Tufin Orchestration Suite Reviews

The primary use case of Tufin is firewall management, firewall reviews, and eventually, to do rule deployment.

It was more to start standardizing our prior work changes. The initial first step is to understand and make sure that whatever change goes in is complying to our policies and standardized. The eventual goal is to get everything automated.

We are using SecureTrack at the moment, but we do have licenses for SecureChange as well.

We use this product to sharpen our change cycle. A request used to take quite a while as we did manual assessments. A lot of that is now done through SecureTrack. 

At this stage, we are doing only manual checks. We are only using SecureTrack to verify the flows through Tufin. At a later stage, when we will also automate certain types of rules to be done through SecureChange, this will tremendously help us. We are not there yet, but this will help us in terms of time and resource costs.

In the past, we would do certain things because of private knowledge of people's own understanding of the network. We don't have to rely on just that piece of it, because of the topology. We now know which firewalls come into play. 

We use Tufin to help us clean up the firewall policies. It provides very easy reporting. We get all the aged or unused rules listed very quickly, as soon we run the report. It's a quite easy way of doing it. However, we have not automated our process. We are hoping that at some point that we will be in a position to automate that process.

We use the solution to automatically check if a change request will violate any security policy rules. If a request comes in, and it is from an Internet zone going straight out to an inside secure zone, then we definitely flag it. There are other policies that we find in our USP, which we flag. These are the type of things that we check.

We definitely use the compliance reports, which has simplified things. However, we haven't fully integrated it into the GRC process with Tufin yet. The desire is to make sure our GRC resources are fully aware and engaged in our Tufin deployment.

We are leveraging some components to provide reports for our GRC process, but there is no plan to integrate those processes. Those are run by different teams. We were planning to integrate our ticketing system (ServiceNow) with Tufin, which is ongoing. We are working on that now.

The central repository of information provides a consistent way of doing things, eventually shortening the time period to make changes. This is the most valuable thing at this point in time. 

I'm very happy with the visibility component. It gives us a reasonable insight into the most of the application flows. Obviously, most east-west application flows are missing from what we have. That is a component which we will need to eventually fill in the gaps.

Between the cloud and physical data centers, we definitely share Tufin policies. That definitely gives us visibility into both.

I would like to drive value from is to getting to a point where we are almost like a DevOps operation for security changes.

We have put in a lot of requests. Some of them are high level related to cloud. Others relate to some of the reporting structures that we have. E.g., some of the automated reporting capabilities for specifics on certain regulations. Certain countries have certain regulations, and with GRC, if we can associate that on certain regulations, then we can spit out reports from that.

We would like to see integration of the different versions of this product, e.g., SecureChange and SecureTrack. They eventually need to start amalgamating all these into an end-to-end product for visibility. 

We do have an ongoing issue with capacity. If one of our resources is working on it, nobody else can do anything. If a particular report is being run on the server, nothing else seems to work. We haven't done anything about it as of yet. Maybe some of my team members have opened tickets to Tufin for it.

I am not sure about the scalability. The product that we have deployed for our main process gets bogged down in terms of its response. Maybe, we need to deploy a slightly smaller box. Eventually, we need to discuss this with Tufin is to see if we can move over to some sort of VM environment where we can add more processing power to it. 

We have a global implementation.

Whenever we have had a problem, some of my engineers contact Tufin and they have been very easy to get a hold of. From my team, they have not had any problems with the technical support.

We were using Tufin before, as well, but it was not the same. It was separated into localized instances and regions.

We sort of saw that the volume of changes were coming in high. The patience from the business side was getting low to invest the time that it used to take to make firewall changes. Therefore, it was inevitable that we need to purchase a solution.

Our initial setup was complex from two dimensions, because we were deploying it globally and had to have a centralized view, but a distributed approach. We had it in Asia and North America (US and Canada), causing a slightly complicated approach.  Prior to Tufin, we had three instances which were separately managed, so we did not have end-to-end visibility. Therefore, we rearchitected the Tufin environment and created one global Tufin instance. The retail instances became local collectors, which reported back to the single environment.

From the start of the project to the end of the project, the deployment took us a while, at least five to six months. Most of the time involved was not because of Tufin. It was primarily for us to handle all of our separate service providers and outsourcers globally, so they could all provide us with read-only access to the firewalls that they manage.

We deployed the solution in-house. It was pretty straightforward to deploy.

The solution has helped us reduce the time it takes us to make changes from weeks to days.

Engineers are spending less time on manual processes by about 15 to 20 percent. I would like to get a bigger number.

We didn't buy this based on ROI, so we didn't measure ROI. Overall, from a time savings perspective though, it is definitely there.

The licensing costs are around $250,000 to $300,000.

There are ways to deploy the license to different types of firewall. However, if we decide to change the physical brand of the firewall, we need to go back to Tufin and modify the licensing. This is a hassle.

We did not consider anyone else, because we already had an unused, unimplemented Tufin license. We eventually thought to start consolidating everything into one place.

We decided on Tufin because:

• It was an existing tool.
• It served our purposes. It provided us the essential components for managing a varied environment of different types of firewalls. 
  
• We felt that there was enough potential in the organization to grow with us and provide capabilities, like cloud, VM environments, etc., under the same umbrella.

It gives us visibility and the ability to make changes automatically with less mistakes. Overall, it's a decent product.

Tufin is definitely a good contender to come as a winner. It has the potential to look not only at firewalls, but also network devices and other cloud-native solutions. It is a pretty broad base product, which will eventually be a good future tool to have in a toolkit.

We haven't used the workflow from Tufin. We use our own ticketing system for that. We are busy integrating our ticketing system with Tufin right now using an API. We are just in the process of doing that.

Tufin helps us understand and ensure that security is being applied. Tufin is not a security tool. It just gives us all the information about security, firewalls, etc., and that they are doing their work. From that perspective, it would be a long stretch to say that Tufin provides us security. However, Tufin provides us the information that we have security across hybrid environments.

All of our cloud-native security features are directly taken from cloud management tools. We don't have anything deployed yet from Tufin for cloud-native security features, but there is a desire for that.

We do risk, cleanup, and change.

It reduces human error and speeds up the whole change process.

The change workflow process is flexible and customizable. There are five default workflow processes out-of-the-box. However, every customer is different. Everybody has a different request process. That is why it's so customizable. You can add another step, you can delete a step, or you could put in an exception. It is very flexible.

We use this solution to automatically check if a change request will violate any security policy rules. E.g., we will not be allowing SSH to the Internet. That is one change request where we can be like, "Put that right on top of the policy." 

This solution has helped us to meet our compliance mandates, especially with the default out-of-the-box templates, then you can create your own.

This solution helps us ensure that security policy is followed across our entire hybrid network. You can have a Unified Security Policy which reaches across all networks, so if you are having a change submitted, it doesn't matter if you're enforcing it or not. You can get an alert saying, "This is a violation." That's a value-add.

• Cleanup
• Visibility
• Scalability
  

Cleanup is its most valuable feature. We use Tufin to cleanup our firewall policies. You can see unnecessary, unused objects. A lot of times, you will create a host, then it's not used. It's like, "Delete that, because we don't need that in the database." Or, it's a rule that is not needed: unused rules.

Its cloud-native security features are good. They add even more visibility to your environment.

I would like more out-of-the-box workflows in SecureChange with more default config, so you don't have to create those workflows yourself. This would be the biggest thing.

I would also like more enforcement. Right now. it's a lot of alerting. You see it in Tufin, but you have to go to Check Point or whatever device to make the actual action.

We already know the user interface is getting redesigned in TOS 2.0. That's naturally been the customer complaint in my experience, "Where are things in the GUI? The GUI is cumbersome." Now, I'm used to it, but when your first learning it, it is unintuitive.

The stability is very good, especially now that they are developing a lighter weight operating system on top of the OS with 2.0 coming out this year. 

The current version is slow. I deal with a lot of large environments, which is mostly what Tufin has. It is slow because it is a database, Tomcat Server, and web server. Reports are slow. If you're generating manually on the fly, you can set them to run at night, then it's not a big deal.

The scalability is good, because you can have a central server, distributed server, and remote collectors. You can have remote land sites or branch offices. You can have the collectors collect the data for you. You don't have to rely on just one server.

The technical support is very good. It is a lot better than the firewall vendors themselves.

There were not enough resources to do the changes themselves. We definitely went offshoring. Now, you see a lot of that coming back because there is not enough people. We needed a system to do it.

At first, the initial setup is complex. Once you know it, the initial setup is straightforward.

First, you have to install the operating system. Then, you have to install the application, where there are certain version requirements. You can't just go right to the latest OS version. You have to go back to the older one, then upgrade those as well. It is a little cumbersome.

I am an integrator. Sometimes, we have to use Tufin on the back-end.

We have seen ROI just in the time savings and knowledge. Knowledge is power. Having the solution do it automatically for you without you doing the work is huge. If you are spending $50,000 a year, it could have cost you a $100,000 in man-hours without it, especially if you are working with a team..

This solution has helped reduce the time it takes our customers to make changes by 50 percent.

Engineers are spending less time on manual processes by 50 percent.

While licensing varies greatly, it is about $50,000 a year.

We did consider other vendors, but Tufin is the market leader. We only deal with the best of breed. We like to go with the best.

Do a proof of concept or proof of value. You will see the value right there.

The visibility is top-notch. I know the vendors as well, like Check Point and the firewall product underneath it. I know with Check Point, specifically, and I have seen some issues with it. However, overall, there is still a lot of value in the cleanup.

The primary use case is processing change requests.

While our organization has implemented SecureChange and SecureTrack, we are not using either tool rather extensively. Therefore, we are trying to put together a plan for the organization to adopt these tools more firmly.

The idea is to be using SecureChange as the primary portal for entering change requests on both the perimeter and shop floor network firewalls. The way we are approaching this is to do a pilot first among a few sites, then bringing it out to a larger group once we feel more comfortable with how the pilot went.

The pilot will probably last for a couple weeks. After that, we will roll it out in buckets or groups to the rest of the sites. Then, the primary use case will be using tool for change management and SecureChange, while SecureTrack will be used by our security monitoring group who is tracking for threats.

My engagement to date and going forward will be to assist in the planning of the rollout and helping with the rollout. I make sure teams and users who will be using this tool are actually using it, including processes from: 

• Submitting a firewall change request.
• Price or rule requests.
• Opening a port.
• Firewall maintenance or maintenance processes, e.g., rule cleanup.

The additional visibility into network path analysis is really helpful. The ability to provide assistance with role clean up will be helpful as well.

Part of the work that one of our firewall implementation teams is doing is a justification process right now. I think that a clean up is included as part of that effort.

One of the things that we really like is the ability to customize work flow. It seems like there are ways to make a workflow robust and capture multiple different types of things that you would want to do when you are maintaining a set of shop floor network firewall rules. These include things decommissioning a server and performing a common rule maintenance process, like a recertification process. 

The linkage between SecureTrack and SecureChange is nice. The way that you can identify a rule in SecureTrack that needs to be recertified, then create a ticket in SecureChange, which can essentially implement that, and complete the recertification process for workflow. This helps us keep organized, in a big way, a complex, large set of network firewall rules. Otherwise, there is no way for us to track who the business approver or owner is for each of those rules and when the last time each of the rules was looked at. In terms of keeping this set of rules clean, it goes a long way in helping with that.

I had been impressed with the depth of capabilities within SecureTrack, particularly, in terms of generating insights for a user and firewall operator. With SecureTrack, I've been impressed with the level of flexibility with workflow design and its ability to generate different work streams and flows through the tool that are customized for our organization processes.

One of the things that came up this week was the ability to decommission a server, which we thought was interesting. We had a workshop recently that talked about all the things that need to be thought about when managing firewalls. People said, "A lot of times, things get forgotten when you are decommissioning a server." E.g., making sure rules are taken away and taking out the rule set. The fact that there is an automated workload for that can be helpful.

From the training that I've done at the conference, I like the ability to visualize the network paths between different endpoints and servers. I thought that was cool.

I have been impressed with the range of capabilities. The ability to connect with other services and software solutions via APIs is very impressive. In terms of breadth of market coverage, that seems pretty robust.

I would like a USP that was a little like an interface and a bit more intuitive. It seems like the 2.0 version did that better. 

I know when I was performing a search, like in the policy query area, some of those options as your typing could be better defined. That was one thing that came up. I would like it if there was some way to provide real-time feedback or context for each option as you are typing in search fields and search parameters.

Even somebody with relatively little experience like I have should be able to come in and have more intuition towards how to operate the solution. That would be a bit more helpful. There are things that could be explained a little better for somebody brand new to this system, which could be helpful, especially if it was in real-time while you were working in the system. Having the ability in real-time to be able to understand search query suggestions would be helpful.

A limitation right now for compressed firewalls is the limited ability to see above a site level in terms of the Topology Mapping in the policy display. While Tufin's actively working on a solution, or at least they have this in the queue, from being able to view this on a higher level and how all of our site networks are connected, this ability would be useful, as we expect to have these compressed firewalls in place for quite some time.

The Tufin products seem very long-term oriented. The ability to be customized seems good. It seems like there is a good roadmap for what features need to be added.

We did a USP upload earlier this week into SecureTrack, and the upload process was okay. Some of the definitions around the columns and the formatting could be more clearly defined.

The scalability seems good. It is overwhelming to think about how to define a USP potentially for the amount of networks that we have for shop floor firewalls. However, in terms of scalability, it seems like once the information is in there, it can operate well and help speed up change requests.

I don't think we've worked a lot with the technical support teams yet.

It was clear that no one was managing the shop floor network firewalls. 

Right now, there are no tools to do that. As we are hardening and locking down firewalls, the requirement to maintain and manage them becomes increasingly more challenging.

I don't think there was any tool before Tufin. The rules were historically stored in CSM and operated out of CSM. Before that, there wasn't any other way to perform a regular analysis and maintenance of firewall rules in this way from a security and policy perspective.

The initial setup seemed like it required a lot of effort. I wasn't super close to the project during the initial setup. Now that I've gone through the training it seems a little less overwhelming.

For the initial setup, I was only involved slightly on the SecureChange side. The API integration process with BMC Remedy seems difficult. I don't know if that is a result of the way the SecureChange application is designed, or if it's a result of a challenging resource environment for focusing on the implementation and the integration of it with Remedy. But, it seems like a challenging effort.

We used WTT for the deployment. My coworker, Dorothy, had a good experience with them. They were engaged before I joined the project.

The rollout was accomplished largely with an in-house team. The vendor that we purchased it through provided a little bit of support, but very minimal. Then, there is the team who is doing implementation with a lot of the firewall rule changes. Booz Allen has been helping a lot with the rollout, as well. I have been helping to design the rollout and adoption.

For our current implementation, which is temporary, once we move the cleanup process from this implementation team to the permanent team that is when I will be performing the work. That is when I'll be a bit more involved.

The company a good comparison of the different tools. I don't know if they were working with Booz Allen at the time, but Booz Allen seems to feel pretty strongly about the quality of Tufin and their user experience. It does seem like Tufin has reputation regarding its user interface that it is more friendly than other competitors.

I am aware of two other competitors who were possibly considered.

There is a plan for clean up as part of our regular process. There is a process drafted and an intention to do that.

It seems flexible and customizable. The bigger question is whether it will integrate into our existing process effort for change management. There is an existing risk assessment process that sort of fits up into our Remedy change request process, so now we have to think about how does the Tufin change management portal and SecureChange fit into that as well.

Once the USP is defined and we feel comfortable with that, we plan to use the solution to automatically check if a change request will violate any security policy. However, we are not doing that yet.

The program that I am supporting is not engaged in any of the firewalls affecting the cloud, so I didn't have a lot of context with that.

Once we have it up and running, this solution should help reduce the time that it takes to make changes and our engineers should spend less time on manual processes.

I did training at Tufin two weeks ago.

Currently, we're an electric utility. We use it for NERC CIP for validating rules into ESPs, which makes it easier for us to pull out the rules and justifications for auditors.

We are using either Tufin 18-2 or 18-3 and testing 19-2.

As a company, we don't have anything in the cloud.

It has helped us immensely on the compliance side. We are able to look for overly broad rules. E.g., rules with any-any using the USP to see if we have violations. This was pretty impossible to do before by just looking at the CLI on the firewall and spreadsheets.

We use Tufin to clean up our firewall policies. The biggest use in the last couple of months has been to pull rules out of firewalls rather than putting them in. We're cleaning up and pulling rules out.

We use this solution to automatically check if a change request will violate any security policy rules. Even though we've been using the product for several years, we've just now started rolling out SecureChange, updating our USPs, and building USPs. We are using those to do security checks.

This solution helped us meet our compliance mandates. With the USPs, we can control what is being put in, then we know when violations are occurring ahead of time.

The ability to write reports to figure out what ports and services are allowed into specific zones. For instance, we know that there are certain devices which are only allowed to have interactive remote access into an electronic security perimeter (ESP). We've written reports which can tell us if someone inadvertently opened something up that shouldn't have been, then we can pull it out. Now that we are using SecureChange, it can alert us to that fact as the rules are being built, which is huge for us.

The visibility is huge. In order to figure out what was going on previously, we would have to pull stuff out of firewalls and put them in spreadsheets, then do sorts. Now, it's all right there in Tufin. We can write reports to look for what we need, ad hoc searches to find object groups, and know which firewalls are on. This was almost impossible to do previously.

It makes it a whole lot easier for rule clean up because we can find rules that haven't been used. We can find rules that are too broad and pull those out, putting more specific rules in, which could be done before but this cuts the time way down to do it.

The change workflow process is getting better. I wish it was a little more customizable. Right now, my biggest issue is that it wants to optimize everything we put in. Sometimes, we need a rule to be more readable, and we want it to go in a specific way. Sometimes, it's difficult to get Tufin to accept that. It wants to optimize and reduce the number of ACLs. On the compliance side, sometimes you just want more ACLs, so it's more readable for an auditor.

I got a sneak peek of a release or two. There are some new features coming out that we could use today. E.g., SecureChange won't allow us to put in more readable ACLs rather than try to compress them. Sometimesm we don't want it to full optimization of a rule set. I would love the ability to tell it, "Thank,s but no thanks. I don't want to optimize this rule. Please put it in the way that I want it." Right now, that's hard to do. It's almost impossible.

It is a very stable product. There have been a few times where we have had to call support and have something fixed. It has happened, but it's very rare.

It seems to scale very well. We have had the same servers in for four years now, and everything's keeping up. We haven't had any issues yet, and we are probably monitoring around 400 firewalls today.

The technical support has been very responsive. If they can't figure it out, they are not afraid to go to Israel, back to the developers, and find an answer to the problem. Typically, within a day or two, they have the answer and we are back up and running. They've been great to work with.

We knew that we had to invest in something which could help us clean up our rule sets. 

We took baby steps, so the initial setup was pretty straightforward. We just started with SecureTrack, getting it talking to the firewalls, and initially using it to document justification for rules on our compliance firewalls. We have been doing more with it over the years.

We used Tufin for the deployment.

This solution has helped us reduce the time it takes to make changes. We have been using SecureChange for the last six months, and it has streamedlined the process. We can usually do changes now within two or three days, where sometimes it used to take a week or more.

Engineers are spending less time on manual processes. We can push the changes to the firewalls. The engineers don't have to log onto the firewalls, then cut and paste.

I just wrote a purchase order for it. It is a $150,000 a year.

We looked at three solutions at the time, then chose Tufin. We felt that Tufin was one of the more customizable solutions and had the best price. They came in cheaper than everyone else, and at our company, that means a lot. Thankfully, they were the best. We felt they were best of breed at the time.

Give Tufin a good, hard look. From my experience, it is the best of breed.

Right now, we're focusing the implementation on our NERC CIP firewalls (the compliance stuff). We have some other teams who will be working on the corporate side and certain clean up rules along with the rest of the corporate firewalls. We are not there yet, but we're working on it.

The primary use cases are firewall support and generating rules.

It is definitely a time saver. We can process more rules on a daily basis. It allows the customers to request their own rules. Sometimes, they need a little help, but they can submit it. As long as it passes the risk analysis, because it has to get through our NSA group. We just apply and push it that night.

We use Tufin to clean up our firewall policies. It benefits us, because you can run a query for whatever your cleanup criteria is, e.g., "Has it been hit in 90 days?" It displays the list, then you can see the rules right there. If you want to get rid of it (or highlight it), then it creates a ticket that goes ahead and flags them all as disabled. While you can delete them, we always disable first. Then, we have a strip that comes back, and if it's been disabled for 90 days, then the system will remove them.

The change workflow process is flexible and customizable. When we first got it, Tufin created a workflow based on our requirements. Since then we have modified and tweaked it. We added in Palo Alto, and we just keep adding steps. We can also add scripts. We have multiple scripts for a workflow, which makes it very flexible. You write the script and plug it into the workflow, then it's working.

We use the Unified Security Policy to automatically check if a change request will violate any security policy rules.

This solution has helped us ensure that our security policy is followed across our entire hybrid network. It is the same Unified Security Policy editing each request. It is the same set of rules. If it's good enough for Check Point, then it will be good enough for Palo Alto, and it's all zone based.

The rule provisioning is the most valuable feature. We had a ticketing system, like Remedy, which had a homegrown product. It would take your source destination port and do a bit of analysis, then give us a ticket with the spreadsheet. Then, we had to take the information from the spreadsheet and enter it into the firewall. Now, with Tufin, it identifies which firewalls, generates the rules, and you just apply them. It is a big time saver.

When it comes to searching our firewalls for things, I prefer the Policy Browser as opposed to going to the GUI. It seems just easier to search. I can start off with our Provider-1 for Check Point, search there, and get the information. Then, I can change the little drop down to say, "Okay, now go search Palo Alto." I don't have to change my search criteria, the platform pulls it right up.

We like what we have seen out of SecureTrack 2.0 with its improved search capabilities, where you can do greater than, less than, not equal, etc. Right now, if you're in there and you want to do a search, you have to write it in a specific way, since you can't use a not statement, less than, or greater than. Therefore, it will be a lot easier to maintain your USP because it has the new editor. It looks more like a spreadsheet online. I am just a little disappointed to hear because we are using SecureChange that we can't go to SecureTrack 2.0 yet. We have to wait for a couple of more versions.

On Palo Alto, we were told that you want to go with the panorama. Then, all the gateways are under it, so everything you create has to be as a shared object. When we first brought this to Tufin, Tufin said, "No, it's more secure to only have local objects." However, it sounds like Palo Alto has now convinced Tufin that shared objects is more the way to go. Otherwise, you have a lot of stuff filtering down to all the firewalls. Tufin gave us a script to plug into our workflow to make things shared, but I am expecting this will become more a part of our base product.

They have found some things, like our database is huge, which they finally realize. I guess they didn't really have in their plans to do much with shared objects on Palo Alto, but they are saying that this is what is really making our database swell. They are saying it's on their side and are putting in their fixes to fix it, which is good.

The topology needs improvement. If I click on the network tab, I can go get a cup of coffee, come back, and my topology is still not painted. Maybe, it's just because we have so many devices, but looking at the topology, it is too slow. The problem is that when I click on the network tab, I do not want to see the topology. I want to click on the "Next" button, so I can put in the source and destination, so I can see the path. However, I still have to sit there and wait for the topology to load, and it's frustrating. I'll click on topology and try to click that "Next" button in time to where I can get around it. But, typically, you have to wait for that topology to paint. When it paints it, it's just a bunch of black smudges because there is just so much there. It can't paint it to where you see something. I can always zoom out, or something like that, but it's really worthless.

It seems stable. We've had problems always with the same box, which is our SecureTrack primary. We are probably on our seventh one. The last one, Tufin took it to their site. They shook it out, tested it, and beat it up, then gave it back to us. Since we were already on the standby box, we just had it up there running. It was in the HA cluster. As soon as somebody did some switch work, it failed over. Within a couple of hours of being on that box, it crapped out. 

We have definitely added gear, so it is scalable. We've added two more distribution servers and probably seven or eight more collectors. It is definitely scalable.

We'll get somebody who is our main person, then all of a sudden they will be doing something else. One guy used to be our support person, and now, he is a TAM. 

We are a tough account. With some of the issues that we have, the support team has told us, "You are the only ones who have ever had this." We are like, "Really? Why?"

They usually come up with a solution. It may take a little longer, but they do come up with a solution.

The previous solution was written in-house. 

We had a product called Skybox and whoever wrote the app would query Skybox for compliance, etc. Then, it would generate a spreadsheet, and we had to work off the spreadsheets. They sort of knew that this wasn't very efficient.

The guy doing the initial setup made it look very easy, but it took us a little while to get up to speed on it.

We used Tufin for the deployment.

This solution has helped reduce the time it takes us to make changes. Previously, it was taking up to seven days. Now, unless there is an issue with the request, we usually have it done in a day.

We did PoCs. We looked at FireMon, AlgoSec, etc. Tufin came out on top, so we started implementing it, as it was the product that we chose.

With AlgoSec, you had to pay them for all of your workflows. So, if you wanted the workflows, you had to pay them. I don't know how quick that would be as a turnaround, because we would have had to do the whole, "Here's what I want." We didn't like that at all.

Tufin has been a good investment. Unfortunately. We've got some people in our organization who are in love with Skybox and think Skybox can do no wrong. They are trying very hard to replace Tufin with Skybox, even though Skybox hasn't even done any provisioning. I think they're just misguided. It's a product that they love, and maybe it is good at compliance, but as far as provisioning, I haven't seen it. 

Give Tufin a good look. The Tufin team is always trying to stay on top of it. When Check Point came out with a R80.10, it wasn't very long before Tufin could generate rules or provision to R80.10, which was good. Now that R80.20s are out, they can provision to those. I think R80.30 is close, but I haven't heard them saying that they can provision to that yet. They can also provision to the latest versions of Palo Alto. Since those are the two that we have, I don't know about Fortinet or Juniper, but I'm sure they're trying to stay on top of those as well.

We're not really using the cloud parts of it yet.

Our engineers are spending less time on manual processes. However, it does depends on what you call engineers. Our firewall engineers don't do much with Tufin. We had a dedicated engineer, but he changed groups with the promise that he was still going to support Tufin. He wasn't over there very long and now no longer does anything with Tufin. We are pretty much on our own. We came up with our own solutions. We have some people who are good at writing scripts and are pretty self-sufficient.

We use this solution for firewall rule management.

Using this solution has drastically cut down on our implementation time. A customer is able to submit a request for access and Tufin will automatically analyze the system to find out where the rule needs to go, and then design the rule for you. It was a very, very cumbersome process that has been cut from months to days. Some access requests used to take two months to get through the system, whereas now the average is eight days or less, and we even have a same-day turnaround in some cases.

Our engineers spend less time on manual processes. The improvement is drastic, from months to days.

Every single request that comes through, Tufin checks and does a risk assessment against our USP, the Unified Security Policy.

This solution has helped us from a compliance standpoint. During an audit, we were able to pull up the policy browser within the system and show the auditors where the rules actually live, and then show them in the firewall as well. Moreover, we could then show them the ticket and the request, along with the business justification and the entire history behind each individual rule that's in the firewall.

Tufin helps us ensure that the security policy is followed across our entire hybrid network. We have Palo Alto firewalls, Cisco firewalls, and VMware NSX firewalls as well. Tuffin sees all three of those. Every access request that comes through is checked against the USP to make sure that we're not violating any policies, and we're in compliance.

The most valuable feature is the ability to quickly identify where a rule needs to be put in place because right now we manage almost five hundred firewalls.

The visibility that this solution provides is great.

The workflow process is very customizable. I've played with it quite a bit in order to tailor it to our needs.

One of the big things that I want to see, based on feedback that I have received, is to give somebody read access to your ticket. In our previous, in-house system, this was called a "reader". Right now, Tufin's SecureChange ticketing system only allows you to see your tickets, and nobody else's unless you're a firewall administrator. That is by design. However, at our company, many people come and go and there are many large projects. We need multiple people to be able to see multiple tickets. The problem is that we can't open up the entire system to everybody because of compliance reasons. We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket. A simple drop-down that would allow you to select the name would be sufficient.

This solution is very stable. Once we got to a certain release, somewhere in version R18, it was stable. Before that, it would slow down after about a week or two of running and would cause us to have to restart the system.

We've added more servers to process the load, and it's definitely helped speed up the system.

At this time, we manage almost five hundred firewalls.

Technical support for this solution has been helpful. We also have a Tufin RE (Resident Engineer) on staff, three days a week, so that helps too.

The previous system that we used was something that was homegrown, just built in-house. It was only a ticketing system. Everything else was done manually. My employees would spend days just trying to figure out where the rules needed to be applied, and how the rules needed to be designed. It was a very long, manual process.

We used a consultant from Tufin, itself, for our deployment.

Our ROI is realized through time savings, whether it's in the deployment or redeployment of something, or any other task that requires the creation of a firewall rule. The request would be made months in advance because they knew it would take months to get it place. Nowadays, sometimes they'll find out last minute they need some rules. They'll submit the ticket, contact us, and ask for a rush order on it. If we've got somebody available, which right now we can do because we're able to turn things around faster, we can do a last-minute large request and push it through within a day or two. The savings in time is something that I don't even know if I can calculate properly.

I believe that FireMon was considered before we chose this solution.

This solution works very well and it does the job. The product is pretty solid. At the same time, some of the small customizations would be very useful. It just needs little minor tweaks to really take it to the next step.

My advice to anybody who is researching this or a similar solution is to give it a look. Don't overlook this solution because you haven't heard of Tufin, because it's actually a really decent product. 

I would rate this solution an eight out of ten.

We primarily use this solution for Change automation. We do not use USP, yet.

This solution has somewhat helped us with meeting our compliance mandates. We’re still working on it, and it’s a work in progress, but we’re better than we were.

Using this solution has helped to reduce the time it takes us to make changes. Our average was about five business days, and we’re down to same-day delivery. For some of our environments like QA and non-production, where we allow changes during the day, they can be done right away. 

Our engineers are spending significantly less time on manual processes.

The most valuable feature of this solution is that it reduces both the time required and the number of errors when making changes. We reduced the time it takes to make a change from a week down to a few hours. It means that the business gets a faster turnaround time, and our group is not as much of an obstacle for getting things done. It reduced the change error, so there is a lot less manual work being done.

The automation provided by this solution has mostly eliminated the human error element.

The most powerful thing in Tufin is the ability to use the SecureChange API, where we can supplement our own functionality in addition to what is built-in.

There are some limitations in the product and we were unable to use the Clean Up reports. 

We haven't been able to use the unified security policy and a lot of the violations and stuff like that. So, we're not getting a whole lot of visibility. Again, there are limitations there, so we haven't been able to deploy that yet.

USP does not support VPNs, which is a big thing for us, so we haven't been able to utilize it.

One thing that could be improved is the moving of data from one step to the next. As it is now, we have to manually do that via the API, but there should be a way to carry over data between the different steps without us having to code that.

It could definitely use some refinements and utilize fewer resources. It uses a lot of hardware to do not a whole lot of tasks.

This solution is stable. We don't have any issues with it, but it's a resource hog.

This solution is not entirely scalable, although we have a very small footprint, so we don't really need it to be. For our use case, it's okay. I think that the distributed architecture, which we don't use, would allow it to be a lot more scalable, but I haven't had any experience with that.

Technical support for this solution is good. We have a technical account manager and he's been right on point with most of our stuff. It's a fairly complex thing that went to R&D. It took some time, but that's to be expected.

The initial setup was completed before I was there, but I have heard that they had a lot of issues with setting up high availability. Other than that, it was pretty straightforward.

We used a G2 reseller for our deployment and it was a good experience.

Our licensing fees are approximately $250,000 USD.

This solution checks a lot of the checkboxes, but it seems to be quite limited in some of the more advanced features that the firewalls do. This can be quite restrictive in terms of what you can and can't accomplish with it.

I have indeed referred two former co-workers at another company to look at this solution. I think that it would help them significantly.

The newer, more advanced features that we would like to use are just not supported by Tufin yet. I think that it's in their roadmap, but they just aren't there yet. Specifically, we are doing things like URL filtering, user identification, decryption, and inspection, which are typically done by devices other than firewalls. Palo Alto supports it, and we're using it, but it creates some complexity with the automation.

I would rate this solution a seven out of ten.

We use the SecureTrack component for several things including the maintenance of firewall rules. Examples of this are identifying rules that are no longer in use and identifying shadowed rules that can be consolidated. We also use this solution to look for violation policies, as well as unused rules.

We use this solution in AWS and in our on-prem firewall.

The number one benefit this solution provides is time savings. Both I and another engineer save hours upon hours of work spent creating reports, which Tufin now does for us. This is reclaimed time now well spent on other things.

Tufin has done a very good job in improving upon the USP policy for violations.

Our engineers save quite a bit of time that was previously spent on manual processes.

The most valuable feature is the ability to gather all of the firewall information without having to do it manually. It makes it much easier and saves time.

We use Tufin to clean up our firewall policies. By doing so, we don’t have a bloated firewall policy that can, in the end, cost more in terms of processor overhead.

The GUI needs more visibility in terms of licensing because it is hard to tell which products and licensed and which are not.

The USP can be improved, as far as I can tell.

I would like to see better integration and compatibility with the Azure cloud. We are not using Azure today, but I've asked questions about it and there are limitations.

This solution is solid, as far as I can tell.

We haven't pushed this product to the point where we have to scale out.

I haven't had the opportunity to use technical support.

The driving force behind implementing this solution was to obtain reports that help us get to the heart of the matter, ultimately saving time.

I have worked with Tufin before, so I found it to be straightforward, out of the box.

We used a reseller and an integrator, and we are working with an integrator right now. They are G2 Deployment Advisors LLC.

I am not aware of any other solutions that were evaluated before choosing this one.

The visibility provided by this solution is invaluable. It's easy to gather this information to share within our group and also outside of our group, with for examples security compliance individuals.

We do not have mandated compliance in our environment. However, we impose it upon ourselves and this solution helps us to gauge where we are.

In terms of the cloud-native security, there are some limitations because you can only pull from it what they’re willing to give you. Overall, it’s the same as whatever we do on-premise.

My advice to anybody who is implementing this solution is to ask a lot of questions. Use this solution to the hilt during the POC, making use of anything and everything. Every place is different, so use it for what you need to and beyond, so that you get an assessment as to what it can do for you.

This solution saves us a lot of time that we don't have, but there is always room for improvement.

I would rate this solution a nine out of ten.