Tufin Orchestration Suite Reviews

The biggest thing is regarding the automation that it allows our customers to do at the end of the day so that they can go and scale their environment a lot more than they could in the past. I think that's really where it comes in. It's the process behind it which can be very painful and tedious. They help make it easier and it's pretty simple from that perspective. You can review compared to past policies.

It's a multi-stage process. When you first start using it, you can go based on rules and find a lot of things that you didn't know before automatically. Then over time, you can go and see points along time. See what's happened, what's changed and also make sure they're applying the appropriate policy.

Without Tufin it's a lot of manual reviews, and you'll miss things. Humans miss lots of things especially as rule bases get big.

The integration with other parts of the system, so it  a lot about process. If you have ticketing systems, other things that you're using can be helpful. For the really leading edge customers, they're able to integrate it with their other processes to the end users. The end users can be the ones requesting, saying, "I have this application and I need it to work this way." Take the technical out of it and make it a lot more business oriented so that's pretty powerful.

It's still challenging in some cases to get it integrated with other systems. Anything that Tufin or any company can do over time to make that easier and easier is going to make it easier for the end customer. A lot of times with implementations, companies don't get using it we've seen. A lot of times, we'll go in and help them which is good. In the early stages, like any product sometimes it can be hard to start using it. Ways to make it super easy for somebody coming into the game could be useful. Then from our perspective, we've seen so many services go and come. So many applications go service based (software as a service) so they certainly have an opportunity there too to do some things.

I'd rate it an 8.

We've been working with it for a long time and it's been good from that perspective. Again, we have a lot of customers. It's been really scalable. We've had some customers that are on a hundred gateways on it.

It's straightforward to set up but like anything, there can sometimes be an initial gap with usage. Get it set up, get it running and then it's the habit. Forming that habit for companies, like anything new, can be hard.

The space is pretty targeted. AlgoSec and Firemon are certainly their direct competitors. Those are really the big three in the space.

Criteria when selecting a vendor  -I think it's looking at your current processes and where you'd like to be is really what it comes down to. If you're frustrated with the ways things are working, think about the way you'd like it to be and then see what product fits into that mindset for you.

There are a few things. One is that from the portal people are able to request access. It is going to be able to stage the policy, add the rules or objects or whatever is needed for us so that all we need to do is push the policy at the time. It almost doesn't need a human being to be involved in the rule staging of provision process.

We've been using Check Point for 10+ years and some of the rules were converted from other systems, mainly from Cisco devices. The conversion process or the migration process is not the cleanest. We end up with rules that we call over-saddling. Rules which are really not needed.

We're talking about a ton of rules. We have policies that have 3,000 rules. It's able to give us reports that tell us these 10 rules or 100 rules in our policies are not needed. Either we need to fix the rule which was a bad rule or we do not need another rule.

One thing it's not currently able to do is remove rules. For instance, one of the biggest things is that we have a server what we call decommissioned. That means they no longer need it. Either the application is end of life or they bought a new server and they took on new IPs. But we still have rules that allow the IP, so there's a hole there. Right now you cannot say, "Hey, Tufin, this IP is obsolete. Please remove all the rules that allows this IP."

Another good thing is that Tufin has a good portal. 

We were using Skybox. Tufin has that fun end to the user which Skybox doesn't.

I would recommend it.

With a tool like this, spend a few dollars to bring in their professional services to help out. Tufin is not going to be for a really small company. One of the important things is that you need to get your network team on-board.

The most valuable features are the ease of use and the portal. It is very easy to log in, to navigate, to produce reports and to create workflows. Creating workflows is actually one of the best features that I've seen in the product.

It also gives tremendous insight in that we now know exactly where the rules are, who they belong to, if they being used, and if we need to follow up on a yearly basis to find out if they still need access or if we removed the access because the server went down for whatever reason. Seeing that these rules are actively used helps us a lot. Before Tufin, we knew that we had issues with regards to how many firewalls we had in place. We had rules that were outdated and never being used. We started bringing visibility to that, and that's when we decided that we needed assistance on how to audit the firewall rules.

Not only is it secure to use, but also we put it out to our customers for them to submit firewall requests. We train them on how to fill out a firewall request, which then goes to us for review. There's a lot of work in detailing what changes are necessary for our firewall, but that's more of the technical side. The user side just needs to understand how they submit the request appropriately, and it took Tufin to do that.

One of the reasons we got Tufin was that pre-Tufin, our firewall had more than 1,200 rules. It was very difficult for us to understand when a rule was last used and if it still existed. With Tufin, we're able to manage and say, "Okay this rule was requested, we know who is the author, and we know who it belongs to and to what application." Understanding and visibly seeing what we can do with the firewall rules and how to audit them helps us manage it better.

I would like see the workflow process expand out to give us the ability to tie it to other APIs. I would also like it to log some of the requests that we have and have better dashboard metrics.

Tufin SecureChange, Tufin SecureTrack - we’ve used it for almost a year and a half.

There have been no stability issues whatsoever. It’s rock solid.

With regards to scalability, we are not only using this product for firewall rule management, but also for other manual workflows that we used to have but are now incorporated into Tufin to allow us to automate and actually have visibility into these manual processes. It’s now online instead of being paper copy. We haven’t had an issue with scalability and it’s been able to keep up with this transition.

Because of the training, we had less calls to technical support since we know how to manage the product. The tech support we have used went well.

A co-worker recently came to me and asked, "What do you think about Tufin and AlgoSec in comparison”? I told him that Tufin’s customization options out of the box, the value that you get from the training, and the improvements to our organization made it a no-brainer.

I would rate it a nine out of ten, since there's room for improvements, as always.

The most valuable feature is the ease of use. Creating workflows for users is very easy. It's also pretty straightforward to look at audits and compare policies.

Before Tufin, we had a very antiquated way of doing firewall requests. It was a terrible workflow system. Workflow was one of the main reasons we looked at Tufin, since it is really easy for users.

I would like to see more customization with the emails that go out, the UI, the things that I look at, and the things that I see when I log in. We mostly use SecureChange, and when I look at my tasks, I would like to have more customization to maybe add a column, for example.

We deployed it well over a year ago - Tufin SecureChange and Tufin SecureTrack.

There have been no stability issues whatsoever. It’s rock solid.

Right now, with what we're using it for, it has been scalable. We haven't had an issue with scalability at all. It's been able to keep up.

We had to work with technical support to get the certificate set up and get SSL initially configured. It went well.

Putting it together and getting it up and running was a breeze.

The top two we looked at were AlgoSec and Tufin. We felt that Tufin was the leader in the space and we chose it because it was easy to use, very customizable, and it gave us every one of the requirements that we were looking for.

I would give it a nine out of ten. It’s been a great product so far. I'd just like some more customization.

Tufin provides insights through various reporting capabilities. It provides a level of insight into change that didn't exist before and gives us the ability to validate changes against business needs. It has also allowed us to automate certain functions. We are still very new at it, but we have been able to leverage some of the automation capabilities to begin to clean up our environment. We haven't gotten into the SecureApp module yet.

There are some report capabilities that we weren't aware of when we purchased the product. They're kind of in a hidden area. One of the reports is called the permissiveness report and it uses some type of algorithm to measure risk of rules, rule bases and firewalls. We're still exploring a lot of the reporting capabilities. There's a lot of depth to the product.

There are capabilities to measure risk and to report on non-compliance access and rules, and you want to clean that up naturally. Unfortunately, the automated cleanup only works for Cisco right now, and doesn't work for Check Point. We have been told that that's on the roadmap, hopefully for 2016, but automated rule cleanup and rule removal are probably the biggest deficiencies that we've encountered at this point.

In addition, the SecureTrack product is not as seamless as I would like it to be with SecureApp and SecureChange, but that's also on the roadmap to correct. If you are in Secure Track and you want to use SecureChange, you actually have to login to SecureChange.

We have only had the product for four or five months.

There have been no problems with stability.

We have about 22,000 rules and 120 devices that we're monitoring. We haven't had any scalability problems.

There's a little bit of a learning curve, particularly with the depth of the product, but it's not difficult.

I would rate it a nine out of ten, comparing it to other solutions in the market and the value that it’s provided to us already. I lowered the score because of the deficiencies I wrote about previously, but didn’t lower it that much because they are aware of it, they have addressed our questions, and they have it on the roadmap.

Tufin has helped us a lot. It lets us clean up the rule base in a short period of time and remove unused rules. Tufin provides you a report on rules for this that lets you delete objects that are obsolete and no longer needed in the rule base. If you don't use a tool like Tufin, this is done manually and may take days, because for every object, before you delete it, you have to make sure that it is not being used by someone else.

From a security point of view, Tufin can provide the posture of your environment, meaning whether your rule base is secure or not. It will analyze the file rule base, tell you if the service you enabled is secure, and give you some advice how to deal with the situation.

I want Tufin to be used by my entire team, but due to a lack of training and lack of resources, we are not able to do that. I would like to see more training videos that can be distributed to my team in order to really take advantage of the product.

We have been using it for about 3 years now.

I find it very stable. We haven't had any big issues since we started using it. Issues we have had have mostly been related to new features being added that weren’t supported by the device. In those scenarios, we submit the case to Tufin and they tell us about the new release.

We are a big company and I can say that we are not using the product in its fullest capacity. We have a different type of policy because we are using different vendors and different technologies, and while we have some issues with the juniper devices, it has absolutely been scalable.

Tech support has been fine. Right now I have an ongoing case and there is a delay, but it mostly comes from me because I took time to respond and they are telling me other ways that I know.

I implemented FireMon three years ago for a customer because the customer specifically requested it. I found it very hard to put in place. I wasn’t a part of the Tufin implementation, but in terms of the product itself, Tufin is easier to use.

I would give Tufin an 8 out of ten because some vendors own multi-contexts, and there are challenges supporting these devices. We are having issues with the Juniper device, for example.

Being able to run reports to see what rules are there and which rules are not needed is very useful to me. It allows me to optimize the policies. Also, every time someone pushes policy it sends an email to say that the change was made. I have it set up to run reports every two days to let me see the state of the firewall or the state of the policies.

The ability to get a sanity check for the rule base is important. Right now, we write our own firewall rules, and with Tufin, we can cut those down to four hundred.

The upgrade was a bit cumbersome because we had to do a complete reinstall. We removed it from a version of Linux that wasn’t supported and we had to do our first fresh install.

We’ve used it for a couple months now.

We haven’t had any issues with stability so far.

We’re a small team and we manage five clusters, so it’s not too bad.

We used technical support for the upgrade and they were very helpful. We haven’t had any issues, apart from the fact that we had to do a fresh install, but we were provided support through that process. They were online with us right through using WebEx. That was great.

My experience with Tufin has been good. We haven’t had any technical issues and the features that I have seen in the software so far are excellent.

I use Tufin SecureTrack, which means I use it for looking at things and not for making changes. The value of it there is that, since I deal with Check Point policies a lot, I can use it to see what changes have been made to the policy since the last time I looked at it, because it may have been a couple of weeks since I last installed a policy or maybe somebody else has had their hand at it.

Tufin gives me a really easy way to graphically look at the policy, before and after changes are made, through two panes. As you drag around one pane, the other moves with it, and they resemble the Check Point dashboard view so it’s very familiar. You can easily spot all the differences and see what has changed in the policy to make sure there are not any mistakes and that nobody accidentally added a block edited any rule at the top of the policy—that’s probably happened to everybody, right?

I also use a feature where you can run a report on rule and object usage. This helps me spot rules or objects that aren’t really ever hit, so I can remove them from the database if they no longer exist.

Tufin is easy to use, which was really important for us. Also, it’s not a dangerous solution because we can’t make changes with it.

I'm running R77, and I'm concerned with how well it will work with R80, the new release of the operating system. R80 changes the way that the dashboard you use to manage the policy looks and operates, and we will have to see whether Tufin keeps up with that or not. Also, in the current R77, the various blades appear as different tabs in the interface and dashboard, and Tufin doesn't look at any of those tabs except the security policy. I'd like it to be able to look for changes in some of the other configurations. In R80, it's all tied together, but for now, it's in a separate panel. I don't currently have any way of using Tufin to audit what changes have been made to the web filtering configuration, for example.

It's very stable.

I don't have a huge environment, but it doesn't seem to require a lot of horsepower. We're running it as a virtual machine, and that's working fine.

We haven’t needed technical support since we moved from a physical to a virtual world.

It was straightforward. It’s been a few years, but I don’t recall any problems with setup.

I have no problems with Tufin, and it works great, but I would have to give it an eight out of ten. It’s just not as amazing as some of the other technologies I use, like Lancope StealthWatch. I wouldn’t tell anyone to stay away from it—It’s just a good idea to look at the competition and see what’s out there.

Tufin gives you the ability see what changes have been made and who made them, as well as pinpoint what has changed so if there is an issue you can easily review it. I also like that if there is a new request that's coming in, you have the ability to compare the request with what is already in the system so you don't have to go into the firewall rules to try to figure it out. You can just do a comparison between different policies.

We use reports a lot for cleaning up, which is part of our regulatory requirement. You need to review the policies for any old reports, used objects or used services. That's basically what draws the purchase of this product.

I also like the product’s ability to reduce security risks. Being able to do some of the compliance checks has been very good for us.

The ability to search could be improved, and it would be helpful to be able to display more than a hundred results on a search or share when you do the workflow with multiple people at the user level on your same team. If you have a team of three people each one should be able to see each other's request without having high-level access rights.

Also, the workflow is very rigid. It's not very easy to manipulate. The graphical interface needs to be a little more user-friendly. You need to be able to move objects around to make a nice display. Right now, if you select an object, it just sits there and everything goes sequentially. I want to be able to move objects around to make the interface more presentable in the way you would normally code something. That's a big concern, because we've gotten several complaints.

We have used Tufin for at least seven years.

We haven’t had any problems, except for some licensing issues a long time ago.

For what we do we haven't seen any performance issues so far.

Technical support has been good. We've had different engineers help us out and they've all been very helpful.

We compared Tufin to AlgoSec. At that time, we felt that what Tufin had in terms of their workflow and the option to transfer over our existing workflow was more flexible. It was a hard decision. One of the other reasons we picked Tufin up versus AlgoSec was the responsiveness of the people we were working with. They understood the company and our relationship, and we felt that it would be easier to have the ear of the company if we needed customization. They did the changes that we requested, which made life easier. We felt that if we were to go with AlgoSec, it would be a lot harder.

We closed the deal after they made a change to DNS lookup. Objects need to be created on our DNS system before they’re populated, and you didn’t have a way to validate your IP with a host name at that time.

If I had to rate it one to ten, I’d give it a nine, since there’s room for improvement, even though they’ve been doing a lot of improvements over the years. I would also say that if you buy the product make use of it. There are more features available than you always realize, so a lot of times you might try the harder way first because you are used to working that way. You might discover that your life can get a lot easier.

We use it as an auditing tool, since it’s a risk-based approach, which fits a lot of the needs of our auditors. We're able to clean up our firewall rules and use the security score in our monthly reports to executive management, showing them that we are making improvements within the security of our firewall policy. We can generate different inventory reports when rules are not in use. It allows us to print policy out for our auditors as well.

You can print off reports, either in Excel format or PDF format and deliver them to whoever needs those reports. It can also send you any report on a regular basis. For example, if you want to see your security scores, you can have that sent to you weekly.

Before we had Tufin, we had to do firewall policy cleanup and it was pretty painful. It would take us 6 weeks just to get through one review, and we had to do it quarterly. With Tufin, you can generate a report in 20 minutes and start taking action on it right away. It's a huge difference. You build up trust with the product. When you are looking at a rule and you don't know if it's been used before, you're kind of rolling the dice. When you have a tool that can look out 6 months and it hasn't been used, then you have a lot more confidence in cleaning that rule up.

Some of the challenges we have include getting the reports and the tools to look at our specific environment. There are some challenges with setup for that. You want to make sure that your PCI environment, your wireless environment, your DMZs and your internal network are all laid out in Tufin so they can be correctly scored and rated. A little more ease of use in that area would be helpful.

We've had Tufin for 8 or 9 years. I was the one that brought it in.

We don't have any issues with stability of the product.

We have a relatively small environment. We've got 30 firewalls, basically 15 clusters that Tufin monitors, and our policy rule base isn’t huge. We moved over to VMware and haven't had any issues with caring for the product.

We actually used one of Tufin’s competitor’s products, AlgoSec, but found that the Tufin product is a lot more flexible from a reporting standpoint.

It’s easy to set up. I would say to do a proof of concept and give it a try. It doesn’t take much effort to get it set up and start getting benefits.

I would give it an 8 on a scale of 1-10 because it works really well in helping you create your own reports. You can drill down into each of the different risks that are in the environment and take action on it. It actually tells you, in a descriptive manner, what the issue is and how to fix it.