Tufin Orchestration Suite Reviews

We use SecureTrack for tracking unused rules, tracking risky rules for compliance, and policy optimization, which I think is the best because you get duplicate objects and you get covered rules. I would say that trying to tune your policy and get rid of unused rules is the most valuable for us.

At the moment, we have not really found any other side benefits, but we will be implementing SecureChange which will then allow us to track changes. The topology feature will show us what devices in the pack need to be touched. Depending on the complexity of the routing and knowledge of the environment by the engineers, policies could be missed that need the rules. That particular aspect is going to help us a lot.

I’d like to see the application topology developed more. You have a database layer, a web-front end and other applications that, along with the policy rules, have a path that they need to take and they need to traverse several devices. That gives you almost like a network topology of the applications and I believe that you're going to be able to use that for compliance also. I can’t think of any other configurations I’d like to see right now. Nothing's perfect.

With change restrictions, we can't remediate things immediately, but Tufin gives us the information we need to then submit a change, to go ahead and clean up the policy.

We have not come across any stability issues. We support the platform, we support all of our platforms and that's the one that we've had to do the least amount of support for, but I can't speak for the other engineers.

I don't know how many devices we have in there but there hasn't been a problem. We have several business units with multiple devices across each business unit. I don't believe that I've come across a problem getting a large amount of devices in.

Tufin’s technical support engineers seemed to be knowledgeable and very helpful.

I helped import devices for a specific business unit I was supporting at the time. I found it to be very intuitive and not hard to use at all.

If you're in a large environment, a large enterprise, it's a good tool. It does certainly help with the workload. For the app team who are trying to develop the applications, it makes them more accountable for how it's supposed to work.

• The ability to compare the old policy and the new policies is real handy.
• The topology view is really good. 
• You can kind of see where the flows are coming and how they're working.

I come more from the WAN space as opposed to the security space, so I would obviously like to see Tufin integrate with Cisco routers. There's room for more integrations with other products.

I'm just kind of getting into it, so I don't think I have the full breadth of the product personally, but it is pretty usable.

It's been stable in our environment.

We haven't had any trouble scaling it. We have about 100 policies.
There haven’t been any issues with speed, as far as I can tell.

The governance feature is handy in the process flow. Tufin is easy for an average user to be able to put in their request and have it automatically assigned to other firewalls.

We are able to review changes from the previous day to be able to compare if there's a change that goes in from one day to the next, if there's an issue, we can see what change has occurred. You can see that through the reporting. It's quick to go and pull up what changed between the two days. It works great for the users to be able to put it in. And then troubleshooting afterward if something happened to find out what had changed.

It has come a long way. Compared to where we were, it's significantly better. We were using an internal process that was intensive. This is clearly better.

From my limited use of it directly as a user, I don't think it's efficiently comparing. We were looking for a 2 of 3 match that haven’t used the same rule, and it's not working as well. It's adding additional rules into our policy at times. It could be more effective than that. I’d like it to add fewer rules but still keep the same security posture.

We’ve also had issues with speed, and it needs to be a bit more reliable. It's definitely slows up. Sometimes, just when I log in, it didn't connect me to the system or we've had to do some emergency patches on it and it would take 10 or 15 minutes to get logged in. That was kind of weird and that's happened a couple times. I think it is user-friendly, outside of the things our own internal people have added and made it a little confusing.

I think the app could be a little bit improved in the way that it selects objects.

From my user perspective, I think patching is an issue. I haven't done it, but I know they had to. It got slow, and there were issues getting connected in to it. Everything was running slow a few different times. We’ve had to contact support. There's been times we've lost a day and a half of usage.

I have not had to use technical support.

I was not part of the implementation.

It works well. It’s something you would send a colleague to use. It gives a nice process flow as far as the end user putting something in, having governance check, and being able to have multiple work screens because we have different areas of the company and different processes. They have to have different work flows. We use multiple work flows. That's handy. You can build those in, you select from the beginning and then you're off and running.

The last account I was working for had just implemented Tufin. It was good for retrieval and for policy remediation, as far as cleaning up policies and so on. When I got there, they had a lot of old policies. Everything was all over the place. Tufin was good for policy cleanup.

Once you install Tufin, it performs a query and it searches all active policies. Once it does that, it places all the policies that you know in priority order, as far as which policies are being most used and which ones aren’t being used. Then it gives you something like a survey of things that were being used or any things that weren't being used. You can decide whether you want to take out or if you have some machines which are totally dead. That was really the big benefit of using Tufin.

It took a long time just to try to gather the information. I would like Tufin to be faster.

For what we needed, it searched all of the information we wanted it to.

It was stable. We didn’t have any stability issues.

It was very scalable and very customizable for what we needed it for. We had about 4,500 users on our network, and then we had six firewalls. It came in handy with that.

Installation was a little bit complex, so we did get help. We had to have professional services from Tufin come and help us. They were great. Once they came, it was simple to setup. 

I’m giving the product a rating of seven mostly because of the initial setup. It took us a while because we couldn't figure it out. After about three weeks, we had to hire someone to come and set it up. Once that happened, then it flowed.

When we were deciding whether to implement Tufin, a lot of the other agencies were using it at the time. We went with Tufin because it was receiving favorable scores from the other agencies.

The only one I can compare it to is AlgoSec. AlgoSec has a few more features but a lot of similar agencies were going towards Tufin, so that's why we went with them.

Define exactly the specifics of what you need it for. If you need it for remediation of policies, then it's definitely the product to go to.

I permanently use it for their Automatic Policy Generator, and for object lookup.

We use Tufin for object lookup. We often get requests from the business. They give us an IP and they request something like, "We need to know what the rules are for this.", so they can add more similar rules. We go into the object lookup, give the IP that we're looking for, and then it generates a report, either Excel or PDF.

We have probably a hundred policies using Tufin.

I would like to see a little bit more of enhancement on their PCI-compliance piece. We reviewed a Skybox product. They seem to be doing a lot better than Tufin does on the PCI reports.

I think we're ready for an upgrade, it's getting kind of slow. They did tell us that you can break up the database in the actual server application into two separate units. That's supposed to make it a lot faster. I think we'll probably do that in the next upgrade.

We have seen some slowness, but I think it's because we're on some aging hardware. We're quite larger than a lot of people that probably use it too. It has been scalable for our size so far.

I actually hadn't really had the need to reach out to technical support. We're a pretty big customer of theirs, and they're always coming around. I usually deal with my technical issues when they do that.

I went through one upgrade, but they already had Tufin when I arrived.

We did a proof of concept to compare Skybox and Tufin.

It’s a pretty good product. The PCI compliance piece probably accounts for the rating of 8 as opposed to ten.

As far as comparing Tufin with another product, I would just look at some of Tufin’s features like the APG that is not used that often, but it's a really good feature. They do also have an extended tool section where you can kind of get a little bit more in depth.

The most valuable feature that I've found is rule optimization. If the rule has massive hits and if I want to remove that rule, I can put that rule into the SecureTrack change. After a few weeks, it will tell me that these are all the IP addresses that it is hitting, and this is all the traffic that it is hitting. It provides all sorts of other information too. That's one of the features that I like in Tufin.

Having total compliance is a benefit. When our compliance department tells that there is a rule that says IP such-and-such, and that we have to remove that rule, it’s never easy for us to directly remove a rule until and unless we have some traffic analysis and so on.

Another benefit is the complete set of all rules. If I have to find a particular object, Tufin provides a search feature. That's one of the good features in Tufin. If you have more than 100 or 200 firewalls and 100 or 200 policies, and each and every policy has a humungous amount of rule numbers, it can give you detailed reports, as well as the search feature.

I would like to see improvements in historic views of rules - stating that this rule hasn't been used for the past one year, that this rule hasn't had much hits, these are all of the shadowed rules and these are all of the unshadowed rules - so we can narrow down the rule base. That's probably one of the aspects that I would like. If Tufin can help me out with that, that would be nice too.

It needs improvement with rule optimization and compliance.

Tufin product is good, but it requires a lot of CPU overhead. It might be because of the rule base we have. It might be due to other factors, but it's kind of slow for us. I would like to see an improvement in speed, as well.

It's been stable. No complaints yet, except for the upgrade. The upgrade takes a little long, but that's fine. I believe that’s because of the vastness of our environment.

We probably have more than 2,000 rules for each and every policy. It depends, 1,000 rules, 2,000 rules, somewhere in between. We have a pretty massive rule base, and it's giving good reports.

Involvement with the technical support team went well. They are cooperative.

We also use AlgoSec for analysis.

It all depends upon the environment that you’re using. Compare it to other vendors, like FireMon and AlgoSec, and then you can rate the products and decide what to use and what not to use.

What I’ve found very useful in a short period of time is the visibility it provides. It looks at the tools that don't meet our compliance requirements. We’re part of a program where we’re going back and remediating a lot of the rules that are falling out on compliance. Having a central location for that is very nice.

It provides pretty decent visibility to the rule set that we have. Right now, we're looking to better utilize the zoning. When we start utilizing the zoning better, I think it will be a lot more useful tool. 

A major thing that it sounds like it's still going to be lacking, is the ability to create and push NATs. Our network is very large and very complex, we use NATing internally quite a bit. That's a fairly large pain point for our firewall admins. We can use SecureTrack and SecureChange to create and manage rules, firewall rules, but it doesn't have the ability to manage NATs, which we find, is key for management.

Some of the pain points like NATing and the interface brings my rating for the product down to a seven. The interface is workable, but it could be a little bit more intuitive. I would rate the function of the product a ten.

I'm very new to the Tufin products. I'm new to HCA and this is the first time I had professional experience with it. 

Dive in.

The Automatic Policy Generator is a valuable feature, because I've been converting from ASAs to Check Point. I used Tufin to analyze all the rule bases to get rid of what I don't need, and create less permissive rules.

I had only 300 rules, but I've been able to consolidate it down to 67. There was a lot of duplication, and they're all interface based.

I like the diff where I can actually compare configs: who changed it, when they changed it, the last time it was saved, what changes were made. I can also do that in SolarWinds, but Tufin just makes it a little easier for me. Some of the tools’ features that they have, they're a little bit more mature in the later versions. The version that I have uses the spider-like view, with just the branches everywhere. It actually shows the network connectivity and the traffic. The routes, basically. I actually like that, but what I don't like about it is that, on the ASAs, it didn't take into account the weighted security code: 100, 50, 90 and so on. On the ASAs, according to that security code, you can talk to less secure networks without actually hitting a firewall policy. But if you want to talk to more secure networks, you actually have to go through the policy. The policy is basically the ACLs are interface based.

I'm really interested in seeing the real risk value. Firewall policy management was great, but it's not something that's critical for me because I'm a smaller organization. I don't have 500 or 1000 rules. I'm more interested in just being able to show risk.

I've kind of lost a little bit of interest in it, to be honest. There's some other tools that are doing a little bit better. I like AlgoSec and I also like Skybox. I’d like to be able to incorporate my policy data into it and actually be able to see a risk score from end to end. Tufin was not doing that at the time that I purchased it. A true risk score allows you to see the impact of a sev 1 versus a sev 5. Most organizations do sev 4 and 5 patching. They hardly ever go back and do a sev 1 and 2. You can actually take that data, analyze it, put it into your infrastructure, consolidate it and look at your total risk score for a vulnerability. Tufin might be offering that now, but it's modularized and I don't have the budget for it at the moment. I already spent a half-million dollars, so it's a little out of my budget at this point.

I did like the SecureChange feature, and they were one of the first to actually offer that. It allows people to log into a webpage, and if they needed a firewall rule, they would actually submit the request through Tufin. Tufin would then compare it to the compliance policy that you manually build into Tufin. If it violated the policy, it would deny the request for you. It would allow you to make an exception for it because of x, whatever that reason may be.

All the competitors have their niches. Not one of them does anything perfectly. If you're comparing these type of management products, you want to look at what you're really going to use it for.