Senior Network Engineer at a financial services firm with 10,001+ employees
Helps with auditing by proving what changes were done, when, and by whom
Pros and Cons
- "The best feature for me is being able to look up objects within all of our policies, because we have a little over 12,000 rules and over 30,000 objects. When one person says, 'Hey, where's my server?' I can just go to Tufin and say, 'Hey, where is that server?' and very quickly it tells you where it is, what policy it's on. That is a life saver."
- "For me, there are two things that can make Tufin a bit better... [It needs] a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it."
What is our primary use case?
We use it for rule re-certification and rule review. Twice a week, we use the Tufin report to see what changes or adds were done to the policies. Finally, we also use it for rule automation. We have it integrated with ServiceNow for rule requests.
How has it helped my organization?
It has improved our organization through the beginning of automation. It has also helped in terms of auditing. Tufin is a convenient way for us to show and prove what changes were done, when they were done, and by whom they were done.
Tufin also helps ensure that security policies are followed across our entire hybrid network. We use the USP, Universal Security Profile, which is governed by our cyber team. That team sets up the parameters and then, through the automation, when a request comes in, the first thing it does is check if it meets or violates. If it violates, it sends it right back to the requester. Another way we do it is that when somebody puts a request in, it goes through the USP. Then the cyber team combs through it to make sure that whatever service they're asking for can happen. For example, if someone wants Dev going to the internet, of course that's not going to happen. They'll filter all that out before it comes to us. Once it comes to us, we'll implement it, and then we comb through all the reports and make sure that nobody missed anything.
It also helps expedite changes.
What is most valuable?
The reports are very valuable. In terms of cleaning up firewall policies, we use Tufin to gather information in the reports. However, we don't automate Tufin to do the work. It's still done by a firewall engineer.
But the best feature for me is being able to look up objects within all of our policies, because we have a little over 12,000 rules and over 30,000 objects. When one person says, "Hey, where's my server?" I can just go to Tufin and say, "Hey, where is that server?" and very quickly it tells me where it is, what policy it's on. That is a life saver. Without that, I'd be a janitor.
The visibility it provides is also very good.
The change workload process is flexible and customizable. For example, we have it working with ServiceNow. When somebody requests to have a rule in place or requests a firewall, they will first go to ServiceNow and put all their information in. ServiceNow then sends that over to Tufin and Tufin does its magic - verifies the USPs and does the design. That part is simplified. However, there are little mechanics in between that could be a lot better.
We use the solution to automatically check if a change request would violate any security policies or rules. Our cyber team is on it as well. We comb through all the changes done for that rule and verify. Before we do a push, we verify that there was no compromise to our security posture.
What needs improvement?
For me, there are two things that can make Tufin a bit better. This could be something on my end that I don't understand or maybe it can already be done and I don't know, but the two things that I am hoping to get out of this couple of days here at Tufinnovate 2019 are: have a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it.
In my industry, the banking industry, we're heavily regulated. Auditors are everywhere and they want everything accounted for. When I do a rule re-certification, I have to justify why that rule is still there, who is using the rule, what's going on. Or if it hasn't been used, I want to get rid of it. But I don't want the onus to be on the firewall team. I want that onus to be on the person who requested the rule. I'm trying to figure out a way that I can have Tufin say, "Hey, look, John or Joan, your rules haven't been used in a year," or "Do you still require these rules or these servers?" and it would give them buttons to click, either "yes" or "no".
If they hit "no," Tufin would say, "Thanks very much," and disable them for 30 days, in case they made a mistake, and after 30 days, it would remove them. That type of automation would save us so much time. Right now, there are three people doing that job.
As an example with rules, when I look at a rule it will tell me how many days it was hit, when the last hit was, when it was last modified, but I can't get a creation date. What date was it created? It must know when it was created because it created an OUI for the rule. I asked support and they said, "Well, go here, go there, do this, spin your head and tap three times, and if you're lucky..." And I'm thinking, "Can you not just tell me the date it was created?" Then I could filter on those as well. Right now, I can't filter on rules that are over five years old, for example. Even when they're in use, I still want to see old rules. Maybe they've got old services that shouldn't be working anymore.
I would also like to see better logging.
SecureChange could be a bit better, at least with integration with ServiceNow or some of the other ticketing tools.
Buyer's Guide
Tufin Orchestration Suite
November 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,660 professionals have used our research since 2012.
What do I think about the scalability of the solution?
The scalability is amazing. We have it in two data centers. We have full redundancy with it. I have no qualms about its scalability, whatsoever.
How are customer service and support?
Technical support has been very good. I've dealt with Professional Services and I dealt with a programmer when we did our ServiceNow with Tufin. They were really good; two of the best guys. Top-notch. My Professional Services guy is awesome. He's my go-to guy. The other gentleman, whose name is Neil, was really good. He was very kind, very accommodating, top-notch.
Which solution did I use previously and why did I switch?
The switch to Tufin was done before I got to this company, but if I had to guess, I imagine somebody tried to jump out of the window or thought, "I'm going to go nuts if I have to look up one object in a pool of 30,000 and 8,000 rules." It's over 80 firewalls.
How was the initial setup?
The initial setup was complex because we had to integrate with ServiceNow. That's what made it complex. Tufin would say, "Hey, we can do this," and ServiceNow would say, "Yeah, we can't do that." Or ServiceNow would say, "We do it this way," and Tufin would reply, "Yeah, that's not going to happen."
If it was just a stand-up and write some custom workflows, that would have been a lot easier.
What about the implementation team?
We had a vendor or reseller with us, but they didn't have much experience with the size of network we have, so they were more listening in and trying to get experience while things were going on. I'm okay with that. At the end of the day, it was the Tufin guys who actually brought it all together.
What was our ROI?
If we look at the cost of a firewall engineer and the time saved as return on investment, we have seen a return. If we didn't have Tufin at all and the work that I'm doing now had to be done manually, those hours are about a four-to-one ratio. So that is a return on investment.
What's my experience with pricing, setup cost, and licensing?
The cost is too much. For us it's around $40,000.
What other advice do I have?
I've already recommended Tufin to other people, absolutely. There was another company that has Check Point, I'd meet with them at Check Point expos and we'd talk. I would tell them I'm doing the rule re-cert with the bank and tell them, "Get Tufin." The first thing you want to do is get SecureTrack. Get it set up, get it working. Then you can grow from there. If you don't know what's going on with all the policies, you're blowing your brains out. I always recommend Tufin.
We're working on getting the solution to help us meet our compliance mandates. That's one of my projects, starting this year.
In my opinion, the solution’s cloud-native security features are good. I just don't have anything to compare them to. I can't say I have worked with AlgoSec or FireMon so I can't compare Tufin and say, "Oh, you guys are much better than that guy." Tufin is the only product I've worked with in policy management.
Tufin is better than the way we're using it. I firmly believe that we're not using it to its full capability. It's like having a Ferrari in the garage but using it to go get groceries. Someone might look at it and say, "Oh my God, we could be on the Autobahn, flying." And I say, "Yeah, I know, but I need groceries." I don't think we're using it to its full potential. However, from what I'm seeing now, and in future developments based on this conference, it's going in the right direction.
I would rate it at eight out of ten. We are strictly a Check Point shop for firewalls. We don't have other vendors. I can see where, if I had Palo Altos and Fortinets and Ciscos, Tufin would be a godsend. I wouldn't have to go combing through every vendor. Whereas for us, it's already together. That may be why I don't rate higher.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager - Network-& Systems-Management at a computer software company with 201-500 employees
Issue-free and straightforward to set up but is missing some features
Pros and Cons
- "It is very stable."
- "There are some missing features we'd like to see them add in the future."
What is our primary use case?
We are just using the solution as a tool for network migration management, primarily on the firewall side and inside, and to ensure we have some central view.
What is most valuable?
We discuss the solutions every year in terms of budgeting and the team has convinced me that it's necessary to spend this money on this solution. It provides value.
The initial setup is very straightforward.
It is very stable.
What needs improvement?
We haven't really had issues with the product.
There are some missing features we'd like to see them add in the future.
For how long have I used the solution?
We've been using the solution for four years.
What do I think about the stability of the solution?
The solution is stable. It doesn't have bugs or glitches. It doesn't crash or freeze. It is reliable.
What do I think about the scalability of the solution?
I can't speak to the scalability. I'm not sure if it will scale.
We only have eight people using the product right now. They are just engineers.
How are customer service and support?
I've never been in touch with technical support.
Which solution did I use previously and why did I switch?
I've also used Cisco Defense Orchestrator.
How was the initial setup?
The setup is straightforward. We have a very small and streamlined setup since we use it just for specific use cases. It isn't hard for us to get it up and running.
The deployment only takes a few days. It can take anywhere from a few days to up to two weeks, however, never more than that.
The maintenance is very minimal. We need less than one person to handle it.
What about the implementation team?
We handled the setup in-house. We did not need to get any help from integrators or consultants.
What was our ROI?
It's really difficult to really have KPIs which show return on investment on such tools. While there is a return on investment, it's not quantified.
What's my experience with pricing, setup cost, and licensing?
I can't speak to the exact cost of the licensing. The pricing is somewhere in the middle. It's quite normal and not overly costly. I'd rate it a three out of five in terms of affordability. There are no extra costs involved.
What other advice do I have?
We are customers and end-users.
I'm not sure which version of the solution we're using.
I do not work directly with the solution.
I'd rate the solution a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Information Security Engineer at a healthcare company with 10,001+ employees
Provides clarity around auditing but is a little behind on some of their support for the Palo Alto firewall platform
Pros and Cons
- "The clarity around the auditing provides the most value for us."
- "They are a little bit behind on some of their support for the Palo Alto firewall platform. I'd like to see that catch up, specifically around importing certain objects."
What is our primary use case?
There are five people using this solution in my company. I manage the team that utilizes Tufin. I have had experience with the demos that my team has given me in relation to the auditing of our Palo Alto platform.
I'm a consumer of reports. The reports are clear as long as they're set up correctly. I'm able to see auditing changes, and changes in our firewall platform more clearly than with the native tools. It seems relatively useful. It can also provide guidance on different configurations that we have.
The solution is on-premise.
What is most valuable?
The clarity around the auditing provides the most value for us.
What needs improvement?
They are a little bit behind on some of their support for the Palo Alto firewall platform. I'd like to see that catch up, specifically around importing certain objects.
What do I think about the stability of the solution?
From the Palo Alto platform, I remember hearing that Tufin required an update, so that would've been the only flash issue.
How are customer service and support?
Their customer support is responsive.
What's my experience with pricing, setup cost, and licensing?
The pricing is reasonable.
What other advice do I have?
I would rate this solution 7 out of 10.
My advice is to look at what is currently supported in whatever security technology you have because some of the features may already be covered. However, if you identify a gap in what you currently have, specifically around auditing, then I would definitely suggest looking at Tufin.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior IP Network Defense at a comms service provider with 10,001+ employees
Offers good recommendations on how to improve security but its support is lacking
Pros and Cons
- "The features I have found most valuable are its capability to check on the firewall and the routers. Afterwards it checks out all the configs, checks the vulnerabilities, checks the risks - it checks everything that may end up causing our router to be compromised. At the end it recommends what we should do."
- "The two main negative points with Tufin Orca are the absence of full support and that accommodation of files and tools is not provided in a good way."
What is our primary use case?
I'm using the Fortinet firewalls, so I need the firewall manager tool to manage those files, together with the FortiManager. The Tufin guys provided a solution for our data center where we have a box server, which was specifically developed for Tufin. It would run the scan on the network, get to the firewall, or go to the router, run the scan and give me the compliance, and then send it to me. Then I get a report from there.
What is most valuable?
The features I have found most valuable are its capability to check on the firewall and the routers. Afterward, it checks out all the configs, checks the vulnerabilities, checks the risks - it checks everything that may end up causing our router to be compromised. In the end, it recommends what we should do.
Then, if we apply the recommendations, it will scan again and give us a percentage. Sometimes we find out at first that we didn't meet the compliance, getting a 46% maybe. Then, after I apply the recommendations, after discussing with my team, and approving the recommendations, it is all remedied. After that, it goes to 80-something percent. And that is what we are looking for.
What needs improvement?
One area in which I need it to improve is that I need it to accommodate all the files and all the tools. For example, when I buy the firewall management tool, I want it to manage the firewall of every firewall I use across my organization. If I'm going to depend on only one vendor, and it looks like a vendor or a catered tool, it can't help on any vendor to scan the technology and give the auditing compliance. This is something they can improve from their side.
The second thing I need is that if Tufin comes and deploys their solutions on my premises, I would like to have full support from them. Unfortunately, I didn't have their full support. So what worried me is that whenever the box is no longer working, then I'm no longer going to be able to see my compliance. I know I'm not going to charge whoever is not complying on my premises.
To sum up, the two main negative points with Tufin Orca are the absence of full support and that accommodation of files and tools is not provided in a good way.
Additionally, what Tufin should include in the next release is the ability to see the logical bullet points. In my case, I wanted to see the physical report because when things tripped and went wrong we needed to start fixing it on the physical side. So I would like to have the physical tool policy before we can have the looks side.
But on the looks side it was very good. We need to filter up to it regarding the beneficiaries in the policies. So it was very good on that side of the data, but when I'm using it as a firewall manager, and then find the firewall is down, I need to see it on the Tufin. Also, I need the capability for Tufin to start alerting me whenever there is a change on the firewall.
I can say that we didn't know about that function on Tufin and when we try to communicate with the Tufin guys, they are not able to assist us on that. So we end up having someone go to our firewall and start to make a change, and we end up not having the right thing and not being able to manage our firewall accordingly. The main point of using the same tool as a firewall manager is to have the daily health check of the box.
For how long have I used the solution?
I have used Tufin for the last two years and then I left it when Skybox was introduced to me. Unfortunately, I didn't have the capacity to use Skybox because I didn't have the skills on my team, so I decided to leave it. But I am looking forward to getting the new tool which will help me to do what I need.
How was the initial setup?
The initial setup was very complex. What worried us at first was that we didn't know how to integrate it with the network. We had to call the Tufin guys to help with that and they physically brought it to us for the integration to the network. So that was challenging.
When you ship the product to our country, to my organization, it is quite expensive. It's not cost-effective. It's quite expensive because we end up paying extra for accommodation, the transport, everything for that person to come and assist us on the integration to the network.
Generally, you need to pay for everything - for the support and the implementation with the integrator.
We can also add this to the areas for the improvement, that implementation is difficult and it would be great if they could simplify the way the person can implement the products.
What other advice do I have?
On a scale of one to ten, I would give Tufin Orca a five. I would recommend it only if the organization has the skills and enough requirements so that they are able to run it. It is a very good tool when you use it because it basically gives you what you want. It is just hard in terms of support, patching, and upgrading. Overall, it's challenging if you don't have the skills or resources.
This product will work for those organizations that have the knowledge of how to install the solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Network Security Analyst at an energy/utilities company with 10,001+ employees
Helps us review our firewalls and firewall policies for issues, but we would like the user interface to be redesigned
Pros and Cons
- "The most valuable features are role and objects usage for individual objects and app usage."
- "We use Tufin to clean up our firewall policies. This makes it a lot easier to find out the things that are wrong."
- "A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet."
- "Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one."
What is our primary use case?
The primary use case is role recertification.
We are trying to get into it for compliance, but we are having issues with that.
This solution helps us ensure that security policy is followed across our entire hybrid network.
How has it helped my organization?
We actually review our firewalls now. Before we started using Tufin, our firewalls never got reviewed and we had no idea what was on them.
We use Tufin to clean up our firewall policies. This makes it a lot easier to find out the things that are wrong.
It removes things which shouldn't be there. It has helped with that. Things that don't get used anymore and nobody tells us that they have been retired, it helps us identify those items. Then, once we get the compliance piece going, it'll help us make sure nothing violates policies.
What is most valuable?
The most valuable features are role and objects usage for individual objects and app usage.
What needs improvement?
If we could get the compliance part working, that would help out a lot.
Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one.
A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet.
The user interface needs to be redesigned because things are not where you would expect them to be.
What do I think about the stability of the solution?
Stability is sometimes good, and sometimes not so good.
There is an issue with all of our Palo Alto devices, where if one gets disconnected in Panorama, they all show as disconnected or with errors or wrong arguments, which is very generic. They are supposed to have a fix for it now, but we haven't implemented it yet, because they are not releasing it until the eleventh of this month.
What do I think about the scalability of the solution?
We haven't had any issues with scalability yet. We can scale as much as we need to.
How are customer service and technical support?
The technical support is good. The guy with whom we have been working the most lately has been pretty on top of everything. We had a couple people in the past who were a little iffy, but we haven't had to talk with them in a long time. I don't know if they're still there.
What's my experience with pricing, setup cost, and licensing?
Our licensing costs are pretty low. We were grandfathered in, so we are at about $35,000 per year.
What other advice do I have?
Test every feature. Make sure the third party vendors that they implement into it function properly with it. We have had issues with our Palo Alto connections.
We just started a PoC on the change workflow process of the solution.
We are just now moving stuff to the cloud.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Specialist at Cigna
Allows non-technical people to keep track of firewall rules, but the API needs to be improved
Pros and Cons
- "Tufin is the only multi-vendor firewall tool that is available, and it helps to bring everything together and report on what all of the rules are."
- "I would like to see API access into every aspect of Tufin."
What is our primary use case?
My company primarily uses this solution for reporting and enforcing policy. My role has to do with developing applications to allow integration with our other tools.
How has it helped my organization?
When I was using Tufin for analysis, there was a tool that would tell me which rules could be consolidated. It was amazing and helped me to clean up the firewall policies.
We use this solution to automatically check to see if change requests will violate any security policy rules, but I do not have any specific details or examples.
Tufin is the only multi-vendor firewall tool that is available, and it helps to bring everything together and report on what all of the rules are.
This solution helps to ensure that security policy is followed across the network because it is the main tool that non-technical security people use to keep track of firewall rules. Without it, they wouldn't even know where to begin.
What is most valuable?
In my current role, the most valuable features are the API and the accessing. In my previous job, the analysis was my favorite.
What needs improvement?
I would like to see API access into every aspect of Tufin. For example, every feature and everything that's in the database, I would like to have programmatic access to. This would give me the ability to do anything that the product can do but from a script. This way, we are not beholden to the GUI in any way. If an operation requires that somebody click somewhere into the interface, manually, especially if it's just part of many other things that they have to do, then we want to fully automate that.
Some of the manual processes are taking longer because, without the proper API access, there are a lot of tickets coming in. These are from people who need to perform a task, but only a handful of them have access to it. This is because we're too afraid to give access to all of the people who actually need it.
What do I think about the stability of the solution?
In every instance that I've ever worked with it, it was stable.
How are customer service and technical support?
I have not dealt with technical support.
What about the implementation team?
In my previous company, I handled the deployment of this solution myself.
What's my experience with pricing, setup cost, and licensing?
Turning on certain options in the solution comes at an additional cost.
What other advice do I have?
My advice for anybody who is researching this solution is that if they are a larger company with a lot of money to spend, and they have a heterogeneous network with more than three different firewall vendors, then they absolutely need it. There is no competitor or really anybody who is even close.
For what this product does, it does well. There are, however, things that are missing.
Overall, I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
A flexible and customizable solution that reduces dependency on contractors
Pros and Cons
- "This solution has helped our clients because it allows them to leverage the tools so that they can actually reduce their overall expenses for the environment."
- "We would like to see more in terms of integration with other application types within the context, such as next-generation firewalls or next-generation threat devices that are out there."
What is our primary use case?
We are a reseller and solution provider. We have this product running in our lab, and what differentiates us is that we are able to take our client's use cases and execute them in our environment.
How has it helped my organization?
This solution has helped our clients because it allows them to leverage the tools so that they can actually reduce their overall expenses for the environment. The push is operational, and they've been able to eliminate a number of contractors, thus saving quite a bit of money by using the automation capabilities of Orchestration.
What is most valuable?
The full Orchestration Suite is what we've been primarily driving because many of our customers want to move into automation, or at least some aspects of it.
The audit portion of this solution has made a really big difference for us. Also, the flexibility of change has allowed us to really drive the product into the marketplace for a large clientele.
This solution provides great visibility, for both our customers from a primary firewall perspective, as well as for the other solutions that they tie into. For example, it gives us an ability to view what’s going on with full plant environments in various parts of the world.
The change workflow process is extremely customizable. We really like it from the standpoint that we can push it from department to department for approvals. It’s not contained within a single solution set, but rather, it moves across the silos of an organization for the approval process.
This solution has helped our clients to meet compliance mandates across the globe, including, for example, GDPR and SOX requirements.
What needs improvement?
We would like to see more in terms of integration with other application types within the context, such as next-generation firewalls or next-generation threat devices that are out there. It's not just about firewalls anymore. A lot of convergence is happening at that enforcement point, so we'd like to see a little bit more attention on that. Examples would be integration with IPS, Application Control, Anti-Bot, and Anti-Malware.
For how long have I used the solution?
Almost nine years.
What do I think about the stability of the solution?
We have found that this solution is quite stable. We do have some RFPs in to increase performance capabilities, but from our perspective, it's quite stable. If this were not true then our largest companies would not be buying the product.
What do I think about the scalability of the solution?
This solution is extremely scalable, globally across thousands of firewalls, switches, and proxy devices. We look for scalability in a product. We have a small portfolio of solution providers, Tufin being one of them, and we choose them based on their scalability. There are other factors, but scalability is critical for us.
How are customer service and technical support?
Technical support for this solution is good. We don't really use it too much because of our strong engineering team, but it's always been very responsive. We are sending two more engineers to the Cleveland area office next month.
Which solution did I use previously and why did I switch?
We chose this solution a long time ago. We've been a partner for almost nine years. Because they spun off and many of the individuals who were part of the envelopment of products within the security space, like Ruby, came out of the Check Point environment. We're a very, very strong Check Point enterprise player, so we feel that anybody who understands product development and product distribution across large environments has to be a key for us.
We really weren't interested in products from other resellers, or we weren't interested in products from auditors. We were interested in products from people who knew how to develop products for the marketplace. So that's been a key for us. The other piece is the ability to scale, and then finally, the ability to automate with that scalability. We just don't find others as scalable as Tufin is.
How was the initial setup?
The initial setup of this solution is straightforward. Obviously, with its flexibility, you really have to know what you're doing. In order to be able to leverage the product, it requires some expertise.
What was our ROI?
ROI is a little bit hard to measure in the security space, so our focus is on reducing TCO. For example, one of our clients was able to eliminate fifteen contractors that they had on an annual basis. This was a cost savings of $1,200,000 USD for the first year. Ultimately, we want to reduce TCO as much as possible.
What's my experience with pricing, setup cost, and licensing?
Licensing is available in both perpetual and subscription models, and it appears to be good for our scalable environments. We have also needed to work with what we call small enforcement point pricing, which we'll probably get more into as people expand.
What other advice do I have?
We do not yet have a great deal of experience with the cloud side of this solution. However, we're actually moving into our first contract around that and we'll be digging in deep. We find it, at least from our lab environment, highly successful, whether it's AWS or Azure, and we're looking at the Kubernetes side of things as well. So far, so good, from a lab perspective, but we will be rolling out our first, into a full Cloud environment for one of our global clientele.
For our clientele, this solution has, without question, saved them time when it comes to making changes. The whole idea is to be able to initiate a change and have it proliferate across thousands of devices. It's critical. So, just in that alone, we can save six months' worth of man-hours just in making a single change for some of the environments that we work with.
Tufin is really a leader in the space for taking manual processes and eliminating them as much as possible.
My advice to anybody researching this or a similar solution is to look for longevity in the field. Also, look for product development expertise and a legacy of that. Finally, look for scalability, stability, and growth within the marketplace across device sets.
I would rate this solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Lead - Security Architecture at a retailer with 10,001+ employees
The value for me is the ease of implementation. We also like the UI and scalability.
What is most valuable?
The biggest value for me is the ease of implementation. I'm newer to the company, only been there a year, but the fact that I could win and recommend this product within six hours of getting the license installed shows that there's immediate ROI to my CSO.
How has it helped my organization?
I've been trying to clean up the firewall policies that I inherited from different iterations across topology changes -- from Cisco to Juniper to where we are now -- that have never been cleaned up. We're not publicly traded, so there's not a mandate to do so. When I worked in the energy sector, though, there were such mandates, but we weren't properly staffed.
Our current firewall policies never had a full, comprehensive risk rating of every rule, but we have that now. I've implemented different zones for setup so that we're able to get reporting immediately for our PCI environment. We know whether or not we're in compliance. If not, we can fix it immediately without waiting for an outside auditor. We can be proactive.
What needs improvement?
I'd like to see more work done on the topology side. Although the tool has gotten progressively better, topology still needs work. If it could be improved, that would really make the tool much more powerful. You can then have non-firewall people using it for troubleshooting.
For how long have I used the solution?
I've used it now with various companies for over 10 years.
What was my experience with deployment of the solution?
We've had no issues with deployment.
What do I think about the stability of the solution?
It's never failed or completely gone down. It's one of those set-it-and-forget-it tools.
What do I think about the scalability of the solution?
I'm very impressed with the scalability. Previously, we used appliances sitting on our network. This time, we went with a VM and our technical rep said we could put up to 80 licenses on it. That's way more scalability than I anticipated.
How are customer service and technical support?
Customer Service:
Customer service is very good. I haven't worked with them much other than for the license, but they're very responsive.
Technical Support:
Technical support is excellent. They're good at answering questions, very helpful, and responsive.
Which solution did I use previously and why did I switch?
I've also used FireMon. We liked the Tufin UI better.
How was the initial setup?
The initial setup was very straightforward. Our VM team installed the image for me and then I installed the license. From start to finish, it took about 24 hours, and most of that was paperwork.
What about the implementation team?
In-House
What was our ROI?
I was able to create initial tuning reports within an hour of populating the system with my firewalls. Within one week, I was able to create my PCI zones and configure automated reports for compliance.
Which other solutions did I evaluate?
We looked at FireMon, which is an excellent product, but for me it came down to getting everything stood up and running within a minimum amount of time. I needed it to look really good because I was putting my name on it. Plus, my manager loves the web UI over the FireMon UI, which for him was the key.
What other advice do I have?
You're going to be really shocked with the first couple of reports that show stuff about which you had no idea. Let it go and get buy-in from as many other groups as you can. If security and network are separate, get network involved to access devices that will provide a clear picture of everything, especially of topology. Build those bridges ahead of time and present it more as a collaborative tool and not an "I'm watching you" tool.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Updated: November 2024