Tufin Orchestration Suite Reviews

It is an important application for controlling and monitoring firewall rules. It is useful for making and monitoring the changes.

Its price is reasonable, but it could be lower. 

It could have a more effective approach for creating and changing rules. It could provide advice or suggestions for a better understanding of rules and changing the rules. There should be suggestions for the rules that need to be changed to make them less risky.

I have been using this solution for eight months. We have recently done an upgrade, and we are using the latest version.

It is stable.

We have not been using it for a long time. So far, it is scalable for us. We have more or less ten people.

Their technical support is good.

We have worked with AlgoSec but in a restricted topology of the network. Both of these solutions are useful. It mainly comes down to the price. Even though Tufin is more costly, it has been more cost-effective for us, but it is not the same for all companies. It also depends on the integrator.

Its initial setup has medium complexity. It was not complex, but it was also not easy. We had some problems because it was a fresh installation.

Its price is reasonable, but it could be lower. It has been cost-effective for us. We have a contract for three years.

I would rate Tufin a nine out of ten. 

We use two main modules. We really appreciate the change manager. It's one of the most valuable aspects of the solution.

The technical support is pretty good.

We need the solution to have full compliance with IPV6. 

We also use VMware features and we need the solution to be fully integrated. We used to make micro-segmentation. We'd like to be able to do this again, and for that to happen, we need more integration.

The pricing of the solution is rather expensive. 

It needs to be more comprehensive. There are also some drawbacks in trying to import a policy matrix inside. If some people design a policy matrix in the file, in an Excel file, the problem is that we will have to work a bit to interact with it properly. Something more economical needs to be in place to deal with the policy matrix.

We have a small team working with Tufin. That said, even though the team is not a big team, we have a lot for it to do. Tufin now is our policy manager for the private cloud. It's the main policy manager. We also use Skybox for the legacy part.

I've dealt with technical support in the past. They are okay. They really try to work with us. I'd describe them as being helpful and responsive for the most part. We're largely satisfied with their level of service.

We also use Skybox Security Suite. We use both that and Tufin simultaneously.

The initial setup was actually handled by another team. I can't speak to the implementation process due to the fact that I did not participate in the process directly.

As an architect, the pricing seems expensive to me. For what it does, I would say it's expensive. 

I can only really compare it to Skybox, which is a solution we also use. 

If I compare it with Skybox, I see it is the best. It is better than the Skybox. However, we need it to do more. 

We are not a reseller. We are an IT enterprise. We are customers and end-users. That said, our relationship is evolving. It's becoming something like a partnership, as we need more features and are making suggestions and trying to develop it out a bit. 

I'm not sure of which version of the solution we're using. I can't recall the version number off-hand.

I'd rate the solution at a seven out of ten.

We were primarily using the solution in order to grade the firewall rules.

How the solution benefits the organization is something that is currently being tested. We're considering doing something different, as we just used this product as a POC.

The compliance aspect of the solution is its most valuable aspect.

The stability is very good.

You can easily scale the solution if you need to.

The number of features is very robust - and there are a large number of features. That's a huge selling point, which is why its popularity is where it is.

I have heard many people complain that there is a high level of complexity. It may make it difficult to work with for some people. That said, I don't have those issues with the product.

The initial setup can be tough.

The product could use better integration with the cloud.

I've been using the solution for years at this point, It's been a long time.

The stability is very, very good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. The performance is good.

The scalability of the product is excellent. If a company needs to expand it, it can do so relatively easily.

In our case, while I don't have an exact user count, I can say that there were quite a lot of people on the product.

We're talking about shifting potentially away from Tufin, however, if we had kept it would have been used extensively.

While other people have the opinion that it could be better, I've mostly been satisfied with the level of support we've received. They've been okay. I've had three or four run-ins with them and they were all positive experiences.

I also work with AlgoSec. We use both solutions currently.

The initial setup is not straightforward. It's a little difficult, a little tough. New users need to expect this before they get started.

Often, a consultant is involved in the process, as there is a large learning curve, and many companies don't have the bandwidth to ramp up the staff. Bringing on a consultant can speed up the processes a bit.

The deployment took about a month or so.

We're still working on how many people we actually require to handle the maintenance aspect of the product.

Typically, we get a consultant for everything, however, this last deployment, in particular, seemed to be more challenging for the consultant and for the staff.

That said, our experience with the consultant was very good overall.

While we are getting what we need out of the solution in terms of functionality, I haven't really looked into an exact ROI. We got what we were looking to get out of it. 

The billing and licensing aspect of the product is not something I'm a part of. I don't have any insights into the costs involved in using the solution. I cannot see if there's just a flat licensing fee or if there are other costs needed on top of that.

We are considering moving away from the solution currently. We're looking for other options. We might shift towards FireMon, however, nothing is set in stone.

We're just a customer and end-user.

We're likely not using the latest version of the solution. Currently, there is a team that directly supports it. I can't remember the exact version number off-hand.

I'd advise organizations considering the solution to do their homework first and see if they can find out from industry associations and professionals what their experience has been.

In general, I would rate the solution at a nine out of ten.

I'm using the Fortinet firewalls, so I need the firewall manager tool to manage those files, together with the FortiManager. The Tufin guys provided a solution for our data center where we have a box server, which was specifically developed for Tufin. It would run the scan on the network, get to the firewall, or go to the router, run the scan and give me the compliance, and then send it to me. Then I get a report from there.

The features I have found most valuable are its capability to check on the firewall and the routers. Afterward, it checks out all the configs, checks the vulnerabilities, checks the risks - it checks everything that may end up causing our router to be compromised. In the end, it recommendations what we should do.

Then, if we apply the recommendations, it will scan again and give us a percentage. Sometimes we find out that at first that we didn't meet the compliance, getting a 46% maybe. Then, when after I apply the recommendations, after discussing with my team, and approving the recommendations, it is all remedied. After that, it goes to 80-something percent. And that is what we are looking for.

One area in which I need it to improve is that I need it to accommodate all the files and all the tools. For example, when I buy the firewall management tool, I want it to manage the firewall of every firewall I use across my organization. If I'm going to depend on only one vendor, and it looks likes a vendor or a catered tool, it can't help on any vendor to scan the technology and give the auditing compliance. This is something they can improve from their side.

The second thing I need is that if Tufin comes and deploys their solutions on my premises, I would like to have full support from them. Unfortunately, I didn't have their full support. So what worried me is that whenever the box is no longer working, then I'm no longer going to be able to see my compliance. I know I'm not going to charge whoever is not complying on my premises.

To sum up, the two main negative points with Tufin Orca are the absence of full support and that accommodation of files and tools is not provided in a good way.

Additionally, what Tufin should include in the next release is the ability to see the logical bullets points. In my case, I wanted to see the physical report because when things tripped and went wrong we needed to start fixing it on the physical side. So I would like to have the physical tool policy before we can have the looks side.

But on the looks side it was very good. We need to filter up to it regarding the beneficiaries in the policies. So it was very good on that side of the data, but when I'm using it as a firewall manager, and then find the firewall is down, I need to see it on the Tufin. Also, I need the capability for Tufin to start alerting me whenever there is a change on the firewall.

I can say that we didn't know about that function on Tufin and when we try to communicate with the Tufin guys, they are not able to assist us on that. So we end up having someone go to our firewall and start to make a change, and we end up not having the right thing and not being able to manage our firewall accordingly. The main point of using the same tool as a firewall manager is to have the daily health check of the box.

I have used Tufin for the last two years and then I left it when Skybox was introduced to me. Unfortunately, I didn't have the capacity to use Skybox because I didn't have the skills on my team, so I decided to leave it. But I am looking forward to getting the new tool which will help me to do what I need.

The initial setup was very complex. What worried us at first was that we didn't know how to integrate it with the network. We had to call the Tufin guys to help with that and they physically brought it to us for the integration to the network. So that was challenging.

When you ship the product to our country, to my organization, it is quite expensive. It's not cost-effective. It's quite expensive because we end up paying extra for accommodation, the transport, everything for that person to come and assist us on the integration to the network. 

Generally, you need to pay for everything -  for the support and the implementation with the integrator.

We can also add this to the areas for the improvement, that implementation is difficult and it would be great if they could simplify the way the person can implement the products.

On a scale of one to ten, I would give Tufin Orca a five. I would recommend it only if the organization has the skills and enough requirements so that they are able to run it. It is a very good tool when you use it because it basically gives you what you want. It is just hard in terms of support, patching, and upgrading. Overall, it's challenging if you don't have the skills or resources.

This product will work for those organizations that have the knowledge of how to install the solution.

We are a solution provider and this is one of the products that we implement for our clients. We also use it ourselves.

We have this solution installed in our data center, where we have a box specifically for Tufin. It scans our network, looks at the firewalls and the routers, assesses compliance and sends me a report.

The most valuable feature is the compliance check and the recommendations that it makes. This solution will connect with the firewalls and routers to check out the vulnerabilities, risks, and anything that can lead the organization to be compromised. From there it will make recommendations about what is required in order to ensure compliance. My team discusses the recommendations and then we remedy the issues.

My worry with Tufin is that it cannot connect to Fortinet, which is what I want to do. In order for this solution to be useful, it needs to be able to manage every type of firewall that I come across in my organization. I do not want to be tied to one vendor. Integration with all types of firewalls and related tools is necessary.

When Tufin deploys solutions on-premises then they should provide full support, but this was not the case in my organization.

The implementation, including integration with other solutions, is complex and should be simplified.

I want to see the physical topology of the network in order to help with troubleshooting.

I would like Tufin to alert me whenever there is a change in the firewall.

I have used Tufin Orca for the past two years.

We do not have full support for Tufin and it was expensive to have support visit us during our deployment.

The initial setup was very complex because we needed help to integrate it with the network. Unfortunately, we needed to have an engineer come to assist us, which is why it was challenging. Getting an engineer to visit our country is quite expensive because you have to pay extra for accommodation, transport, and everything. It is not cost-effective.

This is a solution that I would recommend, but only in cases where the organization has the skills. I would rate this solution in the middle because it meets my requirements, it is a very good tool, and it immediately gives you what you want. At the same time, when it comes to the support, setting it up, and upgrading it, it is challenging if you don't have skilled resources.

I would rate this solution a five out of ten.

Automate the firewall change via SecureChange Workflow

1. Policy Optimization by using Tufin APG under SecureTrack. If you have a wide open policy, and you want to restrict it into fewer lines of policy based on last 30 or 90 days hits, you can use APG tool to build restrictive policy.

2. Firewall Cleanup: Deletering unused Rules, unsed objects, duplicate objects from firewall database, by using the report created by Tufin under SecureTrack. You can run this report on Tufin SecureChange to delete all the unwanted space. This will save tons of space on your Firewall database.

3. SecureChange Workflow: You can link Tufin to ticketing system to upload the firewall change ticket, and use the workflow to fully automate the firewall change process, from start to finish

4. Topology: If you a good topology, you don't need to see routing table on Firewall, or going through any visio network design to find the L3 networks in your enterprise. Topology under SecureTrack helped me a lot

6. Enterprise Unified Security Policy: Once I do have an Approved Unified Security Policy from the CISO, I don't need to ask approval for each low risk firewall change. USP not only saved CISO busy time, but also increased the efficiency of firewall team. The firewall change request doesn't have to stay in Approver Pending steps

SecureChange Workflow: It is Firewall Admin Robot, which handles the ticket right from receiving until the implementing process with documenting all the approvals.

1. Tufin workflow doesn't support IPS module, Identity Awareness Module, Policy Inline layer (Checkpoint)

2. Limitation on edit/create Group object: You can't create group Service object

3. You have to run Designer to Assign Firewall Rule Name, and Rule Number. By default, Tufin uses topology

3

Tufin is very stable. There have been no major outages. 

Sometimes there is an SSL correction between Tufin and the management server. Sometimes it gets broken but I don't why. Apart from that, it is very stable.

We can add as many firewalls as we need. It's just a matter of purchasing the licenses. It has good scalability.

Tech support is very bad. I would give a zero rating to tech support. Compared to Check Point and Fortinet, Tufin tech support is worse. Even the Professional Services team doesn't like to respond to email. It is poor.

My team doesn't have a good relationship with Tufin. The Professional Services and even our Tufin account manager are not friendly. They're not helpful to us. But the Tufin product is fine.

The initial setup was straightforward.

I believe our cost is more than $100,000 per year.

We haven't evaluate any competitors or consider other products.

Tufin is not mandatory to manage firewalls or to manage any products. But it supplements. It will help you to get approvals and to push firewall policies. In the long run, when you have to manage hundreds of firewalls, obviously Tufin will help.

We are working on the USP, but so far we only rely on Tufin between about ten and 20 percent to see USP violations.

• Firewall audits
• Firewall rule processing
• Path analysis

We use Tufin to clean up your Firewall policy. We can look at the historical rules and find out what is violating our USP, then make a change accordingly.

This solution has helped us to meet our compliance mandates. We implemented the Unified Security Policy (USP). This helped enforce our compliance requirements. We have mitigated and remediated issues that have been brought forth due to that USP showing us issues.

Firewall rule processing and compliance are its most valuable features.

The visibility is good. Overall, I can see the rules and headcount.

The change workflow process is flexible and customizable. I made my own custom workflow.

The metrics need improvement. They need more consistency or understanding of automation, along lines of customization of automation.

Going forward, we would like a whole bunch of stuff regarding metrics and reporting. Also, a whole bunch of stuff regarding stopping SLAs when it goes back to the user or requester.

I'm struggling with cloud right now.

It is very stable.

We own nearly two million dollars worth of equipment. It is scalable.

I have not placed a technical support query.

We used Professional Services with consultants for the deployment.

I'm saving 20 man-hours a week, so I am seeing some ROI.

In January, it took us 25 days to process a firewall rules request. By June, it took us eight and half days using the solution.

This solution helped reduce the time it takes us to make changes by 66 percent.

The licensing costs are a significant amount of money.

I am a previous FireMon customer. Tufin beats FireMon hands down.

Give it a try. Get a full list of Layer 3 devices available, import it into Tufin, look at the topology, and work forward from there.

Currently, we are still not provisioning.

We use it for rule re-certification and rule review. Twice a week, we use the Tufin report to see what changes or adds were done to the policies. Finally, we also use it for rule automation. We have it integrated with ServiceNow for rule requests.

It has improved our organization through the beginning of automation. It has also helped in terms of auditing. Tufin is a convenient way for us to show and prove what changes were done, when they were done, and by whom they were done.

Tufin also helps ensure that security policies are followed across our entire hybrid network. We use the USP, Universal Security Profile, which is governed by our cyber team. That team sets up the parameters and then, through the automation, when a request comes in, the first thing it does is check if it meets or violates. If it violates, it sends it right back to the requester. Another way we do it is that when somebody puts a request in, it goes through the USP. Then the cyber team combs through it to make sure that whatever service they're asking for can happen. For example, if someone wants Dev going to the internet, of course that's not going to happen. They'll filter all that out before it comes to us. Once it comes to us, we'll implement it, and then we comb through all the reports and make sure that nobody missed anything.

It also helps expedite changes.

The reports are very valuable. In terms of cleaning up firewall policies, we use Tufin to gather information in the reports. However, we don't automate Tufin to do the work. It's still done by a firewall engineer.

But the best feature for me is being able to look up objects within all of our policies, because we have a little over 12,000 rules and over 30,000 objects. When one person says, "Hey, where's my server?" I can just go to Tufin and say, "Hey, where is that server?" and very quickly it tells me where it is, what policy it's on. That is a life saver. Without that, I'd be a janitor.

The visibility it provides is also very good.

The change workload process is flexible and customizable. For example, we have it working with ServiceNow. When somebody requests to have a rule in place or requests a firewall, they will first go to ServiceNow and put all their information in. ServiceNow then sends that over to Tufin and Tufin does its magic - verifies the USPs and does the design. That part is simplified. However, there are little mechanics in between that could be a lot better.

We use the solution to automatically check if a change request would violate any security policies or rules. Our cyber team is on it as well. We comb through all the changes done for that rule and verify. Before we do a push, we verify that there was no compromise to our security posture.

For me, there are two things that can make Tufin a bit better. This could be something on my end that I don't understand or maybe it can already be done and I don't know, but the two things that I am hoping to get out of this couple of days here at Tufinnovate 2019 are: have a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it.

In my industry, the banking industry, we're heavily regulated. Auditors are everywhere and they want everything accounted for. When I do a rule re-certification, I have to justify why that rule still there, who is using the rule, what's going on. Or if it hasn't been used, I want to get rid of it. But I don't want the onus to be on the firewall team. I want that onus to be on the person who requested the rule. I'm trying to figure out a way that I can have Tufin say, "Hey, look, John or Joan, your rules haven't been used in a year," or "Do you still require these rules or these servers?" and it would give them buttons to click, either "yes" or "no".

If they hit "no," Tufin would say, "Thanks very much," and disable them for 30 days, in case they made a mistake, and after 30 days, it would remove them. That type of automation would save us so much time. Right now, there are three people doing that job.

As an example with rules, when I look at a rule it will tell me how many days it was hit, when the last hit was, when it was last modified, but I can't get a creation date. What date was it created? It must know when it was created because it created an OUI for the rule. I asked support and they said, "Well, go here, go there, do this, spin your head and tap three times, and if you're lucky..." And I'm thinking, "Can you not just tell me the date it was created?" Then I could filter on those as well. Right now, I can't filter on rules that are over five years old, for example. Even when they're in use, I still want to see old rules. Maybe they've got old services that shouldn't be working anymore.

I would also like to see better logging.

SecureChange could be a bit better, at least with integration with ServiceNow or some of the other ticketing tools.

The scalability is amazing. We have it in two data centers. We have full redundancy with it. I have no qualms about its scalability, whatsoever.

Technical support has been very good. I've dealt with Professional Services and I dealt with a programmer when we did our ServiceNow with Tufin. They were really good; two of the best guys. Top-notch. My Professional Services guy is awesome. He's my go-to guy. The other gentleman, whose name is Neil, was really good. He was very kind, very accommodating, top-notch.

The switch to Tufin was done before I got to this company, but if I had to guess, I imagine somebody tried to jump out of the window or thought, "I'm going to go nuts if I have to look up one object in a pool of 30,000 and 8,000 rules." It's over 80 firewalls.

The initial setup was complex because we had to integrate with ServiceNow. That's what made it complex. Tufin would say, "Hey, we can do this," and ServiceNow would say, "Yeah, we can't do that." Or ServiceNow would say, "We do it this way," and Tufin would reply, "Yeah, that's not going to happen."

If it was just a stand-up and write some custom workflows, that would have been a lot easier.

We had a vendor or reseller with us, but they didn't have much experience with the size of network we have, so they were more listening in and trying to get experience while things were going on. I'm okay with that. At the end of the day, it was the Tufin guys who actually brought it all together.

If we look at the cost of a firewall engineer and the time saved as return on investment, we have seen a return. If we didn't have Tufin at all and the work that I'm doing now had to be done manually, those hours are about a four-to-one ratio. So that is a return on investment.

The cost is too much. For us it's around $40,000.

I've already recommended Tufin to other people, absolutely. There was another company that has Check Point, I'd meet with them at Check Point expos and we'd talk. I would tell them I'm doing the rule re-cert with the bank and tell them, "Get Tufin." The first thing you want to do is get SecureTrack. Get it set up, get it working. Then you can grow from there. If you don't know what's going on with all the policies, you're blowing your brains out. I always recommend Tufin.

We're working on getting the solution to help us meet our compliance mandates. That's one of my projects, starting this year.

In my opinion, the solution’s cloud-native security features are good. I just don't have anything to compare them to. I can't say I have worked with AlgoSec or FireMon so I can't compare Tufin and say, "Oh, you guys are much better than that guy." Tufin is the only product I've worked with in policy management.

Tufin is better than the way we're using it. I firmly believe that we're not using it to its full capability. It's like having a Ferrari in the garage but using it to go get groceries. Someone might look at it and say, "Oh my God, we could be on the Autobahn, flying." And I say, "Yeah, I know, but I need groceries." I don't think we're using it to its full potential. However, from what I'm seeing now, and in future developments based on this conference, it's going in the right direction.

I would rate it at eight out of ten. We are strictly a Check Point shop for firewalls. We don't have other vendors. I can see where, if I had Palo Altos and Fortinets and Ciscos, Tufin would be Godsend. I wouldn't have to go combing through every vendor. Whereas for us, it's already together. That may be why I don't rate higher.