Tufin Policy Management Reference

tufin firewall policy-management


Overview

Tufin provides network security policy management and automation. It analyzes firewall rules across multi-vendor environments, tracks changes, and automates access requests.

Core Products

ProductPurpose
SecureTrackPolicy analysis, compliance monitoring, rule documentation
SecureChangeAccess request workflow, change automation
SecureAppApplication connectivity mapping, dependency visibility

SecureTrack - Common Tasks

  • Search by IP (source/destination)
  • Search by service/port
  • Search by rule comment or ticket number
  • Cross-device search (find rules across all firewalls)

Rule Analysis

  • Shadowed rules: Rules that never match due to prior rules
  • Redundant rules: Rules that duplicate existing coverage
  • Overly permissive: Rules with any in critical fields
  • Unused rules: No hits over defined period

Compliance

  • Pre-defined policies (PCI-DSS, SOX, HIPAA frameworks)
  • Custom policy creation
  • Violation reports and exceptions

SecureChange - Access Requests

Typical Workflow

  1. User submits access request (source, destination, service)
  2. Tufin calculates which firewalls need rules
  3. Risk analysis runs automatically
  4. Approvers review and approve/deny
  5. Rules pushed to firewalls (if automation enabled)
  6. Verification confirms traffic flows

Request Fields

  • Source: IP, subnet, or address object
  • Destination: IP, subnet, or address object
  • Service: Port/protocol or service object
  • Application: (if App-ID firewall)
  • Justification: Business reason and ticket number

Key Concepts

Unified Security Policy (USP)

Abstract policy layer that maps to vendor-specific implementations. Define intent once, deploy to multiple firewall types.

Topology

Network map showing routing paths, firewall placement, and NAT translations. Used to calculate which devices a traffic flow traverses.

Zone Matrix

Defines allowed/blocked communication between security zones. Violations flagged when rules don’t match matrix.

Integration Points

IntegrationUse Case
ServiceNowTicket creation and updates
SIEMRule change events
IPAMAddress validation
Vulnerability scannersRisk-based analysis

Troubleshooting

Common Issues

  • Topology gaps: Missing routes cause incorrect path calculation
  • Object mismatch: Source address object doesn’t resolve correctly
  • Stale data: Run manual sync if recent changes not reflected

Useful Checks

  • Verify device credentials/connectivity in SecureTrack
  • Check collector status for log collection
  • Review audit log for failed automation attempts