Tufin Orchestration Suite Reviews

I like how it's able to optimize your policy, look at the objects, and other similar functions. We only have Check Point integrated with Tufin SecureTrack, so that's a key benefit of using it. We can check policies against past policies. It does a kind of compliance check or risk analysis if there are unused policies or unused objects. It highlights them and it gives you a good view of what doesn't need to be there.

It would be better if Tufin could integrate with the Cisco routers, FireEye, and other devices like that, so you can do the routing changes and so on straight from SecureChange. That would be good.

I haven't looked at their latest versions or releases, what's new, and what's not. We're still running a version that's at least a year old, so I still have to look at it. If they have added integration with Cisco routers already, that's good, but we don't have that in the version that we have. It doesn't support Cisco routers at all.

It's been stable in our multi-domain environment. We have more than 20 or 30 policies.

When we were looking at products that can do this, I think we only looked at Tufin. Its integration with Check Point is what led us to Tufin. That was the main reason why we looked at it.

I hope that Tufin just keeps doing what they’ve been doing. We look forward for future enhancements.

We're using it to write down policy changes. We have lots of jobs making firewall changes. We track down all of those in the reports and we can see what is going on. If something goes wrong, we can track down the latest changes and determine how to fix it.

We would like to use Tufin through the cloud. We don't want to keep the hardware or all those devices on premises, where we have to manage them and upgrade them. If we could use Tufin through the cloud, we could just tweak the firewalls, keep the changes, and then track them.

Right now, Tufin is on premises, which means we have to manage it, we have to upgrade it, and we have to take care of the devices. The infrastructure is not very critical for us, and we just need to use it, so we would prefer to use it through the cloud. Everything is in the cloud.

I have not found it to be slow at all. The speed is good. At first, we installed Tufin in one of our offices, but now we are using it everywhere.

Technical support has been good.

I permanently use it for their Automatic Policy Generator, and for object lookup.

We use Tufin for object lookup. We often get requests from the business. They give us an IP and they request something like, "We need to know what the rules are for this.", so they can add more similar rules. We go into the object lookup, give the IP that we're looking for, and then it generates a report, either Excel or PDF.

We have probably a hundred policies using Tufin.

I would like to see a little bit more of enhancement on their PCI-compliance piece. We reviewed a Skybox product. They seem to be doing a lot better than Tufin does on the PCI reports.

I think we're ready for an upgrade, it's getting kind of slow. They did tell us that you can break up the database in the actual server application into two separate units. That's supposed to make it a lot faster. I think we'll probably do that in the next upgrade.

We have seen some slowness, but I think it's because we're on some aging hardware. We're quite larger than a lot of people that probably use it too. It has been scalable for our size so far.

I actually hadn't really had the need to reach out to technical support. We're a pretty big customer of theirs, and they're always coming around. I usually deal with my technical issues when they do that.

I went through one upgrade, but they already had Tufin when I arrived.

We did a proof of concept to compare Skybox and Tufin.

It’s a pretty good product. The PCI compliance piece probably accounts for the rating of 8 as opposed to ten.

As far as comparing Tufin with another product, I would just look at some of Tufin’s features like the APG that is not used that often, but it's a really good feature. They do also have an extended tool section where you can kind of get a little bit more in depth.

Audit compliance. We need the PCI audit compliance and that's what Tufin delivers for us.

Before we'd have to manually go down rule bases three-thousand lines long, rule by rule finding the stuff that's missing. So it saves us a lot of time.

Well there's parts of the product that we can't use, the SecureChange, the network address translation, and users as it's all very difficult, so we've never managed to use it for that. We just use it for PCI and for rule based management, rules that have no hits, and I use it to help with the rule-based.

It's only broken twice in the ten years we've had it, so it's very good.

It scales because you can put multiple devices in multiple networks. We've got some things where the firewalls aren't routable back to the central, so we can put these proxy-serve type things in, so it's very scalable. You can have as many of them as you want.

I've used them only twice. Once for an RFE and once for a little issue that we had. I found them very knowledgeable, and UK based.

We bought Firemon in the interim and then got rid of it and went back exclusively to Tufin. We had a special environment and Firemon came in, took a pitch, and it was cheaper than Tufin and it checked all the boxes. But when it was actually deployed in the network it didn't fit the purpose so we cut our losses.

Very easy. You need Check Point skills for sure, and it goes with other products as well.

No, we didn't. We went straight to Tufin initially because we bought it. There wasn't anything else back then, because we got it ten years ago.

The most valuable feature for us is SecureTrack. With it, we have rule documentation, change documentation, and the ability to create various reports. We can also enforce compliance with our security policy, as well as to define exceptions.

Another valuable feature is SecureChange, which enables us to have individual workflows. Individual workflows have to be followed step-by-step without skipping a step. That's the great thing that we can do with automation so that firewall administrators don't have to do so much manual, routine work.

There's an automatic compliance check. If you have an accessory test from A to B, the system will check the entire firewall infrastructure to see if it's possible immediately or not, and if it's not possible now, then the change will be started, and if it's a standard change, the standard change will be run more or less automatically, and it's not necessary to involve the technical team for a standard change.

The GUI is not really adaptable as you cannot configure it. The buttons are fixed and it's not really intuitive. It's good for selling training, but in daily work, it's not very easy for those who are new at it.

We've had no issues deploying it.

I think the stability is very good. We've had no issues with instability.

It scales from small network segments up to very, very big companies with thousands of firewalls.

Once I heard from a German Tufin guy something about enthusiastic support, and I thought he was crazy. But now, I think it's true. Even when there's standard support, I become nervous when I don't get feedback within one or two hours, even if the SLA says twenty-four hours. They're very responsive, and also very technical. Technically, they're quite good.

It depends, but mostly the initial setup is straightforward. Just install the operating system, take the appliance, install the software, and then connect all the devices you want to monitor, then you have the basis. Maybe it takes some effort to implement or to import unsupported devices, or defining generic devices and so on. But the standard installation is very straightforward and easy.

I don't evaluate other vendors every two weeks, but I've evaluated them before, and I think Tufin is quite a technically-leading solution. It's very robust and Tufin has focused on stability and topology. Correct topology is the main factor for authorization speed, and Tufin is the best.

We use SecureTrack to walk us through the implementations of our firewalls and for all our policy checks, complaint checks, and reporting and overview of our monitoring policies.

It's given us an easier workflow since we go through the different steps of network validation to make sure that the request coming from the user is technically sound and implementable. It also helps us with security validation, that is, compliance with company goals and so on. We've also added change management so that we're able to implement solutions at the at the optimal time.

I'd like to see automation of a number of steps. In particular, I think that the implementation and validation steps that we're currently doing manually should be automated. Even the input part at the beginning of our workflow could be automated with a link to our ITSM solution.

Deploying it has been without issues.

I have no instability issues at all. It’s working so well that I’m not worried about it.

We have a number of firewalls with no concerns about scalability.

I have had a number of discussions with mostly the sales team and some engineers on how to go ahead and implement some things. So technical support in that regard has been great.

I wasn’t involved because I wasn’t in with the company at that time. I was involved since April and we had some upgrades to perform. It was straightforward and we had no issues with it.

We've implemented with just our in-house team since the initial setup.

We looked at some other solutions at events, but they are not as advanced or complete as what you get from Tufin.

Give it a try.

We're able to generate reports to know what's going on with our rules, specifically expiration dates and PCI's, for our firewalls. It lets us know exactly what's happening.

When we make changes, we need to know exactly what's going on between each firewall and why a rule may pass or not pass between each. It would be good if Tufin gave us the ability to do this in a graphical way.

We have sixty firewalls, and sometimes the path between any two firewalls may have five rules. We need to know exactly what is going on and where we have to implement a rule. It's very complicated to do right now, and that's why we want to implement a security change.

We've had no issues with deployment.

We've had no issues with stability.

We've had no issues with scalability.

We need a vendor that has good, responsive support. Tufin support has been that.

We have a virtual firewall and when we ran our system, there was a problem with mismatched object rules. We called support to help us clean the firewall. The rep looked around and, after an hour-and-a-half, confirmed the problem. Then another five or six technicians analyzed our request and, after three or four days, released a fix for us.

We had no issues with the setup.

There may be a better product a year from now, but we're using Tufin now and we're satisfied with it. We'll use it until it doesn't do the job. It's a big deal changing firewall vendors, so we don't want to change unnecessarily.

Our primary use case for this solution is firewall remediation.

I didn't get very far with it because I didn't used Tufin in production, only during the evaluation phase.

I tested it for the change orchestration. That is what my evaluation recently was specifically for. While the product was a little slow, it did look full-featured. 

The firewall remediation and compliance pieces are the most valuable features. 

I couldn't get it to work in the lab, even with help, on multiple occasions, from one of Tufin's engineers. It was set up in my private lab per all their instructions, and I gave them control of the system. However, they were unable to make it install the policies to Check Point in an automated fashion. So, I unfortunately gave up on the proof of concept at that point.

In terms of stability, the version I tested in the lab was okay.

I don't know about the scalability, as I never got it out a very small VM.

Their technical support was okay. I needed more help getting the product to work in the lab. 

We did not have an automated provisioning solution. At that time, all firewall changes were being implemented manually by administrators.

The initial setup was straightforward. 

I was working directly with Tufin's sales team and SEs.

We looked at AlgoSec and Tufin. However, we did not chose Tufin because of the issues.

Check the product out for yourself.

I wasn't using it for visibility into my firewall infrastructure, because I have other avenues.

I wasn't using the compliance portion when I was testing it, only the orchestration.

I want to look at Tufin for remediation and compliance in the future.