Tufin Orchestration Suite Reviews

Our primary use case is firewall management and policy management.

It has very good visibility with all our devices. We can see how they interact with each other, and if we're doing the right things or not.

We find it to be flexible. If we have a change that needs to be done, it will go ahead and do it for all our devices, regardless of the manufacturer that we have associated with it.

We are still in the beginning phases of it, but we're hoping that it can change how all of our policies are determined and implemented.

The most valuable feature is the consolidation of firewall products.

The change impact analysis capabilities of this solution are pretty good. We like the product a lot.

I would like the following additional features:

• Easier integration with more automation.
• Ability to get better results from rule-based requests.
• Ability to do some policy browsing and find out where they're hitting, specifically.
• Ability to pull hit count reports more easily. 

It's pretty stable. I haven't had any issues with it.

The scalability is pretty good. All we have to do is just add another device and buy another license. It seems pretty straightforward.

I personally haven't worked with them, but I've heard good things about how responsive they are. They've always been able to find the answer that we needed.

We had no solution previously. So, we needed something that would help make our decisions on better securing our network.

The initial setup was straightforward. It was very easy to setup and integrate. We had no issues.

Most of the work was done by us. However, we worked closely with Tufin support, and we have good things to say about that.

We also evaluated FireMon. We did not go with them because the solution was not as easy to install or incorporate in our organization. To us, Tufin just seemed to be the better product.

It's very solid product. There are definitely a few things that I wish I could do with it, but I'm so new to the product that maybe I'm just not looking at the right spots.

Try it out. It's pretty cool. I was very impressed with the initial presentation and how it could automate everything. It's just that getting to the point where you want it to do what you need it to do is definitely time-consuming and a lot of work. However, I think it will be worth it in the end.

We are working to use this solution to automatically check if a change request will violate any security policy rules. We are not there yet.

We are still in the process of getting it developed. Some of the portions that I have used have helped me, as I can just go to one place and find out if a rule exists, or if there's any type of traffic.

We are using SecureChange to start orchestrating a lot of our changes. Our users can then request changes instead of having to go directly to us. We are trying to automate some of those pieces.

The visibility is very good. We have managers who are overseeing it, and they are approving things through it.

The whole process is flexible and customizable. We are building the matrix, then we're putting in exceptions. We have to add manual exceptions into it, and they have to come to us first before they can get it approved, which is good.

We use this solution to automatically check if a change request will violate any security policy rules. Similar to what we are doing with Azure, where they request a change, and if it violates policies, it gets kicked back. Then, we have to review it and figure out what they're doing. We can then move forward with it, if it's approved.

• The Orchestration
• The way that users can access it directly.
• The change impact analysis capabilities of this solution are good.

• The hardest piece is getting the matrix built.
• Room for improvement includes how we are pulling the routing cables and getting SNMP enabled.
• Tufin could provide a train for running its reports and showing people how to use them.

The solution is very stable. We've upgraded several times and not had any issues. For stability, it's perfect.

We're in the process of scaling it. We started off small, and now, we're enlarging it to cover more of the enterprise. The scalability is good.

I haven't used technical support. My colleague has, and they are very good. They work through solutions.

The initial setup was pretty straightforward. It communicating with the firewalls and management server were the big pieces.

Well when we first started, it was through a reseller. Then, as we're bringing in SecureChange, we have been doing it all that ourselves.

The reseller was Structured Communications, who is in Portland. It was part of a package deal that we built with them. Our experience with them was good. We used them a lot.

We don't have to go through our firewall group, who actually does the rules. They don't have to create tickets to send to us, then take a couple of days to get all that stuff built and put in place. Now, it is usually the same day, or within a day.

This solution helped us to reduce the time it takes to make changes. We used to spend up to an hour to do a change, and now, it's around five minutes.

Engineers are spending less time on manual processes. They are now spending half their time on manually processes, 20 to 30 minutes, because we don't have to go out and touch things anymore.

We're still in the process of implementing things, so we haven't really seen a lot of return yet, but we're hoping.

It is a good solution, somewhat easy to implement, and gives you a lot of information. It takes time to learn all the little nuances of it.

I don't think we're using cloud native security quite yet.

We use SecureTrack for tracking unused rules, tracking risky rules for compliance, and policy optimization, which I think is the best because you get duplicate objects and you get covered rules. I would say that trying to tune your policy and get rid of unused rules is the most valuable for us.

At the moment, we have not really found any other side benefits, but we will be implementing SecureChange which will then allow us to track changes. The topology feature will show us what devices in the pack need to be touched. Depending on the complexity of the routing and knowledge of the environment by the engineers, policies could be missed that need the rules. That particular aspect is going to help us a lot.

I’d like to see the application topology developed more. You have a database layer, a web-front end and other applications that, along with the policy rules, have a path that they need to take and they need to traverse several devices. That gives you almost like a network topology of the applications and I believe that you're going to be able to use that for compliance also. I can’t think of any other configurations I’d like to see right now. Nothing's perfect.

With change restrictions, we can't remediate things immediately, but Tufin gives us the information we need to then submit a change, to go ahead and clean up the policy.

We have not come across any stability issues. We support the platform, we support all of our platforms and that's the one that we've had to do the least amount of support for, but I can't speak for the other engineers.

I don't know how many devices we have in there but there hasn't been a problem. We have several business units with multiple devices across each business unit. I don't believe that I've come across a problem getting a large amount of devices in.

Tufin’s technical support engineers seemed to be knowledgeable and very helpful.

I helped import devices for a specific business unit I was supporting at the time. I found it to be very intuitive and not hard to use at all.

If you're in a large environment, a large enterprise, it's a good tool. It does certainly help with the workload. For the app team who are trying to develop the applications, it makes them more accountable for how it's supposed to work.

Tufin provides insights through various reporting capabilities. It provides a level of insight into change that didn't exist before and gives us the ability to validate changes against business needs. It has also allowed us to automate certain functions. We are still very new at it, but we have been able to leverage some of the automation capabilities to begin to clean up our environment. We haven't gotten into the SecureApp module yet.

There are some report capabilities that we weren't aware of when we purchased the product. They're kind of in a hidden area. One of the reports is called the permissiveness report and it uses some type of algorithm to measure risk of rules, rule bases and firewalls. We're still exploring a lot of the reporting capabilities. There's a lot of depth to the product.

There are capabilities to measure risk and to report on non-compliance access and rules, and you want to clean that up naturally. Unfortunately, the automated cleanup only works for Cisco right now, and doesn't work for Check Point. We have been told that that's on the roadmap, hopefully for 2016, but automated rule cleanup and rule removal are probably the biggest deficiencies that we've encountered at this point.

In addition, the SecureTrack product is not as seamless as I would like it to be with SecureApp and SecureChange, but that's also on the roadmap to correct. If you are in Secure Track and you want to use SecureChange, you actually have to login to SecureChange.

We have only had the product for four or five months.

There have been no problems with stability.

We have about 22,000 rules and 120 devices that we're monitoring. We haven't had any scalability problems.

There's a little bit of a learning curve, particularly with the depth of the product, but it's not difficult.

I would rate it a nine out of ten, comparing it to other solutions in the market and the value that it’s provided to us already. I lowered the score because of the deficiencies I wrote about previously, but didn’t lower it that much because they are aware of it, they have addressed our questions, and they have it on the roadmap.

With the firewall policy management with Check Point, we found great value in the tracking, specifically given that we use rules and we use objects within those rules. It's very helpful to provide evidence of PCI (Payment Card Industry) compliance during our yearly PCI audits. PCI is a set of data security standards that's published by the card holders: VISA, MasterCard, Discover, and American Express.

We can provide evidence the nothing's getting into that environment that isn't already approved to go in.

We are in the process of automating our firewall rule management and requests, and we are looking into SecureChange and SecureApp. We're also trying to use it as a tool to collaborate with the application owners so that we can better manage documentation around data flows.

We're spinning up AWS for our development environment, so we're going to be leveraging the checkpoint instance at AWS. So we want to get visibility, monitor rules, and use the policy management just like we've done with our on-premise environment.

No issues at all.

Yes. Originally we had 360 rules, but because of the growth of our environment and our move, it's up to 1100 rules. There are no performance issues.

Great technical support. Tufin also has great sales and presales teams, and we’ve been able to leverage their engineering support as well. They have been very helpful.

We initially deployed the product to look at a couple of our gateways, and then we decided to upgrade and expand it to all of our gateways. So I was involved in that upgrade. We expanded our environment, expanded our gateways, and bought some additional licenses.

No. Even though we’ve expanded the use of it here, we've always used Tufin. I also used Tufin at a previous employer.

The most important criteria for me is hit count, how often the rules are being used and visibility. All of that is critical information to optimizing our policies.

I'm the manager of a team of six engineers. The feedback that I get from them – and they're very vocal – is that they love the product. It's great.

I'm a tough rater, and I probably wouldn’t give a 10 to anybody. But I would say Tufin is an 8. As far as software products go, it delivers.

I find that he most valuable feature is actually optimizing my real firewalls. It shows me any issues. I track the change and it will tell me when it is actually going to affect any other rules or any other applications. That is the biggest feature.

Then the reporting functionality that comes along with it - for one change, this change what, when, etc. This is the main function that I will always be using, as well as positioning of the rules on the rule base and to optimize the firewall for me. Those are the best features and that is what sold me initially.

The thing I like about it is that it's real time, that's the biggest benefit. It helps me with everything that I need to do. Every time we want to make a change we put it in the system and it tells us, OK all good, or it tells you, these, this and this you have to fix. Have a look at it, send it to the service, they have a look at it, mediate, put it through again, and if it is clean it will go.

It prevents human error. That is the biggest benefit for me as you can load in as much high availability as you wish. Human error is always the thing that is hardest to get rid of as well because now the change team don't question any rule base that we are putting in because of the checks Tufin does prior to the change, so we know the impact is not going to impact anybody else. What the biggest problem was whenever we would change a rule before there was always the question, what is the small thing doing. Now I can do production changes during production time. Due to this, we have a seen a positive impact for the company, and that is what they wanted.

Small reactive. It is sometimes stuck or kind of jumps, but no actually business impact, but from an IT perspective, whatever we want we are getting on the fly.

It's not actually user intensive, so it does not hamper our power in any way.

It is expensive. It cost me about a million, which is quite expensive for us, but the benefit is worth it.

I used to have FireMon, and we changed it  because of their features. The main feature that made us change was SecureChange, and like I said when you do changes now, assist with the change that you are going to make to see if there is impact to the other, so this is what gives us this feature, now you can assess and say, will it have a problem? That is why it helps with the changes.

I'd definitely say go with Tufin as it's a brilliant solution. What is brilliant is the firewalls themselves. I'd check out CheckPoint as well to make sure that the solution meets your needs and works with your plans. It doesn't matter what CheckPoint plans you use, Tufin works with them all.

The most valuable function of Tufin is that it provides compliance tests on security devices. It gives us a great idea of what is going wrong and what we have to do to improve. Then, when we try to apply the solution to our policies, it provides us help in doing so. It tells us where to put our policy on both the front and back ends, as well as in the configuration files.

The usability and speed of the solution needs improvement. In our experience, it seems a little bit slow.

We've had it in place for more than a year now.

We've had no issues with deployment.

The stability of Tufin has been quite good for us. I have no complains about stability.

Honestly, I don't have too many devices running with Tufin, so we don't really have a need to scale much. But I do think that it needs improvement in the area of scalability.

In our experience, customer service is OK, but the product really doesn't need too much help. It works by itself and is quite stable.

In regards to technical support, we work with our partner's company, so we don't communicate directly with Tufin.

We co-operate with our partner's company, so we do not communicate directly with Tufin support.

The initial setup was straightforward.

The implementation was so simple we did it ourselves without too much help from our partner company, so I can say that it was easy for us to adopt the solution.

Fro my perspective, it's a solution that covered all our needs, so it was an easy choice. It was a bargain at the price point.

For us, it works, so why can't it work for you?

The most valuable feature is that we can see what changes are happening on all our security devices at the very moment that they're done, so if any mistakes happen, then we can catch them very quickly before there is a big disaster and outage.

Mistakes like firewall policies where people put in wrong IPs instead of allowing permits and traffic stops. That is why it is very, very important.

On one of my earlier deployments, I was actually able to quickly diagnose about 100 VPNs that went down because one the administrators made a wrong encryption domain in the tech point, so we were able to catch it right away as the change happened. We were able to revert the changes very, very quickly, and it did not cause a long amount of downtime.

We are able to look at any objects that are not used, rule usage, which, for wide-open rules, we can put in tracking on those rules so we can turn down the rulebase, so those are the good benefits. The rulebase actually shows the same way for all the devices, so if you have checkpoint firewalls, or if you have five load balancers, you can actually have a similar view of all this, so you can understand it very easily.

The other good part is that whenever changes happen, we have to go through change control. We can put in our changer card numbers, and then those all come in the dashboard as the changes that were done on that particular change record, so then you can correlate the changes to a particular request which was approved.

New features would be when you look for any of the rules that are unused, then I would like to see whether there was a way to also make sure that the objects that exist are actually live or not. What I mean to say is, if you have a server that you had allowed in the rulebase, and you decommission the server, now the rulebase is there, which shows their logs, but I want to make sure that the server is actually decommissioned and not still alive. If there is a way that we can check for those objects, whether those objects still are alive in the network, that would be great.

I've been using the product since 2007, since its very early stages.

At one time, it had processed for a year. When I was in my previous company, I had installed one of the T500 boxes, and it had actually processed about 2.7 terabytes of logs, and we were able to trim down the biggest firewall. We now do about 11,000 rules, and they had never been cleaned for about five or six years, so by the end of the whole exercise, we trimmed down the rule base to less than 300 rules.

I've used about 200+ devices. That was all the environment was, so I definitely know, talking to other customers who have thousands of devices, so it scales very well.

Technical support is great. I've worked with several people within the company.

It was straightforward. I was able to get all my firewalls and a lot of the other networking devices in less than half a day.

I compared it to the usability and the easy way to actually add devices. We compared it to AlgoSec and FireMon. Both of them I did not feel were very intuitive to work with, so a lot of training would be required.

Just buy it. Don't even think about any other product. Just buy it.