We deployed the solution based on the preferences and needs of our clients. The solution was deployed on cloud and on-premises. However, it was primarily deployed on cloud.
Very valuable firewall security with decent licensing costs
Pros and Cons
- "The solution is good, and no clients complained about it."
- "The solution is good, and no clients complained about it, therefore, I recommend this solution for people seeking to use it, as they can never go wrong with it."
- "The firewall management is complex for beginners."
- "The firewall management is complex for beginners, and the solution could be improved by including icons that provide insight into what they are and how they function."
What is our primary use case?
What is most valuable?
The firewall security was very valuable.
What needs improvement?
The firewall management is complex for beginners, and the solution could be improved by including icons that provide insight into what they are and how they function. For example, the ability to understand what an icon does by hovering over it.
For how long have I used the solution?
We have been using this solution for three months.
Buyer's Guide
Tufin Orchestration Suite
May 2026
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
902,270 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and support?
We have had a good experience with customer service and support.
How was the initial setup?
I rate the initial setup a seven out of ten. Deployment on cloud is done through a web platform, and deployment on-premises takes two to three days.
What about the implementation team?
We implemented it in-house but got assistance from someone with hands-on experience with the product.
What's my experience with pricing, setup cost, and licensing?
The licensing costs for this solution are decent for the services provided. From my perspective, the prices should be higher because the organization that often uses this solution is critical.
What other advice do I have?
I rate this solution a ten out of ten. The solution is good, and no clients complained about it. Therefore, I recommend this solution for people seeking to use it, as they can never go wrong with it. However, for a beginner, it could be tricky to implement.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Works at a media company with 10,001+ employees
Helps in analyzing the current status of our firewall rules, but its pricing is not transparent
Pros and Cons
- "We can check and analyze the current status of our firewall rules."
- "Their pricing can be better. It is not very transparent."
- "Their pricing is not very transparent. This is my biggest point regarding Tufin."
What is our primary use case?
We are an IT service provider. We are using it in our company and on the customer side. So, we have internal customers, and we are also a solution provider for external customers.
What is most valuable?
We can check and analyze the current status of our firewall rules.
What needs improvement?
Their pricing can be better. It is not very transparent.
In terms of functionality, we have not had any particular or special disadvantages other than the integration, but every tool that you take to integrate with your infrastructure is more or less complicated. For example, you have a history in your firewall infrastructure, and the longer the history is, the more you have to work on it to integrate. We see that in our infrastructure. We have been a service provider for more than 40 years, and we have been on the market for 20 years. We have a lot of customers, and there are some individual requests and setups. For the integration of Tufin or any other tool, you need a certain level of standardization. We have more disadvantages on the site from different firewall vendors. For example, with Drupal, you can integrate any individual firewall, but for Fortinet, you have to use a Fortinet manager.
We are not looking for any additional features at the moment. We are not planning to buy any other modules.
For how long have I used the solution?
I have been using this solution for five years.
What do I think about the stability of the solution?
Until now, we have not had any problems in terms of stability.
What do I think about the scalability of the solution?
It has been scalable so far. We don't have any issues.
On the administration side, 15 people are working with it.
How are customer service and support?
I would rate them a six out of 10. In many cases, we had to escalate.
Which solution did I use previously and why did I switch?
I didn't work with a similar product previously.
How was the initial setup?
Its implementation process is complicated.
What's my experience with pricing, setup cost, and licensing?
It is expensive, but as compared to other players, it's more or less okay. Their pricing is not very transparent. This is my biggest point regarding Tufin. I've never seen a price list or something like that. It's always individual, and in many cases, it's very confusing to know what is the base and what is the price.
What other advice do I have?
I would advise thinking about which modules you really want to use. We are using it only to have a transparent view of the firewall rule base and nothing more. We are not using any modules of this solution because we want to be and stay independent. For example, for the execution of the firewall rules, we use our own system. We have also developed all the other things ourselves so that in the future, we can switch to another product. So, you have to take care that you are not fully dependent on Tufin.
I would rate it a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
DSI France retail banking networks at a financial services firm with 10,001+ employees
Suits customer needs in complex environments but licensing model for routing devices could be simplified
Pros and Cons
- "Policy management and the cartography of the network have been the most valuable features."
- "Once it is done, the solution runs by itself; exporting, reporting, topology, and changes are all handled by this solution."
- "The network part of the solution could be improved. It's too hard because of the Tufin licensing model for the routing devices."
What is our primary use case?
We use the solution on-premises.
What is most valuable?
Policy management and the cartography of the network have been the most valuable features.
What needs improvement?
The network part of the solution could be improved, specifically the licensing model for routing devices. Customers need to get the license easily in order to have the cartography of the network and build the other solution of Tufin, such as a secure change and secure application. To do that, we need the licenses for the network devices in complex environments where customers have a lot of network devices. It is too hard to get a license for each device, so Tufin should remodel the license model for these kinds of devices.
For the license for the security devices, it's okay that Tufin has a model for physical devices and for virtual devices. For the network devices, the main reason to have a license is to get topological information, routing information, and so on. With Tufin, it's a bit hard to tag all the devices that you need to build the topology of your network.
We have already talked to Tufin in order to simplify the license model for the routing devices because these devices are the main technology. The RN is just for routing information, not for the security and building access list, and building VPNs, and stuff.
In order to have that topological view, you need a license for each device. For that, the cost of the solution rises exponentially. Because there are a lot of routing devices for your network, in order to build the topology of your network, you have to spend a lot of money just on licenses for devices that aren't security but do routing work only.
They have to rebuild their licensing model in order to fit the needs of their customers.
For routing devices, we would like to have something related to the orchestration for the solution because we know that there is one for Tufin, but I don't know how it works, if it has to work with all the models installed, what the features are for that orchestration, and what the needs are for that model to work properly in a complex environment.
For example, we work in complex banking environments where there are a lot of bricks to communicate with. For that, what is the information needed for the orchestration in order to have an extensive look at the topology of our network, and after that, how the orchestration is going to implement the right accesses to main privileges on security devices all around the topology of our employment.
For how long have I used the solution?
I have been using this solution for five years.
What do I think about the stability of the solution?
We didn't have a lot of problems regarding the solution. It's a stable solution.
In order to have it running correctly, we had to dedicate a person to manage the solution. I work on it with Tufin and with some of our partners in the group. We have our Société Générale in the group. We have some other partners inside the group with Tufin in order to build this kind of model for the time to market objectives.
We didn't have a lot of problems concerning maintenance. We had two or three hardware problems that were solved remotely by support and for the upgrade and the OS upgrade because there are two kinds of upgrades to operate. The OSTs and the secure channel also have upgrades, which we did ourselves.
Tufin has a policy of publishing new versions of the Dell OS, so two versions a year. One is a final version, and the other one is a beta version. In a year, you get two or three updates. It's not very hard to follow the stream of changes in one year.
What do I think about the scalability of the solution?
We didn't have to expand the solution, but management has had thoughts about expanding the solution for other environments, for other clients, and for the customers.
How are customer service and support?
Technical support was present and responsive for our needs. We had some problems with the appliances. They were very quick to respond to our support tickets and to give the right solutions for the problems we had.
On a scale of one to five, I would give technical support a four.
How was the initial setup?
We needed someone from Tufin in order to get it installed. It's not a straightforward process from scratch. You have to build your own network with someone from the PS, and after that, you have to give a lot of information about your network, your devices, where they are located, what is the networking scheme of your network so that the PS can implement all that. After that, they can build the model for you.
On a scale of one to five, I would rate initial setup a three.
What about the implementation team?
We used engineers from Tufin for setup. They were responsive. They were experienced with the solution they sell.
What's my experience with pricing, setup cost, and licensing?
There is a permanent license for devices, but it's not relative to a device itself. Once you purchase 10 licenses for virtual appliances or virtual context, you can put them into different virtual firewalls, but you can reuse these licenses for other devices if you don't need them for the old ones.
For example, if you deploy new ones, and you don't need these licenses for the old context, you can redeploy them in another one relative to a device, like a Mac address.
The problem is that once you redeploy the license for another context, another rhythm, or another virtual appliance, you lose all the history and reports from the Syslog from the old one.
Which other solutions did I evaluate?
I haven't looked into the competition because we don't have the ability to choose between solutions for central management.
What other advice do I have?
I would rate this solution 7 out of 10.
The main brick in order to build your solution is the first step, which is having a good understanding of your network and good people to talk to when you want to build your topology. Once it is done, the solution runs by itself. Exporting, reporting, topology, and changes are all handled by this solution.
After the initial deployment, it is a stable solution. It can suit customer needs in complex environments.
A con is that it is very needy in terms of implementation such as small configurations. We had that problem with networking devices. We had to implement it to get all the information from all the routing devices. Even if they don't belong to our network, we had to have the information from MPLS devices on the telecom operator. Sometimes it was difficult to build the solution from scratch.
The Syslog part was a little difficult to handle. For the appliance we have right now, it handles the management, the Syslog, and all the needed modules in order to operate the solution. Sometimes, it is a little bit hard for the appliance to get straight to all the models it runs. Maybe with the new models of the appliances, it's easier for the appliances to run all the models. With the newer generations of the OS, I suppose that now it's more effective and less of a time-consuming process, but it's okay for us to upgrade after that in order to get all the new features in the new OS.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Engineer at a healthcare company with 10,001+ employees
Provides clarity around auditing but is a little behind on some of their support for the Palo Alto firewall platform
Pros and Cons
- "The clarity around the auditing provides the most value for us."
- "I am able to see auditing changes and changes in our firewall platform more clearly than with the native tools."
- "They are a little bit behind on some of their support for the Palo Alto firewall platform. I'd like to see that catch up, specifically around importing certain objects."
What is our primary use case?
There are five people using this solution in my company. I manage the team that utilizes Tufin. I have had experience with the demos that my team has given me in relation to the auditing of our Palo Alto platform.
I'm a consumer of reports. The reports are clear as long as they're set up correctly. I'm able to see auditing changes, and changes in our firewall platform more clearly than with the native tools. It seems relatively useful. It can also provide guidance on different configurations that we have.
The solution is on-premise.
What is most valuable?
The clarity around the auditing provides the most value for us.
What needs improvement?
They are a little bit behind on some of their support for the Palo Alto firewall platform. I'd like to see that catch up, specifically around importing certain objects.
What do I think about the stability of the solution?
From the Palo Alto platform, I remember hearing that Tufin required an update, so that would've been the only flash issue.
How are customer service and support?
Their customer support is responsive.
What's my experience with pricing, setup cost, and licensing?
The pricing is reasonable.
What other advice do I have?
I would rate this solution 7 out of 10.
My advice is to look at what is currently supported in whatever security technology you have because some of the features may already be covered. However, if you identify a gap in what you currently have, specifically around auditing, then I would definitely suggest looking at Tufin.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Executive Director at a financial services firm with 1,001-5,000 employees
Works well with simple topologies; ingestion of flow data could be enhanced
Pros and Cons
- "All the basic functions work well."
- "Lacks ability to create a Terraform that would enable deployment without manual steps."
- "It works really well when you have a single-vendor solution but it's just not as intuitive if you have back-to-back firewalls or you have a complex topology."
What is our primary use case?
Our primary use case is trying to make sure that when firewall rules are requested, they meet our compliance. Tufin has a notion of a universal security policy, where you line up the policies and we use the solution for that. We also use it to track all of the changes. I'm the executive director of the company.
What is most valuable?
Tufin gives us the rule, definitions and things of that sort, which is great. All the basic functions work well.
What needs improvement?
Our compliance goes through SecureChange and they give us the rule set and then the recommendation. Ideally we'd like to press a button and create a Terraform to put into the build and deploy. We can't do that yet and there are several manual steps which can lead to errors. We'd like that to change.
I would also like to see the ingest of flow data enhanced, so that multiple flow data can be ingested from different points on the network and be mapped out. The basics work, the issue is when you have a complex network because maybe you want flow data from the firewall and with Tufin it's only from a single source.
For how long have I used the solution?
I've been using this solution for over two years.
What other advice do I have?
Tufin is a good company. I think most of the products in this market have difficulty working across a multi-vendor solution, and that also applies with Tufin. It works really well when you have a single vendor solution but it's just not as intuitive if you have back-to-back firewalls or you have a complex topology. For simple topologies, it works really well.
There are currently some issues with this solution but if things improve with the new version, which apparently has some enhancements, I would give them a higher rating. For now, I rate this product a seven out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Project Manager at a comms service provider with 10,001+ employees
Good change manager and technical support but needs to be more comprehensive
Pros and Cons
- "The technical support is pretty good."
- "We really appreciate the change manager; it's one of the most valuable aspects of the solution."
- "The pricing of the solution is rather expensive."
What is most valuable?
We use two main modules. We really appreciate the change manager. It's one of the most valuable aspects of the solution.
The technical support is pretty good.
What needs improvement?
We need the solution to have full compliance with IPv6.
We also use VMware features and we need the solution to be fully integrated. We used to make micro-segmentation. We'd like to be able to do this again, and for that to happen, we need more integration.
The pricing of the solution is rather expensive.
It needs to be more comprehensive. There are also some drawbacks in trying to import a policy matrix inside. If some people design a policy matrix in the file, in an Excel file, the problem is that we will have to work a bit to interact with it properly. Something more economical needs to be in place to deal with the policy matrix.
What do I think about the scalability of the solution?
We have a small team working with Tufin. That said, even though the team is not a big team, we have a lot for it to do. Tufin now is our policy manager for the private cloud. It's the main policy manager. We also use Skybox for the legacy part.
How are customer service and technical support?
I've dealt with technical support in the past. They are okay. They really try to work with us. I'd describe them as being helpful and responsive for the most part. We're largely satisfied with their level of service.
Which solution did I use previously and why did I switch?
We also use Skybox Security Suite. We use both that and Tufin simultaneously.
How was the initial setup?
The initial setup was actually handled by another team. I can't speak to the implementation process due to the fact that I did not participate in the process directly.
What's my experience with pricing, setup cost, and licensing?
As an architect, the pricing seems expensive to me. For what it does, I would say it's expensive.
Which other solutions did I evaluate?
I can only really compare it to Skybox, which is a solution we also use.
If I compare it with Skybox, I see it is the best. It is better than the Skybox. However, we need it to do more.
What other advice do I have?
We are not a reseller. We are an IT enterprise. We are customers and end-users. That said, our relationship is evolving. It's becoming something like a partnership, as we need more features and are making suggestions and trying to develop it out a bit.
I'm not sure of which version of the solution we're using. I can't recall the version number off-hand.
I'd rate the solution at a seven out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Works at Daimler AG
Tufin is a great tool to automate Firewall change
Pros and Cons
- "There are a lot of benefits to using the reporting. It gives us duplicate objects, duplicate services, shadow firewall rules, and the firewall rules not needed for a given number of days or months."
- "SecureChange Workflow: It is Firewall Admin Robot, which handles the ticket right from receiving until the implementing process with documenting all the approvals."
- "There are pros and cons to the workflow. You cannot customize it fully and there are some limitations. You cannot create a pure object, a firewall, IP, or service (single layer) object. You can only create a firewall object group. That is one of the challenges."
- "Tech support is very bad. I would give a zero rating to tech support."
What is our primary use case?
Automate the firewall change via SecureChange Workflow
How has it helped my organization?
1. Policy Optimization by using Tufin APG under SecureTrack. If you have a wide open policy, and you want to restrict it into fewer lines of policy based on last 30 or 90 days hits, you can use APG tool to build restrictive policy.
2. Firewall Cleanup: Deleting unused rules, unused objects, and duplicate objects from the firewall database by using the report created by Tufin under SecureTrack. You can run this report on Tufin SecureChange to delete all the unwanted space. This will save tons of space on your firewall database.
3. SecureChange Workflow: You can link Tufin to a ticketing system to upload the firewall change ticket, and use the workflow to fully automate the firewall change process, from start to finish.
4. Topology: If you have a good topology, you don't need to see the routing table on the firewall or go through any Visio network design to find the L3 networks in your enterprise. Topology under SecureTrack helped me a lot.
6. Enterprise Unified Security Policy: Once I do have an Approved Unified Security Policy from the CISO, I don't need to ask approval for each low risk firewall change. USP not only saved CISO busy time, but also increased the efficiency of firewall team. The firewall change request doesn't have to stay in Approver Pending steps
What is most valuable?
SecureChange Workflow: It is Firewall Admin Robot, which handles the ticket right from receiving until the implementing process with documenting all the approvals.
What needs improvement?
1. Tufin workflow doesn't support IPS module, Identity Awareness Module, Policy Inline layer (Check Point)
2. Limitation on edit/create Group object: You can't create group Service object
3. You have to run Designer to Assign Firewall Rule Name, and Rule Number. By default, Tufin uses topology
For how long have I used the solution?
3
What do I think about the stability of the solution?
Tufin is very stable. There have been no major outages.
Sometimes there is an SSL correction between Tufin and the management server. Sometimes it gets broken but I don't know why. Apart from that, it is very stable.
What do I think about the scalability of the solution?
We can add as many firewalls as we need. It's just a matter of purchasing the licenses. It has good scalability.
How are customer service and technical support?
Tech support is very bad. I would give a zero rating to tech support. Compared to Check Point and Fortinet, Tufin tech support is worse. Even the Professional Services team doesn't like to respond to email. It is poor.
My team doesn't have a good relationship with Tufin. The Professional Services and even our Tufin account manager are not friendly. They're not helpful to us. But the Tufin product is fine.
How was the initial setup?
The initial setup was straightforward.
What's my experience with pricing, setup cost, and licensing?
I believe our cost is more than $100,000 per year.
Which other solutions did I evaluate?
We haven't evaluated any competitors or considered other products.
What other advice do I have?
Tufin is not mandatory to manage firewalls or to manage any products. But it supplements. It will help you to get approvals and to push firewall policies. In the long run, when you have to manage hundreds of firewalls, obviously Tufin will help.
We are working on the USP, but so far we only rely on Tufin between about ten and 20 percent to see USP violations.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Manager at PG&E Corporation
The Unified Security Policy has helped enforce our compliance requirements
Pros and Cons
- "This solution has helped us to meet our compliance mandates. We implemented the Unified Security Policy (USP). This helped enforce what compliance requirements that we had. We have mitigated and remediated issues that have been brought forth due to that USP showing us issues."
- "In January, it took us 25 days to process a firewall rules request, and by June, it took us eight and a half days using the solution, helping reduce the time it takes us to make changes by 66 percent."
- "The metrics need improvement. They need more consistency or understanding of automation, along lines of customization of automation."
What is our primary use case?
- Firewall audits
- Firewall rule processing
- Path analysis
How has it helped my organization?
We use Tufin to clean up your Firewall policy. We can look at the historical rules and find out what is violating our USP, then make a change accordingly.
This solution has helped us to meet our compliance mandates. We implemented the Unified Security Policy (USP). This helped enforce our compliance requirements. We have mitigated and remediated issues that have been brought forth due to that USP showing us issues.
What is most valuable?
Firewall rule processing and compliance are its most valuable features.
The visibility is good. Overall, I can see the rules and headcount.
The change workflow process is flexible and customizable. I made my own custom workflow.
What needs improvement?
The metrics need improvement. They need more consistency or understanding of automation, along lines of customization of automation.
Going forward, we would like a whole bunch of stuff regarding metrics and reporting. Also, a whole bunch of stuff regarding stopping SLAs when it goes back to the user or requester.
I'm struggling with cloud right now.
What do I think about the stability of the solution?
It is very stable.
What do I think about the scalability of the solution?
We own nearly two million dollars worth of equipment. It is scalable.
How are customer service and technical support?
I have not placed a technical support query.
What about the implementation team?
We used Professional Services with consultants for the deployment.
What was our ROI?
I'm saving 20 man-hours a week, so I am seeing some ROI.
In January, it took us 25 days to process a firewall rules request. By June, it took us eight and a half days using the solution.
This solution helped reduce the time it takes us to make changes by 66 percent.
What's my experience with pricing, setup cost, and licensing?
The licensing costs are a significant amount of money.
Which other solutions did I evaluate?
I am a previous FireMon customer. Tufin beats FireMon hands down.
What other advice do I have?
Give it a try. Get a full list of Layer 3 devices available, import it into Tufin, look at the topology, and work forward from there.
Currently, we are still not provisioning.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Network Engineer at a financial services firm with 10,001+ employees
Helps with auditing by proving what changes were done, when, and by whom
Pros and Cons
- "The best feature for me is being able to look up objects within all of our policies, because we have a little over 12,000 rules and over 30,000 objects. When one person says, 'Hey, where's my server?' I can just go to Tufin and say, 'Hey, where is that server?' and very quickly it tells you where it is, what policy it's on. That is a life saver."
- "Tufin is a convenient way for us to show and prove what changes were done, when they were done, and by whom they were done."
- "For me, there are two things that can make Tufin a bit better... [It needs] a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it."
- "The cost is too much. For us it's around $40,000."
What is our primary use case?
We use it for rule re-certification and rule review. Twice a week, we use the Tufin report to see what changes or adds were done to the policies. Finally, we also use it for rule automation. We have it integrated with ServiceNow for rule requests.
How has it helped my organization?
It has improved our organization through the beginning of automation. It has also helped in terms of auditing. Tufin is a convenient way for us to show and prove what changes were done, when they were done, and by whom they were done.
Tufin also helps ensure that security policies are followed across our entire hybrid network. We use the USP, Universal Security Profile, which is governed by our cyber team. That team sets up the parameters and then, through the automation, when a request comes in, the first thing it does is check if it meets or violates. If it violates, it sends it right back to the requester. Another way we do it is that when somebody puts a request in, it goes through the USP. Then the cyber team combs through it to make sure that whatever service they're asking for can happen. For example, if someone wants Dev going to the internet, of course that's not going to happen. They'll filter all that out before it comes to us. Once it comes to us, we'll implement it, and then we comb through all the reports and make sure that nobody missed anything.
It also helps expedite changes.
What is most valuable?
The reports are very valuable. In terms of cleaning up firewall policies, we use Tufin to gather information in the reports. However, we don't automate Tufin to do the work. It's still done by a firewall engineer.
But the best feature for me is being able to look up objects within all of our policies, because we have a little over 12,000 rules and over 30,000 objects. When one person says, "Hey, where's my server?" I can just go to Tufin and say, "Hey, where is that server?" and very quickly it tells me where it is, what policy it's on. That is a life saver. Without that, I'd be a janitor.
The visibility it provides is also very good.
The change workload process is flexible and customizable. For example, we have it working with ServiceNow. When somebody requests to have a rule in place or requests a firewall, they will first go to ServiceNow and put all their information in. ServiceNow then sends that over to Tufin and Tufin does its magic - verifies the USPs and does the design. That part is simplified. However, there are little mechanics in between that could be a lot better.
We use the solution to automatically check if a change request would violate any security policies or rules. Our cyber team is on it as well. We comb through all the changes done for that rule and verify. Before we do a push, we verify that there was no compromise to our security posture.
What needs improvement?
For me, there are two things that can make Tufin a bit better. This could be something on my end that I don't understand or maybe it can already be done and I don't know, but the two things that I am hoping to get out of this couple of days here at Tufinnovate 2019 are: have a better focus on automation - automating a lot of the processes; and automating rule re-certification, or at least finding a way to simplify it.
In my industry, the banking industry, we're heavily regulated. Auditors are everywhere and they want everything accounted for. When I do a rule re-certification, I have to justify why that rule is still there, who is using the rule, what's going on. Or if it hasn't been used, I want to get rid of it. But I don't want the onus to be on the firewall team. I want that onus to be on the person who requested the rule. I'm trying to figure out a way that I can have Tufin say, "Hey, look, John or Joan, your rules haven't been used in a year," or "Do you still require these rules or these servers?" and it would give them buttons to click, either "yes" or "no".
If they hit "no," Tufin would say, "Thanks very much," and disable them for 30 days, in case they made a mistake, and after 30 days, it would remove them. That type of automation would save us so much time. Right now, there are three people doing that job.
As an example with rules, when I look at a rule it will tell me how many days it was hit, when the last hit was, when it was last modified, but I can't get a creation date. What date was it created? It must know when it was created because it created an OUI for the rule. I asked support and they said, "Well, go here, go there, do this, spin your head and tap three times, and if you're lucky..." And I'm thinking, "Can you not just tell me the date it was created?" Then I could filter on those as well. Right now, I can't filter on rules that are over five years old, for example. Even when they're in use, I still want to see old rules. Maybe they've got old services that shouldn't be working anymore.
I would also like to see better logging.
SecureChange could be a bit better, at least with integration with ServiceNow or some of the other ticketing tools.
What do I think about the scalability of the solution?
The scalability is amazing. We have it in two data centers. We have full redundancy with it. I have no qualms about its scalability, whatsoever.
How are customer service and technical support?
Technical support has been very good. I've dealt with Professional Services and I dealt with a programmer when we did our ServiceNow with Tufin. They were really good; two of the best guys. Top-notch. My Professional Services guy is awesome. He's my go-to guy. The other gentleman, whose name is Neil, was really good. He was very kind, very accommodating, top-notch.
Which solution did I use previously and why did I switch?
The switch to Tufin was done before I got to this company, but if I had to guess, I imagine somebody tried to jump out of the window or thought, "I'm going to go nuts if I have to look up one object in a pool of 30,000 and 8,000 rules." It's over 80 firewalls.
How was the initial setup?
The initial setup was complex because we had to integrate with ServiceNow. That's what made it complex. Tufin would say, "Hey, we can do this," and ServiceNow would say, "Yeah, we can't do that." Or ServiceNow would say, "We do it this way," and Tufin would reply, "Yeah, that's not going to happen."
If it was just a stand-up and write some custom workflows, that would have been a lot easier.
What about the implementation team?
We had a vendor or reseller with us, but they didn't have much experience with the size of network we have, so they were more listening in and trying to get experience while things were going on. I'm okay with that. At the end of the day, it was the Tufin guys who actually brought it all together.
What was our ROI?
If we look at the cost of a firewall engineer and the time saved as return on investment, we have seen a return. If we didn't have Tufin at all and the work that I'm doing now had to be done manually, those hours are about a four-to-one ratio. So that is a return on investment.
What's my experience with pricing, setup cost, and licensing?
The cost is too much. For us it's around $40,000.
What other advice do I have?
I've already recommended Tufin to other people, absolutely. There was another company that has Check Point, I'd meet with them at Check Point expos and we'd talk. I would tell them I'm doing the rule re-cert with the bank and tell them, "Get Tufin." The first thing you want to do is get SecureTrack. Get it set up, get it working. Then you can grow from there. If you don't know what's going on with all the policies, you're blowing your brains out. I always recommend Tufin.
We're working on getting the solution to help us meet our compliance mandates. That's one of my projects, starting this year.
In my opinion, the solution’s cloud-native security features are good. I just don't have anything to compare them to. I can't say I have worked with AlgoSec or FireMon so I can't compare Tufin and say, "Oh, you guys are much better than that guy." Tufin is the only product I've worked with in policy management.
Tufin is better than the way we're using it. I firmly believe that we're not using it to its full capability. It's like having a Ferrari in the garage but using it to go get groceries. Someone might look at it and say, "Oh my God, we could be on the Autobahn, flying." And I say, "Yeah, I know, but I need groceries." I don't think we're using it to its full potential. However, from what I'm seeing now, and in future developments based on this conference, it's going in the right direction.
I would rate it at eight out of ten. We are strictly a Check Point shop for firewalls. We don't have other vendors. I can see where, if I had Palo Altos and Fortinets and Ciscos, Tufin would be a godsend. I wouldn't have to go combing through every vendor. Whereas for us, it's already together. That may be why I don't rate higher.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Security Operations at an insurance company with 10,001+ employees
We use this product to sharpen our change cycle
Pros and Cons
- "We use this product to sharpen our change cycle. A request used to take quite a while as we did manual assessments. A lot of that is now done through SecureTrack."
- "In the past, we would do certain things because of private knowledge of people's own understanding of the network. We don't have to rely on just that piece of it, because of the topology. We now know which firewalls come into play."
- "The solution has helped us reduce the time it takes us to make changes from weeks to days, and engineers are spending less time on manual processes by about 15 to 20 percent."
- "The product that we have deployed for our main process gets bogged down in terms of its response. Maybe, we need to deploy a slightly smaller box. Eventually, we need to discuss this with Tufin to see if we can move over to some sort of VM environment where we can add more processing power to it."
- "Our initial setup was complex from two dimensions, because we were deploying it globally and had to have a centralized view, but a distributed approach. We had it in Asia and North America, causing a slightly complicated approach."
- "We do have an ongoing issue with capacity. If one of our resources is working on it, nobody else can do anything."
What is our primary use case?
The primary use case of Tufin is firewall management, firewall reviews, and eventually, to do rule deployment.
It was more to start standardizing our prior work changes. The initial first step is to understand and make sure that whatever change goes in is complying to our policies and standardized. The eventual goal is to get everything automated.
We are using SecureTrack at the moment, but we do have licenses for SecureChange as well.
How has it helped my organization?
We use this product to sharpen our change cycle. A request used to take quite a while as we did manual assessments. A lot of that is now done through SecureTrack.
At this stage, we are doing only manual checks. We are only using SecureTrack to verify the flows through Tufin. At a later stage, when we will also automate certain types of rules to be done through SecureChange, this will tremendously help us. We are not there yet, but this will help us in terms of time and resource costs.
In the past, we would do certain things because of private knowledge of people's own understanding of the network. We don't have to rely on just that piece of it, because of the topology. We now know which firewalls come into play.
We use Tufin to help us clean up the firewall policies. It provides very easy reporting. We get all the aged or unused rules listed very quickly, as soon as we run the report. It's a quite easy way of doing it. However, we have not automated our process. We are hoping that at some point that we will be in a position to automate that process.
We use the solution to automatically check if a change request will violate any security policy rules. If a request comes in, and it is from an Internet zone going straight out to an inside secure zone, then we definitely flag it. There are other policies that we find in our USP, which we flag. These are the type of things that we check.
We definitely use the compliance reports, which have simplified things. However, we haven't fully integrated it into the GRC process with Tufin yet. The desire is to make sure our GRC resources are fully aware and engaged in our Tufin deployment.
We are leveraging some components to provide reports for our GRC process, but there is no plan to integrate those processes. Those are run by different teams. We were planning to integrate our ticketing system (ServiceNow) with Tufin, which is ongoing. We are working on that now.
What is most valuable?
The central repository of information provides a consistent way of doing things, eventually shortening the time period to make changes. This is the most valuable thing at this point in time.
I'm very happy with the visibility component. It gives us a reasonable insight into most of the application flows. Obviously, most east-west application flows are missing from what we have. That is a component which we will need to eventually fill in the gaps.
Between the cloud and physical data centers, we definitely share Tufin policies. That definitely gives us visibility into both.
What needs improvement?
What I would like to drive value from is getting to a point where we are almost like a DevOps operation for security changes.
We have put in a lot of requests. Some of them are high level related to cloud. Others relate to some of the reporting structures that we have. E.g., some of the automated reporting capabilities for specifics on certain regulations. Certain countries have certain regulations, and with GRC, if we can associate that on certain regulations, then we can spit out reports from that.
We would like to see integration of the different versions of this product, e.g., SecureChange and SecureTrack. They eventually need to start amalgamating all these into an end-to-end product for visibility.
What do I think about the stability of the solution?
We do have an ongoing issue with capacity. If one of our resources is working on it, nobody else can do anything. If a particular report is being run on the server, nothing else seems to work. We haven't done anything about it as of yet. Maybe some of my team members have opened tickets to Tufin for it.
What do I think about the scalability of the solution?
I am not sure about the scalability. The product that we have deployed for our main process gets bogged down in terms of its response. Maybe, we need to deploy a slightly smaller box. Eventually, we need to discuss this with Tufin to see if we can move over to some sort of VM environment where we can add more processing power to it.
We have a global implementation.
How are customer service and technical support?
Whenever we have had a problem, some of my engineers contact Tufin and they have been very easy to get a hold of. From my team, they have not had any problems with the technical support.
Which solution did I use previously and why did I switch?
We were using Tufin before, as well, but it was not the same. It was separated into localized instances and regions.
We sort of saw that the volume of changes were coming in high. The patience from the business side was getting low to invest the time that it used to take to make firewall changes. Therefore, it was inevitable that we need to purchase a solution.
How was the initial setup?
Our initial setup was complex from two dimensions, because we were deploying it globally and had to have a centralized view, but a distributed approach. We had it in Asia and North America (US and Canada), causing a slightly complicated approach. Prior to Tufin, we had three instances which were separately managed, so we did not have end-to-end visibility. Therefore, we rearchitected the Tufin environment and created one global Tufin instance. The retail instances became local collectors, which reported back to the single environment.
From the start of the project to the end of the project, the deployment took us a while, at least five to six months. Most of the time involved was not because of Tufin. It was primarily for us to handle all of our separate service providers and outsourcers globally, so they could all provide us with read-only access to the firewalls that they manage.
What about the implementation team?
We deployed the solution in-house. It was pretty straightforward to deploy.
What was our ROI?
The solution has helped us reduce the time it takes us to make changes from weeks to days.
Engineers are spending less time on manual processes by about 15 to 20 percent. I would like to get a bigger number.
We didn't buy this based on ROI, so we didn't measure ROI. Overall, from a time savings perspective though, it is definitely there.
What's my experience with pricing, setup cost, and licensing?
The licensing costs are around $250,000 to $300,000.
There are ways to deploy the license to different types of firewall. However, if we decide to change the physical brand of the firewall, we need to go back to Tufin and modify the licensing. This is a hassle.
Which other solutions did I evaluate?
We did not consider anyone else, because we already had an unused, unimplemented Tufin license. We eventually thought to start consolidating everything into one place.
We decided on Tufin because:
- It was an existing tool.
- It served our purposes. It provided us the essential components for managing a varied environment of different types of firewalls.
- We felt that there was enough potential in the organization to grow with us and provide capabilities, like cloud, VM environments, etc., under the same umbrella.
What other advice do I have?
It gives us visibility and the ability to make changes automatically with fewer mistakes. Overall, it's a decent product.
Tufin is definitely a good contender to come as a winner. It has the potential to look not only at firewalls, but also network devices and other cloud-native solutions. It is a pretty broad base product, which will eventually be a good future tool to have in a toolkit.
We haven't used the workflow from Tufin. We use our own ticketing system for that. We are busy integrating our ticketing system with Tufin right now using an API. We are just in the process of doing that.
Tufin helps us understand and ensure that security is being applied. Tufin is not a security tool. It just gives us all the information about security, firewalls, etc., and that they are doing their work. From that perspective, it would be a long stretch to say that Tufin provides us security. However, Tufin provides us the information that we have security across hybrid environments.
All of our cloud-native security features are directly taken from cloud management tools. We don't have anything deployed yet from Tufin for cloud-native security features, but there is a desire for that.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.