Tufin Orchestration Suite Reviews

From my perspective, I think that it’s hard to break it down to a single feature. The visibility it gives and the customizability it provides is invaluable and the change automation is the most powerful capability, at least for now. The application awareness component is a close second. As more organizations adopt this revolutionary way of visualizing enterprise connectivity, SecureApp will fundamentally change the way connectivity is provisioned and decommissioned.

The product suite itself brings together organizational units. So when you talk about operations, development, management and auditing, all of these organizations have their own interface and abilitie to understand what different parts of the company are doing.

I think Tufin is continuously moving towards broader support for other platforms. Including a significant focus on the cloud. This approach is critical to the model of normalizing policy management across the environment - regardless of platform.

We've used it for nearly eight years.

It's absolutely stable and this is why I always promote it. They have the finest set of coders and developers you can find.

The distributed architecture capabilities allows this solution to scale to anybody’s needs.

The support team is second to none. They have multiple offices in multiple countries. They're always available. I know the support teams and leaders personally and they are of great quality.

It’s very easy to get up and running. With anything that is so feature rich and customizable, the installations range from a couple of days to more complex with many days and script writing. It just depends.

Spend the time to evaluate all of the components of the Tufin suite. When you bundle different features together and you bundle components, you get a better price.

We often find customers that have purchased this product for a specific purpose and they limit its use to only that purpose. Do yourself a favor and really explore the entire product and maximize the features and functionality of what you have purchased.

Following installation, we mentioned to the SE what ports were on the rule already, and he responded that those were the right ports. So immediately, Tufin already saved us work. And there was already traffic to the destination of a requested rule that needed to just be added to another group. Previously, we would have had to make a new rule and type in the source destination ports. With Tufin, however, the group already existed and we just needed to add it to another group.

Object look-up is also valuable. When someone needs to know about a particular endpoint and what's allowed to it, we only need to type in the IP address and are then able to see every rule associated with that address line by line.

From the very beginning, Tufin has kept our rule set compact so that we don't have to keep stacking up rule after rule. We still have to analyze and find rules that are too open, but it helps use make the right rules in the right places.

It's also a huge deal to us to be able to see the configurations as they change over time, and to know which firewall is responsible for which segments. It allows us to look at all our firewalls at the same time and not have to SSH one after another. We've got it all right there with Tufin -- one pane of glass that shows us everything.

With new engineers to the company, I pull them aside and show them Tufin. Within one hour, they have all the information they need to start creating firewall rules. It's incredibly easy to use. I can't imagine life should it if it should go offline. It's made a huge difference for us.

I'd like to see code provisioning.

It's been up for two years.

We had no issues with deployment.

I believe we had one reboot due to a code upgrade. This was only a single incident.

Our current machine handles all firewalls for one of our business units. We're at a point where we've ordered a larger one to handle 200 firewalls. We'll take the smaller one to have an additional collector. The scalability is very good.

Excellent.

These guys have been amazing. They will work tirelessly. I've only had a few calls, but every time I've had a call, the answer came through in a timely fashion and we got things sorted out. Usually it was user error, they told us, and they didn't lecture us about it.

We simply turned it on, gave it an IP address, and logged into that IP address. Getting it set up with other firewall was straightforward, as was setup for interoperation with Active Directory. We now have group-managed logins.

We looked at FireMon because it's able to analyze rules. But for daily, operational stuff, such as finding rules that already exist and which firewalls are involved, Tufin is much easier and more efficient to use. It was a no-brainer.

It already does traffic analysis and secure change. We've got the secure app so we can keep track of the business critical things. They shouldn't change that. I love the left-hand pane, and being able to navigate that and being able to see things in the split pane on the right-hand side. There are other vendors out there who will decide I need to just have everything at the top and scroll down.

The best thing to do would be get all your firewalls in there and let it bake overnight. It does take some time to collect the data in the config files. Once that's done, teach your help desk staff and the firewall operators how to use this to look up existing conditions and to determine right away whether a rule needs to be made, or whether a group needs to be added, or whether the rule already exists.

Policy management.

A lot of policy is legacy. With SecureTrack, I can track the policy and find all the policies that we're not using. Basically, we create a process out of it and actually get rid of those legacy policies.

I don't have a real idea of how many policies we’ve found, but the outcome for that policy management is usually better for our file work because it runs much more smoothly because of less policy, less memory usage, and less CPU.

We try to make the file work much more efficient. We also do auditing for file work, such as who made changes on the file work. You can use it for accountability, if needed. 

We also use some of the compliance features. We define policy on what is compliant. If anyone tries to create certain stuff that is not compliant, we get notified. I haven't fully utilized Tufin yet and I'm working toward that area. Hopefully I can give it a higher rating as we explore more functions. We know the capability; we just need to get to that point. If we reach that point, it'll be much better actually. We’re just not there yet.

We’re hoping to be able to share the data Tufin’s collecting with other platforms so they can be more integrated with those metrics, because the governance tool is where we create policy. And then using Tufin’s metric, we can actually know what kind of policy we can create. That would help out.

It's good. I haven't rebooted.

We are big, but we are only using a fraction of what Tufin is capable right now. I'm hoping that we can explore a lot more and then try to utilize more on Tufin because my big way to look at Tufin is this ability to gather all that data. If Tufin doesn't have that footprint, you won't get that data. So right now, I'm working on that.

For my current company, I inherited it.

I haven’t thought of using any other solution, so, I haven't looked at other solutions yet.

Let Tufin help you see what can be. Make the tool work for you and be creative.

You can't always use it in a certain way. There are many ways to use a tool. You just have to be creative on how you use the tool. Find holes and ways to use it.

Figure out how you use the tool, and then figure out if you can create a process out of it, so you are not only using it when you are free. You want to use it as a process because it has to be repeatable. If something is not repeatable, there's no way to improve the process.

If I'm going to find a policy right now and I don't repeat that process, those policies will continue to become legacy, so you have to repeat using the tool.

It can compare policy revisions side by side to see when you've made a change, and what the change is. It also lists the detail of the objects and policies. In other words, it has the ability to list all the policies as well as having side by side revisions.

I think we knew we needed to invest in the solutions because of a replacement we had to do last year. We had no other way of gathering the information. It wasn’t replacing anything.

I would like to be able to see the changes made on the software blades that Check Point has, such as URL filtering, IPS.

I’d like to see it work with F5. It's supposed to work and it doesn't. The problems we have with the F5 is what brings the rating down, because that was a big part of the reason we purchased it. If they fix the F5 issue, I’d probably rate it an 8 or a 9.

We have been using it for one year. When we first implemented Tufin, we were replacing firewalls that had been in place for so long, there was absolutely no way of migrating the policy over so we had to recreate it from scratch. We were able to use the information provided from Tufin to do that.

We’ve used the recording tools a little bit, but just for Check Points, not the F5s. They're helpful in a way. Sometimes it seems like they're giving you partial information, like it wants to give you some information that you've made a change to, but it's really hard to track down where that change actually was made. It’s more like configuration-level changes are difficult to read on the report.

We've had issues with using Tufin for the F5 load balancers. We can't get our information out of our F5s.

Using technical support was kind of cumbersome. They couldn't figure out what the problem was with the F5s. After they thought they found the problem, we set up another set of F5s. The problem that they thought was causing it, was no longer in place with the other set of F5s, but they didn't work either.

I was involved in the initial setup a year ago. It was straightforward. It was pretty easy to set up.

We weren’t comparing it to anybody else.

Keep in mind that you're only going to get the network security layer of the Check Point showing up on the recording. You're not going to get all of the software blades that come along with it. One of the things my manager was disappointed to find was that we weren't able to gather that information.

I like how it's able to optimize your policy, look at the objects, and other similar functions. We only have Check Point integrated with Tufin SecureTrack, so that's a key benefit of using it. We can check policies against past policies. It does a kind of compliance check or risk analysis if there are unused policies or unused objects. It highlights them and it gives you a good view of what doesn't need to be there.

It would be better if Tufin could integrate with the Cisco routers, FireEye, and other devices like that, so you can do the routing changes and so on straight from SecureChange. That would be good.

I haven't looked at their latest versions or releases, what's new, and what's not. We're still running a version that's at least a year old, so I still have to look at it. If they have added integration with Cisco routers already, that's good, but we don't have that in the version that we have. It doesn't support Cisco routers at all.

It's been stable in our multi-domain environment. We have more than 20 or 30 policies.

When we were looking at products that can do this, I think we only looked at Tufin. Its integration with Check Point is what led us to Tufin. That was the main reason why we looked at it.

I hope that Tufin just keeps doing what they’ve been doing. We look forward for future enhancements.

The biggest thing that we have been using is the automated reporting. I work on a very specific portion of our network enclaving strategy. For the initial ones we’re working on, I get a big report every Monday that has a full listing of volumes and changes on all the rules. It means I don't have to log into the firewall to see how we're doing as far as progress and what we're doing.

We also use the on-demand stuff every time they make a change, I get a report of the change that's happening. We don't necessarily do the operational side but we have a sort of governance and policy oversight, and consulting oversight. We can determine whether this is the right thing to do for what they're doing. I don’t even have to log in and I don't have to go look for the information. I don’t have to go in to the Check Point console, log in, and do a lot of stuff. I get these reports in my email and I can analyze them and look at them when I want to. That's very helpful for me.
We also use it in the field for the people that have oversight over their zones. They get a change report and a risk analysis report out of Tufin. They don't have to log in every time something happens. It gets pushed to their email. To me that's a big value.

The other thing that brings a lot of value is the ability to get visibility without giving someone admin rights in the Check Point consoles. We are able to specify for these roles. While we're doing policy and strategy in consulting, we don't need admin rights to be able to make changes. That's a big help also. We can get to the info without having to log into the consoles and get those type of permissions that we really don't need in our role.

We've used some of the rules recommendation modules. You can give it a certain data feed and it will recommend a rule set to accommodate that. That's the other tool that has been helpful for us. Our biggest problem is that we have a very complex environment. It can get a little crazy when we throw it at the rule engine. 

I haven't seen where they've gotten recently with the whole zone policy matrix that they showed us a year or so ago, but to me that's going to be one of the big things, it's going to drive us.

There was a feature they were working on that will allow you to go in and set up your zones, and you do a to-and-from policy for each zone. It uses that when it evaluates the rules that you try to put in to determine whether it complies with the zone policy. We need to be able to build out a business decision model with the zone policy that lives on without someone having to look at it every time. I think that's going to be one of the better things for us. So that we can see the zone policy management and we can be assured that policy is being enforced. If they get outside of that, we get notified. We know that nothing can happen unless we get notified. Even if they declare emergency, which sometimes you have to do, that we will get notified. Nothing can happen without us getting notified. To me, that's going to be one of the big things to try and keep the whole environment in the level of security posture that we want to try to get done.

The biggest thing for a very, very complex environment like ours is to keep everything in line with what we're trying to do.

I’m rating the product an 8 mainly because I want it to get into the zone area and those kinds of things. I think it's a great product, but there's a couple of spaces that would be very helpful if they could improve on. It is a good product. Don't think 8 is really bad. It's really good.

Learn it and dig into it, because it's got some great capabilities. For me, it's been great.

We're using it to write down policy changes. We have lots of jobs making firewall changes. We track down all of those in the reports and we can see what is going on. If something goes wrong, we can track down the latest changes and determine how to fix it.

We would like to use Tufin through the cloud. We don't want to keep the hardware or all those devices on premises, where we have to manage them and upgrade them. If we could use Tufin through the cloud, we could just tweak the firewalls, keep the changes, and then track them.

Right now, Tufin is on premises, which means we have to manage it, we have to upgrade it, and we have to take care of the devices. The infrastructure is not very critical for us, and we just need to use it, so we would prefer to use it through the cloud. Everything is in the cloud.

I have not found it to be slow at all. The speed is good. At first, we installed Tufin in one of our offices, but now we are using it everywhere.

Technical support has been good.

The way we've set up our policies are pretty unique in what they do, so there's not a lot of compare between them. But, historic is really important. We look at them and we say what is and what isn't important. We run through the compliance and the best practices. We're just starting to look at real usage and integration. That way, we would be able to say, "Okay, if this hasn't been used in a long time, maybe it's time to get rid of it." And we would be able to do our own cleanup because the tool will then tell us the value on long-term usage so we can take more advantage of it in real time.

We perform a lot of compares that show what was and what is now in our rule sets. In case there are issues or when somebody says, "Hey, this was working but now it doesn't," or, "Oh, I'm pretty sure that was in there and you must have removed it," we can validate those changes and go back in the history, say yes or no and do compares. There's a lot of new features that we're hoping to utilize, learn more about, and take advantage of. It's a timing thing and it's also education. We've been a Tufin customer for a long time and really like the product. We need to grow as much as the product is growing. 

There's tons of stuff in the product. The issue is more about what I don't know about it than what I am using it for. They definitely have kept up with the product and kept it moving forward. It looks like a really great partnership with Check Point and a lot of vendors. We're a Check Point shop, so it works very well.

We’ve asked them how to shorten the length of the change reports for global rules. They're going to try to allow us to select whether the global rule is reporting, or they're going to tell us how to do it a different way. We just brought it to their attention, so we're going to bring it to engineering. We’d like the reporting to be something similar to the reporting that Check Point puts out. There's some functionality that is very simple. I'll call it human reporting, such as a shared secret for a VPN change. Tufin does a really great job providing technical reporting, but it is unreadable to the average person. You look at it and think, "Yeah, I don't know what that did." We're asking Tufin to look at it, go over it with us, and say, "Is there a better way?" Either we're doing it wrong or they can improve the product to make it a little more usable, or at least readable.

It's been a very strong, reliable product.

As long as we keep up with the revisions, it's been very scalable. We just did another upgrade because we considered it a little slow. We were running an old version. Once we upgraded, it's been rock-solid. It's always been there, it's always been good.

We've been with Tufin for a long time. They’ve been very responsive to us. There was some changeover, and we have a new sales team. They called up, we had a meeting, and then, boom, we said, “Okay, let's schedule our upgrades.” That happened within two weeks.

The sales team so far has been great. We mentioned to them we're not educated enough on the product, they've already started talking to us about how to fix that. They're very responsive to our needs. It's a time and place issue, like anything. Unfortunately, we have to make the time and effort just as much as they have. They want to know when we want it. So they've been great for us, we've been very pleased with Tufin as a company.

They've been great. We have a good relationship with them and the product does a lot of things that we want. When I get challenged or it doesn't do what I want, it very easily could be me. I may be using it in the wrong fashion. 

We learned how to use it by just going and figuring it out ourselves. The way I'm doing a lot of things might not be the way they were designed to be done. But, as far response times from the company and everything else like that, I've been really pleased.

We've had it for a very long time. We've just been upgrading it as long as I've been with the company. It was in place before I joined the company.

At the moment, we’re not thinking of switching to another vendor. I know there's a couple of other monitoring solutions, like FireMon, or a couple of other systems that people have looked at.

Try it. It's a great relationship, but it's also a great product to work with.