Tufin Orchestration Suite Reviews

We use Tufin for oversight and revision control to avoid implementing rules that are against security policy documentation, and also to correct any kind of issues or mistakes in policy changes.

It can be useful for comparing rule changes to create rules that are more efficient and more consistent.

We primarily use Tufin to alert us whenever a firewall policy change has occurred. We immediately get an email with a summary of what changed, the objects, any kinds of rules that were created, and so on. We can review that from our email client to see what the other admin changed and visually see if they did something that was against our standards, if it was just a poorly written rule or something like that.

It's asking a lot, but anytime they add stuff to the rule usage analysis or the policy generator - those things are amazing already as they are - we'd really like to leverage that for cleanup and so on. One of the biggest issues for an encroached application silo firewall is that the policies get super-complicated and cleanup is not only a hassle but can impact business.

I’d like to see the cleanup process be more efficient. That's my biggest headache and the biggest elephant in the room. When you have a policy that's got hundreds of rules, help me clean it up please: tell me what rules aren't used, tell me what rules are redundant, and tell me how I can simplify the rule base. I mean it does a lot of that today, but feel free to innovate there. Make it better.

It has been stable. We pretty much just set it and forget it. It reaches out to us or, when we want to go consult it, we don't typically have any problems pulling it up.

It has scaled well for us. We probably have about a couple hundred firewalls feeding it information including rule usage and so on.

We haven't really had to use technical support. I think the only time we had to was during implementation. We have kind of a weird setup where we needed to split out syslog for rule usage analysis because we consolidated our syslog in one place. We said, "Hey, can you just have Tufin pull from that?" Support helped us with that.

Implementation was easy. The previous solution we had didn't really work. We brought Tufin in, got it working, and rolled it right out.

I was involved in the implementation, not so much in the vendor selection. Of course, I knew about Tufin, its reputation and so on, so I was not opposed to it at all.

I’m rating the product a nine just because I’m stingy with my tens.
Tufin delivers on everything that we've asked them. For a similar use case, they're solid and you're not going to have any kind of surprises or issues that are going to crop up from what I've seen. As an administrator rolling something out and having it work the first time, that's pretty much all you can ask for.

Tufin has helped us a lot. It lets us clean up the rule base in a short period of time and remove unused rules. Tufin provides you a report on rules for this that lets you delete objects that are obsolete and no longer needed in the rule base. If you don't use a tool like Tufin, this is done manually and may take days, because for every object, before you delete it, you have to make sure that it is not being used by someone else.

From a security point of view, Tufin can provide the posture of your environment, meaning whether your rule base is secure or not. It will analyze the file rule base, tell you if the service you enabled is secure, and give you some advice how to deal with the situation.

I want Tufin to be used by my entire team, but due to a lack of training and lack of resources, we are not able to do that. I would like to see more training videos that can be distributed to my team in order to really take advantage of the product.

We have been using it for about 3 years now.

I find it very stable. We haven't had any big issues since we started using it. Issues we have had have mostly been related to new features being added that weren’t supported by the device. In those scenarios, we submit the case to Tufin and they tell us about the new release.

We are a big company and I can say that we are not using the product in its fullest capacity. We have a different type of policy because we are using different vendors and different technologies, and while we have some issues with the juniper devices, it has absolutely been scalable.

Tech support has been fine. Right now I have an ongoing case and there is a delay, but it mostly comes from me because I took time to respond and they are telling me other ways that I know.

I implemented FireMon three years ago for a customer because the customer specifically requested it. I found it very hard to put in place. I wasn’t a part of the Tufin implementation, but in terms of the product itself, Tufin is easier to use.

I would give Tufin an 8 out of ten because some vendors own multi-contexts, and there are challenges supporting these devices. We are having issues with the Juniper device, for example.

Tufin gives you the ability see what changes have been made and who made them, as well as pinpoint what has changed so if there is an issue you can easily review it. I also like that if there is a new request that's coming in, you have the ability to compare the request with what is already in the system so you don't have to go into the firewall rules to try to figure it out. You can just do a comparison between different policies.

We use reports a lot for cleaning up, which is part of our regulatory requirement. You need to review the policies for any old reports, used objects or used services. That's basically what draws the purchase of this product.

I also like the product’s ability to reduce security risks. Being able to do some of the compliance checks has been very good for us.

The ability to search could be improved, and it would be helpful to be able to display more than a hundred results on a search or share when you do the workflow with multiple people at the user level on your same team. If you have a team of three people each one should be able to see each other's request without having high-level access rights.

Also, the workflow is very rigid. It's not very easy to manipulate. The graphical interface needs to be a little more user-friendly. You need to be able to move objects around to make a nice display. Right now, if you select an object, it just sits there and everything goes sequentially. I want to be able to move objects around to make the interface more presentable in the way you would normally code something. That's a big concern, because we've gotten several complaints.

We have used Tufin for at least seven years.

We haven’t had any problems, except for some licensing issues a long time ago.

For what we do we haven't seen any performance issues so far.

Technical support has been good. We've had different engineers help us out and they've all been very helpful.

We compared Tufin to AlgoSec. At that time, we felt that what Tufin had in terms of their workflow and the option to transfer over our existing workflow was more flexible. It was a hard decision. One of the other reasons we picked Tufin up versus AlgoSec was the responsiveness of the people we were working with. They understood the company and our relationship, and we felt that it would be easier to have the ear of the company if we needed customization. They did the changes that we requested, which made life easier. We felt that if we were to go with AlgoSec, it would be a lot harder.

We closed the deal after they made a change to DNS lookup. Objects need to be created on our DNS system before they’re populated, and you didn’t have a way to validate your IP with a host name at that time.

If I had to rate it one to ten, I’d give it a nine, since there’s room for improvement, even though they’ve been doing a lot of improvements over the years. I would also say that if you buy the product make use of it. There are more features available than you always realize, so a lot of times you might try the harder way first because you are used to working that way. You might discover that your life can get a lot easier.

The most valuable feature for us is Tufin's versatility. Depending on the kind of device, we can correlate information from both the device and from the client. This is highly useful for us.

Tufin's given us the ability to correlate between policy and firewall rules. We can even search for the correlations to determine violations and exceptions. Also, it's a solution where we can define our entire company's security policies.

It needs better correlation so that it's easier to not have to look for information underneath all the data. So, even though the policy and firewalls are correlated, it's difficult to find them when we need to.

We haven't had any issues with deployment. In fact, it was very easy to do.

We haven't had any issues with stability.

We haven't had any issues with scalability.

The initial setup was not complex. It was fairly easy and straightforward.

We implemented it with our in-house team.

The multi-vendor support is very important for us. This is the most important feature because our system has integrations of software and hardware from many vendors. Tufin has also integrated well, supporting our system of multiple vendors.

Our company has a common policy that we need to ensure covers three different vendors we work with. Tufin helps us to manage this as it's where we've defined the common policy and also where we manage it.

I think that Tufin needs to be as-a-service, that is, in the cloud. The installation also needs to be easier. Additionally, with Tufin's business model, the licenses are quite expensive.

It's hard to stay updated with the last version. That's really the main hurdle we have with our deployments of Tufin.

It's quite stable, but you always need to do updates. Staying updated has prevented instabilities.

We don't have this issue because we only have four firewalls. It has scaled for our needs.

The initial setup was straightforward and pretty easy.

We implemented it ourselves with our in-house team. It was easy.

Sometimes it's very difficult to get the ideal revenue out of this tool. It's expensive.

The licensing is expensive. Maybe for a big company, the price and the licensing is not a problem. For a small or medium company, though, it could be an issue.

We also looked at AlgoSec and FireMon.

The last account I was working for had just implemented Tufin. It was good for retrieval and for policy remediation, as far as cleaning up policies and so on. When I got there, they had a lot of old policies. Everything was all over the place. Tufin was good for policy cleanup.

Once you install Tufin, it performs a query and it searches all active policies. Once it does that, it places all the policies that you know in priority order, as far as which policies are being most used and which ones aren’t being used. Then it gives you something like a survey of things that were being used or any things that weren't being used. You can decide whether you want to take out or if you have some machines which are totally dead. That was really the big benefit of using Tufin.

It took a long time just to try to gather the information. I would like Tufin to be faster.

For what we needed, it searched all of the information we wanted it to.

It was stable. We didn’t have any stability issues.

It was very scalable and very customizable for what we needed it for. We had about 4,500 users on our network, and then we had six firewalls. It came in handy with that.

Installation was a little bit complex, so we did get help. We had to have professional services from Tufin come and help us. They were great. Once they came, it was simple to setup. 

I’m giving the product a rating of seven mostly because of the initial setup. It took us a while because we couldn't figure it out. After about three weeks, we had to hire someone to come and set it up. Once that happened, then it flowed.

When we were deciding whether to implement Tufin, a lot of the other agencies were using it at the time. We went with Tufin because it was receiving favorable scores from the other agencies.

The only one I can compare it to is AlgoSec. AlgoSec has a few more features but a lot of similar agencies were going towards Tufin, so that's why we went with them.

Define exactly the specifics of what you need it for. If you need it for remediation of policies, then it's definitely the product to go to.

What I’ve found very useful in a short period of time is the visibility it provides. It looks at the tools that don't meet our compliance requirements. We’re part of a program where we’re going back and remediating a lot of the rules that are falling out on compliance. Having a central location for that is very nice.

It provides pretty decent visibility to the rule set that we have. Right now, we're looking to better utilize the zoning. When we start utilizing the zoning better, I think it will be a lot more useful tool. 

A major thing that it sounds like it's still going to be lacking, is the ability to create and push NATs. Our network is very large and very complex, we use NATing internally quite a bit. That's a fairly large pain point for our firewall admins. We can use SecureTrack and SecureChange to create and manage rules, firewall rules, but it doesn't have the ability to manage NATs, which we find, is key for management.

Some of the pain points like NATing and the interface brings my rating for the product down to a seven. The interface is workable, but it could be a little bit more intuitive. I would rate the function of the product a ten.

I'm very new to the Tufin products. I'm new to HCA and this is the first time I had professional experience with it. 

Dive in.

I use Tufin SecureTrack, which means I use it for looking at things and not for making changes. The value of it there is that, since I deal with Check Point policies a lot, I can use it to see what changes have been made to the policy since the last time I looked at it, because it may have been a couple of weeks since I last installed a policy or maybe somebody else has had their hand at it.

Tufin gives me a really easy way to graphically look at the policy, before and after changes are made, through two panes. As you drag around one pane, the other moves with it, and they resemble the Check Point dashboard view so it’s very familiar. You can easily spot all the differences and see what has changed in the policy to make sure there are not any mistakes and that nobody accidentally added a block edited any rule at the top of the policy—that’s probably happened to everybody, right?

I also use a feature where you can run a report on rule and object usage. This helps me spot rules or objects that aren’t really ever hit, so I can remove them from the database if they no longer exist.

Tufin is easy to use, which was really important for us. Also, it’s not a dangerous solution because we can’t make changes with it.

I'm running R77, and I'm concerned with how well it will work with R80, the new release of the operating system. R80 changes the way that the dashboard you use to manage the policy looks and operates, and we will have to see whether Tufin keeps up with that or not. Also, in the current R77, the various blades appear as different tabs in the interface and dashboard, and Tufin doesn't look at any of those tabs except the security policy. I'd like it to be able to look for changes in some of the other configurations. In R80, it's all tied together, but for now, it's in a separate panel. I don't currently have any way of using Tufin to audit what changes have been made to the web filtering configuration, for example.

It's very stable.

I don't have a huge environment, but it doesn't seem to require a lot of horsepower. We're running it as a virtual machine, and that's working fine.

We haven’t needed technical support since we moved from a physical to a virtual world.

It was straightforward. It’s been a few years, but I don’t recall any problems with setup.

I have no problems with Tufin, and it works great, but I would have to give it an eight out of ten. It’s just not as amazing as some of the other technologies I use, like Lancope StealthWatch. I wouldn’t tell anyone to stay away from it—It’s just a good idea to look at the competition and see what’s out there.