Tufin Orchestration Suite Reviews

The primary use case is automation.

We are using the latest version.

We find that the change workflow process is flexible and customizable. If we want to change approvers, that is very easy. If we wanted to add a step or get rid of a step, this is easily customizable.

We are using the visibility with notifications on every firewall change and what those changes were. We have visibility to see who is making the changes, and when. This is the biggest thing because we are underutilizing the product right now.

This solution has helped us meet our compliance mandates. Everything is all auditable. Every change is tracked down to the person and time.

The auditing is a valuable feature. We can be audited, because it has the ability for approvals to be set up and to put in policies. It is all automated.

So far, the stability is good.

With scalability, we are going to run into some issues. We have been talking about converting over to actual hardware as opposed to virtual. Therefore, I don't think we are scalable at this time, especially with the updates coming. I'm told that they're going to need a lot more horsepower to push them. 

As far as scalability, it is great for adding network objects and so on.

i have not talked to technical support.

As we start to dive in, I'll be reaching out to the customer success team.

The initial setup was straightforward. We did it in three days.

We used a reseller for the deployment. They were very good.

There was one other solution that we evaluated, but it didn't stack up. Tufin was the best solution.

Everything is good right now.

Reach out to whoever does your implementation and support. Ask as many questions as you can and do research.

We haven't got to the point where we've used the solution to clean our firewall policies yet. That is the next phase.

This solution won't help us ensure that our security policy is followed across our entire hybrid network until the next stage.

We're not in the cloud.

We use SecureTrack and SecureChange to manage all of our firewalls. 

We use the latest version.

The biggest benefit for us was the time frame to complete a ticket. It went from approximately a week and a half to two weeks down to about three days.

We use it to clean up our firewall policies, which gives us better security policy and less junk on the firewalls.

Risk analysis is automatically in our policy.

The most valuable feature is automation.

The visibility of the policies are very good. It sees different things. The recordings are very good.

We use a lot of workflows and have a lot of custom things developed by Professional Services. It is very customizable.

We would like better communication on tickets, a better way to do metrics, and better communication to the customer. The biggest change that my team would like right now is communication on the process of the ticket, so the customer knows where their ticket is while their waiting.

At least in our environment, the dynamic learning of the topology needs improvement.

If you would have asked me two weeks ago, I would have said the stability was excellent. However, we had some upgrade problems. They were worked out and the support was excellent in helping us get it fixed. In general, the stability is very good.

We have a very big environment. The scalability works well.

Pretty good. They know when to escalate. We never put in easy tickets, They know to escalate quickly if they have to. We have our own technical account manager too.

We invested in SecureChange to do automated workloads. When we deployed SecureChange, part of it was to automate our workloads to have more time to do more things, like making the ticketing process shorter.

Firewall rule changes went from a week and a half to around three and a half days.

We have not recently evaluated any new solutions.

Tufin is not perfect, but it's really good.

Make sure you know your environment well. Tufin will help with knowing the firewall rules, but be well-documented before you start with your security policies.

The approval process is a lot more automated, but the implementation process didn't change.

We don't use Tufin in the cloud yet.

We don't have compliance mandates.

We make use of the SecureChange and SecureTrack modules. In SecureChange, we use the Workflow, and we use the USP to see if there are any rule violations.

Using the workflow has made it easier to get approval from the manager or the CISO. Whereas earlier we used to send an email, it is now a very easy process to get approval.

I have not used the Tufin workflow to clean the firewall rules, but I have used the reports to assist me. I have built reports based on six months worth of data, then selected the rules that were not needed and performed the firewall cleanup accordingly. Now that we have SecureChange and the workflow, I think that I should use the workflow to clean the firewall rules. However, to this point, I have been using the Tufin report.

The rule cleanup and checking for rule violations are not any easier for a technical person, as they are firewall operators. At the same time, it is very much easier for the management team, such as the CISO or company managers, to perform these tasks.

With respect to visibility, many vendors claim that they are number one on the market. What I can say is that Tufin works with the Check Point firewall and the Fortinet firewalls, and this is helping us.

This solution has helped us with meeting our compliance mandates. Based on the company standards and guidelines, we configure the USP. When somethings violates it, we can make a decision whether to approve it or not, based on whether it is complying with company policies.

The most valuable feature is the workflow.

Using this solution makes it easier to manage the firewall policy.

The reports that this solution provides are very useful. The report includes information about duplicate objects, duplicate services, shadowed firewall rules, and the firewall rules that have not been needed for a specified number of days or months. It sets my Check Point database.

My team does not have a good relationship with Tufin because the provisioning team, and even our Tufin account manager, are not friendly or helpful to us. The product, itself, is fine.

I would like to see Tufin as a standalone product that does not strictly manage other firewalls, such as Check Point, but works independently. Ideally, it should not have to rely on other products.

This solution increases the time it takes to make changes. It is easy to manage the firewall policy with the Check Point management server, so the time spent with Tufin is extra.

The fact that all of the firewall policies are pushed to the CMA is a major drawback of the schedule window.

Tufin is very stable, and I would say that there are no major outages. Sometimes the connection between Tufin and the management servers gets broken, and I don't know the reason, but apart from that, it is very stable.

We can add as many firewalls as we need to, as long as we purchase the licenses, so it has good scalability.

Technical support for this solution is the worst. I would give it a zero ranking. Compared to Check Point and Fortinet, Tufin technical support is the worst.

Even the provision service team does not like to respond to email, which is poor service.

Prior to this solution, we used email to request approval, and it is now handled by the Tufin workflow.

The initial setup of this solution was straightforward.

Our licensing fees are more than $100,000 USD per year.

We did not evaluate other products before choosing this solution.

I do find that the change workflow process is flexible and customizable, but not fully. I would say that it is seventy percent customizable, as there are pros and cons in the workflow. You cannot fully customize the workflow by yourself. There are certain limitations in the workflow, such as the inability to create a Firewall object or an IP object. You can only create or modify the Firewall object group. The other problem is the schedule window, as it pushes all of the firewalls on the CMA.

For us, this solution is a supplement. Tufin is partners with Check Point and Fortinet firewalls, but I can manage firewalls without using it. At the same time, while it is not mandatory, it is helping us.

For anybody who is considering this solution, I would say that Tufin helps you to get approval and it will help you to push your firewall policies. In the long run, when you have to manage hundreds of firewalls, it is a good thing to have.

I would rate this solution a six out of ten.

Our primary use case for this solution is firewall automation for rule requests.

We use Tufin to clean up our firewall policies, and it has benefited us by reducing our policy set. It has sped up the change request process as an overall whole.

This solution helps to ensure that our security policy is followed across the entire hybrid network. We are able to see both on-prem and cloud, and whether there are things preventing on one side or the other.

The time that we require to makes changes has been reduced from weeks to days.

Our engineers are spending less time on manual processes, with the majority of our tickets being same-day.

The most valuable feature of this solution is the ability to develop it further than what's out of the box.

The visibility is not as good as it should be. There are certain things that it doesn't have visibility to yet, but I'm hoping that it's coming. Once it has greater, fuller visibility, we can do more.

The change workflow process is flexible and customizable to a certain extent. The GUI is limited with respect to how much you can develop and visualize the process. However, there is good flexibility in the number of fields and text that you can add.

SecureTrack needs improvement, and access to SecureChange needs improvement.

Some of the features that I would like to see in the next release of this solution are:

• I would like Tufin to be supported on a container that is based in the cloud.
  
• I would like the database to be separated from the backend.
• I would like better automation support for Palo Alto.

This is a pretty stable solution. I won't say that there are no issues, but it does what they say it's going to do.

I think that the way it is architected, currently, is limited in its scalability. In the future, it should be more scalable.

Technical support for this solution is good. For a lot of the issues we have, we go directly to R&D.

We did not use another solution prior to this one.

The initial setup of this solution seemed to be straightforward until we got into the details. At that point, we found it to be complex. Once you start thinking about the things you want to do and how you want to do them, because it's so customizable, it can become complex quickly. However, not in a bad way.

We used G2 to assist us with our deployment, and they are great to work with. They're easy.

We have seen ROI, but I do not have any data points that I can share.

Our licensing fees are approximately $100,000 USD yearly.

We considered other products, but Tufin came with the best out-of-the-box solution, and with the greatest flexibility to change in the future.

We do not yet use this solution to automatically check if a change request will violate any security policy rules. We have not yet utilized this solution to help with compliance.

With respect to the cloud-native security features, we are not leveraging the cloud as much as we should with Tufin.

There could be better things out-of-the-box; However, I know that it is a solution that has to cover a wide range of industry and supportability, so therefore it's a challenge to get everyone's wants and needs.

My advice to anybody who is implementing this solution is to spend more time than you think you need on SecureTrack because it sets the standard for using SecureChange in all of the other products.

I would rate this solution a seven out of ten.

We are using the SecureChange and SecureTrack components of this solution for rule re-certification and change automation. We are still in the implementation phase, but we expect to have this solution in our production environment by October 1st.

With respect to visibility, my impression is that it will do what we need it to do, but it will take some work.

We have tested the system to see if it will automatically check to see if a change request will violate any security policy rules, and it will do what we need. We intend to use this feature in production.

We expect that this solution will help us to meet our compliance mandates.

The most valuable features are the GUI interface and the API. 

We’ve found the change workflow process to be flexible and customizable. If it could not be customized then it would be very hard for us to make it work for our company.

The integration with different products needs to be improved.

For the most part, this solution will ensure that security policy is followed across the entire network. There are certain policies that are not baked into the product yet, like our proxy solution.

The options for certain things are pretty rigid, so they need to be more customizable.

So far, the stability of the solution has been good.

We have some work to do with scaling the product, so I don't yet know about the scalability.

Technical support for this solution has been great. They've been very responsive.

We will be using Tufin to clean up our firewall rules, but we currently use AlgoSec.

Our previous solution was an end-of-life product, so we had to evaluate the options that were out there.

The initial setup of this solution is straightforward, although we haven't done full-on production yet, so I don't know what we're going to run into.

Nexum assisted us with the deployment of this solution. They are good, and we use them for everything we can.

At this stage, we have not yet seen ROI.

We evaluated other solutions, but Tufin had a better workflow.

I am unfamiliar with the cloud-native security controls that are provided. They may be worth further investigating.

Reducing the time it takes us to make changes is the goal of our implementation. We expect that our engineers will spend less time on manual processes.

We expect that this solution will do what we need it to do, but there are some quirks with the integrations for the software.

My advice to anybody who is researching this solution is to pick what's right for you and do your homework.

I would rate this solution an eight out of ten.

We primarily use SecureTrack for viewing and tracking changes to policies.

This has helped us to better clean up and audit changes to the firewall policy. Also, giving access to the other teams without giving them direct access to the firewalls, themselves, is very helpful.

This solution has also saved our architects time. They are unable to view the firewall policy directly, so they use this product to find the rules that they need. If something is being moved then they can easily create a document that has all of the existing rules.

The most valuable feature is to give people outside of the firewall group access to view the policy. Tracking is the most useful feature for us, right now. It saves time but I cannot give an estimate as to how much.

The visibility is good. We can see the policies and what changes need to be made, based on the report.

When viewing the policy there are a lot of Check Point user's inline rules, and you don't see those in our policies. It just labels them from top-down. We use a lot of inline rules, and it would be beneficial to see those from within Tufin. 

Overall the system is stable, and we have had no issues configuring it with our firewalls, or otherwise.

It is scalable in the sense that we use a lot of policies and we haven't run into any limits yet.

The solution has been pretty straightforward and I haven't had to contact tech support. Again, we're not using all of the features so perhaps that is why. I do know that there are plans to use the SecureApp and SecureChange in the future, but the trust isn't there yet for us to push down those changes.

We did not use a solution prior to this one, but we needed Tufin to give access to other teams to view the policies. We did not want to give them direct access to the firewall management system.

I would say that the initial setup was of medium difficulty. I and one other engineer completed it, and it wasn't too difficult.

The deployment, in total, took more than a year. This included bringing in every single firewall policy and making sure that it was updating and tracking.

We handled the deployment in-house.

We did not evaluate other options before choosing this solution, and I don't know who else is competing in this space with exactly the same features as Tufin.

We don't use SecureChange at the moment, although hopefully, we can get to it in the future.

With respect to having this solution automatically clean up our firewall policies, we run the report but we don’t always push those changes on. We consider the recommendations but review it manually ourselves. This does point out what we can get rid of, and where we can optimize it. Once we have the trust of our team to push these changes automatically it will be implemented, but we're not ready for that yet.

Part of the reason is that we want to be in control of the firewall policy changes. We don't want developers or anybody recommending what we should be doing.

If somebody is looking to integrate a ticketing system, and not push changes directly through their firewall management system, and they would like a third-party verifier and checker then I don't know any other products that can do that. This is especially true for Check Point firewalls, and Palo Alto.

I would rate this solution an eight out of ten.

We use this solution for firewall compliance reviews.

This solution has helped us to speed up our review process. After we do make a change, we're able to quickly review what has actually changed. 

This solution has helped us with compliance because we're able to map out certain firewall rules against compliance requirements, and we're able to write reports to show us exactly what our firewalls look like in those areas.

From our perspective, the most valuable features are the compliance and firewall reporting modules. Indirectly, we use Tufin to clean up our firewall policies. We run reports, and then use those reports to drive improvement in the firewall rules. The visibility into the Check Point firewall rules is a lot easier to look at using a Tufin report as opposed to a Check Point report.

This provides good visibility of our firewall rules. Using Check Point is a little cumbersome to get what you need, so with this solution, we’re able to filter through and better get the information.

Tufin has a lot of tools for PCI compliance, as well as other modules that support things like SOX, but there is nothing substantial out there for the NERC CIP space. It would be nice to have some automated tools for NERC CIP compliance.

One of the areas that I've had challenges with is making complicated reports. There is an ability to pull in CSVs, but I've struggled to find the format that the CSV should be in.

I could spend hours building out a policy to check the firewall rules, and then the next person comes along and they don't see it because it's stored within a user profile. Consequently, they have to build out the exact same thing for hours instead of just being able to export it, and then import it into their profile.

The stability of this solution is fine. We don't have any issues with it, at least as far as I know.

It seems to be really scalable once you have all of the modules working together. We have a broad array of subgroups that we're working on compliance with, from really small to really large, and it works well with all of them.

I've never had to deal with their technical support.

I was not part of the initial setup of this solution.

Using this solution has allowed us to reduce the amount of time we spend making changes by approximately twenty percent.

This solution has a lot of functionality that we aren't using at this point, but it seems to have the flexibility and scalability. The drawback is the lack of integrated NERC CIP.

For anybody researching this or a similar solution, I would always tell them to look at all of the available options, but Tufin does all of the things that we needed it to do.

I would rate this solution an eight out of ten.

We use this solution for workflow intake and policy cleanup. It is also used for firewall policy requests.

We make use of the ability to automatically validate changes to security policy rules. For example, we have four workflows currently in SecureChange, and for two of these workflows, the very first thing that we do in response to a policy request is to evaluate it. We check to see if the new policy is needed or not, and we determine how to proceed from there.

The biggest benefit for us is from an efficiency perspective. The longest part of our firewall policy implementation has been verifying the network and finding out where policy needs to be put in place. Tufin takes this job down from a day, to sometimes five minutes.

This solution provides a more organized manner for us to track towards compliance for our PCI audits.

The most valuable feature for us is the topology validation that is part of the workflow.

This visibility that this solution provides is better than that of the competitors that I have looked at.

When this solution works in the way that we need it to, my impressions of the change impact analysis are very good. The hardest thing for us is the inefficiencies with topology. This often means that the results we get are inaccurate.

One feature that is missing is the ability to assign a step in the workflow to a specific user at a specific time, based on how the previous steps of the workflow have been handled.

For the traditional application, SecureChange, my impressions of its cloud mandated security features are not very good. Tufin Iris looks more promising.

We have had issues with the stability of this solution, and the basic technical support is not very good.

In the next release of this solution, I would like to see the normalization of configuration files as they're brought in so that there can be some regular expressions set up to parse them. I would like to see additional cloud support, and the inclusion of security tags as a way of determining risk in the USP.

So far, our impressions of stability are not very good. We have already had to RMA one of our boxes, and it was not being utilized very heavily. We've had different issues on some of our other devices, as well.

Scalability is hard for me to say based on what we have deployed so far. We do have issues, but it's hard for me to say whether they are because of the hardware, or are an issue of scale.

The basic technical support for this solution is not very good. However, the Critical Situation Team is actually very good. I would say that the support experience depends on which group you get put under.

Prior to implementing this solution, the majority of our security engineering's time was spent working with these policy requests. It was a manual process where a requester would submit and Excel sheet, and the changes were being done from there. This was not leaving time for that team to work on projects and initiatives that were furthering or bettering the company. We started looking into Tufin as a way to automate some of that process and free up some of their time.

The initial setup of this solution is very complex. Putting all of the devices into the topology, and then getting it to a place where it can provide meaningful and accurate results, and then building the USP on top of that, are all very complex. Out of the box, I don't think that Tufin really provides very much until you get through a lot of those complexities.

We handled the deployment in-house.

I'm sure that there is ROI with the time savings that we received, or that we get as part of working the secure change workflows, but I couldn't speak to any hard numbers.

The shortlist included both Tufin and AlgoSec. Our evaluation showed that Tufin's features were on par with AlgoSec, but Tufin was the better financial choice.

Prior to using this solution, our SLA for any change that went into production was ten days. We’ve now lowered that down to two days.

For the most part, our engineers are spending less time on manual processes, but this is when the topology works the way it's supposed to. When it isn’t working the way it's supposed to, then they spend more time than they would normally.

My advice to anybody who is implementing this solution is to start small. Pick an area of your network and deploy Tufin, then get it working in a manner that suits your needs. After this, expand it out to the entirety of your network.

This is a good solution but it is not perfect. There is a lot of stuff that is unsupported and it is inefficient.

I would rate this solution a seven out of ten.