Tufin Orchestration Suite Reviews

The last account I was working for had just implemented Tufin. It was good for retrieval and for policy remediation, as far as cleaning up policies and so on. When I got there, they had a lot of old policies. Everything was all over the place. Tufin was good for policy cleanup.

Once you install Tufin, it performs a query and it searches all active policies. Once it does that, it places all the policies that you know in priority order, as far as which policies are being most used and which ones aren’t being used. Then it gives you something like a survey of things that were being used or any things that weren't being used. You can decide whether you want to take out or if you have some machines which are totally dead. That was really the big benefit of using Tufin.

It took a long time just to try to gather the information. I would like Tufin to be faster.

For what we needed, it searched all of the information we wanted it to.

It was stable. We didn’t have any stability issues.

It was very scalable and very customizable for what we needed it for. We had about 4,500 users on our network, and then we had six firewalls. It came in handy with that.

Installation was a little bit complex, so we did get help. We had to have professional services from Tufin come and help us. They were great. Once they came, it was simple to setup. 

I’m giving the product a rating of seven mostly because of the initial setup. It took us a while because we couldn't figure it out. After about three weeks, we had to hire someone to come and set it up. Once that happened, then it flowed.

When we were deciding whether to implement Tufin, a lot of the other agencies were using it at the time. We went with Tufin because it was receiving favorable scores from the other agencies.

The only one I can compare it to is AlgoSec. AlgoSec has a few more features but a lot of similar agencies were going towards Tufin, so that's why we went with them.

Define exactly the specifics of what you need it for. If you need it for remediation of policies, then it's definitely the product to go to.

I permanently use it for their Automatic Policy Generator, and for object lookup.

We use Tufin for object lookup. We often get requests from the business. They give us an IP and they request something like, "We need to know what the rules are for this.", so they can add more similar rules. We go into the object lookup, give the IP that we're looking for, and then it generates a report, either Excel or PDF.

We have probably a hundred policies using Tufin.

I would like to see a little bit more of enhancement on their PCI-compliance piece. We reviewed a Skybox product. They seem to be doing a lot better than Tufin does on the PCI reports.

I think we're ready for an upgrade, it's getting kind of slow. They did tell us that you can break up the database in the actual server application into two separate units. That's supposed to make it a lot faster. I think we'll probably do that in the next upgrade.

We have seen some slowness, but I think it's because we're on some aging hardware. We're quite larger than a lot of people that probably use it too. It has been scalable for our size so far.

I actually hadn't really had the need to reach out to technical support. We're a pretty big customer of theirs, and they're always coming around. I usually deal with my technical issues when they do that.

I went through one upgrade, but they already had Tufin when I arrived.

We did a proof of concept to compare Skybox and Tufin.

It’s a pretty good product. The PCI compliance piece probably accounts for the rating of 8 as opposed to ten.

As far as comparing Tufin with another product, I would just look at some of Tufin’s features like the APG that is not used that often, but it's a really good feature. They do also have an extended tool section where you can kind of get a little bit more in depth.

Tufin is invaluable for helping us keep track of things, providing us a method for checks and balances. We're a Tufin SecureTrack customer at this point, and the product serves multiple purposes when tracking changes. We’ve also starting using it as a compliance tool, utilizing its capacity to help us analyze policies. Overall, SecureTrack is a very easy tool to use, and it’s relatively fast. We've recently virtualized it, and from a performance aspect, it works great.

I think we're on Version 15 right now – almost the latest one. Moving from the appliance to the virtual platform was really simple, and from a performance standpoint, it was pretty much seamless.

We are starting to use it more as a compliance tool as opposed to just for tracking changes and backups. Because it tracks changes, SecureTrack maintains a complete CVS (Concurrent Versions System of all of the configurations of a lot of our systems. Because we're a multi vendor environment, it's not just Check Point. We have licenses for all of the different firewall vendors’ products and things like that.

With SecureTrack, I think it does what it needs to do, so I can't recommend any changes, although I would like to see additional vendors added to it (and I’ve already discussed that with Tufin). They already support F5 BIG-IP, so we've discussed possibly adding Citrix. And, although they support A10 for the Tufin Orchestration Suite, I’d like to see support for SecureTrack as well. Because they already have those plug-ins on the Orchestration Suite side, it doesn't mean that they can't have it on the SecureTrack side as well.

I do think some of the licensing can be simplified or made more flexible. Because we are multi-vendor, it would be nice to have a way to convert licenses from one product to another. For example, I’m phasing out all of my Juniper firewalls, and I want to turn them into Cisco. It would be nice to be able to detach licenses and re-attach them to different types of devices.

I also think that at some point they're going to have more integration on the SecureTrack side for some of the other switching and routing platforms – not just Cisco. They already support some of the Juniper routers and switches, and SRX from the firewall standpoint. I am not sure of where they're going to go with Pulse Secure.

No, we never had any stability issues because it's a browser-based tool. We've never had any problems with accessing the tool, and its performance is great.

I think it's scalable for what we have today. If we were to move to Tufin Orchestration Suite, we would probably look at putting more distributive Tufin appliances out in different places because we are worldwide and have major data centers throughout the world. We would probably try to keep things localized.

Tufin’s support is actually very good. In the early years, there was a support guy who we would always end up getting, so he kind of knew us personally. He was great at helping us jump on things, running all sorts of different SQL commands and similar processes in order to fix whatever upgrade issues we had. Tufin support has always been great.

We relied on other logs and on open source tools. We used about five or six different tools for various functions, but we were able to consolidate by moving over to Tufin SecureTrack.

At the time, we did a bake-off between Tufin, AlgoSec, and FireMon. One of the main things was that Tufin was just simple. It was basically: rack it, stack, turn it on, IP it, start plugging things in, and it was ready to go. With some of the competitors we had to set up a Window server, buy a Windows license, expertise it, etc.

We're using Tufin OS, which is just Linux. For any customer who wants a solution that is quick to set up and just works, Tufin's the way to go.

I really, really like the solution and we’ve been really happy with Tufin. Even though our Tufin sales rep recently changed, they've always been engaged with us. They hit us up pretty often to find out if there's anything that we need, or if there's anything that they can do to improve or even expand the use of their product.

The most valuable feature is the ability it gives us to browse our entire infrastructure and easily find which rules match our policies. Tufin also helps us to clean up our firewall rules by suing the object browser throughout our entire infrastructure.

Tufin has allowed us to do much faster analysis. We don't have to analyze the entire rule set anymore because it tells us whether each specific rule matches policy or not.

I'd like to see more features implemented into Tufin to help us with automatic monitoring of our firewall environment.

It's quite stable. We've had no issues with instability at all.

We don't have firewalls all over the world, just a part of it. For the number of firewalls we have, Tufin works fine.

For the project I worked on, there were some things that didn't work quite well enough, so I got the impression that customer service had different expectations from technical service. I used it as an opportunity to tell customer service that we should work on the project and finish the concept before talking about pricing. But they thought we only needed the standard product, but for me it was clear that our evaluation showed we needed something more.

I was only involved in the POC, and I didn't have any big issues with it. So I didn't have a lot of contact with technical support.

When the decision for Tufin was made, I was not yet in the company. I've performed several upgrades since, and they all went well.

We also evaluated AlgoSec and FireMon, but we're staying with Tufin as it's our first choice. We only looking at other vendors because we found that during our evaluation of Tufin, there were some features that weren't implemented. We didn't make any progress on the other evaluations, however, because we didn't want to invest the money in them when we had the feeling that they weren't going to do what we expected.

Tufin SecureTrack has been great for us.

Our primary use case for this solution varies on the customer's needs. However, we primarily use it to augment the safe firewall and consolidate various firewall vendors.

The consolidation of other firewall vendors is very valuable because many customers have different firewalls and the management administration has to be done differently. However, with Tufin SecureCloud, you can do things together.

The reporting during the initial setup could be better by including more automation, and the pricing should be reviewed, as it is a little too high.

We have been using this solution for two years.

The solution is scalable.

We have had a decent experience with customer service and support. The response time has always been within 24 hours, so we usually get a response within several hours of logging a technical issue.

The initial setup was straightforward, and it took us approximately 24 hours.

The licensing costs are charged annually but are higher than similar products.

I rate this solution an eight out of ten. The solution is good, but the reporting available could be improved, and the pricing could be reviewed as it is costly. Nevertheless, I recommend this solution to any organization that wants to implement a firewall analyzer. Additionally, I would advise new product users to read sections in the recommended requirements and ensure it is properly communicated to the vendor they choose to work with.

The way we've set up our policies are pretty unique in what they do, so there's not a lot of compare between them. But, historic is really important. We look at them and we say what is and what isn't important. We run through the compliance and the best practices. We're just starting to look at real usage and integration. That way, we would be able to say, "Okay, if this hasn't been used in a long time, maybe it's time to get rid of it." And we would be able to do our own cleanup because the tool will then tell us the value on long-term usage so we can take more advantage of it in real time.

We perform a lot of compares that show what was and what is now in our rule sets. In case there are issues or when somebody says, "Hey, this was working but now it doesn't," or, "Oh, I'm pretty sure that was in there and you must have removed it," we can validate those changes and go back in the history, say yes or no and do compares. There's a lot of new features that we're hoping to utilize, learn more about, and take advantage of. It's a timing thing and it's also education. We've been a Tufin customer for a long time and really like the product. We need to grow as much as the product is growing. 

There's tons of stuff in the product. The issue is more about what I don't know about it than what I am using it for. They definitely have kept up with the product and kept it moving forward. It looks like a really great partnership with Check Point and a lot of vendors. We're a Check Point shop, so it works very well.

We’ve asked them how to shorten the length of the change reports for global rules. They're going to try to allow us to select whether the global rule is reporting, or they're going to tell us how to do it a different way. We just brought it to their attention, so we're going to bring it to engineering. We’d like the reporting to be something similar to the reporting that Check Point puts out. There's some functionality that is very simple. I'll call it human reporting, such as a shared secret for a VPN change. Tufin does a really great job providing technical reporting, but it is unreadable to the average person. You look at it and think, "Yeah, I don't know what that did." We're asking Tufin to look at it, go over it with us, and say, "Is there a better way?" Either we're doing it wrong or they can improve the product to make it a little more usable, or at least readable.

It's been a very strong, reliable product.

As long as we keep up with the revisions, it's been very scalable. We just did another upgrade because we considered it a little slow. We were running an old version. Once we upgraded, it's been rock-solid. It's always been there, it's always been good.

We've been with Tufin for a long time. They’ve been very responsive to us. There was some changeover, and we have a new sales team. They called up, we had a meeting, and then, boom, we said, “Okay, let's schedule our upgrades.” That happened within two weeks.

The sales team so far has been great. We mentioned to them we're not educated enough on the product, they've already started talking to us about how to fix that. They're very responsive to our needs. It's a time and place issue, like anything. Unfortunately, we have to make the time and effort just as much as they have. They want to know when we want it. So they've been great for us, we've been very pleased with Tufin as a company.

They've been great. We have a good relationship with them and the product does a lot of things that we want. When I get challenged or it doesn't do what I want, it very easily could be me. I may be using it in the wrong fashion. 

We learned how to use it by just going and figuring it out ourselves. The way I'm doing a lot of things might not be the way they were designed to be done. But, as far response times from the company and everything else like that, I've been really pleased.

We've had it for a very long time. We've just been upgrading it as long as I've been with the company. It was in place before I joined the company.

At the moment, we’re not thinking of switching to another vendor. I know there's a couple of other monitoring solutions, like FireMon, or a couple of other systems that people have looked at.

Try it. It's a great relationship, but it's also a great product to work with.

It allows us to use the compliance portion of it to do our compliance reports. It also allows us to do peer review on our changes when we do firewall pushes. Before we do our firewall pushes, we compare what changes we made during the staging process in the week. We go over them to make sure that nothing is going in that should not be going in. Also, we check each other's work to make sure nobody fat-fingered anything and gave somebody some crazy access to somewhere that shouldn't have been.

There should be a heck of a lot more benefits for us. The problem being we don't have the time or the training to do that. We just upgraded to 16.1. Now that we're on a supported version, we hope to get some training so that we can utilize the product a lot more than we currently are. It does exactly what we need it to do. I think with some tweaking and some more knowledge of the product, I think we'll get to where we need to be.

When we do our change reports, some of those reports come out at a thousand pages. We have to submit those to management. When they look at the report, they say, "Why is this report a thousand pages?" We found out that, when we do a global rule, it removes all the global rules and then re-adds all the global rules.

We're in a Provider-1 environment, we have four CMA's, we have 78 firewalls. That generates a huge report. Management looks at it and says, "This is useless. You should filter through x amount of pages to get to the meat."

From what we found out, they have an idea about how to fix it, but I don't think they really know what to fix.

We also have had challenges with the way it does certain functions. For example, the exceptions. I think a lot of it could be we're just not trained and don't have the knowledge of the system. And I think once we start getting in there and start using it more, that's when we’ll find little things that happen like the global policy injection and removal. Our biggest challenge now is we have new management. When we send them the reports, they're not really happy with the reporting structure of it.
Otherwise it does what we ask it to do. It's never been down, it's always reported everything that we needed to report. We never have challenges in that regards. But again, it's a lot of the reporting structure that is challenging for us right now.

We don't have a problem with it crashing at all. We've never had a problem with it crashing at all. It's always been functional.

I think it's been solid. It's always been there for us.

We have used support in the past. We use it mainly for compliance, for when we want something not to show up on a report.

They're constantly upgrading, they're constantly adding new things to it. That's a good sign. As the technology changes, they're on the forefront of it to get you those reports and use that technology in their new functionality. They just need to keep doing what they're doing.

What I like most is the end to end view which is quite important for supporting the design teams.

In the design team, everything is based on things that already exists and Tufin helps us make changes safely.

I'd like to say SDN needs to be improved. This is the key and where the revolution in technology is going. This is something you need to be aware of as the legacy devices are not compatible with the SDN devices.

As far as I know, it’s OK.

It's been able to scale for our needs. What we have is OK.

Great. I’m not in a direct relationship with them, so it’s indirect but it's OK I think.

We didn't look at any other solutions.

I think we’re not using it for all the devices we intend to use it for, but somewhere in the middle. It works, it's as simple as that because we noticed the difference after we got it working, and we immediately saw the advantages of having it.