Tufin is the most useful when working with multiple gateways and different administrators who manage firewall rules. It can also be beneficial for security operations centers that are responsible for monitoring and maintaining the rule sets. This is the message we convey to our customers when recommending Tufin. I rate Tufin an eight out of ten.
I rate this solution a ten out of ten. The solution is good, and no clients complained about it. Therefore, I recommend this solution for people seeking to use it, as they can never go wrong with it. However, for a beginner, it could be tricky to implement.
Senior Manager - Network-& Systems-Management at a computer software company with 201-500 employees
Real User
2022-09-02T15:56:04Z
Sep 2, 2022
We are customers and end-users. I'm not sure which version of the solution we're using. I do not work directly with the solution. I'd rate the solution a six out of ten.
I would advise thinking about which modules you really want to use. We are using it only to have a transparent view of the firewall rule base and nothing more. We are not using any modules of this solution because we want to be and stay independent. For example, for the execution of the firewall rules, we use our own system. We have also developed all the other things ourselves so that in the future, we can switch to another product. So, you have to take care that you are not fully dependent on Tufin. I would rate it a seven out of ten.
DSI France retail banking networks at a financial services firm with 10,001+ employees
Real User
2022-01-23T17:08:13Z
Jan 23, 2022
I would rate this solution 7 out of 10. The main brick in order to build your solution is the first step, which is having a good understanding of your network and good people to talk to when you want to build your topology. Once it is done, the solution runs by itself. Exporting, reporting, topology, and changes are all handled by this solution. After the initial deployment, it is a stable solution. It can suit customer needs in complex environments. A con is that it is very needy in terms of implementation such as small configurations. We had that problem with networking devices. We had to implement it to get all the information from all the routing devices. Even if they don't belong to our network, we had to have the information from MPLS devices on the telecom operator. Sometimes it was difficult to build the solution from scratch. The Syslog part was a little difficult to handle. For the appliance we have right now, it handles the management, the Syslog, and all the needed modules in order to operate the solution. Sometimes, it is a little bit hard for the appliance to get straight to all the models it runs. Maybe with the new models of the appliances, it's easier for the appliances to run all the models. With the newer generations of the OS, I suppose that now it's more effective and less of a time-consuming process, but it's okay for us to upgrade after that in order to get all the new features in the new OS.
Information Security Engineer at a healthcare company with 10,001+ employees
Real User
2021-11-07T09:18:00Z
Nov 7, 2021
I would rate this solution 7 out of 10. My advice is to look at what is currently supported in whatever security technology you have because some of the features may already be covered. However, if you identify a gap in what you currently have, specifically around auditing, then I would definitely suggest looking at Tufin.
Executive Director at a financial services firm with 1,001-5,000 employees
Real User
2021-06-03T10:03:01Z
Jun 3, 2021
Tufin is a good company. I think most of the products in this market have difficulty working across a multi-vendor solution, and that also applies with Tufin. It works really well when you have a single vendor solution but it's just not as intuitive if you have back-to-back firewalls or you have a complex topology. For simple topologies, it works really well. There are currently some issues with this solution but if things improve with the new version, which apparently has some enhancements, I would give them a higher rating. For now, I rate this product a seven out of 10.
Project Manager at a comms service provider with 10,001+ employees
Real User
2021-04-15T16:39:54Z
Apr 15, 2021
We are not a reseller. We are an IT enterprise. We are customers and end-users. That said, our relationship is evolving. It's becoming something like a partnership, as we need more features and are making suggestions and trying to develop it out a bit. I'm not sure of which version of the solution we're using. I can't recall the version number off-hand. I'd rate the solution at a seven out of ten.
Information Technology Graduate at a computer software company with 10,001+ employees
Real User
2021-04-15T13:21:59Z
Apr 15, 2021
I would advise others to definitely work with Tufin and work out the best costs. Work out how soon you'll realize your return on investment. That has been a major kind of help. They've been brilliant in trying to help us develop a business case for using it, and then internally, I am sure there will be a massive help for implementing it in the future. I would rate Tufin a nine out of ten based on the whole experience that we've had with it and the real kind of capabilities of the product.
We are just a customer and an end-user. We are not using the most up-to-date version of the product. We are using one of the previous versions. I cannot at this time remember the version number, however, it was pretty old. We had a plan to upgrade, and then unfortunately ended up not doing that. I'd rate the solution at a nine out of ten as it helps us do our work. We're mostly quite happy with its capabilities.
Presales Network & Security Engineer at a tech services company with 51-200 employees
Reseller
2020-12-10T07:18:12Z
Dec 10, 2020
I would recommend this solution to others who are interested in using it. I have not worked with any other vendors with this type of solution, for example, FireMon. I haven't worked with it. I would recommend it specifically to start with SecureTrack, which is a monitoring tool. Once the customer sees it, they want the solution. Afterward, for automation and SecureChange. I would rate Tufin an eight out of ten.
Manager of Security Engineering at Global Payments Inc.
Real User
2019-07-18T09:23:00Z
Jul 18, 2019
It is a great tool. It will help you increase your productivity and simplify your workflow. We should use it to clean up our firewall policies since the tool is there.
Security Engineer at an insurance company with 201-500 employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
Everything is good right now. Reach out to whoever does your implementation and support. Ask as many questions as you can and do research. We haven't got to the point where we've used the solution to clean our firewall policies yet. That is the next phase. This solution won't help us ensure that our security policy is followed across our entire hybrid network until the next stage. We're not in the cloud.
CyberSecurity Supervisor at an energy/utilities company with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
This solution works very well and it does the job. The product is pretty solid. At the same time, some of the small customizations would be very useful. It just needs little minor tweaks to really take it to the next step. My advice to anybody who is researching this or a similar solution is to give it a look. Don't overlook this solution because you haven't heard of Tufin, because it's actually a really decent product. I would rate this solution an eight out of ten.
If someone was looking for this type of solution, I would tell them, "Here are the top four solutions that I know of and the places that I worked on each of them. Here are the benefits, gossip, and downsides that I've seen for each one." Tufin has the best solution as far as it being self-contained, reliable, and integrating with the other things that you want it to integrate with. The customer service is also not arrogant like some of the other solutions. We need to utilize it to its capacity and capabilities, and we're not doing that yet. It will eventually reduce the time it takes to make changes. I don't know how much time it will save, since a lot of the manual processes are done by another team. I am still building my team underneath me. The cloud stuff is great, but I am sort of scared to look at it because we are still trying to work out our traditional stuff being compliant and under control, then doing what it's supposed to be doing. I can't even imagine what the developers are doing in the cloud stuff.
Senior Network Engineer at a financial services firm with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
I've already recommended Tufin to other people, absolutely. There was another company that has Check Point, I'd meet with them at Check Point expos and we'd talk. I would tell them I'm doing the rule re-cert with the bank and tell them, "Get Tufin." The first thing you want to do is get SecureTrack. Get it set up, get it working. Then you can grow from there. If you don't know what's going on with all the policies, you're blowing your brains out. I always recommend Tufin. We're working on getting the solution to help us meet our compliance mandates. That's one of my projects, starting this year. In my opinion, the solution’s cloud-native security features are good. I just don't have anything to compare them to. I can't say I have worked with AlgoSec or FireMon so I can't compare Tufin and say, "Oh, you guys are much better than that guy." Tufin is the only product I've worked with in policy management. Tufin is better than the way we're using it. I firmly believe that we're not using it to its full capability. It's like having a Ferrari in the garage but using it to go get groceries. Someone might look at it and say, "Oh my God, we could be on the Autobahn, flying." And I say, "Yeah, I know, but I need groceries." I don't think we're using it to its full potential. However, from what I'm seeing now, and in future developments based on this conference, it's going in the right direction. I would rate it at eight out of ten. We are strictly a Check Point shop for firewalls. We don't have other vendors. I can see where, if I had Palo Altos and Fortinets and Ciscos, Tufin would be a godsend. I wouldn't have to go combing through every vendor. Whereas for us, it's already together. That may be why I don't rate higher.
Tufin is not mandatory to manage firewalls or to manage any products. But it supplements. It will help you to get approvals and to push firewall policies. In the long run, when you have to manage hundreds of firewalls, obviously Tufin will help. We are working on the USP, but so far we only rely on Tufin between about ten and 20 percent to see USP violations.
Give it a try. Get a full list of Layer 3 devices available, import it into Tufin, look at the topology, and work forward from there. Currently, we are still not provisioning.
Team Lead of Border Protection at a manufacturing company with 1,001-5,000 employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
Tufin is not perfect, but it's really good. Make sure you know your environment well. Tufin will help with knowing the firewall rules, but be well-documented before you start with your security policies. The approval process is a lot more automated, but the implementation process didn't change. We don't use Tufin in the cloud yet. We don't have compliance mandates.
Senior Network Security Engineer at a retailer with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
If you want to be able to manage your firewalls efficiently and securely, then use Tufin. It is a pretty solid solution. As with any security solution, I think it is growing. It seems like it is at a good point. It could still use some work, but it's growing, and that's good. We saw in the training yesterday the changes for part of SecureTrack 2.0, which isn't out yet. Those changes, that they will be implementing, look very good from what I can see.
Associate Director Program Management at a pharma/biotech company with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
Tufin seems like a high quality product from a company that cares. It focuses on exactly what we need. We would like to get to having Tufin make changes on firewall rules, but we are going to need help convincing our management that we should be using Tufin to do that. It looks very promising, but we can't use it for that yet. We haven't implemented the change workflow process yet. While we didn't buy it for the solution’s cloud-native security features, I'm interested in that, but it is not in my mandate right now. The product has been fabulous.
Network Engineer at an energy/utilities company with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
We are siloed. We have separate areas of responsibility for parts of the network. The pieces of the network that our team manages, and what our Tufin instances are monitoring, is all for the data control system for anything real-time, e.g., the gas and electric control systems. Therefore, we don't have complete visibility of the entire network because we are only monitoring that subset of the network. We don't use any workflows because we're not using SecureChange. We haven't used the solution’s cloud-native security features.
Firewall Administrator Security Engineer at a comms service provider with 1,001-5,000 employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
I would recommend taking a look at the solution. I use the solution daily and can see it anytime that I want. I find it invaluable in day-to-day management of firewall policy and policy changes. This solution has sort of helped us to meet our compliance mandates. The cloud-native security features will be more important in the future. I am just learning about them now. I have not worked with SecureChange. I just took the SecureChange track, and from all of the exercises that we did, it seems like a very valuable tool after your firewall population reaches a certain density. If there are a certain number of firewalls, manual administration doesn't make sense anymore.
Lead Engineer at an insurance company with 1,001-5,000 employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
You should definitely be looking at this as in your top-two choices, before even considering any other solutions. We are in the midst of a transition, going to a newer version. All the features which I talked about above, we want to implement them in a new production infrastructure. We are working with Tufin and Professional Services very closely, so we can enable it. There is the old way - the way we are using it - versus the way we want to. It is not there yet. Currently, it's not helping us meet compliance mandates, but the new way will definitely help us to meet them. In addition, once we go with the new way of doing things, the solution will ensure that security policy is followed across our entire hybrid network. At that point it will follow business practices.
Network Engineer at a healthcare company with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
Check out this product and see what it can do for you. Talk with the marketing team and account reps and see what direct benefit the platform gives you. Then, see what strengths it has compared to the competition, as well as its value proposition. We are not to the point of using the solution to automatically check if a change request will violate any security policy rules, but it is coming. We are building the security policy part of it out across our hybrid network, especially with the USP.
Network Engineer Lead at an energy/utilities company with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
Give Tufin a good, hard look. From my experience, it is the best of breed. Right now, we're focusing the implementation on our NERC CIP firewalls (the compliance stuff). We have some other teams who will be working on the corporate side and certain clean up rules along with the rest of the corporate firewalls. We are not there yet, but we're working on it.
Network Engineer at a healthcare company with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
Tufin provides a very comprehensive solution. Anyone looking to go down the path of automation should not look any further because Tufin will be able to meet their requirements and scale out really effectively. We don't yet use the solution to automatically check if a change request will violate any security policy rules. We are in the process of building that. Similarly, we are still working on having the solution ensure that security policy is followed across our entire hybrid network. We are in the cloud but we haven't yet started using the Tufin solution actively in the cloud. We are still in a trial phase as of now, but so far the results have been pretty good. We tend to test things out a little bit more but the results have been positive and favorable for us to move forward.
Network Security Operations at an insurance company with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
It gives us visibility and the ability to make changes automatically with fewer mistakes. Overall, it's a decent product. Tufin is definitely a good contender to come as a winner. It has the potential to look not only at firewalls, but also network devices and other cloud-native solutions. It is a pretty broad base product, which will eventually be a good future tool to have in a toolkit. We haven't used the workflow from Tufin. We use our own ticketing system for that. We are busy integrating our ticketing system with Tufin right now using an API. We are just in the process of doing that. Tufin helps us understand and ensure that security is being applied. Tufin is not a security tool. It just gives us all the information about security, firewalls, etc., and that they are doing their work. From that perspective, it would be a long stretch to say that Tufin provides us security. However, Tufin provides us the information that we have security across hybrid environments. All of our cloud-native security features are directly taken from cloud management tools. We don't have anything deployed yet from Tufin for cloud-native security features, but there is a desire for that.
Be as detailed as you can within your introductory meetings, and your planning and implementation phases, because if you don't mention something and it comes back later, you're going to have to work through it. That could take time, it could take extra money. You want to make sure, upfront, that you know everything you want to do so that it's all included in the cost for the Professional Services implementation. We do use it on the cloud; we're having some trouble right now defining the network policy on our cloud. We're working through that; it's part of being a new client. I would rate Tufin a seven out of ten. We're a very large, complex organization, so we're still working through some stuff that we focus on, things that, perhaps, other customers don't, or that Tufin doesn't have integrated in the TOS software.
Do a proof of concept or proof of value. You will see the value right there. The visibility is top-notch. I know the vendors as well, like Check Point and the firewall product underneath it. I know with Check Point, specifically, and I have seen some issues with it. However, overall, there is still a lot of value in the cleanup.
Security Analyst at a retailer with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
Understand your DNS or network segment. What all these different subments and how they will fit into what categories, because you are going to directly take that info when you build out your USP. If it's too messy, your USP is not really going to do anything. You need to have a good dictionary for the USP to follow. We aren't really using the cloud-native security features in our current environment.
Change Manager at a pharma/biotech company with 10,001+ employees
Real User
2019-07-18T08:39:00Z
Jul 18, 2019
There is a plan for clean up as part of our regular process. There is a process drafted and an intention to do that. It seems flexible and customizable. The bigger question is whether it will integrate into our existing process effort for change management. There is an existing risk assessment process that sort of fits up into our Remedy change request process, so now we have to think about how does the Tufin change management portal and SecureChange fit into that as well. Once the USP is defined and we feel comfortable with that, we plan to use the solution to automatically check if a change request will violate any security policy. However, we are not doing that yet. The program that I am supporting is not engaged in any of the firewalls affecting the cloud, so I didn't have a lot of context with that. Once we have it up and running, this solution should help reduce the time that it takes to make changes and our engineers should spend less time on manual processes. I did training at Tufin two weeks ago.
My advice for anybody who is researching this solution is that if they are a larger company with a lot of money to spend, and they have a heterogeneous network with more than three different firewall vendors, then they absolutely need it. There is no competitor or really anybody who is even close. For what this product does, it does well. There are, however, things that are missing. Overall, I would rate this solution a seven out of ten.
My advice to anybody who is implementing this solution is to take the time to learn the product, in and out, right away. I would rate this solution an eight out of ten.
Infrastructure Engineer Specialist at a healthcare company with 10,001+ employees
Real User
2019-07-17T04:14:00Z
Jul 17, 2019
I do find that the change workflow process is flexible and customizable, but not fully. I would say that it is seventy percent customizable, as there are pros and cons in the workflow. You cannot fully customize the workflow by yourself. There are certain limitations in the workflow, such as the inability to create a Firewall object or an IP object. You can only create or modify the Firewall object group. The other problem is the schedule window, as it pushes all of the firewalls on the CMA. For us, this solution is a supplement. Tufin is partners with Check Point and Fortinet firewalls, but I can manage firewalls without using it. At the same time, while it is not mandatory, it is helping us. For anybody who is considering this solution, I would say that Tufin helps you to get approval and it will help you to push your firewall policies. In the long run, when you have to manage hundreds of firewalls, it is a good thing to have. I would rate this solution a six out of ten.
InfoSec Consultant at an insurance company with 10,001+ employees
Real User
2019-07-17T04:14:00Z
Jul 17, 2019
We do not yet use this solution to automatically check if a change request will violate any security policy rules. We have not yet utilized this solution to help with compliance. With respect to the cloud-native security features, we are not leveraging the cloud as much as we should with Tufin. There could be better things out-of-the-box; however, I know that it is a solution that has to cover a wide range of industry and supportability, so therefore it's a challenge to get everyone's wants and needs. My advice to anybody who is implementing this solution is to spend more time than you think you need on SecureTrack because it sets the standard for using SecureChange in all of the other products. I would rate this solution a seven out of ten.
Give Tufin a good look. The Tufin team is always trying to stay on top of it. When Check Point came out with a R80.10, it wasn't very long before Tufin could generate rules or provision to R80.10, which was good. Now that R80.20s are out, they can provision to those. I think R80.30 is close, but I haven't heard them saying that they can provision to that yet. They can also provision to the latest versions of Palo Alto. Since those are the two that we have, I don't know about Fortinet or Juniper, but I'm sure they're trying to stay on top of those as well. We're not really using the cloud parts of it yet. Our engineers are spending less time on manual processes. However, it does depend on what you call engineers. Our firewall engineers don't do much with Tufin. We had a dedicated engineer, but he changed groups with the promise that he was still going to support Tufin. He wasn't over there very long and now no longer does anything with Tufin. We are pretty much on our own. We came up with our own solutions. We have some people who are good at writing scripts and are pretty self-sufficient.
Infrastructure Analyst at a manufacturing company with 10,001+ employees
Real User
2019-07-17T04:14:00Z
Jul 17, 2019
I am unfamiliar with the cloud-native security controls that are provided. They may be worth further investigating. Reducing the time it takes us to make changes is the goal of our implementation. We expect that our engineers will spend less time on manual processes. We expect that this solution will do what we need it to do, but there are some quirks with the integrations for the software. My advice to anybody who is researching this solution is to pick what's right for you and do your homework. I would rate this solution an eight out of ten.
Security Consultant at an insurance company with 10,001+ employees
Real User
2019-07-17T04:14:00Z
Jul 17, 2019
This solution checks a lot of the checkboxes, but it seems to be quite limited in some of the more advanced features that the firewalls do. This can be quite restrictive in terms of what you can and can't accomplish with it. I have indeed referred two former co-workers at another company to look at this solution. I think that it would help them significantly. The newer, more advanced features that we would like to use are just not supported by Tufin yet. I think that it's in their roadmap, but they just aren't there yet. Specifically, we are doing things like URL filtering, user identification, decryption, and inspection, which are typically done by devices other than firewalls. Palo Alto supports it, and we're using it, but it creates some complexity with the automation. I would rate this solution a seven out of ten.
The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation. The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic. This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows. The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product. I would rate this product a nine out of ten.
Network Security Analyst at an energy/utilities company with 10,001+ employees
Real User
2019-07-17T04:14:00Z
Jul 17, 2019
Test every feature. Make sure the third party vendors that they implement into it function properly with it. We have had issues with our Palo Alto connections. We just started a PoC on the change workflow process of the solution. We are just now moving stuff to the cloud.
Senior Network Engineer at a pharma/biotech company with 10,001+ employees
Real User
2019-07-17T04:14:00Z
Jul 17, 2019
The visibility provided by this solution is invaluable. It's easy to gather this information to share within our group and also outside of our group, with, for example, security compliance individuals. We do not have mandated compliance in our environment. However, we impose it upon ourselves and this solution helps us to gauge where we are. In terms of the cloud-native security, there are some limitations because you can only pull from it what they’re willing to give you. Overall, it’s the same as whatever we do on-premise. My advice to anybody who is implementing this solution is to ask a lot of questions. Use this solution to the hilt during the POC, making use of anything and everything. Every place is different, so use it for what you need to and beyond, so that you get an assessment as to what it can do for you. This solution saves us a lot of time that we don't have, but there is always room for improvement. I would rate this solution a nine out of ten.
Security Engineer at a government with 10,001+ employees
Real User
2019-07-17T04:14:00Z
Jul 17, 2019
We don't use SecureChange at the moment, although hopefully, we can get to it in the future. With respect to having this solution automatically clean up our firewall policies, we run the report but we don’t always push those changes on. We consider the recommendations but review it manually ourselves. This does point out what we can get rid of, and where we can optimize it. Once we have the trust of our team to push these changes automatically it will be implemented, but we're not ready for that yet. Part of the reason is that we want to be in control of the firewall policy changes. We don't want developers or anybody recommending what we should be doing. If somebody is looking to integrate a ticketing system, and not push changes directly through their firewall management system, and they would like a third-party verifier and checker then I don't know any other products that can do that. This is especially true for Check Point firewalls, and Palo Alto. I would rate this solution an eight out of ten.
We do not yet have a great deal of experience with the cloud side of this solution. However, we're actually moving into our first contract around that and we'll be digging in deep. We find it, at least from our lab environment, highly successful, whether it's AWS or Azure, and we're looking at the Kubernetes side of things as well. So far, so good, from a lab perspective, but we will be rolling out our first, into a full Cloud environment for one of our global clientele. For our clientele, this solution has, without question, saved them time when it comes to making changes. The whole idea is to be able to initiate a change and have it proliferate across thousands of devices. It's critical. So, just in that alone, we can save six months' worth of man-hours just in making a single change for some of the environments that we work with. Tufin is really a leader in the space for taking manual processes and eliminating them as much as possible. My advice to anybody researching this or a similar solution is to look for longevity in the field. Also, look for product development expertise and a legacy of that. Finally, look for scalability, stability, and growth within the marketplace across device sets. I would rate this solution a nine out of ten.
Using this solution has allowed us to reduce the amount of time we spend making changes by approximately twenty percent. This solution has a lot of functionality that we aren't using at this point, but it seems to have the flexibility and scalability. The drawback is the lack of integrated NERC CIP. For anybody researching this or a similar solution, I would always tell them to look at all of the available options, but Tufin does all of the things that we needed it to do. I would rate this solution an eight out of ten.
Prior to using this solution, our SLA for any change that went into production was ten days. We’ve now lowered that down to two days. For the most part, our engineers are spending less time on manual processes, but this is when the topology works the way it's supposed to. When it isn’t working the way it's supposed to, then they spend more time than they would normally. My advice to anybody who is implementing this solution is to start small. Pick an area of your network and deploy Tufin, then get it working in a manner that suits your needs. After this, expand it out to the entirety of your network. This is a good solution but it is not perfect. There is a lot of stuff that is unsupported and it is inefficient. I would rate this solution a seven out of ten.
This tool is excellent in the specific areas where it is applied. We are spending less time on manual processes and at some point, we will be stopping them. This solution definitely helps to reduce the time it takes to make changes. With other tools, I have spent five or six hours or even days, but with this solution, it takes me thirty minutes. It can take even less, depending on the complexity of the firewall. My only complaint is that I would like to be able to export data to different formats. I would rate this solution a nine out of ten.
IT Manager at a financial services firm with 10,001+ employees
Real User
2019-07-16T10:43:00Z
Jul 16, 2019
There is always room for improvement, but with the performance and the day to day stability that we have, I think that it's a very good product. Overall, I am very happy and satisfied with the product, and I am looking forward to a lot of new features. I would rate this solution an eight out of ten.
In terms of advice, it depends on what a user's needs are. For us, we only considered Tufin for the security and the network parts, especially the network mapping. I need to see the hop-by-hop, from this site to that site, how many hops for a transfer packet. Tufin is good for beginners. Tufin filters based on rules, even if a beginner doesn't know what to do, how to configure the firewall. Tufin can then monitor based on those rules. It's a good value for what it does. We had no issues with this product. It was good for us. We could deploy it in our environment without any issue. I rate it at eight out of ten because we are still evaluating Tufin. Our project is running on Riverbed for SDN. I don't know if Tufin can integrate with Riverbed. Other than that, I have no issues with this product.
Network/Security Engineer at a leisure / travel company with 51-200 employees
Real User
2019-05-02T07:06:00Z
May 2, 2019
My advice would depend on what kind of implementation and what kind of environment you have. If you are looking for automation and auditing you should think about this solution. Talk to the technical guys at Tufin about how your environment works and ask them about what they can do. If you are looking for automation you should look at Tufin. Regarding Tufin's cloud-native security features, I am only familiar with their on-prem stuff. I haven't seen any of the cloud features on Tufin yet. I would really like to know what it will bring us at the end of the day. We have three or four teams using it on different platforms and for different use cases, like auditing and alerting. On my team there are 25 guys using it. I don't have any idea how many guys on other teams are using it. Our security area is managing and maintaining it. As engineers, we are certainly using it daily. I just made a scheduled change today through Tufin. We are certainly using it but I can't say what our plans are for it in the future. I would rate Tufin at seven out of ten. The things that come to mind with this rating are the implementation of firewalls, the alerting and security. We can set out the security rules. I deducted three points because of the platform. I don't think that it has a stable platform. If there are 20 people and 22 need it, it will not be able to support us in that scenario. So that is a weak point. Stability and robustness are the things I'm looking for.
Network Architect at a transportation company with 10,001+ employees
Real User
2019-04-03T05:29:00Z
Apr 3, 2019
Don't bother with the web interface, calm down, don't worry, everything will be fine. They will improve it. The rest of it, I don't have any issues. They're technically prepared, the tool does its thing. The only two things I would be patient with are the web interface and that documentation which is not really well organized. Besides that, it's pretty easy. It's pretty easy to configure and, once you start using it, you will see the potential. AlgoSec, Skybox, and all those tools probably have the potential as well. But Tufin is easy enough for everybody. What we don't use, and what we are not planning to use, is the third module, the SecureApp. We haven't played with it and we're not planning on using it, for the moment. In terms of using Tufin to automatically check if change requests will violate any security policy rules, we would love to do that. What we didn't do is build the security matrix. That part is the one that takes a lot of time to build. You have to work with the security team and all the players involved. Because we did not design the security matrix, we couldn't match a firewall rule with the security matrix and say, "Okay", or "Not okay," and do some automation there. What we did is prepare a form for a firewall petition, and some automatic steps. For instance, in the first step, you enter the request and it sends an email to a business approver. Depending on whether that firewall or that flow is predefined as allowed or not, you can skip that step and go to the next step. We did a little bit of logic with the change-request form. It worked pretty well for us. The purchasing process takes a little bit of time because of all the different groups involved. But we're planning on implementing it and to finish around next summer, 2020; to have both SecureTrack and SecureChange up and running. As for compliance, we don't have many requirements. 
Of course, we are bound to some ISO certifications, because it's the car industry, but we don't have any specific PCI. We don't sell cars over the internet, so we don't have to do that. When it comes to Tufin's cloud-native security features, what we have is our landing zone in AWS - a VPN tunnel from on-premise to Amazon, with Transit VPC. We have a couple of Palo Altos, securing the track from on-premise to the cloud. And we added those Palo Altos to Tufin. We needed to tweak and include some virtual devices in Tufin so the routing would be okay. But that was quite easy. It was well-documented as well. The only problem is that we got our quotation from our supplier, and the Security Groups are extremely expensive. They bill you $1,200 per Security Group per year, which is really high. We're not that big, we may have 100 or 150 Security Groups. That would be about $200,000 just to manage Security Groups. We were put off by that. From the start, we won't have the Security Group feature. We think it's too expensive. As for increasing our usage of Tufin, we'll go day by day and see how it responds to our requirements. SecureTrack at the beginning, then SecureChange. Maybe, if everything goes well, we will think about SecureApp. It's not in the scope at the moment, but maybe we will implement it. I would rate Tufin a seven out of ten. It will get better once they get their act together with the documentation and the interface.
Specialist in Network Security Operations Support at a financial services firm with 10,001+ employees
Real User
2019-03-14T11:34:00Z
Mar 14, 2019
If you are looking at a large environment and a large number of policies, you really need Tufin to help you manage all the rules. We have 25 policies, and each policy has around 1,000 to 1,500 lines of rules. Managing that manually would not be easy. We haven't started using the change impact analysis capabilities of this solution yet. We are still testing it. We are not that familiar with the process yet. Because our team is doing cleanup every three months, we need to keep generating a report every day to have correct visibility: which rules are unused and which rules need to be removed to be optimized. We are using it quite intensively. I don't know how we can increase usage until we deploy and start using SecureChange. At that point it will be more intensive because after SecureChange everything will be automated and they will start only using and looking at the secure Tufin interface, in terms of rolling out all the requests. We haven't seen a reduction in the time it takes to make changes yet, because we are still tweaking the SecureChange part. We will be testing it in a few months' time. We need to see integration with our ticketing system because people are making requests over HPSM and Tufin needs to be able to grab them first, before we can start to roll out SecureChange.
I would rate it seven out of ten. I would recommend Tufin if someone is considering it. We are still in the process of phasing it in to help us with our compliance mandates.
Security Engineer at a manufacturing company with 10,001+ employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
While it has its highlights, it has deep issues that need to be addressed. This solution helps us ensure that security policy is followed across our hybrid network. Our company doesn't really have federal or regulatory compliance requirements. Spend a lot of time testing and doing a PoC for it, before you make the final decision to go for it.
Network Security at a transportation company with 10,001+ employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
It is a good solution, somewhat easy to implement, and gives you a lot of information. It takes time to learn all the little nuances of it. I don't think we're using cloud native security quite yet.
Cyber Security Engineer at a healthcare company with 10,001+ employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
It's a very solid product. There are definitely a few things that I wish I could do with it, but I'm so new to the product that maybe I'm just not looking at the right spots. Try it out. It's pretty cool. I was very impressed with the initial presentation and how it could automate everything. It's just that getting to the point where you want it to do what you need it to do is definitely time-consuming and a lot of work. However, I think it will be worth it in the end. We are working to use this solution to automatically check if a change request will violate any security policy rules. We are not there yet. We are still in the process of getting it developed. Some of the portions that I have used have helped me, as I can just go to one place and find out if a rule exists, or if there's any type of traffic.
I would suggest looking at not just the features and functionality which are specific to the environment which you are working in, but to be aware of the other features which the product has to offer. Because companies grow and things change, so it's always good to have at least a complete idea of what the product does and how it does it.
Network Security at a tech services company with 5,001-10,000 employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
I would recommend Tufin. They are very helpful for IT organizations, as they continue improving SecureChange. With our security plan, we can see how Tufin meets the basic requirements. Then, we can go and customize if there is any risk, which might be interfering with ports or external networks.
Security Analyst at a government with 1,001-5,000 employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
Really dig deep and understand your use cases, then what exactly you're looking for out of the solution. It has allowed us to maintain particular rules in regards to CJIS and HIPAA compliance. We have multiple networks connected to this solution. So, we are able to design and monitor different rule sets in the three different domains that we control.
Security Engineering at a financial services firm with 10,001+ employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
Buy Tufin because it works! I love the product. It's been a great product to work with. The people are great, and the support is awesome. I have had no downside out of it. We're just getting started on the change workflow. So, we're learning it, and it's working well. It helps with our review process. We do a peer review, saying "Hi, here's all the changes," then you can look at it and go, "Oops I forgot something," or, "I don't think that was in any drop," and we can go back and review that. This is where it helps us minimize errors. Before Tufin, we would end up not catching these errors. We are automating, so we are getting to a place where our engineers are spending less time on manual processes.
Senior Information Security Architect at First Citizens Bank
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
It does what it needs to do for our needs. We are in the process of doing a PoC for the new changes. Currently, it's all reactive. We do the changes, then we review it at a later time.
You need a product like this, but look at different solutions in the market. I would rate it a seven out of ten. We do not use the product across our entire network. We do not use the cloud native security features. In the future, we will use the solution to check if a change request will violate any security policy rules.
IT Manager at a financial services firm with 10,001+ employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
I would rate it an eight out of ten. It's very easy to use and you can get good results very quickly. We don't use the cloud native security features yet.
Manager at a manufacturing company with 10,001+ employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
I would rate it a seven out of ten. I would advise someone considering this type of solution to not listen to the sales teams among the competitors. They all throw each other under the bus and a lot of it is not true. Tufin's competitors will tell you how bad of a company that Tufin is and how you can't trust them, and how their stuff doesn't work. Then, Tufin doesn't say anything bad about their competitors. So, don't trust everything that you hear. Do your own research. Do a proof of concept. Get all of the vendors in. Give it a month to test drive. Set it up and let them prove it out. In the end, the correct tool, not the better salesman, will win.
I would rate it a seven out of ten mainly because it does everything really well. In general, it still does what it's supposed to do, and we don't have any issues with it. I would advise someone considering this solution to know exactly what you need before you start the process. Be very thorough, because the devil is in the details and you need to know exactly what you want and need. Then you'll be able to tell which solution is better, and which one gives you the better return on investment.
We are really interested in the Tufin Orca product.
* For visibility in the network, I would rate the product as a nine out of ten.
* For usability, I would rate the product as a seven out of ten.
* For liability, I would rate the product as a nine out of ten.
Security Architect at a manufacturing company with 10,001+ employees
Real User
2019-02-12T10:29:00Z
Feb 12, 2019
The topology doesn't work and SecureApp doesn't seem to be a strategic product for Tufin anymore. Proceed cautiously with that in mind. I would rate their SecureChange an eight out of ten. I would give their vision an eight, but for their execution I would give a three out of ten.
Professional Services Engineer at a tech services company
Reseller
2019-02-12T10:29:00Z
Feb 12, 2019
Check the product out for yourself. I wasn't using it for visibility into my firewall infrastructure, because I have other avenues. I wasn't using the compliance portion when I was testing it, only the orchestration. I want to look at Tufin for remediation and compliance in the future.
Business Director at a tech services company with 201-500 employees
Real User
2019-02-12T10:09:00Z
Feb 12, 2019
The first priority is to evaluate how expensive your firewall family is. If you have, for example, F5 then you would probably have similar problems to what we encountered with F5. But if you are deploying general firewalls, like Palo Alto and Cisco, that's fine. You have to evaluate how you are going to import existing policies and how you are going to monitor those policies when they transfer them across to be centrally managed and monitored by Tufin. In terms of users of the solution, we set up for the customer a central admin who is the main administrator that controls the entire dashboard. In addition, there are viewers who only need to view and monitor the reports and the like. It's the IT firewall team that makes changes to the firewall and backend system. So there are three main groups of users. We do the maintenance for the customer, so if there are any patches or any updates that are critical we work with the customer to identify a suitable time for us to do the system upgrade. We manage our customers' IT infrastructures. We then bring in vendors according to what each customer requires. We are the system integrator, integrating to their backend system. We provide consultancy and advice to the customer with regards to the types of products that they should choose. Eventually, we support products once they have deployed them. A lot of customers don't have a big IT team locally to support the infrastructure, so we provide that level of support. From an implementation and costing-strategy standpoint, I would give Tufin eight out of ten. It would be much better if they could improve the F5 support and also enhance the documentation in terms of integrating firewall products.
Network Engineer at a tech services company with 11-50 employees
Consultant
2018-07-30T09:01:00Z
Jul 30, 2018
Plan ahead because the implementation of Tufin is hard if you don't have an idea of what you want to do. Without a plan, it will be hard to get it working. When I'm selecting a vendor, I read the opinion of other people who use the product. I want to learn if it is buggy and if it is doing what people need it to do. I rate Tufin at about eight out of 10 because they really need to improve the reporting.
Tufin enables organizations to automate their security policy visibility, risk management, provisioning and compliance across their multi-vendor, hybrid environment. Customers gain visibility and control across their network, ensure continuous compliance with security standards and embed security enforcement into workflows and development pipelines.
We use two people for the maintenance of the solution. I rate Tufin an eight out of ten.
We have a team of three engineers that do the maintenance of the solution. I would recommend this solution to others. I rate Tufin a nine out of ten.
I rate this solution a six out of ten. The solution is good but can be improved by including additional automation in the next release.
I would rate this solution 7 out of 10. My advice is to look at what is currently supported in whatever security technology you have because some of the features may already be covered. However, if you identify a gap in what you currently have, specifically around auditing, then I would definitely suggest looking at Tufin.
Tufin is a good company. I think most of the products in this market have difficulty working across a multi-vendor solution, and that also applies with Tufin. It works really well when you have a single vendor solution but it's just not as intuitive if you have back-to-back firewalls or you have a complex topology. For simple topologies, it works really well. There are currently some issues with this solution but if things improve with the new version, which apparently has some enhancements, I would give them a higher rating. For now, I rate this product a seven out of 10.
We are not a reseller. We are an IT enterprise. We are customers and end-users. That said, our relationship is evolving. It's becoming something like a partnership, as we need more features and are making suggestions and trying to develop it out a bit. I'm not sure of which version of the solution we're using. I can't recall the version number off-hand. I'd rate the solution at a seven out of ten.
I would advise others to definitely work with Tufin and work out the best costs. Work out how soon you'll realize your return on investment. That has been a major kind of help. They've been brilliant in trying to help us develop a business case for using it, and then internally, I am sure there will be a massive help for implementing it in the future. I would rate Tufin a nine out of ten based on the whole experience that we've had with it and the real kind of capabilities of the product.
We are just a customer and an end-user. We are not using the most up-to-date version of the product. We are using one of the previous versions. I cannot at this time remember the version number, however, it was pretty old. We had a plan to upgrade, and then unfortunately ended up not doing that. I'd rate the solution at a nine out of ten as it helps us do our work. We're mostly quite happy with its capabilities.
I would recommend this solution to others who are interested in using it. I have not worked with any other vendors with this type of solution, for example, FireMon. I haven't worked with it. I would recommend it specifically to start with SecureTrack, which is a monitoring tool. Once the customer sees it, they want the solution. Afterward, for automation and SecureChange. I would rate Tufin an eight out of ten.
Implementing the tool is easy, but introducing the changes within the company can be challenging.
I recommend getting Tufin Professional Services involved when implementing automation.
It is a great tool. It will help you increase your productivity and simplifies your workflow. We should use it to clean up our firewall policies since the tool is there.
Everything is good right now. Reach out to whoever does your implementation and support. Ask as many questions as you can and do research. We haven't got to the point where we've used the solution to clean our firewall policies yet. That is the next phase. This solution won't help us ensure that our security policy is followed across our entire hybrid network until the next stage. We're not in the cloud.
This solution works very well and it does the job. The product is pretty solid. At the same time, some of the small customizations would be very useful. It just needs little minor tweaks to really take it to the next step. My advice to anybody who is researching this or a similar solution is to give it a look. Don't overlook this solution because you haven't heard of Tufin, because it's actually a really decent product. I would rate this solution an eight out of ten.
Try Tufin out. Make a PoC of it. That is how we sell most of our products because it works well. Our customers do not have a hybrid network.
If someone was looking for this type of solution, I would tell them, "Here are the top four solutions that I know of and the places that I worked on each of them. Here are the benefits, gossip, and downsides that I've seen for each one." Tufin has the best solution as far as it being self-contained, reliable, and integrating with the other things that you want it to integrate with. The customer service is also not arrogant like some of the other solutions. We need to utilize it to its capacity and capabilities, and we're not doing that yet. It will eventually reduce the time it takes to make changes. I don't know how much time it will save, since a lot of the manual processes are done by another team. I am still building my team underneath me. The cloud stuff is great, but I am sort of scared to look at it because we are still trying to work out our traditional stuff being compliant and under control, then doing what it's supposed to be doing. I can't even imagine what the developers are doing in the cloud stuff.
I've already recommended Tufin to other people, absolutely. There was another company that has Check Point, I'd meet with them at Check Point expos and we'd talk. I would tell them I'm doing the rule re-cert with the bank and tell them, "Get Tufin." The first thing you want to do is get SecureTrack. Get it set up, get it working. Then you can grow from there. If you don't know what's going on with all the policies, you're blowing your brains out. I always recommend Tufin. We're working on getting the solution to help us meet our compliance mandates. That's one of my projects, starting this year. In my opinion, the solution’s cloud-native security features are good. I just don't have anything to compare them to. I can't say I have worked with AlgoSec or FireMon so I can't compare Tufin and say, "Oh, you guys are much better than that guy." Tufin is the only product I've worked with in policy management. Tufin is better than the way we're using it. I firmly believe that we're not using it to its full capability. It's like having a Ferrari in the garage but using it to go get groceries. Someone might look at it and say, "Oh my God, we could be on the Autobahn, flying." And I say, "Yeah, I know, but I need groceries." I don't think we're using it to its full potential. However, from what I'm seeing now, and in future developments based on this conference, it's going in the right direction. I would rate it at eight out of ten. We are strictly a Check Point shop for firewalls. We don't have other vendors. I can see where, if I had Palo Altos and Fortinets and Ciscos, Tufin would be a godsend. I wouldn't have to go combing through every vendor. Whereas for us, it's already together. That may be why I don't rate higher.
A powerful tool for a security team to optimize time.
Tufin is not mandatory to manage firewalls or to manage any products. But it supplements. It will help you to get approvals and to push firewall policies. In the long run, when you have to manage hundreds of firewalls, obviously Tufin will help. We are working on the USP, but so far we only rely on Tufin between about ten and 20 percent to see USP violations.
Give it a try. Get a full list of Layer 3 devices available, import it into Tufin, look at the topology, and work forward from there. Currently, we are still not provisioning.
Tufin is not perfect, but it's really good. Make sure you know your environment well. Tufin will help with knowing the firewall rules, but be well-documented before you start with your security policies. The approval process is a lot more automated, but the implementation process didn't change. We don't use Tufin in the cloud yet. We don't have compliance mandates.
If you want to be able to manage your firewalls efficiently and securely, then use Tufin. It is a pretty solid solution. As with any security solution, I think it is growing. It seems like it is at a good point. It could still use some work, but it's growing, and that's good. We saw in the training yesterday the changes for part of SecureTrack 2.0, which isn't out yet. Those changes, that they will be implementing, look very good from what I can see.
Do proper research. Look at Tufin and all of the other products.
Tufin seems like a high-quality product from a company that cares. It focuses on exactly what we need. We would like to get to having Tufin make changes on firewall rules, but we are going to need help convincing our management that we should be using Tufin to do that. It looks very promising, but we can't use it for that yet. We haven't implemented the change workflow process yet. While we didn't buy it for the solution’s cloud-native security features, I'm interested in that, but it is not in my mandate right now. The product has been fabulous.
We are siloed. We have separate areas of responsibility for parts of the network. The pieces of the network that our team manages, and what our Tufin instances are monitoring, is all for the data control system for anything real-time, e.g., the gas and electric control systems. Therefore, we don't have complete visibility of the entire network because we are only monitoring that subset of the network. We don't use any workflows because we're not using SecureChange. We haven't used the solution’s cloud-native security features.
I would recommend taking a look at the solution. I use the solution daily and can see it anytime that I want. I find it invaluable in day-to-day management of firewall policy and policy changes. This solution has sort of helped us to meet our compliance mandates. The cloud-native security features will be more important in the future. I am just learning about them now. I have not worked with SecureChange. I just took the SecureChange track, and from all of the exercises that we did, it seems like a very valuable tool after your firewall population reaches a certain density. If there are a certain number of firewalls, manual administration doesn't make sense anymore.
You should definitely be looking at this as in your top-two choices, before even considering any other solutions. We are in the midst of a transition, going to a newer version. All the features which I talked about above, we want to implement them in a new production infrastructure. We are working with Tufin and Professional Services very closely, so we can enable it. There is the old way - the way we are using it - versus the way we want to. It is not there yet. Currently, it's not helping us meet compliance mandates, but the new way will definitely help us to meet them. In addition, once we go with the new way of doing things, the solution will ensure that security policy is followed across our entire hybrid network. At that point it will follow business practices.
Check out this product and see what it can do for you. Talk with the marketing team and account reps and see what direct benefit the platform gives you. Then, see what strengths it has compared to the competition, as well as its value proposition. We are not to the point of using the solution to automatically check if a change request will violate any security policy rules, but it is coming. We are building the security policy part of it out across our hybrid network, especially with the USP.
Give Tufin a good, hard look. From my experience, it is the best of breed. Right now, we're focusing the implementation on our NERC CIP firewalls (the compliance stuff). We have some other teams who will be working on the corporate side and certain clean up rules along with the rest of the corporate firewalls. We are not there yet, but we're working on it.
Tufin provides a very comprehensive solution. Anyone looking to go down the path of automation should not look any further because Tufin will be able to meet their requirements and scale out really effectively. We don't yet use the solution to automatically check if a change request will violate any security policy rules. We are in the process of building that. Similarly, we are still working on having the solution ensure that security policy is followed across our entire hybrid network. We are in the cloud but we haven't yet started using the Tufin solution actively in the cloud. We are still in a trial phase as of now, but so far the results have been pretty good. We tend to test things out a little bit more but the results have been positive and favorable for us to move forward.
It gives us visibility and the ability to make changes automatically with less mistakes. Overall, it's a decent product. Tufin is definitely a good contender to come as a winner. It has the potential to look not only at firewalls, but also network devices and other cloud-native solutions. It is a pretty broad base product, which will eventually be a good future tool to have in a toolkit. We haven't used the workflow from Tufin. We use our own ticketing system for that. We are busy integrating our ticketing system with Tufin right now using an API. We are just in the process of doing that. Tufin helps us understand and ensure that security is being applied. Tufin is not a security tool. It just gives us all the information about security, firewalls, etc., and that they are doing their work. From that perspective, it would be a long stretch to say that Tufin provides us security. However, Tufin provides us the information that we have security across hybrid environments. All of our cloud-native security features are directly taken from cloud management tools. We don't have anything deployed yet from Tufin for cloud-native security features, but there is a desire for that.
Be as detailed as you can within your introductory meetings, and your planning and implementation phases, because if you don't mention something and it comes back later, you're going to have to work through it. That could take time, it could take extra money. You want to make sure, upfront, that you know everything you want to do so that it's all included in the cost for the Professional Services implementation. We do use it on the cloud; we're having some trouble right now defining the network policy on our cloud. We're working through that; it's part of being a new client. I would rate Tufin a seven out of ten. We're a very large, complex organization, so we're still working through some stuff that we focus on, things that, perhaps, other customers don't, or that Tufin doesn't have integrated in the TOS software.
Do a proof of concept or proof of value. You will see the value right there. The visibility is top-notch. I know the vendors as well, like Check Point and the firewall product underneath it. I know with Check Point, specifically, and I have seen some issues with it. However, overall, there is still a lot of value in the cleanup.
Understand your DNS or network segment. What all these different subments and how they will fit into what categories, because you are going to directly take that info when you build out your USP. If it's too messy, your USP is not really going to do anything. You need to have a good dictionary for the USP to follow. We aren't really using the cloud-native security features in our current environment.
There is a plan for clean up as part of our regular process. There is a process drafted and an intention to do that. It seems flexible and customizable. The bigger question is whether it will integrate into our existing process effort for change management. There is an existing risk assessment process that sort of fits up into our Remedy change request process, so now we have to think about how does the Tufin change management portal and SecureChange fit into that as well. Once the USP is defined and we feel comfortable with that, we plan to use the solution to automatically check if a change request will violate any security policy. However, we are not doing that yet. The program that I am supporting is not engaged in any of the firewalls affecting the cloud, so I didn't have a lot of context with that. Once we have it up and running, this solution should help reduce the time that it takes to make changes and our engineers should spend less time on manual processes. I did training at Tufin two weeks ago.
My advice for anybody who is researching this solution is that if they are a larger company with a lot of money to spend, and they have a heterogeneous network with more than three different firewall vendors, then they absolutely need it. There is no competitor or really anybody who is even close. For what this product does, it does well. There are, however, things that are missing. Overall, I would rate this solution a seven out of ten.
My advice to anybody who is implementing this solution is to take the time to learn the product, in and out, right away. I would rate this solution an eight out of ten.
I do find that the change workflow process is flexible and customizable, but not fully. I would say that it is seventy percent customizable, as there are pros and cons in the workflow. You cannot fully customize the workflow by yourself. There are certain limitations in the workflow, such as the inability to create a Firewall object or an IP object. You can only create or modify the Firewall object group. The other problem is the schedule window, as it pushes all of the firewalls on the CMA. For us, this solution is a supplement. Tufin is partners with Check Point and Fortinet firewalls, but I can manage firewalls without using it. At the same time, while it is not mandatory, it is helping us. For anybody who is considering this solution, I would say that Tufin helps you to get approval and it will help you to push your firewall policies. In the long run, when you have to manage hundreds of firewalls, it is a good thing to have. I would rate this solution a six out of ten.
We do not yet use this solution to automatically check if a change request will violate any security policy rules. We have not yet utilized this solution to help with compliance. With respect to the cloud-native security features, we are not leveraging the cloud as much as we should with Tufin. There could be better things out-of-the-box; however, I know that it is a solution that has to cover a wide range of industry and supportability, so therefore it's a challenge to get everyone's wants and needs. My advice to anybody who is implementing this solution is to spend more time than you think you need on SecureTrack because it sets the standard for using SecureChange in all of the other products. I would rate this solution a seven out of ten.
Give Tufin a good look. The Tufin team is always trying to stay on top of it. When Check Point came out with R80.10, it wasn't very long before Tufin could generate rules or provision to R80.10, which was good. Now that R80.20s are out, they can provision to those. I think R80.30 is close, but I haven't heard them saying that they can provision to that yet. They can also provision to the latest versions of Palo Alto. Since those are the two that we have, I don't know about Fortinet or Juniper, but I'm sure they're trying to stay on top of those as well. We're not really using the cloud parts of it yet. Our engineers are spending less time on manual processes. However, it does depend on what you call engineers. Our firewall engineers don't do much with Tufin. We had a dedicated engineer, but he changed groups with the promise that he was still going to support Tufin. He wasn't over there very long and now no longer does anything with Tufin. We are pretty much on our own. We came up with our own solutions. We have some people who are good at writing scripts and are pretty self-sufficient.
I am unfamiliar with the cloud-native security controls that are provided. They may be worth further investigating. Reducing the time it takes us to make changes is the goal of our implementation. We expect that our engineers will spend less time on manual processes. We expect that this solution will do what we need it to do, but there are some quirks with the integrations for the software. My advice to anybody who is researching this solution is to pick what's right for you and do your homework. I would rate this solution an eight out of ten.
This solution checks a lot of the checkboxes, but it seems to be quite limited in some of the more advanced features that the firewalls do. This can be quite restrictive in terms of what you can and can't accomplish with it. I have indeed referred two former co-workers at another company to look at this solution. I think that it would help them significantly. The newer, more advanced features that we would like to use are just not supported by Tufin yet. I think that it's in their roadmap, but they just aren't there yet. Specifically, we are doing things like URL filtering, user identification, decryption, and inspection, which are typically done by devices other than firewalls. Palo Alto supports it, and we're using it, but it creates some complexity with the automation. I would rate this solution a seven out of ten.
The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation. The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic. This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows. The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product. I would rate this product a nine out of ten.
Test every feature. Make sure the third party vendors that they implement into it function properly with it. We have had issues with our Palo Alto connections. We just started a PoC on the change workflow process of the solution. We are just now moving stuff to the cloud.
The visibility provided by this solution is invaluable. It's easy to gather this information to share within our group and also outside of our group, with, for example, security compliance individuals. We do not have mandated compliance in our environment. However, we impose it upon ourselves and this solution helps us to gauge where we are. In terms of the cloud-native security, there are some limitations because you can only pull from it what they’re willing to give you. Overall, it’s the same as whatever we do on-premise. My advice to anybody who is implementing this solution is to ask a lot of questions. Use this solution to the hilt during the POC, making use of anything and everything. Every place is different, so use it for what you need to and beyond, so that you get an assessment as to what it can do for you. This solution saves us a lot of time that we don't have, but there is always room for improvement. I would rate this solution a nine out of ten.
We don't use SecureChange at the moment, although hopefully, we can get to it in the future. With respect to having this solution automatically clean up our firewall policies, we run the report but we don’t always push those changes on. We consider the recommendations but review it manually ourselves. This does point out what we can get rid of, and where we can optimize it. Once we have the trust of our team to push these changes automatically it will be implemented, but we're not ready for that yet. Part of the reason is that we want to be in control of the firewall policy changes. We don't want developers or anybody recommending what we should be doing. If somebody is looking to integrate a ticketing system, and not push changes directly through their firewall management system, and they would like a third-party verifier and checker then I don't know any other products that can do that. This is especially true for Check Point firewalls, and Palo Alto. I would rate this solution an eight out of ten.
We do not yet have a great deal of experience with the cloud side of this solution. However, we're actually moving into our first contract around that and we'll be digging in deep. We find it, at least from our lab environment, highly successful, whether it's AWS or Azure, and we're looking at the Kubernetes side of things as well. So far, so good, from a lab perspective, but we will be rolling out our first, into a full Cloud environment for one of our global clientele. For our clientele, this solution has, without question, saved them time when it comes to making changes. The whole idea is to be able to initiate a change and have it proliferate across thousands of devices. It's critical. So, just in that alone, we can save six months' worth of man-hours just in making a single change for some of the environments that we work with. Tufin is really a leader in the space for taking manual processes and eliminating them as much as possible. My advice to anybody researching this or a similar solution is to look for longevity in the field. Also, look for product development expertise and a legacy of that. Finally, look for scalability, stability, and growth within the marketplace across device sets. I would rate this solution a nine out of ten.
Using this solution has allowed us to reduce the amount of time we spend making changes by approximately twenty percent. This solution has a lot of functionality that we aren't using at this point, but it seems to have the flexibility and scalability. The drawback is the lack of integrated NERC CIP. For anybody researching this or a similar solution, I would always tell them to look at all of the available options, but Tufin does all of the things that we needed it to do. I would rate this solution an eight out of ten.
Prior to using this solution, our SLA for any change that went into production was ten days. We’ve now lowered that down to two days. For the most part, our engineers are spending less time on manual processes, but this is when the topology works the way it's supposed to. When it isn’t working the way it's supposed to, then they spend more time than they would normally. My advice to anybody who is implementing this solution is to start small. Pick an area of your network and deploy Tufin, then get it working in a manner that suits your needs. After this, expand it out to the entirety of your network. This is a good solution but it is not perfect. There is a lot of stuff that is unsupported and it is inefficient. I would rate this solution a seven out of ten.
This tool is excellent in the specific areas where it is applied. We are spending less time on manual processes and at some point, we will be stopping them. This solution definitely helps to reduce the time it takes to make changes. With other tools, I have spent five or six hours or even days, but with this solution, it takes me thirty minutes. It can take even less, depending on the complexity of the firewall. My only complaint is that I would like to be able to export data to different formats. I would rate this solution a nine out of ten.
There is always room for improvement, but with the performance and the day to day stability that we have, I think that it's a very good product. Overall, I am very happy and satisfied with the product, and I am looking forward to a lot of new features. I would rate this solution an eight out of ten.
In terms of advice, it depends on what a user's needs are. For us, we only considered Tufin for the security and the network parts, especially the network mapping. I need to see the hop-by-hop, from this site to that site, how many hops for a transfer packet. Tufin is good for beginners. Tufin filters based on rules, even if a beginner doesn't know what to do, how to configure the firewall. Tufin can then monitor based on those rules. It's a good value for what it does. We had no issues with this product. It was good for us. We could deploy it in our environment without any issue. I rate it at eight out of ten because we are still evaluating Tufin. Our project is running on Riverbed for SDN. I don't know if Tufin can integrate with Riverbed. Other than that, I have no issues with this product.
My advice would depend on what kind of implementation and what kind of environment you have. If you are looking for automation and auditing you should think about this solution. Talk to the technical guys at Tufin about how your environment works and can ask them about what they can do. If you are looking for automation you should look at Tufin. Regarding Tufin's cloud-native security features, I am only familiar with their on-prem stuff. I haven't seen any of the cloud features on Tufin yet. I would really like to know what it will bring us at the end of the day. We have three or four teams using it on different platforms and for different use cases, like auditing and alerting. On my team there are 25 guys using it. I don't have any idea how many guys on other teams are using it. Our security area is managing and maintaining it. As engineers, we are certainly using it daily. I just made a scheduled change today through Tufin. We are certainly using it but I can't say what our plans are for it in the future. I would rate Tufin at seven out of ten. The things that come to mind with this rating are the implementation of firewalls, the alerting and security. We can set out the security rules. I deducted three points because of the platform. I don't think that it has a stable platform. If there are 20 people and 22 need it, it will not be able to support us in that scenario. So that is a weak point. Stability and robustness are the things I'm looking for.
Don't bother with the web interface, calm down, don't worry, everything will be fine. They will improve it. The rest of it, I don't have any issues. They're technically prepared, the tool does its thing. The only two things I would be patient with are the web interface and that documentation which is not really well organized. Besides that, it's pretty easy. It's pretty easy to configure and, once you start using it, you will see the potential. AlgoSec, Skybox, and all those tools probably have the potential as well. But Tufin is easy enough for everybody. What we don't use, and what we are not planning to use, is the third module, the SecureApp. We haven't played with it and we're not planning on using it, for the moment. In terms of using Tufin to automatically check if change requests will violate any security policy rules, we would love to do that. What we didn't do is build the security matrix. That part is the one that takes a lot of time to build. You have to work with the security team and all the players involved. Because we did not design the security matrix, we couldn't match a firewall rule with the security matrix and say, "Okay", or "Not okay," and do some automation there. What we did is prepare a form for a firewall petition, and some automatic steps. For instance, in the first step, you enter the request and it sends an email to a business approver. Depending on whether that firewall or that flow is predefined as allowed or not, you can skip that step and go to the next step. We did a little bit of logic with the change-request form. It worked pretty well for us. The purchasing process takes a little bit of time because of all the different groups involved. But we're planning on implementing it and to finish around next summer, 2020; to have both SecureTrack and SecureChange up and running. As for compliance, we don't have many requirements. 
Of course, we are bound to some ISO certifications, because it's the car industry, but we don't have any specific PCI. We don't sell cars over the internet, so we don't have to do that. When it comes to Tufin's cloud-native security features, what we have is our landing zone in AWS - a VPN tunnel from on-premise to Amazon, with Transit VPC. We have a couple of Palo Altos, securing the track from on-premise to the cloud. And we added those Palo Altos to Tufin. We needed to tweak and include some virtual devices in Tufin so the routing would be okay. But that was quite easy. It was well-documented as well. The only problem is that we got our quotation from our supplier, and the Security Groups are extremely expensive. They bill you $1,200 per Security Group per year, which is really high. We're not that big, we may have 100 or 150 Security Groups. That would be about $200,000 just to manage Security Groups. We were put off by that. From the start, we won't have the Security Group feature. We think it's too expensive. As for increasing our usage of Tufin, we'll go day by day and see how it responds to our requirements. SecureTrack at the beginning, then SecureChange. Maybe, if everything goes well, we will think about SecureApp. It's not in the scope at the moment, but maybe we will implement it. I would rate Tufin a seven out of ten. It will get better once they get their act together with the documentation and the interface.
If you are looking at a large environment and a large number of policies, you really need Tufin to help you manage all the rules. We have 25 policies, and each policy has around 1,000 to 1,500 lines of rules. Managing that manually would not be easy. We haven't started using the change impact analysis capabilities of this solution yet. We are still testing it. We are not that familiar with the process yet. Because our team is doing cleanup every three months, we need to keep generating a report every day to have correct visibility: which rules are unused and which rules need to be removed to be optimized. We are using it quite intensively. I don't know how we can increase usage until we deploy and start using SecureChange. At that point it will be more intensive because after SecureChange everything will be automated and they will start only using and looking at the secure Tufin interface, in terms of rolling out all the requests. We haven't seen a reduction in the time it takes to make changes yet, because we are still tweaking the SecureChange part. We will be testing it in a few months' time. We need to see integration with our ticketing system because people are making requests over HPSM and Tufin needs to be able to grab them first, before we can start to roll out SecureChange.
I would rate it seven out of ten. I would recommend Tufin if someone is considering it. We are still in the process of phasing it in to help us with our compliance mandates.
While it has its highlights, it has deep issues that need to be addressed. This solution helps us ensure that security policy is followed across our hybrid network. Our company doesn't really have federal or regulatory compliance requirements. Spend a lot of time testing and doing a PoC for it, before you make the final decision to go for it.
It is a good solution, somewhat easy to implement, and gives you a lot of information. It takes time to learn all the little nuances of it. I don't think we're using cloud native security quite yet.
It's a very solid product. There are definitely a few things that I wish I could do with it, but I'm so new to the product that maybe I'm just not looking at the right spots. Try it out. It's pretty cool. I was very impressed with the initial presentation and how it could automate everything. It's just that getting to the point where you want it to do what you need it to do is definitely time-consuming and a lot of work. However, I think it will be worth it in the end. We are working to use this solution to automatically check if a change request will violate any security policy rules. We are not there yet. We are still in the process of getting it developed. Some of the portions that I have used have helped me, as I can just go to one place and find out if a rule exists, or if there's any type of traffic.
Seriously consider Tufin for your final decision.
I would suggest looking at not just the features and functionality which are specific to the environment which you are working in, but to be aware of the other features which the product has to offer. Because companies grow and things change, so it's always good to have at least a complete idea of what the product does and how it does it.
I would recommend Tufin. They are very helpful for IT organizations, as they continue improving SecureChange. With our security plan, we can see how Tufin meets the basic requirements. Then, we can go and customize if there is any risk, which might be interfering with ports or external networks.
Really dig deep and understand your use cases, then what exactly you're looking for out of the solution. It has allowed us to maintain particular rules in regards to CJIS and HIPAA compliance. We have multiple networks connected to this solution. So, we are able to design and monitor different rule sets in the three different domains that we control.
Buy Tufin because it works! I love the product. It's been a great product to work with. The people are great, and the support is awesome. I have had no downside out of it. We're just getting started on the change workflow. So, we're learning it, and it's working well. It helps with our review process. We do a peer review, saying "Hi, here's all the changes," then you can look at it and go, "Oops I forgot something," or, "I don't think that was in any drop," and we can go back and review that. This is where it helps us minimize errors. Before Tufin, we would end up not catching these errors. We are automating, so we are getting to a place where our engineers are spending less time on manual processes.
It is a really good product. It does exactly what you want it to do. Get the training. I didn't get the training. I assume they provide training.
It does what it needs to do for our needs. We are in the process of doing a PoC for the new changes. Currently, it's all reactive. We do the changes, then we review it at a later time.
You need a product like this, but look at different solutions in the market. I would rate it a seven out of ten. We do not use the product across our entire network. We do not use the cloud native security features. In the future, we will use the solution to check if a change request will violate any security policy rules.
There is room for the product to grow.
I would rate it an eight out of ten. It's very easy to use and you can get good results very quickly. We don't use the cloud native security features yet.
I would rate it a seven out of ten. I would advise someone considering this type of solution to not listen to the sales teams among the competitors. They all throw each other under the bus and a lot of it is not true. Tufin's competitors will tell you how bad of a company that Tufin is and how you can't trust them, and how their stuff doesn't work. Then, Tufin doesn't say anything bad about their competitors. So, don't trust everything that you hear. Do your own research. Do a proof of concept. Get all of the vendors in. Give it a month to test drive. Set it up and let them prove it out. In the end, the correct tool, not the better salesman, will win.
I would rate it a seven out of ten mainly because it does everything really well. In general, it still does what it's supposed to do, and we don't have any issues with it. I would advise someone considering this solution to know exactly what you need before you start the process. Be very thorough, because the devil is in the details and you need to know exactly what you want and need. Then you'll be able to tell which solution is better, and which one gives you the better return on investment.
We are really interested in the Tufin Orca product.
* For visibility in the network, I would rate the product as a nine out of ten.
* For usability, I would rate the product as a seven out of ten.
* For liability, I would rate the product as a nine out of ten.
The topology doesn't work and SecureApp doesn't seem to be a strategic product for Tufin anymore. Proceed cautiously with that in mind. I would rate their SecureChange an eight out of ten. I would give their vision an eight, but for their execution I would give a three out of ten.
Check the product out for yourself. I wasn't using it for visibility into my firewall infrastructure, because I have other avenues. I wasn't using the compliance portion when I was testing it, only the orchestration. I want to look at Tufin for remediation and compliance in the future.
The first priority is to evaluate how expensive your firewall family is. If you have, for example, F5 then you would probably have similar problems to what we encountered with F5. But if you are deploying general firewalls, like Palo Alto and Cisco, that's fine. You have to evaluate how you are going to import existing policies and how you are going to monitor those policies when they transfer them across to be centrally managed and monitored by Tufin. In terms of users of the solution, we set up for the customer a central admin who is the main administrator that controls the entire dashboard. In addition, there are viewers who only need to view and monitor the reports and the like. It's the IT firewall team that makes changes to the firewall and backend system. So there are three main groups of users. We do the maintenance for the customer, so if there are any patches or any updates that are critical we work with the customer to identify a suitable time for us to do the system upgrade. We manage our customers' IT infrastructures. We then bring in vendors according to what each customer requires. We are the system integrator, integrating to their backend system. We provide consultancy and advice to the customer with regards to the types of products that they should choose. Eventually, we support products once they have deployed them. A lot of customers don't have a big IT team locally to support the infrastructure, so we provide that level of support. From an implementation and costing-strategy standpoint, I would give Tufin eight out of ten. It would be much better if they could improve the F5 support and also enhance the documentation in terms of integrating firewall products.
Plan ahead because the implementation of Tufin is hard if you don't have an idea of what you want to do. Without a plan, it will be hard to get it working. When I'm selecting a vendor, I read the opinion of other people who use the product. I want to learn if it is buggy and if it is doing what people need it to do. I rate Tufin at about eight out of 10 because they really need to improve the reporting.