Tufin Orchestration Suite Reviews

We use the SecureTrack component for several things including the maintenance of firewall rules. Examples of this are identifying rules that are no longer in use and identifying shadowed rules that can be consolidated. We also use this solution to look for violation policies, as well as unused rules.

We use this solution in AWS and in our on-prem firewall.

The number one benefit this solution provides is time savings. Both I and another engineer save hours upon hours of work spent creating reports, which Tufin now does for us. This is reclaimed time now well spent on other things.

Tufin has done a very good job in improving upon the USP policy for violations.

Our engineers save quite a bit of time that was previously spent on manual processes.

The most valuable feature is the ability to gather all of the firewall information without having to do it manually. It makes it much easier and saves time.

We use Tufin to clean up our firewall policies. By doing so, we don’t have a bloated firewall policy that can, in the end, cost more in terms of processor overhead.

The GUI needs more visibility in terms of licensing because it is hard to tell which products and licensed and which are not.

The USP can be improved, as far as I can tell.

I would like to see better integration and compatibility with the Azure cloud. We are not using Azure today, but I've asked questions about it and there are limitations.

This solution is solid, as far as I can tell.

We haven't pushed this product to the point where we have to scale out.

I haven't had the opportunity to use technical support.

The driving force behind implementing this solution was to obtain reports that help us get to the heart of the matter, ultimately saving time.

I have worked with Tufin before, so I found it to be straightforward, out of the box.

We used a reseller and an integrator, and we are working with an integrator right now. They are G2 Deployment Advisors LLC.

I am not aware of any other solutions that were evaluated before choosing this one.

The visibility provided by this solution is invaluable. It's easy to gather this information to share within our group and also outside of our group, with for examples security compliance individuals.

We do not have mandated compliance in our environment. However, we impose it upon ourselves and this solution helps us to gauge where we are.

In terms of the cloud-native security, there are some limitations because you can only pull from it what they’re willing to give you. Overall, it’s the same as whatever we do on-premise.

My advice to anybody who is implementing this solution is to ask a lot of questions. Use this solution to the hilt during the POC, making use of anything and everything. Every place is different, so use it for what you need to and beyond, so that you get an assessment as to what it can do for you.

This solution saves us a lot of time that we don't have, but there is always room for improvement.

I would rate this solution a nine out of ten.

Automate the firewall change via SecureChange Workflow

1. Policy Optimization by using Tufin APG under SecureTrack. If you have a wide open policy, and you want to restrict it into fewer lines of policy based on last 30 or 90 days hits, you can use APG tool to build restrictive policy.

2. Firewall Cleanup: Deletering unused Rules, unsed objects, duplicate objects from firewall database, by using the report created by Tufin under SecureTrack. You can run this report on Tufin SecureChange to delete all the unwanted space. This will save tons of space on your Firewall database.

3. SecureChange Workflow: You can link Tufin to ticketing system to upload the firewall change ticket, and use the workflow to fully automate the firewall change process, from start to finish

4. Topology: If you a good topology, you don't need to see routing table on Firewall, or going through any visio network design to find the L3 networks in your enterprise. Topology under SecureTrack helped me a lot

6. Enterprise Unified Security Policy: Once I do have an Approved Unified Security Policy from the CISO, I don't need to ask approval for each low risk firewall change. USP not only saved CISO busy time, but also increased the efficiency of firewall team. The firewall change request doesn't have to stay in Approver Pending steps

SecureChange Workflow: It is Firewall Admin Robot, which handles the ticket right from receiving until the implementing process with documenting all the approvals.

1. Tufin workflow doesn't support IPS module, Identity Awareness Module, Policy Inline layer (Checkpoint)

2. Limitation on edit/create Group object: You can't create group Service object

3. You have to run Designer to Assign Firewall Rule Name, and Rule Number. By default, Tufin uses topology

3

Tufin is very stable. There have been no major outages. 

Sometimes there is an SSL correction between Tufin and the management server. Sometimes it gets broken but I don't why. Apart from that, it is very stable.

We can add as many firewalls as we need. It's just a matter of purchasing the licenses. It has good scalability.

Tech support is very bad. I would give a zero rating to tech support. Compared to Check Point and Fortinet, Tufin tech support is worse. Even the Professional Services team doesn't like to respond to email. It is poor.

My team doesn't have a good relationship with Tufin. The Professional Services and even our Tufin account manager are not friendly. They're not helpful to us. But the Tufin product is fine.

The initial setup was straightforward.

I believe our cost is more than $100,000 per year.

We haven't evaluate any competitors or consider other products.

Tufin is not mandatory to manage firewalls or to manage any products. But it supplements. It will help you to get approvals and to push firewall policies. In the long run, when you have to manage hundreds of firewalls, obviously Tufin will help.

We are working on the USP, but so far we only rely on Tufin between about ten and 20 percent to see USP violations.

Right now, we are just using it for SecureTrack. Next year, we have plans to buy the license for SecureChange as well.

I think we're using version 18, and we are in the process of upgrading it to 19-2

We got Tufin from a company that we acquired, so its helping us do mitigations there. Now, we are extending the scope and implementing it in our HQ, as well. It has helped for PCI and compliance.

The solution helps us ensure that security policy is followed across our entire network. It is important to configure and define all the networks right.

One of the primary reasons why we want to use Tufin is currently we are having issues with companies from overseas who manage our firewalls. It is very inefficient where they say that they have implemented the rules, then later on we find out the implementation has not been done properly and they are missing firewalls. Hopefully, once we fully implement this tool, it should be able to tell us if firewall rules are missing. It should be able to tell them before they communicate with us. After the implementation, we can verify and make sure that everything is working and do all the validations.

It is a great solution. If you have all the devices and firewalls in place, the amount of details that you get along with the network topology is very good.

If we had the budget and money, the SecureChange is really great. What you can do and where you can push everything from one console. You can create a change and do the whole automation: create the change, implement the change, and close the change. Right now, I have to go to two, three, or four different consoles. Whereas if I had SecureChange, I could do everything in one place. From an auditing perspective, it becomes easy. Right now, I have to give a change ticket number, then show the auditor and tell them to search for that change ticket number in a different place. If everything is in one place, that makes your life easier.

The change workflow process is flexible and customizable.

I would like more API integration, API integration with the cloud, and API integration with other chain management solutions. I would also like more scripts, which would help us not have to write scripts. If you give me all this, I can use the scripts to automate stuff, making my life easier.

I haven't seen the cloud integration yet, and I would like to see if we could audit the cloud firewalls, like the cloud-native, Azure, and Amazon. That would be nice. You want one tool to do everything. I don't want to use another tool, or manually go and audit the cloud firewalls.

I have seen some issues with the stability. One of the things that we noticed was when R18 was released about one or two years back, it couldn't discover the newer versions of firewalls, then we had to upgrade it. After the upgrade we ran into some other issues. However, it looks like with the patches it is getting there.

With the scalability, you have to use different components: the reporting server and distribution server. When we implemented it earlier, we didn't design it properly, which I feel is our issue. Once we design it properly, the way that we are implementing it now, I feel the scalability should be there.

I have used auditing tools in the past, so I was already aware of Tufin. When I saw the processes in my company where I worked were manual, I recommended a solution, saying, "We need to expand the solution from our other company to here, as well. It will simplify our processes."

The initial implementation was done at an acquired company, so it was already installed. However, we are doing upgrades now.

I think we will be using Tufin for the upgrades.

We have seen ROI:

• The productivity has increased. The team is more productive.
• It will decrease the time of firewall implementation, which will increase the productivity in the sense that now other teams don't have to wait for their projects. 
• This helps us simplify our processes.

Our engineers are spending less time doing manual processing. Their productivity has at least increased by 50 percent.

We haven't purchased the license yet for SecureChange. We do have plans to buy it next year.

The additional piece, which we are buying and doesn't include our other solution, is close to 300,000.

We did not have have time to evaluate other solutions. Also, we already had Tufin in place in our other company. 

This seems to be a better solution than AlgoSec, which I have used in the past. I have also seen FireMon, and Tufin gave us what we needed. I didn't see a reason to explore other solutions.

It is a great tool. It will help you increase your productivity and simplifies your workflow.

We should use it to clean up our firewall policies since the tool is there.

We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control.

We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation.

I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of installations and initial configurations and also some first-level support and maintenance.

I have seen our customers benefit by taking out massive amounts of duplicate objects, and overly permissive rules. Tufin helps to clean up their firewall policies. A common scenario we see is one where clients have a whole lot of shadowed rules, duplicate rules, in their firewall policies. Tufin's Policy Browser allows them to filter them and search for them. They can also search for those rules that violate certain Unified Security Policies that they've defined.

Every single one of our SecureChange customers has seen significant improvement in the time it takes to make a change.

The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions. I'm a little biased because that's what I work with the most, but I have found, especially in comparison to other products I've interacted with, that the Tufin APIs are very well-documented. And the big thing about them is you can do pretty much anything with them that you can do in the UI. From what I've seen, the big focus of SecureChange, in particular, is automation. And you can't have automation - or complete automation - without the ability to interconnect with other systems. The APIs really assist with that.

All of the customers I have worked with who have the SecureChange product use the change request violation risk analysis in the workflows. It is usually the third step of every workflow that I configure. For example, we have an energy customer that has a particular team of people which deals with a given workflow if it has risks. They have Tufin set up to automatically run the risk reports and, in the next step, if the risk is considered low, it goes to one team; if it's considered medium, it goes to a different team. That really allows them to move their changes along without too much human intervention or too much delay.

The solution allows for the creation of custom policies, which is helpful for rule cleanup and USP.

The visibility is as good as I’ve seen in any network product. It also has its own firewall stuff for Cisco routers.

The support for cloud-native security is pretty good. We have a large customer that uses AWS and AssumeRole, and they have 200 or 300 AWS accounts. They are pretty satisfied with the solution.

Tufin also supports all sorts of devices, cloud or otherwise. I've definitely seen unified security policies applied to both cloud and regular devices. Cisco, Palo Alto, you name it.

Support for Firepower is still ramping up, but meanwhile, some things are missing.

I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that.

This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow.

There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."

I haven't run into very many issues with stability. HA is the only weak point that I've seen. In the past, a lot of the HA upgrades had to be done separately. Recently, I had an HA upgrade that failed during the process, and we had to restore from a backup.

This solution is extremely scalable. I've seen customers with multiple hundreds of firewalls and there are no issues. The specs that they post on their Knowledge Base are pretty accurate as far as performance goes.

Technical support for this solution is very good. Every time I run into an issue that I can't resolve with a customer, I reach out. There has not been one that was not resolved.

Clients typically choose Tufin for a feature that it supports which other solutions don't have: a certain firewall or perhaps provisionings on a certain firewall. Tufin tends to release new versions very quickly with changes that are high-value. Also, as mentioned, the SecureChange workflow solution is very flexible.

The initial setup is pretty straightforward, as all you need to install it are IPs and credentials for your firewalls. However, once you go beyond that, the effort you put in is what you get out. In terms of creating zones and Unified Security Policy, those are things that you work on for years.

We handle the installation and configuration of this solution for our clients.

There are certainly clients that consider FireMon and AlgoSec.

The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation.

The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic.

This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows.

The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product.

I would rate this product a nine out of ten. There is a lot that can be sped up in Tufin if you have someone to help you through it.

Our company uses the solution to auto deploy and analyze locks for hundreds of Layer 2 firewalls which are more challenging than Layer 3. 

We write script for manual configurations, create policies, analyze all rules and locks, and then auto deploy.

We currently have 40 engineers and 100 staff who use the solution. 

Maintenance of the solution is easy because we copy the latest configurations. 

I am improving rules for hundreds of firewalls to increase security and rigidity with confidence that the solution is handling it well. 

The solution's most valuable features are its security policy and steps for deployment. 

The solution is flexible and easier to integrate in a Layer 2 environment. Other solutions such as AlgoSec and Skybox have Layer 2 speakers but are complicated to implement.

Integration for Layer 2 devices could be improved because it requires manual scripting. Other layers are very simple to integrate. It would be a benefit to have a form field for firewall names, user names, and passwords which then auto integrate. 

Licensing options are confusing and require additional fees for high availability. Competitors include high availability with their standard licenses. 

I have been using the solution for two years. 

We monitor stability all the time and find that the solution is quite stable. 

We have not yet scaled beyond our initial deployment that included hundreds of firewalls. The solution handles our complex environment with no issues. 

Technical support is great. Our company has a complex environment and we asked Tufin to make integration easier for us. They rose to the challenge and tailored the solution to our existing environment. 

The technical support team in Singapore is quite responsive when we ask for help. 

Our initial setup was more complex than others because we implemented Layer 2 firewalls. 

Setup would have been somewhat complex using any solution. Our entire deployment took one year but most of that time was spent integrating Layer 2 firewalls and building baseline security policies. The solution itself did not cause delays but rather it was our internal protocols that required a large investment of time. 

I rate the complexity of setup a six out of ten. 

The implementation was handled by a local Indonesian partner. 

The solution is more reasonably priced than its competitors. 

We subscribe to the yearly license and find it to be quite budget friendly. 

A high availability license was an additional cost so we opted to purchase the standard license but were later given high availability at no additional fee. 

We conducted a proof of concept exercise before making a vendor selection. 

We did not choose Skybox because security is bundled in the solution and we only needed one tool for a specific reason. 

AlgoSec is the best solution for file management but Tufin is very comparable and reasonably priced. 

I rate the solution an eight out of ten. 

Currently, we're an electric utility. We use it for NERC CIP for validating rules into ESPs, which makes it easier for us to pull out the rules and justifications for auditors.

We are using either Tufin 18-2 or 18-3 and testing 19-2.

As a company, we don't have anything in the cloud.

It has helped us immensely on the compliance side. We are able to look for overly broad rules. E.g., rules with any-any using the USP to see if we have violations. This was pretty impossible to do before by just looking at the CLI on the firewall and spreadsheets.

We use Tufin to clean up our firewall policies. The biggest use in the last couple of months has been to pull rules out of firewalls rather than putting them in. We're cleaning up and pulling rules out.

We use this solution to automatically check if a change request will violate any security policy rules. Even though we've been using the product for several years, we've just now started rolling out SecureChange, updating our USPs, and building USPs. We are using those to do security checks.

This solution helped us meet our compliance mandates. With the USPs, we can control what is being put in, then we know when violations are occurring ahead of time.

The ability to write reports to figure out what ports and services are allowed into specific zones. For instance, we know that there are certain devices which are only allowed to have interactive remote access into an electronic security perimeter (ESP). We've written reports which can tell us if someone inadvertently opened something up that shouldn't have been, then we can pull it out. Now that we are using SecureChange, it can alert us to that fact as the rules are being built, which is huge for us.

The visibility is huge. In order to figure out what was going on previously, we would have to pull stuff out of firewalls and put them in spreadsheets, then do sorts. Now, it's all right there in Tufin. We can write reports to look for what we need, ad hoc searches to find object groups, and know which firewalls are on. This was almost impossible to do previously.

It makes it a whole lot easier for rule clean up because we can find rules that haven't been used. We can find rules that are too broad and pull those out, putting more specific rules in, which could be done before but this cuts the time way down to do it.

The change workflow process is getting better. I wish it was a little more customizable. Right now, my biggest issue is that it wants to optimize everything we put in. Sometimes, we need a rule to be more readable, and we want it to go in a specific way. Sometimes, it's difficult to get Tufin to accept that. It wants to optimize and reduce the number of ACLs. On the compliance side, sometimes you just want more ACLs, so it's more readable for an auditor.

I got a sneak peek of a release or two. There are some new features coming out that we could use today. E.g., SecureChange won't allow us to put in more readable ACLs rather than try to compress them. Sometimesm we don't want it to full optimization of a rule set. I would love the ability to tell it, "Thank,s but no thanks. I don't want to optimize this rule. Please put it in the way that I want it." Right now, that's hard to do. It's almost impossible.

It is a very stable product. There have been a few times where we have had to call support and have something fixed. It has happened, but it's very rare.

It seems to scale very well. We have had the same servers in for four years now, and everything's keeping up. We haven't had any issues yet, and we are probably monitoring around 400 firewalls today.

The technical support has been very responsive. If they can't figure it out, they are not afraid to go to Israel, back to the developers, and find an answer to the problem. Typically, within a day or two, they have the answer and we are back up and running. They've been great to work with.

We knew that we had to invest in something which could help us clean up our rule sets. 

We took baby steps, so the initial setup was pretty straightforward. We just started with SecureTrack, getting it talking to the firewalls, and initially using it to document justification for rules on our compliance firewalls. We have been doing more with it over the years.

We used Tufin for the deployment.

This solution has helped us reduce the time it takes to make changes. We have been using SecureChange for the last six months, and it has streamedlined the process. We can usually do changes now within two or three days, where sometimes it used to take a week or more.

Engineers are spending less time on manual processes. We can push the changes to the firewalls. The engineers don't have to log onto the firewalls, then cut and paste.

I just wrote a purchase order for it. It is a $150,000 a year.

We looked at three solutions at the time, then chose Tufin. We felt that Tufin was one of the more customizable solutions and had the best price. They came in cheaper than everyone else, and at our company, that means a lot. Thankfully, they were the best. We felt they were best of breed at the time.

Give Tufin a good, hard look. From my experience, it is the best of breed.

Right now, we're focusing the implementation on our NERC CIP firewalls (the compliance stuff). We have some other teams who will be working on the corporate side and certain clean up rules along with the rest of the corporate firewalls. We are not there yet, but we're working on it.

I am responsible for the management of network devices, including firewalls. Security management is handled by our parent company.

It's a great tool for checking compliance of network device configurations against our company's rules and industry standards like NIST 2.0.

It made us look at security policies more holistically, from the perspective of the entire network across all our devices.

We used a version from a few years ago. So, I think my opinion would be a little outdated. Moreover, at the time, there were no huge complaints.

Customizing it can be a little tricky, but that depends on your use cases.

I have worked with Tufin Orchestration Suite, but we no longer use it.

Every case was solved by our partner. They were licensed partners. They were certified and licensed by Tufin.

I was satisfied with the support.

Positive

We didn't work with any system of compared functionality.

Moreover, opting for any solution is a corporate decision made at a much higher level than mine.

The deployment wasn't difficult. It's just connecting the system to network devices using some pre-deployed credentials and reading the device configurations. The difficult part is setting it up for the specific tasks you need from Tufin Orchestration Suite. 

Customizing it can be a little tricky, but that depends on your needs. So specific use cases could be challenging.

From my perspective as an engineering manager, it saved my team time.

And looking at it from a higher level, it saved the organization money. As an organization, that's paying for my people's time.

So, ROI is something each organization has to figure out based on its own usage patterns.

The pricing depends on the business case. For us, the pricing was six out of ten, with ten being the most expensive and one being the cheapest. 

We didn't use the entire suite. So, I would rate it a seven out of ten. 

We use this solution for firewall rule management.

Using this solution has drastically cut down on our implementation time. A customer is able to submit a request for access and Tufin will automatically analyze the system to find out where the rule needs to go, and then design the rule for you. It was a very, very cumbersome process that has been cut from months to days. Some access requests used to take two months to get through the system, whereas now the average is eight days or less, and we even have a same-day turnaround in some cases.

Our engineers spend less time on manual processes. The improvement is drastic, from months to days.

Every single request that comes through, Tufin checks and does a risk assessment against our USP, the Unified Security Policy.

This solution has helped us from a compliance standpoint. During an audit, we were able to pull up the policy browser within the system and show the auditors where the rules actually live, and then show them in the firewall as well. Moreover, we could then show them the ticket and the request, along with the business justification and the entire history behind each individual rule that's in the firewall.

Tufin helps us ensure that the security policy is followed across our entire hybrid network. We have Palo Alto firewalls, Cisco firewalls, and VMware NSX firewalls as well. Tuffin sees all three of those. Every access request that comes through is checked against the USP to make sure that we're not violating any policies, and we're in compliance.

The most valuable feature is the ability to quickly identify where a rule needs to be put in place because right now we manage almost five hundred firewalls.

The visibility that this solution provides is great.

The workflow process is very customizable. I've played with it quite a bit in order to tailor it to our needs.

One of the big things that I want to see, based on feedback that I have received, is to give somebody read access to your ticket. In our previous, in-house system, this was called a "reader". Right now, Tufin's SecureChange ticketing system only allows you to see your tickets, and nobody else's unless you're a firewall administrator. That is by design. However, at our company, many people come and go and there are many large projects. We need multiple people to be able to see multiple tickets. The problem is that we can't open up the entire system to everybody because of compliance reasons. We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket. A simple drop-down that would allow you to select the name would be sufficient.

This solution is very stable. Once we got to a certain release, somewhere in version R18, it was stable. Before that, it would slow down after about a week or two of running and would cause us to have to restart the system.

We've added more servers to process the load, and it's definitely helped speed up the system.

At this time, we manage almost five hundred firewalls.

Technical support for this solution has been helpful. We also have a Tufin RE (Resident Engineer) on staff, three days a week, so that helps too.

The previous system that we used was something that was homegrown, just built in-house. It was only a ticketing system. Everything else was done manually. My employees would spend days just trying to figure out where the rules needed to be applied, and how the rules needed to be designed. It was a very long, manual process.

We used a consultant from Tufin, itself, for our deployment.

Our ROI is realized through time savings, whether it's in the deployment or redeployment of something, or any other task that requires the creation of a firewall rule. The request would be made months in advance because they knew it would take months to get it place. Nowadays, sometimes they'll find out last minute they need some rules. They'll submit the ticket, contact us, and ask for a rush order on it. If we've got somebody available, which right now we can do because we're able to turn things around faster, we can do a last-minute large request and push it through within a day or two. The savings in time is something that I don't even know if I can calculate properly.

I believe that FireMon was considered before we chose this solution.

This solution works very well and it does the job. The product is pretty solid. At the same time, some of the small customizations would be very useful. It just needs little minor tweaks to really take it to the next step.

My advice to anybody who is researching this or a similar solution is to give it a look. Don't overlook this solution because you haven't heard of Tufin, because it's actually a really decent product. 

I would rate this solution an eight out of ten.