's looking at your current processes and where you'd like to be is really what it comes down to. If you're frustrated with the ways things are working, think about the way you'd like it to be and then see what product fits into that mindset for you.

The ability for it to identify unused rules, and overlapping/redundant rules. If you had a more open rule at the top, but you put a more granular rule at the bottom, it would tell you that that granular rule wasn't needed because it was already covered by another rule. A lot of times you get multiple firewall admins who just go in and start adding stuff, and they're not always looking for what's already in place. It's redundant and they don't realize it. 

So somebody could have added a rule but they couldn't find it, so they just went ahead and added access, and in the end, Tufin will identify it and say - you have rules that you don't need. When you're dealing with very large policies (hundreds - thousands of rules) it's a big advantage. Such as if you're dealing with firewalls that host 2000+ rules.

I used to use the reporting. It was able to at a glance tell me every rule that that particular IP address was given access.

The ability to export the data outside of a PDF on some of the reports, I'm not sure that it can do that.

It scaled for our needs.

It fits in as part of the bigger picture. At the end of the day, I wish the firewall products themselves could do some of that stuff inherent to their own solution. 

Make sure you understand the capabilities and use it for what it's intended. It's not going to tell you the intent of rules, it's not going to tell you if it's a good rule or is it a bad rule, but it's going to help you with firewall clean-up or redundancy. It doesn't help a firewall admin create a better rule.

We use this solution for recertifying connections, application-based automation, and compliance with regulations.

The workflows save time and speed up the authorization processes for applications. For network operators, it enhanced visibility. For application operators, it increased knowledge of dependencies and also provided them with impact awareness.

Before this solution, we used Excel sheets. This approach did not provide ways to filter the options for implementing changes. The filtering of lots of criteria is very valuable.

I would like to see more configuration options on next-generation firewalls, defining possible standards for devices.

The tool is highly reliable.

We have not run into limitations around scalability. Depending on the devices, it is better to have a sizing discussion with the sales engineer.

In the beginning, we did not have a dedicated support handler and it caused some issues because the service requests were interrelated. When we later obtained a central contact in support, it improved the handling.

Prior to this solution, we used Excel and firewall vendor consoles.

The initial setup was fairly complex because of the agreement with the network provider.

We implemented this solution in-house with the support of Tufin Professional Services.

I suggest talking with Tufin about the flexibility of the pricing structure.

We did not perform our own evaluation. However, one of the daughter companies evaluated multiple products (Tufin, FireMon, and AlgoSec) and selected Tufin. We relied on their research.

Implementing the tool is easy, but introducing the changes within the company can be challenging.

Policy management.

It understands my need to make sure that there are specific metrics that we are looking at and with those seeing across our technologies, as opposed to just a vendor technology building reports. It's easier for us.

So far, with the asks that have been requested, we have been able to find the metrics we need. 

My suggestion would be to be able to correlate it with other toolsets, and not just have it contained in their own toolsets. I’d like to be able to extract it so it can be consumed by other tools, like a governance tool such as GRC2, Archer, and by algorithms. It should not be contained in their environment. Let them perform their functions, but allow me to absorb others and use other governing tool sets to take a look at your metrics.

I’m rating it a seven just because I don't think I'm using the tool at its full functionality yet. It's meeting my current needs, but I don't know what the future use cases would be. So I can't say it's a ten, yet, but I'm moving towards ten. So, I start with a five as I use its functionality as meeting my needs. It will grow, I have confidence.

The speed is good. As we continue to upgrade the software, I've been keeping up to date. Every version that I install, I see some improvement on the speed actually. So far so good.

I haven't had any issues. Even though my interaction has not yet provided me with a full understanding of whether it's stable or not, I have been interacting with the tool enough to determine whether there are any stability issues.

If the tool meets your needs, evaluation process wise, then you should make sure that you reap the benefits. It has a lot of functions, and a lot of benefits and features. Start using them all.

The most valuable feature is the ease of use. Creating workflows for users is very easy. It's also pretty straightforward to look at audits and compare policies.

Before Tufin, we had a very antiquated way of doing firewall requests. It was a terrible workflow system. Workflow was one of the main reasons we looked at Tufin, since it is really easy for users.

I would like to see more customization with the emails that go out, the UI, the things that I look at, and the things that I see when I log in. We mostly use SecureChange, and when I look at my tasks, I would like to have more customization to maybe add a column, for example.

We deployed it well over a year ago - Tufin SecureChange and Tufin SecureTrack.

There have been no stability issues whatsoever. It’s rock solid.

Right now, with what we're using it for, it has been scalable. We haven't had an issue with scalability at all. It's been able to keep up.

We had to work with technical support to get the certificate set up and get SSL initially configured. It went well.

Putting it together and getting it up and running was a breeze.

The top two we looked at were AlgoSec and Tufin. We felt that Tufin was the leader in the space and we chose it because it was easy to use, very customizable, and it gave us every one of the requirements that we were looking for.

I would give it a nine out of ten. It’s been a great product so far. I'd just like some more customization.

Our primary use case is configuration management and change management.

Tufin has improved my organization with its configuration management. It has tremendously improved operation's success and has made life easier. 

It has also increased the amount of gateways there, which has really helped us. Information is readily visible.

Tufin has ensured that the security policy is followed across our entire hybrid network in the way that it has given us what is in place now. We're trying to impose the security policies of the organization. There is still time to get in there.

• Configuration management
• Change management

I don't get the full visibility. There are a lot of improvements which can be done in terms of visibility.

We have had challenges implementing the change workflow process. We were trying to do and end-to-end automation part and standard services, like Active Directory, through a couple of customers and internal applications. We had challenges that we couldn't overcome, even with help. We are still trying to achieve this.

Change management is something which is currently difficult. It should work seamlessly, not have too many integration points. It should be simple.

Stability is good, so far it hasn't given us any trouble.

We've never really had the opportunity to check the scalability. Our company's growth at the moment is stagnant and normal.

Their customer service is better than it used to be.

We implemented through a consultant from Tufin, who was helpful.

We have seen ROI in operational aspects, in terms of how long it takes to resolve incidences which arise. 

I would rate it seven out of ten. I would recommend Tufin if someone is considering it.

We are still in the process of phasing it in to help us with our compliance mandates.

Tufin is invaluable for helping us keep track of things, providing us a method for checks and balances. We're a Tufin SecureTrack customer at this point, and the product serves multiple purposes when tracking changes. We’ve also starting using it as a compliance tool, utilizing its capacity to help us analyze policies. Overall, SecureTrack is a very easy tool to use, and it’s relatively fast. We've recently virtualized it, and from a performance aspect, it works great.

I think we're on Version 15 right now – almost the latest one. Moving from the appliance to the virtual platform was really simple, and from a performance standpoint, it was pretty much seamless.

We are starting to use it more as a compliance tool as opposed to just for tracking changes and backups. Because it tracks changes, SecureTrack maintains a complete CVS (Concurrent Versions System of all of the configurations of a lot of our systems. Because we're a multi vendor environment, it's not just Check Point. We have licenses for all of the different firewall vendors’ products and things like that.

With SecureTrack, I think it does what it needs to do, so I can't recommend any changes, although I would like to see additional vendors added to it (and I’ve already discussed that with Tufin). They already support F5 BIG-IP, so we've discussed possibly adding Citrix. And, although they support A10 for the Tufin Orchestration Suite, I’d like to see support for SecureTrack as well. Because they already have those plug-ins on the Orchestration Suite side, it doesn't mean that they can't have it on the SecureTrack side as well.

I do think some of the licensing can be simplified or made more flexible. Because we are multi-vendor, it would be nice to have a way to convert licenses from one product to another. For example, I’m phasing out all of my Juniper firewalls, and I want to turn them into Cisco. It would be nice to be able to detach licenses and re-attach them to different types of devices.

I also think that at some point they're going to have more integration on the SecureTrack side for some of the other switching and routing platforms – not just Cisco. They already support some of the Juniper routers and switches, and SRX from the firewall standpoint. I am not sure of where they're going to go with Pulse Secure.

No, we never had any stability issues because it's a browser-based tool. We've never had any problems with accessing the tool, and its performance is great.

I think it's scalable for what we have today. If we were to move to Tufin Orchestration Suite, we would probably look at putting more distributive Tufin appliances out in different places because we are worldwide and have major data centers throughout the world. We would probably try to keep things localized.

Tufin’s support is actually very good. In the early years, there was a support guy who we would always end up getting, so he kind of knew us personally. He was great at helping us jump on things, running all sorts of different SQL commands and similar processes in order to fix whatever upgrade issues we had. Tufin support has always been great.

We relied on other logs and on open source tools. We used about five or six different tools for various functions, but we were able to consolidate by moving over to Tufin SecureTrack.

At the time, we did a bake-off between Tufin, AlgoSec, and FireMon. One of the main things was that Tufin was just simple. It was basically: rack it, stack, turn it on, IP it, start plugging things in, and it was ready to go. With some of the competitors we had to set up a Window server, buy a Windows license, expertise it, etc.

We're using Tufin OS, which is just Linux. For any customer who wants a solution that is quick to set up and just works, Tufin's the way to go.

I really, really like the solution and we’ve been really happy with Tufin. Even though our Tufin sales rep recently changed, they've always been engaged with us. They hit us up pretty often to find out if there's anything that we need, or if there's anything that they can do to improve or even expand the use of their product.