reviewer1147887 - PeerSpot reviewer
Senior Network Security Engineer at a retailer with 10,001+ employees
Real User
Jul 31, 2019
Comparing the rules and policy browser is valuable, but having to enter the password each time for each firewall is annoying
Pros and Cons
  • "Comparing the rules and policy browser is valuable to me. It gives me the ability to pull running configs and be able to analyze them without having to go directly into the firewall."
  • "If you want to be able to manage your firewalls efficiently and securely, then use Tufin."
  • "They are sort of at the pilot stage on some of their products. I saw the Orca and Iris products yesterday. My initial impression of these products was that they were good products, but I felt like some of their features overlapped with SecureTrack and SecureChange, which they are already doing. So, I just wondered what direction they're going in? I understand that they are cloud products, but are these security products going to overlap each other's features at some point? This is my initial concern."

What is our primary use case?

The primary use case is firewall analysis.

We use SecureTrack, which is great.

How has it helped my organization?

The solution has helped us to meet our compliance mandates. We have to be PCI and SOX compliant. Some of these rules and systems might meet those requirements. Knowing which system can talk with which system is definitely helpful in that sense.

This solution has helped us reduce the time it takes to make changes.

What is most valuable?

Comparing the rules and policy browser is valuable to me. It gives me the ability to pull running configs and be able to analyze them without having to go directly into the firewall.

The visibility is great.

What needs improvement?

When you make changes, you have to enter the password each time for each firewall. This is sort of annoying.

They are sort of at the pilot stage on some of their products. I saw the Orca and Iris products yesterday. My initial impression of these products was that they were good products, but I felt like some of their features overlapped with SecureTrack and SecureChange, which they are already doing. So, I just wondered what direction they're going in? I understand that they are cloud products, but are these security products going to overlap each other's features at some point? This is my initial concern.

Buyer's Guide
Tufin Orchestration Suite
May 2026
Learn what your peers think about Tufin Orchestration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
902,270 professionals have used our research since 2012.

For how long have I used the solution?

I just opened the tool about four weeks ago.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It seems pretty scalable. From what I have seen in the training, you can use it on multiple firewalls. It seems like a solution which was built for very large enterprise level networks.

How are customer service and support?

I haven't dealt with the technical support yet.

What other advice do I have?

If you want to be able to manage your firewalls efficiently and securely, then use Tufin.

It is a pretty solid solution. As with any security solution, I think it is growing. It seems like it is at a good point. It could still use some work, but it's growing, and that's good.

We saw in the training yesterday the changes for part of SecureTrack 2.0, which isn't out yet. Those changes, that they will be implementing, look very good from what I can see.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Associate8c2 - PeerSpot reviewer
Associate Director Program Management at a pharma/biotech company with 10,001+ employees
Real User
Jul 31, 2019
Helps us meet our compliance mandates by providing visibility into firewall rules
Pros and Cons
  • "We were hit by the NotPetya attack. Therefore, our whole company and all its sites were down for several months. So, you don't have an attack like that and not need something like Tufin. Other companies can prevent these attacks, or at least slow them down, by having this type of a tool. We will never go back."
  • "Tufin seems like a high quality product from a company that cares."
  • "We actually had a key issue, which was a bug, that the development team didn't want to fix. We escalated it, then it got fixed. So, the management level seems very responsive at least, but at a support level, they are just regular support people and not outstanding."

What is our primary use case?

The primary use case is locking down the firewalls to Zero Trust and automating the risk assessments.

How has it helped my organization?

We use Tufin to clean up our firewall policies. It very easily shows us what is not used, so we can take it out. It shows us head counts as well, so if something is used once or twice a year, that might not be something we want to keep. Thus, we can have the conversation. We also like how it has a business owner of the firewall policy, so we'll be filling that in. So, those people will be involved ongoing with the approvals.

This solution has helped us meet our compliance mandates by providing visibility into firewall rules.

Today, we can check to see how our lockdowns have gone and what unusuals are still there. We have a long way to go, but we've done a lot already.

We were hit by the NotPetya attack. Therefore, our whole company and all its sites were down for several months. So, you don't have an attack like that and not need something like Tufin. Other companies can prevent these attacks, or at least slow them down, by having this type of a tool. We will never go back.

In the future, we will be using this solution to automatically check if a change request will violate any security policy rules.

What is most valuable?

  1. Being able to see all the firewall rules in one place. 
  2. Being able to query them. 
  3. SecureChange will automate and put the rules into Remedy.

The visibility is incredible. It has never been there before.

What needs improvement?

The UI was a little clunky at first. It was confusing. They are working on that. The new one is better.

What do I think about the stability of the solution?

We haven't really overburdened it yet. What we have has been very stable. There have been no issues that I have seen.

What do I think about the scalability of the solution?

It seems very scalable.

We have 40 consultants and too many people.

How are customer service and technical support?

The regular technical people seem okay when you put in a help call, and they do get back to you. We actually had a key issue, which was a bug, that the development team didn't want to fix. We escalated it, then it got fixed. So, the management level seems very responsive at least, but at a support level, they are just regular support people and not outstanding.

Which solution did I use previously and why did I switch?

I asked our firewall team if they had the tools that they needed to do their job, and they said, "No."

We did not have a previous solution.

How was the initial setup?

The initial setup was pretty straightforward. The problem was getting people to pay attention to it.

It is a lot of work to implement.

What about the implementation team?

We used Tufin for the deployment.

What was our ROI?

We have not seen ROI yet. What we are going to see is fewer cyberattacks. When you have a multimillion dollar cyberattack, you don't care about three million dollars in a one time cost.

Engineers are spending less time on manual processes by weeks. Huge amounts of time have been saved.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are three million total and then we pay for maintenance, which is an additional cost for three years.

Which other solutions did I evaluate?

We did a comparison of three products and Tufin was recommended at the time. We got quotes from Tufin and another product, and Tufin came in under.

I just talked to two people who switched to Tufin from another product. It seems to be the leader of the pack.

What other advice do I have?

Tufin seems like a high quality product from a company that cares. It focuses on exactly what we need.

We would like to get to having Tufin make changes on firewall rules, but we are going to need help convincing our management that we should be using Tufin to do that. It looks very promising, but we can't use it for that yet.

We haven't implemented the change workflow process yet.

While we didn't buy it for the solution’s cloud-native security features, I'm interested in that, but it is not in my mandate right now.

The product has been fabulous.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
NetworkEae6b - PeerSpot reviewer
Network Engineer at a healthcare company with 10,001+ employees
Real User
Jul 30, 2019
Provides a holistic view of the infrastructure, as well as automation workflows
Pros and Cons
  • "One of the biggest quick wins that we had with Tufin was cleaning up our firewall policies and rules, and we cleaned out a lot of rules which helped our devices, longevity-wise, as well as speed-wise."
  • "We would like Tufin to have interoperability with Juniper products, along with official support."

What is our primary use case?

We use it with SecureTrack, mainly for auditing purposes. We also use SecureChange for workflows on temporary firewalls.

How has it helped my organization?

We use Tufin to clean up our firewall policies. From an auditing perspective, it is centrally managed in one place for all of our firewall vendors.

One of the biggest quick wins that we had with Tufin was cleaning up our firewall policies and rules. We cleaned out a lot of rules which helped our devices, longevity-wise, as well as speed-wise.

What is most valuable?

  • Easability
  • Audit features
  • SecureTrack
  • Change of work allowance
  • It is very open to changing it and making it do what we need it to do.
  • We get a holistic view of the infrastructure, as well as automation workflows.

The visibility is great, so far. We are still building it out because we have a lot of firewalls from different vendors. Overall, it's a good product in the way it works.

The change workflow process is flexible and customizable. We use this process a lot. We have developers do custom integrations with different vendors, especially ones that are technically supported, as well as doing some custom integrations with our Juniper products, which are not officially supported.

The solution’s cloud-native security feature is definitely welcome. We are starting to embrace the cloud. We are a little more legacy and timid in our approach, considering the amount of data that we have and the way that we want it to be accessed. However, the cloud-native applications are going to be big, so I definitely think that's a welcome feature that they're working on.

What needs improvement?

We would like Tufin to have interoperability with Juniper products, along with official support.

They could maybe update the interface. However, I know there is an interface update coming, I just haven't seen it yet.

There is room for improvement, as far as making the product easy to use and having training available.

In my training with the workflow, it always kicks me back every time that I do a step backwards. I think that automatically it should take you to the next step in the workflow, that would be appreciated.

What do I think about the stability of the solution?

So far, the stability has been great. One of my colleagues just did an upgrade from the previous version to 19.1, which had a bit of database issues. Those have now been resolved.

What do I think about the scalability of the solution?

The scalability seems good. We have a distributed system right now, and it seems like it can scale up or scale out, as needed.

How are customer service and technical support?

So far, the technical support has been good. I haven't had to deal with support a lot yet. We have weekly check-ins with our account manager where we go through what we can do with it. Overall, I think it's adequate.

Which solution did I use previously and why did I switch?

We didn't have a previous solution.

It is nice to see the capabilities that Tufin has, and we look forward to building it out.

How was the initial setup?

I wasn't there for the initial setup, but from what I've seen, it was pretty straightforward for the engineers who set it up.

What was our ROI?

The solution has helped us reduce the time it takes us to make changes. From the auditing perspective, it definitely saves a lot of time. Once we get our USP built out with the automatic calculations, as well as having validation and seeing where the roles need to go in place, this solution will be very helpful. 

It is helping engineers spend less time on manual processes.

Which other solutions did I evaluate?

We did look at a few other vendors.

The power that Tufin has behind it is the reason they chose it. They saw that it had a lot of capability compared to its competition.

What other advice do I have?

Check out this product and see what it can do for you. Talk with the marketing team and account reps and see what direct benefit the platform gives you. Then, see what strengths it has compared to the competition, as well as its value proposition.

We are not to the point of using the solution to automatically check if a change request will violate any security policy rules, but it is coming.

We are building the security policy part of it out across our hybrid network, especially with the USP.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Security8043 - PeerSpot reviewer
Security Analyst at a retailer with 10,001+ employees
Real User
Jul 30, 2019
Helpful with making sure all parts of our organization are following change management
Pros and Cons
  • "It provides a comprehensive overview of what our network looks like in terms of what is allowed and what is not, then how the traffic is flowing with the Network Topology Map."
  • "The solution helps us ensure that security policy is followed across our entire hybrid network."
  • "I wish there was a read-only admin option. I don't like that you have to be a full admin just to see the Network Topology Map. That option is great out there if you are a user, multi-domain user, etc. However, that piece is very helpful for us, but I also don't want to be handing out admin access to every single person so they can see that network tab."
  • "Sometimes, it'll freak out and cause everything else to stay and be unable to get configed, then our Palo Alto products will sort of cease, usually a good majority of them, which is not ideal."

What is our primary use case?

The primary use case is monitoring routers, switches, firewalls, but mostly routers and firewalls.

We are just using SecureTrack, either version 18-2 or 18.3.

How has it helped my organization?

We use it to aid with firewall reviews. We don't have SecureChange active, but we can take the info and use it to help. We have found a lot to work with.

Tufin has been helpful with making sure all parts of our organization are following change management:

  • If you are changing rules, then you have tickets, and there is the approval process associated with it.
  • Seeing people are sticking with those temp rules, if they end up staying there for a while.
  • Sometimes, there are just bad rules where something should've been "deny" and should not be allowed.

Those are more direct examples without getting too far into the weeds.

It has greatly aided in helping us meet our compliance mandates. There used to be manual reviews for certain compliance requirements. Now, this solution helps automate a lot of that, and even the parts which are still manual. It's a lot more comprehensive than trying to read raw text files of the configs and making sense of those.

The solution helps us ensure that security policy is followed across our entire hybrid network. It is like a centralized single pane of glass where it comprehensively shows things, especially coupled with the Network Topology piece that they have. You can say, "Here's where the DMZ is, and here's that. These are the amount of firewalls crosses this through." Whereas before, it was this big spreadsheet of all the firewalls and zones. Except for like two or three legacy knowledge people, no one really understood how it flowed before Tufin.

It has helped us troubleshoot, e.g., why isn't this still working? "Oh, they put it on the wrong firewall or they typoed it." The solution has helped with that.

The firewall reviews for compliance used to be a more labor intensive process. It used to take a few months, and now, it's down to just a couple of weeks.

What is most valuable?

It provides a comprehensive overview of what our network looks like in terms of what is allowed and what is not, then how the traffic is flowing with the Network Topology Map.

With the Unified Security Policy, the more you improve it, the more you will get out of it.

For the things that Tufin is able to work with, it is really great. It sort of provides a comprehensive view. It is easier to explain to people who don't really work with firewalls everyday:

  • Why this is an issue.
  • Why certain things are an issue.
  • Why some things are the way they are.

What needs improvement?

I wish they had a credentials vault or something. Right now, you have to manually add a username and password per device, and if they are using something like in a centralized, like an AD account, that password rotates eventually. Now, I have to go back and change information for all these hundreds of devices. Whereas, if they just had some credentials vault for credential one, two, and three, then you could just reference them per device and change it in one place. It would make our lives a lot easier.

I wish there was a read-only admin option. I don't like that you have to be a full admin just to see the Network Topology Map. That option is great out there if you are a user, multi-domain user, etc. However, that piece is very helpful for us, but I also don't want to be handing out admin access to every single person so they can see that network tab. 

Tufin covers a lot of vendors, but there are still some that they don't, like Radware. Some of these vendors that they don't cover are at critical points in our company, as far as explaining the full picture of our routing. Since it can't show the full picture, it can't support that. 

What do I think about the stability of the solution?

The stability is pretty good. We have run into repeat issues with Palo Alto Panorama, where it doesn't seem to play nice if we change the device group names in Palo Alto or if one of the Palo Alto servers is down, but it is in Panorama, because we're pulling everything through Panorama. Sometimes, it'll freak out and cause everything else to stay and be unable to get configed. Then, our Palo Alto products will sort of cease, usually a good majority of them, which is not ideal.

What do I think about the scalability of the solution?

So far, scalability has been doing well. 

How are customer service and technical support?

The technical support is very good. They respond pretty fast. They are always available whenever I need it. It is usually my fault when there are delays because I just don't respond to an email. I forget, then a few days go by and email again like, "Oh, shoot." The technical support has always been on top of things.

How was the initial setup?

Someone before me had stood up the actual server on the network. They had one device, and it was monitoring. Then, I took it over. I've expanded it out to over 400 devices.

They made getting new monitoring devices in pretty easy. From the monitoring devices tab, it was pretty straightforward. You pick the vendor, then under there, this is a drop-down. I struggled a bit under the Cisco tab where they have a router, then a Nexus router. They have a lot of different vendors, and figuring out which category it falls under was confusing. The help docs don't exactly specify between the two or what commands it will be running. This is usually more for our older devices. 

What about the implementation team?

We had Professional Services hours. However, as far as getting the actual devices and scaling it out, that was all just me.

What other advice do I have?

Understand your DNS or network segment. What all these different subments and how they will fit into what categories, because you are going to directly take that info when you build out your USP. If it's too messy, your USP is not really going to do anything. You need to have a good dictionary for the USP to follow.

We aren't really using the cloud-native security features in our current environment.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Firewall Architect at a financial services firm with 10,001+ employees
Real User
Jul 30, 2019
Helps us tighten up our firewall policy, but reporting should include automation metrics
Pros and Cons
  • "The automation piece is the most valuable feature: having SecureChange make the change on the firewalls, instead of my having to go manually make the changes on the vendor product."
  • "When it comes to the turnaround of firewall rule requests, it used to take about a week to implement and have the customer test for firewall access, now it can take just one day."
  • "We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules."

What is our primary use case?

Our primary use case is firewall automation. We use SecureTrack and SecureChange. We have distribution servers, Remote Collectors, but what we primarily use is SecureChange integrated with ServiceNow for users to submit firewall requests. They then go to SecureChange which designs the rules and implements them.

How has it helped my organization?

When it comes to the turnaround of firewall rule requests, it used to take about a week to implement and have the customer test for firewall access. Now, it can take just one day. The implementation itself takes a minute or two. For the customer, it may take the rest of the day, by the time that the policy is installed and the customer tests, either that evening or the next day.

While I'm not involved in the leadership, I believe the solution has helped us to meet our compliance mandates: from a firewall perspective, as well as an audit perspective, as well as review of the rules and source and destination port requests.

As for ensuring that security policy is followed across the entire hybrid network, we're getting there. That's part of why we implemented Tufin. We are implementing that across our multiple offices. Once we get to that state, it will ensure that security policy is followed.

Finally, using the solution, our engineers are spending less time on manual processes.

What is most valuable?

In general, the automation piece is the most valuable feature: having SecureChange make the change on the firewalls, instead of my having to go manually make the changes on the vendor product.

In terms of cleanup of our firewall policies, we don't officially use Tufin, but I, as an architect, do use the Automatic Policy Generator to review existing rules: high hit-count rules and open rules which aren't very secure. We use that to then build firewall rules which tighten up our firewall policy.

The change workflow process is flexible and customizable. We have had to edit and alter some of our workflow and it's pretty easy, pretty simple, pretty straightforward. We use Tufin support, their helpdesk, for that because we're a very new customer.

What needs improvement?

In terms of the visibility the solution provides, we have hits and misses with it. Overall, we think it works. We would like to get more automated, but that could be an issue internally with services and ports that we allow between different zones and our USP matrix. We're working with Tufin representatives to help solidify that and clean that up a little bit. That's one of the headaches and hiccups that we have right now: the full automation piece. We have automation to an extent, but we still have requesters who submit requests that still require approval, whether it be firewall leadership approval or cyber leadership approval. We want to determine what ports are allowed between the zones, as I mentioned, so that we can have full automation and there's no human interaction at all.

We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules. That's available on the Palo Alto side, but we are primarily a Check Point site on-prem. We have Palo Alto on the cloud but most of our on-prem stuff is from Check Point, so we're waiting for that. Those are some of the key things we're waiting for.

For how long have I used the solution?

We've been using Tufin for about four months.

What do I think about the stability of the solution?

My impression of the stability is positive. We haven't had any issues. We even went through an upgrade about a month ago and it was a smooth process.

What do I think about the scalability of the solution?

As for scalability, we're finding that out right now. We're building out two new Remote Collectors for our global deployment of an additional 150 to 180 firewalls, plus additional Layer 3 appliances. We're working through that right now. Hopefully, it will be a smooth transition but I can't say for sure because we haven't actually implemented it yet.

How are customer service and technical support?

I would rate tech support as "fair." Response time is a little slow, but when they do respond, and when time is available for them, we work through things pretty quickly to resolution.

How was the initial setup?

I wasn't involved in the initial setup, but from what I've heard from others from whom I took it over, it was very straightforward.

Which other solutions did I evaluate?

I know they reviewed other solutions but I don't know which, for sure, since I inherited the project. I would assume AlgoSec and FireMon were reviewed as well.

What other advice do I have?

Be as detailed as you can within your introductory meetings, and your planning and implementation phases, because if you don't mention something and it comes back later, you're going to have to work through it. That could take time, it could take extra money. You want to make sure, upfront, that you know everything you want to do so that it's all included in the cost for the Professional Services implementation.

We do use it on the cloud; we're having some trouble right now defining the network policy on our cloud. We're working through that; it's part of being a new client.

I would rate Tufin a seven out of ten. We're a very large, complex organization, so we're still working through some stuff that we focus on, things that, perhaps, other customers don't, or that Tufin doesn't have integrated in the TOS software.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
NetworkE9856 - PeerSpot reviewer
Network Engineer at an energy/utilities company with 10,001+ employees
Real User
Jul 30, 2019
We use the rule set analysis reporting day in and day out for doing rule cleanup and policy analysis
Pros and Cons
  • "Our engineers are spending less time on manual processes, specifically for the reporting functionality. For doing the rule cleanup and policy analysis, it would be a nightmare to do that manually. So, it is saving our engineering teams time from not having to do manual log reviews."
  • "We built the policy comparison reporting into our processes that before we push any change to production, an engineer will stage actual date rule changes and policy changes. Another engineer will go in and do a comparison report of the last push policy to the last save, making sure what has been changed is what is expected to. From an operational excellence, it's huge for us. We have huge policies. All it takes is one accidental right click, delete, or backspace button, which could impact our business. So, this is something that we use almost day in and day out."
  • "We had a discussion in the Customer Advisory Board yesterday around use of SecureChange. We would like to have an opportunity for an engineer to choose if you want to make or take the policy which has been suggested by the designer functionality, making it more human readable or less human readable (more or less granular). This would be huge for the customers who are using SecureChange. They said this was one of their issues with it, especially for anything that was going into a regulator's or auditor's hands. The more human readable, the better that it would be, and this would definitely be applicable to our industry. It sounds like they are working on this issue, or they took the feedback, but that would be a big one for us in being able to make the jump to SecureChange."

What is our primary use case?

We are using it mostly for reporting, as well as NERC CIP compliance for rule documentation. The primary use case is for doing rule cleanup, knocking down overly permissive rules, and cleaning up old unused rules. Basically, we are using the reporting functionality out of SecureTrack.

How has it helped my organization?

We use Tufin to clean up our firewall policies. We use an automatic policy generator. This is huge for us because certain rules, especially if they're overly permissive rules, have to have an analyst go through log file after log file, which is just impossible. Versus just setting Tufin, letting it run for a couple of weeks, then going back and looking at the results. That has definitely been a big win for us.

The policy comparison reporting has been a definite big improvement for our organization. 

We've used it to give read-only access to look at actual policies for different departments who might not necessarily need access to the actual firewalls. This has created some efficiencies for us because an engineering team can go in and check to see if they need to engage us for firewall rule changes without having to engage us first, because they have the direct access.

The solution has helped us meet our compliance mandates. We use the policy browser metadata to do documentation for rule justifications. That is what we supply to our external auditors.

What is most valuable?

The most valuable features are the rule set analysis reporting that you can do. We use it day in and day out for doing rule cleanup and policy analysis.

The policy comparison reporting is one of the more basic functions that it has, but it is very critical for us. We built it into our processes that before we push any change to production, an engineer will stage actual date rule changes and policy changes. Another engineer will go in and do a comparison report of the last push policy to the last save, making sure what has been changed is what is expected to. From an operational excellence, it's huge for us. We have huge policies. All it takes is one accidental right click, delete, or backspace button, which could impact our business. So, this is something that we use almost day in and day out.

We're definitely happy with the visibility. It gives us a lot more visibility and can do a lot more reporting that just wouldn't be possible for a human to do, who might just be looking at traditional log files.

What needs improvement?

We had a discussion in the Customer Advisory Board yesterday around use of SecureChange. We would like to have an opportunity for an engineer to choose if you want to make or take the policy which has been suggested by the designer functionality, making it more human readable or less human readable (more or less granular). This would be huge for the customers who are using SecureChange. They said this was one of their issues with it, especially for anything that was going into a regulator's or auditor's hands. The more human readable, the better that it would be, and this would definitely be applicable to our industry. It sounds like they are working on this issue, or they took the feedback, but that would be a big one for us in being able to make the jump to SecureChange.

What do I think about the stability of the solution?

Stability has been rock solid. We were joking about that last night. There was a good amount of time where we weren't running reoccurring backups on a couple of our older appliances. They ran into no problems, whatsoever, for hardware or software for years. So, we were sort of joking, "The product's so good that we don't even have to back ours up half the time." Thus, stability has been very good for us.

What do I think about the scalability of the solution?

Scalability is to be determined at this point for us. Right now, we have five or six isolated instances, and we're going to collapse those down to a single front-end. Then, we'll scale up to how many devices that we're monitoring. At this point, we haven't had any issues with scalability, but we haven't really pushed the appliances too hard yet. 

Making sure that you are designing or coming up with a solution and architecture which is scalable and as holistic as possible. We had some discussions yesterday with some other customers, and having the complete visibility of your entire environment rather than just a subset like we do today at our company will make or break your functionality of the product. Being as all inclusive as possible is probably critical, especially if you're looking at things like SecureChange.

How are customer service and technical support?

The few times that we have had to engage tech support, they have been good to work with. They were pretty simple cases in both instances for us.

What was our ROI?

Our engineers are spending less time on manual processes, specifically for the reporting functionality. For doing the rule cleanup and policy analysis, it would be a nightmare to do that manually. So, it is saving our engineering teams time from not having to do manual log reviews.

What other advice do I have?

We are siloed. We have separate areas of responsibility for parts of the network. The pieces of the network that our team manages, and what our Tufin instances are monitoring, is all for the data control system for anything real-time, e.g., the gas and electric control systems. Therefore, we don't have complete visibility of the entire network because we are only monitoring that subset of the network.

We don't use any workflows because we're not using SecureChange.

We haven't used the solution’s cloud-native security features.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
LeadEngia25d - PeerSpot reviewer
Lead Engineer at an insurance company with 1,001-5,000 employees
Real User
Jul 30, 2019
USP and rule design are key features for us, but the business workflow needs improvement
Pros and Cons
  • "It provides a real-time sense of how the policies are configured and whether there are any shadow rules. Another great thing is that it provides greater reporting based on how the rules have been set up."
  • "You should definitely be looking at this as in your top-two choices, before even considering any other solutions."
  • "There are at least two things that need improvement. One is the business workflow and the second is the integration with logging solutions."

What is our primary use case?

We are using SecureTrack and SecureChange to make policy changes.

What is most valuable?

For us, it's all the features that Tufin provides, including the 

  • USP
  • rule design
  • documentation
  • implementation
  • auditing.

They're all important. We could not have one without the others.

In addition, it provides greater visibility, once the setup is configured correctly. It provides a real-time sense of how the policies are configured and whether there are any shadow rules. Another great thing is that it provides greater reporting based on how the rules have been set up.

What needs improvement?

There are at least two things that need improvement. One is the business workflow and the second is the integration with logging solutions.

What do I think about the stability of the solution?

The product is stable. Regardless of the software we are running, the current or the new one, it is stable.

What do I think about the scalability of the solution?

The solution is scalable if we have to add more devices, more distinct resources, or also high availability. That's part of the solution. It's not like an afterthought; it's there.

How are customer service and technical support?

Tech support is very helpful. If there are any issues, we bring them to support and they get addressed immediately.

What other advice do I have?

You should definitely be looking at this as in your top-two choices, before even considering any other solutions.

We are in the midst of a transition, going to a newer version. All the features which I talked about above, we want to implement them in a new production infrastructure. We are working with Tufin and Professional Services very closely, so we can enable it. There is the old way - the way we are using it - versus the way we want to. It is not there yet. 

Currently, it's not helping us meet compliance mandates, but the new way will definitely help us to meet them. In addition, once we go with the new way of doing things, the solution will ensure that security policy is followed across our entire hybrid network. At that point it will follow business practices.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Networki9624 - PeerSpot reviewer
Networking Engineer at a comms service provider with 1,001-5,000 employees
Real User
Jul 30, 2019
Handling firewall rule request tickets is more centralized and easier to manage, but its cloud-native security features are lacking in support
Pros and Cons
  • "Tufin has made handling firewall rule request tickets more centralized and easier to manage."
  • "I would like the application to have faster response times. E.g., the dashboard may take up to two minutes to load. Or, when we do the topology seating it's two and a half hours. I would like to get those times down and increase the efficiency of the product there."
  • "The scalability is bad."

What is our primary use case?

The primary use case is tickets.

How has it helped my organization?

Tufin has made handling firewall rule request tickets more centralized and easier to manage.

We have previously used Tufin to clean up our firewall policies, but we are not doing that currently.

What is most valuable?

The workloads are the most valuable feature right now, as it stands.

We find that the change workflow process is flexible and customizable. We change our workflow several times a year.

What needs improvement?

The visibility is good for the most part, but there are limitations to it. E.g., there is a lack of certain routing/networking protocols across all the vendors that they support.

The solution is not sophisticated enough for us to automatically check if a change request will violate any security policy rules.

Tufin's cloud-native security features are lacking in support.

I would like the application to have faster response times. E.g., the dashboard may take up to two minutes to load. Or, when we do the topology seating it's two and a half hours. I would like to get those times down and increase the efficiency of the product there.

I would like more support for Juniper and Junos Space. I would like more of the features which are offered for other platforms being extended to the Juniper platform.

The USP needs improvement. It is pretty much not usable right now for us. It is all IP-based. The issue with that is we may have one subnet, but we have multiple things that would go in different zones all in that same subnet. Therefore, to use the USP, we would have to bring it out in tons of /32s, and it's not usable. Whereas, it would be far better if we could just put tags associated with IPs, then do USP based on tags.

What do I think about the stability of the solution?

In the sense of operating, the stability is good, but in the sense of performance efficiency, it is bad.

What do I think about the scalability of the solution?

The scalability is bad.

Which solution did I use previously and why did I switch?

We did not have a previous solution that we were using. We were looking to work towards improving the whole requesting of firewall policies.

What about the implementation team?

We used a reseller for the deployment. Our experience was not that great, which has more to do with how our supply chain works and why we picked them. However, I don't ever really talk to them or hear from them.

What was our ROI?

We have seen ROI from the side of operations, and we'll probably get to more of that as time goes on. However, it took a while to get to that point.

The solution has helped us reduce the time it takes us to make changes by at least a day.

It did reduce the time part of engineers manually spending time on processes from the aspect of manually having to go through the network and finding the path that a request would take to know where to put the rules. We have had some issues with topology, so not all of our tickets get that advantage. Probably 40 percent of them are that way, so that's why right now it is not as big of a gain.

Which other solutions did I evaluate?

We did consider other solutions.

What other advice do I have?

Do proper research. Look at Tufin and all of the other products.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1146690 - PeerSpot reviewer
Network Security Analyst at an energy/utilities company with 10,001+ employees
Real User
Jul 29, 2019
Helps us review our firewalls and firewall policies for issues, but we would like the user interface to be redesigned
Pros and Cons
  • "The most valuable features are role and objects usage for individual objects and app usage."
  • "We use Tufin to clean up our firewall policies, which makes it a lot easier to find out the things that are wrong and remove things which shouldn't be there."
  • "A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet."
  • "Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one."
  • "If we could get the compliance part working, that would help out a lot."

What is our primary use case?

The primary use case is role recertification.

We are trying to get into it for compliance, but we are having issues with that.

This solution helps us ensure that security policy is followed across our entire hybrid network.

How has it helped my organization?

We actually review our firewalls now. Before we started using Tufin, our firewalls never got reviewed and we had no idea what was on them.

We use Tufin to clean up our firewall policies. This makes it a lot easier to find out the things that are wrong.

It removes things which shouldn't be there. It has helped with that. Things that don't get used anymore and nobody tells us that they have been retired, it helps us identify those items. Then, once we get the compliance piece going, it'll help us make sure nothing violates policies.

What is most valuable?

The most valuable features are role and objects usage for individual objects and app usage.

What needs improvement?

If we could get the compliance part working, that would help out a lot.

Currently, we have to get different data from different sections of the site. It would be nice if it was all combined into one.

A big improvement would be on the USP policy. If we could use Palo Alto to take those zone names and auto import them into the policy, then just do the policy based on the zone names instead of having to put in every single subnet.

The user interface needs to be redesigned because things are not where you would expect them to be.

What do I think about the stability of the solution?

Stability is sometimes good, and sometimes not so good. 

There is an issue with all of our Palo Alto devices, where if one gets disconnected in Panorama, they all show as disconnected or with errors or wrong arguments, which is very generic. They are supposed to have a fix for it now, but we haven't implemented it yet, because they are not releasing it until the eleventh of this month.

What do I think about the scalability of the solution?

We haven't had any issues with scalability yet. We can scale as much as we need to.

How are customer service and technical support?

The technical support is good. The guy with whom we have been working the most lately has been pretty on top of everything. We had a couple people in the past who were a little iffy, but we haven't had to talk with them in a long time. I don't know if they're still there.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are pretty low. We were grandfathered in, so we are at about $35,000 per year.

What other advice do I have?

Test every feature. Make sure the third-party vendors that they implement into it function properly with it. We have had issues with our Palo Alto connections.

We just started a PoC on the change workflow process of the solution.

We are just now moving stuff to the cloud.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Firewallcf07 - PeerSpot reviewer
Firewall Administrator Security Engineer at a comms service provider with 1,001-5,000 employees
Real User
Jul 29, 2019
Gives our firewall administrators visibility into the total infrastructure
Pros and Cons
  • "It gives our firewall administrators visibility into the total infrastructure."
  • "It is extremely scalable. It really addresses the scale of a company's firewall footprint."
  • "The stability is bulletproof."
  • "I use the solution daily and can see it anytime that I want, and I find it invaluable in day-to-day management of firewall policy and policy changes."
  • "The initial setup was time consuming."
  • "I would like something that addresses security in the cloud."

What is our primary use case?

The primary use case is data flow analysis.

How has it helped my organization?

We use Tufin to clean up our firewall policies of unused policies.

It gives our firewall administrators visibility into the total infrastructure.

What is most valuable?

The most valuable feature is troubleshooting.

What needs improvement?

I would like something that addresses security in the cloud.

What do I think about the stability of the solution?

The stability is bulletproof. 

What do I think about the scalability of the solution?

It is extremely scalable. It really addresses the scale of a company's firewall footprint.

How are customer service and technical support?

The technical support is excellent.

Our account manager and Tufin support have been a big help to us.

Which solution did I use previously and why did I switch?

We were getting to the size where manual administration of firewalls did not make sense anymore.

How was the initial setup?

The initial setup was straightforward, but time consuming.

What was our ROI?

This solution has helped us reduce the time it takes us to make changes. We have seen the reduction on the front end, when doing an analysis of the data flow.

Which other solutions did I evaluate?

We also considered AlgoSec.

What other advice do I have?

I would recommend taking a look at the solution.

I use the solution daily and can see it anytime that I want. I find it invaluable in day-to-day management of firewall policy and policy changes.

This solution has sort of helped us to meet our compliance mandates.

The cloud-native security features will be more important in the future. I am just learning about them now.

I have not worked with SecureChange. I just took the SecureChange track, and from all of the exercises that we did, it seems like a very valuable tool after your firewall population reaches a certain density. If there are a certain number of firewalls, manual administration doesn't make sense anymore.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Tufin Orchestration Suite Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026