Right now, we are just using it for SecureTrack. Next year, we have plans to buy the license for SecureChange as well.
I think we're using version 18, and we are in the process of upgrading it to 19-2.
We got Tufin from a company that we acquired, so it's helping us do mitigations there. Now, we are extending the scope and implementing it in our HQ, as well. It has helped for PCI and compliance.
The solution helps us ensure that security policy is followed across our entire network. It is important to configure and define all the networks right.
One of the primary reasons why we want to use Tufin is currently we are having issues with companies from overseas who manage our firewalls. It is very inefficient where they say that they have implemented the rules, then later on we find out the implementation has not been done properly and they are missing firewalls. Hopefully, once we fully implement this tool, it should be able to tell us if firewall rules are missing. It should be able to tell them before they communicate with us. After the implementation, we can verify and make sure that everything is working and do all the validations.
It is a great solution. If you have all the devices and firewalls in place, the amount of details that you get along with the network topology is very good.
If we had the budget and money, the SecureChange is really great. What you can do and where you can push everything from one console. You can create a change and do the whole automation: create the change, implement the change, and close the change. Right now, I have to go to two, three, or four different consoles. Whereas if I had SecureChange, I could do everything in one place. From an auditing perspective, it becomes easy. Right now, I have to give a change ticket number, then show the auditor and tell them to search for that change ticket number in a different place. If everything is in one place, that makes your life easier.
The change workflow process is flexible and customizable.
I would like more API integration, API integration with the cloud, and API integration with other chain management solutions. I would also like more scripts, which would help us not have to write scripts. If you give me all this, I can use the scripts to automate stuff, making my life easier.
I haven't seen the cloud integration yet, and I would like to see if we could audit the cloud firewalls, like the cloud-native, Azure, and Amazon. That would be nice. You want one tool to do everything. I don't want to use another tool, or manually go and audit the cloud firewalls.
I have seen some issues with the stability. One of the things that we noticed was when R18 was released about one or two years back, it couldn't discover the newer versions of firewalls, then we had to upgrade it. After the upgrade we ran into some other issues. However, it looks like with the patches it is getting there.
With the scalability, you have to use different components: the reporting server and distribution server. When we implemented it earlier, we didn't design it properly, which I feel is our issue. Once we design it properly, the way that we are implementing it now, I feel the scalability should be there.
I have used auditing tools in the past, so I was already aware of Tufin. When I saw the processes in my company where I worked were manual, I recommended a solution, saying, "We need to expand the solution from our other company to here, as well. It will simplify our processes."
The initial implementation was done at an acquired company, so it was already installed. However, we are doing upgrades now.
I think we will be using Tufin for the upgrades.
We have seen ROI:
Our engineers are spending less time doing manual processing. Their productivity has at least increased by 50 percent.
We haven't purchased the license yet for SecureChange. We do have plans to buy it next year.
The additional piece, which we are buying and doesn't include our other solution, is close to 300,000.
We did not have time to evaluate other solutions. Also, we already had Tufin in place in our other company.
This seems to be a better solution than AlgoSec, which I have used in the past. I have also seen FireMon, and Tufin gave us what we needed. I didn't see a reason to explore other solutions.
It is a great tool. It will help you increase your productivity and simplify your workflow.
We should use it to clean up our firewall policies since the tool is there.
We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control.
We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation.
I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of installations and initial configurations and also some first-level support and maintenance.
I have seen our customers benefit by taking out massive amounts of duplicate objects, and overly permissive rules. Tufin helps to clean up their firewall policies. A common scenario we see is one where clients have a whole lot of shadowed rules, duplicate rules, in their firewall policies. Tufin's Policy Browser allows them to filter them and search for them. They can also search for those rules that violate certain Unified Security Policies that they've defined.
Every single one of our SecureChange customers has seen significant improvement in the time it takes to make a change.
The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions. I'm a little biased because that's what I work with the most, but I have found, especially in comparison to other products I've interacted with, that the Tufin APIs are very well-documented. And the big thing about them is you can do pretty much anything with them that you can do in the UI. From what I've seen, the big focus of SecureChange, in particular, is automation. And you can't have automation - or complete automation - without the ability to interconnect with other systems. The APIs really assist with that.
All of the customers I have worked with who have the SecureChange product use the change request violation risk analysis in the workflows. It is usually the third step of every workflow that I configure. For example, we have an energy customer that has a particular team of people which deals with a given workflow if it has risks. They have Tufin set up to automatically run the risk reports and, in the next step, if the risk is considered low, it goes to one team; if it's considered medium, it goes to a different team. That really allows them to move their changes along without too much human intervention or too much delay.
The solution allows for the creation of custom policies, which is helpful for rule cleanup and USP.
The visibility is as good as I’ve seen in any network product. It also has its own firewall stuff for Cisco routers.
The support for cloud-native security is pretty good. We have a large customer that uses AWS and AssumeRole, and they have 200 or 300 AWS accounts. They are pretty satisfied with the solution.
Tufin also supports all sorts of devices, cloud or otherwise. I've definitely seen unified security policies applied to both cloud and regular devices. Cisco, Palo Alto, you name it.
Support for Firepower is still ramping up, but meanwhile, some things are missing.
I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that.
This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow.
There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."
I haven't run into very many issues with stability. HA is the only weak point that I've seen. In the past, a lot of the HA upgrades had to be done separately. Recently, I had an HA upgrade that failed during the process, and we had to restore from a backup.
This solution is extremely scalable. I've seen customers with multiple hundreds of firewalls and there are no issues. The specs that they post on their Knowledge Base are pretty accurate as far as performance goes.
Technical support for this solution is very good. Every time I run into an issue that I can't resolve with a customer, I reach out. There has not been one that was not resolved.
Clients typically choose Tufin for a feature that it supports which other solutions don't have: a certain firewall or perhaps provisionings on a certain firewall. Tufin tends to release new versions very quickly with changes that are high-value. Also, as mentioned, the SecureChange workflow solution is very flexible.
The initial setup is pretty straightforward, as all you need to install it are IPs and credentials for your firewalls. However, once you go beyond that, the effort you put in is what you get out. In terms of creating zones and Unified Security Policy, those are things that you work on for years.
We handle the installation and configuration of this solution for our clients.
There are certainly clients that consider FireMon and AlgoSec.
The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation.
The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic.
This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows.
The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product.
I would rate this product a nine out of ten. There is a lot that can be sped up in Tufin if you have someone to help you through it.
Tufin is primarily used to orchestrate and manage network traffic and firewall devices. It is specifically useful for implementing firewall policies and handling requests from clients that require policy updates or changes.
Tufin simplifies understanding network topology. New employees can quickly grasp the various IPs, devices, and the network's logical and physical layout within a short period, often reducing what would normally take a week into just a day.
While Tufin is suitable for small businesses, issues can arise in larger enterprises, particularly concerning policy-based forwarding and NAT traffic.
I have about three years of experience using Tufin.
Tufin is quite stable and typically does not require much troubleshooting.
When dealing with a large number of devices, Tufin can sometimes face challenges, indicating potential scalability issues.
The support team is effective; they connect to the network quickly and help resolve any issues that arise, although issues are infrequent.
Neutral
The initial setup of Tufin is easy and can be done within a day, provided the environment is prepared.
Tufin and AlgoSec are at the same level in terms of pricing. They are suitable for small to medium businesses with significant investments.
I have worked with AlgoSec, which is used for similar purposes and provides strong support for network devices. Both Tufin and AlgoSec can connect via API and support major firewalls and networking devices.
I would definitely recommend Tufin, especially for critical industries like banking or ISPs. It is essential for organizations willing to invest and ensure robust network management.
I'd rate the solution eight out of ten.
Our company uses the solution to auto deploy and analyze locks for hundreds of Layer 2 firewalls which are more challenging than Layer 3.
We write scripts for manual configurations, create policies, analyze all rules and locks, and then auto deploy.
We currently have 40 engineers and 100 staff who use the solution.
Maintenance of the solution is easy because we copy the latest configurations.
I am improving rules for hundreds of firewalls to increase security and rigidity with confidence that the solution is handling it well.
The solution's most valuable features are its security policy and steps for deployment.
The solution is flexible and easier to integrate in a Layer 2 environment. Other solutions such as AlgoSec and Skybox have Layer 2 speakers but are complicated to implement.
Integration for Layer 2 devices could be improved because it requires manual scripting. Other layers are very simple to integrate. It would be a benefit to have a form field for firewall names, user names, and passwords which then auto integrate.
Licensing options are confusing and require additional fees for high availability. Competitors include high availability with their standard licenses.
I have been using the solution for two years.
We monitor stability all the time and find that the solution is quite stable.
We have not yet scaled beyond our initial deployment that included hundreds of firewalls. The solution handles our complex environment with no issues.
Technical support is great. Our company has a complex environment and we asked Tufin to make integration easier for us. They rose to the challenge and tailored the solution to our existing environment.
The technical support team in Singapore is quite responsive when we ask for help.
Our initial setup was more complex than others because we implemented Layer 2 firewalls.
Setup would have been somewhat complex using any solution. Our entire deployment took one year but most of that time was spent integrating Layer 2 firewalls and building baseline security policies. The solution itself did not cause delays but rather it was our internal protocols that required a large investment of time.
I rate the complexity of setup a six out of ten.
The implementation was handled by a local Indonesian partner.
The solution is more reasonably priced than its competitors.
We subscribe to the yearly license and find it to be quite budget friendly.
A high availability license was an additional cost so we opted to purchase the standard license but were later given high availability at no additional fee.
We conducted a proof of concept exercise before making a vendor selection.
We did not choose Skybox because security is bundled in the solution and we only needed one tool for a specific reason.
AlgoSec is the best solution for file management but Tufin is very comparable and reasonably priced.
I rate the solution an eight out of ten.
Currently, we're an electric utility. We use it for NERC CIP for validating rules into ESPs, which makes it easier for us to pull out the rules and justifications for auditors.
We are using either Tufin 18-2 or 18-3 and testing 19-2.
As a company, we don't have anything in the cloud.
It has helped us immensely on the compliance side. We are able to look for overly broad rules. E.g., rules with any-any using the USP to see if we have violations. This was pretty impossible to do before by just looking at the CLI on the firewall and spreadsheets.
We use Tufin to clean up our firewall policies. The biggest use in the last couple of months has been to pull rules out of firewalls rather than putting them in. We're cleaning up and pulling rules out.
We use this solution to automatically check if a change request will violate any security policy rules. Even though we've been using the product for several years, we've just now started rolling out SecureChange, updating our USPs, and building USPs. We are using those to do security checks.
This solution helped us meet our compliance mandates. With the USPs, we can control what is being put in, then we know when violations are occurring ahead of time.
The ability to write reports to figure out what ports and services are allowed into specific zones. For instance, we know that there are certain devices which are only allowed to have interactive remote access into an electronic security perimeter (ESP). We've written reports which can tell us if someone inadvertently opened something up that shouldn't have been, then we can pull it out. Now that we are using SecureChange, it can alert us to that fact as the rules are being built, which is huge for us.
The visibility is huge. In order to figure out what was going on previously, we would have to pull stuff out of firewalls and put them in spreadsheets, then do sorts. Now, it's all right there in Tufin. We can write reports to look for what we need, ad hoc searches to find object groups, and know which firewalls are on. This was almost impossible to do previously.
It makes it a whole lot easier for rule clean up because we can find rules that haven't been used. We can find rules that are too broad and pull those out, putting more specific rules in, which could be done before but this cuts the time way down to do it.
The change workflow process is getting better. I wish it was a little more customizable. Right now, my biggest issue is that it wants to optimize everything we put in. Sometimes, we need a rule to be more readable, and we want it to go in a specific way. Sometimes, it's difficult to get Tufin to accept that. It wants to optimize and reduce the number of ACLs. On the compliance side, sometimes you just want more ACLs, so it's more readable for an auditor.
I got a sneak peek of a release or two. There are some new features coming out that we could use today. E.g., SecureChange won't allow us to put in more readable ACLs rather than try to compress them. Sometimes, we don't want it to do full optimization of a rule set. I would love the ability to tell it, "Thanks, but no thanks. I don't want to optimize this rule. Please put it in the way that I want it." Right now, that's hard to do. It's almost impossible.
It is a very stable product. There have been a few times where we have had to call support and have something fixed. It has happened, but it's very rare.
It seems to scale very well. We have had the same servers in for four years now, and everything's keeping up. We haven't had any issues yet, and we are probably monitoring around 400 firewalls today.
The technical support has been very responsive. If they can't figure it out, they are not afraid to go to Israel, back to the developers, and find an answer to the problem. Typically, within a day or two, they have the answer and we are back up and running. They've been great to work with.
We knew that we had to invest in something which could help us clean up our rule sets.
We took baby steps, so the initial setup was pretty straightforward. We just started with SecureTrack, getting it talking to the firewalls, and initially using it to document justification for rules on our compliance firewalls. We have been doing more with it over the years.
We used Tufin for the deployment.
This solution has helped us reduce the time it takes to make changes. We have been using SecureChange for the last six months, and it has streamlined the process. We can usually do changes now within two or three days, where sometimes it used to take a week or more.
Engineers are spending less time on manual processes. We can push the changes to the firewalls. The engineers don't have to log onto the firewalls, then cut and paste.
I just wrote a purchase order for it. It is $150,000 a year.
We looked at three solutions at the time, then chose Tufin. We felt that Tufin was one of the more customizable solutions and had the best price. They came in cheaper than everyone else, and at our company, that means a lot. Thankfully, they were the best. We felt they were best of breed at the time.
Give Tufin a good, hard look. From my experience, it is the best of breed.
Right now, we're focusing the implementation on our NERC CIP firewalls (the compliance stuff). We have some other teams who will be working on the corporate side and certain clean up rules along with the rest of the corporate firewalls. We are not there yet, but we're working on it.
I am responsible for the management of network devices, including firewalls. Security management is handled by our parent company.
It's a great tool for checking compliance of network device configurations against our company's rules and industry standards like NIST 2.0.
It made us look at security policies more holistically, from the perspective of the entire network across all our devices.
We used a version from a few years ago. So, I think my opinion would be a little outdated. Moreover, at the time, there were no huge complaints.
Customizing it can be a little tricky, but that depends on your use cases.
I have worked with Tufin Orchestration Suite, but we no longer use it.
Every case was solved by our partner. They were licensed partners. They were certified and licensed by Tufin.
I was satisfied with the support.
Positive
We didn't work with any system of compared functionality.
Moreover, opting for any solution is a corporate decision made at a much higher level than mine.
The deployment wasn't difficult. It's just connecting the system to network devices using some pre-deployed credentials and reading the device configurations. The difficult part is setting it up for the specific tasks you need from Tufin Orchestration Suite.
Customizing it can be a little tricky, but that depends on your needs. So specific use cases could be challenging.
From my perspective as an engineering manager, it saved my team time.
And looking at it from a higher level, it saved the organization money. As an organization, that's paying for my people's time.
So, ROI is something each organization has to figure out based on its own usage patterns.
The pricing depends on the business case. For us, the pricing was six out of ten, with ten being the most expensive and one being the cheapest.
We didn't use the entire suite. So, I would rate it a seven out of ten.
We use this solution for firewall rule management.
Using this solution has drastically cut down on our implementation time. A customer is able to submit a request for access and Tufin will automatically analyze the system to find out where the rule needs to go, and then design the rule for you. It was a very, very cumbersome process that has been cut from months to days. Some access requests used to take two months to get through the system, whereas now the average is eight days or less, and we even have a same-day turnaround in some cases.
Our engineers spend less time on manual processes. The improvement is drastic, from months to days.
Every single request that comes through, Tufin checks and does a risk assessment against our USP, the Unified Security Policy.
This solution has helped us from a compliance standpoint. During an audit, we were able to pull up the policy browser within the system and show the auditors where the rules actually live, and then show them in the firewall as well. Moreover, we could then show them the ticket and the request, along with the business justification and the entire history behind each individual rule that's in the firewall.
Tufin helps us ensure that the security policy is followed across our entire hybrid network. We have Palo Alto firewalls, Cisco firewalls, and VMware NSX firewalls as well. Tufin sees all three of those. Every access request that comes through is checked against the USP to make sure that we're not violating any policies, and we're in compliance.
The most valuable feature is the ability to quickly identify where a rule needs to be put in place because right now we manage almost five hundred firewalls.
The visibility that this solution provides is great.
The workflow process is very customizable. I've played with it quite a bit in order to tailor it to our needs.
One of the big things that I want to see, based on feedback that I have received, is to give somebody read access to your ticket. In our previous, in-house system, this was called a "reader". Right now, Tufin's SecureChange ticketing system only allows you to see your tickets, and nobody else's unless you're a firewall administrator. That is by design. However, at our company, many people come and go and there are many large projects. We need multiple people to be able to see multiple tickets. The problem is that we can't open up the entire system to everybody because of compliance reasons. We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket. A simple drop-down that would allow you to select the name would be sufficient.
This solution is very stable. Once we got to a certain release, somewhere in version R18, it was stable. Before that, it would slow down after about a week or two of running and would cause us to have to restart the system.
We've added more servers to process the load, and it's definitely helped speed up the system.
At this time, we manage almost five hundred firewalls.
Technical support for this solution has been helpful. We also have a Tufin RE (Resident Engineer) on staff, three days a week, so that helps too.
The previous system that we used was something that was homegrown, just built in-house. It was only a ticketing system. Everything else was done manually. My employees would spend days just trying to figure out where the rules needed to be applied, and how the rules needed to be designed. It was a very long, manual process.
We used a consultant from Tufin, itself, for our deployment.
Our ROI is realized through time savings, whether it's in the deployment or redeployment of something, or any other task that requires the creation of a firewall rule. The request would be made months in advance because they knew it would take months to get it in place. Nowadays, sometimes they'll find out last minute they need some rules. They'll submit the ticket, contact us, and ask for a rush order on it. If we've got somebody available, which right now we can do because we're able to turn things around faster, we can do a last-minute large request and push it through within a day or two. The savings in time is something that I don't even know if I can calculate properly.
I believe that FireMon was considered before we chose this solution.
This solution works very well and it does the job. The product is pretty solid. At the same time, some of the small customizations would be very useful. It just needs little minor tweaks to really take it to the next step.
My advice to anybody who is researching this or a similar solution is to give it a look. Don't overlook this solution because you haven't heard of Tufin, because it's actually a really decent product.
I would rate this solution an eight out of ten.
We primarily use this solution for Change automation. We do not use USP, yet.
This solution has somewhat helped us with meeting our compliance mandates. We’re still working on it, and it’s a work in progress, but we’re better than we were.
Using this solution has helped to reduce the time it takes us to make changes. Our average was about five business days, and we’re down to same-day delivery. For some of our environments like QA and non-production, where we allow changes during the day, they can be done right away.
Our engineers are spending significantly less time on manual processes.
The most valuable feature of this solution is that it reduces both the time required and the number of errors when making changes. We reduced the time it takes to make a change from a week down to a few hours. It means that the business gets a faster turnaround time, and our group is not as much of an obstacle for getting things done. It reduced the change error, so there is a lot less manual work being done.
The automation provided by this solution has mostly eliminated the human error element.
The most powerful thing in Tufin is the ability to use the SecureChange API, where we can supplement our own functionality in addition to what is built-in.
There are some limitations in the product and we were unable to use the Clean Up reports.
We haven't been able to use the unified security policy and a lot of the violations and stuff like that. So, we're not getting a whole lot of visibility. Again, there are limitations there, so we haven't been able to deploy that yet.
USP does not support VPNs, which is a big thing for us, so we haven't been able to utilize it.
One thing that could be improved is the moving of data from one step to the next. As it is now, we have to manually do that via the API, but there should be a way to carry over data between the different steps without us having to code that.
It could definitely use some refinements and utilize fewer resources. It uses a lot of hardware to do not a whole lot of tasks.
This solution is stable. We don't have any issues with it, but it's a resource hog.
This solution is not entirely scalable, although we have a very small footprint, so we don't really need it to be. For our use case, it's okay. I think that the distributed architecture, which we don't use, would allow it to be a lot more scalable, but I haven't had any experience with that.
Technical support for this solution is good. We have a technical account manager and he's been right on point with most of our stuff. It's a fairly complex thing that went to R&D. It took some time, but that's to be expected.
The initial setup was completed before I was there, but I have heard that they had a lot of issues with setting up high availability. Other than that, it was pretty straightforward.
We used a G2 reseller for our deployment and it was a good experience.
Our licensing fees are approximately $250,000 USD.
This solution checks a lot of the checkboxes, but it seems to be quite limited in some of the more advanced features that the firewalls do. This can be quite restrictive in terms of what you can and can't accomplish with it.
I have indeed referred two former co-workers at another company to look at this solution. I think that it would help them significantly.
The newer, more advanced features that we would like to use are just not supported by Tufin yet. I think that it's in their roadmap, but they just aren't there yet. Specifically, we are doing things like URL filtering, user identification, decryption, and inspection, which are typically done by devices other than firewalls. Palo Alto supports it, and we're using it, but it creates some complexity with the automation.
I would rate this solution a seven out of ten.