Tufin Orchestration Suite Reviews

We use this solution for workflow intake and policy cleanup. It is also used for firewall policy requests.

We make use of the ability to automatically validate changes to security policy rules. For example, we have four workflows currently in SecureChange, and for two of these workflows, the very first thing that we do in response to a policy request is to evaluate it. We check to see if the new policy is needed or not, and we determine how to proceed from there.

The biggest benefit for us is from an efficiency perspective. The longest part of our firewall policy implementation has been verifying the network and finding out where policy needs to be put in place. Tufin takes this job down from a day, to sometimes five minutes.

This solution provides a more organized manner for us to track towards compliance for our PCI audits.

The most valuable feature for us is the topology validation that is part of the workflow.

This visibility that this solution provides is better than that of the competitors that I have looked at.

When this solution works in the way that we need it to, my impressions of the change impact analysis are very good. The hardest thing for us is the inefficiencies with topology. This often means that the results we get are inaccurate.

One feature that is missing is the ability to assign a step in the workflow to a specific user at a specific time, based on how the previous steps of the workflow have been handled.

For the traditional application, SecureChange, my impressions of its cloud mandated security features are not very good. Tufin Iris looks more promising.

We have had issues with the stability of this solution, and the basic technical support is not very good.

In the next release of this solution, I would like to see the normalization of configuration files as they're brought in so that there can be some regular expressions set up to parse them. I would like to see additional cloud support, and the inclusion of security tags as a way of determining risk in the USP.

So far, our impressions of stability are not very good. We have already had to RMA one of our boxes, and it was not being utilized very heavily. We've had different issues on some of our other devices, as well.

Scalability is hard for me to say based on what we have deployed so far. We do have issues, but it's hard for me to say whether they are because of the hardware, or are an issue of scale.

The basic technical support for this solution is not very good. However, the Critical Situation Team is actually very good. I would say that the support experience depends on which group you get put under.

Prior to implementing this solution, the majority of our security engineering's time was spent working with these policy requests. It was a manual process where a requester would submit and Excel sheet, and the changes were being done from there. This was not leaving time for that team to work on projects and initiatives that were furthering or bettering the company. We started looking into Tufin as a way to automate some of that process and free up some of their time.

The initial setup of this solution is very complex. Putting all of the devices into the topology, and then getting it to a place where it can provide meaningful and accurate results, and then building the USP on top of that, are all very complex. Out of the box, I don't think that Tufin really provides very much until you get through a lot of those complexities.

We handled the deployment in-house.

I'm sure that there is ROI with the time savings that we received, or that we get as part of working the secure change workflows, but I couldn't speak to any hard numbers.

The shortlist included both Tufin and AlgoSec. Our evaluation showed that Tufin's features were on par with AlgoSec, but Tufin was the better financial choice.

Prior to using this solution, our SLA for any change that went into production was ten days. We’ve now lowered that down to two days.

For the most part, our engineers are spending less time on manual processes, but this is when the topology works the way it's supposed to. When it isn’t working the way it's supposed to, then they spend more time than they would normally.

My advice to anybody who is implementing this solution is to start small. Pick an area of your network and deploy Tufin, then get it working in a manner that suits your needs. After this, expand it out to the entirety of your network.

This is a good solution but it is not perfect. There is a lot of stuff that is unsupported and it is inefficient.

I would rate this solution a seven out of ten.

We deployed a proof of concept. We added most of our firewall base to Tufin, although not all. We checked and tested Check Point, Palo Alto, Juniper, Cisco routers, Juniper routers, and F5 load balancers. Mostly we grabbed one instance of each of our technology devices, added it to Tufin, and tried different things. We tried SecureTrack and some basic SecureChange to try to automate our firewall partitions, the firewall "tickets." We presented a form to users to enter the source, destination, service, etc. This was our PoC.

Right now, we're in the process of purchasing Tufin.

With path analysis, you can specify a source, a destination, and a port and it will tell you whether it's blocked or not, and where; which firewall is doing the blocking or the allowing, or whatever. That part is very useful. When you have feedback from the user and you have your source, destination, and port, instead of trying to search on the Check Point console or the Panorama console or the Juniper console to figure out where that packet being dropped, you go to Tufin, put it in and, in 30 seconds, you have your answer. 

It saves time on each ticket. Instead of playing around for 15 or 20 minutes, it's down to 30 seconds. Any first-line of support can go to Tufin, put in the source, destination, and port and they can at least know what to look for, who to involve to further troubleshoot the issue. It's a first-step investigation that saves time.

It also helps us ensure that our security policies are followed across our entire hybrid network.

SecureChange is the most interesting part. It all comes down to having the user request firewall access and SecureChange, based on workflows, takes care of it, sending two or three emails to the business approvers. With one click, you can automate a firewall rule. We have many problems like, I imagine, the whole industry, with delays in implementing firewall rules.

SecureTrack provides all these regulations, PCI kinds of things, so you can try to match all your security policies and firewall configuration to the standard. 

There is also a feature to optimize firewall policies that will delete duplicate objects and rearrange the rules so the machine will function faster.

In addition, the change impact analysis capabilities allow you to do automatic checks of whatever rules you are implementing.

Finally, the change workflow process is flexible and customizable. I was really impressed with it. It's pretty easy. You can add automatic validation steps. Depending on the security matrix, you can pre-allow whatever flow you want. You can do your change analysis automatically or risk analysis automatically; whichever steps you want. It's pretty cool.

The visibility that Tufin provides us with is improvable. The interface is like a 1990s kind of thing. It's a little ugly. There are many things that you cannot tweak, little things like the column width and how you display the information. You end up exporting everything to an Excel file and doing your work there. They tried to put too much stuff on the screen. It's a little difficult to find what we want. It's a design issue, it's not a functionality issue.

The web interface is really like going back in time 20 years. You have to move columns back and forth and make them big to see the whole text in them. If you hover over a name, it won't show the content. You have to click on it and open it. It's a bit cumbersome.

The documentation site is horrible as well. It has a tree structure, and you really get lost quite easily. If you have the patience to browse through that hell of documentation, you will find what you need, but it is hell to browse and search. The information is there, it's just difficult to filter and search it. Documentation is one thing they can improve on.

I haven't found any issues with the stability. In the beginning, it was our problem, our mistake, because we configured the box with eight gigs of RAM. Then we checked and, obviously, we needed 16. After enlarging it to 16, there was no issue whatsoever. It was pretty responsive. Obviously, it was only one user, me, doing things, but I didn't find any issues performance-wise or stability-wise.

We don't have that big of an environment. We added some 20 pairs of firewalls and another 20 or 30 routers, and one F5. I don't think we have scaled Tufin sufficiently to put it under some stress. Our DC is pretty small, we don't have many devices.

Tufin's technical support is excellent. In my old job, I also implemented Tufin, and I was in touch with their Israeli people, the technicians; they're really good. They really know their stuff. In Spain, for southern Europe, they have a couple of people. The technician there is excellent, and the commercial guy is fun. It's the perfect combination.

The setup was straightforward, absolutely. The only problem we had was with Check Point, but I think it's a Check Point problem, not a Tufin problem. Check Point is horribly configured. Managing it is hell. You have to define the OPSEC server with a user name and password, and you have to create the same thing on the provider one. They have to be same user but have different passwords. It's a little difficult. You have to pay close attention so you don't make a mistake. But I think that's a Check Point issue, not a Tufin issue.

The whole Tufin deployment took us about four months, with SecureChange, etc.

Up to the point with Check Point, it was easy. We created a read-only user for our infrastructure, and once we had connectivity from the Tufin box to all the devices, it was pretty simple. It was just IP address of the device, username, password, and go. Except Check Point. We needed to spend a day or two on that.

In terms of our implementation strategy, we wanted to test each of our technology manufacturers: F5, Check Point, Palo Alto, etc. We left our main public-facing networks out of the equation for the PoC. Whenever we implement the whole thing, we will include those. We made SecureTrack work well. We will define our security matrix correctly with all our networks, as granular as we would like it to be. Once we have that, we will go to SecureChange. So it's SecureTrack, do a good security matrix and, once we're confident with that, we'll go to SecureChange.

For deployment, it was just myself and the people who deployed the VM, with the help of Tufin's team. I'm the only one who was involved in maintaining it.

Tufin's team helped us mainly with the Check Point stuff when we ran into some problems.

In a PoC it's difficult to see ROI. Seeing how the tool performs, I think we will see a return on investment, of course.

It's not that expensive, except for Security Groups. For us, just the Security Groups were about half of the total price. The total was about €500,000 a year, of which €200,000 was for Security Groups. For the rest, it's not that expensive, given all the benefits we will get and all the time we will save.

We could only test AlgoSec for a little while. Our group is part of a larger group of products. When we were doing our PoC for AlgoSec, we were told to stop. The decision was made to move to Tufin because it has group-wise technology, chosen for the acclimation of firewall policies.

AlgoSec is much prettier, it's much simpler, and has a cleaner interface. Functionality-wise, it's pretty similar, from what I read in the AlgoSec documentation. Tufin has a few extra features, but AlgoSec is much cleaner, it's prettier.

Going with Tufin was not a technical decision, it was "politics." The largest group uses Tufin, so other group members have to use Tufin as well. It's mandatory.

Don't bother with the web interface, calm down, don't worry, everything will be fine. They will improve it. The rest of it, I don't have any issues. They're technically prepared, the tool does its thing. The only two things I would be patient with are the web interface and that documentation which is not really well organized. Besides that, it's pretty easy. It's pretty easy to configure and, once you start using it, you will see the potential. AlgoSec, Skybox, and all those tools probably have the potential as well. But Tufin is easy enough for everybody.

What we don't use, and what we are not planning to use, is the third module, the SecureApp. We haven't played with it and we're not planning on using it, for the moment.

In terms of using Tufin to automatically check if change requests will violate any security policy rules, we would love to do that. What we didn't do is build the security matrix. That part is the one that takes a lot of time to build. You have to work with the security team and all the players involved. Because we did not design the security matrix, we couldn't match a firewall rule with the security matrix and say, "Okay", or "Not okay," and do some automation there.

What we did is prepare a form for a firewall petition, and some automatic steps. For instance, in the first step, you enter the request and it sends an email to a business approver. Depending on whether that firewall or that flow is predefined as allowed or not, you can skip that step and go to the next step. We did a little bit of logic with the change-request form. It worked pretty well for us.

The purchasing process takes a little bit of time because of all the different groups involved. But we're planning on implementing it and to finish around next summer, 2020; to have both SecureTrack and SecureChange up and running.

As for compliance, we don't have many requirements. Of course, we are bound to some ISO certifications, because it's the car industry, but we don't have any specific PCI. We don't sell cars over the internet, so we don't have to do that.

When it comes to Tufin's cloud-native security features, what we have is our landing zone in AWS - a VPN tunnel from on-premise to Amazon, with Transit VPC. We have a couple of Palo Altos, securing the track from on-premise to the cloud. And we added those Palo Altos to Tufin. We needed to tweak and include some virtual devices in Tufin so the routing would be okay. But that was quite easy. It was well-documented as well.

The only problem is that we got our quotation from our supplier, and the Security Groups are extremely expensive. They bill you $1,200 dollars per Security Group per year, which is really high. We're not that big, we may have 100 or 150 Security Groups. That's would be about $200,000 just to manage Security Groups. We were put off by that. From the start, we won't have the Security Group feature. We think it's too expensive.

As for increasing our usage of Tufin, we'll go day by day and see how it responds to our requirements. SecureTrack at the beginning, then SecureChange. Maybe, if everything goes well, we will think about SecureApp. It's not in the scope at the moment, but maybe we will implement it.

I would rate Tufin a seven out of ten. It will get better once they get their act together with the documentation and the interface.

We deployed the solution based on the preferences and needs of our clients. The solution was deployed on cloud and on-premises. However, it was primarily deployed on cloud.

The firewall security was very valuable.

The firewall management is complex for beginners, and the solution could be improved by including icons that provide insight into what they are and how they function. For example, the ability to understand what an icon does by hovering over it.

We have been using this solution for three months.

The solution is stable.

The solution is scalable.

We have had a good experience with customer service and support.

I rate the initial setup a seven out of ten. Deployment on cloud is done through a web platform, and deployment on-premises takes two to three days.

We implemented it in-house but got assistance from someone with hands-on experience with the product.

The licensing costs for this solution are decent for the services provided. From my perspective, the prices should be higher because the organization that often uses this solution is critical.

I rate this solution a ten out of ten. The solution is good, and no clients complained about it. Therefore, I recommend this solution for people seeking to use it, as they can never go wrong with it. However, for a beginner, it could be tricky to implement.

The solution is predominantly used for managing firewall changes, policy changes, and understanding those aspects.

Most people use it for the basics, even though they could use it for a lot more.

The most valuable feature is being able to customize your own clarity to that aspect of change management.

Having better visibility of what is going on. If it gets out of control, you can keep it in your head no matter how smart your administrators are.

From what I have seen, it's user-friendly.

It's a bit clunky, but that may be because of different environments, and it is struggling to get the information. It's possible that the performance issue is because of the network and not the right architecture.

I would like to see anything that is graphical, as much graphical representation of things. Modeling, and what-ifs. It becomes more intuitive and allows you to close some of the gaps between drawing stakeholders in, for example. If they ask "Why are you spending so much money on this tool?"  or "Why are you doing this?", you can show them examples and it becomes more obvious.

I would like to see AI elements included with this solution. There is quite a lot of human element in understanding the consequences of change within the firewall environment, but they might benefit from more of an AI element as well.

I am a security architect and I have been involved with it periodically for approximately five years.

It's a reliable solution.

It's a scalable product. I have dealt with companies that are pretty sizeable, and it seems to handle it.

I personally have not contacted technical support, but the information that is available on their website is pretty useful, it's pretty good.

You need to allow a fair amount of time. That is the case for all firewall management tools.

It gives the appearance of being straightforward to get going but they need a bit of time particularly to do the sorting of the matrices for example.

When planning, people should estimate it then double it, just to make sure they get things right.

Price could always be better, but there are always consequences. Normally, there are other issues that come into play. For example, you pay more and expect to lean on the vendor more for the services and support.

I have recommended this solution from time to time and I would definitely recommend it to others.

I would rate Tufin a seven out of ten.

Our customers use Tufin to manage multiple firewall access rules through a single console. We have done on-prem, public, and private deployments of this solution.

It provides very good reports. It can easily integrate with multiple firewalls, such as Cisco, Juniper, Palo Alto, and Checkpoint. 

We can push a policy from Tufin to a firewall, which is a very good feature. We can monitor all access rules and the operating system of a firewall.

Currently, we are able to monitor access rules and the operating system of a firewall. It would be great if we can also monitor the configuration of the firewall through Tufin.

I have been using this solution for the last three years.

It is very stable. It has good stability.

It has very good scalability.

Their technical support is good.

Its initial deployment is not very easy. It is a little bit complex. After the deployment, it is easy to work with it in the GUI. Its deployment takes at least two or three days.

Customers usually evaluate AlgoSec. 

I would advise others to go for it to manage firewalls from multiple brands in a single console.

I would rate Tufin a nine out of ten.

We have a lot of ASA firewalls. We primarily use the product in order to lay down the rules and try to find out if there are any duplicate rules that need to be cleaned up, et cetera. It is mostly tasks like that.

The solution is very straightforward to use. It makes doing our work easy. The product is very good at helping us clean up rules.

We've found the stability to be quite good.

The solution is quite scalable.

The older version that we have doesn't support some newer firewall vendors. I'm not sure what the status of integration is right now on the latest version, however, it would be nice if they updated the older versions to allow for better integrations with firewalls. 

Sometimes the solution does take a bit of time to load. That said, it is a pretty old version, and that may be the main reason this is the case. It's possible that if we just upgraded to the latest version everything would go faster. 

Everybody wants to implement some kind of standard rules, however, it's difficult to standardize everything due to the fact that each company is unique. That said, if there was some sort of universal guide to ensuring firewall rules were compliant, that would be helpful. 

I've been using the solution for a year and a half to two years at this point. It's been a while. I've definitely used it over the last 12 months or so.

The stability has been good. I haven't experienced any bugs or glitches. It doesn't crash or freeze. The stability has been reliable in terms of performance.

I find the product to be easy to scale. Adding new firewalls is pretty straightforward and it handles the process well. If a company needs to expand and add more firewalls it shouldn't be a problem at all.

I would say six or seven people are using it and they're network operation people who have to deal with day-to-day firewall management, putting in new firewall rules, et cetera.

I've never had an opportunity to reach out to technical support. I can't speak to how knowledgeable or responsive they are. I have no experience.

The initial setup happened before my tenure with the company. I was not present when it was set up, and therefore I can't directly speak to my experiences with any implementation. I do not have a sense of if it was difficult or straightforward, and I can't say how long the deployment took. 

There is a bit of maintenance required, in terms of adding new rules, et cetera. We have individuals on staff that can handle that.

I don't have any issue with the pricing, however, I was not the purchaser. I can't speak to the exact cost for our company.

While I was using Tuffin, I did want to evaluate AlgoSec. I wanted to compare the two to see which was better. In the end, I've decided I would stick with this product.

We are just a customer and an end-user.

We are not using the most up-to-date version of the product. We are using one of the previous versions. I cannot at this time remember the version number, however, it was pretty old. We had a plan to upgrade, and then unfortunately ended up not doing that.

I'd rate the solution at a nine out of ten as it helps us do our work. We're mostly quite happy with its capabilities.

We were primarily using the solution in order to grade the firewall rules.

How the solution benefits the organization is something that is currently being tested. We're considering doing something different, as we just used this product as a POC.

The compliance aspect of the solution is its most valuable aspect.

The stability is very good.

You can easily scale the solution if you need to.

The number of features is very robust - and there are a large number of features. That's a huge selling point, which is why its popularity is where it is.

I have heard many people complain that there is a high level of complexity. It may make it difficult to work with for some people. That said, I don't have those issues with the product.

The initial setup can be tough.

The product could use better integration with the cloud.

I've been using the solution for years at this point, It's been a long time.

The stability is very, very good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. The performance is good.

The scalability of the product is excellent. If a company needs to expand it, it can do so relatively easily.

In our case, while I don't have an exact user count, I can say that there were quite a lot of people on the product.

We're talking about shifting potentially away from Tufin, however, if we had kept it would have been used extensively.

While other people have the opinion that it could be better, I've mostly been satisfied with the level of support we've received. They've been okay. I've had three or four run-ins with them and they were all positive experiences.

I also work with AlgoSec. We use both solutions currently.

The initial setup is not straightforward. It's a little difficult, a little tough. New users need to expect this before they get started.

Often, a consultant is involved in the process, as there is a large learning curve, and many companies don't have the bandwidth to ramp up the staff. Bringing on a consultant can speed up the processes a bit.

The deployment took about a month or so.

We're still working on how many people we actually require to handle the maintenance aspect of the product.

Typically, we get a consultant for everything, however, this last deployment, in particular, seemed to be more challenging for the consultant and for the staff.

That said, our experience with the consultant was very good overall.

While we are getting what we need out of the solution in terms of functionality, I haven't really looked into an exact ROI. We got what we were looking to get out of it. 

The billing and licensing aspect of the product is not something I'm a part of. I don't have any insights into the costs involved in using the solution. I cannot see if there's just a flat licensing fee or if there are other costs needed on top of that.

We are considering moving away from the solution currently. We're looking for other options. We might shift towards FireMon, however, nothing is set in stone.

We're just a customer and end-user.

We're likely not using the latest version of the solution. Currently, there is a team that directly supports it. I can't remember the exact version number off-hand.

I'd advise organizations considering the solution to do their homework first and see if they can find out from industry associations and professionals what their experience has been.

In general, I would rate the solution at a nine out of ten.

The primary use case of this solution is for monitoring, automation, policy orchestration, and security.

The most valuable feature is the monitoring. I quite enjoy the monitoring this solution provides. It allows administrators to visualize the traffic flow, and troubleshoot when necessary. It's a useful tool.

The interface is quite user-friendly and intuitive.

The cost of this solution should be improved.

They need to offer more support to vendors, such as Cisco, Checkpoint, Fortinet, and Forcepoint.

They have an API, but it needs more service on this.

While technical support is good, they could still improve.

I have been working with Tufin for one year.

It's a stable solution. There are some bugs that they are working on but that is common with any vendor.

They do mention that they don't support specific features from Nexus for some automation but it does actually work, although it is not listed as working.

Technical support is relatively good. They are not the best but they are good.

They could improve but they do respond with accurate responses.

The initial setup was straightforward. It was deployed in less than an hour.

The first time without training, it took an hour or so, but it was quite easy.

It's quite an expensive solution.

I would recommend this solution to others who are interested in using it.
I have not worked with any other vendors with this type of solution, for example, FireMon. I haven't worked with it. 

I would recommend it specifically to start with a secure track, which is a monitoring tool. Once the customer sees it, they want the solution. Afterward, for automation and secure change.

I would rate Tufin an eight out of ten.