Tufin Orchestration Suite Reviews

There are a couple of valuable features for us.

The first is that it allows us to track every change to our infrastructure, such as when the administrator makes new rules. Not only are we able to track every change, we can roll them back very easily as well.

The second valuable feature is that when you have huge growth within your firewall, it predicts what the growth may be and makes adjustments accordingly.

There are several security devices that are not on their list, so Tufin needs to improve this list. There are also a few design elements that could be improved as well.

We've had no issues with deploying it.

The stability is quite good. We are deploying the solution on physical machines, and it's on a lot of devices in our company. I think that if we did reports every day and every week, there would be no problem with the stability. It needs no maintenance and it's very stable.

For us, it's a new product so we don't know about scalability right now. We may need to scale it in the next year or two.

The customer service is superb and quite good.

The technical support is online and it allows us to get very fast answers to our questions. We appreciate the speed very much.

The initial setup is neither easy nor complicated. We have I5 hardware, and we had a little bit of difficulty installing our devices and Tufin.

Try it and you will like it.

The most valuable feature is that we can see what changes are happening on all our security devices at the very moment that they're done, so if any mistakes happen, then we can catch them very quickly before there is a big disaster and outage.

Mistakes like firewall policies where people put in wrong IPs instead of allowing permits and traffic stops. That is why it is very, very important.

On one of my earlier deployments, I was actually able to quickly diagnose about 100 VPNs that went down because one the administrators made a wrong encryption domain in the tech point, so we were able to catch it right away as the change happened. We were able to revert the changes very, very quickly, and it did not cause a long amount of downtime.

We are able to look at any objects that are not used, rule usage, which, for wide-open rules, we can put in tracking on those rules so we can turn down the rulebase, so those are the good benefits. The rulebase actually shows the same way for all the devices, so if you have checkpoint firewalls, or if you have five load balancers, you can actually have a similar view of all this, so you can understand it very easily.

The other good part is that whenever changes happen, we have to go through change control. We can put in our changer card numbers, and then those all come in the dashboard as the changes that were done on that particular change record, so then you can correlate the changes to a particular request which was approved.

New features would be when you look for any of the rules that are unused, then I would like to see whether there was a way to also make sure that the objects that exist are actually live or not. What I mean to say is, if you have a server that you had allowed in the rulebase, and you decommission the server, now the rulebase is there, which shows their logs, but I want to make sure that the server is actually decommissioned and not still alive. If there is a way that we can check for those objects, whether those objects still are alive in the network, that would be great.

I've been using the product since 2007, since its very early stages.

At one time, it had processed for a year. When I was in my previous company, I had installed one of the T500 boxes, and it had actually processed about 2.7 terabytes of logs, and we were able to trim down the biggest firewall. We now do about 11,000 rules, and they had never been cleaned for about five or six years, so by the end of the whole exercise, we trimmed down the rule base to less than 300 rules.

I've used about 200+ devices. That was all the environment was, so I definitely know, talking to other customers who have thousands of devices, so it scales very well.

Technical support is great. I've worked with several people within the company.

It was straightforward. I was able to get all my firewalls and a lot of the other networking devices in less than half a day.

I compared it to the usability and the easy way to actually add devices. We compared it to AlgoSec and FireMon. Both of them I did not feel were very intuitive to work with, so a lot of training would be required.

Just buy it. Don't even think about any other product. Just buy it.

We're able to generate reports to know what's going on with our rules, specifically expiration dates and PCI's, for our firewalls. It lets us know exactly what's happening.

When we make changes, we need to know exactly what's going on between each firewall and why a rule may pass or not pass between each. It would be good if Tufin gave us the ability to do this in a graphical way.

We have sixty firewalls, and sometimes the path between any two firewalls may have five rules. We need to know exactly what is going on and where we have to implement a rule. It's very complicated to do right now, and that's why we want to implement a security change.

We've had no issues with deployment.

We've had no issues with stability.

We've had no issues with scalability.

We need a vendor that has good, responsive support. Tufin support has been that.

We have a virtual firewall and when we ran our system, there was a problem with mismatched object rules. We called support to help us clean the firewall. The rep looked around and, after an hour-and-a-half, confirmed the problem. Then another five or six technicians analyzed our request and, after three or four days, released a fix for us.

We had no issues with the setup.

There may be a better product a year from now, but we're using Tufin now and we're satisfied with it. We'll use it until it doesn't do the job. It's a big deal changing firewall vendors, so we don't want to change unnecessarily.

Tufin provides Unified Security Management across heterogeneous environments. This is one of the great features of Tufin. We could easily compare the revisions of the devices, analyze the network and generate reports.

Before we started using this product, to resolve the network problems, it used to take a week or so. But once we started working with Tufin the problems are resolved in a day or two. And also, we can monitor different firewalls under a single GUI using Tufin.

I think SecureApp could be improved because, many organizations who implement Tufin majorly use SecureTrack and SecureChange, SecureApp is rarely used basing on their requirement. SecureTrack and SecureChange have been updated a lot and I personally can't see any changes in further in these. So, I think SecureApp has scope in developing more.

3 months.

The best 10/10.

10/10 They maintain good sessions in providing support

The initial setup is a straightforward, not that complex; just had a few Linux commands to setup the software part and of course there will be some physical effort in setting up hardware as well.

In-house.

Above 100%.

Nominal and market competitive.

I couldn't find other products which have similar features as Tufin.

Surely, I would recommend this product in implementing. If the organization has a large network and different firewalls/network devices; Tufin really helps a lot.

We are a Cyber Security Products and Services company. We resell Tufin products and provide Tufin technical services.

1. It's easily deployable.
2. It provides change and reporting on changes 
3. One of the features helps you clean up firewall rules, and maintain a good, clean rule set.

From an organizational standpoint, it can help improve for one by streamlining the change process, assisting and streamlining the change process for firewalls, routers and switching ACLs.

Also, it can help with compliance from an organizational standpoint, maintaining a certain level of compliance. Also, reporting - it provides reporting to auditors for the organizational level that need to provide evidence and for other auditors outside the organisation.

They could improve their support. 

They've already known about their support being kind of shaky. They can make the product more MSP ready, managed service provider ready. They can do that.

Outside of that, I can't really think of anything right now, but making it MSP ready and providing better support, I think they can definitely improve upon.

5 years.

I am impressed with the deployability. The set-up is really straight forward. I mean, I had one of my guys who has never really touched a computer before set one up.

I believe it is stable, well not every time, but 99.9% of the time.

It scales okay. They can add some scalability to it, yes, they can definitely add scalability to it.

Their pricing is too expensive, and I think they're one of the best products on the market but I think they can't get enough market share because of the pricing (the licensing). It's too expensive. They changed licensing models a couple of times I think, but I think they need to be more cognizant of the middle market, as far as licensing. 

My advice would be to do your research first on the product. Make sure it's going to cover everything you need, which it does. They have several uses for Tufin, several models as far as function like Securetracks, Securechange and the Secureapp, so you've got to do your research and someone may need all of the orchestration, the full Orchestration Suite.

I would ask you to just research it, make sure you get what you need because quite often people go to buy Tufin and they go to buy the Securetrack just the Securetrack firewall changes, that they end up getting a quote for Securechange, Secureapp, and not even know it, and they say "Oh, that's too expensive," but that's not really what they wanted, they just want the Securetracks.

I would also have them get a competitor, a demo ware competitor and compare it to Tufin just so they can see how well Tufin out-performs their competitor.

In regards to my rating of 8, if they did mark the price down, change the licensing model to include more middle market, so they can reach the middle market and get more market share, and also provided their partners, and this is going to be a big one for them, provide their partners with two-way licensing so their partners can use the product for free.

If I am partnering up with Tufin, and I've got to keep downloading demos to use it and I have to advise potential users about the Tufin product, it's just not going to work. They should give me the product for free, especially if I have sold a few deals for them, they should give me the product for free with a couple hundred licenses that I can use anywhere I want to. This should be done every year, so long as I'm a partner.

That would help increase their visibility, their market share, and bring them up from an eight to maybe a nine or so.

The most valuable features for us are object looking, rule documentation, and reports. We use it for cyber security as well, so risk features and violations features are huge.

Even just looking up rules before we can make changes is a lifesaver. Previously, we'd have to go to the CMS of whatever firewalls we had. So instead of having to do that, now we can go to one location and search the rules that way.

Another major thing is the topology feature for the network part. Also, the SecureChange and automation means that the checkpoints can be done automatically, and they do the provisioning throughout the process. Looking up rules and understanding how they affect your environment.

It's also quite easy to use - there's nothing hidden, it's all laid out and that is much appreciated.

From a security standpoint, we have it in place where it will notify us if an engineer inadvertently violates a high-risk rule, and it even does this if they pre-stage a rule, so before they push it we can find out.

From an auditing standpoint, because we get audited three or four times a year, our auditors have access to see exactly what's happening in each firewall, and we've had fewer issues with auditing because of it.

For us, in man hours, it saves about 70 hours a week on checking rules and implementing the changes.

For implementing the rules of SecureChange, and trying to implement it with all of the software we have on our side, change management, and workflow management, we need better integration with our existing tools that will make these changes a lot faster. We have so many things on our side that we need to integrate. We now have HP Switches, so we'd like to have those covered as well in order to monitor them.

We've used it for three years.

No issues.

We had one bug - a year or so ago - and Tufin had an update that addressed the issue. The long implementation time was on our side. No other problems.

No issues.

Both customer service and technical support have improved during the three years we've used it. They're really quick to get back to us for both customer and technical support. They get on calls with us, WebEx, anything.

We were going through a major OS upgrade. We ran into some problems on our end with four appliances. It was a weekend and we opened a case on-line. We were able to get together with someone in 30 minutes, share the screen, and they walked us through implementing a fix within an hour or less.

Even though we have a remote collector, a distributed collector, and a central server, it was pretty straightforward.

We did it internally ourselves, but with some input on architecture from Tufin's professional services.

As far as licensing goes, the good thing is that the licensing for the firewalls is great. The licensing changes for the routers has improved because we no longer have to pay for topology monitoring.

We also looked at AlgoSec and FireMon. Algosec was good, but Tufin had the edge in the automation process and the reporting was even better. So it was basically between AlgoSec and Tufin.

Functioning monitors (not just marketing hype) for most types of firewalls and firewall managers, overall stability, scalability (could be better, but the still best on the market), and the ease of performing OS and software updates.

Having one vendor for both TOS operating system and TSS application makes it much easier to form relationships with Tufin sales, engineering and support, and improves product maintenance.

They should include a way for customers to add third party RPMs to expand system functionality that's retained across updates. A single central (master) database does not scale well past 1000 firewalls.

Also, it needs to expose a remote collector for central message (queues) metrics, monitor Java, Tomcat, web and database performance, to provide better intra-application data monitoring and alerting capabilities.

I've used it for seven years.

TufinOS 2.10 has been the easiest OS release to install to date. I haven't had the system running TSS R15-3 long enough yet to know if REST API improvements are usable.

None, so far with TufinOS 2.10 or SecureTrack R15-3. Postgres database (v9.0) should probably be updated to a newer version for improved performance and stability enhancements.

The SecureTrack R15-3 central-database shows significant performance strain, handling policy revisions, and rule/object usage updates from our 1600+ base of firewall devices. However, it continues to function, albeit slowly, day-in and day-out.

USA support M-F has been very good, and with pre-arrangement, weekend assistance is also available. Over the years, US Tufin support has had to escalate distributed application (remote-center db) performance problems to their Israeli R&D and developer teams for remediation. When this happens, mean time to repair can be measured in weeks instead of hours.

Very good, technical expertise from the US support staff, and exceptional technical expertise from the Israeli R&D people.

I have looked at other vendors, but we have been a Tufin customer since 2008, and have benefit from the maturity of their TOS and TSS products.

Upgrading from TOS 1.x to 2.x is a bit painful; the process requires wiping the system clean and reinstalling OS and applications, and then recovering data from a backup. But overall, the appliance approach that Tufin has taken greatly simplifies upgrades and patching.

Since 2008, we have purchased products through a Value Added Reseller. Our VAR intercedes for us on annual maintenance (support and update) calculations, and helps with unexpected contractual problems.

We have not calculated ROI, because we are always changing how we use the TSS application to obtain security information.

We have not performed a cost analysis on other similar products, but I'm confident that Tufin does and remains cost comparable.

In 2008-9, the choices were thin (Tufin, FireMon or AlgoSec); of those only Tufin offered the promise of an appliance based system that would scale large enough to warehouse data for reports and analysis from many hundreds of firewalls installed across the US.

Tufin is still growing and adding new features to its TSS applications suite. I don't believe your company would make the wrong choice if the products meet your company's requirements. Their latest product offerings of TOS run on virtual machines, and their near-future promise of a distributed central database (scalability improvements) should not be overlooked.

I am working in a DevOps environment. We are trying to automate firewall rules and allow Tufin to push these changes for us. Using SecureChange and SecureApp, it makes life easier for the user community and the firewall engineers by not having to manually input firewall rules. The DevOps environment allows the users to pick from a catalog and request what they need. SecureTrack gives us the audit capability of what is/was implemented.

To me, SecureTrack is the greatest thing since sliced bread, it allows you to see what is used and not used with your firewall, and gives extensive analysis in a very short period of time.

I can run SecureTrack for a week and have a great idea of what’s being used. Ideally, you want to let it run for a year, accumulate data, go over a years’ worth of data and decide what really needs to be cleaned up.

You will see in one report what is being used (IP addresses or services) and what has never been used.

Gone are the days of reviewing logs to figure out, "do I still need this rule/service?" It’s been a really great piece of software.

Probably in the ad-hoc reporting. They give you the canned reports. We do use the API calls, but it would be nicer if they could just give you a drag-and-drop function in the reporting. Pick anything out of the database and massage that data the way you want it.

Tufin has been working with us hand-in-hand lately because they do see that we are doing a lot of cloud-development work with automation. It’s in all our best interest going forward and they have responded seeing the future is in the cloud.

Personally I have been using Tufin for seven years across different companies.

No issues encountered. Strongly encourage an HA environment.

It’s holding up real good with scalability and stability. We have not run out of power on the box. They have been here on site and see what we are doing and how we are doing it. We are telling them what we need and they are doing it. They are pushing the envelope in their development side to try and meet our demands.

The level of service is excellent. I can’t overstate that. We open a lot of tickets because we are using a lot of things that a lot of people are not using in the product, which is too bad. Most people don’t understand the power this product brings to the table.

The technical support team is right on top of it. They don’t just leave you hanging. They know the guts of the product. They are able to get in and figure out what is happening and get you up and running again.

A lot of companies will put the new guy on the front lines so that they learn the product line quicker, Tufin does not do that, these guys actually know their stuff. If they don’t know they go straight to the developers. I can’t praise them high enough.

We have a great relationship. You need help and they are there. If that’s operating system support or the application, their engineers are very resourceful. Looking at their roadmap, we see great improvements coming to cover the new world of automation and cloud computing.

Bottom line they are very responsive, and very good.

It’s easy to deploy. It’s a very easy product to work with. It’s one of the easier products to implement.

In-house with Tufin on-call ready to help.

We have made a ROI. We have invested a lot of money in these products. Any company that puts in SecureTrack alone will see a very quick return on investment.

With SecureApp we are automating cloud development work, the only thing we have to do at the end of the day is go to the firewalls and click ‘install’. It will do the end to end analysis for you.

You need to approach it from a cost perspective. If you have to go through and analyze a rule base, it’s going to take you months and months and a lot of people. If you use Tufin, right off the bat, it’s collecting the information and it’s going to tell you what’s been hit or not. It will tell you how many hits on each source/destination address, and services.

It’s the Swiss army knife of tools. I’m sold on it. It’s so easy to use. We use it to its full potential. It has some great bells and whistles.

The module we have used the most is SecureTrack. Our technicians use that for firewall audits and analysis. We use other drivers due to PCI regulations, so we have to have proper reporting compliance, change management, and network changes. Also in our road map is to implement secure change.

Based on the work our technician has done on it, I think it serves the purpose we brought it in for. The only issue we have had is that we have been working a long time, from the build and configuration, and we still have one issue that our Palo Alto devices are still not reporting correctly to Tufin and that needs to be resolved. I believe it’s a software compatibility issue, so it might require an update on our side. That’s still an outstanding issue. We have a known issue integrating Palo Alto, but if they have a roadmap with other customers we would love to know.

We've used it for almost a year.

Performance is good and any queries we run are smooth and straightforward. But we haven’t loaded too much on yet. There’s a lot of build still to come. For the basic purpose of what we are using it for, it’s pretty good.

They are knowledgeable and available. I've had no issues with professional services.

Exactly because we had no firewall analyzer or a compliance and reporting tool, we brought it in. We have business requirements like PCI, and we are yet to use it for reporting or secure change.

We just put it in to the rack, consoled in, and did the basic set up.

We did it ourselves. Just looked at the PDF.

When I did the self-service for licensing, I encountered some issues. Perhaps it’s because I didn’t know how many we had purchased before I had arrived, as it was sold through a WebEx.

Pretty good, very supportive, understanding and recognizing we need to move in a phased manner. They are definitely in it for the long term. Support and professional services, we will require going in to the future.

We use it to track changes and the policies that we've implemented into our system.

It allows us to evaluate and build matrices, and see how rules work with it to see whether they are secure.

The biggest benefit of this is that it allows us to see how security functions as a hole. Also, it lets me see where the holes are and how things function.

The rules and configurations can be clunky. I have to wade through different things to get what I'm looking for, but the more I use, the more it makes sense to me.

The company has used it for 2 years, but I've used it for 1.

No issues with stability.

The scalability has been great, and we've implemented it on 25 devices now.

The implementation is straightforward.

I did it in-house, but tech support helped me walk through it and find missing pieces.

Try to get a training course on what it can do, so that when you go to implement it you can get the most out of it. If I had known all the features from a training class, I would have implemented it differently from the guy who did it for us.