it_user437136 - PeerSpot reviewer
Network System Architect / Technical Project Leader at a local government with 1,001-5,000 employees
Vendor
The multi-vendor support is the most important feature because our system has integrations of software and hardware from many vendors. I think that it needs to be in the cloud.

What is most valuable?

The multi-vendor support is very important for us. This is the most important feature because our system has integrations of software and hardware from many vendors. Tufin has also integrated well, supporting our system of multiple vendors.

How has it helped my organization?

Our company has a common policy that we need to ensure covers three different vendors we work with. Tufin helps us to manage this as it's where we've defined the common policy and also where we manage it.

What needs improvement?

I think that Tufin needs to be as-a-service, that is, in the cloud. The installation also needs to be easier. Additionally, with Tufin's business model, the licenses are quite expensive.

What was my experience with deployment of the solution?

It's hard to stay updated with the last version. That's really the main hurdle we have with our deployments of Tufin.

Buyer's Guide
Tufin Orchestration Suite
April 2024
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
771,170 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's quite stable, but you always need to do updates. Staying updated has prevented instabilities.

What do I think about the scalability of the solution?

We don't have this issue because we only have four firewalls. It has scaled for our needs.

How was the initial setup?

The initial setup was straightforward and pretty easy.

What about the implementation team?

We implemented it ourselves with our in-house team. It was easy.

What was our ROI?

Sometimes it's very difficult to get the ideal revenue out of this tool. It's expensive.

What's my experience with pricing, setup cost, and licensing?

The licensing is expensive. Maybe for a big company, the price and the licensing are not a problem. For a small or medium company, though, it could be an issue.

Which other solutions did I evaluate?

We also looked at AlgoSec and FireMon.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Network & Security Operations Manager at a retailer with 1,001-5,000 employees
Vendor
It's a complete product, and we find the SecureTrack and SecureChange features to be most valuable to us.

What is most valuable?

We use both modules, SecureTrack and SecureChange. With SecureTrack, we follow rules implementation and compliance; with SecureChange we manage the workflow of firewall openings.

How has it helped my organization?

Thanks to Tufin we're able to manage the life cycle of rules and to keep logs of each firewall modification. Policies are also optimized using the tool.

What needs improvement?

Check Point and Cisco products are well implemented and managed. For Fortinet firewalls some features are not yet available.

In networks where the WAN is managed by a third party, some features may be missing if you're not able to have information about routing, ACLs, etc.

For how long have I used the solution?

2 years.

What was my experience with deployment of the solution?

Product is quite complete. The hard work concerned building a topology in the product based on the reality of the network. Some workarounds we do in reality may be hard to model using the tool. Topology is mandatory for SecureChange to work.

What do I think about the stability of the solution?

Product is stable and we've had no problems concerning stability, even if we're not able to have a clear view of the capacity of this tool. There is no reporting on capacity. For instance, there is no alarm.

What do I think about the scalability of the solution?

No issue specifically, but for large networks several appliances are required to have a distributed architecture. Also, for SecureChange it's necessary to have a separate instance so the topology calculation has no impact on user interfaces.

How are customer service and technical support?

Customer Service:

Excellent. Even if we have more contact with the support team, customer service is always checking that everything is fine.

Technical Support:

Excellent. The support and the post-sales service are the best I have ever had. They're always available and listen to our concerns. Some required features have even been delivered a few weeks after the requirement.

Which solution did I use previously and why did I switch?

We used another solution some years ago, but we switched, first of all, for performance and stability issues. The old solution was not able to handle the number of rules we can manage in our network.

How was the initial setup?

The main setup subject will be to check what the first need you want to answer is. In our case we want to manage our life cycle of rules and we work on it. Start small and grow smoothly while you understand your network topology.

What about the implementation team?

Vendor was quite good. This is a tool with which the need to understand your network is mandatory. You must have an in-house team to fully operate this tool. This is also the easiest for support.

What was our ROI?

Our main ROI is to be more agile and flexible for rules lifecycle. We're able to answer faster with the same number of people.

What's my experience with pricing, setup cost, and licensing?

Pricing is correct. You've got one or several appliances and pricing is not too high. After that, licensing is per firewall managed by the tool, so you can grow smoothly.

Which other solutions did I evaluate?

We did an evaluation of the different solutions on the market, and it was our vendor that recommended the solution to us.

What other advice do I have?

I recommend this solution. In our case, it was the missing part to be able to provide a better service to our clients.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Real User
Improves visibility, saves time, and assists with compliance
Pros and Cons
  • "The filtering of lots of criteria is very valuable."
  • "I would like to see more configuration options on next-generation firewalls, defining possible standards for devices."

What is our primary use case?

We use this solution for recertifying connections, application-based automation, and compliance with regulations.

How has it helped my organization?

The workflows save time and speed up the authorization processes for applications. For network operators, it enhanced visibility. For application operators, it increased knowledge of dependencies and also provided them with impact awareness.

What is most valuable?

Before this solution, we used Excel sheets. This approach did not provide ways to filter the options for implementing changes. The filtering of lots of criteria is very valuable.

What needs improvement?

I would like to see more configuration options on next-generation firewalls, defining possible standards for devices.

For how long have I used the solution?

We have been using this solution for more than three years.

What do I think about the stability of the solution?

The tool is highly reliable.

What do I think about the scalability of the solution?

We have not run into limitations around scalability. Depending on the devices, it is better to have a sizing discussion with the sales engineer.

How are customer service and technical support?

In the beginning, we did not have a dedicated support handler and it caused some issues because the service requests were interrelated. When we later obtained a central contact in support, it improved the handling.

Which solution did I use previously and why did I switch?

Prior to this solution, we used Excel and firewall vendor consoles.

How was the initial setup?

The initial setup was fairly complex because of the agreement with the network provider.

What about the implementation team?

We implemented this solution in-house with the support of Tufin Professional Services.

What's my experience with pricing, setup cost, and licensing?

I suggest talking with Tufin about the flexibility of the pricing structure.

Which other solutions did I evaluate?

We did not perform our own evaluation. However, one of the daughter companies evaluated multiple products (Tufin, FireMon, and AlgoSec) and selected Tufin. We relied on their research.

What other advice do I have?

Implementing the tool is easy, but introducing the changes within the company can be challenging.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Network/Security Engineer at a leisure / travel company with 51-200 employees
Real User
Firewall automation saves us hours of time, but the platform stability needs work
Pros and Cons
  • "The change workflow process is flexible and customizable... If we have a firewall completed and we want to redo it, if we need to re-engineer a particular firewall and open a different destination, we can do that by creating a break-fix... That is one of its useful tools."
  • "When it comes to web services, in my experience, Tomcat has always gone down; after a certain amount of load it breaks down and we have to get things restored again."

What is our primary use case?

We are doing firewall automation through Tufin.

How has it helped my organization?

In terms of the change impact analysis capabilities of this solution, we get a lot of CNR queues and it has saved a lot of time when making changes. And the analysis tells us that we have made a particular change and it sends out a lot of alerts. We can analyze them and do some auditing stuff as well with Tufin.

We have a lot of teams that do stuff in Tufin, management teams, auditing staff, and a team for implementation. So the time it saves us across that whole scenario is hard to pin down, but it has saved us a lot of hours in implementing the CNR queues, approximately 20 to 30 hours a week. That's a big time savings.

The solution will automatically check if a change request will violate any security policy rules. We have an auditing staff using this feature within Tufin. If we have an open rule, it will send us an alert and we can see why this alert has been sent and take action on it.

Tufin helps us ensure that security policy is followed across our entire hybrid network. We can set up rules and policies for this and we can do a lot of auditing as a result.

What is most valuable?

The topology and the config backup that we see for devices are key features we get from Tufin.

The change workflow process is flexible and customizable. We went through a lot of difficulties while doing stuff, and it now provides a lot of flexibility while making changes. We can go back and implement the changes again and that is one of the things that is very flexible. If we have a firewall completed and we want to redo it, if we need to re-engineer a particular firewall and open a different destination, we can do that by creating a break-fix. A break-fix is one of the things that we can use to redo things on Tufin, itself. That is one of its useful tools.

Auditing is another good tool within Tufin. The automation stuff and searching of reports are good for auditing as well.

What needs improvement?

I have gone over compliance issues in Tufin, but compliance is one of the things which might not be that clear in Tufin. It just shows the configuration. That is one of the things they have to work on. It is one of the constraints, in my opinion.

The topology is good but they could work on it and get something better out of it.

If we talk about the complexity of getting more nodes over Tufin, Tomcat or web services become flat. This is one of the constraints that I have seen. The web services are not that stable. This has to be checked and taken care of.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

If you have a normal load in Tufin it works perfectly fine. But they need to work on the stability because if a certain amount of load is put in Tufin it just breaks down, from what I've seen lately. That has to be taken care of. The parameters for the platform also matter in that situation, but if they can work on the stability, that would be great.

What do I think about the scalability of the solution?

The scalability is fine but when it comes to web services, in my experience, Tomcat has always gone down; after a certain amount of load it breaks down and we have to get things restored again. The scalability is perfectly fine but, performance-wise, they have to work on the platform or the base of Tufin to make it more robust. In a bad situation, if a lot of guys are logging in, it breaks down.

How are customer service and technical support?

Although I am in India, we have U.S. support. I haven't had any interactions directly with tech support, but one of my counterparts in the U.S. talks to them and sorts things out for us. I haven't had any discussions with them where I can analyze their work.

It was challenging at the time because we wanted to implement a lot of things which Tufin doesn't have as default. There was a lot of customization required and it took a lot of time - one or two months - to sort that out.

Which solution did I use previously and why did I switch?

We did not have a previous solution. We were moving towards automation and we wanted something that would save time in doing firewall queues and creating firewall rules. We were looking for a good tool and Tufin was one of them. It is a multipurpose tool that gives us topologies, and auditing and alerting.

How was the initial setup?

I don't think we had any issues installing it. That was not a problem. It is not that difficult but it is not easy either. The setup was normal and I wouldn't complain about it.

Our deployment took about ten to 15 days to get things onboarded. There were many other guys who were also involved in it and I don't remember entirely, but I think that's how long it took to onboard things.

The number of people involved in the deployment depends on the infrastructure and what kind of services you are looking for. If you're looking at server management, that would require one or two guys. If you're looking at onboarding of devices, you would need another one or two guys. For the auditing stuff, again, another one or two guys could do it. So for each of these areas, one or a maximum of two guys could handle it. Once you are done with onboarding, managing it takes two guys.

Regarding our implementation strategy, our primary motive was to get firewall automation in place. With that in mind, we worked to bring in all the devices and all the firewalls. Then we started talking about getting the different packages over to it and working to get the firewall automation done. There were a lot of things we had to do - it took months - when we had to bring in new patches or requests.

What about the implementation team?

It was Tufin only and one or two guys within our team. There was no third party involved.

What was our ROI?

Firewall automation was one of the biggest concerns we had, and we have largely sorted that out with this tool. If we are saving hours, then we are saving money.

What's my experience with pricing, setup cost, and licensing?

I was involved with the pricing at the start. But then management took over that issue. In terms of affordability, this company is using it, so it seems they are fine with it. We just provide management with our requirements and it's their concern and responsibility to bring us what we need. Since we still have this solution, I think they are fine with it. But it's a management call.

What other advice do I have?

My advice would depend on what kind of implementation and what kind of environment you have. If you are looking for automation and auditing you should think about this solution. Talk to the technical guys at Tufin about how your environment works and ask them about what they can do. If you are looking for automation you should look at Tufin.

Regarding Tufin's cloud-native security features, I am only familiar with their on-prem stuff. I haven't seen any of the cloud features on Tufin yet. I would really like to know what it will bring us at the end of the day.

We have three or four teams using it on different platforms and for different use cases, like auditing and alerting. On my team there are 25 guys using it. I don't have any idea how many guys on other teams are using it. Our security area is managing and maintaining it.

As engineers, we are certainly using it daily. I just made a scheduled change today through Tufin. We are certainly using it but I can't say what our plans are for it in the future.

I would rate Tufin at seven out of ten. The things that come to mind with this rating are the implementation of firewalls, the alerting and security. We can set out the security rules. I deducted three points because of the platform. I don't think that it has a stable platform. If there are 20 people and 22 need it, it will not be able to support us in that scenario. So that is a weak point. Stability and robustness are the things I'm looking for.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user489222 - PeerSpot reviewer
Security Engineer at a retailer with 1,001-5,000 employees
Real User
We like the side-by-side policy revision comparisons and the ability to list all policies. I’d like to see it work with F5.

Valuable Features

It can compare policy revisions side by side to see when you've made a change, and what the change is. It also lists the detail of the objects and policies. In other words, it has the ability to list all the policies as well as having side by side revisions.

Improvements to My Organization

I think we knew we needed to invest in the solutions because of a replacement we had to do last year. We had no other way of gathering the information. It wasn’t replacing anything.

Room for Improvement

I would like to be able to see the changes made on the software blades that Check Point has, such as URL filtering and IPS.

I’d like to see it work with F5. It's supposed to work and it doesn't. The problems we have with the F5 are what bring the rating down, because that was a big part of the reason we purchased it. If they fix the F5 issue, I’d probably rate it an 8 or a 9.

Use of Solution

We have been using it for one year. When we first implemented Tufin, we were replacing firewalls that had been in place for so long, there was absolutely no way of migrating the policy over so we had to recreate it from scratch. We were able to use the information provided from Tufin to do that.

We’ve used the recording tools a little bit, but just for Check Points, not the F5s. They're helpful in a way. Sometimes it seems like they're giving you partial information, like it wants to give you some information that you've made a change to, but it's really hard to track down where that change actually was made. It’s more like configuration-level changes are difficult to read on the report.

Deployment Issues

We've had issues with using Tufin for the F5 load balancers. We can't get our information out of our F5s.

Customer Service and Technical Support

Using technical support was kind of cumbersome. They couldn't figure out what the problem was with the F5s. After they thought they found the problem, we set up another set of F5s. The problem that they thought was causing it, was no longer in place with the other set of F5s, but they didn't work either.

Initial Setup

I was involved in the initial setup a year ago. It was straightforward. It was pretty easy to set up.

Other Solutions Considered

We weren’t comparing it to anybody else.

Other Advice

Keep in mind that you're only going to get the network security layer of the Check Point showing up on the recording. You're not going to get all of the software blades that come along with it. One of the things my manager was disappointed to find was that we weren't able to gather that information.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user3396 - PeerSpot reviewer
it_user3396, Team Lead at Tata Consultancy Services
Top 5, Real User

Cool reviews & helpful

it_user479343 - PeerSpot reviewer
Senior Advisor Security Architect at a comms service provider with 10,001+ employees
Real User
Tufin Lets Us Clean Up the Rule Base Quickly and Remove Unused Rules.

Valuable Features

Tufin has helped us a lot. It lets us clean up the rule base in a short period of time and remove unused rules. Tufin provides you a report on rules for this that lets you delete objects that are obsolete and no longer needed in the rule base. If you don't use a tool like Tufin, this is done manually and may take days, because for every object, before you delete it, you have to make sure that it is not being used by someone else.

Improvements to My Organization

From a security point of view, Tufin can provide the posture of your environment, meaning whether your rule base is secure or not. It will analyze the file rule base, tell you if the service you enabled is secure, and give you some advice on how to deal with the situation.

Room for Improvement

I want Tufin to be used by my entire team, but due to a lack of training and lack of resources, we are not able to do that. I would like to see more training videos that can be distributed to my team in order to really take advantage of the product.

Use of Solution

We have been using it for about 3 years now.

Stability Issues

I find it very stable. We haven't had any big issues since we started using it. Issues we have had have mostly been related to new features being added that weren’t supported by the device. In those scenarios, we submit the case to Tufin and they tell us about the new release.

Scalability Issues

We are a big company and I can say that we are not using the product in its fullest capacity. We have a different type of policy because we are using different vendors and different technologies, and while we have some issues with the Juniper devices, it has absolutely been scalable.

Customer Service and Technical Support

Tech support has been fine. Right now I have an ongoing case and there is a delay, but it mostly comes from me because I took time to respond and they are telling me other ways that I know.

Other Solutions Considered

I implemented FireMon three years ago for a customer because the customer specifically requested it. I found it very hard to put in place. I wasn’t a part of the Tufin implementation, but in terms of the product itself, Tufin is easier to use.

Other Advice

I would give Tufin an 8 out of ten because some vendors own multi-contexts, and there are challenges supporting these devices. We are having issues with the Juniper device, for example.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user477891 - PeerSpot reviewer
IT Security Engineer at an energy/utilities company with 1,001-5,000 employees
Vendor
Gives you the ability to see what changes have been made and who made them, as well as pinpoint what has changed.

Valuable Features

Tufin gives you the ability to see what changes have been made and who made them, as well as pinpoint what has changed so if there is an issue you can easily review it. I also like that if there is a new request that's coming in, you have the ability to compare the request with what is already in the system so you don't have to go into the firewall rules to try to figure it out. You can just do a comparison between different policies.

Improvements to My Organization

We use reports a lot for cleaning up, which is part of our regulatory requirement. You need to review the policies for any old reports, used objects or used services. That's basically what draws the purchase of this product.

I also like the product’s ability to reduce security risks. Being able to do some of the compliance checks has been very good for us.

Room for Improvement

The ability to search could be improved, and it would be helpful to be able to display more than a hundred results on a search or share when you do the workflow with multiple people at the user level on your same team. If you have a team of three people each one should be able to see each other's request without having high-level access rights.

Also, the workflow is very rigid. It's not very easy to manipulate. The graphical interface needs to be a little more user-friendly. You need to be able to move objects around to make a nice display. Right now, if you select an object, it just sits there and everything goes sequentially. I want to be able to move objects around to make the interface more presentable in the way you would normally code something. That's a big concern, because we've gotten several complaints.

Use of Solution

We have used Tufin for at least seven years.

Stability Issues

We haven’t had any problems, except for some licensing issues a long time ago.

Scalability Issues

For what we do we haven't seen any performance issues so far.

Customer Service and Technical Support

Technical support has been good. We've had different engineers help us out and they've all been very helpful.

Other Solutions Considered

We compared Tufin to AlgoSec. At that time, we felt that what Tufin had in terms of their workflow and the option to transfer over our existing workflow was more flexible. It was a hard decision. One of the other reasons we picked Tufin up versus AlgoSec was the responsiveness of the people we were working with. They understood the company and our relationship, and we felt that it would be easier to have the ear of the company if we needed customization. They did the changes that we requested, which made life easier. We felt that if we were to go with AlgoSec, it would be a lot harder.

We closed the deal after they made a change to DNS lookup. Objects need to be created on our DNS system before they’re populated, and you didn’t have a way to validate your IP with a host name at that time.

Other Advice

If I had to rate it one to ten, I’d give it a nine, since there’s room for improvement, even though they’ve been doing a lot of improvements over the years. I would also say that if you buy the product make use of it. There are more features available than you always realize, so a lot of times you might try the harder way first because you are used to working that way. You might discover that your life can get a lot easier.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user437133 - PeerSpot reviewer
Network & Security Service Delivery Manager in Spain at a transportation company with 10,001+ employees
Real User
Depending on the kind of device, we can correlate information from both the device and from the client.

Valuable Features:

The most valuable feature for us is Tufin's versatility. Depending on the kind of device, we can correlate information from both the device and from the client. This is highly useful for us.

Improvements to My Organization:

Tufin's given us the ability to correlate between policy and firewall rules. We can even search for the correlations to determine violations and exceptions. Also, it's a solution where we can define our entire company's security policies.

Room for Improvement:

It needs better correlation so that it's easier to not have to look for information underneath all the data. So, even though the policy and firewalls are correlated, it's difficult to find them when we need to.

Deployment Issues:

We haven't had any issues with deployment. In fact, it was very easy to do.

Stability Issues:

We haven't had any issues with stability.

Scalability Issues:

We haven't had any issues with scalability.

Initial Setup:

The initial setup was not complex. It was fairly easy and straightforward.

Implementation Team:

We implemented it with our in-house team.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user