PeerSpot user
Security Architect at a wholesaler/distributor with 5,001-10,000 employees
Vendor
Identifies redundant rules that we're not aware of.

What is most valuable?

The ability for it to identify unused rules, and overlapping/redundant rules. If you had a more open rule at the top, but you put a more granular rule at the bottom, it would tell you that that granular rule wasn't needed because it was already covered by another rule. A lot of times you get multiple firewall admins who just go in and start adding stuff, and they're not always looking for what's already in place. It's redundant and they don't realize it. 

So somebody could have added a rule but they couldn't find it, so they just went ahead and added access, and in the end, Tufin will identify it and say - you have rules that you don't need. When you're dealing with very large policies (hundreds - thousands of rules) it's a big advantage. Such as if you're dealing with firewalls that host 2000+ rules.

I used to use the reporting. It was able to at a glance tell me every rule that that particular IP address was given access.

What needs improvement?

The ability to export the data outside of a PDF on some of the reports, I'm not sure that it can do that.

What do I think about the scalability of the solution?

It scaled for our needs.

What other advice do I have?

It fits in as part of the bigger picture. At the end of the day, I wish the firewall products themselves could do some of that stuff inherent to their own solution. 

Make sure you understand the capabilities and use it for what it's intended. It's not going to tell you the intent of rules, it's not going to tell you if it's a good rule or is it a bad rule, but it's going to help you with firewall clean-up or redundancy. It doesn't help a firewall admin create a better rule.


Disclosure: My company does not have a business relationship with this vendor other than being a customer.
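
The redundant-rule check the reviewer describes (a broad rule near the top making a narrower rule further down unnecessary) can be sketched as follows. This is an added example, not part of the review and not Tufin's code; the `Rule` fields, the first-match evaluation order and the sample policy are assumptions made for illustration. It goes slightly beyond the review by also flagging the case where the covering rule has the opposite action.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str                  # "tcp", "udp" or "any"
    ports: tuple = (0, 65535)   # inclusive destination port range


def _within(inner: str, outer: str) -> bool:
    """True if CIDR `inner` lies entirely inside CIDR `outer`."""
    a, b = ip_network(inner), ip_network(outer)
    return a.version == b.version and a.subnet_of(b)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` matches is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not (_within(inner.src, outer.src) and _within(inner.dst, outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def find_covered(policy):
    """Return (rule, covering_rule, kind) for rules that can never match.

    Assumes first-match evaluation, top to bottom. Only coverage by a single
    earlier rule is detected, not coverage by the union of several rules.
    """
    findings = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, rule):
                # Same action: the later rule adds nothing (redundant).
                # Different action: the later rule's intent is never applied.
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, earlier.name, kind))
                break
    return findings


# Constructed sample policy (not taken from any real firewall).
POLICY = [
    Rule("r1-web-any", "allow", "10.0.0.0/8", "192.168.10.0/24", "tcp", (443, 443)),
    Rule("r2-db", "allow", "10.1.0.0/16", "192.168.20.5/32", "tcp", (5432, 5432)),
    Rule("r3-web-host", "allow", "10.1.2.0/24", "192.168.10.15/32", "tcp", (443, 443)),
    Rule("r4-deny-web", "deny", "10.9.0.0/16", "192.168.10.0/24", "tcp", (443, 443)),
    Rule("r5-dns", "allow", "10.0.0.0/8", "192.168.30.53/32", "udp", (53, 53)),
]

if __name__ == "__main__":
    for name, by, kind in find_covered(POLICY):
        print(f"{name}: {kind}, already covered by {by}")
```

As the reviewer notes, a check like this says nothing about whether a rule is a good one; it only shows which rules an earlier rule already covers.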
it_user437154 - PeerSpot reviewer
Network Admin at a media company with 51-200 employees
Vendor
SecureChange is the most valuable feature as it shows the difference between policies and proxies that affect performance.

Valuable Features

SecureChange is the most valuable feature as it shows the difference between policies and proxies that affect performance, such as the router or switches.

Room for Improvement

The user interface could be improved. It's currently not very user friendly and is not very attractive.

Deployment Issues

We've had no issues deploying it.

Stability Issues

It is very stable. We've had no issues with instability.

Scalability Issues

We have 600 objects in it and it's able to work well for all of them.

Customer Service and Technical Support

Technical support was very good when I needed their help with significant upgrades.

Initial Setup

The initial setup was very easy and straightforward. It wasn't complex or difficult at all.

Implementation Team

We implemented it with a partner's assistance.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Tufin Orchestration Suite
May 2025
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.
it_user437172 - PeerSpot reviewer
IT Architect at a tech company with 10,001+ employees
MSP
You can search through policies of different firewalls with one step.

Valuable Features

You can search through policies of different firewalls with one step. That's one of the main features, because I have a lot of firewalls and do a lot of firewall installations.

Improvements to My Organization

It makes it easy to find a rule and to make sure that all the firewalls are working in just one step, so this saves us time.

Room for Improvement

Granularity in rule evaluation needs work, especially if you want to narrow it down to a specific device, a cluster or a specific rule set. To have it more combinable so I can say that I want this and this cluster, but only a specific subset.

Use of Solution

We've been using it since 2007.

Stability Issues

It scales with functionality.

Scalability Issues

We don't have outages with Tufin and stability has never been an issue.

Customer Service and Technical Support

They've been great as they're quick and responsive. We use both phone and email to contact them.

Initial Setup

It was straightforward.

Other Solutions Considered

I was invited to look at AlgoSec, but I did not have the time. I only know about it from white papers and so on. SecureChange is the differentiator. I think the part which competes is more SecureTrack, but SecureChange and SecureApp are what makes Tufin more special and they are what we require, which is not provided by AlgoSec.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user437166 - PeerSpot reviewer
Network Engineer with 1,001-5,000 employees
Real User
We now have rule based analysis, and we can move in, see unused rules, and try to optimize the rule base.

Valuable Features

We purchased Tufin for the rule based analysis, so that when we did a Check Point migration from the earlier versions everything was OK. We now have rule based analysis, and we can move in, see unused rules, and try to optimize the rule base.

Tufin enabled us to clean out the rule base pre-migration. There's no point in migrating old and unused rules and objects to a new solution, so we were trying to be a bit proactive. That's why we purchased this solution and we had someone from Interel come over and help us configure it.

Room for Improvement

SecureChange has been a bit of a challenge. It's been a long time coming, and I guess improvement is also needed in their relationship with the customer to get the initial functions of it working. It's more making the move towards SecureChange which possibly isn't down to them, it's probably down to our relationship with our reseller and nailing each other down. Maybe it's a non-issue. For what we use it for, it's been great.

Use of Solution

We've used it for between four and six years.

Stability Issues

After a while, we found that we'd not really given it enough TLC for a couple of years. Therefore, we ended up in the situation where we had to get the guys from Interel to fine tune the appliance memory wise because it was a little old. By the time we started using it to its full extent, you end up being able to fine tune it and eventually realize even that wasn't going to cut it and we ended up having to virtualize and it seems to be OK now.

Scalability Issues

We didn't have as much advanced management at that time. Over time, we've merged with other areas of our business and inherited many more advances, bobbles, with that, I think that's where we came across the problem that we wanted so many things active and realized that we did actually need to upscale the deployment.

We originally purchased it mainly for Check Point and then ended up purchasing Cisco ASA and Palo Alto licenses, so we ended up with more stuff than we originally purchased it for. Hence the need to upgrade for VMware and memory.

Customer Service and Technical Support

It has been good. When we've had an issue they've been very good. We were on the phone and I remember a conference with the support guys and they really went out of their way to help us out.

Initial Setup

It was fairly easy to deploy. We originally purchased the 500 series appliance, which was a mid-range appliance, and then we ended up eventually virtualizing that appliance and moving it to VMware, which is what we've now got. I don't remember ever having any major issues.

Other Solutions Considered

We did look at another solution, but don't ask me what it was called, I don't even remember. We did look at it at the same time, but it couldn't really do half of the things that Tufin did. I can't remember back that far, but I remember we looked at it and it was all really clunky. It didn't feel right, it didn't do half of the stuff that it was meant to be able to do and it was very slow as well. We pretty much put it out straight away.

Other Advice

It's done a good job. We've not fully utilized all of its features, we've hardly scratched the surface really, it's a powerful bit of tech and we've pretty much used it for a specific purpose that we purchased it for and realized it can be used a lot more, having said that we ended up purchasing second shares as well. We are now in the process of testing SecureChange because that was something that was really pushed through quite recently.

For us it works, it's a great solution, but that's not to say that there isn't a better one out there. Anyone that looks and researches, they probably look at different supplies of the same solution and make up their own minds really. It is the best tool for the job and technology moves on so, who knows.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user437163 - PeerSpot reviewer
Network, Telecom and Storage Manager at a financial services firm with 1,001-5,000 employees
Vendor
We were able to reduce the number of rules we had.

Valuable Features

The first one is the policy analyzer to help the network facility to remove objects and the server needs an object, an appliance object.

Improvements to My Organization

For the first one, we were able to reduce the number of rules, and the signaling one is about the compliance. We have many security rules to define the flows between the security zones, so we put all the rules under 13, and then we can generate reports.

Room for Improvement

It needs more compatibility with older firewalls.

Stability Issues

We have no issues.

Scalability Issues

We have 2000 employees, and it's been able to scale to meet our needs.

Customer Service and Technical Support

Very easy. We got the license, and we got all the roles and information from the firewall to generate reports.

Other Advice

Prior to implementing, you need to know the needs for each project. If you know the needs, you will probably meet expectations.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user466629 - PeerSpot reviewer
Manager, Information Security at Neustar
Real User
We are starting to use it more as a compliance tool as opposed to just for tracking changes and backups.

What is most valuable?

Tufin is invaluable for helping us keep track of things, providing us a method for checks and balances. We're a Tufin SecureTrack customer at this point, and the product serves multiple purposes when tracking changes. We’ve also started using it as a compliance tool, utilizing its capacity to help us analyze policies. Overall, SecureTrack is a very easy tool to use, and it’s relatively fast. We've recently virtualized it, and from a performance aspect, it works great.

I think we're on Version 15 right now – almost the latest one. Moving from the appliance to the virtual platform was really simple, and from a performance standpoint, it was pretty much seamless.

How has it helped my organization?

We are starting to use it more as a compliance tool as opposed to just for tracking changes and backups. Because it tracks changes, SecureTrack maintains a complete CVS (Concurrent Versions System) of all of the configurations of a lot of our systems. Because we're a multi-vendor environment, it's not just Check Point. We have licenses for all of the different firewall vendors’ products and things like that.

What needs improvement?

With SecureTrack, I think it does what it needs to do, so I can't recommend any changes, although I would like to see additional vendors added to it (and I’ve already discussed that with Tufin). They already support F5 BIG-IP, so we've discussed possibly adding Citrix. And, although they support A10 for the Tufin Orchestration Suite, I’d like to see support for SecureTrack as well. Because they already have those plug-ins on the Orchestration Suite side, it doesn't mean that they can't have it on the SecureTrack side as well.

I do think some of the licensing can be simplified or made more flexible. Because we are multi-vendor, it would be nice to have a way to convert licenses from one product to another. For example, I’m phasing out all of my Juniper firewalls, and I want to turn them into Cisco. It would be nice to be able to detach licenses and re-attach them to different types of devices.

I also think that at some point they're going to have more integration on the SecureTrack side for some of the other switching and routing platforms – not just Cisco. They already support some of the Juniper routers and switches, and SRX from the firewall standpoint. I am not sure of where they're going to go with Pulse Secure.

What do I think about the stability of the solution?

No, we never had any stability issues because it's a browser-based tool. We've never had any problems with accessing the tool, and its performance is great.

What do I think about the scalability of the solution?

I think it's scalable for what we have today. If we were to move to Tufin Orchestration Suite, we would probably look at putting more distributive Tufin appliances out in different places because we are worldwide and have major data centers throughout the world. We would probably try to keep things localized.

How are customer service and technical support?

Tufin’s support is actually very good. In the early years, there was a support guy who we would always end up getting, so he kind of knew us personally. He was great at helping us jump on things, running all sorts of different SQL commands and similar processes in order to fix whatever upgrade issues we had. Tufin support has always been great.

Which solution did I use previously and why did I switch?

We relied on other logs and on open source tools. We used about five or six different tools for various functions, but we were able to consolidate by moving over to Tufin SecureTrack.

Which other solutions did I evaluate?

At the time, we did a bake-off between Tufin, AlgoSec, and FireMon. One of the main things was that Tufin was just simple. It was basically: rack it, stack, turn it on, IP it, start plugging things in, and it was ready to go. With some of the competitors we had to set up a Windows server, buy a Windows license, expertise it, etc.

We're using Tufin OS, which is just Linux. For any customer who wants a solution that is quick to set up and just works, Tufin's the way to go.

What other advice do I have?

I really, really like the solution and we’ve been really happy with Tufin. Even though our Tufin sales rep recently changed, they've always been engaged with us. They hit us up pretty often to find out if there's anything that we need, or if there's anything that they can do to improve or even expand the use of their product.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user466632 - PeerSpot reviewer
Manager, Security Engineering and Operations at a retailer with 1,001-5,000 employees
Real User
We can provide evidence that nothing's getting into the environment that isn't already approved to go in.

Valuable Features

With the firewall policy management with Check Point, we found great value in the tracking, specifically given that we use rules and we use objects within those rules. It's very helpful to provide evidence of PCI (Payment Card Industry) compliance during our yearly PCI audits. PCI is a set of data security standards that's published by the card holders: VISA, MasterCard, Discover, and American Express.

We can provide evidence that nothing's getting into that environment that isn't already approved to go in.

Improvements to My Organization

We are in the process of automating our firewall rule management and requests, and we are looking into SecureChange and SecureApp. We're also trying to use it as a tool to collaborate with the application owners so that we can better manage documentation around data flows.

Room for Improvement

We're spinning up AWS for our development environment, so we're going to be leveraging the Check Point instance at AWS. So we want to get visibility, monitor rules, and use the policy management just like we've done with our on-premise environment.

Stability Issues

No issues at all.

Scalability Issues

Yes. Originally we had 360 rules, but because of the growth of our environment and our move, it's up to 1100 rules. There are no performance issues.

Customer Service and Technical Support

Great technical support. Tufin also has great sales and presales teams, and we’ve been able to leverage their engineering support as well. They have been very helpful.

Initial Setup

We initially deployed the product to look at a couple of our gateways, and then we decided to upgrade and expand it to all of our gateways. So I was involved in that upgrade. We expanded our environment, expanded our gateways, and bought some additional licenses.

Other Solutions Considered

No. Even though we’ve expanded the use of it here, we've always used Tufin. I also used Tufin at a previous employer.

Other Advice

The most important criteria for me is hit count, how often the rules are being used and visibility. All of that is critical information to optimizing our policies.

I'm the manager of a team of six engineers. The feedback that I get from them – and they're very vocal – is that they love the product. It's great.

I'm a tough rater, and I probably wouldn’t give a 10 to anybody. But I would say Tufin is an 8. As far as software products go, it delivers.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user437130 - PeerSpot reviewer
Head of I.T. Security at an insurance company with 1,001-5,000 employees
Vendor
Optimizing my firewalls and the reporting functionality are the main reasons I initially chose this solution.

What is most valuable?

I find that the most valuable feature is actually optimizing my real firewalls. It shows me any issues. I track the change and it will tell me when it is actually going to affect any other rules or any other applications. That is the biggest feature.

Then the reporting functionality that comes along with it - for one change, this change what, when, etc. This is the main function that I will always be using, as well as positioning of the rules on the rule base and to optimize the firewall for me. Those are the best features and that is what sold me initially.

The thing I like about it is that it's real time, that's the biggest benefit. It helps me with everything that I need to do. Every time we want to make a change we put it in the system and it tells us, OK all good, or it tells you, these, this and this you have to fix. Have a look at it, send it to the service, they have a look at it, mediate, put it through again, and if it is clean it will go.

How has it helped my organization?

It prevents human error. That is the biggest benefit for me as you can load in as much high availability as you wish. Human error is always the thing that is hardest to get rid of as well because now the change team don't question any rule base that we are putting in because of the checks Tufin does prior to the change, so we know the impact is not going to impact anybody else. What the biggest problem was whenever we would change a rule before there was always the question, what is the small thing doing. Now I can do production changes during production time. Due to this, we have seen a positive impact for the company, and that is what they wanted.

What do I think about the stability of the solution?

Small reactive. It is sometimes stuck or kind of jumps, but no actual business impact, but from an IT perspective, whatever we want we are getting on the fly.

What do I think about the scalability of the solution?

It's not actually user intensive, so it does not hamper our power in any way.

How are customer service and technical support?

It is expensive. It cost me about a million, which is quite expensive for us, but the benefit is worth it.

Which solution did I use previously and why did I switch?

I used to have FireMon, and we changed it because of their features. The main feature that made us change was SecureChange, and like I said when you do changes now, assist with the change that you are going to make to see if there is impact to the other, so this is what gives us this feature, now you can assess and say, will it have a problem? That is why it helps with the changes.

What other advice do I have?

I'd definitely say go with Tufin as it's a brilliant solution. What is brilliant is the firewalls themselves. I'd check out Check Point as well to make sure that the solution meets your needs and works with your plans. It doesn't matter what Check Point plans you use, Tufin works with them all.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.