Check Point NGFW Reviews

What can you do about threats that get past simple packet inspection by a regular firewall? You could have a layer 3 firewall inspect the protocol and block known threats from certain URLs, however, what if it comes from a URL that has not been reported and is a socially engineered exploit designed to hijack your data? This is where a Layer 7 firewall will be able to inspect the application, known as payload inspection.

While this is possible to do with a Layer 3 firewall, it can be difficult due to the number of protocol messages in Layer 7. You would need to create a signature for each application you wanted to protect; however, network signatures tend to block legitimate data and increase your MTTR (mean time to resolve an issue).

Plus, having these signatures makes it hard to manage and keep up with by the IT staff. Relying on the power of AI and the cloud in order to leverage the Layer 7 firewall is key. The advantage of Layer 7 is its protocol awareness, which allows it to differentiate between different network traffic (application knowledge) and not just packets or flows that identify ports and IPs (Layer 3).

Let's say most of the traffic nowadays goes through HTTP, your web browser.

When you browse the web, what do you suspect happens? Your browser sends HTTP requests to servers around the world, and in return, you receive a response. Big data packets originate from business applications as well, such as file transfer protocols (FTP) or web services such as MapReduce or Twitters API. Oftentimes, a breach happens through these protocols, whereby a Layer 3 firewall could potentially let the threat in (such as SQL injection by default) without explicitly denying these requests.

The solution's best features include:

• A packet-filtering firewall that examines packets in isolation and does not know the packet's context.
• A stateful inspection firewall that examines network traffic to determine whether one packet is related to another packet.
• A proxy firewall (aka application-level gateway) that inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
• A Next-Generation Firewall (NGFW) that uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.

One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.

I've used the solution for four years.

We did not previously use a different solution.

The costs involved depend on your needs and budget.

We did not evaluate other options.

We use five NGFWs for four of our sites, with our primary site having an active/backup HA pair. All sites are running anti-virus/malware/bots as well as HTTPS Inspection, IPS/IDS, threat emulation, application filtering, and identity awareness. These are our first line of defense at the perimeter of our network and we have seen a decrease in the number of detections on our endpoints. We've also implemented these firewalls to handle our external VPN connections from remote clients. We've had a few small hiccups, however, there was nothing Check Point support wasn't able to resolve.

This solution has improved our organization by allowing us to use one management point where everyone can see the current state, future changes, and logging for our perimeter. We've been able to streamline our staff to use one primary and two backup users for support. Previously, we did not have a good way to allow Remote Users to VPN directly to our network. Once we implemented and worked with Check Point, they showed us what their solution was capable of and worked with us to allow 300 remote workers to connect to our network and share policies. 

We've found threat emulation, application control (with identity awareness), and HTTPS inspection to be the most valuable aspects. It allows managers the flexibility to grant access to high-risk sites based on groups/roles and yet still be protected with threat emulation and HTTPS inspection. We've seen the rate of detection on our endpoints plummet. 

I've found that, over the last 4 years, they have constantly improved the user interface (SmartConsole) as they have moved away from four Control panels for different functions and are constantly adding new features with no impact on our availability during upgrades.

The improvement could come from better monitoring of traffic data in and out of the firewall. I'd also like to see more built-in automation in regards to activity against the firewall to trigger an automatic response for a period of time.

There is currently no way to allow a user to have access for X period of time. I also find that keeping up with the IPS additions to be a three-stage process which includes having to go to email to see new updates, reviewing those updates on the firewall, and then making necessary changes. I would like to see these new IPS updates shown as a notification when I log in (as an alert) so I can review and modify from one pane.

I have been using this solution for four years, however, they've been installed for six years at our company.

In the four years I have worked on the five firewalls we have not had any downtime caused by stability issues. We've had more issues with our ISP/people hitting the ISP equipment, for example there have been three accidents at the near by intersection that has damage the network cabinet or digging has cut the line.

We haven't had any issues where the Firewall has had a memory leak, rebooted, corrupted or had a NIC fail. 

Our team didn't account for a vast increase in workload as new features were added to our firewall (HTTPS inspection, threat emulation, etc.) and therefore we bought the lowest tier for what we thought we would need. We've found that this is a little too strenuous on our gateway and are working on purchasing more powerful firewalls based on the recommendation of our local Check Point engineer.  

I've always been able to get in contact with Check Point at the right level within their SLA. Everyone has been helpful with tickets requiring escalation.

Positive

I have not been here while a different solution has been used. We do use a separate brand of firewall internally to prevent an exploit against Check Point, allowing someone to penetrate the perimeter and the internal firewall containers.

I was not involved with the initial setup. That said, I have brought up three new sites, and adding a new firewall to our infrastructure has gone off without a hitch.

We handled the implementation in-house.

Check Point Firewalls are more expensive from what I have seen compared to the competition and the yearly licensing does periodically increase. We've seen an increase of 8% over one year (new features were wrapped into the license). 

I was not involved with the evaluation process; I was told that Cisco Firewalls and SonicWall were evaluated at that time.

You're paying a premium price, for what is a premium product and support. I have opened several tickets with their support team and have had excellent service each time.  

Several enterprises, from financial institutions to hospitals, use this product mainly as edge solution. In most cases, the setup was based on a redundant configuration. Other cases which have been rolled out are based on smaller devices in office locations and larger devices in the central datacenter of the customer. As an MSSP we trust the reliability of the solutions, since we cannot risk having our reputation being harmed. Our team is perfectly able to manage the devices on a day by day basis using the central management solution.

The tension of being well protected from the outside world has decreased due to the sturdiness and reliability of the solution. 

Results are predictable and managing everything is easy with the right tooling. The management solutions are easy to use and make it possible for our administrators to manage numerous amounts of devices in one console. 

Software updates/upgrades contain valuable additions and it is clear that Check Point has the right focus on the requirements of what should be added as functionality.

Trustworthiness and stability are the key aspects when looking at these products. 

The up to date-ness of the threat intelligence and the underlying network of devices adding value to it is good. 

With many of their own investigators adding their findings to the threat database, Check Point has become a leader in having their product in the higher ranks of the spectrum of efficiency. 

The different hardware models focus on a wide spectrum of the market, so any company can choose a model that makes sense for them from the range.

The world is changing rapidly, and even though Check Point is delivering security solutions on many levels such as endpoints, cloud, and on-premise. 

A more centric solution would be preferable. They should take all existing products and make them a part of a suite that is easily manageable from one platform. This would leverage the use of the different products since no administrator wants many interfaces to manage the complete environment. 

Pricing needs to be lowered from start, this would be more effective than lowering it during negotiations.

We've used the solution for more than 10 years products and have been delivering the solution to our customers.

The product is very stable.

The solution is less scalable when using hardware-based solutions. Especially the smaller models have limited possibilities to expand on port / performance level. Both issues can be resolved using the Maestro solution, but that is limited to specific models.

Technical support is very good and easily accessible.

Positive

We previously used Cisco and Fortinet. Check Point is a long-lasting vendor that we use, based on trust.

The initial setup is pretty straightforward, especially when working with preset best practice profiles.

We handled it on our own. 

In the end, the ROI is good once a company knows the protection level on offer.

Pricing and licensing are not the best within the market. That said when you get to know the products they offer you will be happy to pay a bit more.

We also looked at Palo Alto previously.

We use Check Point firewalls to secure our internal network from the outside world and to provide a good, comfortable, and secure environment for our employees.

We have various models from the R80 series, such as the R80.10 and the R80.30.

Before, we were using firewalls from Palo Alto. The benefit of the Check Point firewall is that it has more security features. It has antivirus signatures and additional features for which we should require additional hardware devices in the firewall. It also gives us a central management system, which was not present in the Cisco ASA.

Check Point's Next Generation Firewall has many good features. It has a central management system, and that means we do not have to go to each and every firewall to configure it. We can manage them with the central device. 

There are also additional features, compared to a Layer 4 or Layer 3 firewall, such as AV signatures and devices, which are very helpful for securing the company's network.

The only thing which I think should be improved is that training should be increased. In my position I also interview potential employees and I haven't found many people in the market, nowadays, who are familiar with the Check Point firewall. They are more familiar with Palo Alto and Cisco ASA and they are more comfortable with them. Check Point is one of the good firewalls and training should be increased by the company so that more people are familiar with it and with their switches.

I have been using Check Point's firewalls for the last three-and-a-half years.

The stability is very good. The updates we get for the antivirus and the URL filtering sites are also very nice and happen very often. That is a good thing because there are various new attacks coming out but we get their updates on time. 

In terms of the scalability, it is very easy to extend the utilization of Check Point firewalls. We did so in the past. We extended our environment in our organization and it was very easy to extend it.

We have around 4,000 to 5,000 people who are using the Check Point firewalls directly or indirectly. They are passing their traffic through it. Expansion of our usage completely depends on the organization. If they want to do so they will tell us and, if that happens, we will definitely go for Check Point firewalls.

We have used Check Point TAC to resolve our issues. We have had good support. They have good engineers there.

We were using Palo Alto and Cisco before and we replaced them with Check Points.

We used Palo Alto in a  few of our sites, but we found Palo Alto was more expensive and its updates and services were also more expensive compared to the Check Point firewall.

Cisco is a very basic firewall in the market, and it has a limited set of features, compared to Palo Alto and Check Point. Palo Alto has rich features, but it is one of the more expensive firewalls in the market. The Check Point firewall is not too expensive, but it is also a third-generation firewall.

The drawback of the Check Point firewall is the lack of training materials. That should be increased.

We have a team of seven to eight people who have all installed and configured environments so the initial setup, for us, was a very straightforward process. And these are the people who handle maintenance of the firewall and manage it, during different shifts. They are all network engineers.

It took us between nine and 12 months to do the implementation. We have Check Point hardware so we followed the recommended, three-level architecture, in which there is a SmartConsole, the hardware security gateway firewall, and the central management device.

The pricing is good. It is less than Palo Alto's firewalls. Check Point has the same features as Palo Alto, but the licensing and cost of these firewalls are not too expensive. It is one of the best firewalls in the market in this range.

Check Point firewalls have many features. Before configuring it in an environment, you should know each and every feature of the firewall. You should also follow the three-level hierarchy which is recommended by Check Point.

There are a few add-on features for Check Point firewalls. I only learned that by using the firewalls. I'm very happy with the way Check Point is progressing. They continue to work on their firewalls even after making their name. That is something we should follow in our lives as well: Once we have made our name, we should not stop there. We should further build the reputation of the company and product.

We are very happy with the Check Point firewalls. The only thing missing, as I mentioned earlier, is that training should be increased for the firewall by the organization. Otherwise, we are very happy with investment in this solution.

*Perimeter Firewalls - to protect regional hubs and local offices from public space and provide L3-L7 filtering

*Internal Segmentation Firewalls - to secure company's internal network from movement of malicious actors and reduce traffic flows only to authorised ones

*Public and Private Cloud - to secure hybrid environment either onprem or in the cloud while achieving micro segmentation per host

*Cloud Compliance - to get a visibility into cloud environment and and related vulnerabilities 

*Data Center

*SaaS

Check Point is able to satisfy almost any security tool for enterprise clients. This allows us to deploy complex changes from a single management interface, get better visibility, and significantly reduce operational complexity.

I have to emphasize the value of Diamond support here where most senior engineers can provide great support with any challenges. Thinking out of the box, sense of responsibility, professionalism and much more - such an attitude helps to provide resolution to any crisis in the shortest term

With the new capabilities embedded into R80.XX flavor it is possible to achieve great flexibility while defining your security policy. It is possible to utilize a variety of objects to define static or dynamic criteria for inspection and reduce general rule base size and complexity, while not giving up on security

The security research team is doing a great job staying on top of ongoing threats and releasing fixes for ongoing attacks within days or sometimes hours.

Check Point always actively listens to its customers trying to identify emerging needs and satisfy them pro-actively

I would like to see an improvement of built-in monitoring capabilities such as throughput. Practically visualization of CPview outputs into beautiful pink GUI will do it. 

The monitoring of scalable solutions is quite tricky, but it could be relevant for all vendors who possess the same technology.

IPS fine-tuning may require some time to understand the interrelation between IPS protections, core Protections and other IPS profile elements. But in general, Check Point is on the way of great simplification of TP management

Check Point products are being in use for the last 6 years.

The solution is used to provide firewall security to cloud integrations.  

The spoofing prevention feature is the most valuable feature.

The solution provider needs to upgrade the IPSec VPN port because VPN branch-to-branch configuration can be easily implemented at our company, but several difficulties arise in a cloud environment like AWS or Azure cloud. The aforementioned cloud providers often need to create VPN interfaces, but in a few cases, these teams don't have the knowledge for configuration or IP points; their knowledge remains limited to the architecture of the clouds on a networking level. 

In future releases of the solution, a remote access VPN feature should be added. Our organization expects the aforementioned feature because we have a secure validated configuration in our remote access VPN, and the feature would allow easy configuration.

For instance, if a customer wants to connect a VPN to a particular domain laptop, our company can integrate the domains with our network's remote access VPN, but the user is unable to connect with other personal laptops.

I have been using Check Point NGFW for five years. 

I would rate the stability of the solution as seven out of ten. The tech support is not operational sometimes, and in a few cases, the tech team of the vendor is unable to provide support with a proper explanation or resolution. Check Point NGFW fails to provide workarounds for certain issues and thus leads to huge time consumption for a single task. The support team of Check Point NGFW on a few occasions takes five to ten hours to resolve an urgent VPN issue which impacts the stability. 

At our company, if we raise an RMA for Check Point NGFW, it takes immense time, which is around 15 to 30 days, to obtain the box, whereas other vendors offer it within five to seven business days. Due to the aforementioned issue, our organization needs to implement a test device on the environment and purchase temporary licenses for that device so that the customers in a stand-alone environment can access the internet. 

In Check Point NGFW, sometimes the logs consume excess storage, and even the storing or indexing process is not implemented correctly. 

I would rate the scalability a seven out of ten. 

Support is available for Check Point NGFW, but the support team, in most cases, is unable to provide an effective and on-time solution after collecting logs. I would rate tech support a seven out of ten. 

Neutral

I worked with Palo Alto previously before transferring to Check Point NGFW. I wanted to learn about Check Point NGFW in-depth as it's considered a difficult solution compared to others, so I ventured into it. 

In our company, we have the option for both cloud-based and on-prem deployment of the solution. The management server integration is different for the aforementioned options. If the traditional management server is present locally, in that case, at our company, we are using the solution for integration, but if a cloud is involved, some keys need to be integrated with the cloud management to let the firewall have internet access. 

Almost every time when the management server reaches or expands to another country in our organization, we face difficulty with integrations. The deployment time of Check Point NGFW depends upon customer requirements, but it takes approximately 15 to 30 days. More feature integrations demand the involvement of more teams in the deployment process. In my area of business, about 50 to 70 customers are using Check Point NGFW. 

If the solution is in a cluster environment, a maintenance window is not required and most of our customers are using the solution in a clustering or stand-alone mode. 

It's an expensive solution. 

Most of our organization's customers are using Check Point NGFW for networks, as enhancing the firewall's performance is not required; if the firewall goes inactive, total protection decreases. Our organization's customers don't want to depend on any particular product and are thus investing in multiple security products. 

On a few occasions, integrating a RADIUS configuration with Check Point NGFW has been difficult because some versions are not supported. I have also faced trouble regarding authentication when integrating Check Point NGFW with Azure EAD. 

Recently, Check Point NGFW has been integrated with zero-threat AI security features. In our organization, we are installing the solution on the Blade architecture, where the aforementioned features function well enough. I would recommend Check Point NGFW to others. I would rate Check Point NGFW overall a six out of ten. 

The primary distinction between an NG Firewall and a traditional firewall lies in their configuration flexibility and scalability. Regarding options and features, the spoofing functionality in Check Point has been instrumental in enhancing security in our critical environment. It plays a crucial role in securing our internet connectivity.

Its functionality is highly satisfactory. In the newer Check Point version, there are additional features in VPN and IP security that enhance tunnel security. This flexibility extends to the Check Point MDM platform, allowing for streamlined management across different domains. In my current client's complex infrastructure, there's often a need to replicate rules from one firewall to another within the same room. With Check Point, it's a straightforward process of creating the rules in one policy and then easily copying and pasting them into other policies.

The log management process in MDS consumes a significant amount of storage, so it would be highly beneficial if there's an opportunity to optimize these logs and save storage space. While it does enhance network security, it tends to consume substantial resources, including CPU, memory, and storage. It could be an exceptionally useful and efficient solution if there were outgoing or AI-driven algorithms to streamline log management and periodically delay the logs.

I have been working with it for almost four years.

Regarding stability, I would rate it seven out of ten. While there have been occasional issues like false positives and blocking misreads in my NGFW, overall, it's a good product.

In terms of scalability, I would rate it seven out of ten.

The level of support provided depends on the specific contract. With a premium contract, it gets you treated as a top-priority customer, and they respond promptly, making every effort to find solutions. If you have a standard support contract, your experience might be more like that of an ordinary customer. In general, I've found them to be helpful, and I would rate their support six out of ten.

Neutral

I was working with Palo Alto for a couple of years, and I found their data protection functionality to be particularly interesting. I believe this feature is quite innovative and that other vendors should consider taking inspiration from it.

When it comes to the setup process, I've noticed that publishing and informing policies in different steps can be a bit complex. The typical sequence of publishing policies, configuring them, and then deploying them to the firewall can feel suboptimal at times. There are situations where an immediate policy installation is needed and it would be beneficial if there were options to install policies directly before the publishing step. Overall, the setup process is not overly complex, but it's not as straightforward.

When it comes to the quality-price ratio, I've found that Check Point offers a competitive balance in the market. I would rate it four out of ten.

I would rate it six out of ten.

Check Point NGFW proved to be highly scalable, secure, and stable, among other alternatives of multiple firewalls present in the market.

At an organizational level, the integration and implementation of Check Point NGFW took place on a priority basis due to data and system security concerns against malware and phishing attacks.

Check Point NGFW bifurcates, channels, and segregates the internal network and builds a secure VLAN, and separates it for every department.

Check Point NGFW is highly scalable and provides end-to-end resolution and customized productive service making Check Point NGFW more promising and user-friendly than its alternatives and services like navigation, control, and filtering ensure that all users stay connected to business applications and restrict traffic.

At the organizational level, the integration and implementation of Check Point NGFW took place on a priority basis based on our data and system security concerns about malware and phishing attacks.

Check Point NGFW bifurcates, channels, and segregates internal networks. It builds a secure VLAN and separates it for every department.

It's scalable and provides end-to-end resolution. It offers services like navigation, control, and filtering and ensures that all users stay connected to business applications while restricting traffic.

Check Point NGFW is great for data and system security management against malware and phishing attacks.

Check Point NGFW Firewall requires frequent updates to build more user-friendly dashboards. They need to begin the implementation of more active VPN support.

A few services of Check Point NGFW require immediate improvements, like the customer support portal and the ads management on the platform. These services need to be improved to help ensure mass adoption of Check Point NGFW.

Check Point NGFW Protects from all types of internal and external attacks, and it is easy to use. 

The integration of Check Point NGFW in my organization has taken about 1.5 years or so, and it's still going smoothly.

I haven't gone through any other platforms or solutions. However, these platforms have become a key part of our organization & work management.

Check Point NGFW is a highly scalable and secure solution that is user-friendly. It is up to the mark in terms of data and system security management. Potential users should just go for it. 

I haven't personally evaluated other solutions via reviews from some software review websites.

Go for Check Point NGFW. It's the best among market alternatives and is a must-have solution for professionals.