Tufin Orchestration Suite Reviews

We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control.

We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation.

I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of installations and initial configurations and also some first-level support and maintenance.

I have seen our customers benefit by taking out massive amounts of duplicate objects, and overly permissive rules. Tufin helps to clean up their firewall policies. A common scenario we see is one where clients have a whole lot of shadowed rules, duplicate rules, in their firewall policies. Tufin's Policy Browser allows them to filter them and search for them. They can also search for those rules that violate certain Unified Security Policies that they've defined.

Every single one of our SecureChange customers has seen significant improvement in the time it takes to make a change.

The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions. I'm a little biased because that's what I work with the most, but I have found, especially in comparison to other products I've interacted with, that the Tufin APIs are very well-documented. And the big thing about them is you can do pretty much anything with them that you can do in the UI. From what I've seen, the big focus of SecureChange, in particular, is automation. And you can't have automation - or complete automation - without the ability to interconnect with other systems. The APIs really assist with that.

All of the customers I have worked with who have the SecureChange product use the change request violation risk analysis in the workflows. It is usually the third step of every workflow that I configure. For example, we have an energy customer that has a particular team of people which deals with a given workflow if it has risks. They have Tufin set up to automatically run the risk reports and, in the next step, if the risk is considered low, it goes to one team; if it's considered medium, it goes to a different team. That really allows them to move their changes along without too much human intervention or too much delay.

The solution allows for the creation of custom policies, which is helpful for rule cleanup and USP.

The visibility is as good as I’ve seen in any network product. It also has its own firewall stuff for Cisco routers.

The support for cloud-native security is pretty good. We have a large customer that uses AWS and AssumeRole, and they have 200 or 300 AWS accounts. They are pretty satisfied with the solution.

Tufin also supports all sorts of devices, cloud or otherwise. I've definitely seen unified security policies applied to both cloud and regular devices. Cisco, Palo Alto, you name it.

Support for Firepower is still ramping up, but meanwhile, some things are missing.

I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that.

This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow.

There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."

I haven't run into very many issues with stability. HA is the only weak point that I've seen. In the past, a lot of the HA upgrades had to be done separately. Recently, I had an HA upgrade that failed during the process, and we had to restore from a backup.

This solution is extremely scalable. I've seen customers with multiple hundreds of firewalls and there are no issues. The specs that they post on their Knowledge Base are pretty accurate as far as performance goes.

Technical support for this solution is very good. Every time I run into an issue that I can't resolve with a customer, I reach out. There has not been one that was not resolved.

Clients typically choose Tufin for a feature that it supports which other solutions don't have: a certain firewall or perhaps provisionings on a certain firewall. Tufin tends to release new versions very quickly with changes that are high-value. Also, as mentioned, the SecureChange workflow solution is very flexible.

The initial setup is pretty straightforward, as all you need to install it are IPs and credentials for your firewalls. However, once you go beyond that, the effort you put in is what you get out. In terms of creating zones and Unified Security Policy, those are things that you work on for years.

We handle the installation and configuration of this solution for our clients.

There are certainly clients that consider FireMon and AlgoSec.

The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation.

The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic.

This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows.

The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product.

I would rate this product a nine out of ten. There is a lot that can be sped up in Tufin if you have someone to help you through it.

We use this solution for firewall compliance reviews.

This solution has helped us to speed up our review process. After we do make a change, we're able to quickly review what has actually changed. 

This solution has helped us with compliance because we're able to map out certain firewall rules against compliance requirements, and we're able to write reports to show us exactly what our firewalls look like in those areas.

From our perspective, the most valuable features are the compliance and firewall reporting modules. Indirectly, we use Tufin to clean up our firewall policies. We run reports, and then use those reports to drive improvement in the firewall rules. The visibility into the Check Point firewall rules is a lot easier to look at using a Tufin report as opposed to a Check Point report.

This provides good visibility of our firewall rules. Using Check Point is a little cumbersome to get what you need, so with this solution, we’re able to filter through and better get the information.

Tufin has a lot of tools for PCI compliance, as well as other modules that support things like SOX, but there is nothing substantial out there for the NERC CIP space. It would be nice to have some automated tools for NERC CIP compliance.

One of the areas that I've had challenges with is making complicated reports. There is an ability to pull in CSVs, but I've struggled to find the format that the CSV should be in.

I could spend hours building out a policy to check the firewall rules, and then the next person comes along and they don't see it because it's stored within a user profile. Consequently, they have to build out the exact same thing for hours instead of just being able to export it, and then import it into their profile.

The stability of this solution is fine. We don't have any issues with it, at least as far as I know.

It seems to be really scalable once you have all of the modules working together. We have a broad array of subgroups that we're working on compliance with, from really small to really large, and it works well with all of them.

I've never had to deal with their technical support.

I was not part of the initial setup of this solution.

Using this solution has allowed us to reduce the amount of time we spend making changes by approximately twenty percent.

This solution has a lot of functionality that we aren't using at this point, but it seems to have the flexibility and scalability. The drawback is the lack of integrated NERC CIP.

For anybody researching this or a similar solution, I would always tell them to look at all of the available options, but Tufin does all of the things that we needed it to do.

I would rate this solution an eight out of ten.

We use this solution for workflow intake and policy cleanup. It is also used for firewall policy requests.

We make use of the ability to automatically validate changes to security policy rules. For example, we have four workflows currently in SecureChange, and for two of these workflows, the very first thing that we do in response to a policy request is to evaluate it. We check to see if the new policy is needed or not, and we determine how to proceed from there.

The biggest benefit for us is from an efficiency perspective. The longest part of our firewall policy implementation has been verifying the network and finding out where policy needs to be put in place. Tufin takes this job down from a day, to sometimes five minutes.

This solution provides a more organized manner for us to track towards compliance for our PCI audits.

The most valuable feature for us is the topology validation that is part of the workflow.

This visibility that this solution provides is better than that of the competitors that I have looked at.

When this solution works in the way that we need it to, my impressions of the change impact analysis are very good. The hardest thing for us is the inefficiencies with topology. This often means that the results we get are inaccurate.

One feature that is missing is the ability to assign a step in the workflow to a specific user at a specific time, based on how the previous steps of the workflow have been handled.

For the traditional application, SecureChange, my impressions of its cloud mandated security features are not very good. Tufin Iris looks more promising.

We have had issues with the stability of this solution, and the basic technical support is not very good.

In the next release of this solution, I would like to see the normalization of configuration files as they're brought in so that there can be some regular expressions set up to parse them. I would like to see additional cloud support, and the inclusion of security tags as a way of determining risk in the USP.

So far, our impressions of stability are not very good. We have already had to RMA one of our boxes, and it was not being utilized very heavily. We've had different issues on some of our other devices, as well.

Scalability is hard for me to say based on what we have deployed so far. We do have issues, but it's hard for me to say whether they are because of the hardware, or are an issue of scale.

The basic technical support for this solution is not very good. However, the Critical Situation Team is actually very good. I would say that the support experience depends on which group you get put under.

Prior to implementing this solution, the majority of our security engineering's time was spent working with these policy requests. It was a manual process where a requester would submit and Excel sheet, and the changes were being done from there. This was not leaving time for that team to work on projects and initiatives that were furthering or bettering the company. We started looking into Tufin as a way to automate some of that process and free up some of their time.

The initial setup of this solution is very complex. Putting all of the devices into the topology, and then getting it to a place where it can provide meaningful and accurate results, and then building the USP on top of that, are all very complex. Out of the box, I don't think that Tufin really provides very much until you get through a lot of those complexities.

We handled the deployment in-house.

I'm sure that there is ROI with the time savings that we received, or that we get as part of working the secure change workflows, but I couldn't speak to any hard numbers.

The shortlist included both Tufin and AlgoSec. Our evaluation showed that Tufin's features were on par with AlgoSec, but Tufin was the better financial choice.

Prior to using this solution, our SLA for any change that went into production was ten days. We’ve now lowered that down to two days.

For the most part, our engineers are spending less time on manual processes, but this is when the topology works the way it's supposed to. When it isn’t working the way it's supposed to, then they spend more time than they would normally.

My advice to anybody who is implementing this solution is to start small. Pick an area of your network and deploy Tufin, then get it working in a manner that suits your needs. After this, expand it out to the entirety of your network.

This is a good solution but it is not perfect. There is a lot of stuff that is unsupported and it is inefficient.

I would rate this solution a seven out of ten.

We deployed a proof of concept. We added most of our firewall base to Tufin, although not all. We checked and tested Check Point, Palo Alto, Juniper, Cisco routers, Juniper routers, and F5 load balancers. Mostly we grabbed one instance of each of our technology devices, added it to Tufin, and tried different things. We tried SecureTrack and some basic SecureChange to try to automate our firewall partitions, the firewall "tickets." We presented a form to users to enter the source, destination, service, etc. This was our PoC.

Right now, we're in the process of purchasing Tufin.

With path analysis, you can specify a source, a destination, and a port and it will tell you whether it's blocked or not, and where; which firewall is doing the blocking or the allowing, or whatever. That part is very useful. When you have feedback from the user and you have your source, destination, and port, instead of trying to search on the Check Point console or the Panorama console or the Juniper console to figure out where that packet being dropped, you go to Tufin, put it in and, in 30 seconds, you have your answer. 

It saves time on each ticket. Instead of playing around for 15 or 20 minutes, it's down to 30 seconds. Any first-line of support can go to Tufin, put in the source, destination, and port and they can at least know what to look for, who to involve to further troubleshoot the issue. It's a first-step investigation that saves time.

It also helps us ensure that our security policies are followed across our entire hybrid network.

SecureChange is the most interesting part. It all comes down to having the user request firewall access and SecureChange, based on workflows, takes care of it, sending two or three emails to the business approvers. With one click, you can automate a firewall rule. We have many problems like, I imagine, the whole industry, with delays in implementing firewall rules.

SecureTrack provides all these regulations, PCI kinds of things, so you can try to match all your security policies and firewall configuration to the standard. 

There is also a feature to optimize firewall policies that will delete duplicate objects and rearrange the rules so the machine will function faster.

In addition, the change impact analysis capabilities allow you to do automatic checks of whatever rules you are implementing.

Finally, the change workflow process is flexible and customizable. I was really impressed with it. It's pretty easy. You can add automatic validation steps. Depending on the security matrix, you can pre-allow whatever flow you want. You can do your change analysis automatically or risk analysis automatically; whichever steps you want. It's pretty cool.

The visibility that Tufin provides us with is improvable. The interface is like a 1990s kind of thing. It's a little ugly. There are many things that you cannot tweak, little things like the column width and how you display the information. You end up exporting everything to an Excel file and doing your work there. They tried to put too much stuff on the screen. It's a little difficult to find what we want. It's a design issue, it's not a functionality issue.

The web interface is really like going back in time 20 years. You have to move columns back and forth and make them big to see the whole text in them. If you hover over a name, it won't show the content. You have to click on it and open it. It's a bit cumbersome.

The documentation site is horrible as well. It has a tree structure, and you really get lost quite easily. If you have the patience to browse through that hell of documentation, you will find what you need, but it is hell to browse and search. The information is there, it's just difficult to filter and search it. Documentation is one thing they can improve on.

I haven't found any issues with the stability. In the beginning, it was our problem, our mistake, because we configured the box with eight gigs of RAM. Then we checked and, obviously, we needed 16. After enlarging it to 16, there was no issue whatsoever. It was pretty responsive. Obviously, it was only one user, me, doing things, but I didn't find any issues performance-wise or stability-wise.

We don't have that big of an environment. We added some 20 pairs of firewalls and another 20 or 30 routers, and one F5. I don't think we have scaled Tufin sufficiently to put it under some stress. Our DC is pretty small, we don't have many devices.

Tufin's technical support is excellent. In my old job, I also implemented Tufin, and I was in touch with their Israeli people, the technicians; they're really good. They really know their stuff. In Spain, for southern Europe, they have a couple of people. The technician there is excellent, and the commercial guy is fun. It's the perfect combination.

The setup was straightforward, absolutely. The only problem we had was with Check Point, but I think it's a Check Point problem, not a Tufin problem. Check Point is horribly configured. Managing it is hell. You have to define the OPSEC server with a user name and password, and you have to create the same thing on the provider one. They have to be same user but have different passwords. It's a little difficult. You have to pay close attention so you don't make a mistake. But I think that's a Check Point issue, not a Tufin issue.

The whole Tufin deployment took us about four months, with SecureChange, etc.

Up to the point with Check Point, it was easy. We created a read-only user for our infrastructure, and once we had connectivity from the Tufin box to all the devices, it was pretty simple. It was just IP address of the device, username, password, and go. Except Check Point. We needed to spend a day or two on that.

In terms of our implementation strategy, we wanted to test each of our technology manufacturers: F5, Check Point, Palo Alto, etc. We left our main public-facing networks out of the equation for the PoC. Whenever we implement the whole thing, we will include those. We made SecureTrack work well. We will define our security matrix correctly with all our networks, as granular as we would like it to be. Once we have that, we will go to SecureChange. So it's SecureTrack, do a good security matrix and, once we're confident with that, we'll go to SecureChange.

For deployment, it was just myself and the people who deployed the VM, with the help of Tufin's team. I'm the only one who was involved in maintaining it.

Tufin's team helped us mainly with the Check Point stuff when we ran into some problems.

In a PoC it's difficult to see ROI. Seeing how the tool performs, I think we will see a return on investment, of course.

It's not that expensive, except for Security Groups. For us, just the Security Groups were about half of the total price. The total was about €500,000 a year, of which €200,000 was for Security Groups. For the rest, it's not that expensive, given all the benefits we will get and all the time we will save.

We could only test AlgoSec for a little while. Our group is part of a larger group of products. When we were doing our PoC for AlgoSec, we were told to stop. The decision was made to move to Tufin because it has group-wise technology, chosen for the acclimation of firewall policies.

AlgoSec is much prettier, it's much simpler, and has a cleaner interface. Functionality-wise, it's pretty similar, from what I read in the AlgoSec documentation. Tufin has a few extra features, but AlgoSec is much cleaner, it's prettier.

Going with Tufin was not a technical decision, it was "politics." The largest group uses Tufin, so other group members have to use Tufin as well. It's mandatory.

Don't bother with the web interface, calm down, don't worry, everything will be fine. They will improve it. The rest of it, I don't have any issues. They're technically prepared, the tool does its thing. The only two things I would be patient with are the web interface and that documentation which is not really well organized. Besides that, it's pretty easy. It's pretty easy to configure and, once you start using it, you will see the potential. AlgoSec, Skybox, and all those tools probably have the potential as well. But Tufin is easy enough for everybody.

What we don't use, and what we are not planning to use, is the third module, the SecureApp. We haven't played with it and we're not planning on using it, for the moment.

In terms of using Tufin to automatically check if change requests will violate any security policy rules, we would love to do that. What we didn't do is build the security matrix. That part is the one that takes a lot of time to build. You have to work with the security team and all the players involved. Because we did not design the security matrix, we couldn't match a firewall rule with the security matrix and say, "Okay", or "Not okay," and do some automation there.

What we did is prepare a form for a firewall petition, and some automatic steps. For instance, in the first step, you enter the request and it sends an email to a business approver. Depending on whether that firewall or that flow is predefined as allowed or not, you can skip that step and go to the next step. We did a little bit of logic with the change-request form. It worked pretty well for us.

The purchasing process takes a little bit of time because of all the different groups involved. But we're planning on implementing it and to finish around next summer, 2020; to have both SecureTrack and SecureChange up and running.

As for compliance, we don't have many requirements. Of course, we are bound to some ISO certifications, because it's the car industry, but we don't have any specific PCI. We don't sell cars over the internet, so we don't have to do that.

When it comes to Tufin's cloud-native security features, what we have is our landing zone in AWS - a VPN tunnel from on-premise to Amazon, with Transit VPC. We have a couple of Palo Altos, securing the track from on-premise to the cloud. And we added those Palo Altos to Tufin. We needed to tweak and include some virtual devices in Tufin so the routing would be okay. But that was quite easy. It was well-documented as well.

The only problem is that we got our quotation from our supplier, and the Security Groups are extremely expensive. They bill you $1,200 dollars per Security Group per year, which is really high. We're not that big, we may have 100 or 150 Security Groups. That's would be about $200,000 just to manage Security Groups. We were put off by that. From the start, we won't have the Security Group feature. We think it's too expensive.

As for increasing our usage of Tufin, we'll go day by day and see how it responds to our requirements. SecureTrack at the beginning, then SecureChange. Maybe, if everything goes well, we will think about SecureApp. It's not in the scope at the moment, but maybe we will implement it.

I would rate Tufin a seven out of ten. It will get better once they get their act together with the documentation and the interface.

The solution is predominantly used for managing firewall changes, policy changes, and understanding those aspects.

Most people use it for the basics, even though they could use it for a lot more.

The most valuable feature is being able to customize your own clarity to that aspect of change management.

Having better visibility of what is going on. If it gets out of control, you can keep it in your head no matter how smart your administrators are.

From what I have seen, it's user-friendly.

It's a bit clunky, but that may be because of different environments, and it is struggling to get the information. It's possible that the performance issue is because of the network and not the right architecture.

I would like to see anything that is graphical, as much graphical representation of things. Modeling, and what-ifs. It becomes more intuitive and allows you to close some of the gaps between drawing stakeholders in, for example. If they ask "Why are you spending so much money on this tool?"  or "Why are you doing this?", you can show them examples and it becomes more obvious.

I would like to see AI elements included with this solution. There is quite a lot of human element in understanding the consequences of change within the firewall environment, but they might benefit from more of an AI element as well.

I am a security architect and I have been involved with it periodically for approximately five years.

It's a reliable solution.

It's a scalable product. I have dealt with companies that are pretty sizeable, and it seems to handle it.

I personally have not contacted technical support, but the information that is available on their website is pretty useful, it's pretty good.

You need to allow a fair amount of time. That is the case for all firewall management tools.

It gives the appearance of being straightforward to get going but they need a bit of time particularly to do the sorting of the matrices for example.

When planning, people should estimate it then double it, just to make sure they get things right.

Price could always be better, but there are always consequences. Normally, there are other issues that come into play. For example, you pay more and expect to lean on the vendor more for the services and support.

I have recommended this solution from time to time and I would definitely recommend it to others.

I would rate Tufin a seven out of ten.

Our customers use Tufin to manage multiple firewall access rules through a single console. We have done on-prem, public, and private deployments of this solution.

It provides very good reports. It can easily integrate with multiple firewalls, such as Cisco, Juniper, Palo Alto, and Checkpoint. 

We can push a policy from Tufin to a firewall, which is a very good feature. We can monitor all access rules and the operating system of a firewall.

Currently, we are able to monitor access rules and the operating system of a firewall. It would be great if we can also monitor the configuration of the firewall through Tufin.

I have been using this solution for the last three years.

It is very stable. It has good stability.

It has very good scalability.

Their technical support is good.

Its initial deployment is not very easy. It is a little bit complex. After the deployment, it is easy to work with it in the GUI. Its deployment takes at least two or three days.

Customers usually evaluate AlgoSec. 

I would advise others to go for it to manage firewalls from multiple brands in a single console.

I would rate Tufin a nine out of ten.

We were primarily using the solution in order to grade the firewall rules.

How the solution benefits the organization is something that is currently being tested. We're considering doing something different, as we just used this product as a POC.

The compliance aspect of the solution is its most valuable aspect.

The stability is very good.

You can easily scale the solution if you need to.

The number of features is very robust - and there are a large number of features. That's a huge selling point, which is why its popularity is where it is.

I have heard many people complain that there is a high level of complexity. It may make it difficult to work with for some people. That said, I don't have those issues with the product.

The initial setup can be tough.

The product could use better integration with the cloud.

I've been using the solution for years at this point, It's been a long time.

The stability is very, very good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. The performance is good.

The scalability of the product is excellent. If a company needs to expand it, it can do so relatively easily.

In our case, while I don't have an exact user count, I can say that there were quite a lot of people on the product.

We're talking about shifting potentially away from Tufin, however, if we had kept it would have been used extensively.

While other people have the opinion that it could be better, I've mostly been satisfied with the level of support we've received. They've been okay. I've had three or four run-ins with them and they were all positive experiences.

I also work with AlgoSec. We use both solutions currently.

The initial setup is not straightforward. It's a little difficult, a little tough. New users need to expect this before they get started.

Often, a consultant is involved in the process, as there is a large learning curve, and many companies don't have the bandwidth to ramp up the staff. Bringing on a consultant can speed up the processes a bit.

The deployment took about a month or so.

We're still working on how many people we actually require to handle the maintenance aspect of the product.

Typically, we get a consultant for everything, however, this last deployment, in particular, seemed to be more challenging for the consultant and for the staff.

That said, our experience with the consultant was very good overall.

While we are getting what we need out of the solution in terms of functionality, I haven't really looked into an exact ROI. We got what we were looking to get out of it. 

The billing and licensing aspect of the product is not something I'm a part of. I don't have any insights into the costs involved in using the solution. I cannot see if there's just a flat licensing fee or if there are other costs needed on top of that.

We are considering moving away from the solution currently. We're looking for other options. We might shift towards FireMon, however, nothing is set in stone.

We're just a customer and end-user.

We're likely not using the latest version of the solution. Currently, there is a team that directly supports it. I can't remember the exact version number off-hand.

I'd advise organizations considering the solution to do their homework first and see if they can find out from industry associations and professionals what their experience has been.

In general, I would rate the solution at a nine out of ten.

The primary use case of this solution is for monitoring, automation, policy orchestration, and security.

The most valuable feature is the monitoring. I quite enjoy the monitoring this solution provides. It allows administrators to visualize the traffic flow, and troubleshoot when necessary. It's a useful tool.

The interface is quite user-friendly and intuitive.

The cost of this solution should be improved.

They need to offer more support to vendors, such as Cisco, Checkpoint, Fortinet, and Forcepoint.

They have an API, but it needs more service on this.

While technical support is good, they could still improve.

I have been working with Tufin for one year.

It's a stable solution. There are some bugs that they are working on but that is common with any vendor.

They do mention that they don't support specific features from Nexus for some automation but it does actually work, although it is not listed as working.

Technical support is relatively good. They are not the best but they are good.

They could improve but they do respond with accurate responses.

The initial setup was straightforward. It was deployed in less than an hour.

The first time without training, it took an hour or so, but it was quite easy.

It's quite an expensive solution.

I would recommend this solution to others who are interested in using it.
I have not worked with any other vendors with this type of solution, for example, FireMon. I haven't worked with it. 

I would recommend it specifically to start with a secure track, which is a monitoring tool. Once the customer sees it, they want the solution. Afterward, for automation and secure change.

I would rate Tufin an eight out of ten.