Check Point NGFW Reviews

The solution is primarily used as an edge firewall safeguarding any organization or company which are really considering it as their number firewall of choice. In addition, there were also companies that are only using the specific blades, for example, IPS or IPsec, only as their primary solution. It is mostly used as an edge firewall. Sometimes, all security blades are utilized. As a significant part of the whole network infrastructure, Check Point delivers high detection and prevention rates when talking about suspicious and cyberattack types of activities.

Primarily, Check Point played a very vital role in protecting our whole network infrastructure. Having been able to implement such a solution will keep one's organization's security posture well guarded. The best part of Check Point NGFW's operational mechanisms were the Threat Extraction and Threat Emulation blades respectively. The former delivers documents with zero malware in zero seconds and the latter analyzes the original document in an isolated sandbox, identifying unknown threats. 

I'd recommend this kind of firewall for companies considering it since the detection rate for any cyberattacks/suspicious activity is very high (more than 90%).

Check Point NGFW has all the security blades a certain company would want to implement for a network firewall facing the public internet. The upsides of choosing this kind of firewall are traffic acceleration, core acceleration, and interface acceleration which would help in maintaining smooth sailing activity, giving administrators less dilemma. 

Administrators always find it hard and disturbing when such a network bottleneck occurs spontaneously out of nowhere. With that said, Check Point still ranks first among other vendors.

It would be best if the security management server console access is simpler for ease of management. System administrators find it really difficult for the management settings to incorporate easily. Most administrators nowadays are looking into something that offers easy access to a management console or GUI. 

I could not think of other areas for improvement. This is the firewall that I liked the most among other vendors in the market. It's by far the best firewall in the security industry.

I've used the solution for three years already - since the start of my Network Security Engineer career.

Stability-wise, it is perfect! 

When you perform sizing, make sure that the necessary scalability is considered. There's no going back when things like this are compromised.

Lately, Check Point support is nowhere to be found.  We are always attending other customer sessions when, in fact, support is needed for a P1.

Neutral

Mostly, they are the Gartner leaders for NGFW. A switch was made when customers found the solution more secure per doing the proof of concept.

I could say that it is complex even though they are already CCSE and Check Point Expert. There is no way I could find its management easy to use.

We handled the setup in-house.

That there is a money-back guarantee for their business. A business being secured is a business of high return.

There are a lot of evaluations to be done prior to choosing the solution. It caught the customer's attention when the threat extraction/emulation blade really did well during the proof of concept activity.

So far I have mentioned all the things needed to be given importance with regard to an NGFW solution.

I have used this product in chemicals, insurance, and industrial sector companies.

The primary use case is to secure the inbound and outbound traffic and secure the DMZ servers. We use this solution for Remote access VPN (on smart view event can see reports more granular level) and IPSEC VPN for using the applications hosted on Public cloud and integrate the customer 3rd parties vendors. 

Using threat prevention helps in securing the customer environment from cyber attacks, ransomware, malwares etc. We use the Sandboxing features to protect the network from zero-day attacks

It improved the performance of the network on large scale. 

It's easy to use and configure. We can build the new firewalls with minimum effort. 

It's easy to upgrade the device. 

You can van view the device health on the smart view monitor and smart event monitor at a more granular level. We're achieving great performance using the latest quantum gateways. You can see the real-time logs on the management and also can configure the logging in redundancy mode. 

Using TCPDUMP, a firewall monitor, and firewall zdebug drop, you can troubleshoot the real-time issues.

We like the SecureXL, CoreXL, and Multi-que.  Using these features improved the performance of the gateway at a more granular level.

The Smart View Event monitor is great. You can see the real-time events on the firewall - including remote access VPN usage.

The smart licensing is great. It's easy to generate the license and apply it on the gateways.

The solution offers very good anti-virus and anti-spam capabilities. It's good security on the network.

Threat Prevention and Sandboxing are useful to have. We're protecting the network from zero-day vulnerabilities and securing the network from the latest cyberattacks.

Pricing for the gateways is too high as compared to the other vendors.

Whenever there is any issue comes checkpoint support ask to keep the gateway on the latest hotfix and OS which is difficult to roll out on all the gateways present in the customer environment.

I am using this product for more than five years.

We can achieve great stability using Check Point Quantum Gateways which improves the performance of the network.

We can achieve great scalability using Check Point Quantum Gateways.

We did not use a different solution. 

The initial setup is straightforward.

We did not evaluate other options.

The solution is primarily used for firewall protection for an enterprise environment, The Check Point firewalls are implemented on the perimeter (DMZ) and Secure Access Domain (SAD) environments. 

We use physical VSLS clusters but have many virtual systems (Vsys) configured for different sub purposes. The Entire management domain is protected by Check Point firewall virtuals running on multiple physical boxes.

We have multiple virtual routers configured on the physical firewalls which connect L3 connectivity to other domains. The Perimeter DMZ firewall protects the boundary zone Environments 

Check Point firewalls have helped our organization to securely promote the traffic flow in a secure way that is fast and swift.

There's faster identification of customer traffic issues identifies via a smart view tracker and centralized management of rules. It has an ease of access policy and a human-readable format.

We have multiple virtual routers configured on the physical firewalls which connect with L3 connectivity to other domains. The Perimeter DMZ firewall protects the boundary zone environments.

Dashboards for rules management and trackers for firewall logs capture are useful.

Traffic flow in Check Point is very structured so that it is easy to understand the path it checks to understand which elements come first and which elements come later.

The smart log compiles from multiple CMAs is an important feature that is very attractive. 

The MDM dashboard is very organized compared to other vendors. The use of CLI tools like TCPDUMP and FW monitor are very useful in verifying the traffic logs.

Objects search and tracker logs are useful.  

To combine CLI routing and GUI application in a way that both interact together would be ideal.

The pricing could be better. In general, the Check Point solutions are not cheap, however, you could try to negotiate on the overall contract, especially if you are purchasing a lot of hardware.

In the CLI, while viewing configs, there is no easy way to snapshot configs. 

I've used the solution for more than 15 years.

The product is very stable.

The solution is scalable.

Technical support is super.

We switched from Cisco to Check Point. Cisco was CLI-based and cumbersome with rulesets.

The setup is straightforward as there are many videos available on the net to practice with.

We had vendor involvement.

It serves the purpose and primarly gets the best output.

The pricing is high. In general, the Check Point solutions are not cheap, however, you could try to negotiate on the overall contract, especially if you are purchasing a lot of hardware.

Yes, the vendor ran through the options and based their decision on the company security standards.

We are satisfied with the product and support.

We are a financial institution and we use Check Point as a firewall that is positioned for external connections, like the Internet, leased lines, and site-to-site VPNs for other companies. Check Point protects our mobile applications connected to the internet, as well as the main company website. Some firewalls are positioned on some of our HQs.

We're on version R80.40 (some minor firewalls are on R80.30) and we use 13000, 23000, and 26000 series appliances. We use Application Control, Identity Awareness, IPS, URL Filtering, Anti-bot, Antivirus, Threat extraction, and Threat emulation blades.

I've been in the same company for 11 years, and Check Point has been running in a stable manner for our company's main internet connection (and 7 years before that).

It has protected our main applications successfully without any performance drops, and with its flawless logging capabilities, we were able to pinpoint any issues every time.

The management is also the best among any other firewall, with the convenience to create the objects and rules on the same page. This has helped us save time on operations. We can use APIs to create objects and rules to easily finish some projects.

The best features are the stability and the performance of the firewall and its software blades, simplicity to write the firewall rules on its GUI, and its logging capabilities.

The firewalls are working stably, without any interruptions. As we planned our capacity well, we've never had any performance issues.

The firewall rule writing and object creation are the best and simplest I've seen on a firewall (I've looked at 6 different vendors). I often wonder why the other vendors don't do it Check Point's way.

To see the logs, we can search like a search engine, and we can combine different search strings to pinpoint the interesting traffic.

The product can be improved with fewer hotfixes, and if more generally available jumbo hotfixes were used.

We don't often hit bugs. It's perfectly normal for an NGFW device as other vendors are always fixing bugs too. However, when we hit a bug, the support team recommends some hotfix, and if we upgrade to that, we have to uninstall it before we apply some newer jumbo hotfix. If those fixes were included in a fast manner in the jumbo hotfix (as jumbo hotfixes are tested thoroughly for general availability), it would be ideal.

I've used the solution for 11 years.

Our primary use case is as a perimeter firewall for main and DR sites for a financial institution. It secures Internet access for users through IPS/AV/Threat Emulation/Application control and URL filtering with HTTPS inspection and geolocation restrictions. 

It secures our email and MDM solutions. 

We also use it to create site-to-site VPNs with vendors. Remote access is achieved through the use of a secure workspace and SSL network extender. Securing and inspecting HTTP traffic to our web servers is another important task. 

It secures several DMZs and segregates them from the rest of the network.

We use all of the security features available. 

It has helped us with controlling internet access, securing our external websites, and providing remote access that you can trust (secure workspace). The latter provides with a virtual Windows 7 desktop that only allowed apps can be initiated from. In our case, we launch RDP sessions from secure workspace. 

The latest version of the software is a big win overall, with major improvements in how the rulebase is scanned (it's not the top down classical rulebase checking, but a column based checking) and overall efficiency.

Remote access with a secure workspace provides a clear separation between the client and corporate network. 

Threat Emulation (sandboxing) is great for zero-day malware and it is easy to configure. 

Logging and administration are best-of-breed. You can quickly trace back on all sorts of logs in no time. 

IPS and AV rules are granular and specific for the rules that you need. 

The geolocation feature is good for dropping irrelevant traffic. 

Configuration through SMS is quick and easy. It eliminates administration errors while checking consistency before applying a policy.

I would like to have an improved secure workspace solution for remote access. I hear that the Apache Guacamole solution has been integrated into R81. 

The site-to-site VPN options are numerous, but they can get confusing. Interoperability with other vendors is not the strongest when it comes to setting up VPNs. It's totally different from any other VPN vendors I have come across. 

Improvements are needed in policy backups and reverting to the previous policy. This used to be better in R77.30. 

Policy installation tends to take a long time when the rule base increases in size, which can become frustrating. 

I have been using Check Point NGFW for 10 years.

We have never had any unexpected crashes or issues.

It should scale well as they now support more than 40 CPUs on a single system. 

Our experience has been great, although we don't have direct support. This means that sometimes, it takes a while to get to the bottom of issues.

Check Point is really the best NGFW I have come across and I have worked with many vendors including Cisco, Juniper, and FortiGate. It's a platform that a huge amount of research has gone into over the years. It has a great support community and clear guides to solve all sorts of problems and issues.

I didn't switch to Check Point, as it was always there. We haven't switched away from it over the past 10 years. 

We always need some help on installs or major upgrades. 

We have used several vendors and some are better than others. 

It is difficult to calculate ROI when it comes to security products. 

The hardware cost is not huge, but you need to push for good pricing on software licensing and blades.

Check Point was implemented in the company before I arrived. 

It's demanding for the administrator, as it takes years to get an in-depth knowledge of the platform. Otherwise, it is easy to use from day one.

The role NGFW plays is to protect the organization against Layer 7 network attacks.

The solution has helped us to guard our perimeter security on a wider level. This is not like plain vanilla firewall. We have got a wider visibility with the help of this next-generation firewall; it shows us the traffic flowing across the network and based upon that, we have made the modifications required to restrict access.

Also, the active cluster module has helped us to balance the load during peak hours. Since moving to the active-active module, we have got the much-needed breathing space.

It has helped us to inspect traffic, not only with a limited protocol base but on the application/service level inspection too.

The service base access policy has provided us with a next-level restriction, which wasn't there on old school firewalls.

The integrated threat & anti-bot blade gives us protection from zero-day attacks and these can be blocked using analysis & signature matching.

The integrated intrusion prevention blade not only gives an additional level of security but also cuts down the load to manage an extra device.

The threat emulation blade and user identity awareness feature has helped us a lot in terms of perimeter security and have given us granular visibility of user access.

The integration with third-party vendors is quite easy and well defined, which really helps you with the automation.

The integration of gateways with a centralized managed server gives you full control in a single place.

The setup and implementation are quite easy and the logs and reports are elaborative and effective for securing the network.

The one area that I would like to see a change in is policy installation. Right now, with a larger user database and a high number of rules, it takes a bit of time for policy installation. There is definitely some improvement in the R80 version; however, I believe that it should not take more than one minute to refresh the database. Also, there is a significant spike in gateway resource utilization during policy installation. 

The additional blades have an impact on resource utilization, hence scope of improvement is needed here too.

I am using Check Point NGFW for the past five to six years for perimeter & internal security.

The solution is quite stable, however some issues also observed in new version release & same is fixed through hotfix/portfix once it is highlighted to the TAC 

The new hyperscale module gives you the much-needed breathing space, which the industry was looking at for quite a long time.

When it comes to technical support, Check Point is on another level. The support engineers are very well versed with the solution they are managing.

The initial setup & integration was quite easy, and the support during migration was outstanding.

It was a collaborative effort of our in-house and vendor teams. The support was good & quite appreciable.

It's good & the same as expected.

We have two clusters. We are using them as both perimeter firewalls and data center firewalls.

In the past few years, we encountered attempted attacks on our company and we succeeded in finding that we were those attacks, or that some user or workstation was communicating with malicious sites. Without the Check Point Next Generation Firewall, we wouldn't have had the tools to identify these things and to remediate the problems.

A firewall is a firewall. It's a Layer 4 machine that blocks or allows traffic for ports. That's the basics and we don't need a next-generation firewall for that. But the features that are important include:

• IPS
• sandbox
• SandBlast
• Anti-Bot
• URL filtering.

A basic firewall is a basic firewall. You don't need Check Point and you don't need Palo Alto or the other vendors to block ports from source to destination. But we need the advanced features of this product to give us the visibility into, and the security and protection from, scenarios that are not the usual source-to-destination attacks. The solution needs to understand what the connection is, what the behavior of the connection is, and what the reason for the connection is. It can't be a stupid machine. It needs to know that if you're allowing port 53 from source to destination, that it has to check and give us the information that this communication is legitimate, and not something that is malicious.

We just upgraded to the latest software version of Check Point so we have a lot of new stuff to learn. The older version had a little bit of a problem with identity awareness and with HTTPS inspection with the visibility of the logs, and the implementing of rules. But as far as I can see now, with the new version, most of the problems were fixed.

In terms of new features, maybe it would help if we could start to manage all the stuff in the cloud and not in the on-prem servers. The management side could also be faster when you install policies. But other than that, I'm satisfied.

I've used Check Point NGFW firewalls for more than eight years.

In all the time I've been using Check Point there have been no major issues or problems. It's a very stable environment and a very stable solution, in my experience.

We have around 600 to 700 endpoints, workstations, points of sale, and mobile devices. We also have about 200 servers, a WiFi environment, and a networking environment that is not small. We have implemented it 100 percent but, because of the Coronavirus, the company itself is not 100 percent capacity.

For now, we have implemented everything that we wanted and the firewalls are working 100 percent. There are no plans in the near future to grow. Of course, if everything goes back to normal, maybe we will grow.

There are no problems for us in terms of scalability because we're not working at full capacity. We designed the new solution to give us the resources that meet our needs for the moment and for the future. There is no problem with scalability and we can add new firewalls, or replace what we have with bigger firewalls. Everything is okay in terms of scalability from our side.

We continue using our partner for resolving problems and doing the changes that we need. That is the way that most vendors are working. First of all you need a partner and then the partner will open up a case with Check Point.

But one of the best things about working with Check Point, especially here in Israel, is that there is a direct line to the support, because we have such a good relationship with them, to speed things up.

The support is fast, professional, and thorough. Those are the most important things when you have a problem. If we need to call for support from either our partner or Check Point, we get a quick response and, usually, a fast resolution of the problem.

We migrated from Check Point to Check Point

It was really pretty straight forward because we upgraded from an older Check Point product. The installation and the assimilation of the new firewall was very quick with almost no downtime and almost no problems.

We deployed four firewalls in two clusters and, all in all, it took about one day of work; half a day for each side. That includes the installation, the configuration, and the exporting of the configuration from the old system and, of course, all the fixes and patches.

On our side there was one person involved in the initial setup, just to make sure that everything was going okay and, after the installation, to do all the checks and verify that everything was working fine and as needed.

We deployed it with the help of a partner, called Spider Solutions, here in Israel. Our experience with them was good. The technician that came here to install the firewalls was professional and thorough. Everything went according to plan, with no issues.

The whole initial setup was done by the partner and our role was more oversight to see that everything was okay and to give the information that was needed to proceed.

The pricing in this category is a jungle, but Check Point was very competitive. They were very forthcoming and agile for our budget needs.

I have checked a few other vendors and solutions but, in the end, Check Point is the best candidate for our organization. That's true technology-wise and because of the support. Because Check Point is an Israeli company, it's very easy to get help very fast. We speak the same language and that helps as well. Doing support in Hebrew is very helpful for us. 

Other vendors were either more expensive or, to get some of the features, we would have had to upgrade to a bigger, stronger, and more expensive machine. But with Check Point, that wasn't the case.

Check this solution and see how it fits with your organization. See how easily you can manage and control the environment. The visibility and the management provided by the product is one of the most important things, other than the security features that the product has. And check the sizing carefully. Check that the machines you're going to buy are sufficient for your current needs and the future needs of your organization.

Our primary uses for the Check Point NGFW are network segmentation, identity awareness, and application control.

The most valuable features for us are identity awareness, IDS and IPS, and application control.

The speed of technical support is very slow and is something that should be improved.

We have been using Check Point firewalls for about 20 years.

There were times in the past when it wasn't as stable as it is now. However, with the current version, we have been running for the past year without any issues.

Our company has about 1,000 users that generate traffic that passes through the firewall. Beyond that, we haven't had much need to scale.

The technical support is very slow.

The two firewalls that we having implemented are Check Point and Fortinet.

I have also worked with Juniper but it does not have all of the advanced features that Check Point has, such as application control and identity awareness.

The initial setup is pretty simple. The amount of time required for deployment depends on the number of rules that need to be configured. The initial setup can be done in one day, and the post-setup configuration depends on the rules to be applied.

The initial setup was completed by a partner, who was a certified system integrator.

Our in-house team handles maintenance.

This product is not cheap and there are additional costs that depend on what model or package that you buy. If you need more features then you may have to buy additional modules. In our case, we knew what we wanted in advance so there were no additional costs.

Overall, I am pretty happy with Check Point firewalls. My advice for anybody who is implementing this product is to get somebody with experience to help choose the correct, stable version, and assist with the configuration. All of the new features take time to implement properly, but if the correct steps are followed then they won't run into problems when the system goes into production. 

I would rate this solution a nine out of ten.