Tufin Orchestration Suite Reviews

We are using it mostly for reporting, as well as NERC CIP compliance for rule documentation. The primary use case is for doing rule cleanup, knocking down overly permissive rules, and cleaning up old unused rules. Basically, we are using the reporting functionality out of SecureTrack.

We use Tufin to clean up our firewall policies. We use an automatic policy generator. This is huge for us because certain rules, especially if they're overly permissive rules, have to have an analyst go through log file after log file, which is just impossible. Versus just setting Tufin, letting it run for a couple of weeks, then going back and looking at the results. That has definitely been a big win for us.

The policy comparison reporting has been a definite big improvement for our organization. 

We've used it to give read only access to look at actual policies for different departments who might not necessarily need access to the actual firewalls. This has created some efficiencies for us because an engineering team can go in and check to see if they need to engage us for firewall rule changes without having to engage us first, because they have the direct access. 

The solution has helped us meet our compliance mandates. We use the policy browser metadata to do documentation for rule justifications. That is what we supply to our external auditors.

The most valuable features are the rule set analysis reporting that you can do. We use it day in and day out for doing rule cleanup and policy analysis.

The policy comparison reporting is one of the more basic functions that it has, but it is very critical for us. We built it into our processes that before we push any change to production, an engineer will stage actual date rule changes and policy changes. Another engineer will go in and do a comparison report of the last push policy to the last save, making sure what has been changed is what is expected to. From an operational excellence, it's huge for us. We have huge policies. All it takes is one accidental right click, delete, or backspace button, which could impact our business. So, this is something that we use almost day in and day out.

We're definitely happy with the visibility. It gives us a lot more visibility and can do a lot more reporting that just wouldn't be possible for a human to do, who might just be looking at traditional log files.

We had a discussion in the Customer Advisory Board yesterday around use of SecureChange. We would like to have an opportunity for an engineer to choose if you want to make or take the policy which has been suggested by the designer functionality, making it more human readable or less human readable (more or less granular). This would be huge for the customers who are using SecureChange. They said this was one of their issues with it, especially for anything that was going into a regulator's or auditor's hands. The more human readable, the better that it would be, and this would definitely be applicable to our industry. It sounds like they are working on this issue, or they took the feedback, but that would be a big one for us in being able to make the jump to SecureChange.

Stability has been rock solid. We were joking about that last night. There was a good amount of time where we weren't running reoccurring backups on a couple of our older appliances. They ran into no problems, whatsoever, for hardware or software for years. So, we were sort of joking, "The product's so good that we don't even have to back ours up half the time." Thus, stability has been very good for us.

Scalability is to be determined at this point for us. Right now, we have five or six isolated instances, and we're going to collapse those down to a single front-end. Then, we'll scale up to how many devices that we're monitoring. At this point, we haven't had any issues with scalability, but we haven't really pushed the appliances too hard yet. 

Making sure that you are designing or coming up with a solution and architecture which is scalable and as holistic as possible. We had some discussions yesterday with some other customers, and having the complete visibility of your entire environment rather than just a subset like we do today at our company will make or break your functionality of the product. Being as all inclusive as possible is probably critical, especially if you're looking at things like SecureChange.

The few times that we have had to engage tech support, they have been good to work with. They were pretty simple cases in both instances for us.

Our engineers are spending less time on manual processes, specifically for the reporting functionality. For doing the rule cleanup and policy analysis, it would be a nightmare to do that manually. So, it is saving our engineering teams time from not having to do manual log reviews.

We are siloed. We have separate areas of responsibility for parts of the network. The pieces of the network that our team manages, and what our Tufin instances are monitoring, is all for the data control system for anything real-time, e.g., the gas and electric control systems. Therefore, we don't have complete visibility of the entire network because we are only monitoring that subset of the network.

We don't use any workflows because we're not using SecureChange.

We haven't used the solution’s cloud-native security features.

We are using SecureTrack and SecureChange to make policy changes.

For us, it's all the features that Tufin provides, including the 

• USP
• rule design
• documentation
• implementation
• auditing.

They're all important. We could not have one without the others.

In addition, it provides greater visibility, once the setup is configured correctly. It provides a real-time sense of how the policies are configured and whether there are any shadow rules. Another great thing is that it provides greater reporting based on how the rules have been set up.

There are at least two things that need improvement. One is the business workflow and the second is the integration with logging solutions.

The product is stable. Regardless of the software we are running, the current or the new one, it is stable.

The solution is scalable if we have to add more devices, more distinct resources, or also high availability. That's part of the solution. It's not like after-thought, it's there.

Tech support is very helpful. If there are any issues, we bring them to support and they get addressed immediately.

You should definitely be looking at this as in your top-two choices, before even considering any other solutions.

We are in the midst of a transition, going to a newer version. All the features which I talked about above, we want to implement them in a new production infrastructure. We are working with Tufin and Professional Services very closely, so we can enable it. There is the old way - the way we are using it - versus the way we want to. It is not there yet. 

Currently, it's not helping us meet compliance mandates, but the new way will definitely help us to meet them. In addition, once we go with the new way of doing things, the solution will ensure that security policy is followed across our entire hybrid network. At that point it will follow business practices.

The primary use case is tickets.

Tufin has made handling firewall rule request tickets more centralized and easier to manage.

We have previously use Tufin to clean up our firewall policies, but we are not doing that currently.

The workloads are the most valuable feature right now, as it stands.

We find that the change workflow process is flexible and customizable. We change our workflow several times a year.

The visibility is good for the most part, but there are limitations to it. E.g., there is a lack of certain routing/networking protocols across all the vendors that they support.

The solution is not sophisticated enough for us to automatically check if a change request will violate any security policy rules.

Tufin's cloud-native security features are lacking in support.

I would like the application to have faster response times. E.g., the dashboard may take up to two minutes to load. Or, when we do the topology seating its two and a half hours. I would like to get those times down and increase the efficiency of the product there.

I would like more support for Juniper and Junos Space. I would like more of the features which are offered for other platforms being extended to the Juniper platform.

The USP needs improvement. It is pretty much not usable right now for us. It is all IP-based. The issue with that is we may have one subnet, but we have multiple things that would go in different zones all in that same subnet. Therefore, to use the USP, we would have to bring it out in tons of /32s, and it's not usable. Whereas, it would be far better if we could just put tags associated with IPs, then do USP based on tags.

In the sense of operating, the stability is good, but in the sense of performance efficiency, it is bad.

The scalability is bad.

We did not have a previous solution that we were using. We were looking to work towards improving the whole requesting of firewall policies.

We used a reseller for the deployment. Our experience was not that great, which has more to do with how our supply chain works and why we picked them. However, I don't ever really talk to them or hear from them.

We have seen ROI from the side of operations, and we'll probably get to more of that as time goes on. However it took a while to get to that point.

The solution has helped us reduce the time it takes us to make changes by at least a day.

It did reduce the time part of engineers manually spending time on processes from the aspect of manually having to go through the network and finding the path that a request would take to know where to put the rules. We have had some issues with topology, so not all of our tickets get that advantage. Probably 40 percent of them are that way, so that's why right now it is not as big of a gain.

We did consider other solutions.

Do proper research. Look at Tufin and all of the other products.

The primary use case is role recertification.

We are trying to get into it for compliance, but we are having issues with that.

This solution helps us ensure that security policy is followed across our entire hybrid network.

We actually review our firewalls now. Before we started using Tufin, our firewalls never got reviewed and we had no idea what was on them.

We use Tufin to clean up our firewall policies. This makes it a lot easier to find out the things that are wrong.

It removes things which shouldn't be there. It has helped with that. Things that don't get used anymore and nobody tells us that they have been retired, it helps us identify those items. Then, once we get the compliance piece going, it'll help us make sure nothing violates policies.

The most valuable feature are role and objects usage for individual objects and app usage.

If we could get the compliance part working, that would help out a lot.

Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one.

A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet.

The user interface needs to be redesigned because things are not where you would expect them to be.

Stability is sometimes good, and sometimes not so good. 

There is an issue with all of our Palo Alto devices, where if one gets disconnected in Panorama, they all show as disconnected or with errors or wrong arguments, which is very generic. They are supposed to have a fix for it now, but we haven't implemented it yet, because they are not releasing it until eleventh of this month.

We haven't had any issues with scalability yet. We can scale as much as we need to.

The technical support is good. The guy with whom we have been working the most with lately has been pretty on top of everything. We had a couple people in the past who were a little iffy, but we haven't had to talk with them in a long time. I don't know if they're still there.

Our licensing costs are pretty low. We were grandfathered in, so we are at about $35,000 per year.

Test every feature. Make sure the third party vendors that they implement into it function properly with it. We have had issues with our Palo Alto connections.

We just started a PoC on the change workflow process of the solution.

We are just now moving stuff to the cloud.

The primary use case is data flow analysis.

We use Tufin to clean up our firewall policies of unused policies.

It gives our firewall administrators visibility into the total infrastructure.

The most valuable feature is troubleshooting.

I would like something that addresses security in the cloud.

The stability is bulletproof. 

It is extremely scalable. It really addresses the scale of a company's firewall footprint.

The technical support is excellent.

Our account manager and Tufin support have been a big help to us.

We were getting to the size where manual administration of firewalls did not make sense anymore.

The initial setup was straightforward, but time consuming.

This solution has helped us reduce the time it takes us to make changes. We have seen the reduction on the front end, when doing an analysis of the data flow.

We also considered AlgoSec.

I would recommend taking a look at the solution.

I use the solution daily and can see it anytime that I want. I find it invaluable in day-to-day management of firewall policy and policy changes.

This solution has sort of helped us to meet our compliance mandates.

The cloud-native security features will be more important in the future. I am just learning about them now.

I have not worked with SecureChange. I just took the SecureChange track, and from all of the exercises that we did, it seems like a very valuable tool after your firewall population reaches a certain density. If there are a certain number of firewalls, manual administration doesn't make sense anymore.

The primary use case is automation.

We are using the latest version.

We find that the change workflow process is flexible and customizable. If we want to change approvers, that is very easy. If we wanted to add a step or get rid of a step, this is easily customizable.

We are using the visibility with notifications on every firewall change and what those changes were. We have visibility to see who is making the changes, and when. This is the biggest thing because we are underutilizing the product right now.

This solution has helped us meet our compliance mandates. Everything is all auditable. Every change is tracked down to the person and time.

The auditing is a valuable feature. We can be audited, because it has the ability for approvals to be set up and to put in policies. It is all automated.

So far, the stability is good.

With scalability, we are going to run into some issues. We have been talking about converting over to actual hardware as opposed to virtual. Therefore, I don't think we are scalable at this time, especially with the updates coming. I'm told that they're going to need a lot more horsepower to push them. 

As far as scalability, it is great for adding network objects and so on.

i have not talked to technical support.

As we start to dive in, I'll be reaching out to the customer success team.

The initial setup was straightforward. We did it in three days.

We used a reseller for the deployment. They were very good.

There was one other solution that we evaluated, but it didn't stack up. Tufin was the best solution.

Everything is good right now.

Reach out to whoever does your implementation and support. Ask as many questions as you can and do research.

We haven't got to the point where we've used the solution to clean our firewall policies yet. That is the next phase.

This solution won't help us ensure that our security policy is followed across our entire hybrid network until the next stage.

We're not in the cloud.

We use SecureTrack and SecureChange to manage all of our firewalls. 

We use the latest version.

The biggest benefit for us was the time frame to complete a ticket. It went from approximately a week and a half to two weeks down to about three days.

We use it to clean up our firewall policies, which gives us better security policy and less junk on the firewalls.

Risk analysis is automatically in our policy.

The most valuable feature is automation.

The visibility of the policies are very good. It sees different things. The recordings are very good.

We use a lot of workflows and have a lot of custom things developed by Professional Services. It is very customizable.

We would like better communication on tickets, a better way to do metrics, and better communication to the customer. The biggest change that my team would like right now is communication on the process of the ticket, so the customer knows where their ticket is while their waiting.

At least in our environment, the dynamic learning of the topology needs improvement.

If you would have asked me two weeks ago, I would have said the stability was excellent. However, we had some upgrade problems. They were worked out and the support was excellent in helping us get it fixed. In general, the stability is very good.

We have a very big environment. The scalability works well.

Pretty good. They know when to escalate. We never put in easy tickets, They know to escalate quickly if they have to. We have our own technical account manager too.

We invested in SecureChange to do automated workloads. When we deployed SecureChange, part of it was to automate our workloads to have more time to do more things, like making the ticketing process shorter.

Firewall rule changes went from a week and a half to around three and a half days.

We have not recently evaluated any new solutions.

Tufin is not perfect, but it's really good.

Make sure you know your environment well. Tufin will help with knowing the firewall rules, but be well-documented before you start with your security policies.

The approval process is a lot more automated, but the implementation process didn't change.

We don't use Tufin in the cloud yet.

We don't have compliance mandates.

My company primarily uses this solution for reporting and enforcing policy. My role has to do with developing applications to allow integration with our other tools.

When I was using Tufin for analysis, there was a tool that would tell me which rules could be consolidated. It was amazing and helped me to clean up the firewall policies.

We use this solution to automatically check to see if change requests will violate any security policy rules, but I do not have any specific details or examples.

Tufin is the only multi-vendor firewall tool that is available, and it helps to bring everything together and report on what all of the rules are.

This solution helps to ensure that security policy is followed across the network because it is the main tool that non-technical security people use to keep track of firewall rules. Without it, they wouldn't even know where to begin. 

In my current role, the most valuable features are the API and the accessing. In my previous job, the analysis was my favorite.

I would like to see API access into every aspect of Tufin. For example, every feature and everything that's in the database, I would like to have programmatic access to. This would give me the ability to do anything that the product can do but from a script. This way, we are not beholden to the GUI in any way. If an operation requires that somebody click somewhere into the interface, manually, especially if it's just part of many other things that they have to do, then we want to fully automate that.

Some of the manual processes are taking longer because, without the proper API access, there are a lot of tickets coming in. These are from people who need to perform a task, but only a handful of them have access to it. This is because we're too afraid to give access to all of the people who actually need it.

In every instance that I've ever worked with it, it was stable.

I have not dealt with technical support.

In my previous company, I handled the deployment of this solution myself.

Turning on certain options in the solution comes at an additional cost.

My advice for anybody who is researching this solution is that if they are a larger company with a lot of money to spend, and they have a heterogeneous network with more than three different firewall vendors, then they absolutely need it. There is no competitor or really anybody who is even close.

For what this product does, it does well. There are, however, things that are missing.

Overall, I would rate this solution a seven out of ten.