We use Tufin to do the review of rules, best practices, changes, and usage. So, it's an outside entity looking in to see what's happening on the rules side. Then, we can do recertification for our rules, so they can be used again. Tufin puts it together really well, saying what's needed or not, then cleaning things up. We've been a customer for a very long time with them, and we're pretty pleased.
Security Engineering at a financial services firm with 10,001+ employees
We can review rules and do searches, as it has its own database which pulls all the information in regularly
Pros and Cons
- "We just got done with major audits. Tufin was able to provide information to give back to people, and say, 'Hey, this is what I need to do, and what we're doing.'"
- "We were just talking to them about usage for the F5 platform. They will not be going after specific environments, but a more OpenAPI. They will have other companies write it, etc. It's a little different than I had expected."
What is our primary use case?
How has it helped my organization?
The solution's visibility is excellent for Check Point.
There's a new feature that validates standards. It allows the checks and balances against it, so it doesn't even go forward. It just says, "You're not right. Do it again."
We just got done with major audits. Tufin was able to provide information to give back to people, and say, "Hey, this is what I need to do, and what we're doing."
It's working on helping us meet our compliance mandates. We're a bank, so we're always chasing it, but it is helping us a lot. Rule recertifications are our biggest thing. However, what happens in the world of firewalls is people will put in rules to get what they need but don't ever clean them up when they stop using them.
What is most valuable?
The reporting is very good and provides in-depth knowledge for Check Point. We can write the rules as we see them. We can review rules and do searches. It has its own database which pulls all the information in regularly. This is very nice, and it is a good product for us.
I like the change impact analysis. It tells you what is going on, so you can review what has changed. In case you have to go backwards, and say, “Oops, that wasn't supposed to happen. How do I go get it?”
What needs improvement?
We were just talking to them about usage for the F5 platform. They will not be going after specific environments, but a more OpenAPI. They will have other companies write it, etc. It's a little different than I had expected.
Buyer's Guide
Tufin Orchestration Suite
November 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,660 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is a very stable product.
What do I think about the scalability of the solution?
It has very good growth. The scalability is very nice. We're doing a distributed environment right now. So, it has met our needs, which is nice.
How are customer service and support?
The technical support has been excellent.
How was the initial setup?
We were the first North American company to do this product, a long time ago. So, I don't know how the initial setup went. It's been a while. However, every time we go back and do stuff, it has been a pretty straightforward installation.
What about the implementation team?
We used an integrator and professional services.
The overall experience was very good. I liked it.
What was our ROI?
We have seen ROI.
What other advice do I have?
Buy Tufin because it works! I love the product. It's been a great product to work with. The people are great, and the support is awesome. I have had no downside out of it.
We're just getting started on the change workflow. So, we're learning it, and it's working well.
It helps with our review process. We do a peer review, saying "Hi, here's all the changes," then you can look at it and go, "Oops I forgot something," or, "I don't think that was in any drop," and we can go back and review that. This is where it helps us minimize errors. Before Tufin, we would end up not catching these errors.
We are automating, so we are getting to a place where our engineers are spending less time on manual processes.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Services Engineer at AccessIT Group
Reduces human error and speeds up the whole change process
Pros and Cons
- "This solution helps us ensure that security policy is followed across our entire hybrid network. You can have a Unified Security Policy which reaches across all networks, so if you are having a change submitted, it doesn't matter if you're enforcing it or not. You can get an alert saying, 'This is a violation.' That's a value-add."
- "I would like more enforcement. Right now, it's a lot of alerting. You see it in Tufin, but you have to go to Check Point or whatever device to make the actual action."
What is our primary use case?
We do risk, cleanup, and change.
How has it helped my organization?
It reduces human error and speeds up the whole change process.
The change workflow process is flexible and customizable. There are five default workflow processes out-of-the-box. However, every customer is different. Everybody has a different request process. That is why it's so customizable. You can add another step, you can delete a step, or you could put in an exception. It is very flexible.
We use this solution to automatically check if a change request will violate any security policy rules. E.g., we will not be allowing SSH to the Internet. That is one change request where we can be like, "Put that right on top of the policy."
This solution has helped us to meet our compliance mandates, especially with the default out-of-the-box templates, then you can create your own.
This solution helps us ensure that security policy is followed across our entire hybrid network. You can have a Unified Security Policy which reaches across all networks, so if you are having a change submitted, it doesn't matter if you're enforcing it or not. You can get an alert saying, "This is a violation." That's a value-add.
What is most valuable?
- Cleanup
- Visibility
- Scalability
Cleanup is its most valuable feature. We use Tufin to clean up our firewall policies. You can see unnecessary, unused objects. A lot of times, you will create a host, then it's not used. It's like, "Delete that, because we don't need that in the database." Or, it's a rule that is not needed: unused rules.
Its cloud-native security features are good. They add even more visibility to your environment.
What needs improvement?
I would like more out-of-the-box workflows in SecureChange with more default config, so you don't have to create those workflows yourself. This would be the biggest thing.
I would also like more enforcement. Right now, it's a lot of alerting. You see it in Tufin, but you have to go to Check Point or whatever device to make the actual action.
We already know the user interface is getting redesigned in TOS 2.0. That's naturally been the customer complaint in my experience, "Where are things in the GUI? The GUI is cumbersome." Now, I'm used to it, but when you're first learning it, it is unintuitive.
What do I think about the stability of the solution?
The stability is very good, especially now that they are developing a lighter weight operating system on top of the OS with 2.0 coming out this year.
The current version is slow. I deal with a lot of large environments, which is mostly what Tufin has. It is slow because it is a database, Tomcat Server, and web server. Reports are slow. If you're generating manually on the fly, you can set them to run at night, then it's not a big deal.
What do I think about the scalability of the solution?
The scalability is good, because you can have a central server, distributed server, and remote collectors. You can have remote land sites or branch offices. You can have the collectors collect the data for you. You don't have to rely on just one server.
How are customer service and technical support?
The technical support is very good. It is a lot better than the firewall vendors themselves.
Which solution did I use previously and why did I switch?
There were not enough resources to do the changes themselves. We definitely went offshoring. Now, you see a lot of that coming back because there are not enough people. We needed a system to do it.
How was the initial setup?
At first, the initial setup is complex. Once you know it, the initial setup is straightforward.
First, you have to install the operating system. Then, you have to install the application, where there are certain version requirements. You can't just go right to the latest OS version. You have to go back to the older one, then upgrade those as well. It is a little cumbersome.
What about the implementation team?
I am an integrator. Sometimes, we have to use Tufin on the back-end.
What was our ROI?
We have seen ROI just in the time savings and knowledge. Knowledge is power. Having the solution do it automatically for you without you doing the work is huge. If you are spending $50,000 a year, it could have cost you $100,000 in man-hours without it, especially if you are working with a team.
This solution has helped reduce the time it takes our customers to make changes by 50 percent.
Engineers are spending less time on manual processes by 50 percent.
What's my experience with pricing, setup cost, and licensing?
While licensing varies greatly, it is about $50,000 a year.
Which other solutions did I evaluate?
We did consider other vendors, but Tufin is the market leader. We only deal with the best of breed. We like to go with the best.
What other advice do I have?
Do a proof of concept or proof of value. You will see the value right there.
The visibility is top-notch. I know the vendors as well, like Check Point and the firewall product underneath it. I know with Check Point, specifically, and I have seen some issues with it. However, overall, there is still a lot of value in the cleanup.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Senior Network Security Engineer at a retailer with 10,001+ employees
Using SecureChange and SecureApp, it makes life easier for the user community and the firewall engineers by not having to manually input firewall rules.
Valuable Features
I am working in a DevOps environment. We are trying to automate firewall rules and allow Tufin to push these changes for us. Using SecureChange and SecureApp, it makes life easier for the user community and the firewall engineers by not having to manually input firewall rules. The DevOps environment allows the users to pick from a catalog and request what they need. SecureTrack gives us the audit capability of what is/was implemented.
To me, SecureTrack is the greatest thing since sliced bread. It allows you to see what is used and not used with your firewall, and gives extensive analysis in a very short period of time.
Improvements to My Organization
I can run SecureTrack for a week and have a great idea of what’s being used. Ideally, you want to let it run for a year, accumulate data, go over a year’s worth of data and decide what really needs to be cleaned up.
You will see in one report what is being used (IP addresses or services) and what has never been used.
Gone are the days of reviewing logs to figure out, "do I still need this rule/service?" It’s been a really great piece of software.
Room for Improvement
Probably in the ad-hoc reporting. They give you the canned reports. We do use the API calls, but it would be nicer if they could just give you a drag-and-drop function in the reporting. Pick anything out of the database and massage that data the way you want it.
Tufin has been working with us hand-in-hand lately because they do see that we are doing a lot of cloud-development work with automation. It’s in all our best interest going forward and they have responded seeing the future is in the cloud.
Use of Solution
Personally I have been using Tufin for seven years across different companies.
Deployment Issues
No issues encountered. Strongly encourage an HA environment.
Scalability Issues
It’s holding up real good with scalability and stability. We have not run out of power on the box. They have been here on site and see what we are doing and how we are doing it. We are telling them what we need and they are doing it. They are pushing the envelope in their development side to try and meet our demands.
Customer Service and Technical Support
Customer Service:
The level of service is excellent. I can’t overstate that. We open a lot of tickets because we are using a lot of things that a lot of people are not using in the product, which is too bad. Most people don’t understand the power this product brings to the table.
The technical support team is right on top of it. They don’t just leave you hanging. They know the guts of the product. They are able to get in and figure out what is happening and get you up and running again.
A lot of companies will put the new guy on the front lines so that they learn the product line quicker. Tufin does not do that; these guys actually know their stuff. If they don’t know, they go straight to the developers. I can’t praise them highly enough.
Technical Support:
We have a great relationship. You need help and they are there. If that’s operating system support or the application, their engineers are very resourceful. Looking at their roadmap, we see great improvements coming to cover the new world of automation and cloud computing.
Bottom line they are very responsive, and very good.
Initial Setup
It’s easy to deploy. It’s a very easy product to work with. It’s one of the easier products to implement.
Implementation Team
In-house with Tufin on-call ready to help.
ROI
We have made a ROI. We have invested a lot of money in these products. Any company that puts in SecureTrack alone will see a very quick return on investment.
With SecureApp we are automating cloud development work; the only thing we have to do at the end of the day is go to the firewalls and click ‘install’. It will do the end-to-end analysis for you.
Pricing, Setup Cost and Licensing
You need to approach it from a cost perspective. If you have to go through and analyze a rule base, it’s going to take you months and months and a lot of people. If you use Tufin, right off the bat, it’s collecting the information and it’s going to tell you what’s been hit or not. It will tell you how many hits on each source/destination address, and services.
Other Advice
It’s the Swiss army knife of tools. I’m sold on it. It’s so easy to use. We use it to its full potential. It has some great bells and whistles.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Works at a media company with 10,001+ employees
Helps in analyzing the current status of our firewall rules, but its pricing is not transparent
Pros and Cons
- "We can check and analyze the current status of our firewall rules."
- "Their pricing can be better. It is not very transparent."
What is our primary use case?
We are an IT service provider. We are using it in our company and on the customer side. So, we have internal customers, and we are also a solution provider for external customers.
What is most valuable?
We can check and analyze the current status of our firewall rules.
What needs improvement?
Their pricing can be better. It is not very transparent.
In terms of functionality, we have not had any particular or special disadvantages other than the integration, but every tool that you take to integrate with your infrastructure is more or less complicated. For example, you have a history in your firewall infrastructure, and the longer the history is, the more you have to work on it to integrate. We see that in our infrastructure. We have been a service provider for more than 40 years, and we have been on the market for 20 years. We have a lot of customers, and there are some individual requests and setups. For the integration of Tufin or any other tool, you need a certain level of standardization. We have more disadvantages on the site from different firewall vendors. For example, with Drupal, you can integrate any individual firewall, but for Fortinet, you have to use a Fortinet manager.
We are not looking for any additional features at the moment. We are not planning to buy any other modules.
For how long have I used the solution?
I have been using this solution for five years.
What do I think about the stability of the solution?
Until now, we have not had any problems in terms of stability.
What do I think about the scalability of the solution?
It has been scalable so far. We don't have any issues.
On the administration side, 15 people are working with it.
How are customer service and support?
I would rate them a six out of 10. In many cases, we had to escalate.
Which solution did I use previously and why did I switch?
I didn't work with a similar product previously.
How was the initial setup?
Its implementation process is complicated.
What's my experience with pricing, setup cost, and licensing?
It is expensive, but as compared to other players, it's more or less okay. Their pricing is not very transparent. This is my biggest point regarding Tufin. I've never seen a price list or something like that. It's always individual, and in many cases, it's very confusing to know what is the base and what is the price.
What other advice do I have?
I would advise thinking about which modules you really want to use. We are using it only to have a transparent view of the firewall rule base and nothing more. We are not using any modules of this solution because we want to be and stay independent. For example, for the execution of the firewall rules, we use our own system. We have also developed all the other things ourselves so that in the future, we can switch to another product. So, you have to take care that you are not fully dependent on Tufin.
I would rate it a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Firewall Architect at a financial services firm with 10,001+ employees
Helps us tighten up our firewall policy, but reporting should include automation metrics
Pros and Cons
- "The automation piece is the most valuable feature: having SecureChange make the change on the firewalls, instead of my having to go manually make the changes on the vendor product."
- "We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules."
What is our primary use case?
Our primary use case is firewall automation. We use SecureTrack and SecureChange. We have distribution servers, Remote Collectors, but what we primarily use is SecureChange integrated with ServiceNow for users to submit firewall requests. They then go to SecureChange, which designs the rules and implements them.
How has it helped my organization?
When it comes to the turnaround of firewall rule requests, it used to take about a week to implement and have the customer test for firewall access. Now, it can take just one day. The implementation itself takes a minute or two. For the customer, it may take the rest of the day, by the time that the policy is installed and the customer tests, either that evening or the next day.
While I'm not involved in the leadership, I believe the solution has helped us to meet our compliance mandates: from a firewall perspective, as well as an audit perspective, as well as review of the rules and source and destination port requests.
As for ensuring that security policy is followed across the entire hybrid network, we're getting there. That's part of why we implemented Tufin. We are implementing that across our multiple offices. Once we get to that state, it will ensure that security policy is followed.
Finally, using the solution, our engineers are spending less time on manual processes.
What is most valuable?
In general, the automation piece is the most valuable feature: having SecureChange make the change on the firewalls, instead of my having to go manually make the changes on the vendor product.
In terms of cleanup of our firewall policies, we don't officially use Tufin, but I, as an architect, do use the Automatic Policy Generator to review existing rules: high hit-count rules and open rules which aren't very secure. We use that to then build firewall rules which tighten up our firewall policy.
The change workflow process is flexible and customizable. We have had to edit and alter some of our workflow and it's pretty easy, pretty simple, pretty straightforward. We use Tufin support, their helpdesk, for that because we're a very new customer.
What needs improvement?
In terms of the visibility the solution provides, we have hits and misses with it. Overall, we think it works. We would like to get more automated, but that could be an issue internally with services and ports that we allow between different zones and our USP matrix. We're working with Tufin representatives to help solidify that and clean that up a little bit. That's one of the headaches and hiccups that we have right now: the full automation piece. We have automation to an extent, but we still have requesters who submit requests that still require approval, whether it be firewall leadership approval or cyber leadership approval. We want to determine what ports are allowed between the zones, as I mentioned, so that we can have full automation and there's no human interaction at all.
We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules. That's available on the Palo Alto side, but we are primarily a Check Point site on-prem. We have Palo Alto on the cloud but most of our on-prem stuff is from Check Point, so we're waiting for that. Those are some of the key things we're waiting for.
For how long have I used the solution?
We've been using Tufin for about four months.
What do I think about the stability of the solution?
My impression of the stability is positive. We haven't had any issues. We even went through an upgrade about a month ago and it was a smooth process.
What do I think about the scalability of the solution?
As for scalability, we're finding that out right now. We're building out two new Remote Collectors for our global deployment of an additional 150 to 180 firewalls, plus additional Layer 3 appliances. We're working through that right now. Hopefully, it will be a smooth transition but I can't say for sure because we haven't actually implemented it yet.
How are customer service and technical support?
I would rate tech support as "fair." Response time is a little slow, but when they do respond, and when time is available for them, we work through things pretty quickly to resolution.
How was the initial setup?
I wasn't involved in the initial setup, but from what I've heard from others from whom I took it over, it was very straightforward.
Which other solutions did I evaluate?
I know they reviewed other solutions but I don't know which, for sure, since I inherited the project. I would assume AlgoSec and FireMon were reviewed as well.
What other advice do I have?
Be as detailed as you can within your introductory meetings, and your planning and implementation phases, because if you don't mention something and it comes back later, you're going to have to work through it. That could take time, it could take extra money. You want to make sure, upfront, that you know everything you want to do so that it's all included in the cost for the Professional Services implementation.
We do use it on the cloud; we're having some trouble right now defining the network policy on our cloud. We're working through that; it's part of being a new client.
I would rate Tufin a seven out of ten. We're a very large, complex organization, so we're still working through some stuff that we focus on, things that, perhaps, other customers don't, or that Tufin doesn't have integrated in the TOS software.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Infrastructure Analyst at a manufacturing company with 10,001+ employees
A nice GUI and powerful API
Pros and Cons
- "The most valuable features are the GUI interface and the API."
- "The integration with different products needs to be improved."
What is our primary use case?
We are using the SecureChange and SecureTrack components of this solution for rule re-certification and change automation. We are still in the implementation phase, but we expect to have this solution in our production environment by October 1st.
How has it helped my organization?
With respect to visibility, my impression is that it will do what we need it to do, but it will take some work.
We have tested the system to see if it will automatically check to see if a change request will violate any security policy rules, and it will do what we need. We intend to use this feature in production.
We expect that this solution will help us to meet our compliance mandates.
What is most valuable?
The most valuable features are the GUI interface and the API.
We’ve found the change workflow process to be flexible and customizable. If it could not be customized then it would be very hard for us to make it work for our company.
What needs improvement?
The integration with different products needs to be improved.
For the most part, this solution will ensure that security policy is followed across the entire network. There are certain policies that are not baked into the product yet, like our proxy solution.
The options for certain things are pretty rigid, so they need to be more customizable.
For how long have I used the solution?
Still implementing / pre-production.
What do I think about the stability of the solution?
So far, the stability of the solution has been good.
What do I think about the scalability of the solution?
We have some work to do with scaling the product, so I don't yet know about the scalability.
How are customer service and technical support?
Technical support for this solution has been great. They've been very responsive.
Which solution did I use previously and why did I switch?
We will be using Tufin to clean up our firewall rules, but we currently use AlgoSec.
Our previous solution was an end-of-life product, so we had to evaluate the options that were out there.
How was the initial setup?
The initial setup of this solution is straightforward, although we haven't done full-on production yet, so I don't know what we're going to run into.
What about the implementation team?
Nexum assisted us with the deployment of this solution. They are good, and we use them for everything we can.
What was our ROI?
At this stage, we have not yet seen ROI.
Which other solutions did I evaluate?
We evaluated other solutions, but Tufin had a better workflow.
What other advice do I have?
I am unfamiliar with the cloud-native security controls that are provided. They may be worth further investigating.
Reducing the time it takes us to make changes is the goal of our implementation. We expect that our engineers will spend less time on manual processes.
We expect that this solution will do what we need it to do, but there are some quirks with the integrations for the software.
My advice to anybody who is researching this solution is to pick what's right for you and do your homework.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Provides powerful integration with ServiceNow and other solutions using APIs
Pros and Cons
- "The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions."
- "I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that."
What is our primary use case?
We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control.
We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation.
I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of installations and initial configurations and also some first-level support and maintenance.
How has it helped my organization?
I have seen our customers benefit by taking out massive amounts of duplicate objects, and overly permissive rules. Tufin helps to clean up their firewall policies. A common scenario we see is one where clients have a whole lot of shadowed rules, duplicate rules, in their firewall policies. Tufin's Policy Browser allows them to filter them and search for them. They can also search for those rules that violate certain Unified Security Policies that they've defined.
Every single one of our SecureChange customers has seen significant improvement in the time it takes to make a change.
What is most valuable?
The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions. I'm a little biased because that's what I work with the most, but I have found, especially in comparison to other products I've interacted with, that the Tufin APIs are very well-documented. And the big thing about them is you can do pretty much anything with them that you can do in the UI. From what I've seen, the big focus of SecureChange, in particular, is automation. And you can't have automation - or complete automation - without the ability to interconnect with other systems. The APIs really assist with that.
All of the customers I have worked with who have the SecureChange product use the change request violation risk analysis in the workflows. It is usually the third step of every workflow that I configure. For example, we have an energy customer that has a particular team of people which deals with a given workflow if it has risks. They have Tufin set up to automatically run the risk reports and, in the next step, if the risk is considered low, it goes to one team; if it's considered medium, it goes to a different team. That really allows them to move their changes along without too much human intervention or too much delay.
The solution allows for the creation of custom policies, which is helpful for rule cleanup and USP.
The visibility is as good as I’ve seen in any network product. It also has its own firewall stuff for Cisco routers.
The support for cloud-native security is pretty good. We have a large customer that uses AWS and AssumeRole, and they have 200 or 300 AWS accounts. They are pretty satisfied with the solution.
Tufin also supports all sorts of devices, cloud or otherwise. I've definitely seen unified security policies applied to both cloud and regular devices. Cisco, Palo Alto, you name it.
What needs improvement?
Support for Firepower is still ramping up, but meanwhile, some things are missing.
I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that.
This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow.
There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."
What do I think about the stability of the solution?
I haven't run into very many issues with stability. HA is the only weak point that I've seen. In the past, a lot of the HA upgrades had to be done separately. Recently, I had an HA upgrade that failed during the process, and we had to restore from a backup.
What do I think about the scalability of the solution?
This solution is extremely scalable. I've seen customers with multiple hundreds of firewalls and there are no issues. The specs that they post on their Knowledge Base are pretty accurate as far as performance goes.
How are customer service and technical support?
Technical support for this solution is very good. Every time I run into an issue that I can't resolve with a customer, I reach out. There has not been one that was not resolved.
Which solution did I use previously and why did I switch?
Clients typically choose Tufin for a feature that it supports which other solutions don't have: a certain firewall or perhaps provisionings on a certain firewall. Tufin tends to release new versions very quickly with changes that are high-value. Also, as mentioned, the SecureChange workflow solution is very flexible.
How was the initial setup?
The initial setup is pretty straightforward, as all you need to install it are IPs and credentials for your firewalls. However, once you go beyond that, the effort you put in is what you get out. In terms of creating zones and Unified Security Policy, those are things that you work on for years.
What about the implementation team?
We handle the installation and configuration of this solution for our clients.
Which other solutions did I evaluate?
There are certainly clients that consider FireMon and AlgoSec.
What other advice do I have?
The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation.
The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic.
This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows.
The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product.
I would rate this product a nine out of ten. There is a lot that can be sped up in Tufin if you have someone to help you through it.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Principal Mbr. Tech. Staff at a comms service provider with 10,001+ employees
They give us one vendor for both TOS operating system and TSS application. I'd like to add third party RPMs to expand system functionality that's retained across updates.
What is most valuable?
Functioning monitors (not just marketing hype) for most types of firewalls and firewall managers, overall stability, scalability (could be better, but still the best on the market), and the ease of performing OS and software updates.
How has it helped my organization?
Having one vendor for both TOS operating system and TSS application makes it much easier to form relationships with Tufin sales, engineering and support, and improves product maintenance.
What needs improvement?
They should include a way for customers to add third party RPMs to expand system functionality that's retained across updates. A single central (master) database does not scale well past 1000 firewalls.
Also, it needs to expose a remote collector for central message (queues) metrics, monitor Java, Tomcat, web and database performance, to provide better intra-application data monitoring and alerting capabilities.
For how long have I used the solution?
I've used it for seven years.
What was my experience with deployment of the solution?
TufinOS 2.10 has been the easiest OS release to install to date. I haven't had the system running TSS R15-3 long enough yet to know if REST API improvements are usable.
What do I think about the stability of the solution?
None, so far with TufinOS 2.10 or SecureTrack R15-3. Postgres database (v9.0) should probably be updated to a newer version for improved performance and stability enhancements.
What do I think about the scalability of the solution?
The SecureTrack R15-3 central-database shows significant performance strain, handling policy revisions, and rule/object usage updates from our 1600+ base of firewall devices. However, it continues to function, albeit slowly, day-in and day-out.
How are customer service and technical support?
Customer Service:
USA support M-F has been very good, and with pre-arrangement, weekend assistance is also available. Over the years, US Tufin support has had to escalate distributed application (remote-center db) performance problems to their Israeli R&D and developer teams for remediation. When this happens, mean time to repair can be measured in weeks instead of hours.
Technical Support:
Very good technical expertise from the US support staff, and exceptional technical expertise from the Israeli R&D people.
Which solution did I use previously and why did I switch?
I have looked at other vendors, but we have been a Tufin customer since 2008, and have benefited from the maturity of their TOS and TSS products.
How was the initial setup?
Upgrading from TOS 1.x to 2.x is a bit painful; the process requires wiping the system clean and reinstalling OS and applications, and then recovering data from a backup. But overall, the appliance approach that Tufin has taken greatly simplifies upgrades and patching.
What about the implementation team?
Since 2008, we have purchased products through a Value Added Reseller. Our VAR intercedes for us on annual maintenance (support and update) calculations, and helps with unexpected contractual problems.
What was our ROI?
We have not calculated ROI, because we are always changing how we use the TSS application to obtain security information.
What's my experience with pricing, setup cost, and licensing?
We have not performed a cost analysis on other similar products, but I'm confident that Tufin does and remains cost comparable.
Which other solutions did I evaluate?
In 2008-9, the choices were thin (Tufin, FireMon or AlgoSec); of those only Tufin offered the promise of an appliance based system that would scale large enough to warehouse data for reports and analysis from many hundreds of firewalls installed across the US.
What other advice do I have?
Tufin is still growing and adding new features to its TSS applications suite. I don't believe your company would make the wrong choice if the products meet your company's requirements. Their latest product offerings of TOS run on virtual machines, and their near-future promise of a distributed central database (scalability improvements) should not be overlooked.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Updated: November 2024