Check Point CloudGuard Network Security Reviews

The architecture proposed is based on Microsoft’s Cloud Adoption Framework enterprise-scale landing zone architecture. Enterprise-scale is an architectural approach and a reference implementation that enables effective construction and operationalization of landing zones on Azure at scale.

We're using CloudGuard solution in a NorthBound - SouthBound design to protect and filter both incoming and outgoing traffic.

Also, we are using a VMSS solution deployed in Azure, with a minimum of two instances

The design is based on a "Hub & Spoke" model in which the environment is set up as a system of connections arranged as a kind of bicycle wheel where the spokes are connected to a central point in the hub, and all traffic to and from the spokes passes through this hub.

The NorthBound/SouthBound design solution allows traffic to be scanned and filtered both when entering (NB) and exiting (SB) the organization.

This design is also extremely suitable for segmenting a network. Network segmentation is usually done to reduce the attack surface of the network and limit the ability of a malicious threat to spread freely across the network.

Also, CloudGuard came with a new benefit in terms of scalability, with the VMSS solution capable of auto-scale in or out, depending on the resource demand.

The most valuable aspects of the solution include:

• Easy to administer and also to deploy, thanks to automated setup with pre-configured templates. On top of that, security comes first.
• The proactive threat detection results in huge risk reduction.
• It has a user-friendly interface; it's best in the market for policy management and log monitoring.
• There are multiple options to deploy (clustering, standalone, VMSS and single management solution, SMS or MDS, and even better: Infinity Portal).
• It has a really strong user community, which seems to compensate for the very poor vendor support.
• The capability to auto-scale in or out, depending on the resource demand is great.

Vendor support might be the weakest point of the CloudGuard solution. You really struggle to find a CloudGuard specialist, even for simple tasks. As mentioned before, you can find better answers to the user community (which is actually a downside of the product).

There are lots of limitations and discrepancies across different Cloud provider deployments.

Documentation might become too complex or too spread out, especially for newcomers.

As in the past, with traditional Check Point firewalls, it sometimes seems to be moving too fast with software releases and upgrade cycles, which are difficult to keep up with.

I have been using Check Point for more than ten years - and CloudGuard for almost a year.

My customers use the solution for technical and internal Azure resources, including remote access VPN.

Some retail customers find the scale-up and scale-down features valuable, particularly with scale sets. This is useful for handling increased loads on devices and utilizing firewalls, similar to on-premises setups with active standby configurations.

The solution allows customers to migrate workloads securely into the cloud space with a trusted vendor, maintaining everything under a single platform. This ensures visibility into their cloud environments similar to on-premises setups, all managed through a single smart console. 

Unified security management simplifies operations by providing visibility into both cloud and on-premises infrastructure. The skill set required to manage it remains the same for both environments.

The level of confidence in CloudGuard Network Security, both for myself and my customers, is very high. The product operates familiarly, consistent with what customers are used to, and it is a trusted name in the space.

Based on my previous experience, there were improvements, especially in in-place upgrades. Regarding cost, it might be potentially cheaper considering resource utilization in Azure and VM costs, but licensing could be improved, possibly moving towards a simpler model.

I have been using the product for four to five years. 

CloudGuard Network Security has improved its stability. It is a stable platform. 

The tool has improved its scalability over the four years. 

The support experience can be hit or miss. It depends on the expertise of the support representative. Some are highly skilled and knowledgeable, while others require more guidance. There might be room for improvement in this aspect.

Neutral

The tool's deployment is straightforward, whether through the marketplace or templates. It offers flexibility for making amendments before deployment. 

On a scale of one to ten, I would rate the solution an eight. The ease of deployment, the single management function, and the features it provides, especially in terms of scale sets and scaling, contribute to it being a solid platform. Many customers are increasingly interested in using it to protect their assets within Azure and AWS, which are the two main areas of operation.

If a colleague is considering purchasing the solution for its security features and licensing, my advice would be to ensure correct deployment. While the solutions are generally straightforward to deploy, there are nuances, especially in Azure infrastructure, that can make troubleshooting more challenging. It's crucial to either use a knowledgeable partner for deployment or ensure a clear understanding of the process before proceeding, as it may be more complicated than anticipated.

We use the product as an internal firewall between Azure, on-premises, and the internet. 

The tool's most valuable features are the REST APIs that help to automate the deployment and maintenance process. It helps us to reduce time to 15-25 minutes compared to the manual process which used to take around two to three hours. 

It eliminates the need to manually import hundreds of IP addresses into firewalls and architecture objects. This process now happens automatically. 

The tool helps us to automate processes. Operating it is relatively easy, especially for standard tasks like implementing firewall rules for source, destination, port, or URL. Our team can handle these tasks. 

We miss full blade support for all blades that are compatible with the cluster. Especially notable is the lack of support for Identity Awareness in active standby environments for customers. In our setup, transitioning to Connective clusters would be preferable for maintaining connections during failover situations.

I have been using the product since 2016. 

The product is stable. 

CloudGuard Network Security's scalability is easy. 

The tool's first response is usually prompt, and issues are generally resolved. Additionally, the support team proactively follows up, reminding us to provide necessary details when we might be on a high workload.

Positive

The deployment experience varies depending on the structure of your environment. In our case, we invested significant time in designing our network and aligning it with our existing Check Point environment. Once the overall design was complete, the actual deployment was straightforward. We have automated most of the process, enabling us to set up the environment within a few hours. Additional nodes can be added in just 20-30 minutes.

We had evaluated Barracuda before CloudGuard Network Security. We chose CloudGuard Network Security since Check Point knowledge was available in-house. 

Invest time in analyzing the templates provided by Check Point and tailor them to your specific requirements. Understanding the deployment process is crucial, as it allows you to benefit from it in later stages. You can optimize it later based on the needs. I rate the overall product a nine out of ten. 

Positive

Our use case is simple. We utilize CloudGuard Network Security with a bridge to connect all components in the cloud directly to the on-premise. By establishing peering with the bridge, we route traffic to the Google Cloud-based cluster. We apply our standard on-premise environment rules to CloudGuard, utilizing threat prevention, EPS, etc.

The most valuable feature for us is the simplicity of creating this environment. Even though our current cloud usage is limited, the process of setting up machines in the product and establishing an HR system was straightforward. 

CloudGuard Network Security helped us create stable VPN connections from our Google Cloud to our data center. This was important because we had issues with dependencies between Google, the data center, etc.

We have an on-premise management system, and it's straightforward. We use it within the same management of our other files. 

In the past year, I noticed that the challenging part, especially in the cloud, is upgrading to the next release of the firewall. Unlike on-premise upgrades, it's not as simple in the cloud. You need to recreate the machine, which makes the process more complex.

We have been using CloudGuard Network Security for four years now. We initially adopted it when we began using the Google Cloud platform. It helps us enable connections between the cloud, data center, and hybrid infrastructure. 

The solution is stable. 

The tool's pricing is not cheap. 

I rate the solution a nine out of ten. 

We use CloudGuard Network Security to protect Azure's networking environment. 

The CloudGuard Network Security's most valuable feature is implementing IPS for accessing our data center and server environment in Azure. It helps us to prevent attacks. By protecting our environment with Check Point, which we were already familiar with, it provided a solution that extended into the cloud environment.

The product needs to improve support. They don't consider my case the number one priority even though I want a quick resolution. 

I have been using the product for three years. 

The solution is getting better. We faced issues a few years back. Its stability depends on Azure. 

The solution's scalability is not good. Our upgrade process was not straightforward. It took one day to complete. 

The solution's support is very good. We have Check Point certified engineers. At times, Check Point's support can take a day or two to respond. 

Positive

We opted for CloudGuard Network Security after evaluating what Azure had to offer. It proved easy to manage, and the crucial aspect for us was the ability to see the activities on our central log system. We can see everything in the environment. 

The solution's deployment is straightforward. We required some time to learn it. 

The tool's pricing is reasonable. 

CloudGuard Network Security provides unified security management across both our hybrid clouds and on-premises environments. I rate it a nine out of ten. I would recommend others to install the solution. 

Check Point CloudGuard Network Security is a highly advanced security solution that prevents any incoming threat, issue, or malware entry and secures the cloud network end-to-end by creating a secure virtual gateway that proactively diffuses and creates a unified, secure environment for users to work securely without any tension. 

The unified security management is an important characteristic of the software which differentiates the same from other similar products and stand out from the crowd. 

It can efficiently work on multi-cloud environments and different hybrid and online premises without any compatibility issues.

The software has significantly improved the security system, resulting in increased productivity and improved performance by the team. Also, it has the great potential and immense capability to work in different kinds of software environments, from offline to online and hybrid premises, with full vigor without any issue.

Advanced threat prevention and data protection in hybrid and private business environments is critical. Check Point is truly a savior here, and it promotes security enhancement in a true sense without any problem.

Data protection and threat prevention across hybrid and private cloud environments is an extremely important aspect. Check Point has aced this. Any kind of cloud environment anywhere can be protected through this effortlessly. 

The encryption technology to prevent data loss and leakage works really well for us. All security instructions and policy processes are auto-scaled up and operate on their own and keep everything in check. 

Security management is unified and can be singularly managed from a place without any hassle.

They can improve their security features to the next advanced level so that their efficiency in catching the malware can become 100%, and there is no scope for any data loss or leakage from the system due to any issue. 

The compatibility factor often poses some integration issues and consumes a lot of time for APIs. The business and tech team should be more responsive to our clientele and tech requirements, as it is critical in today's era.

The auto-remediation and risk management segment can be further researched and made more flexible and customizable.

I've used the solution for almost six months.

The solution is stable.

The solution is scalable.

Technical support is good.

Positive

I did not use a different solution previously. This solution is used in trial mode.

The initial setup is easy.

We handled the setup in-house.

The ROI is good.

It offers good security and everyone should be signing up for a trial for sure. It is easy to license and use.

We evaluated FireBox, SRX Series, Sonic Wall, Cisco firewalls, etc.

Try the solution today.

Most security solutions traditionally have been protecting physical assets within an environment, or reliance on an inline hardware appliance. CloudGuard takes the security controls that were previously packaged with physical appliances in mind and extends them to the virtual infrastructure.

It's an add-on capability to an existing virtual infrastructure, such as an AWS, Azure, or even on-premise solutions. It adds a security layer on top of your existing infrastructure with zero latency.

We're hosting it ourselves on our hypervisors, as well as starting to do so in some of our private cloud instances. It's solely managed by us with a pair of consolidated management servers.

This virtual platform is unique in the way that it augments our existing physical controls through a centralized management system. When many organizations, like ours, went from physical servers to virtual servers and desktops, there was a blind spot there. We no longer had visibility into what was happening within our environment, and that extended to the cloud as well where it's difficult, if not impossible, to introduce hardware — firewalls and other security protection. This solution takes what is still required around intrusion detection/prevention, anti-malware, and other threat protection capabilities and extends it to all of our virtual assets, regardless of where they live, in a private or public cloud.

CloudGuard has closed a significant gap that we had in our environment. We were searching for the right solution for many years, to gain visibility into, and protection of, all of our virtual asset servers, desktops, and workloads. There have been other products throughout the years that provided a similar type of technology, but had we purchased and move forward with those, we would have seen a degradation of performance within our environment, as traffic would have to be what's considered "hair-pinning" and going in and out of the virtual environment to another either virtual or physical appliance. We intentionally delayed our purchase of this kind of solution because we were not satisfied with that architecture. We weren't willing sacrifice performance degradation on our network. That's really the big benefit of the CloudGuard, it is able to live within the same virtual instances as the other virtual assets and workloads.

What's most valuable to me is that it's a contiguous solution that aligns well with the components that we've relied on and trusted from a traditional hardware, firewall, and unified threat management system. My engineers and analysts don't have to learn another platform. We have already entrusted our security controls to Check Point for perimeter and physical security, and now we can do so at the virtual layer as well, which is key to us. It really augments their current stack of capabilities. It all aligns well under their umbrella of their Infinity architecture, which we have adopted.

It's meeting our needs at this time. If I could make it better, it would be by making it more standalone. That would be beneficial to us. I say that because our current platform for virtualization is VMware. The issue isn't any fault of Check Point, it's more how the virtualization platform partners allow for that partnership and integration. There has to be close ties and partnerships between the vendors to ensure interoperability and sup-portability. There is only so far that Check Point, or any security vendor technology can go without the partnership and enablement of the virtualization platform vendor as it relies on "Service Insertion" to maintain optimal performance. 

We are frequently in contact with Check Point's Diamond Support, Product Development Managers as well as their sales team, as we look to keep apprised of where the product ius and should be going. Most of our requests have been around our physical assets, the physical UTM devices — Check Point Maestro, as an example — as well as their endpoint systems. There has not been anything at this time where we've said, "We wish CloudGuard did X differently." CloudGuard, in my opinion, having recently talked with them, is continously improving and is incorporating some of their recently acquired capabilities, such as Dome9 cloud compliance. Those are areas I have been evaluating and looking to add to my environment. My preference would be that it be included in my CloudGuard subscription licensing, and not an add-on; But that's the only thing that I could say that would be beneficial to us as an enhancement to the system.

We've been using Check Point CloudGuard IaaS for about three years.

The stability has been great. There has been no concern at all. We have not had any known downtime or issues to speak of.

Scalability was well thought out and designed. I've spoken about this at several Check Point CPX events. Throughout the instances that we have, if a single Check Point CloudGuard instance is overloaded due to event load, it will intelligently redirect that workload to another service on a different host, so that it's not delaying the interrogation of the traffic.

It's being used throughout our environment. We will increase usage only when we augment our cloud offerings.

Users, in this case, are the IT security and networking folks that support it and rely on these controls being effective. They analyze the output of the event interrogation. Right now, I have three resources supporting CloudGuard. I don't have dedicated staff for maintaining the solution. They're shared resources who work on other network and security devices. From an operational standpoint, it's a fraction of an FTE that is required.

Check Point's technical support for this solution, overall, is very good. Check Point has architected this solution well enough that it has similar, if not the same, code base as the physical devices. It doesn't appear to be a big lift and can leverage the same support engineers for CloudGuard as we would have for our physical devices.

We never found a solution we were satisfied with, and which would not affect our overall operational performance.

I was not personally involved in the initial deployment, as I'm the CISO of the organization, but I was closely engaged with my engineers. The CloudGuard portion of our installation and setup was extremely simple, in comparison to the integrated component on the virtualization side of things. Check Point made it extremely easy to deploy and configure, especially because it's done from our consolidated management devices that we're already familiar from our physical unified threat management devices.

The delays in deployment were mostly due to the virtualization side of things. If it was just CloudGuard alone, we probably could have had that done in about six to eight weeks. But there were several starts and stops due to the accompanying VMware component, which has really extended, I hate to say it, over 12 months.

In terms of our implementation strategy, the intent is that every host in our environment that serves up virtual assets and workloads would have an instance of CloudGuard installed on it. And then all respective HTTP/HTTPS traffic would be routed through Check Point for visibility and interrogation, so that if any of its threat controls determined that an asset was rogue or infected due to some malicious insider or outsider, it would automatically quarantine that device. We have tested that and it worked successfully.

We installed it with the help of Check Point-badged engineers. To be honest, we had to ask for a new lead engineer. And once that occurred, the project implementation went very smoothly.

ROI is a very difficult metric in the security space. We've been fortunate that we haven't had an event in which we would say that because of CloudGuard our MTTD and MTTR was low and we quickly identified and stopped a malicious adversary.

However, we are now more confident in our security controls and visibility. CloudGuard plays a significant role in our SOAR (Security Orchestration Automation and Response) initiative. We can now automate the isolation of an infected machine with the help of CloudGuard.  This in itself is the best ROI as it doesn't require manual intervention to detect and respond.

The pricing and licensing of this is much more digestible than that of its hardware equivalent. I've found, in times past, especially on the hardware side of things, that the licensing support and maintenance could be very daunting to understand. If that has scared folks away in the past, CloudGuard is much simpler. 

Licensing is simply by the number of hosts that you are looking to protect within your environment. It makes it much easier to ensure that you are covering your environment.

If you are not already a Check Point customer for the UTM and the SmartEvent, there likely would be an additional cost, beyond the standard CloudGuard licensing, if you wanted the reporting. It's a unique instance where we already had an established infrastructure of Check Point devices on our network, and then we added CloudGuard to it. Had we started with CloudGuard, and only had virtual assets to protect, it is possible that there would be additional cost. I would urge folks to look into what it would cost to add the reporting capabilities and log event management.

We looked at offerings from Cisco (ACI), Illumio and Gigamon. This was about three-and-a-half years ago.

The main differentiator, and the reason we selected Check Point, is how it integrated with our virtualization platforms. It lived there natively. It had the least amount of overhead to interrogate the traffic within our environment. It also aligned well with our consolidated reporting and management solutions that we have come to rely on from our Check Point physical UTM devices.

Intently know and understand the integration points within your environment. It is a great security solution, but understand how integrated it is with, and what level of partnership there is between, Check Point and the virtualization platform that you're looking to add it on top of.

The biggest lesson I have learned is that the Check Point CloudGuard features, although good, are only as good as the accompanying virtual platform and its level of integration. I have to be honest: Overall, this is the ideal solution for us and our organization, but it is slightly more complex. There are newer competitive products that take a different stance, that are agent-based. We did not want — and this is another key distinction — a solution that wasn't agent-based in which we had to deploy a piece of software on each and every virtual endpoint. Having this done at the hypervisor level definitely was the right strategy for us. However, the lesson learned, with this type of solution, is that it is very important to understand the nuances of your virtualization platform and what is required on that side to enable the Check Point CloudGuard.

You're relying heavily on the partnership and the capabilities of that virtualization platform. Going in, understand the degree of that partnership and the respective road maps of each, because the CloudGuard solution is only as good as the capabilities it has with the virtualization platform. That's especially true for large enterprises that want to constantly move workloads around and have their rule set follow in an event where they're having to ensure that systems are always alive and always protected.