firewall management

[icecream-guy]

what's that tool some of you guys use to manage mixed firewall environments.  i remember it being mentioned on another site, but I can't find it...

[javentre]

Firemon.

[deanwebb]

Tufin, and I love it.

[icecream-guy]

looks like they are competitors?

[deanwebb]

Yes, they are. I'm not going to be a Tufin fanboy, because there are places where that product can still improve, but I am still a big fan of the product because it provides some solid management tools.

[mmcgurty]

What types of firewalls are you using to Tufin to manage?  We have CheckPoints, Cisco ASA's, and most recently added a pair of Palo Alto PA-5050's.

We still use Cisco Security Manager for our FWSM's and the basic Cisco ASA ADSM for individual units (5520's).  CheckPoint is SmartDashboard/SmartView Tracker.  Palo Alto is another team, but I think it is just a web interface.

[Seittit]

Palo Alto is another team, but I think it is just a web interface.

Palo Alto uses a central manager called Panorama, but you can get down and dirty on the CLI too.

[deanwebb]

What types of firewalls are you using to Tufin to manage?  We have CheckPoints, Cisco ASA's, and most recently added a pair of Palo Alto PA-5050's.

We still use Cisco Security Manager for our FWSM's and the basic Cisco ASA ADSM for individual units (5520's).  CheckPoint is SmartDashboard/SmartView Tracker.  Palo Alto is another team, but I think it is just a web interface.

Tufin will manage all those vendors, also F5, Stonegate, and Fortigate. We are also looking at using it as our router and switch config manager, since we have it set up and it can perform in that capacity, as well.

[mmcgurty]

What types of firewalls are you using to Tufin to manage?  We have CheckPoints, Cisco ASA's, and most recently added a pair of Palo Alto PA-5050's.

We still use Cisco Security Manager for our FWSM's and the basic Cisco ASA ADSM for individual units (5520's).  CheckPoint is SmartDashboard/SmartView Tracker.  Palo Alto is another team, but I think it is just a web interface.

Tufin will manage all those vendors, also F5, Stonegate, and Fortigate. We are also looking at using it as our router and switch config manager, since we have it set up and it can perform in that capacity, as well.

Oh wow!  We have lots of F5.  Do you have a rough idea of the costs for this?  Is it like $100K out of the gate or like $5K to $10K?

[deanwebb]

I'm no pre-sales engineer, let alone a sales guy, so I don't have any price sheets handy. There's a one-off expense for initial hardware, then license costs for each device monitored. How many boxes do you have?

[mmcgurty]

I'm no pre-sales engineer, let alone a sales guy, so I don't have any price sheets handy. There's a one-off expense for initial hardware, then license costs for each device monitored. How many boxes do you have?

6 CheckPoints, 12 or more Cisco FWSM/ASA's, 22 F5's, 2 Palo Alto's.  Not extensive but enough that it drives cost upwards I'm sure.

[deanwebb]

That's about the size of our pilot deployment. What's your budget for a monitoring system?

[mmcgurty]

No budget in 2015 for monitoring.  We were considering a basic deployment of NetBrain for like $20K and even that got shot down.  However, if we had money free towards the end of the year we might be able to swing something like this.  Firewall management has been a real thorn in our side which is why we are doing everything on the individual systems.

[deanwebb]

With 40-50 firewalls, you really do need a monitoring system. $150-200K might be the pricetag, by my guess.