it_user488088 - PeerSpot reviewer
Staff Specialist at a financial services firm with 10,001+ employees
Real User
It allows us to use the compliance portion of it to do our compliance reports.

What is most valuable?

It allows us to use the compliance portion of it to do our compliance reports. It also allows us to do peer review on our changes when we do firewall pushes. Before we do our firewall pushes, we compare what changes we made during the staging process in the week. We go over them to make sure that nothing is going in that should not be going in. Also, we check each other's work to make sure nobody fat-fingered anything and gave somebody some crazy access to somewhere that shouldn't have been.

How has it helped my organization?

There should be a heck of a lot more benefits for us. The problem being we don't have the time or the training to do that. We just upgraded to 16.1. Now that we're on a supported version, we hope to get some training so that we can utilize the product a lot more than we currently are. It does exactly what we need it to do. I think with some tweaking and some more knowledge of the product, I think we'll get to where we need to be.

What needs improvement?

When we do our change reports, some of those reports come out at a thousand pages. We have to submit those to management. When they look at the report, they say, "Why is this report a thousand pages?" We found out that, when we do a global rule, it removes all the global rules and then re-adds all the global rules.

We're in a Provider-1 environment, we have four CMAs, we have 78 firewalls. That generates a huge report. Management looks at it and says, "This is useless. You should filter through x amount of pages to get to the meat."

From what we found out, they have an idea about how to fix it, but I don't think they really know what to fix.

We also have had challenges with the way it does certain functions. For example, the exceptions. I think a lot of it could be we're just not trained and don't have the knowledge of the system. And I think once we start getting in there and start using it more, that's when we’ll find little things that happen like the global policy injection and removal. Our biggest challenge now is we have new management. When we send them the reports, they're not really happy with the reporting structure of it.
Otherwise it does what we ask it to do. It's never been down, it's always reported everything that we needed to report. We never have challenges in that regard. But again, it's a lot of the reporting structure that is challenging for us right now.

What do I think about the stability of the solution?

We don't have a problem with it crashing at all. We've never had a problem with it crashing at all. It's always been functional.

Buyer's Guide
Tufin Orchestration Suite
May 2025
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.

What do I think about the scalability of the solution?

I think it's been solid. It's always been there for us.

How are customer service and support?

We have used support in the past. We use it mainly for compliance, for when we want something not to show up on a report.

What other advice do I have?

They're constantly upgrading, they're constantly adding new things to it. That's a good sign. As the technology changes, they're on the forefront of it to get you those reports and use that technology in their new functionality. They just need to keep doing what they're doing.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user488085 - PeerSpot reviewer
Sr. Security Administrator at a consultancy with 1,001-5,000 employees
Consultant
Most of the valuable features have to do with the reporting and the cleanup of policy.

Valuable Features

A lot of the most valuable features have to do with the reporting and the cleanup of policy. With our day-to-day busy lives, we just want to get the change in and implement it, and that just increases rule base exponentially. From time to time you need to go back and find duplicate services, objects, rules, and cleanup. With a lot of the cleanup effort, I think the product helps out a lot.

Tracking changes is beneficial. We get alerted immediately who made the change, what change was made, and things like that. That's probably the most valuable.

Room for Improvement

It is important to keep up to date with the vendors you support. For example, Palo Alto, Check Point, Cisco, F5, and so on. They should make sure that Tufin supports the latest version of those products.

We upgraded to R80 two months ago, and our Tufin product hasn't been working. It's because there's no support for R80. We're hoping that Tufin supports R80 soon so we can start getting all the changes. If a vendor upgrades to a certain version, Tufin needs to provide support fairly quickly.

Also, our 20/20 vision is to be in the cloud wherever we can. Cloud first. If Tufin had any kind of management in the cloud, that's one less piece of hardware to manage in-house. Being in the cloud would definitely provide that extra missing feature.

Use of Solution

We've had it for about 3 or 4 years now.

Stability Issues

We have not had any stability issues at all. Upgrading has been simple, no issues at all.

Scalability Issues

It is scalable. We manage about 150 firewalls. There are no issues at all.

Customer Service and Technical Support

The support portal has been quick. I actually emailed them about R80 support, and they were really fast at letting me know that it's coming in mid-2016.

Other Solutions Considered

Along with a colleague of mine, I was involved in the decision to start using Tufin a few years ago. We compared it to AlgoSec and a couple other vendors. Tufin seemed to meet our requirements at the time. Before our renewal, we are looking to re-evaluate what all the vendors have to make sure we are getting the most out of the product.

Other Advice

It's a great product. It's pretty straightforward to use. It meets our needs and great support overall.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user483819 - PeerSpot reviewer
Security Manager at a financial services firm with 10,001+ employees
Real User
I like being able to use the historical data as well as compare what changed.

Valuable Features:

  • The comparison of what changed.
  • I also like being able to use the historical data - did this access exist on this date a week ago, two weeks ago, etc. Because I'll have a customer who's like, "Hey, our traffic isn't working anymore. It used to work, and now it doesn't. Why not?" I would go, and I'd check the policies, see what existed, if it did exist, and then I know that somebody removed it, and I can find out who. It's a great tool.

Improvements to My Organization:

We're currently using SecureTrack. We've deployed SecureChange, it's currently essentially at this point in a deaf status. But from SecureTrack, one of the most useful tools that I've had as well is the usage reports. Whether it's zero usage or if it's the higher use rules. Let's say I've got a rule at rule number four thousand that's just getting pegged like crazy. It's the number one hit rule. We're wondering why our firewall CPU is going crazy? It's spiking. So we go over to the report, see what rules are getting hit, and we see the bottom of our rule base is getting slammed. Now we know we need to move those rules up and optimize our policy.

Room for Improvement:

We're in talks with sales about them writing code to integrate with some of our different tools, so that's nice. I can't really think of any features that either don't exist or we haven't already requested.

We've asked for integration with the tool that does our baseline, that tells what traffic is and isn't allowed with our change control system. We've got the core routing and everything imported, so that was nice. A couple integrations there.


Stability Issues:

When we initially had it, it was on a single box, so it was pretty slow. A lot of people had access and they ran reports after reports after reports, and it got stepped on a lot. Once we upgraded, we got HA Pair, and then we've got distributed log folders now, and it runs super smooth. Maybe three years ago I experienced some bugs where it would kick me out of policy query. I would be building a query, and it would just kick me out, or it didn't save the changes, or it just forgot that I was doing something, but I haven't had that happen in maybe two and a half years.

Scalability Issues:

Well, we did, and then we upgraded the hardware. Not a big deal at that point.

Upgrading the hardware resolved the issues because the amount of logs that we generate is pretty insane. Having that one little box handle the entire enterprise full of logs was not very efficient.


Initial Setup:

I wasn't involved in the initial setup. I've been involved in the upgrades for the recent versions.

I was a secondary contact, so I was only helping, but it was extremely easy. I watched what he did, and it was a piece of cake. He's our Tufin guru on site, so we let him handle the majority of the implementation.

Other Solutions Considered:

Most important decision criteria: ease of use and the robustness of the tool. We checked FireMon, for instance, and they didn't have anywhere near the features we were looking at, and it was nowhere near as user friendly.

Other Advice:

Play with the tools. See what kind of reasons you think you'd need to use it. Why are you looking for this tool to begin with? See how easy it is to pick up for your team. They may not be familiar with a tool; let them play with it for a few minutes and see. Give them a task. How easy was it to get that task done?

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user483810 - PeerSpot reviewer
VP of Engineering at Netanium
Consultant
The key area is the automation that it allows in place of manual reviews.

Valuable Features:

The biggest thing is regarding the automation that it allows our customers to do at the end of the day so that they can go and scale their environment a lot more than they could in the past. I think that's really where it comes in. It's the process behind it which can be very painful and tedious. They help make it easier and it's pretty simple from that perspective. You can review compared to past policies.

It's a multi-stage process. When you first start using it, you can go based on rules and find a lot of things that you didn't know before automatically. Then over time, you can go and see points along time. See what's happened, what's changed and also make sure they're applying the appropriate policy.

Without Tufin it's a lot of manual reviews, and you'll miss things. Humans miss lots of things especially as rule bases get big.

Improvements to My Organization:

The integration with other parts of the system, so it's a lot about process. If you have ticketing systems, other things that you're using can be helpful. For the really leading edge customers, they're able to integrate it with their other processes to the end users. The end users can be the ones requesting, saying, "I have this application and I need it to work this way." Take the technical out of it and make it a lot more business oriented so that's pretty powerful.

Room for Improvement:

It's still challenging in some cases to get it integrated with other systems. Anything that Tufin or any company can do over time to make that easier and easier is going to make it easier for the end customer. A lot of times with implementations, companies don't get using it we've seen. A lot of times, we'll go in and help them which is good. In the early stages, like any product sometimes it can be hard to start using it. Ways to make it super easy for somebody coming into the game could be useful. Then from our perspective, we've seen so many services go and come. So many applications go service based (software as a service) so they certainly have an opportunity there too to do some things.

I'd rate it an 8.

Scalability Issues:

We've been working with it for a long time and it's been good from that perspective. Again, we have a lot of customers. It's been really scalable. We've had some customers that are on a hundred gateways on it.

Initial Setup:

It's straightforward to set up but like anything, there can sometimes be an initial gap with usage. Get it set up, get it running and then it's the habit. Forming that habit for companies, like anything new, can be hard.

Other Solutions Considered:

The space is pretty targeted. AlgoSec and FireMon are certainly their direct competitors. Those are really the big three in the space.

Other Advice:

Criteria when selecting a vendor - I think it's looking at your current processes and where you'd like to be is really what it comes down to. If you're frustrated with the ways things are working, think about the way you'd like it to be and then see what product fits into that mindset for you.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
it_user483795 - PeerSpot reviewer
Senior Security Network Engineer at a financial services firm with 10,001+ employees
Real User
It's able to give us reports that tell us which rules in our policies are not needed.

What is most valuable?

There are a few things. One is that from the portal people are able to request access. It is going to be able to stage the policy, add the rules or objects or whatever is needed for us so that all we need to do is push the policy at the time. It almost doesn't need a human being to be involved in the rule staging of provision process.

How has it helped my organization?

We've been using Check Point for 10+ years and some of the rules were converted from other systems, mainly from Cisco devices. The conversion process or the migration process is not the cleanest. We end up with rules that we call over-saddling. Rules which are really not needed.

We're talking about a ton of rules. We have policies that have 3,000 rules. It's able to give us reports that tell us these 10 rules or 100 rules in our policies are not needed. Either we need to fix the rule which was a bad rule or we do not need another rule.

What needs improvement?

One thing it's not currently able to do is remove rules. For instance, one of the biggest things is that we have a server that we call decommissioned. That means they no longer need it. Either the application is end of life or they bought a new server and they took on new IPs. But we still have rules that allow the IP, so there's a hole there. Right now you cannot say, "Hey, Tufin, this IP is obsolete. Please remove all the rules that allow this IP."

Another good thing is that Tufin has a good portal. 

Which solution did I use previously and why did I switch?

We were using Skybox. Tufin has that fun end to the user which Skybox doesn't.

What other advice do I have?

I would recommend it.

With a tool like this, spend a few dollars to bring in their professional services to help out. Tufin is not going to be for a really small company. One of the important things is that you need to get your network team on-board.


Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user483792 - PeerSpot reviewer
Director, Enterprise IT Security and Compliance at a transportation company with 1,001-5,000 employees
Real User
Easy to log in, to navigate, to produce reports and to create workflows.

Valuable Features

The most valuable features are the ease of use and the portal. It is very easy to log in, to navigate, to produce reports and to create workflows. Creating workflows is actually one of the best features that I've seen in the product.

It also gives tremendous insight in that we now know exactly where the rules are, who they belong to, if they are being used, and if we need to follow up on a yearly basis to find out if they still need access or if we removed the access because the server went down for whatever reason. Seeing that these rules are actively used helps us a lot. Before Tufin, we knew that we had issues with regards to how many firewalls we had in place. We had rules that were outdated and never being used. We started bringing visibility to that, and that's when we decided that we needed assistance on how to audit the firewall rules.

Improvements to My Organization

Not only is it secure to use, but also we put it out to our customers for them to submit firewall requests. We train them on how to fill out a firewall request, which then goes to us for review. There's a lot of work in detailing what changes are necessary for our firewall, but that's more of the technical side. The user side just needs to understand how they submit the request appropriately, and it took Tufin to do that.

One of the reasons we got Tufin was that pre-Tufin, our firewall had more than 1,200 rules. It was very difficult for us to understand when a rule was last used and if it still existed. With Tufin, we're able to manage and say, "Okay this rule was requested, we know who is the author, and we know who it belongs to and to what application." Understanding and visibly seeing what we can do with the firewall rules and how to audit them helps us manage it better.

Room for Improvement

I would like to see the workflow process expand out to give us the ability to tie it to other APIs. I would also like it to log some of the requests that we have and have better dashboard metrics.

Use of Solution

Tufin SecureChange, Tufin SecureTrack - we’ve used it for almost a year and a half.

Stability Issues

There have been no stability issues whatsoever. It’s rock solid.

Scalability Issues

With regards to scalability, we are not only using this product for firewall rule management, but also for other manual workflows that we used to have but are now incorporated into Tufin to allow us to automate and actually have visibility into these manual processes. It’s now online instead of being paper copy. We haven’t had an issue with scalability and it’s been able to keep up with this transition.

Customer Service and Technical Support

Because of the training, we had fewer calls to technical support since we know how to manage the product. The tech support we have used went well.

Other Solutions Considered

A co-worker recently came to me and asked, "What do you think about Tufin and AlgoSec in comparison?" I told him that Tufin's customization options out of the box, the value that you get from the training, and the improvements to our organization made it a no-brainer.

Other Advice

I would rate it a nine out of ten, since there's room for improvements, as always.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user483786 - PeerSpot reviewer
Network Security Engineer at a transportation company with 1,001-5,000 employees
Real User
We Chose Tufin for its Ease of Use, Customization, and Workflow.

Valuable Features

The most valuable feature is the ease of use. Creating workflows for users is very easy. It's also pretty straightforward to look at audits and compare policies.

Improvements to My Organization

Before Tufin, we had a very antiquated way of doing firewall requests. It was a terrible workflow system. Workflow was one of the main reasons we looked at Tufin, since it is really easy for users.

Room for Improvement

I would like to see more customization with the emails that go out, the UI, the things that I look at, and the things that I see when I log in. We mostly use SecureChange, and when I look at my tasks, I would like to have more customization to maybe add a column, for example.

Use of Solution

We deployed it well over a year ago - Tufin SecureChange and Tufin SecureTrack.

Stability Issues

There have been no stability issues whatsoever. It’s rock solid.

Scalability Issues

Right now, with what we're using it for, it has been scalable. We haven't had an issue with scalability at all. It's been able to keep up.

Customer Service and Technical Support

We had to work with technical support to get the certificate set up and get SSL initially configured. It went well.

Initial Setup

Putting it together and getting it up and running was a breeze.

Other Solutions Considered

The top two we looked at were AlgoSec and Tufin. We felt that Tufin was the leader in the space and we chose it because it was easy to use, very customizable, and it gave us every one of the requirements that we were looking for.

Other Advice

I would give it a nine out of ten. It’s been a great product so far. I'd just like some more customization.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user479352 - PeerSpot reviewer
Network Consultant at a healthcare company with 1,001-5,000 employees
Real User
There's a Lot of Depth to the Product, From Automation to Reporting Capabilities.

Valuable Features:

Tufin provides insights through various reporting capabilities. It provides a level of insight into change that didn't exist before and gives us the ability to validate changes against business needs. It has also allowed us to automate certain functions. We are still very new at it, but we have been able to leverage some of the automation capabilities to begin to clean up our environment. We haven't gotten into the SecureApp module yet.

There are some report capabilities that we weren't aware of when we purchased the product. They're kind of in a hidden area. One of the reports is called the permissiveness report and it uses some type of algorithm to measure risk of rules, rule bases and firewalls. We're still exploring a lot of the reporting capabilities. There's a lot of depth to the product.

Room for Improvement:

There are capabilities to measure risk and to report on non-compliance access and rules, and you want to clean that up naturally. Unfortunately, the automated cleanup only works for Cisco right now, and doesn't work for Check Point. We have been told that that's on the roadmap, hopefully for 2016, but automated rule cleanup and rule removal are probably the biggest deficiencies that we've encountered at this point.

In addition, the SecureTrack product is not as seamless as I would like it to be with SecureApp and SecureChange, but that's also on the roadmap to correct. If you are in SecureTrack and you want to use SecureChange, you actually have to log in to SecureChange.

Use of Solution:

We have only had the product for four or five months.

Stability Issues:

There have been no problems with stability.

Scalability Issues:

We have about 22,000 rules and 120 devices that we're monitoring. We haven't had any scalability problems.

Initial Setup:

There's a little bit of a learning curve, particularly with the depth of the product, but it's not difficult.

Other Advice:

I would rate it a nine out of ten, comparing it to other solutions in the market and the value that it’s provided to us already. I lowered the score because of the deficiencies I wrote about previously, but didn’t lower it that much because they are aware of it, they have addressed our questions, and they have it on the roadmap.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user