Check Point NGFW Reviews

We are using this product as a firewall which does have the capacity to block the IPS signature as well. 

It is highly accurate for the IPS engine and has the best-in-class log monitoring and report generating facility in the firewall. 

It is easy to manage, as it has a centralized management console. We are using the firewall as a VPN service as well. It is very easy to troubleshoot the issue with the VPN. We are using IPSEC features where we can enable tunnels with the client and we can safely communicate with vendors due to encryption.

Checkpoint NGFW improved the security posture of our network infrastructure to the point where we can use antivirus, IPS, and antibot features to tighten up the security. We can also use URL filtering where we can block malicious URLs in communications. We can easily stop and detect Day-Zero attacks. 

The throughput of the firewall is very big for data transitions. The antivirus also includes DPI (deep packet inspection), which examines the data within the packet itself rather than only looking at packet headers. This enables users to identify, categorize, or block packets with malicious data more effectively. 

The IPS feature is the most valuable feature. We can block zero-day attacks within stipulated time intervals. The up-gradation activities are much simpler when we are dealing with Check Point firewalls. 

If there is a critical issue observed, the Check Point support team can create a custom package that we can deploy on the gateway to mitigate critical issues/bug fixes. 

The support reachability is very promising, as we can directly connect with them via call or chat from the support portal.

Sometimes the KB article does not include all the steps. There is a chance for improvement in the content of global KB articles. It's nearly impossible to add an exception for threat prevention services - such as antivirus and anti-bot. You will be stuck with Indicators of compromise marked as detecting only, caching issues, and random effects. There is no clear way to report incorrect classification to support. 

Sometimes we need to find a resolution by ourselves as the solution's knowledge base is not enough.

I have been using this solution for five years.

The stability is good.

We can easily scale the gateways with a few simple clicks. 

Technical support is great.

Positive

We did use a different solution. Check Point provides better visibility where security is concerned. 

The setup was very straightforward

We can implement it by ourselves.

The ROI is double annually.

It is pretty cheap as far as the setup cost, pricing, and/or licensing are concerned.

We looked at Palo Alto firewalls.

We are using the Check Point firewall for our perimeter security.

The security solution works as well on-premise and in the Azure Cloud. We are using central management to configure the security policy of both gateways.

We are also using a Site2Site VPN for connecting our locations. This VPN is also realized with the same firewall systems.

In order to simplify the process of generation reviews of actual security incidents, we have implemented SmartReport for generating automated and special customized security reports for our documentation department.

Since the security policy of all firewall gateways can be defined centrally on the Check Point firewall management server, it is a lot easier to generate a secure and safe policy for all locations.

Since we can define policy operators for dedicated traffic selections, some of the lower IT staff can easily allow or block services or servers or create their own policy without interfering or compromising the rest of the security policy.

This makes the administration and coordination of the policy a lot easier for us

Since the log files of all services are collected on the management server there is an easy and good view of all actual connections, attacks, or security risks.

In addition, when using the SmartEvent software blade, you get the possibility to have an easy to configure event correlation system, which will automatically fire mail alerts or can even block IP addresses if there are network or security anomalies detected on the firewall system.

This is also possible if the services are allowed - for example, if there are flooding attacks on server systems.

For example, this has prevented our Citrix Netscaler from being taken down during attacks.

Although there is a lot of automation and pattern that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions, however, it can still be made a little bit better. 

For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).

The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.

Since attackers also use these clouds, there is a problem in getting your security definitions to work.

Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.

There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.

I've used the solution for more than ten years.

We do not have any problems with stability.

There is a hardware solution for every type of throughput. It is very good that in the datasheets you get the throughput of the different types of network traffic.

It is better not to choose solutions bigger than needed, or to have some resources left over.

Most of the support calls are answered very quickly. However, if you have a problem and you have to get development involved, the response gets slower.

Most of the time, you will find all necessary information in the Support Center or on the collaboration sites.

Neutral

We were using Cisco firewalls before. We had the need to implement Universal Threat Protection and the configuration of the Firepower system of Cisco was more complicated than the integrated policy configuration of Check Point.

The setup is straightforward. The documentation is very good.

We have implemented it completely in-house.

ROI is really hard to pinpoint. However, if we were using another security solution, our personal efforts to maintain it would double.

It is very hard to compare different firewall solutions and get a comparable price. Check Point tends to be very expansive, however, if you have a deeper look at other vendors, the costs are almost the same.

Due to the good integration and central management, Check Point is easier to maintain than other solutions.

In addition, there are good small office boxes from CheckPoint with a very good price - the features of these boxes are enough for small enterprises or branch offices.

We have evaluated Cisco Firepower and the FortiGate firewall solutions in the past.

We use Check Point NGFW mainly for a perimeter firewall for ingress and egress traffic control, firewalling, but we also use a lot of other functions within the NGFW capability.

Check Point NGFW provides a bunch of different products or Blades, as they call it in Check Point. The firewall engine is what we use the most but we also use the IPS IDS and Anti-Bot features. The solution provides many features.

The management of memory in the hardware needs to improve. They have had a lot of issues with memory leakage.

I have been using Check Point NGFW for approximately 10 years.

The solution is mostly stable. However, we have these memory issues from time to time, that cripple the performance occasionally, but other than that, they are very stable.

The solution is scalable and it is easy to do.

Overall the technical support is very good. If we have an operational issue, they can sometimes be a bit slow in responding. Other than this, I have nothing to complain about.

I was not around when the implementation was completed but using my experience in these global scenarios, there's always complexity, there probably was some complexity involved.

Check Point NGFW requires security and OS patching, and life cycle management. Every three to five years you need to replace the hardware. We have a dedicated team that does the maintenance of the solution.

It's hard to say exactly how many people are involved in implementing and maintaining the solution because some of the work is outsourced, but I would say it's a team of approximately between 10 and 20 people.

When comparing the price of Check Point NGFW to other solutions it's difficult to compare because even though everything is included in the Fortinet price, there are large differences between the models. You need to go to a quite expensive Fortinet firewall to receive the same throughput and functionality as in a Check Point firewall. In the end, they are quite similar in price, Fortinet might be a bit cheaper.

I have used other solutions, such as Fortinet and Palo Alto.

I'm not sure that there are many differences between Check Point NGFW, Fortinet, and Palo Alto. I haven't used any Fortinet solutions myself, I'm not sure exactly how they work, but I would say that, from a management perspective, both of them are quite similar. Operational-wise, Check Point NGFW is a bit more stable and has a more mature operating system, at least the model that we are using. 

The only difference in functions is how they have branded the firewalls because, in Fortinet, you receive all the functionality for the same price as the firewall itself. Everything is included. However, with Check Point, you buy the hardware separately, and then you buy the different plates that you need and the different licenses for the functions that you need. It's a bit more complex license-wise with Check Point.

When you implement anything in an environment you need to have a good design to begin with, you do not want to have to rebuild it after you have implemented it. It is important to
be thorough in preparations and planning.

I would recommend this solution to others.

I rate Check Point NGFW an eight out of ten.

We used this firewall to replace a faulty Cisco 2500. The main solution needed packet filtering and port restriction. We found the functionality handy for filtering email spam. There's a helpful API embedded in the device. 

The online version of the documentation is well written.

The speed of the device is really impressive as it is able to process 1.8 GPS, which is a big improvement over the older device.

The delivery time was really fast. With the help of the reseller, we got the device in less than three days.  

As a replacement for an old solution in the office, we were not expecting big improvements with the firewall. However, we had noticed an improvement while we added rules into the system. The new GUI is really nice and easy to use.

We are now able to use infrastructure as a code and add the firewall into the pipeline with terraform as a controller and everything works really well. 

The API is handy and we are now testing how we can add rules via code. Also, the GUI is easy to use.

The Terraform module for Check Point is complete and really useful for managing the firewall.

Mail filtering is a really good feature that we are implementing for scam protection. 

The graphic interface is really easy to use and easy to teach to other members of the team.

The online documentation is complete and easy to read and understand.

The 3-year warranty offered is nice to have with no extra costs needed from us.

The exterior of the physical device can be improved with the use of a display and not just simple lights.

All the physical devices located in the rack are similar, Just a box with some small lights that does not provide too much information. 

For. me as a final user I will be happy if I can get a display that can show the error code when is a failure and not a simple  red led (This is the common practice). 

I just want more information when I'm on front the device. i know always can walk to my desk and check the GUI with the documentation and the information required. 

I've used the solution for three months now.

I have not had any issues since the moment of installation.

Users get a really nice performance in the order of 2.5 GPS.

Technical support is excellent. I do not have any complaints.

Positive

Yes. We used to use a Cisco 2500 and a Fortinet 110C. 

The Check Point device is better and the speed is superior.

We got full support from the provider and the manufacturer.

The vendor did all the migration in just a couple of hours.

I'm not involved in finance. I can't speak to any ROI.

I was not involved in the pricing; I was only involved in the installation and use it regularly.

The provider offers us the device in three days with the support to import the existing rules and make the migration. We didn't evaluate anything else. 

I really love the device and would choose it over the Cisco and the Fortinet 110C.

We use this solution as a layer 3/4 firewall deploying access rules in our DMZ. We have more than six different centers with different service layers, a core of up to 500Gb per site, and other service centers providing security for all inbound and outbound connections.

VSX gives us the capacity to consolidate hardware in fewer devices, reducing the OPEX, and creating different VFWs to provide service to different environments or services.

Layer 7 features allow us to upgrade our security services. Activating the required features only requires upgrading the license.

This product has provided us the total control of our connections in our very bandwidth and session-intensive environment. It offers high capacity on NAT tables that, with other vendors, needed to use really huge devices to support.

We can control all of our international connections in a central point with a distributed cluster in a very easy way and with good performance.

The layer 7 features (AV, IPS, Web filtering, etc) and integrations with AWS provide us a clear point of management for future deployments on the cloud.

The packet inspection capabilities are great.

ARP protections based on interface works better than it does with other vendors.

There are new improvements related to the upgrade of the solution, making for the easiest upgrade/update procedures.

New features allow for concurrent use of the console in write mode between different users.

The exposed API allows us to automate a lot of actions in a very easy way.

The central console and log collector are basically the best central management consoles, and each day provides new useful features like counts, etc.

There are issues with stability in some specific versions.

The VPN is a little difficult to configure, and sometimes you need help from Check Point professional services.

There are some performance problems with the IPS when the FW is in a high load, but in general, it is working better than in previous versions.

The routing is configured on the gateway, so, you need to remember for migration purposes.

The virtual infrastructure of the central management requires a huge amount of resources to work properly and manage all the logs without problems.

I have been using Check Point NGFW for more than 10 years.

In general, this is a very stable solution. We have had only one incident in the last few years that was with the size or the route tables in memory that finally it was discovered that was a bug in a specific version and was solved upgrading the devices to new firmware that solved the bug

This product is very scalable. There are a lot of different virtual and physical devices to cover any requirement in terms of sessions, performance, etc.

We are very happy with the support. They are very skilled engineers and always fast at analyzing and solving issues.

We did you another solution, but we switched due to prices and solution stability.

The initial setup is not more complex than other solutions.

Was implemented using a third-party vendor.

Our ROI with this firewall is high.

The vendor has a very flexible licensing approach.

Cost per Gb reduced and reduced OPEX compared with other vendors.

We evaluated Fortinet, Juniper, and Palo Alto.

This is a complex solution and there are other vendors that are easier to manage, but it is perhaps the best solution regardless.

I am currently working with Check Point Firewall because most of your customers have it deployed in their networks. Recently, we were involved in a significant firewall micro-implementation for one of our customers. We created configuration templates, specifically for routing and setting up bond interfaces within CheckPoint. These interfaces are similar to Cisco's port channels, where multiple physical interfaces are bound into one. 

I primarily work on the network side, so my expertise lies in configuring and working with firewalls. I have experience in firewall policies and know how to configure them within Check Point, including blocking URLs and specific website categories. However, I acknowledge that there's room for improvement, particularly in areas related to application-level control within the firewall. While I can't pinpoint a specific area for improvement, I am trying to enhance my skills and knowledge in various aspects of firewall management.

I have been using Check Point NGFW for the last 12 months.

During a project where I was working with a customer deploying Maestro in their network, we encountered an issue related to multicast traffic. Check Point's expert team suggested that we install a package called Jumbo Hotfix inside the Check Point, which resolved the problem. Overall, despite this issue, Check Point NGFW is a stable product with minimal encountered bugs.

Check Point is a stable product, but when compared to other vendors like Palo Alto and Fortinet, I'd recommend going with Palo Alto. Palo Alto is a more stable and robust firewall solution than Check Point.

The deployment of Check Point was straightforward. In the Azure cloud environment, it took approximately thirteen minutes to complete the deployment, while on-premises, the initial setup was relatively easy and not complicated. I have deployed Check Point both on-premises and in the Azure cloud. The deployment in Azure took place around four months ago for a customer's proof of concept (POC). The primary reason for this deployment was to address the customer's VPN subnet limitations with Azure VPN. I suggested that moving to a cloud-based CheckPoint solution would provide better VPN connections without IP subnet limitations. In the Azure deployment, I created a hub and VPN and deployed two CheckPoint instances, not just one. To manage these instances, I used a load balancer within the Azure network.

Regarding firewalls, my role primarily involves designing and deploying them, then handing over the management to the operations team. While I find the deployment process relatively easy, the issues the operations team faces later on can impact my perspective. I'd rate Check Point a 7 out of 10. The ease of deployment is a plus, but we've encountered some problems with Check Point, particularly related to documentation. Compared to vendors like Cisco and Juniper, the quality and comprehensiveness of the documentation could be improved.

We have deployed this product for the protection of our MPLS connection between 20 geographic distinct sites, two data centers, and an internet connection.

We are also using the product to establish IPsec tunnels with 5 external entities totally transparent to our users.

We're a new company that started to invest in cybersecurity and protection products and chose Check Point for their cloud solutions that protect a vast majority of our devices. 

We are happy with the deployment of the product and the ease of use.

Since the deployment and go-live of the solution, we noted a rise in productivity of some people, we think it has to do with the deployment of the application control and web filtering capabilities of the product.

We're also happy with the deployment process and the help that the Check Point partner provided in the initial configuration of the product. 

Our users also noted more speed on the internet connection, as I said probably because of the block rules implemented with the features mentioned above.

I have to say that it was Application Control and web filtering are excellent. We knew we had users watching videos and using not approved apps yet didn't have a way to centrally block them. With NGFW we do and we can set up profiles/groups of users with different permissions which allow for example IT to have media streaming access and "regular" users don't.

Also having a VPN concentrator on the same device is a plus since made our user management with Active Directory connection a lot easier and faster.

We're a new company so regarding additional features we can name only a few, for example, a better API for extracting data so that we can integrate with our monitoring solution, at the moment we use Nagios/Icinga.

It would be nice if there is a mobile-friendly console for our techs so that they can help users when not at their desks since they do frequent external work.

Better connection between the legacy console and the new one since we have a company that still uses an on-prem device and we have to use two consoles.

We've been using this product for one year.

We didn't use a previous solution. 

I'd advise others to read the license differences and features.

We've evaluated Fortinet and Forscout products.

The primary distinction between an NG Firewall and a traditional firewall lies in their configuration flexibility and scalability. Regarding options and features, the spoofing functionality in Check Point has been instrumental in enhancing security in our critical environment. It plays a crucial role in securing our internet connectivity.

Its functionality is highly satisfactory. In the newer Check Point version, there are additional features in VPN and IP security that enhance tunnel security. This flexibility extends to the Check Point MDM platform, allowing for streamlined management across different domains. In my current client's complex infrastructure, there's often a need to replicate rules from one firewall to another within the same room. With Check Point, it's a straightforward process of creating the rules in one policy and then easily copying and pasting them into other policies.

The log management process in MDS consumes a significant amount of storage, so it would be highly beneficial if there's an opportunity to optimize these logs and save storage space. While it does enhance network security, it tends to consume substantial resources, including CPU, memory, and storage. It could be an exceptionally useful and efficient solution if there were outgoing or AI-driven algorithms to streamline log management and periodically delay the logs.

I have been working with it for almost four years.

Regarding stability, I would rate it seven out of ten. While there have been occasional issues like false positives and blocking misreads in my NGFW, overall, it's a good product.

In terms of scalability, I would rate it seven out of ten.

The level of support provided depends on the specific contract. With a premium contract, it gets you treated as a top-priority customer, and they respond promptly, making every effort to find solutions. If you have a standard support contract, your experience might be more like that of an ordinary customer. In general, I've found them to be helpful, and I would rate their support six out of ten.

Neutral

I was working with Palo Alto for a couple of years, and I found their data protection functionality to be particularly interesting. I believe this feature is quite innovative and that other vendors should consider taking inspiration from it.

When it comes to the setup process, I've noticed that publishing and informing policies in different steps can be a bit complex. The typical sequence of publishing policies, configuring them, and then deploying them to the firewall can feel suboptimal at times. There are situations where an immediate policy installation is needed and it would be beneficial if there were options to install policies directly before the publishing step. Overall, the setup process is not overly complex, but it's not as straightforward.

When it comes to the quality-price ratio, I've found that Check Point offers a competitive balance in the market. I would rate it four out of ten.

I would rate it six out of ten.