Tufin Orchestration Suite Reviews

We use two main modules. We really appreciate the change manager. It's one of the most valuable aspects of the solution.

The technical support is pretty good.

We need the solution to have full compliance with IPV6. 

We also use VMware features and we need the solution to be fully integrated. We used to make micro-segmentation. We'd like to be able to do this again, and for that to happen, we need more integration.

The pricing of the solution is rather expensive. 

It needs to be more comprehensive. There are also some drawbacks in trying to import a policy matrix inside. If some people design a policy matrix in the file, in an Excel file, the problem is that we will have to work a bit to interact with it properly. Something more economical needs to be in place to deal with the policy matrix.

We have a small team working with Tufin. That said, even though the team is not a big team, we have a lot for it to do. Tufin now is our policy manager for the private cloud. It's the main policy manager. We also use Skybox for the legacy part.

I've dealt with technical support in the past. They are okay. They really try to work with us. I'd describe them as being helpful and responsive for the most part. We're largely satisfied with their level of service.

We also use Skybox Security Suite. We use both that and Tufin simultaneously.

The initial setup was actually handled by another team. I can't speak to the implementation process due to the fact that I did not participate in the process directly.

As an architect, the pricing seems expensive to me. For what it does, I would say it's expensive. 

I can only really compare it to Skybox, which is a solution we also use. 

If I compare it with Skybox, I see it is the best. It is better than the Skybox. However, we need it to do more. 

We are not a reseller. We are an IT enterprise. We are customers and end-users. That said, our relationship is evolving. It's becoming something like a partnership, as we need more features and are making suggestions and trying to develop it out a bit. 

I'm not sure of which version of the solution we're using. I can't recall the version number off-hand.

I'd rate the solution at a seven out of ten.

We implement Tufin for other customers and help set it up. 

I'm not the end user. I just set it up for the end user.

We are using the latest version from 2018.

We use Tufin to clean up our firewall policies. They already have the compliance policies sort of prepopulated in there to point out violations.

Most customers will go through and check the USP to see if it violated with the designer tool.

We are in the process of working with a customer right now to set up the Unified Security Policy (USP). We got all the violations from the first phase and will go through to do the mediations, then run the scan again to show the progression of the clients.

The preconfigured PCI compliance USPs are the best part for me. These make things a lot easier.

The visualizer for the Network Topology is really good. You can see all the routes throughout your entire environment.

The change workflow process is very easy to customize. You can do a workflow however you want, so you can have an approval every single step. Or, you can remove approvals on certain steps, automating some steps.

It capabilities are very good.

Sometimes, the user interface is a little cumbersome, trying to navigate between them. In the new version, it looks like they resolved those issues. 

We have had a couple issues with the VMs, but I think it was just because they were starving for resources. A recommendation on what the virtual appliances should have for resources would be appreciated.

We have done PR strategies and added Tufin appliances. It is super easy to just back up and restore to a new one. You can get a new appliance up and running in 20 minutes.

We worked with their professional support before, but we have not worked with their Professional services.

The initial setup is straightforward.

We are a reseller.

We've install it to make money.

Tufin does make the process faster for customers, depending on if they use SecureChange to automate their process. Everything is all in one then.

Licensing is on a customer by customer basis.

Try Tufin out. Make a PoC of it. That is how we sell most of our products because it works well.

Our customers do not have a hybrid network.

The primary use case is for compliance with PCI regulation for local and country regulations.

We are using the latest version of the product.

We use Tufin to clean up our firewall policies because it is so fast. A report about compliance and the clean-up process used to take about one month up before. With Tufin, it takes only one day.

Implementing roles in the firewall used to take two days, but now, it takes two hours.

The audit and policy relation reports have helped me show compliance to managers.

The product helps my cybersecurity team. Now, my cybersecurity team spends their time creating new controls for new technologies.

The workflow is the most valuable feature.

The visibility that the solution provides is amazing.

The change workflow process is flexible and customizable. I can send one request to an IT Manager and another one to a Development Manager, making them customized.

I would like to see more about the cloud in the next release. They need a large plan to deploy the cloud into the solution and a way to implement it.

The web service for integration with other solutions needs improvement.

The stability is okay.

At this moment, it is not necessary to expand the solution.

I don't really use the technical support.

We did not have a previous solution. I was looking for a solution to optimize time in security policy management. Then, I found the Tufin and contacted a reseller.

The initial setup was super easy. It was fast to implement the firewall. The Check Point was very fast.

We used a reseller for the implementation. It was the first time for the reseller to do this implementation.

It saves us a lot of time. People can devote their time to other more important tasks. 

The seller of Tufin, when I wanted the solution, was very flexible because the cost on the lease was very high in Latin America. So, he was able to reduce the cost.

We considered Algosec and Firemon, but Tufin was the best.

A powerful tool for a security team to optimize time.

The primary use case is firewall analysis.

We use SecureTrack, which is great.

The solution has helped us to meet our compliance mandates. We have to be PCI and SOX compliant. Some of these rules and systems might meet those requirements. Knowing which system can talk with which system is definitely helpful in that sense.

This solution has helped us reduce the time it takes to make changes.

Comparing the rules and policy browser is valuable to me. It gives me the ability to pull running configs and be able to analyze them without having to go directly into the firewall.

The visibility is great.

When you make changes, you have to enter the password each time for each firewall. This is sort of annoying.

They are sort of at the pilot stage on some of their products. I saw the Orca and Iris products yesterday. My initial impression of these products were that they were good products, but I felt like some of their features overlapped with SecureTrack and SecureChange, which they are already doing. So, I just wondered what direction they're going in? I understand that they are cloud products, but are these security products going to overlap each other's features at some point? This is my initial concern.

It is very stable.

It seems pretty scalable. From what I have seen in the training, you can use it on multiple firewalls. It seems like a solution which was built for very large enterprise level networks.

I haven't dealt with the technical support yet.

If you want to be able to manage your firewalls efficiently and securely, then use Tufin.

It is a pretty solid solution. As with any security solution, I think is it is growing. It seems like it is at a good point. It could still use some work, but it's growing, and that's good.

We saw in the training yesterday the changes for part of SecureTrack 2.0, which isn't out yet. Those changes, that they will be implementing, look very good from what I can see.

We use SecureChange for change management, and the SecureTrack component for reporting and the summary.

We use this solution to clean up firewall policy, although I do not personally do it very often.

The change workflow process is flexible and customizable. We have a couple of custom components, and my colleague was able to put them together in five minutes, so it seems pretty flexible to me.

The solution automatically checks to see if our change request will violate any of our security policy rules. This helps with general risk assessments, and when we transfer data between security zones over certain ports. It really benefits us, as well as the users who submit the rules, because they're not all familiar with all of the rules that are in place.

Implementing this solution has made everything faster. With the introduction of SecureChange, I think it has been easier for the average person to become a firewall rule setter.

Using this solution helps us to meet our compliance mandate. It does this by making everything quicker, which makes it easier to meet our SLAs.

This solution helps to ensure that the security policy is followed across our entire network. It leaves less wiggle room for people to venture out and make exceptions because it does the thinking for us. We follow it's recommendations, so there is less compromise.

The most valuable feature of this solution is reporting.

This solution has helped to reduce the time it takes to make changes. I don't think that we were ever slow, but we can now say that changes are completed within twenty-four hours.

I think that the interface could be cleaner, and easier to use. There are some things that I think are varied. Some of the reports, when you try pulling them out, I think that you've got to jump through too many hoops to get the results that you want to find.

I would like to have the ability to view multiple "handled by" names. Right now, it's either one, or we and the customer see nothing. I would like to clean that up because I am part of those phone calls.

I think that with respect to end-user operation, the whole-space users, the communication is lacking.

For the most part, stability is alright. It works well until we do an update and it breaks everything. But, it gets fixed, and it's good again until the next update. 

We have not tested scalability because we're set at where we are right now, although that is not to say that we won't be expanding in the future.

Technical support for this solution is really good. They are pretty quick at responding to our tickets. When the update breaks everything, they're pretty quick at sending someone to fix it and bring us back up within a couple of days.

Prior to implementing this solution, we used a home-grown, internal request process. It was very frustrating, across the board.

We used a consultant to assist with our deployment, and we had no problems.

My advice to anybody who is implementing this solution is to take the time to learn the product, in and out, right away.

I would rate this solution an eight out of ten.

We are using Tufin to generate reports on unused rules and for compliance reporting.

In our environment we have two data centers which have the same IP address for service in both. This means that in data center A, server X's IP address is the same as server X's IP address in data center B, but it's sitting in a different firewall. So we are exploring SecureChange to automate the pushing of rules in both gateways at the same time. That way we will be able to track to which firewall, in which data center, we have pushed rules.

It helps us to meet our compliance mandates because we are able to define whatever compliance we are subject to. We are a financial institution so we have to comply with PCI DSS, we have to comply with certain financial rules and regulations. We are able to do that with Tufin.

It also helps ensure that security policies are followed across our entire hybrid network. So far there have been no complaints from the auditor who is checking our firewall rules. The only exception is that, because we have so many requests in a day, some of them are not used yet by the requester. What our auditor sees is only the unused part. But we are 80 to 90 percent compliant.

Finally, I expect it will help our engineers to spend less time on manual processes, that it will cut half of the time spent looking at all the rules and validation. Currently, 70 percent of my engineers' load is looking at rule validation and requests that are not being made correctly.

We are still using only one-third of the functions that Tufin has, but SecureTrack is among the most valuable.

The most valuable function is the SecureChange where it is able to automate everything from the validation of the rules to the pushing of the rules. We are mainly using Checkpoint and Tufin together.

In addition, it's helpful that we can generate accurate and detailed rule-usage reports. That enables quick clean up.

In terms of visibility, Tufin does show all the schedules based on the usage.

Another feature I like in Tufin is that we are able to track the flow of the source and destination, passing through which level of device and which firewall. It makes our operation, our daily tasks, much easier than doing it manually for each and every request.

There is room for improvement in the speed of Tufin. It is using so many of my VM resources and yet it is still a bit slow. They need to improve how they do their database indexing. That is the main fault of Tufin right now for us. It's slow. Even though we are allocating 64 gigs of RAM, we still have to wait for a few minutes for a single report to be generated. Otherwise, it would be a perfect tool.

The stability is great. It has never gone down. The only problem is the slowness.

The stability is dependent on the devices. The part where we are having a problem now is the result of migrating to RAT which is using APIs which keep going down when our MDS has a heavy load.

In terms of scalability, the only issue is the licensing part. You have to have the correct license to go to a larger installment.

This solution is the first of its kind in our bank.

The initial setup was straightforward. I was able to deploy Tufin in a few minutes only. Integrating with devices - as we are using Checkpoint, API, Syslog - is simple.

For now, we have only installed one server, not distributed. Soon we will go for distributed, because we need to collect all the logs from all our overseas sources.

I was the only one involved in the deployment and am the only one who takes care of the maintenance and day-to-day configuration. Our firewall team will be using Tufin but they don't do the maintenance. At the moment there are about 15 users. Half of them are the firewall team and then there are a few auditors and a few people in the business unit who are monitoring the rules.

ROI is measured in engineers having time for their families and being able to have more time to do other things. It is not a specific figure, it is more a matter of how time is spent.

The current licensing scheme is quite confusing but it is clearer than the old one. If you have one MDS you just buy the MDS license and the gateway license. That's most of it.

Before this, they broke it down into VS, virtual environment, physical environment, single boxes, cluster boxes. Now the licensing part is much more straightforward. If you have ten gateways you don't need to define one as a single and another as a cluster gateway.

Pricing is quite high. We did compare it with AlgoSec but the pricing is not much different between the two.

The decision was made before I joined the organization. I don't know if they looked at competitors or not. Currently, we are looking at AlgoSec, if it can replace Tufin or compete with Tufin in terms of features.

The main differences between the two are only in the pricing and the look and feel. They both do the same thing. Both will be able to achieve our organization's targets. But in terms of look and feel, our engineers are already used to what we have. And I do prefer Tufin.

If you are looking at a large environment and a large number of policies, you really need Tufin to help you manage all the rules. We have 25 policies, and each policy has around 1,000 to 1,500 lines of rules. Managing that manually would not be easy.

We haven't started using the change impact analysis capabilities of this solution yet. We are still testing it. We are not that familiar with the process yet.

Because our team is doing cleanup every three months, we need to keep generating a report every day to have correct visibility: which rules are unused and which rules need to be removed to be optimized. We are using it quite intensively. I don't know how we can increase usage until we deploy and start using SecureChange. At that point it will be more intensive because after SecureChange everything will be automated and they will start only using and looking at the secure Tufin interface, in terms of rolling out all the requests.

We haven't seen a reduction in the time it takes to make changes yet, because we are still tweaking the SecureChange part. We will be testing it in a few months' time. We need to see integration with our ticketing system because people are making requests over HPSM and Tufin needs to be able to grab them first, before we can start to roll out SecureChange.

The visibility of the changes that are being made on the network. From a firewall perspective and router perspective, we have all our network devices in Tufin. We monitor all the changes that are made constantly. Prior to changes being made, they get approved by our IT security department, and then they're monitored after they're changed as well.

We haven't used it to push configuration yet, but we do have a third party network vendor that does our network changes for us. We immediately know if something was typed wrong or configured incorrectly. We'll get an email from Tufin, and we'll know that they typed something in wrong or incorrectly because that's the email that we receive from Tufin. A lot of times they'll transcribe things, and rules will get set in different directions. We'll know immediately when something happens.

Being the Director of Networking, that's what I'm primarily concerned about. It's to make sure that all the network changes that are being made are the correct changes, we're not opening things up to vulnerabilities that we shouldn't have, as well as making sure that we're locking down what we need to lock down.

I like what's there today. I don't use the product that heavily as much as our IT security department does. Right now the product is doing exactly everything that I want to see it done. I would like to see the ability to have the changes in the configurations pushed out more easily and managed through Tufin to eliminate that human error factor more.

We haven't run out of room with the product yet. It's very scalable. We fly to 115 different locations,we have 3 different data centers, and we monitor all our network devices, firewalls and routers through Tufin.

If you don't have a product like Tufin, get a product like Tufin because it's amazing. It gives you insight into all changes that are done within your network. It's awesome, and it gives you the ability to manage it even though we haven't rolled that piece out ourselves yet.

We use SecureTrack for troubleshooting, APG (Automatic Policy Generator), implementation of new requests, change monitoring, rule and object usage reports.

This solution provides an unified display of rules across vendors.

We use this solution e.g. for cleanup and processing of shadowed rules.

Using this solution saves us time and money. The Automatic Policy Generator saves time because we are able to identify the required policy when a client doesn't know what he needs.

We are able to perform an inventory analysis for colleagues.

The most valuable feature of this solution is APG, the Automatic Policy Generator. Further there are very good capabilities for policy browsing and reporting implemented.

I would like to see better report integration in this solution.

I would rate the stability of this solution a nine out of ten.

The scalability of this solution is ok.

The technical support team for this solution is very polite.

There was some functionality in the integration with Check Point that was initially working not in the best matter, and it was only fixed after Check Point got involved.

We did not use another solution prior to this one.

The initial setup of this solution was not complex. It was simple.

Our in-house team handled the implementation and deployment of this solution.

Tufin is expensive but it is very good.

We did evaluate other options. However, Tufin was the best one that we tried.