Check Point NGFW Reviews

We have multiple customers that use this product.  Integrated logging is the best around.  

It's clear and does the job it's supposed to do.  

We typically install this as the network edges and encourage our customers to have one at each location. Some prefer to backhall the smaller sites to the main branch where it handles all the inspection and rules.  

We also set up multifactor SSL VPN solutions at the main location which allows visibility into remote worker traffic. Overall, it's used mostly by small to medium businesses.

We have been able to sell this product for a long time as it's highly rated and has a deep feature set. We have probably sold millions of dollars worth of Check Point products over the years.  

When the customer comes to us wanting the most protection we typically suggest Check Point first. Our engineers enjoy being able to quickly deploy a solution and have the familiarity with the product to be able to troubleshoot it quickly once it's deployed. For the most part, we train our customers to be able to manage it themselves.

Mostly the logging features of the Check Point NGFW are the most valuable.  Being able to search in clear text is simple for the customer and for troubleshooting an environment. 

I also like that you can get trial licenses for just about every product solution.  This allows us to suggest a feature, implement it, and then show the customer that it has value. We tend to retain the customer on that product for the long term once it has been deployed and they are able to see what it's doing to protect them.

The only thing holding it back is the price. It's too expensive for mid-market companies. There are other platforms that have emerged that have a similar feature set, however, are more difficult to deploy. This is really only a problem for the engineers as the customer doesn't care how many hours the engineer has to put in to make it work in their environment. If the Check Point product came in at a lower price point it would make it easier for the customer to see the value in cost, thus making it easier for us to sell.

I've used the solution for seven years.

It has been the most stable for a long time.  That track record is something that you can show the customer. 

The product is highly scalable especially if you integrate the orchestration solution. 

Support is hit or miss lately. They have lost too many good reps to other companies. 

Positive

We have used other solutions, however, we continue to use Check Point NGFW.

The initial setup is simple once you have the appropriate infrastructure setup.  Once Check Point gets away from the central management solution and allows for on-box management it will make small businesses happier. 

I am part of the vendor team. We do a good job implementing it, although sometimes it takes too much time to deploy a product. 

We tell the customer that the ROI is the protection they are receiving and the stability of the product.  

We tell customers truthfully it's the best product, however, it has the highest cost and you'll pay for each license.  

We are always evaluating other solutions for our customers. Palo Alto and Fortigate are the top two others at the moment.

They just need to get the pricing down or do a better job of bundling the licensing.

The customer's use case involves employing it to safeguard their internal applications from external threats. They utilize various gateway features, including user identity-based policy, anti-spam, antivirus, IPS, anti-BOT, and other security measures, effectively creating a robust defense against a wide range of potential risks.

The primary focus is on safeguarding the customer's internal applications, especially for traders. When it comes to security, the main advantage lies in risk mitigation, akin to insurance.

The most valuable feature is its unique inspection model, which was initially a basic firewall inspection. Over time, they've developed and refined this model to cater specifically to trade-related intelligence. It is now a crucial and central component of their security infrastructure.

From an administrative perspective regarding Check Point NGFW, there are two key suggestions to improve efficiency. Firstly, administrators should be able to create a unified policy which means that when administrators set up policies in Check Point, they should have the flexibility to configure different security profiles and other security parameters all within the same access policy, simplifying the process. Secondly, the upgrade process for Check Point Firewalls currently involves extended downtime as it often requires a fresh installation. This downtime can last up to around sixty minutes, causing disruptions to business operations. To enhance the user experience, Check Point should consider adopting an incremental upgrade approach, similar to competitors like Palo Alto or Fortinet, as it would help minimize downtime and streamline the upgrade process, making it more efficient and user-friendly.

I have been working with it for about ten years.

It provides good stability features. I would rate it six out of ten.

Scalability is achievable in the cloud environment. By following the appropriate processes, you can configure automated scanning and other necessary functions to ensure it.

From a technical support perspective, there is room for improvement in Check Point's services. They have increasingly outsourced a significant portion of their support, primarily to third parties. This outsourcing has raised concerns, as it often results in longer resolution times and troubleshooting processes. In my experience, working with Level 3 engineers is more satisfactory and efficient, whereas Level 1 and Level 2 support can sometimes fall short of expectations and extend the time required to address issues.

Neutral

When comparing Check Point to Fortinet and Palo Alto solutions, there are several advantages and disadvantages to consider. One key advantage of Check Point is its robust logging capabilities. Administrators can access detailed traffic flow information, providing valuable insights into network activity. Another strength is the trust associated with Check Point. They pioneered the concept of "stateful firewall," which has established a strong foundation for trust in their security solutions and is built on their extensive experience and history in the field.

The initial setup is a medium-level complexity task.

When deploying on AWS cloud, I typically opt for CloudFormation templates to facilitate the setup of Check Point. This approach offers the advantages of infrastructure as code. When it comes to on-premises deployments, the process is manual and involves tasks such as physical cable connections, configuring interfaces, setting up routes, and defining network policies. For a typical mid-sized project, a single person is usually sufficient for the cloud deployment, taking no more than two hours if the implementation plan is well-defined and the design is in place.

The cost can vary depending on the specific model and feature set requirements, as well as the unique value it offers to the organization. The price may be perceived as relatively high when compared to the features and capabilities they provide.

My advice for anyone considering it would be to begin by thoroughly understanding their specific needs and requirements. It's crucial to assess budget constraints and security priorities. If an organization has a sufficient budget and prioritizes a robust security posture, I would recommend considering Fortinet. They often provide a more comprehensive security exposure when compared to Check Point. For organizations with legacy systems or a strong preference for Check Point's Endpoint solutions, my advice is to segregate the management and gateway components. Avoid running both on the same platform to prevent complexity and potential issues. Separating these functions can lead to a smoother and more efficient operation. Overall, I would rate it six out of ten.

We use the NGFW to give security and protection to our local network and internet user from internet threats like viruses, worms, bots, and intrusion. 

We also use it to control the internet URLs accessed by the user. We subscribe to two internet service providers with total bandwidth available of 450 Mbps and we have more than 700 internet users connected. 

Check Point's firewall does a good job of protecting the user from malicious threats. It is able to run smoothly without being a bottleneck in the network. 

Check Point NGFW helps us to secure our user's computer and our server and therefore helps us to maintain business operations. It has important features like an intrusion prevention system, anti-virus, and anti-bot capabilities. 

It also helps us manage bandwidth efficiently by managing what website is allowed to access by users. 

We're limiting user access to websites with high bandwidth demand like video streaming and social media, of forbidden websites like adult websites. 

We can manage which users have access to certain websites.

The antivirus, antibot, and intrusion prevention systems are great. It's very important due to the fact that to prevent is better than to recover. The features play a critical role in preventing any security incidents from happening and minimalizing them before they become bigger problems. 

Its URL filtering feature is great. We can manage which users are allowed access to which websites at a certain time. We can also manage which application is allowed and forbidden for the users. 

Check Point has a vast list of applications it is able to manage - from torrents to games, social media, etc. 

The product could provide an easier user interface and management, by combining all functions (network and policy configuration) into one single application rather than splitting it into different applications. 

Users will also really appreciate it if Check Point provides a free management and logfile analysis module. In the existing setup, a user must pay an extra subscription fee to have access to the firewall management module. It makes the user without a subscription unable to fully gain insight from the firewall log file so they are unable to fully utilize the device

I've used the solution for four years.

It's stable. The system runs with minimal problems. I said minimal because yes there were problems. In 4 years using checkpoint, we have maybe 2 major problem. One was hardware modul failure, that replaced as soon as possible by support team, and the other was software/configuration problem, that get solved also with the help of support team

It has the ability to scale depending on the product model.

They provide good support, depending on your troubles. For more complicated requests, maybe you will have to pay.

Neutral

Check Point is the company's first NGFW.

The initial setup is simple, however, customizing it could be complex.

We implemented the solution through a vendor team. The score I'd give for their expertise is seven out of ten.

if you pay for the setup cost, make sure you get it set up exactly as you need it to be.

We looked into Sophos, Sangfor, and Palo Alto.

It's used for a small business network which needed additional protection and threat prevention, remote work capabilities, and excellent support. It's capable of handling multiple public IPs and directing traffic to the appropriate interfaces.  The solution can handle multiple ISPs for backup or aggregation of traffic. 

The environment consists of eight PCs and six other devices which need Internet access and which must be protected.  The ability to restrict traffic to specific network addresses as well as the ability to block malicious hosts trying to get into the network has been great.

Check Point's Next Generation Firewall solution was perfect for reviewing logs, providing an initial layer of anti-virus/malware protection, and providing the support, when needed, to ensure that the product remained up-to-date.  

The ease of searching through the logs for specific incidents is outstanding and very easy to understand. In addition, the categories for web content blocking have been helpful for setting base traffic standards, can block P2P networks, social media, and content not suitable for business.

The protection has been outstanding! I have not had an infected machine behind the firewall since I first installed and started using NGFW. I appreciate the network health reports, the infected devices report, they make my job a lot easier by providing the information right there in the interface. 

With the web category blocking turned on, I can set it and forget it so that inappropriate business content is not brought into my network, it makes it easier to ensure that time isn't being wasted on non-business-related activities.

I really want to see geo-blocking as a feature of NGFW. Way too many hacking attempts from other countries are coming from where we don't travel. In addition, would like to see the VPN use MFA easily, just as another layer of protection.  

Another area of improvement would be a click to block when there are attempted hacks. While the infected device blocking is a good start, you should block traffic from the originator of the traffic; it would be great to be able to do that with any traffic. 

Also, it would be helpful to set thresholds on attempts and then autoblock that traffic for X amount of time, or permanently.

I've used the solution for six years.

I have not had any issues with the device for the past six years; it has just worked.  By that I mean that unlike some cheaper firewalls (consumer grade), the Checkpoint NGFW is enterprise grade, I never had to reboot the firewall to get traffic working again, I would just leave it up and running until a firmware upgrade was available and after the upgrade, the firewall would automatically reboot, but aside from those times, firewall was on 24/7.

The solution is very scalable. There are a lot of different types of devices to choose from.

Anytime I needed support, they've worked with me until the issue has been resolved.  I'd give them an A+.

Positive

We used Watchguard, however, we needed better protection and also wanted to try out Check Point NGFW as I'd heard good things about it.

The initial setup was straightforward. I just needed to figure out how to migrate policies (recreate them) from a different vendor to Check Point. It was relatively easy to figure out and there has extensive documentation available.

We handled the initial setup in-house

Peace of mind is my real ROI.

The pricing is a little on the high side, however, the protection afforded is worth it.

I did not evaluate other solutions. I previously utilized devices from Sonicwall and Watchguard.

Do your research and size the appliance correctly.

We are using Firewall Intrusion Prevention and URL Filtering, and we just purchased the Endpoint Protection package for our workstations.

It is deployed on-premises. We have two Check Point systems in place. We have one that's between our business network and the outside world, and we also have one that's between our business network and our internal SCADA system.

We haven't updated to version 81, so we're still at version 80.

It has provided us with great protection from threats. I've been here 30 years, and we've had two incidents, and none of them were within the time we've used Check Point.

The console or the single interface on the blades is most valuable.

The only thing that we've seen is instances where console and administrative interfaces get locked up or freeze, and we have to get the machine rebooted.

I have been using this solution for probably 10 years.

I would rate it a nine out of 10 in terms of stability.

Its scalability is very good. Our entire force is about 190 people, and most of them use it at some point just because they are going out to the internet and have that protection for the workstations. 

It is being used extensively. Everyone is using it, and we do have plans to increase the functionality on the device.

They provide really good support. I would rate them a five out of five. 

I can't remember the product, but what we had initially was an entry-level device. It was a single-purpose firewall. We went up to an enterprise solution that had additional features.

It was pretty simple to transfer the old firewall configuration to the new one. So, it was pretty straightforward and easy. I would rate it a four out of five in terms of effortlessness.

It took over a month. We ran two systems. We built a new system for a couple of weeks before switching over completely.

We used a consultant. Our experience with them was very good.

For deployment and maintenance, we have five people on our staff. We have to do some maintenance on it. It's pretty much scheduled to rotate between us so that we keep our skills fresh.

We've not done an initial study on any kind of ROI. We rarely do. In positives, we try to perform a yearly risk assessment of our systems, and we find very few vulnerabilities. So, it is doing what it's supposed to. It is keeping us safe.

Its cost is a little higher than other products.

We evaluated other options, but I don't remember their names. We basically went to the consultant we deal with for security-related things and said, "What's out there? What do you recommend?" He gave us three and recommended that the Check Point was probably the lead one.

I would advise comparing it to the other products.

I would rate it a nine out of 10. It has served us very well and given us very few headaches.

We are using this product as a firewall which does have the capacity to block the IPS signature as well. 

It is highly accurate for the IPS engine and has the best-in-class log monitoring and report generating facility in the firewall. 

It is easy to manage, as it has a centralized management console. We are using the firewall as a VPN service as well. It is very easy to troubleshoot the issue with the VPN. We are using IPSEC features where we can enable tunnels with the client and we can safely communicate with vendors due to encryption.

Checkpoint NGFW improved the security posture of our network infrastructure to the point where we can use antivirus, IPS, and antibot features to tighten up the security. We can also use URL filtering where we can block malicious URLs in communications. We can easily stop and detect Day-Zero attacks. 

The throughput of the firewall is very big for data transitions. The antivirus also includes DPI (deep packet inspection), which examines the data within the packet itself rather than only looking at packet headers. This enables users to identify, categorize, or block packets with malicious data more effectively. 

The IPS feature is the most valuable feature. We can block zero-day attacks within stipulated time intervals. The up-gradation activities are much simpler when we are dealing with Check Point firewalls. 

If there is a critical issue observed, the Check Point support team can create a custom package that we can deploy on the gateway to mitigate critical issues/bug fixes. 

The support reachability is very promising, as we can directly connect with them via call or chat from the support portal.

Sometimes the KB article does not include all the steps. There is a chance for improvement in the content of global KB articles. It's nearly impossible to add an exception for threat prevention services - such as antivirus and anti-bot. You will be stuck with Indicators of compromise marked as detecting only, caching issues, and random effects. There is no clear way to report incorrect classification to support. 

Sometimes we need to find a resolution by ourselves as the solution's knowledge base is not enough.

I have been using this solution for five years.

The stability is good.

We can easily scale the gateways with a few simple clicks. 

Technical support is great.

Positive

We did use a different solution. Check Point provides better visibility where security is concerned. 

The setup was very straightforward

We can implement it by ourselves.

The ROI is double annually.

It is pretty cheap as far as the setup cost, pricing, and/or licensing are concerned.

We looked at Palo Alto firewalls.

We are using the Check Point firewall for our perimeter security.

The security solution works as well on-premise and in the Azure Cloud. We are using central management to configure the security policy of both gateways.

We are also using a Site2Site VPN for connecting our locations. This VPN is also realized with the same firewall systems.

In order to simplify the process of generation reviews of actual security incidents, we have implemented SmartReport for generating automated and special customized security reports for our documentation department.

Since the security policy of all firewall gateways can be defined centrally on the Check Point firewall management server, it is a lot easier to generate a secure and safe policy for all locations.

Since we can define policy operators for dedicated traffic selections, some of the lower IT staff can easily allow or block services or servers or create their own policy without interfering or compromising the rest of the security policy.

This makes the administration and coordination of the policy a lot easier for us

Since the log files of all services are collected on the management server there is an easy and good view of all actual connections, attacks, or security risks.

In addition, when using the SmartEvent software blade, you get the possibility to have an easy to configure event correlation system, which will automatically fire mail alerts or can even block IP addresses if there are network or security anomalies detected on the firewall system.

This is also possible if the services are allowed - for example, if there are flooding attacks on server systems.

For example, this has prevented our Citrix Netscaler from being taken down during attacks.

Although there is a lot of automation and pattern that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions, however, it can still be made a little bit better. 

For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).

The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.

Since attackers also use these clouds, there is a problem in getting your security definitions to work.

Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.

There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.

I've used the solution for more than ten years.

We do not have any problems with stability.

There is a hardware solution for every type of throughput. It is very good that in the datasheets you get the throughput of the different types of network traffic.

It is better not to choose solutions bigger than needed, or to have some resources left over.

Most of the support calls are answered very quickly. However, if you have a problem and you have to get development involved, the response gets slower.

Most of the time, you will find all necessary information in the Support Center or on the collaboration sites.

Neutral

We were using Cisco firewalls before. We had the need to implement Universal Threat Protection and the configuration of the Firepower system of Cisco was more complicated than the integrated policy configuration of Check Point.

The setup is straightforward. The documentation is very good.

We have implemented it completely in-house.

ROI is really hard to pinpoint. However, if we were using another security solution, our personal efforts to maintain it would double.

It is very hard to compare different firewall solutions and get a comparable price. Check Point tends to be very expansive, however, if you have a deeper look at other vendors, the costs are almost the same.

Due to the good integration and central management, Check Point is easier to maintain than other solutions.

In addition, there are good small office boxes from CheckPoint with a very good price - the features of these boxes are enough for small enterprises or branch offices.

We have evaluated Cisco Firepower and the FortiGate firewall solutions in the past.

We use Check Point NGFW mainly for a perimeter firewall for ingress and egress traffic control, firewalling, but we also use a lot of other functions within the NGFW capability.

Check Point NGFW provides a bunch of different products or Blades, as they call it in Check Point. The firewall engine is what we use the most but we also use the IPS IDS and Anti-Bot features. The solution provides many features.

The management of memory in the hardware needs to improve. They have had a lot of issues with memory leakage.

I have been using Check Point NGFW for approximately 10 years.

The solution is mostly stable. However, we have these memory issues from time to time, that cripple the performance occasionally, but other than that, they are very stable.

The solution is scalable and it is easy to do.

Overall the technical support is very good. If we have an operational issue, they can sometimes be a bit slow in responding. Other than this, I have nothing to complain about.

I was not around when the implementation was completed but using my experience in these global scenarios, there's always complexity, there probably was some complexity involved.

Check Point NGFW requires security and OS patching, and life cycle management. Every three to five years you need to replace the hardware. We have a dedicated team that does the maintenance of the solution.

It's hard to say exactly how many people are involved in implementing and maintaining the solution because some of the work is outsourced, but I would say it's a team of approximately between 10 and 20 people.

When comparing the price of Check Point NGFW to other solutions it's difficult to compare because even though everything is included in the Fortinet price, there are large differences between the models. You need to go to a quite expensive Fortinet firewall to receive the same throughput and functionality as in a Check Point firewall. In the end, they are quite similar in price, Fortinet might be a bit cheaper.

I have used other solutions, such as Fortinet and Palo Alto.

I'm not sure that there are many differences between Check Point NGFW, Fortinet, and Palo Alto. I haven't used any Fortinet solutions myself, I'm not sure exactly how they work, but I would say that, from a management perspective, both of them are quite similar. Operational-wise, Check Point NGFW is a bit more stable and has a more mature operating system, at least the model that we are using. 

The only difference in functions is how they have branded the firewalls because, in Fortinet, you receive all the functionality for the same price as the firewall itself. Everything is included. However, with Check Point, you buy the hardware separately, and then you buy the different plates that you need and the different licenses for the functions that you need. It's a bit more complex license-wise with Check Point.

When you implement anything in an environment you need to have a good design to begin with, you do not want to have to rebuild it after you have implemented it. It is important to
be thorough in preparations and planning.

I would recommend this solution to others.

I rate Check Point NGFW an eight out of ten.