Tufin Policy Management Reference
tufin firewall policy-management
Overview
Tufin provides network security policy management and automation. It analyzes firewall rules across multi-vendor environments, tracks changes, and automates access requests.
Core Products
| Product | Purpose |
|---|---|
| SecureTrack | Policy analysis, compliance monitoring, rule documentation |
| SecureChange | Access request workflow, change automation |
| SecureApp | Application connectivity mapping, dependency visibility |
SecureTrack - Common Tasks
Policy Search
- Search by IP (source/destination)
- Search by service/port
- Search by rule comment or ticket number
- Cross-device search (find rules across all firewalls)
Rule Analysis
- Shadowed rules: Rules that never match due to prior rules
- Redundant rules: Rules that duplicate existing coverage
- Overly permissive: Rules with
anyin critical fields - Unused rules: No hits over defined period
Compliance
- Pre-defined policies (PCI-DSS, SOX, HIPAA frameworks)
- Custom policy creation
- Violation reports and exceptions
SecureChange - Access Requests
Typical Workflow
- User submits access request (source, destination, service)
- Tufin calculates which firewalls need rules
- Risk analysis runs automatically
- Approvers review and approve/deny
- Rules pushed to firewalls (if automation enabled)
- Verification confirms traffic flows
Request Fields
- Source: IP, subnet, or address object
- Destination: IP, subnet, or address object
- Service: Port/protocol or service object
- Application: (if App-ID firewall)
- Justification: Business reason and ticket number
Key Concepts
Unified Security Policy (USP)
Abstract policy layer that maps to vendor-specific implementations. Define intent once, deploy to multiple firewall types.
Topology
Network map showing routing paths, firewall placement, and NAT translations. Used to calculate which devices a traffic flow traverses.
Zone Matrix
Defines allowed/blocked communication between security zones. Violations flagged when rules don’t match matrix.
Integration Points
| Integration | Use Case |
|---|---|
| ServiceNow | Ticket creation and updates |
| SIEM | Rule change events |
| IPAM | Address validation |
| Vulnerability scanners | Risk-based analysis |
Troubleshooting
Common Issues
- Topology gaps: Missing routes cause incorrect path calculation
- Object mismatch: Source address object doesn’t resolve correctly
- Stale data: Run manual sync if recent changes not reflected
Useful Checks
- Verify device credentials/connectivity in SecureTrack
- Check collector status for log collection
- Review audit log for failed automation attempts