Tufin Orchestration Suite Reviews

We use the solution on-premises.

Policy management and the cartography of the network have been the most valuable features.

The network part of the solution could be improved, specifically the licensing model for routing devices. Customers need to get the license easily in order to have the cartography of the network and build the other solution of Tufin, such as a secure change and secure application. To do that, we need the licenses for the network devices in complex environments where customers have a lot of network devices. It is too hard to get a license for each device, so Tufin should remodel the license model for these kinds of devices.

For the license for the security devices, it's okay that Tufin has a model for physical devices and for virtual devices. For the network devices, the main reason to have a license is to get topological information, routing information, and so on. With Tufin, it's a bit hard to tag all the devices that you need to build the topology of your network. 

We have already talked to Tufin in order to simplify the license model for the routing devices because these devices are the main technology. The RN is just for routing information, not for the security and building access list, and building VPNs, and stuff.

In order to have that topological view, you need a license for each device. For that, the cost of the solution rises exponentially. Because there are a lot of routing devices for your network, in order to build the topology of your network, you have to spend a lot of money just on licenses for devices that aren't security but do routing work only.

They have to rebuild their licensing model in order to fit the needs of their customers.

For routing devices, we would like to have something related to the orchestration for the solution because we know that there is one for Tufin, but I don't know how it works, if it has to work with all the models installed, what the features are for that orchestration, and what the needs are for that model to work properly in a complex environment. 

For example, we work in complex banking environments where there are a lot of bricks to communicate with. For that, what is the information needed for the orchestration in order to have an extensive look at the topology of our network, and after that, how the orchestration is going to implement the right accesses to main privileges on security devices all around the topology of our employment.

I have been using this solution for five years.

We didn't have a lot of problems regarding the solution. It's a stable solution.

In order to have it running correctly, we had to dedicate a person to manage the solution. I work on it with Tufin and with some of our partners in the group. We have our Société Générale in the group. We have some other partners inside the group with Tufin in order to build this kind of model for the time to market objectives.

We didn't have a lot of problems concerning maintenance. We had two or three hardware problems that were solved remotely by support and for the upgrade and the OS upgrade because there are two kinds of upgrades to operate. The OSTs and the secure channel also have upgrades, which we did ourselves.

Tufin has a policy of publishing new versions of the Dell OS, so two versions a year. One is a final version, and the other one is a beta version. In a year, you get two or three updates. It's not very hard to follow the stream of changes in one year.

We didn't have to expand the solution, but management has had thoughts about expanding the solution for other environments, for other clients, and for the customers.

Technical support was present and responsive for our needs. We had some problems with the appliances. They were very quick to respond to our support tickets and to give the right solutions for the problems we had.

On a scale of one to give, I would give technical support a four.

We needed someone from Tufin in order to get it installed. It's not a straightforward process from scratch. You have to build your own network with someone from the PS, and after that, you have to give a lot of information about your network, your devices, where they are located, what is the networking scheme of your network so that the PS can implement all that. After that, they can build the model for you.

On a scale of one to five, I would rate initial setup a three.

We used engineers from Tufin for setup. They were responsive. They were experienced with the solution they sell.

There is a permanent license for devices, but it's not relative to a device itself. Once you purchase 10 licenses for virtual appliances or virtual context, you can put them into different virtual firewalls, but you can reuse these licenses for other devices if you don't need them for the old ones. 

For example, if you deploy new ones, and you don't need these licenses for the old context, you can redeploy them in another one relative to a device, like a Mac address.

The problem is that once you redeploy the license for another context, another rhythm, or another virtual appliance, you lose all the history and reports from the Syslog from the old one.

I haven't looked into the competition because we don't have the ability to choose between solutions for central management.

I would rate this solution 7 out of 10. 

The main brick in order to build your solution is the first step, which is having a good understanding of your network and good people to talk to when you want to build your topology. Once it is done, the solution runs by itself. Exporting, reporting, topology, and changes are all handled by this solution.

After the initial deployment, it is a stable solution. It can suit customer needs in complex environments.

A con is that it is very needy in terms of implementation such as small configurations. We had that problem with networking devices. We had to implement it to get all the information from all the routing devices. Even if they don't belong to our network, we had to have the information from MPLS devices on the telecom operator. Sometimes it was difficult to build the solution from scratch.

The Syslog part was a little difficult to handle. For the appliance we have right now, it handles the management, the Syslog, and all the needed modules in order to operate the solution. Sometimes, it is a little bit hard for the appliance to get straight to all the models it runs. Maybe with the new models of the appliances, it's easier for the appliances to run all the models. With the newer generations of the OS, I suppose that now it's more effective and less of a time-consuming process, but it's okay for us to upgrade after that in order to get all the new features in the new OS.

We are using it mostly for reporting, as well as NERC CIP compliance for rule documentation. The primary use case is for doing rule cleanup, knocking down overly permissive rules, and cleaning up old unused rules. Basically, we are using the reporting functionality out of SecureTrack.

We use Tufin to clean up our firewall policies. We use an automatic policy generator. This is huge for us because certain rules, especially if they're overly permissive rules, have to have an analyst go through log file after log file, which is just impossible. Versus just setting Tufin, letting it run for a couple of weeks, then going back and looking at the results. That has definitely been a big win for us.

The policy comparison reporting has been a definite big improvement for our organization. 

We've used it to give read only access to look at actual policies for different departments who might not necessarily need access to the actual firewalls. This has created some efficiencies for us because an engineering team can go in and check to see if they need to engage us for firewall rule changes without having to engage us first, because they have the direct access. 

The solution has helped us meet our compliance mandates. We use the policy browser metadata to do documentation for rule justifications. That is what we supply to our external auditors.

The most valuable features are the rule set analysis reporting that you can do. We use it day in and day out for doing rule cleanup and policy analysis.

The policy comparison reporting is one of the more basic functions that it has, but it is very critical for us. We built it into our processes that before we push any change to production, an engineer will stage actual date rule changes and policy changes. Another engineer will go in and do a comparison report of the last push policy to the last save, making sure what has been changed is what is expected to. From an operational excellence, it's huge for us. We have huge policies. All it takes is one accidental right click, delete, or backspace button, which could impact our business. So, this is something that we use almost day in and day out.

We're definitely happy with the visibility. It gives us a lot more visibility and can do a lot more reporting that just wouldn't be possible for a human to do, who might just be looking at traditional log files.

We had a discussion in the Customer Advisory Board yesterday around use of SecureChange. We would like to have an opportunity for an engineer to choose if you want to make or take the policy which has been suggested by the designer functionality, making it more human readable or less human readable (more or less granular). This would be huge for the customers who are using SecureChange. They said this was one of their issues with it, especially for anything that was going into a regulator's or auditor's hands. The more human readable, the better that it would be, and this would definitely be applicable to our industry. It sounds like they are working on this issue, or they took the feedback, but that would be a big one for us in being able to make the jump to SecureChange.

Stability has been rock solid. We were joking about that last night. There was a good amount of time where we weren't running reoccurring backups on a couple of our older appliances. They ran into no problems, whatsoever, for hardware or software for years. So, we were sort of joking, "The product's so good that we don't even have to back ours up half the time." Thus, stability has been very good for us.

Scalability is to be determined at this point for us. Right now, we have five or six isolated instances, and we're going to collapse those down to a single front-end. Then, we'll scale up to how many devices that we're monitoring. At this point, we haven't had any issues with scalability, but we haven't really pushed the appliances too hard yet. 

Making sure that you are designing or coming up with a solution and architecture which is scalable and as holistic as possible. We had some discussions yesterday with some other customers, and having the complete visibility of your entire environment rather than just a subset like we do today at our company will make or break your functionality of the product. Being as all inclusive as possible is probably critical, especially if you're looking at things like SecureChange.

The few times that we have had to engage tech support, they have been good to work with. They were pretty simple cases in both instances for us.

Our engineers are spending less time on manual processes, specifically for the reporting functionality. For doing the rule cleanup and policy analysis, it would be a nightmare to do that manually. So, it is saving our engineering teams time from not having to do manual log reviews.

We are siloed. We have separate areas of responsibility for parts of the network. The pieces of the network that our team manages, and what our Tufin instances are monitoring, is all for the data control system for anything real-time, e.g., the gas and electric control systems. Therefore, we don't have complete visibility of the entire network because we are only monitoring that subset of the network.

We don't use any workflows because we're not using SecureChange.

We haven't used the solution’s cloud-native security features.

Tufin is the product which we do our compliance under. That's one of the requirements. We also do change control tracking: who does what and the impact. 

The users have reports for best practices and clean up.

The primary use case going forward will be automation, changing the internal process by trying to eliminate human errors.

Change management tracking is important: Who does what when. We know if something happens by checking the reports and comparing. We know exactly what mistakes were made and corrections. 

In a financial organization, there are so many approval processes. At the designing levels, you can add any number of layers (for approval/decline), add qualifications, and traffic flow analysis.

Because it is a predefined customized, we can define whatever we want it to be and add the exceptions.

SecureChange makes our lives easier with automation. 

It provides a granular report, like what is there or not and what is required or not in the clean up. This makes our lives operationally easier. 

It is very easy to learn and is user friendly. The GUI is user-friendly.

I'm looking for the backup change. I want a predefined backup plan.

The stability is a pretty standard. It is working, and not like other products where it is breaking the system. It is pretty stable.

We will be using the appliance based product, which cannot be scaled as much. It is a limitation in the hardware.

The technical support is very good and helpful. We have not encountered that many issues in any one place. 

The initial setup was very straightforward because the documentation was straightforward.

We did it ourselves. Tufin support helped us with the configuration.

We are also evaluated Skybox and AlgoSec.

Tufin is meeting one of our requirments, which is why we are looking to the future with the product.

There is room for the product to grow.

The most valuable features are the ease of use and the portal. It is very easy to log in, to navigate, to produce reports and to create workflows. Creating workflows is actually one of the best features that I've seen in the product.

It also gives tremendous insight in that we now know exactly where the rules are, who they belong to, if they being used, and if we need to follow up on a yearly basis to find out if they still need access or if we removed the access because the server went down for whatever reason. Seeing that these rules are actively used helps us a lot. Before Tufin, we knew that we had issues with regards to how many firewalls we had in place. We had rules that were outdated and never being used. We started bringing visibility to that, and that's when we decided that we needed assistance on how to audit the firewall rules.

Not only is it secure to use, but also we put it out to our customers for them to submit firewall requests. We train them on how to fill out a firewall request, which then goes to us for review. There's a lot of work in detailing what changes are necessary for our firewall, but that's more of the technical side. The user side just needs to understand how they submit the request appropriately, and it took Tufin to do that.

One of the reasons we got Tufin was that pre-Tufin, our firewall had more than 1,200 rules. It was very difficult for us to understand when a rule was last used and if it still existed. With Tufin, we're able to manage and say, "Okay this rule was requested, we know who is the author, and we know who it belongs to and to what application." Understanding and visibly seeing what we can do with the firewall rules and how to audit them helps us manage it better.

I would like see the workflow process expand out to give us the ability to tie it to other APIs. I would also like it to log some of the requests that we have and have better dashboard metrics.

Tufin SecureChange, Tufin SecureTrack - we’ve used it for almost a year and a half.

There have been no stability issues whatsoever. It’s rock solid.

With regards to scalability, we are not only using this product for firewall rule management, but also for other manual workflows that we used to have but are now incorporated into Tufin to allow us to automate and actually have visibility into these manual processes. It’s now online instead of being paper copy. We haven’t had an issue with scalability and it’s been able to keep up with this transition.

Because of the training, we had less calls to technical support since we know how to manage the product. The tech support we have used went well.

A co-worker recently came to me and asked, "What do you think about Tufin and AlgoSec in comparison”? I told him that Tufin’s customization options out of the box, the value that you get from the training, and the improvements to our organization made it a no-brainer.

I would rate it a nine out of ten, since there's room for improvements, as always.

The visibility of the changes that are being made on the network. From a firewall perspective and router perspective, we have all our network devices in Tufin. We monitor all the changes that are made constantly. Prior to changes being made, they get approved by our IT security department, and then they're monitored after they're changed as well.

We haven't used it to push configuration yet, but we do have a third party network vendor that does our network changes for us. We immediately know if something was typed wrong or configured incorrectly. We'll get an email from Tufin, and we'll know that they typed something in wrong or incorrectly because that's the email that we receive from Tufin. A lot of times they'll transcribe things, and rules will get set in different directions. We'll know immediately when something happens.

Being the Director of Networking, that's what I'm primarily concerned about. It's to make sure that all the network changes that are being made are the correct changes, we're not opening things up to vulnerabilities that we shouldn't have, as well as making sure that we're locking down what we need to lock down.

I like what's there today. I don't use the product that heavily as much as our IT security department does. Right now the product is doing exactly everything that I want to see it done. I would like to see the ability to have the changes in the configurations pushed out more easily and managed through Tufin to eliminate that human error factor more.

We haven't run out of room with the product yet. It's very scalable. We fly to 115 different locations,we have 3 different data centers, and we monitor all our network devices, firewalls and routers through Tufin.

If you don't have a product like Tufin, get a product like Tufin because it's amazing. It gives you insight into all changes that are done within your network. It's awesome, and it gives you the ability to manage it even though we haven't rolled that piece out ourselves yet.

1. It's easily deployable.
2. It provides change and reporting on changes 
3. One of the features helps you clean up firewall rules, and maintain a good, clean rule set.

From an organizational standpoint, it can help improve for one by streamlining the change process, assisting and streamlining the change process for firewalls, routers and switching ACLs.

Also, it can help with compliance from an organizational standpoint, maintaining a certain level of compliance. Also, reporting - it provides reporting to auditors for the organizational level that need to provide evidence and for other auditors outside the organisation.

They could improve their support. 

They've already known about their support being kind of shaky. They can make the product more MSP ready, managed service provider ready. They can do that.

Outside of that, I can't really think of anything right now, but making it MSP ready and providing better support, I think they can definitely improve upon.

5 years.

I am impressed with the deployability. The set-up is really straight forward. I mean, I had one of my guys who has never really touched a computer before set one up.

I believe it is stable, well not every time, but 99.9% of the time.

It scales okay. They can add some scalability to it, yes, they can definitely add scalability to it.

Their pricing is too expensive, and I think they're one of the best products on the market but I think they can't get enough market share because of the pricing (the licensing). It's too expensive. They changed licensing models a couple of times I think, but I think they need to be more cognizant of the middle market, as far as licensing. 

My advice would be to do your research first on the product. Make sure it's going to cover everything you need, which it does. They have several uses for Tufin, several models as far as function like Securetracks, Securechange and the Secureapp, so you've got to do your research and someone may need all of the orchestration, the full Orchestration Suite.

I would ask you to just research it, make sure you get what you need because quite often people go to buy Tufin and they go to buy the Securetrack just the Securetrack firewall changes, that they end up getting a quote for Securechange, Secureapp, and not even know it, and they say "Oh, that's too expensive," but that's not really what they wanted, they just want the Securetracks.

I would also have them get a competitor, a demo ware competitor and compare it to Tufin just so they can see how well Tufin out-performs their competitor.

In regards to my rating of 8, if they did mark the price down, change the licensing model to include more middle market, so they can reach the middle market and get more market share, and also provided their partners, and this is going to be a big one for them, provide their partners with two-way licensing so their partners can use the product for free.

If I am partnering up with Tufin, and I've got to keep downloading demos to use it and I have to advise potential users about the Tufin product, it's just not going to work. They should give me the product for free, especially if I have sold a few deals for them, they should give me the product for free with a couple hundred licenses that I can use anywhere I want to. This should be done every year, so long as I'm a partner.

That would help increase their visibility, their market share, and bring them up from an eight to maybe a nine or so.

Tufin is used for the design proposals process.

The most valuable feature of Tufin is security auditing. We are able to check the rules and compliance of the company, for example, what is allowed or not. We are able to check the rules over different gateways and set over firewalls.

The reporting function could improve in Tufin. For our clients with companies that have strong compliance, reporting privacy data is mostly a problem. In the IT department, private data needs a function that one person can analyze it. It requires multiple people to analyze the data.

Tufin currently supports various firewall gateways, such as Checkpoint, Palo Alto, Fortinet, and Cisco. However, it would be beneficial if they expanded their support to include other security providers. For example, in Germany, government agencies often use specialized firewalling components from companies, such as Genua and Rohde & Schwarz. It would be a valuable addition for Tufin to include support for these solutions to better serve the German market.

I have been using Tufin for approximately five years.

I rate the stability of Tufin an eight out of ten.

Tufin is more suitable for enterprise companies. The benefits of the solution come when you have 10 to 50 gateways, and you have to control all the rule sets and do a revision over this installation. This is when you see the benefit of a central auditing tool, such as Tufin.

I rate the scalability of Tufin a seven out of ten.

Tufin's support is helpful. However, it can take some time to get a resolution to a problem. My colleagues have had some success with Tufin's support, but they often have to start at the first level of support and work their way up to the second or third level before they reach someone with a deeper knowledge of the issue. It would be more efficient if there was a way to reach higher-level support directly, as it can take a lot of time to get to the experts. The first two levels of support are not very helpful, as they often just ask a lot of questions without providing solutions.

I have previously used AlgoSec. However, Tufin suits my customer's use case better.

The initial setup of Tufin is simple. I receive feedback from my customers that they don't need much time to be familiar with the software.

The implementation typically can be done in one day. However, it depends on the number of gateways in the management system.

My team gives our customers an introduction to Tufin, helps with the initial configuration, and then the handover. If it is a large implementation we will use three people to assist.

Tuffin is expensive, and we have to explain to our customers the benefit for them to purchase. If we explain the benefits in the correct way they do not mind the price. We typically do costing for the customer for three to five years. We make the general total cost of ownership at the beginning of a project for our customers.

Tufin is the most useful when working with multiple gateways and different administrators who manage firewall rules. It can also be beneficial for security operations centers that are responsible for monitoring and maintaining the rule sets. This is the message we convey to our customers when recommending Tufin.

I rate Tufin an eight out of ten.

Our primary use case is trying to make sure that when firewall rules are requested, they meet our compliance. Tufin has a notion of a universal security policy, where you line up the policies and we use the solution for that. We also use it to track all of the changes. I'm the executive director of the company. 

Tufin gives us the rule, definitions and things of that sort, which is great. All the basic functions work well. 

Our compliance goes through SecureChange and they give us the rule set and then the recommendation. Ideally we'd like to press a button and create a Terraform to put into the build and deploy. We can't do that yet and there are several manual steps which can lead to errors. We'd like that to change. 

I would also like to see the ingest of flow data enhanced, so that multiple flow data can be ingested from different points on the network and be mapped out. The basics work, the issue is when you have a complex network because maybe you want flow data from the firewall and with Tufin it's only from a single source.

I've been using this solution for over two years. 

Tufin is a good company. I think most of the products in this market have difficulty working across a multi-vendor solution, and that also applies with Tufin. It works really well when you have a single vendor solution but it's just not as intuitive if you have back-to-back firewalls or you have a complex topology. For simple topologies, it works really well.

There are currently some issues with this solution but if things improve with the new version, which apparently has some enhancements, I would give them a higher rating. For now, I rate this product a seven out of 10.