Tufin Orchestration Suite provides centralized management of OpenStack Security Groups and Instances alongside on-premises data centers and other cloud platforms for full visibility across the enterprise using a single console.

OpenStack is an open-source cloud infrastructure service provider for compute, storage and networking. OpenStack’s Firewall-as-a-Service (FWAAS) plugin applies firewall perimeter management to routers, router ports, and projects.

Manage Your Firewall Rules & Policies

When IT and Security teams deploy Tufin with OpenStack Neutron, they get central firewall policy and network connectivity management across their enterprise. Tufin gives you a single pane of glass where you can:

  • Gain full visibility into your complex networks, whether on-premises, in the public cloud, at the edge, or a hybrid.
  • Visualize complex network infrastructure and architecture.
  • Implement network changes quickly and securely.
  • Design, deploy and monitor a global security policy.


Go to Tufin Knowledge Center for docs on supported devices, platforms and version numbers.

Related Resources


What is Openstack’s Firewall-as-a-Service?

This plugin applies Neutron firewalls to objects like projects, routers, and router ports. Openstack’s Neutron FWAAS centers on firewall rules and firewall policies. The firewall rules specify attributes like port ranges, protocol, and IP addresses to reconcile match criteria and act on matched traffic.

In Openstack’s new FWAAS v2 implementation, more granular actions are available. The firewall will consist of a ingress and egress policies, and firewall groups will apply at port level instead of router level. FWAAS uses iptables to apply policies to virtual routers within a project.

FWAAS supports:

  • L3 router firewalling
  • L3 router port firewalling
  • L2 firewalling (VM ports, including isolation using VLANs and tunneling)
  • CLI support
  • Horizon support
  • Multiple protocols (tcp, udp, icmp, any)

For teams to manually configure firewalls, they must permit traffic through the ports that each OpenStack service uses.

What is OpenStack Neutron?

OpenStack Networking enables teams to create and manage network objects like networks, subnets, and ports. Neutron, the OpenStack networking manager, has an API for defining network connectivity, addressing, and networking routers. There is also API functionality to configure and manage a variety of services including L3 forwarding, NAT, load balancing, routing, and perimeter firewalls.

Using Neutron, teams can configure rich network topology with networks, subnets, and DNS resolvers. Teams can also enable dual stack (IPv4 and IPv6) instances on a subnet. If your organization runs many virtual machines that run on one or more physical nodes, Open vSwitch allows for virtualizing the networking layer but connecting VMs to virtual ports on virtual bridges.

How can I manage OpenStack Security Groups?

Teams can also manage OpenStack Security Groups on OpenStack and through Tufin. Security groups are sets of IP filter rules that apply to project instances. Teams can create security groups and add security group rules that allow users to ping (ICMP) and use SSH to connect to an instance.

It’s also easy to add rules to a security group to specify network access rules for servers and other resources on the network.

How can I use and manage OpenStack instances?

Instances created in OpenStack are automatically assigned a fixed IP address in the instance’s assigned network. To modify associations at any time, teams can also attach a floating IP to the instance.

Teams can also make high availability compute nodes by configuring the environment to include multiple instances of the API and other services.

Get the visibility and control you need to secure your enterprise.

Only Tufin provides automation and a unified security policy, from on-prem to cloud, across NetSec and DevOps.