FireMon Security Manager Reviews

FireMon is nice and provides 360-degree user views. You can also find the information you're looking for pretty easily.

I don't like that it comes with bugs, constant issues, and limited functionality. I would like to have enhanced change management reporting support for UTM features in the next release.

I have been using FireMon for six months.

On a scale from one to ten, I would give FireMon a five.

The primary use case is optimizing firewall rules.

The firewall administrators have gained time back by using this tool, simplifying the firewall rule set. The solution helps to clean up rules which have not been reviewed in several years.

It gives us the ability to go to one place to look for potential firewall rules that are inappropriate, or which don't meet compliance. Instead of manually searching hundreds of firewalls for a policy, we can go to this one location and find the rules which are now out of compliance.

The policy overview is the most valuable feature for each of the firewalls that we manage right now, as it reduces the complexity of the firewall rule set.

The AWS integration is still not mature for us to use. It is just not ready for our use case for AWS connectivity. Therefore, it does not provide us with a single pane of glass for our cloud environments, because we can't manage our cloud environment with the tool.

The map needs improvement in our network. The tool should be able to map out the path of flow from one firewall through our network. However, it does not understand our routing environment, so it cannot do that for us.

We would like it if this solution could provided us with end-to-end change automation for the entire rule lifecycle, but the map feature cannot support our environment, for now.

It is stable, which is acceptable. I don't have any negatives with it. This is not a concern of mine, as we don't have any issues with stability.

We have probably one full-time equivalent managing the tool right now. Our ultimate end goal, that I am envisioning, is that we would need more support to manage the tool.

All the vendors in this space seem to overpromise and underdeliver on scalability. They all claim they scale the best, but none of them really do. This is an area that could be improved. It is the same with high availability. High availability for geographic separation is also an area that could be improved.

Right now, at this stage, only our firewall admins are using it. This is a team of about 20.

The technical support has been very responsive. They have helped us with all of the issues that we have encountered.

We didn't use a previous solution.

The initial setup was straightforward. The wizard was easy to use. So, the initial installation of the tool was easy. However, when you get back into configuring the details for the map to obtain that single pane of glass view for the entire network, it was not well thought out and it could use improvement.

I would still consider us in an early phase of deployment, even though we've been using it for two years. We don't have all the firewalls licensed, so they are not all being managed by the tool. I would say we're still not done deploying it. We're still waiting on features to be developed by FireMon, so we can use it in our environment.

Our implementation strategy was to license the high value firewalls first, trying to start getting them managed by the tool, then we were hoping to do an initial pilot for firewall rule change management. However, we were never able to get to that step because the tool can't manage our network, or doesn't understand our network.

We used FireMon Professional Services.

We have not met a return on investment with this tool yet.

For the firewalls that we manage, it does help reduce our overall audit time.

We don't license all of the devices in our network, so it does not provide us with a comprehensive visibility of all devices in a hybrid network at this time.

I'm not involved in our licensing costs, but I do know that FireMon has a wide variety of different licensing options.

During our proof of concept phase, we also evaluated Tufin, AlgoSec, and Skybox. We chose FireMon based on a few different things, but the main one was that they were a US-based vendor and the others were Israeli.

Each deployment scenario will be unique. A robust proof of concept is key to make sure it will meet all of your intended use cases.

The solution is managing 25 percent of our firewalls right now. We probably won't increase usage until we can get the required features for firewall change rule management to work correctly. We probably will not increase usage until that works.

I would rate it as a six (out of ten). We need the end-to-end mapping feature working to make it a ten. That is just our next phase. I don't know what other problems that we will run into. There is a lot to deploy before we can give all the details of what we need to make it a ten. There is integration with ServiceNow and some of our other tools. We have to make sure all that is working before we could give it a ten.

The primary use case is for compliance and monitoring of firewall changes. This solution allows us to secure our firewalls.

It is the single place where we go to review all of our firewall changes. The solution makes it easier for us to track all the changes made. It is a central place where we can look at all the firewall rules, because we have three different firewall vendors. It saves us time and creates efficiencies by looking at the general picture. 

This solution has helped to clean up rules that had not been reviewed in several years. It is used for all of our firewall changes. At the moment, we are not looking to do more than use it for that.

This solution has helped to reduce our overall audit time. We are under PCI, so it was a requirement. We had to do something like this, and it just made it easier. The solution was prebuilt to do that, and we didn't have to build our own spreadsheet.

The most valuable feature is being able to review all the firewall changes in the Policy Planner, and then in the policy review feature.

This solution provide us with comprehensive visibility of all our devices in a hybrid network.

It is fairly straightforward to use.

We had a few minor issues with it. However, it's worked pretty well for us overall.

The stability has been fairly decent, but there have been a few issues. My coworker has had some issues in the past where he has had to work with support.

It seems fairly scalable.

There are not a whole lot of users. It is mainly just my team. Every once in a while, one of my users will submit a request for it, but that doesn't happen very often. It is primarily just my team.

From what I have heard, the technical support is fairly good. However, I have not used them in a few years.

I didn't really have another solution that I was using before it.

We had it when I started here five years ago.

We had another guy who primarily worked on the setup because he actually used to work at FireMon. So, I haven't really done the setup on it in quite a few years.

The deployment was fairly straightforward.

We did the implementation in-house.

We have one guy, who previously worked for FireMon, managing the solution right now. 

We pay for it yearly.

We might have looked at Tufin.

It is fairly straightforward to use, and I haven't really had a whole lot of issues with it.

This solution provide us with end-to-end change automation for the entire rule lifecycle of firewalls. It does it from the request, then all the way through the approval cycle.

We really haven't done much with this solution’s cloud support automation for public cloud platforms. We are just doing on-premise.

We use FireMon for compliance reporting. Also, because it provides a roadmap for us to start doing workflow automation - not to be confused with other forms of automation that occur in the firewall realm - we use it to see the processes and procedures that we can automate and enforce. These include approval processes, review processes, and pre- and post-implementation validation.

Any organization will have a best practice of looking at their firewalls at least once a year, going line-by-line. But whenever we have something like a PCI assessor coming in, we want to make sure we do our due diligence. We want to look at anything that has popped up, or that we might be unaware of, or that we put on the back burner, because it's impactful to the business. We can't really do that unless we can query our environment or set it up to keep us informed of everything that conflicts with our best practices. That's where we get the great majority of the value out of the product.

One of the most concrete examples of how it has helped our organization - and it's not the most spectacular example - is that with Security Manager specifically, we have the ability, as security engineers, to review and approve firewall rules before they are implemented, even though that task is performed by our networking engineers. What that allows us to do is maintain a separation of duties, which is very important for a lot of compliance checks. I can't be the person who makes a rule and the person who says that the rule that I just made is okay and up to standards. There's a conflict of interest there.

So one of the main things that adds value or improves the security posture of our environment is the ability to separate roles and responsibilities. As part of our processes, I can say to the networking team, "Submit to me what it is that you're planning on doing." Using FireMon, I can look at the firewall and the firewall rule without having to have access to the actual firewall. After they are done with their change, I can validate that what I said they could do matches what they actually did do. Having that mechanism as an option in our environment holds everyone up to a higher level of best practices, because they know someone can validate that they're not just doing whatever they want to do without anybody being the wiser about it.

The solution helps to close a visibility gap we previously had. That goes back to reemphasizing the fact that we're trying to maintain that separation between security engineers and network engineers. I don't want access to the firewalls themselves, but I am accountable for every rule that's on them. Everything we do goes through FireMon. Is it instrumental in my being able to see something and correct it? Absolutely.

Because of FireMon, we have found several instances of objects that were created where the intent was for it to be four ports, but it got fat-fingered and someone put in a much wider port range. It has helped us to identify misconfigurations. It has helped us to identify out-of-band changes, where stuff was done that wasn't necessarily approved. Because it has its own repository of industry best-practices, it has helped us to highlight hundreds of rules that have unwanted objects in them. If I don't have to spend two days walking through all of our firewalls to do that, and I can run a report that I know is pulling back authoritative information, then I'm able to accomplish more because of it.

It certainly helps reduce our overall auditing time. The alternative to not having the product is doing a manual review. What the product is designed to do is to show me everything that violates this standard or that rule. If I can do that - and even if I have to spend a day or two coming up with standards and the rules for me to check against - in two days I have the results that a manual process would take me several weeks to achieve. Now, cleanup still takes just as long. I can't say, "Fix all of these," and it automatically cuts tickets for me - yet. With proper future-proofing, optimization, and integration, it would be able to do that for us as well. But overall, it definitely helps reduce auditing time.

Another advantage is that is has helped to clean up rules that have not been reviewed in several years. There are thousands of rules every year that we clean up directly, based off of the reports.

To give more context to this answer, one of the main functions of anyone in security is: If we don't need it, we need to get rid of it. But there's always that battle between the needs of enforcing best practices and accommodating the business. Anyone who has ever used this solution, or competitors' solutions, or gone through a firewall cleanup process, has experienced this scenario: "Well, we deleted 300 rules and something broke and now we need to find out which of those rules we need to turn back on." And that happened because they were working from a report that they only ran once a month or once a quarter. What this tool allows me to do is not only disable unused rules, but to specify conditions like, "anything that is unused for at least six months, or at least a year." I can now put unused rules into different categories. Something hasn't been used in a year is very low risk. If it was used two months ago, there's a higher risk if I disable it. So it helps reduce potential impact, which is a unique feature.

The most valuable feature is the reporting capability because everything that we do is a result of our being able to query a report, based on our environment and our PCI compliance efforts.

The current health and monitoring of the devices is atrocious. I know of several engineers within the company to whom I've mentioned this to and they say, "I know, I've been telling the devs that." They would back me up on my statement.

Here's the bad part, and it's hard to articulate without having like a visual that you and I are sharing. But imagine you have a list of 200 devices, and you can grade each of those devices as either green, yellow, or red. However, there might be three different reasons for you to go to red, or eight different reasons to go to yellow, and all of those things could be combined. As long as all of them are good, that's the only way that you're going to get green. Out of all those categories, I only find one or two of them that are, perhaps, pertinent. I only care if it's not communicating at all, or it hasn't communicated in the last 48 hours. If the last time that it pulled down information it took three minutes instead of one minute, I don't care about that. 

The way that the health and monitoring works right now is that for all these devices, instead of breaking out all those different things, or allowing me to judge what I think is pertinent or not, I have to see the lowest common denominator. I might have 40 percent of my devices saying that they're in a critical state, when in reality, according to my standards, maybe only five percent of them are. I don't have the time to sit here and click on a dropdown and dig into 100 different devices every day of the week. Essentially, because of the way it works right now, I don't resolve something until I've become personally aware that a firewall isn't communicating with FireMon at a given time.

It's not something that is optimized so that an engineer can run a report, take screenshots, and make a little run-book to hand over to level-two support and say, "Here, you guys do this every day as a repeatable process. Make sure that if we have any issues, we open tickets about them." Right now, the overhead of conducting a thorough day-to-day assay of the health of our environment would take several hours. Functionally and logistically, we just can't accomplish that goal right now.

The solution is stable. The main platform has gone through many iterations of version upgrades with no problems, no hitches. The devices themselves are very stable. The most frequent problem that we have is the loss of connectivity between firewalls and FireMon. That's more due to configuration changes on the firewall side, as opposed to anything that has to with the actual FireMon devices.

It's very scalable.

We have about 60 users configured and that's because everyone on both my team and the networking team has access to it. But we never have more than four concurrent users.

We intend to increase usage, but the goal is to move down the path of integration with our ticketing solution and the actual firewalls themselves. Right now they communicate, but they're not necessarily integrated. Once we achieve that, then instead of network engineers logging into firewalls to do firewall things, they'll be shoehorned into performing everything that they're doing now within FireMon - meaning Security Manager - rather than it being something they pull up whenever they have a use for it. The intent is to make it more of a foundational piece of our operational procedures.

Tech support is really good. If I've praised anything so far, as far as the vendor or the product goes, it would pale in comparison to how much I want to give credit to all of their tech support and their higher-level engineers, like the regional engineers and some of the folks back at headquarters. Whenever I call in and I say, "Hey, I need someone to walk me through this thing that I'm trying to do and I don't want to open up a ticket for it," at several different levels I've always received some of the best customer support and competent feedback, compared to any other solution that I've used.

I've been an engineer for about 15 years so I've owned a lot of technologies for different things in the security arena. I used to be a Cisco firewall admin. That's not necessarily a competitor, but I know what it's like to own IBM products, or Cisco products, or Check Point, or a whole wealth of smaller vendors. To put FireMon's support service on a pedestal, in comparison to everyone else, is pretty accurate as far as I'm concerned.

For this type of use, we did not have a previous solution. Another team already owned this product in our company and we assumed ownership of the product from them.

The initial setup was very straightforward. There are three different versions of the appliance that you can have, but they all come from the same ISO. They're just set up differently, depending on how you go through a configuration process. Everything is virtual. Even if I had to completely rebuild my entire infrastructure, it wouldn't take more than a day.

With all the processes and procedures around testing and only doing stuff during change windows, our original deployment took less than two weeks. For us, that is a pretty good turnaround time for deploying something, going through all the proper procedures and pre-requisites, validation tasks, etc. It wasn't a dedicated two weeks. I only have certain four-hour change windows for when I can accomplish tasks.

Our implementation strategy was that we sat down with a vendor engineer and we talked about how this needs to look. We took that and ran with it. It wasn't a run-book implementation strategy, no. But the vendor made sure that we were very clear on what we were building, how we were building it, how it all needed to talk to each other, and what access it needed to the rest of our network. It's simple enough that we didn't need more of a strategy, the kind you might need with a more complex infrastructure product.

In terms of the staff for maintenance and deployment, maintenance is a vague term. Let me give you two different answers. The actual maintenance of the solution really only occurs whenever the networking team has made a change on a reporting device, and I need them to make sure that they get it working with FireMon again; or, whenever we perform an upgrade. So that's a minimal amount of time, maybe five hours monthly. But, the whole job of one of my operations team's members is to review firewall changes, approve them, validate that they were done correctly, and to run reports monthly and quarterly against out compliance posture. All of that is done within the solution. There are some folks who spend 80 hours per paycheck inside of FireMon.

I, and another engineer from the networking side of the house, managed the deployment independently with FireMon technical support.

Even if it wasn't financially related, I don't have the background where I could authoritatively speak to you about any specific ROI. I can say that I'm sure it's paid for itself several times over, but I would actually have to have seen what a calendar year was like before and after having the product.

The best advice that I could give, honestly, would be not to look at a product for a short-term goal. Speak with the vendor about the maturity model that you want to go down and the roadmap that you have for your organization. They have a lot of different components and products that complement each other. I'm still waiting to do stuff now or next year that I wish I could have gotten funding for three years ago.

If you're going to engage and move forward with something, try to future-proof what you're signing yourself up for. Take into consideration where your roadmap is taking you. If there is something you know you're going to do in two years, and they have this other product that supports that effort and can provide greater ROI between now and then, go ahead and lump that into it.

As far as the solution's cloud support automation for public cloud platforms goes, I have used it and looked at it enough to ensure that it aligns with our roadmap. I feel it's there, but we're not currently utilizing the functionality. The solution would provide us with a single pane of glass for on-premise and cloud environments, but we're not using a production cloud environment at this time. However, I have made sure that whenever that does become a bigger footprint in our infrastructure, everything's going to be in place for us, as far as FireMon as a solution is concerned.

The solution provides us with the option to have comprehensive visibility of all devices, but a prerequisite to it being able to provide that information is that the owners of the solution have to optimize and educate FireMon. That has not necessarily been a high concern of ours. It hasn't been a primary responsibility over the years for me to take my network map and input it into the device. For me, it doesn't fulfill that function, but that's not necessarily a reflection of the tool's abilities.

In terms of using the solution to conduct a full inventory of our assets to secure everything, the Security Manager portion of it, alone, won't be able to perform that function. I think that there are a couple of other options that the vendor provides which address that need, but it's not something that we've invested in. Immediate Insight is the tool that associates itself with that kind of task. It's not something that we currently have the plugin for.

End-to-end change automation for the entire rule lifecycle is something we're moving towards. It is something we have on our roadmap and that we've worked out with the vendor, to make sure we'll be getting funding for that integration. Integration is required to create that full automation. FireMon does support that and it's something that we're actively pursuing, but we have not submitted funding for it yet.

I would certainly give it a nine out of ten because there's always room for improvement. Also, once I'm happy with a vendor, I'm not necessarily interested in whatever their competitors are doing. If I was sitting down with FireMon and all of their competitors every year, I might be able to say, "Hey, Tufin is doing this, why aren't you guys doing this?" But I don't do that. I would only feel comfortable giving a ten if I went through that process. I'm very happy with the solution for what it is, for how much it reduces my overhead, and how much it allows me to do things that, otherwise, I just wouldn't have the option of doing.

We use it to go through unused rules, for cleaning up stuff. We have a bi-weekly meeting where we go through firewalls and look for any unused rules or any rules that are redundant and any high ports that are being used that we're not supposed to use. 

We want to eliminate all firewall rules that have FTP access on them. We don't want to use FTP any longer. With the help of FireMon, we were able to go in and check all the firewalls that have rules with FTP on them and we opened up a project with the network team so we could eliminate all those rules.

FireMon has been very helpful with closing visibility gaps we previously had. Since I got here, it has helped us dig into stuff. And whatever help we need, any projects we have that we haven't been able to figure out by ourselves, they have gone in and helped us out.

I called them once because I wanted to see if they had a report that I could run for rules that have not been used in 365 days. With their help, I was able to run that report and provide it to the network team so they could eliminate those rules that had not been hit in a year. The list I gave to the network team had 7,917 rules.

Finally, the solution has helped to reduce our overall audit time by about 50 percent. That's awesome.

I'm working mostly with the Security Manager part of FireMon. It gives me an eye on everything that's out there, everything that I cannot see. Because I'm not a network admin, I cannot go to a firewall itself, but at least I have FireMon so that I can go in and view everything that I want to view. And I can eliminate whatever I see that is wrong.

We also use FireMon to conduct a full inventory of our assets so that we can secure everything. For example, our parent company has three retail brands. The other day, my director asked me for an inventory of all brands: every firewall, Cisco device, whatever we are using, and to give him a break down. I was able to go to FireMon, grab everything, put it in an Excel sheet, and break it down by brand and by DMZ and PCI environment as well.

In addition, it's very easy to navigate. Very easy.

We're working on implementing FireMon with our ticketing system service now. Having that would be an improvement. I believe they said that they are working on that for the future. That would help us out a lot. For example, when somebody wants to open a request for a firewall change, we'll go through ServiceNow, and then go through FireMon, make the changes, and make sure everything is recorded, who did it, etc.

The stability is very good.

The scalability is great.

Technical support is very helpful. On a scale from one to ten, I give them a high ten. You can either use their User Center and open up a ticket via the web, they're pretty quick about it, or you can call them directly. They have a number to call their Help Desk and they pretty much pick up right away. 

They'll go into your machine right away if you need help. I have hardly escalated anything to a Level 2 or Level 3 because right away, whoever picks up the phone is knowledgeable and will resolve it.

I'm not sure if FireMon has saved us money, but I know it has saved time in cleaning up the whole company and has helped reduce all that ugliness that we had.

We pay on a yearly basis but my manager takes care of it. Regarding additional costs, if you want things like Policy Optimizer, extra features, that's extra.

Before the parent company bought us, we used to have another product - I don't want to say its name - but it wasn't like FireMon. FireMon is way out there. It has all these features. I'm still learning it and I have almost a year-and-a-half of experience using it. It just has a lot of stuff that my other tool did not have at all. There's so much visibility in it and stuff to play with that my other tool did not have. I really like FireMon.

One of the products I used was Tufin. It wasn't like anything like FireMon. You couldn't do the stuff you can do with FireMon, in terms of the Policy Planner option and the Policy Optimizer. All you could do in Tufin was view the rules, how many hits; basic stuff.

In terms of what I've used so far in my career, FireMon is one of the best. Try it out, it won't hurt. Give it a shot. It's the best, for me. It has everything that any company would need. It's easy to navigate, there is a lot of helpful stuff in their User Center, in their Knowledge Base. Everything's there. You don't really need to bother them a lot. If you want to know something, they have documents in their User Center. It's a very good product.

In terms of FireMon's cloud support automation for public cloud platforms, we did ask for that. We are actually going to the cloud in a few months. We just asked that question last week. They did say that they do support that, but that's all we've talked about in terms of cloud.

We use FireMon every day. And we have plans to increase usage. Where I came from, we only have regular firewalls in there right now. We're looking to implement our retail stores' firewall devices as well, which is about 200 stores. We're definitely going to implement that so we can see our retail stores' environments in it.

We do have Policy Planner, but I haven't started playing with it yet. We're also looking to get Policy Optimizer, but we still haven't gotten the license for it. Security Manager is the one I mostly play with.

When I came to this company, I have to say, they were very sloppy. That's why they gave me this role, to focus on stuff like this.  We have cleaned out a lot in a year-and-a-half and we're still cleaning. It's so big, so many firewalls out there.

We have the network team as read-only users. There are about six of them on that team. The network team members are the ones who handle the firewall; they're the ones that make the actual changes. So sometimes they go into FireMon and run reports to view things. I don't know what types of reports they run, but we gave them the read-only access for that. In addition, there are three admins: me, as an InfoSec ops technician, my coworker, and my manager. My director is also a user. For deployment and maintenance of FireMon, it's just me and my coworker.

I rate FireMon at ten out of ten. I am very happy with the tool.

We use it for firewall cleanup, redundant rule removal, and unused rule removal.

We are using the solution to identify anything that might have overly permissive rules or things outside of PCI compliance. We use it to proactively find those kinds of issues. There's more we could be doing with it for sure, we just haven't had the time yet.

We currently have it covering every single firewall we have, which is a lot. There are potential plans to add routers and switches into it again, or even start adding in hybrid cloud solutions, things like that, that we won't be able to see. Honestly, we won't have a single pane of glass without FireMon, so we do have intentions of deploying it at a larger scale, and actually turning on some of those features which we don't use today.

We have some really complex firewalls out there, a lot of rules - too many rules. It's to the point where the firewalls become physically unhealthy. The config is so large that the hardware can't keep up. FireMon allows us not only to very easily identify those firewalls that might be getting overly complicated, but it also allows us to easily remediate those complications. It's probably saved us a lot of downtime that could have resulted from firewall issues caused by the config.

It helps close a visibility gap we previously had. For example, Cisco's primary firewall management tool, either using command-line or GUI, does not cover all the appliances at once. You have to go in one-by-one. FireMon is able to see across every appliance, in a single view and that makes it easier to manage things.

In addition, it reduces our overall audit time. I don't deal enough with the audit side of the house to know by how much it has been reduced.

I have found the reporting on unused rules and redundant rules to be the most useful to me. We run those reports and then we can come back and fix things that are bad.

And overall, the reporting mechanism for anything is pretty good. We use it to baseline, to make sure our configs are accurate across all of our devices.

It provides us with a single pane of glass for our on-prem environment, to see configuration. We have not implemented into the cloud yet. We can search for an object group and see where it lives on any firewall in the enterprise, or find security rules no matter what firewall they're on. We don't use the automation feature, which means we don't do a deployment of any changes, so we don't yet have a single pane for deploying all policies. We know it's capable, it's just that we don't have that function on.

Some of the core functionality in our environment doesn't seem to work. We will get buggy code releases. They need to work on their Q&A of every code release. Too many bugs pop up between releases, and that's where I would like to see the most improvement.

It's recently become much more stable. We had an undersized box, and FireMon actually gave us a very much bigger server for free, which was very good of them to do. It brought our stability to about 99-percent-up.

It's highly scalable, as long as you have servers. You can scale it to pretty much anything. We've had thousands of devices in it.

There front-end technical support is really good, very responsive. To me, it takes a little bit too much time to resolve some issues, but that's to do with their development team, so I don't know if that should get lumped in with support or not. But the time to resolve problems that we identify is something of an issue. I'd give tech support a six out of ten.

We did not have a previous solution.

The initial setup was on version 7, which is a totally different ballgame, but the setup of both versions 7 and 8 were straightforward enough for me. I can't imagine something being much easier. It required minimal configuration and the documentation was excellent on how to set it up on your own. It's just easy.

A single-server deployment wouldn't have taken more than a day or two. We did multiple virtuals so we got slowed down by our virtual team building the servers. As a result, it probably took a few weeks. But that was not because of the product, it was because of our own internal teams.

Our implementation strategy was just to get the system up and running and onboard all of our firewalls into it.

I deployed it mostly by myself.

In my opinion, we have seen ROI. We're able to share data that other groups need, by harvesting it out of FireMon, which is extremely powerful. Another group can look up their own NAT, for instance, even if they're not very savvy. It has helped reduce a lot of casework that was coming into our queue, that was along the lines of, "Hey, what NAT does this belong to?" 

Going back to the complex rules, it has literally prevented devices from falling over and dying. It's maintained uptime, which is invaluable when you're dealing with millions of customers connecting through one firewall.

Our licensing is done yearly. There are different levels of support to pay for, but there are no hidden fees. The pricing is very good, very straightforward. It also came in cheaper than AlgoSec and Tufin.

We demoed and looked at other solutions but we did not implement any. AlgoSec and Tufin were the two main solutions that we checked first.

In the end, it really came down to the support. FireMon is more attentive than these very large companies, and we needed that attention. Their attention to our needs is what sold us on the product.

Make sure that you get the correct hardware for whatever size environment you have.

End-to-end change automation for the entire rule lifecycle is not something we're using yet. It's something that I'm looking to get a beta for.

There are about 20 people currently using the solution. However, the functionality allows us to extend the information that FireMon can gather out to hundreds of people, if not more. In some ways, there are hundreds consuming the information that FireMon gathers, and using it in some way. Network security engineers are the primary consumers, and network engineers are another consumer. In addition, anything related to our audit teams means those guys consume the data.

Two people could do deployment and maintenance, although I tend to do it by myself.

I'd put FireMon at an eight out of ten right now. To me, ten is something you only get if have no bugs or have very few bugs, and everything works perfectly. If you want a ten you've got to be perfect. I don't think any product would get a ten from me.

Optimizing and cleaning firewall rules and objects to maintain the security of the firewall and other devices.

Not experienced yet with the product. We are still doing our evaluations and having other discussions with different vendors to understand product capabilities.

The Policy Optimizer and Firewall Manager for different brands of firewall. 

Continuous firewall policy improvement should available out-of-the-box for firewall operation. We are also looking for more integration with SIEM and other tools.

The version is an important choice for the product.

• Vendor agnostic when it comes to integrating with other product.
• Reliable
• Excellent customer support

This product has enabled Kaiser Permanente Clinical Technology technicians with proactive/remote monitoring of highly critical systems.

A phone app would be nice. This is the reason why it is not perfect yet.

12 months.

No problems.

No problems.

A 10 out of 10.

No previous solutions were used.

Since a non-IT person like me was able to setup the system from scratch, I would say that it is not complex at all.

Relative to what it offers, the price is fair.

FireMon Immediate Insight was the only product that would work for us, due to the limitations that the Clinical Technology Department has at KP.

It is a very versatile and sustainable product.