What does Tufin do?

Tufin orchestrates and manages security policies across physical networks and cloud platforms.

What is Security Policy Orchestration?

Security Policy Orchestration is the ability to centrally visualize, analyze, control and change security policies across heterogeneous platforms. It enables a high degree of automation for these activities.

What is the “single pane of glass”?

Tufin’s centralized management employs a Unified Security Policy that enables visualizing and controlling enterprise-wide network security from a single console – a single pane of glass – across physical networks and cloud platforms.

What value does Tufin provide to its customers?

Tufin increases:

  • Security by optimizing security policies and eliminating attack vectors
  • Business agility through automation of policy changes for firewalls and security groups
  • Collaboration between application owners, network engineers and security teams

Tufin reduces:

  • Cost of managing enterprise security policies
  • Effort and time required to comply with regulatory and internal compliance requirements
  • Disruptions to business-critical applications and vulnerabilities to cyber threats
  • Mean-time-to-resolution for network and application connectivity problems

Who are Tufin’s typical customers?

  • Enterprises with large or complex networks and cloud platforms and many changes
  • Organizations which require ongoing adherence to regulatory compliance needs, such as financial services, utilities (energy) and healthcare
  • Service providers needing to manage connectivity for multiple clients
  • Any organization seeking to automate security policy operations

Who are the typical Tufin users?

  • Firewall administrators — for daily operational needs such as optimizing policies, troubleshooting connectivity, generating reports, preparing for audits and changing policies
  • Security managers — to ensure that corporate policies are being maintained across all environments and throughout ongoing changes
  • Auditors — to audit their clients’ firewall policies
  • Network engineers — to troubleshoot connectivity problems and gain visibility for their networking configurations
  • Application owners — to manage their application connectivity needs
  • Any user throughout the enterprise — to request network access
  • Developers — to build and integrate with systems that require information about the network and its security policies

What can Tufin automate?

Tufin automates many aspects of security operations activities, such as rules provisioning, reporting, analysis, troubleshooting, audit-preparation and compliance. Tufin focuses on automating the firewall policy change process using a dedicated tool. Tufin users can automate access requests end-to-end including the following workflow steps:

  • Submitting access requests
  • Business approvals
  • Automatic redundancy check (is the access already in place?)
  • Automatic or manual identification of the firewalls involved
  • Automatic or manual risk analysis
  • Automatic change design for each affected firewall
  • Automatic or manual implementation on the relevant firewalls
  • Automatic verification of each change
  • Automatic documentation of each change

Automation is often perceived as conflicting with security – how can I maintain control while automating a workflow?

Tufin’s automation is designed for network security managers. Each level of automation provides incremental value and can be enabled gradually. For example, you can get an automated design recommendation for each firewall but still implement it manually.

Does Tufin’s workflow integrate with other solutions?

Absolutely. Tufin’s workflow is specially designed for handling network security changes, and it integrates with industry-leading ITSM solutions such as BMC Remedy and ServiceNow.

How does Tufin manage application connectivity?

Tufin Orchestration Suite provides the business application context for managing network connectivity and security. Tufin believes that all network security should be managed from an application context. This approach eliminates the complexity involved in traditional network management and enables a close and healthy tie between business, infrastructure and security.

How does the Tufin platform scale to handle very large environments?

Tufin Orchestration Suite is designed to scale out for the following factors:

  • Number of monitored devices
  • Size of policies, ACLs and routing tables
  • Frequency of changes
  • Volume of traffic logs
  • Number of users using the system interactively for analysis, change handling, reporting, etc.
  • Number and size of change requests
  • Number and frequency of API calls
  • Number of applications and connectivity dependencies to be managed

Scalability is achieved through a combination of hardware configuration, distributed deployments and code optimization. Tufin provides professional services for achieving a customized, scalable deployment. Tufin’s Professional Services Team can assist large deployments, integrate with other systems and customize the system.

How does the Tufin Orchestration Suite work?

Applications are the focus of all IT services. Tufin enables network and cloud security policy management based on application needs. Tufin monitors the configurations of firewalls, routers, load balancers and cloud platforms. Tufin normalizes the routing and security policy configurations to a standard format that the various analytics and reporting tools in the Suite operate on. Traffic logs are also collected to enable the detection and removal of unused rules and objects. If routers are monitored, Tufin also automatically generates a dynamic network topology map that enables simulation of network connectivity. Network topology can be used for analysis, troubleshooting and change automation. Change automation is supported for security policies on the leading enterprise firewalls.
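The idea of finding unused rules by replaying traffic logs against a normalized rule set can be illustrated as follows. This is an added example, not Tufin code and not Tufin's format: the rule tuple layout, the log line layout and all addresses are assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed rule set in a hypothetical normalized form (not a vendor format):
# (id, source, destination, protocol, low port, high port); first match wins.
RULES = [
    ("r1", "10.1.0.0/16", "10.20.5.10/32", "tcp", 443, 443),
    ("r2", "10.1.2.0/24", "10.20.5.10/32", "tcp", 443, 443),  # shadowed by r1
    ("r3", "10.2.0.0/16", "10.30.0.0/24", "tcp", 1433, 1433),
    ("r4", "0.0.0.0/0", "10.20.5.11/32", "udp", 53, 53),
    ("cleanup", "0.0.0.0/0", "0.0.0.0/0", "any", 0, 65535),
]

# Constructed traffic log lines: "timestamp src dst proto dport"
LOG = """\
2024-05-01T10:00:01Z 10.1.2.7 10.20.5.10 tcp 443
2024-05-01T10:00:02Z 10.1.9.4 10.20.5.10 tcp 443
2024-05-01T10:00:05Z 192.0.2.8 10.20.5.11 udp 53
2024-05-01T10:00:09Z 10.9.9.9 10.30.0.5 tcp 22
not a flow record
"""

def parse_flow(line):
    """Return (src, dst, proto, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                parts[3].lower(), int(parts[4]))
    except ValueError:
        return None

def first_match(rules, flow):
    """Id of the first rule that matches the flow, evaluated top-down."""
    src, dst, proto, dport = flow
    for rid, rsrc, rdst, rproto, lo, hi in rules:
        if (src in ipaddress.ip_network(rsrc) and dst in ipaddress.ip_network(rdst)
                and rproto in ("any", proto) and lo <= dport <= hi):
            return rid
    return None

def unused_rules(rules, log_text):
    """Rules with zero hits over the log window, plus the hit counts."""
    hits = Counter()
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is not None:
            hits[first_match(rules, flow)] += 1
    return [r[0] for r in rules if hits[r[0]] == 0], dict(hits)
```

Rule r2 never records a hit even though matching traffic exists, because the broader r1 above it takes every such flow. A zero-hit rule can therefore be shadowed rather than obsolete, and the length of the log window limits how much a zero count proves.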

Does Tufin require an agent?

No. Tufin Orchestration Suite is agentless.

How often does Tufin retrieve a device configuration?

There are two modes:

  • Real-time: the device is configured to tell Tufin when it is changed (through a log) which triggers a policy retrieval.
  • Polling: for devices that do not support sending change logs to Tufin or are not configured to do so.

Tufin recommends the Real-time Mode. Polling frequency is configurable.

Which platforms does Tufin support?

  • Leading enterprise firewalls: Check Point, Cisco, Forcepoint, Fortinet, Juniper, Palo Alto Networks and more
  • Leading networking devices: Cisco routers and switches, Juniper routers and switches, F5 Networks load-balancers
  • Leading public cloud platforms: Amazon Web Services (AWS) and Microsoft Azure
  • Leading private cloud platforms: VMware NSX, OpenStack

What does Tufin do for Cloud Platforms?

Basically, the same as it does for physical networks: Tufin enables change tracking, visualization, analysis, compliance and reporting for security groups and networking configuration of private, public and hybrid cloud platforms. For cloud platforms, Tufin also adds a further dimension: visibility of instances or VMs.

Does Tufin support SDN?

There are three modes of SDN – physical, overlay and hybrid. Tufin currently supports VMware’s flavor of SDN, NSX, which is an overlay network. Tufin will continue to add support for the leading SDN platforms as they approach mainstream.

What Technical Support does Tufin offer?

Tufin provides two levels of Technical Support: Standard Support during business hours and Premium Support around the clock (24/7). US customers receive local support from Tufin’s Ohio-based support center.
Learn more at Tufin Support.

What is the largest Tufin deployment?

Tufin is used by one of the world’s largest service providers to manage over 1000 firewalls. This large enterprise deployment consists of over 12 Tufin servers in a distributed architecture of multiple sites.

Can I test Tufin in my environment?

Sure. Request a free evaluation.

How much does it cost?

Price depends on the number of firewalls and applications. Request a quote here.