Tufin Orchestration Suite Reviews

I am working in a DevOps environment. We are trying to automate firewall rules and allow Tufin to push these changes for us. Using SecureChange and SecureApp, it makes life easier for the user community and the firewall engineers by not having to manually input firewall rules. The DevOps environment allows the users to pick from a catalog and request what they need. SecureTrack gives us the audit capability of what is/was implemented.

To me, SecureTrack is the greatest thing since sliced bread, it allows you to see what is used and not used with your firewall, and gives extensive analysis in a very short period of time.

I can run SecureTrack for a week and have a great idea of what’s being used. Ideally, you want to let it run for a year, accumulate data, go over a years’ worth of data and decide what really needs to be cleaned up.

You will see in one report what is being used (IP addresses or services) and what has never been used.

Gone are the days of reviewing logs to figure out, "do I still need this rule/service?" It’s been a really great piece of software.

Probably in the ad-hoc reporting. They give you the canned reports. We do use the API calls, but it would be nicer if they could just give you a drag-and-drop function in the reporting. Pick anything out of the database and massage that data the way you want it.

Tufin has been working with us hand-in-hand lately because they do see that we are doing a lot of cloud-development work with automation. It’s in all our best interest going forward and they have responded seeing the future is in the cloud.

Personally I have been using Tufin for seven years across different companies.

No issues encountered. Strongly encourage an HA environment.

It’s holding up real good with scalability and stability. We have not run out of power on the box. They have been here on site and see what we are doing and how we are doing it. We are telling them what we need and they are doing it. They are pushing the envelope in their development side to try and meet our demands.

The level of service is excellent. I can’t overstate that. We open a lot of tickets because we are using a lot of things that a lot of people are not using in the product, which is too bad. Most people don’t understand the power this product brings to the table.

The technical support team is right on top of it. They don’t just leave you hanging. They know the guts of the product. They are able to get in and figure out what is happening and get you up and running again.

A lot of companies will put the new guy on the front lines so that they learn the product line quicker, Tufin does not do that, these guys actually know their stuff. If they don’t know they go straight to the developers. I can’t praise them high enough.

We have a great relationship. You need help and they are there. If that’s operating system support or the application, their engineers are very resourceful. Looking at their roadmap, we see great improvements coming to cover the new world of automation and cloud computing.

Bottom line they are very responsive, and very good.

It’s easy to deploy. It’s a very easy product to work with. It’s one of the easier products to implement.

In-house with Tufin on-call ready to help.

We have made a ROI. We have invested a lot of money in these products. Any company that puts in SecureTrack alone will see a very quick return on investment.

With SecureApp we are automating cloud development work, the only thing we have to do at the end of the day is go to the firewalls and click ‘install’. It will do the end to end analysis for you.

You need to approach it from a cost perspective. If you have to go through and analyze a rule base, it’s going to take you months and months and a lot of people. If you use Tufin, right off the bat, it’s collecting the information and it’s going to tell you what’s been hit or not. It will tell you how many hits on each source/destination address, and services.

It’s the Swiss army knife of tools. I’m sold on it. It’s so easy to use. We use it to its full potential. It has some great bells and whistles.

We are using Tufin to be security compliant within our organization.

This solution was a need for our organization to stay compliant and it has helped us in this way.

The most valuable feature of Tufin is rule analysis.

I have been using Tufin for approximately three years.

Tufin is stable.

The scalability of Tufin is good.

We have approximately 20 people using Tufin in my company. We have many teams using the solution, such as security, operational network, and network architecture.

We do not have plans to increase the usage of this solution.

The support I received from Tufin was responsive and helpful.

I rate the support from Tufin a four out of five.

Positive

I have previously used AlgoSec and we switched because the price was too high.

The initial setup of Tufin was complex. We had some issues with the architecture.

We did the implementation of the solution in-house.

The price of Tufin could be lower.

We have a team of three engineers that do the maintenance of the solution.

I would recommend this solution to others.

I rate Tufin a nine out of ten.

We are just using the solution as a tool for network migration management, primarily on the firewall side and inside, and to ensure we have some central view.

We discuss the solutions every year in terms of budgeting and the team has convinced me that it's necessary to spend this money on this solution. It provides value.

The initial setup is very straightforward. 

It is very stable. 

We haven't really had issues with the product.

There are some missing features we'd like to see them add in the future. 

We've been using the solution for four years. 

The solution is stable. It doesn't have bugs or glitches. It doesn't crash or freeze. It is reliable.

I can't speak to the scalability. I'm not sure if it will scale. 

We only have eight people using the product right now. They are just engineers. 

I've never been in touch with technical support. 

I've also used Cisco Defence Orchestrator.

The setup is straightforward. We have a very small and streamlined setup since we use it just for specific use cases. It isn't hard for us to get it up and running. 

The deployment only takes a few days. It can take anywhere from a few days to up to two weeks, however, never more than that.

The maintenance is very minimal. We need less than one person to handle it. 

We handled the setup in-house. We did not need to get any help from integrators or consultants. 

It's really difficult to really have KPIs which shows return on investment on such tools. While there is a return on investment, it's not quantified.

I can't speak to the exact cost of the licensing. The pricing is somewhere in the middle. It's quite normal and not overly costly. I'd rate it a three out of five in terms of affordability. There are no extra costs involved. 

We are customers and end-users. 

I'm not sure which version of the solution we're using. 

I do not work directly with the solution.

I'd rate the solution a six out of ten.

The primary use case is firewall analysis.

We use SecureTrack, which is great.

The solution has helped us to meet our compliance mandates. We have to be PCI and SOX compliant. Some of these rules and systems might meet those requirements. Knowing which system can talk with which system is definitely helpful in that sense.

This solution has helped us reduce the time it takes to make changes.

Comparing the rules and policy browser is valuable to me. It gives me the ability to pull running configs and be able to analyze them without having to go directly into the firewall.

The visibility is great.

When you make changes, you have to enter the password each time for each firewall. This is sort of annoying.

They are sort of at the pilot stage on some of their products. I saw the Orca and Iris products yesterday. My initial impression of these products were that they were good products, but I felt like some of their features overlapped with SecureTrack and SecureChange, which they are already doing. So, I just wondered what direction they're going in? I understand that they are cloud products, but are these security products going to overlap each other's features at some point? This is my initial concern.

It is very stable.

It seems pretty scalable. From what I have seen in the training, you can use it on multiple firewalls. It seems like a solution which was built for very large enterprise level networks.

I haven't dealt with the technical support yet.

If you want to be able to manage your firewalls efficiently and securely, then use Tufin.

It is a pretty solid solution. As with any security solution, I think is it is growing. It seems like it is at a good point. It could still use some work, but it's growing, and that's good.

We saw in the training yesterday the changes for part of SecureTrack 2.0, which isn't out yet. Those changes, that they will be implementing, look very good from what I can see.

The biggest value for me is the ease of implementation. I'm newer to the company, only been there a year, but the fact that I could could win and recommend this product within six hours of getting the license installed shows that there's immediate ROI to my CSO.

I've been trying to clean up the firewall policies that I inherited from different iterations across topology changes -- from Cisco to Juniper to where we are now -- that have never been cleaned up. We're not publicly traded, so there's not a mandate to do so. When I worked in the energy sector, though, there were such mandates, but we weren't properly staffed.

Our current firewall policies never had a full, comprehensive risk rating of every rule, but we have that now. I've implemented different zones for setup so that we're able to get reporting immediately for our PCI environment. We know whether or not we're in compliance. If not, we can fix it immediately without waiting for an outside auditor. We can be proactive.

I'd like to see more work done on the topology side. Although the tool has gotten progressively better, topology still needs work. If it could be improved, that would really make the tool much more powerful. You can then have non-firewall people using it for troubleshooting.

I've used it now with various companies for over 10 years.

We've had no issues with deployment.

It's never failed or completely gone down. It's one of those set-it-and-forget-it tools.

I'm very impressed with the scalability. Previously, we used appliances sitting on our network. This time, we went with a VM and our technical rep said we could put up to 80 licenses on it. That's way more scalability that I anticipated.

Customer service is very good. I haven't worked with than much other than for the license, but they're very responsive.

Technical support is excellent. They're good at answering questions, very helpful, and responsive.

I've also used FireMon. We liked the Tufin UI better.

The initial setup was very straightforward. Our VM team installed the image for me and then I installed the license. From start to finish, it took about 24 hours, and most of that was paperwork.

In-House

I was able to create initial tuning reports within an hour of populating the system with my firewalls. Within one week, I was able to create my PCI zones and configure automated reports for compliance

We looked at FireMon, which is an excellent product, but for me it came down to getting everything stood up and running within a minimum amount of time. I needed it to look really good because I was putting my name on it. Plus, my manager loves the web UI over the FireMon UI, which for him was the key.

You're going to be really shocked with the first couple of reports that show stuff about which you had no idea. Let it go and get buy-in from as many other groups as you can. If security and network are separate, get network involved to access devices that will provide a clear picture of everything, especially of topology. Build those bridges ahead of time and present it more as a collaborative tool and not a "I'm watching you" tool.

The most valuable features for us are object looking, rule documentation, and reports. We use it for cyber security as well, so risk features and violations features are huge.

Even just looking up rules before we can make changes is a lifesaver. Previously, we'd have to go to the CMS of whatever firewalls we had. So instead of having to do that, now we can go to one location and search the rules that way.

Another major thing is the topology feature for the network part. Also, the SecureChange and automation means that the checkpoints can be done automatically, and they do the provisioning throughout the process. Looking up rules and understanding how they affect your environment.

It's also quite easy to use - there's nothing hidden, it's all laid out and that is much appreciated.

From a security standpoint, we have it in place where it will notify us if an engineer inadvertently violates a high-risk rule, and it even does this if they pre-stage a rule, so before they push it we can find out.

From an auditing standpoint, because we get audited three or four times a year, our auditors have access to see exactly what's happening in each firewall, and we've had fewer issues with auditing because of it.

For us, in man hours, it saves about 70 hours a week on checking rules and implementing the changes.

For implementing the rules of SecureChange, and trying to implement it with all of the software we have on our side, change management, and workflow management, we need better integration with our existing tools that will make these changes a lot faster. We have so many things on our side that we need to integrate. We now have HP Switches, so we'd like to have those covered as well in order to monitor them.

We've used it for three years.

No issues.

We had one bug - a year or so ago - and Tufin had an update that addressed the issue. The long implementation time was on our side. No other problems.

No issues.

Both customer service and technical support have improved during the three years we've used it. They're really quick to get back to us for both customer and technical support. They get on calls with us, WebEx, anything.

We were going through a major OS upgrade. We ran into some problems on our end with four appliances. It was a weekend and we opened a case on-line. We were able to get together with someone in 30 minutes, share the screen, and they walked us through implementing a fix within an hour or less.

Even though we have a remote collector, a distributed collector, and a central server, it was pretty straightforward.

We did it internally ourselves, but with some input on architecture from Tufin's professional services.

As far as licensing goes, the good thing is that the licensing for the firewalls is great. The licensing changes for the routers has improved because we no longer have to pay for topology monitoring.

We also looked at AlgoSec and FireMon. Algosec was good, but Tufin had the edge in the automation process and the reporting was even better. So it was basically between AlgoSec and Tufin.

We use two main modules. We really appreciate the change manager. It's one of the most valuable aspects of the solution.

The technical support is pretty good.

We need the solution to have full compliance with IPV6. 

We also use VMware features and we need the solution to be fully integrated. We used to make micro-segmentation. We'd like to be able to do this again, and for that to happen, we need more integration.

The pricing of the solution is rather expensive. 

It needs to be more comprehensive. There are also some drawbacks in trying to import a policy matrix inside. If some people design a policy matrix in the file, in an Excel file, the problem is that we will have to work a bit to interact with it properly. Something more economical needs to be in place to deal with the policy matrix.

We have a small team working with Tufin. That said, even though the team is not a big team, we have a lot for it to do. Tufin now is our policy manager for the private cloud. It's the main policy manager. We also use Skybox for the legacy part.

I've dealt with technical support in the past. They are okay. They really try to work with us. I'd describe them as being helpful and responsive for the most part. We're largely satisfied with their level of service.

We also use Skybox Security Suite. We use both that and Tufin simultaneously.

The initial setup was actually handled by another team. I can't speak to the implementation process due to the fact that I did not participate in the process directly.

As an architect, the pricing seems expensive to me. For what it does, I would say it's expensive. 

I can only really compare it to Skybox, which is a solution we also use. 

If I compare it with Skybox, I see it is the best. It is better than the Skybox. However, we need it to do more. 

We are not a reseller. We are an IT enterprise. We are customers and end-users. That said, our relationship is evolving. It's becoming something like a partnership, as we need more features and are making suggestions and trying to develop it out a bit. 

I'm not sure of which version of the solution we're using. I can't recall the version number off-hand.

I'd rate the solution at a seven out of ten.

We are a solution provider and this is one of the products that we implement for our clients. We also use it ourselves.

We have this solution installed in our data center, where we have a box specifically for Tufin. It scans our network, looks at the firewalls and the routers, assesses compliance and sends me a report.

The most valuable feature is the compliance check and the recommendations that it makes. This solution will connect with the firewalls and routers to check out the vulnerabilities, risks, and anything that can lead the organization to be compromised. From there it will make recommendations about what is required in order to ensure compliance. My team discusses the recommendations and then we remedy the issues.

My worry with Tufin is that it cannot connect to Fortinet, which is what I want to do. In order for this solution to be useful, it needs to be able to manage every type of firewall that I come across in my organization. I do not want to be tied to one vendor. Integration with all types of firewalls and related tools is necessary.

When Tufin deploys solutions on-premises then they should provide full support, but this was not the case in my organization.

The implementation, including integration with other solutions, is complex and should be simplified.

I want to see the physical topology of the network in order to help with troubleshooting.

I would like Tufin to alert me whenever there is a change in the firewall.

I have used Tufin Orca for the past two years.

We do not have full support for Tufin and it was expensive to have support visit us during our deployment.

The initial setup was very complex because we needed help to integrate it with the network. Unfortunately, we needed to have an engineer come to assist us, which is why it was challenging. Getting an engineer to visit our country is quite expensive because you have to pay extra for accommodation, transport, and everything. It is not cost-effective.

This is a solution that I would recommend, but only in cases where the organization has the skills. I would rate this solution in the middle because it meets my requirements, it is a very good tool, and it immediately gives you what you want. At the same time, when it comes to the support, setting it up, and upgrading it, it is challenging if you don't have skilled resources.

I would rate this solution a five out of ten.