Tufin Orchestration Suite Reviews

The primary use cases are firewall support and generating rules.

It is definitely a time saver. We can process more rules on a daily basis. It allows the customers to request their own rules. Sometimes, they need a little help, but they can submit it. As long as it passes the risk analysis, because it has to get through our NSA group. We just apply and push it that night.

We use Tufin to clean up our firewall policies. It benefits us, because you can run a query for whatever your cleanup criteria is, e.g., "Has it been hit in 90 days?" It displays the list, then you can see the rules right there. If you want to get rid of it (or highlight it), then it creates a ticket that goes ahead and flags them all as disabled. While you can delete them, we always disable first. Then, we have a strip that comes back, and if it's been disabled for 90 days, then the system will remove them.

The change workflow process is flexible and customizable. When we first got it, Tufin created a workflow based on our requirements. Since then we have modified and tweaked it. We added in Palo Alto, and we just keep adding steps. We can also add scripts. We have multiple scripts for a workflow, which makes it very flexible. You write the script and plug it into the workflow, then it's working.

We use the Unified Security Policy to automatically check if a change request will violate any security policy rules.

This solution has helped us ensure that our security policy is followed across our entire hybrid network. It is the same Unified Security Policy editing each request. It is the same set of rules. If it's good enough for Check Point, then it will be good enough for Palo Alto, and it's all zone based.

The rule provisioning is the most valuable feature. We had a ticketing system, like Remedy, which had a homegrown product. It would take your source destination port and do a bit of analysis, then give us a ticket with the spreadsheet. Then, we had to take the information from the spreadsheet and enter it into the firewall. Now, with Tufin, it identifies which firewalls, generates the rules, and you just apply them. It is a big time saver.

When it comes to searching our firewalls for things, I prefer the Policy Browser as opposed to going to the GUI. It seems just easier to search. I can start off with our Provider-1 for Check Point, search there, and get the information. Then, I can change the little drop down to say, "Okay, now go search Palo Alto." I don't have to change my search criteria, the platform pulls it right up.

We like what we have seen out of SecureTrack 2.0 with its improved search capabilities, where you can do greater than, less than, not equal, etc. Right now, if you're in there and you want to do a search, you have to write it in a specific way, since you can't use a not statement, less than, or greater than. Therefore, it will be a lot easier to maintain your USP because it has the new editor. It looks more like a spreadsheet online. I am just a little disappointed to hear because we are using SecureChange that we can't go to SecureTrack 2.0 yet. We have to wait for a couple of more versions.

On Palo Alto, we were told that you want to go with the panorama. Then, all the gateways are under it, so everything you create has to be as a shared object. When we first brought this to Tufin, Tufin said, "No, it's more secure to only have local objects." However, it sounds like Palo Alto has now convinced Tufin that shared objects is more the way to go. Otherwise, you have a lot of stuff filtering down to all the firewalls. Tufin gave us a script to plug into our workflow to make things shared, but I am expecting this will become more a part of our base product.

They have found some things, like our database is huge, which they finally realize. I guess they didn't really have in their plans to do much with shared objects on Palo Alto, but they are saying that this is what is really making our database swell. They are saying it's on their side and are putting in their fixes to fix it, which is good.

The topology needs improvement. If I click on the network tab, I can go get a cup of coffee, come back, and my topology is still not painted. Maybe, it's just because we have so many devices, but looking at the topology, it is too slow. The problem is that when I click on the network tab, I do not want to see the topology. I want to click on the "Next" button, so I can put in the source and destination, so I can see the path. However, I still have to sit there and wait for the topology to load, and it's frustrating. I'll click on topology and try to click that "Next" button in time to where I can get around it. But, typically, you have to wait for that topology to paint. When it paints it, it's just a bunch of black smudges because there is just so much there. It can't paint it to where you see something. I can always zoom out, or something like that, but it's really worthless.

It seems stable. We've had problems always with the same box, which is our SecureTrack primary. We are probably on our seventh one. The last one, Tufin took it to their site. They shook it out, tested it, and beat it up, then gave it back to us. Since we were already on the standby box, we just had it up there running. It was in the HA cluster. As soon as somebody did some switch work, it failed over. Within a couple of hours of being on that box, it crapped out. 

We have definitely added gear, so it is scalable. We've added two more distribution servers and probably seven or eight more collectors. It is definitely scalable.

We'll get somebody who is our main person, then all of a sudden they will be doing something else. One guy used to be our support person, and now, he is a TAM. 

We are a tough account. With some of the issues that we have, the support team has told us, "You are the only ones who have ever had this." We are like, "Really? Why?"

They usually come up with a solution. It may take a little longer, but they do come up with a solution.

The previous solution was written in-house. 

We had a product called Skybox and whoever wrote the app would query Skybox for compliance, etc. Then, it would generate a spreadsheet, and we had to work off the spreadsheets. They sort of knew that this wasn't very efficient.

The guy doing the initial setup made it look very easy, but it took us a little while to get up to speed on it.

We used Tufin for the deployment.

This solution has helped reduce the time it takes us to make changes. Previously, it was taking up to seven days. Now, unless there is an issue with the request, we usually have it done in a day.

We did PoCs. We looked at FireMon, AlgoSec, etc. Tufin came out on top, so we started implementing it, as it was the product that we chose.

With AlgoSec, you had to pay them for all of your workflows. So, if you wanted the workflows, you had to pay them. I don't know how quick that would be as a turnaround, because we would have had to do the whole, "Here's what I want." We didn't like that at all.

Tufin has been a good investment. Unfortunately. We've got some people in our organization who are in love with Skybox and think Skybox can do no wrong. They are trying very hard to replace Tufin with Skybox, even though Skybox hasn't even done any provisioning. I think they're just misguided. It's a product that they love, and maybe it is good at compliance, but as far as provisioning, I haven't seen it. 

Give Tufin a good look. The Tufin team is always trying to stay on top of it. When Check Point came out with a R80.10, it wasn't very long before Tufin could generate rules or provision to R80.10, which was good. Now that R80.20s are out, they can provision to those. I think R80.30 is close, but I haven't heard them saying that they can provision to that yet. They can also provision to the latest versions of Palo Alto. Since those are the two that we have, I don't know about Fortinet or Juniper, but I'm sure they're trying to stay on top of those as well.

We're not really using the cloud parts of it yet.

Our engineers are spending less time on manual processes. However, it does depends on what you call engineers. Our firewall engineers don't do much with Tufin. We had a dedicated engineer, but he changed groups with the promise that he was still going to support Tufin. He wasn't over there very long and now no longer does anything with Tufin. We are pretty much on our own. We came up with our own solutions. We have some people who are good at writing scripts and are pretty self-sufficient.

We use this solution for firewall rule management.

Using this solution has drastically cut down on our implementation time. A customer is able to submit a request for access and Tufin will automatically analyze the system to find out where the rule needs to go, and then design the rule for you. It was a very, very cumbersome process that has been cut from months to days. Some access requests used to take two months to get through the system, whereas now the average is eight days or less, and we even have a same-day turnaround in some cases.

Our engineers spend less time on manual processes. The improvement is drastic, from months to days.

Every single request that comes through, Tufin checks and does a risk assessment against our USP, the Unified Security Policy.

This solution has helped us from a compliance standpoint. During an audit, we were able to pull up the policy browser within the system and show the auditors where the rules actually live, and then show them in the firewall as well. Moreover, we could then show them the ticket and the request, along with the business justification and the entire history behind each individual rule that's in the firewall.

Tufin helps us ensure that the security policy is followed across our entire hybrid network. We have Palo Alto firewalls, Cisco firewalls, and VMware NSX firewalls as well. Tuffin sees all three of those. Every access request that comes through is checked against the USP to make sure that we're not violating any policies, and we're in compliance.

The most valuable feature is the ability to quickly identify where a rule needs to be put in place because right now we manage almost five hundred firewalls.

The visibility that this solution provides is great.

The workflow process is very customizable. I've played with it quite a bit in order to tailor it to our needs.

One of the big things that I want to see, based on feedback that I have received, is to give somebody read access to your ticket. In our previous, in-house system, this was called a "reader". Right now, Tufin's SecureChange ticketing system only allows you to see your tickets, and nobody else's unless you're a firewall administrator. That is by design. However, at our company, many people come and go and there are many large projects. We need multiple people to be able to see multiple tickets. The problem is that we can't open up the entire system to everybody because of compliance reasons. We want to have the ability for a ticket requester to add somebody, or to give somebody view rights to their ticket. A simple drop-down that would allow you to select the name would be sufficient.

This solution is very stable. Once we got to a certain release, somewhere in version R18, it was stable. Before that, it would slow down after about a week or two of running and would cause us to have to restart the system.

We've added more servers to process the load, and it's definitely helped speed up the system.

At this time, we manage almost five hundred firewalls.

Technical support for this solution has been helpful. We also have a Tufin RE (Resident Engineer) on staff, three days a week, so that helps too.

The previous system that we used was something that was homegrown, just built in-house. It was only a ticketing system. Everything else was done manually. My employees would spend days just trying to figure out where the rules needed to be applied, and how the rules needed to be designed. It was a very long, manual process.

We used a consultant from Tufin, itself, for our deployment.

Our ROI is realized through time savings, whether it's in the deployment or redeployment of something, or any other task that requires the creation of a firewall rule. The request would be made months in advance because they knew it would take months to get it place. Nowadays, sometimes they'll find out last minute they need some rules. They'll submit the ticket, contact us, and ask for a rush order on it. If we've got somebody available, which right now we can do because we're able to turn things around faster, we can do a last-minute large request and push it through within a day or two. The savings in time is something that I don't even know if I can calculate properly.

I believe that FireMon was considered before we chose this solution.

This solution works very well and it does the job. The product is pretty solid. At the same time, some of the small customizations would be very useful. It just needs little minor tweaks to really take it to the next step.

My advice to anybody who is researching this or a similar solution is to give it a look. Don't overlook this solution because you haven't heard of Tufin, because it's actually a really decent product. 

I would rate this solution an eight out of ten.

We primarily use this solution for Change automation. We do not use USP, yet.

This solution has somewhat helped us with meeting our compliance mandates. We’re still working on it, and it’s a work in progress, but we’re better than we were.

Using this solution has helped to reduce the time it takes us to make changes. Our average was about five business days, and we’re down to same-day delivery. For some of our environments like QA and non-production, where we allow changes during the day, they can be done right away. 

Our engineers are spending significantly less time on manual processes.

The most valuable feature of this solution is that it reduces both the time required and the number of errors when making changes. We reduced the time it takes to make a change from a week down to a few hours. It means that the business gets a faster turnaround time, and our group is not as much of an obstacle for getting things done. It reduced the change error, so there is a lot less manual work being done.

The automation provided by this solution has mostly eliminated the human error element.

The most powerful thing in Tufin is the ability to use the SecureChange API, where we can supplement our own functionality in addition to what is built-in.

There are some limitations in the product and we were unable to use the Clean Up reports. 

We haven't been able to use the unified security policy and a lot of the violations and stuff like that. So, we're not getting a whole lot of visibility. Again, there are limitations there, so we haven't been able to deploy that yet.

USP does not support VPNs, which is a big thing for us, so we haven't been able to utilize it.

One thing that could be improved is the moving of data from one step to the next. As it is now, we have to manually do that via the API, but there should be a way to carry over data between the different steps without us having to code that.

It could definitely use some refinements and utilize fewer resources. It uses a lot of hardware to do not a whole lot of tasks.

This solution is stable. We don't have any issues with it, but it's a resource hog.

This solution is not entirely scalable, although we have a very small footprint, so we don't really need it to be. For our use case, it's okay. I think that the distributed architecture, which we don't use, would allow it to be a lot more scalable, but I haven't had any experience with that.

Technical support for this solution is good. We have a technical account manager and he's been right on point with most of our stuff. It's a fairly complex thing that went to R&D. It took some time, but that's to be expected.

The initial setup was completed before I was there, but I have heard that they had a lot of issues with setting up high availability. Other than that, it was pretty straightforward.

We used a G2 reseller for our deployment and it was a good experience.

Our licensing fees are approximately $250,000 USD.

This solution checks a lot of the checkboxes, but it seems to be quite limited in some of the more advanced features that the firewalls do. This can be quite restrictive in terms of what you can and can't accomplish with it.

I have indeed referred two former co-workers at another company to look at this solution. I think that it would help them significantly.

The newer, more advanced features that we would like to use are just not supported by Tufin yet. I think that it's in their roadmap, but they just aren't there yet. Specifically, we are doing things like URL filtering, user identification, decryption, and inspection, which are typically done by devices other than firewalls. Palo Alto supports it, and we're using it, but it creates some complexity with the automation.

I would rate this solution a seven out of ten.

We use the SecureTrack component for several things including the maintenance of firewall rules. Examples of this are identifying rules that are no longer in use and identifying shadowed rules that can be consolidated. We also use this solution to look for violation policies, as well as unused rules.

We use this solution in AWS and in our on-prem firewall.

The number one benefit this solution provides is time savings. Both I and another engineer save hours upon hours of work spent creating reports, which Tufin now does for us. This is reclaimed time now well spent on other things.

Tufin has done a very good job in improving upon the USP policy for violations.

Our engineers save quite a bit of time that was previously spent on manual processes.

The most valuable feature is the ability to gather all of the firewall information without having to do it manually. It makes it much easier and saves time.

We use Tufin to clean up our firewall policies. By doing so, we don’t have a bloated firewall policy that can, in the end, cost more in terms of processor overhead.

The GUI needs more visibility in terms of licensing because it is hard to tell which products and licensed and which are not.

The USP can be improved, as far as I can tell.

I would like to see better integration and compatibility with the Azure cloud. We are not using Azure today, but I've asked questions about it and there are limitations.

This solution is solid, as far as I can tell.

We haven't pushed this product to the point where we have to scale out.

I haven't had the opportunity to use technical support.

The driving force behind implementing this solution was to obtain reports that help us get to the heart of the matter, ultimately saving time.

I have worked with Tufin before, so I found it to be straightforward, out of the box.

We used a reseller and an integrator, and we are working with an integrator right now. They are G2 Deployment Advisors LLC.

I am not aware of any other solutions that were evaluated before choosing this one.

The visibility provided by this solution is invaluable. It's easy to gather this information to share within our group and also outside of our group, with for examples security compliance individuals.

We do not have mandated compliance in our environment. However, we impose it upon ourselves and this solution helps us to gauge where we are.

In terms of the cloud-native security, there are some limitations because you can only pull from it what they’re willing to give you. Overall, it’s the same as whatever we do on-premise.

My advice to anybody who is implementing this solution is to ask a lot of questions. Use this solution to the hilt during the POC, making use of anything and everything. Every place is different, so use it for what you need to and beyond, so that you get an assessment as to what it can do for you.

This solution saves us a lot of time that we don't have, but there is always room for improvement.

I would rate this solution a nine out of ten.

We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control.

We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation.

I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of installations and initial configurations and also some first-level support and maintenance.

I have seen our customers benefit by taking out massive amounts of duplicate objects, and overly permissive rules. Tufin helps to clean up their firewall policies. A common scenario we see is one where clients have a whole lot of shadowed rules, duplicate rules, in their firewall policies. Tufin's Policy Browser allows them to filter them and search for them. They can also search for those rules that violate certain Unified Security Policies that they've defined.

Every single one of our SecureChange customers has seen significant improvement in the time it takes to make a change.

The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions. I'm a little biased because that's what I work with the most, but I have found, especially in comparison to other products I've interacted with, that the Tufin APIs are very well-documented. And the big thing about them is you can do pretty much anything with them that you can do in the UI. From what I've seen, the big focus of SecureChange, in particular, is automation. And you can't have automation - or complete automation - without the ability to interconnect with other systems. The APIs really assist with that.

All of the customers I have worked with who have the SecureChange product use the change request violation risk analysis in the workflows. It is usually the third step of every workflow that I configure. For example, we have an energy customer that has a particular team of people which deals with a given workflow if it has risks. They have Tufin set up to automatically run the risk reports and, in the next step, if the risk is considered low, it goes to one team; if it's considered medium, it goes to a different team. That really allows them to move their changes along without too much human intervention or too much delay.

The solution allows for the creation of custom policies, which is helpful for rule cleanup and USP.

The visibility is as good as I’ve seen in any network product. It also has its own firewall stuff for Cisco routers.

The support for cloud-native security is pretty good. We have a large customer that uses AWS and AssumeRole, and they have 200 or 300 AWS accounts. They are pretty satisfied with the solution.

Tufin also supports all sorts of devices, cloud or otherwise. I've definitely seen unified security policies applied to both cloud and regular devices. Cisco, Palo Alto, you name it.

Support for Firepower is still ramping up, but meanwhile, some things are missing.

I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that.

This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow.

There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."

I haven't run into very many issues with stability. HA is the only weak point that I've seen. In the past, a lot of the HA upgrades had to be done separately. Recently, I had an HA upgrade that failed during the process, and we had to restore from a backup.

This solution is extremely scalable. I've seen customers with multiple hundreds of firewalls and there are no issues. The specs that they post on their Knowledge Base are pretty accurate as far as performance goes.

Technical support for this solution is very good. Every time I run into an issue that I can't resolve with a customer, I reach out. There has not been one that was not resolved.

Clients typically choose Tufin for a feature that it supports which other solutions don't have: a certain firewall or perhaps provisionings on a certain firewall. Tufin tends to release new versions very quickly with changes that are high-value. Also, as mentioned, the SecureChange workflow solution is very flexible.

The initial setup is pretty straightforward, as all you need to install it are IPs and credentials for your firewalls. However, once you go beyond that, the effort you put in is what you get out. In terms of creating zones and Unified Security Policy, those are things that you work on for years.

We handle the installation and configuration of this solution for our clients.

There are certainly clients that consider FireMon and AlgoSec.

The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation.

The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic.

This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows.

The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product.

I would rate this product a nine out of ten. There is a lot that can be sped up in Tufin if you have someone to help you through it.

We use this solution for firewall compliance reviews.

This solution has helped us to speed up our review process. After we do make a change, we're able to quickly review what has actually changed. 

This solution has helped us with compliance because we're able to map out certain firewall rules against compliance requirements, and we're able to write reports to show us exactly what our firewalls look like in those areas.

From our perspective, the most valuable features are the compliance and firewall reporting modules. Indirectly, we use Tufin to clean up our firewall policies. We run reports, and then use those reports to drive improvement in the firewall rules. The visibility into the Check Point firewall rules is a lot easier to look at using a Tufin report as opposed to a Check Point report.

This provides good visibility of our firewall rules. Using Check Point is a little cumbersome to get what you need, so with this solution, we’re able to filter through and better get the information.

Tufin has a lot of tools for PCI compliance, as well as other modules that support things like SOX, but there is nothing substantial out there for the NERC CIP space. It would be nice to have some automated tools for NERC CIP compliance.

One of the areas that I've had challenges with is making complicated reports. There is an ability to pull in CSVs, but I've struggled to find the format that the CSV should be in.

I could spend hours building out a policy to check the firewall rules, and then the next person comes along and they don't see it because it's stored within a user profile. Consequently, they have to build out the exact same thing for hours instead of just being able to export it, and then import it into their profile.

The stability of this solution is fine. We don't have any issues with it, at least as far as I know.

It seems to be really scalable once you have all of the modules working together. We have a broad array of subgroups that we're working on compliance with, from really small to really large, and it works well with all of them.

I've never had to deal with their technical support.

I was not part of the initial setup of this solution.

Using this solution has allowed us to reduce the amount of time we spend making changes by approximately twenty percent.

This solution has a lot of functionality that we aren't using at this point, but it seems to have the flexibility and scalability. The drawback is the lack of integrated NERC CIP.

For anybody researching this or a similar solution, I would always tell them to look at all of the available options, but Tufin does all of the things that we needed it to do.

I would rate this solution an eight out of ten.

We use this solution for workflow intake and policy cleanup. It is also used for firewall policy requests.

We make use of the ability to automatically validate changes to security policy rules. For example, we have four workflows currently in SecureChange, and for two of these workflows, the very first thing that we do in response to a policy request is to evaluate it. We check to see if the new policy is needed or not, and we determine how to proceed from there.

The biggest benefit for us is from an efficiency perspective. The longest part of our firewall policy implementation has been verifying the network and finding out where policy needs to be put in place. Tufin takes this job down from a day, to sometimes five minutes.

This solution provides a more organized manner for us to track towards compliance for our PCI audits.

The most valuable feature for us is the topology validation that is part of the workflow.

This visibility that this solution provides is better than that of the competitors that I have looked at.

When this solution works in the way that we need it to, my impressions of the change impact analysis are very good. The hardest thing for us is the inefficiencies with topology. This often means that the results we get are inaccurate.

One feature that is missing is the ability to assign a step in the workflow to a specific user at a specific time, based on how the previous steps of the workflow have been handled.

For the traditional application, SecureChange, my impressions of its cloud mandated security features are not very good. Tufin Iris looks more promising.

We have had issues with the stability of this solution, and the basic technical support is not very good.

In the next release of this solution, I would like to see the normalization of configuration files as they're brought in so that there can be some regular expressions set up to parse them. I would like to see additional cloud support, and the inclusion of security tags as a way of determining risk in the USP.

So far, our impressions of stability are not very good. We have already had to RMA one of our boxes, and it was not being utilized very heavily. We've had different issues on some of our other devices, as well.

Scalability is hard for me to say based on what we have deployed so far. We do have issues, but it's hard for me to say whether they are because of the hardware, or are an issue of scale.

The basic technical support for this solution is not very good. However, the Critical Situation Team is actually very good. I would say that the support experience depends on which group you get put under.

Prior to implementing this solution, the majority of our security engineering's time was spent working with these policy requests. It was a manual process where a requester would submit and Excel sheet, and the changes were being done from there. This was not leaving time for that team to work on projects and initiatives that were furthering or bettering the company. We started looking into Tufin as a way to automate some of that process and free up some of their time.

The initial setup of this solution is very complex. Putting all of the devices into the topology, and then getting it to a place where it can provide meaningful and accurate results, and then building the USP on top of that, are all very complex. Out of the box, I don't think that Tufin really provides very much until you get through a lot of those complexities.

We handled the deployment in-house.

I'm sure that there is ROI with the time savings that we received, or that we get as part of working the secure change workflows, but I couldn't speak to any hard numbers.

The shortlist included both Tufin and AlgoSec. Our evaluation showed that Tufin's features were on par with AlgoSec, but Tufin was the better financial choice.

Prior to using this solution, our SLA for any change that went into production was ten days. We’ve now lowered that down to two days.

For the most part, our engineers are spending less time on manual processes, but this is when the topology works the way it's supposed to. When it isn’t working the way it's supposed to, then they spend more time than they would normally.

My advice to anybody who is implementing this solution is to start small. Pick an area of your network and deploy Tufin, then get it working in a manner that suits your needs. After this, expand it out to the entirety of your network.

This is a good solution but it is not perfect. There is a lot of stuff that is unsupported and it is inefficient.

I would rate this solution a seven out of ten.

Some of our customers has Tufin, and we manage it. We're also planning to have our own Tufin that we're going to use as a leveraged service for all of our customers.

Visibility is its largest and most valuable feature. You can see everything or all the devices on the network for each customer. It provides you a larger view of what might be wrong with the network and how you can improve it with firewall rules, etc. 

If you are talking about secure change, being able to automate the entire change process is pretty much the winner for us. It is going to really reduce the time that it takes for us to do changes, and we can just go out and get more customers.

They've got such a large number of APIs, and it is so easy to use their APIs. Effectively, they allow us to use it with anything. The only way to improve it more is by offering support for implementing their APIs into certain hardware or software that we might use. They can provide support for implementing APIs.

We have been using this solution for three months.

I have not contacted their technical support.

We didn't work with any similar product, but we are just going with secure track and secure change, not secure cloud and secure app. That's all that we really need at this time, and obviously, we will work with Tufin in the future if we need more.

A few of our clients have decided to implement Tufin themselves, whilst we just manage their firewalls. We were not involved in the setup of the management suite. However, after seeing the benefits of this, we have heavily considered the use of Tufin on a number of our other clients we manage.

We have identified that setup is a part of this and in our conversations with Tufin sought to address this. They offer a service for the full setup of the platform for use as an MSSP, and then providing a hand off service towards the end of this setup process which teaches engineers how to setup the remaining required devices.

For the full functionality, Tufin utilises all L3 devices on the network, so setup can be quite daunting. However, we identified that it would take ~30 minutes per L3 device, some of which can be done simultaneously. This is the biggest drawback to Tufin integration. However, Tufin can be used to some degree without this, meaning you can reap the benefits of it sooner rather than later.

What we found is that the return on investment will be pretty quick. This is because of the time saving that Tufin offers in FW changes, we can implement more changes at a faster rate. This has huge savings for employee's workload and the cost of their work. We have freed up a large majority of our FW engineer's time. The huge ROI we witnessed has resulted in us identifying that we can go to market to gain more customers and really broaden our customer base without the 'con' of hiring more people.

Because we're quite a large company, the initial price wasn't too much of a factor for us. This is because the ROI was so significant for us.

We identified others, like Firemon and Skybox, however we found that they were not as mature as Tufin, not offering the same range of Firewall Vendors, e.g. Palo Alto, Check Point, etc., and the same level of automation.

I would advise others to definitely work with Tufin and work out the best costs. Work out how soon you'll realize your return on investment. That has been a major kind of help. They've been brilliant in trying to help us develop a business case for using it, and then internally, I am sure there will be a massive help for implementing it in the future.

I would rate Tufin a nine out of ten based on the whole experience that we've had with it and the real kind of capabilities of the product.