Tufin Orchestration Suite Reviews

The most valuable features for us are object looking, rule documentation, and reports. We use it for cyber security as well, so risk features and violations features are huge.

Even just looking up rules before we can make changes is a lifesaver. Previously, we'd have to go to the CMS of whatever firewalls we had. So instead of having to do that, now we can go to one location and search the rules that way.

Another major thing is the topology feature for the network part. Also, the SecureChange and automation means that the checkpoints can be done automatically, and they do the provisioning throughout the process. Looking up rules and understanding how they affect your environment.

It's also quite easy to use - there's nothing hidden, it's all laid out and that is much appreciated.

From a security standpoint, we have it in place where it will notify us if an engineer inadvertently violates a high-risk rule, and it even does this if they pre-stage a rule, so before they push it we can find out.

From an auditing standpoint, because we get audited three or four times a year, our auditors have access to see exactly what's happening in each firewall, and we've had fewer issues with auditing because of it.

For us, in man hours, it saves about 70 hours a week on checking rules and implementing the changes.

For implementing the rules of SecureChange, and trying to implement it with all of the software we have on our side, change management, and workflow management, we need better integration with our existing tools that will make these changes a lot faster. We have so many things on our side that we need to integrate. We now have HP Switches, so we'd like to have those covered as well in order to monitor them.

We've used it for three years.

No issues.

We had one bug - a year or so ago - and Tufin had an update that addressed the issue. The long implementation time was on our side. No other problems.

No issues.

Both customer service and technical support have improved during the three years we've used it. They're really quick to get back to us for both customer and technical support. They get on calls with us, WebEx, anything.

We were going through a major OS upgrade. We ran into some problems on our end with four appliances. It was a weekend and we opened a case on-line. We were able to get together with someone in 30 minutes, share the screen, and they walked us through implementing a fix within an hour or less.

Even though we have a remote collector, a distributed collector, and a central server, it was pretty straightforward.

We did it internally ourselves, but with some input on architecture from Tufin's professional services.

As far as licensing goes, the good thing is that the licensing for the firewalls is great. The licensing changes for the routers has improved because we no longer have to pay for topology monitoring.

We also looked at AlgoSec and FireMon. Algosec was good, but Tufin had the edge in the automation process and the reporting was even better. So it was basically between AlgoSec and Tufin.

Functioning monitors (not just marketing hype) for most types of firewalls and firewall managers, overall stability, scalability (could be better, but the still best on the market), and the ease of performing OS and software updates.

Having one vendor for both TOS operating system and TSS application makes it much easier to form relationships with Tufin sales, engineering and support, and improves product maintenance.

They should include a way for customers to add third party RPMs to expand system functionality that's retained across updates. A single central (master) database does not scale well past 1000 firewalls.

Also, it needs to expose a remote collector for central message (queues) metrics, monitor Java, Tomcat, web and database performance, to provide better intra-application data monitoring and alerting capabilities.

I've used it for seven years.

TufinOS 2.10 has been the easiest OS release to install to date. I haven't had the system running TSS R15-3 long enough yet to know if REST API improvements are usable.

None, so far with TufinOS 2.10 or SecureTrack R15-3. Postgres database (v9.0) should probably be updated to a newer version for improved performance and stability enhancements.

The SecureTrack R15-3 central-database shows significant performance strain, handling policy revisions, and rule/object usage updates from our 1600+ base of firewall devices. However, it continues to function, albeit slowly, day-in and day-out.

USA support M-F has been very good, and with pre-arrangement, weekend assistance is also available. Over the years, US Tufin support has had to escalate distributed application (remote-center db) performance problems to their Israeli R&D and developer teams for remediation. When this happens, mean time to repair can be measured in weeks instead of hours.

Very good, technical expertise from the US support staff, and exceptional technical expertise from the Israeli R&D people.

I have looked at other vendors, but we have been a Tufin customer since 2008, and have benefit from the maturity of their TOS and TSS products.

Upgrading from TOS 1.x to 2.x is a bit painful; the process requires wiping the system clean and reinstalling OS and applications, and then recovering data from a backup. But overall, the appliance approach that Tufin has taken greatly simplifies upgrades and patching.

Since 2008, we have purchased products through a Value Added Reseller. Our VAR intercedes for us on annual maintenance (support and update) calculations, and helps with unexpected contractual problems.

We have not calculated ROI, because we are always changing how we use the TSS application to obtain security information.

We have not performed a cost analysis on other similar products, but I'm confident that Tufin does and remains cost comparable.

In 2008-9, the choices were thin (Tufin, FireMon or AlgoSec); of those only Tufin offered the promise of an appliance based system that would scale large enough to warehouse data for reports and analysis from many hundreds of firewalls installed across the US.

Tufin is still growing and adding new features to its TSS applications suite. I don't believe your company would make the wrong choice if the products meet your company's requirements. Their latest product offerings of TOS run on virtual machines, and their near-future promise of a distributed central database (scalability improvements) should not be overlooked.

I am working in a DevOps environment. We are trying to automate firewall rules and allow Tufin to push these changes for us. Using SecureChange and SecureApp, it makes life easier for the user community and the firewall engineers by not having to manually input firewall rules. The DevOps environment allows the users to pick from a catalog and request what they need. SecureTrack gives us the audit capability of what is/was implemented.

To me, SecureTrack is the greatest thing since sliced bread, it allows you to see what is used and not used with your firewall, and gives extensive analysis in a very short period of time.

I can run SecureTrack for a week and have a great idea of what’s being used. Ideally, you want to let it run for a year, accumulate data, go over a years’ worth of data and decide what really needs to be cleaned up.

You will see in one report what is being used (IP addresses or services) and what has never been used.

Gone are the days of reviewing logs to figure out, "do I still need this rule/service?" It’s been a really great piece of software.

Probably in the ad-hoc reporting. They give you the canned reports. We do use the API calls, but it would be nicer if they could just give you a drag-and-drop function in the reporting. Pick anything out of the database and massage that data the way you want it.

Tufin has been working with us hand-in-hand lately because they do see that we are doing a lot of cloud-development work with automation. It’s in all our best interest going forward and they have responded seeing the future is in the cloud.

Personally I have been using Tufin for seven years across different companies.

No issues encountered. Strongly encourage an HA environment.

It’s holding up real good with scalability and stability. We have not run out of power on the box. They have been here on site and see what we are doing and how we are doing it. We are telling them what we need and they are doing it. They are pushing the envelope in their development side to try and meet our demands.

The level of service is excellent. I can’t overstate that. We open a lot of tickets because we are using a lot of things that a lot of people are not using in the product, which is too bad. Most people don’t understand the power this product brings to the table.

The technical support team is right on top of it. They don’t just leave you hanging. They know the guts of the product. They are able to get in and figure out what is happening and get you up and running again.

A lot of companies will put the new guy on the front lines so that they learn the product line quicker, Tufin does not do that, these guys actually know their stuff. If they don’t know they go straight to the developers. I can’t praise them high enough.

We have a great relationship. You need help and they are there. If that’s operating system support or the application, their engineers are very resourceful. Looking at their roadmap, we see great improvements coming to cover the new world of automation and cloud computing.

Bottom line they are very responsive, and very good.

It’s easy to deploy. It’s a very easy product to work with. It’s one of the easier products to implement.

In-house with Tufin on-call ready to help.

We have made a ROI. We have invested a lot of money in these products. Any company that puts in SecureTrack alone will see a very quick return on investment.

With SecureApp we are automating cloud development work, the only thing we have to do at the end of the day is go to the firewalls and click ‘install’. It will do the end to end analysis for you.

You need to approach it from a cost perspective. If you have to go through and analyze a rule base, it’s going to take you months and months and a lot of people. If you use Tufin, right off the bat, it’s collecting the information and it’s going to tell you what’s been hit or not. It will tell you how many hits on each source/destination address, and services.

It’s the Swiss army knife of tools. I’m sold on it. It’s so easy to use. We use it to its full potential. It has some great bells and whistles.

The module we have used the most is SecureTrack. Our technicians use that for firewall audits and analysis. We use other drivers due to PCI regulations, so we have to have proper reporting compliance, change management, and network changes. Also in our road map is to implement secure change.

Based on the work our technician has done on it, I think it serves the purpose we brought it in for. The only issue we have had is that we have been working a long time, from the build and configuration, and we still have one issue that our Palo Alto devices are still not reporting correctly to Tufin and that needs to be resolved. I believe it’s a software compatibility issue, so it might require an update on our side. That’s still an outstanding issue. We have a known issue integrating Palo Alto, but if they have a roadmap with other customers we would love to know.

We've used it for almost a year.

Performance is good and any queries we run are smooth and straightforward. But we haven’t loaded too much on yet. There’s a lot of build still to come. For the basic purpose of what we are using it for, it’s pretty good.

They are knowledgeable and available. I've had no issues with professional services.

Exactly because we had no firewall analyzer or a compliance and reporting tool, we brought it in. We have business requirements like PCI, and we are yet to use it for reporting or secure change.

We just put it in to the rack, consoled in, and did the basic set up.

We did it ourselves. Just looked at the PDF.

When I did the self-service for licensing, I encountered some issues. Perhaps it’s because I didn’t know how many we had purchased before I had arrived, as it was sold through a WebEx.

Pretty good, very supportive, understanding and recognizing we need to move in a phased manner. They are definitely in it for the long term. Support and professional services, we will require going in to the future.

We use it to track changes and the policies that we've implemented into our system.

It allows us to evaluate and build matrices, and see how rules work with it to see whether they are secure.

The biggest benefit of this is that it allows us to see how security functions as a hole. Also, it lets me see where the holes are and how things function.

The rules and configurations can be clunky. I have to wade through different things to get what I'm looking for, but the more I use, the more it makes sense to me.

The company has used it for 2 years, but I've used it for 1.

No issues with stability.

The scalability has been great, and we've implemented it on 25 devices now.

The implementation is straightforward.

I did it in-house, but tech support helped me walk through it and find missing pieces.

Try to get a training course on what it can do, so that when you go to implement it you can get the most out of it. If I had known all the features from a training class, I would have implemented it differently from the guy who did it for us.

We use both modules, SecureTrack and SecureChange. With Securetrack, we follow rules implementation and compliance; with SecureChange we manage the workflow of firewalls openings.

Thanks to Tufin we're able to manage the life cycle of rules and to keep logs of each firewall modification. Policies are also optimized using the tool.

Checkpoint and Cisco products are well implemented and managed. For Fortinet firewalls some features are not yet available.

In networks where the WAN is managed by a third party, some features may be missing if you're not able to have information about routing, ACL, etc

2 years.

Product is quite complete. The hard work concerned building a topology on the product base on reality of the network. Some workaround we do in reality may be hard to model using the tool. Topology is mandatory for SecureChange to work.

Product is stable and we've had no problems concerning stability, even if we're not able to have a clear view of the capacity of this tool. There is no reporting on capacity. For instance, there is no alarm.

No issue specifically, but for large networks several appliances are required to have a distributed architecture. Also, for SecureChange it's necessary to have a separate instance so the topology calculation has no impact on user interfaces.

Excellent, even if we have more contact with support team, customer service is always checking that everything is fine.

Excellent, the support and the post sales service is the best I ever had. They're always available and listen our concerns. Even some features required have been delivered a few weeks after the requirement.

We used another solution some years ago, but we switched, first of all, for performance and stability issues. The old solution was not able to handle the number of rules we can manage in our network.

The main setup subject will be to check what's the first need you want to answer. In our cases we want to manage our life cycle of rules and we work on it. Start small and grow up smoothly while you understand your network topology.

Vendor was quite good. This is a tool with which the need to understand your network is mandatory. You must have an in-house team to be fully operate this tool. This is also the easiest for support.

Our main ROI is to be more agile and flexible for rules lifecycle. We're able to answer faster with the same number of people.

Pricing is correct. You've got one or several appliances and pricing is not too high. After licensing is per firewall managed by the tool, so you can grow smoothly.

We did an evaluation of the different solutions on the market, and it was our vendor that recommend us the solution.

I recommend this solution. In our case, it was the missing part to be able to provide a better service to our clients.

Our primary use case for this solution varies on the customer's needs. However, we primarily use it to augment the safe firewall and consolidate various firewall vendors.

The consolidation of other firewall vendors is very valuable because many customers have different firewalls and the management administration has to be done differently. However, with Tufin SecureCloud, you can do things together.

The reporting during the initial setup could be better by including more automation, and the pricing should be reviewed, as it is a little too high.

We have been using this solution for two years.

The solution is scalable.

We have had a decent experience with customer service and support. The response time has always been within 24 hours, so we usually get a response within several hours of logging a technical issue.

The initial setup was straightforward, and it took us approximately 24 hours.

The licensing costs are charged annually but are higher than similar products.

I rate this solution an eight out of ten. The solution is good, but the reporting available could be improved, and the pricing could be reviewed as it is costly. Nevertheless, I recommend this solution to any organization that wants to implement a firewall analyzer. Additionally, I would advise new product users to read sections in the recommended requirements and ensure it is properly communicated to the vendor they choose to work with.

Our primary use case is the policy request automation workflow.

Tufin saves a lot of time on the policy requests deployment. It enhances the SLA of the policy requests or changes and enhances the accuracy of the policy deployment.

I like the policy topology map, which allows us to visualize the picture of the security policy of the whole organization.

I would like to see the hardware specifications improved. The solution requires very high specifications of hardware platforms to run it. These high requirements are quite difficult to be acquired for users. 

I have been working with Tufin for the past three or four years.

Tufin performs very well.

Tufin is definitely scalable.

Technical support is very good when escalating questions with them.

Positive

The initial setup is straightforward and easy.

I think the pricing, comparatively, is good.

The functionality, roadmap, and technical support are important to most customers. It is important to consider the integration support with other security tools and compatibility. I would rate Tufin a eight out of ten.