How to Keep a Bouncer Healthy – Comparing Algosec/Firemon/Tufin vs indeni
If you are an Algosec/Firemon/Tufin customer, you should seriously look into indeni as a means of providing you an overall solution for getting the job done.
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.This article explains how indeni complements firewall rule-base management tools like Algosec, Firemon, and Tufin by monitoring device health and operational readiness across firewalls, routers, switches, and load balancers. It addresses the real-world problem of ensuring that security devices not only have correct policies but also remain live and healthy to avoid traffic loss and downtime in large enterprise networks. Key outcomes include cross-device analysis (e.g., detecting router-caused issues that can break Check Point cluster failover), the requirement that indeni reach each firewall directly, and a 45-minute demo to see indeni in action.
How does indeni differ from policy-focused tools like Algosec, Firemon, and Tufin?
indeni focuses on device health and operational readiness rather than rule-base correctness and policy workflows. While Algosec, Firemon, and Tufin monitor and manage changes to firewall rule bases to ensure policies are enforced, indeni ensures the devices (firewalls, routers, switches, load balancers) stay alive, healthy, and able to perform their functions. This complementary approach means indeni detects hardware and network-level issues that could cause traffic loss or downtime even when policies are correct.
Why must indeni reach every firewall directly rather than through management servers?
According to the article, indeni requires direct access to each firewall to accurately analyze the health of the device. Connecting only to management servers (for example, Check Point Provider-1/MDM) is insufficient for indeni to perform a true health analysis because management servers do not expose all the device-specific operational data indeni needs. Direct connectivity enables indeni to detect device-level problems and cross-device interactions that might not be visible from centralized management alone.
What advantages does indeni provide by covering routers, switches, and load balancers in addition to firewalls?
By analyzing a variety of network devices—not just firewall ACLs—indeni can identify cross-device issues that affect overall network and security operations. The article gives the example of a Check Point firewall cluster failover going wrong if surrounding routers drop GARP replies; indeni identifies such conditions as part of its ongoing analysis. This broader device coverage helps prevent scenarios where correctly configured security policies still fail due to problems in adjacent network infrastructure, reducing traffic loss and downtime.
Many of our users work in the information security operations departments of mid-size to very large enterprises. As such, they regularly work with Check Point firewalls (which indeni supports), When you work with a firewall, you need to make sure the rule base matches the organization’s security policies.
To help with that, there are companies such as Algosec, Firemon and Tufin, that have developed solutions for monitoring changes in the rule base and building a workflow around the on-going work done with it. While I hope these companies will excuse me for referring to them as a group (I’m sure each of them considers itself as the best in class, rightfully so), we see them as a group because they fulfill a certain need.
indeni fulfills a very different need. The best way to understand it is to imagine the firewall being a bouncer at a party. The Algosec/Firemon/Tufin solutions help make sure the bouncer knows who to let in and who not to. indeni makes sure the bouncer stays alive, healthy, and can do his/her job.
Therefore, every user of Algosec/Firemon/Tufin should look into indeni. We are complimentary solutions that together ensure your firewall will achieve the security goals you have set for it while at the same time ensuring the firewall doesn’t become a source of traffic loss and downtime.
Note that there is one major difference in the way indeni is set up: indeni must be able to reach every single firewall on the network directly. Connecting to the management servers (such as Check Point’s Provider-1/MDM) is not sufficient for indeni to be able to truly analyze the health of the firewalls.
Another difference is that indeni isn’t directed solely at security devices. indeni can cover the networking aspects of routers and switches (not just ACLs) as well as devices like F5’s load balancers. Adding this entire variety of devices to indeni’s analysis engine will allow you to identify cross-device issues. For example, a Check Point firewall cluster failover can go very wrong if the routers around it are dropping GARP replies. We identify that as part of our on-going analysis and are unique in that capability.
Bottom line: if you are an Algosec/Firemon/Tufin customer, you should seriously look into indeni as a means of providing you an overall solution for getting your job done. It takes just 45 minutes to see indeni in action on your network.
Related content
How to map your network with user-defined links in Integrity X
Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.
Automate your DDI modernization path by migrating with Micetro
Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.
Your journey to intelligent NetOps begins at Cisco Live
Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.
Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)
Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.