Check Point NGFW Reviews

The customer's use case involves employing it to safeguard their internal applications from external threats. They utilize various gateway features, including user identity-based policy, anti-spam, antivirus, IPS, anti-BOT, and other security measures, effectively creating a robust defense against a wide range of potential risks.

The primary focus is on safeguarding the customer's internal applications, especially for traders. When it comes to security, the main advantage lies in risk mitigation, akin to insurance.

The most valuable feature is its unique inspection model, which was initially a basic firewall inspection. Over time, they've developed and refined this model to cater specifically to trade-related intelligence. It is now a crucial and central component of their security infrastructure.

From an administrative perspective regarding Check Point NGFW, there are two key suggestions to improve efficiency. Firstly, administrators should be able to create a unified policy which means that when administrators set up policies in Check Point, they should have the flexibility to configure different security profiles and other security parameters all within the same access policy, simplifying the process. Secondly, the upgrade process for Check Point Firewalls currently involves extended downtime as it often requires a fresh installation. This downtime can last up to around sixty minutes, causing disruptions to business operations. To enhance the user experience, Check Point should consider adopting an incremental upgrade approach, similar to competitors like Palo Alto or Fortinet, as it would help minimize downtime and streamline the upgrade process, making it more efficient and user-friendly.

I have been working with it for about ten years.

It provides good stability features. I would rate it six out of ten.

Scalability is achievable in the cloud environment. By following the appropriate processes, you can configure automated scanning and other necessary functions to ensure it.

From a technical support perspective, there is room for improvement in Check Point's services. They have increasingly outsourced a significant portion of their support, primarily to third parties. This outsourcing has raised concerns, as it often results in longer resolution times and troubleshooting processes. In my experience, working with Level 3 engineers is more satisfactory and efficient, whereas Level 1 and Level 2 support can sometimes fall short of expectations and extend the time required to address issues.

Neutral

When comparing Check Point to Fortinet and Palo Alto solutions, there are several advantages and disadvantages to consider. One key advantage of Check Point is its robust logging capabilities. Administrators can access detailed traffic flow information, providing valuable insights into network activity. Another strength is the trust associated with Check Point. They pioneered the concept of "stateful firewall," which has established a strong foundation for trust in their security solutions and is built on their extensive experience and history in the field.

The initial setup is a medium-level complexity task.

When deploying on AWS cloud, I typically opt for CloudFormation templates to facilitate the setup of Check Point. This approach offers the advantages of infrastructure as code. When it comes to on-premises deployments, the process is manual and involves tasks such as physical cable connections, configuring interfaces, setting up routes, and defining network policies. For a typical mid-sized project, a single person is usually sufficient for the cloud deployment, taking no more than two hours if the implementation plan is well-defined and the design is in place.

The cost can vary depending on the specific model and feature set requirements, as well as the unique value it offers to the organization. The price may be perceived as relatively high when compared to the features and capabilities they provide.

My advice for anyone considering it would be to begin by thoroughly understanding their specific needs and requirements. It's crucial to assess budget constraints and security priorities. If an organization has a sufficient budget and prioritizes a robust security posture, I would recommend considering Fortinet. They often provide a more comprehensive security exposure when compared to Check Point. For organizations with legacy systems or a strong preference for Check Point's Endpoint solutions, my advice is to segregate the management and gateway components. Avoid running both on the same platform to prevent complexity and potential issues. Separating these functions can lead to a smoother and more efficient operation. Overall, I would rate it six out of ten.

I have been using this solution as a perimeter firewall. 

Our organization has ISP-based DDoS protection on the outer attack surface. Then, we have Check Point Next Generation Firewall with an IPS module as a second layer of protection. And then, we have Check Point Access Control, Application, and URL filtering, anti-virus, and anti-bot modules enabled. We also have the cloud-based Check Point Threat Emulation solution and different segmentations on Check Point Firewall as a DMZ zone, internal zone, and external zone. Our internal zones have different segments to improve our security level. We apply it by dividing our network into different VLANs by using the Check Point solution.

Check Point is the first vendor in which we found the stateful firewall terminology. It is always on the top of the list of best firewall solutions. 

Financially, the benefit of Check Point is very high when I compare it with an average firewall solution. At the end of the day, the benefits it provides are already higher than I paid. 

Our business performance is already doubled by the help of Check Point. If we need to talk about efficiency of administrators while managing a security  solution, I consider it as one of the most important item. 

Thanks to Check Point, our security team can easily handle different problems in time.

Check Point gateway and management installation are very easy. After the console-based installation steps, you can continue on the web GUI interface. This is very valuable. It doesn't let you make a simple mistake, which might be a reason to install all the systems from the beginning. It has been designed to give you flexibility as much as needed; not more, not less. It prevents human mistakes, basically.

If I have to say just one thing as the most valuable; I will say it is the most reliable firewall solution in the world. It is easy to prove that when I compare the number of CVEs which are published in a year among firewall vendors.

The routing rules and some more network settings should be listed on the Check Point Smart Console instead of GAIA Web GUI. It might be a little bit confusing when an administrator remembers the location of the settings. Also, it is hard to manage the settings by always jumping from GAIA Web-based graphical user interface to Java based Smart Console dashboard. Also, Check Point Next Generation Firewall has a very detailed and well-organized CP view on the console on both CLISH and expert (/bin/bash) shells; which gives an administrator a real-time monitoring option on the console.

I have been using it for more than six years.

On a heavy load, I haven't experienced packet loss or inconsistent behaviors.

In the beginning, I would consider Check Point solution as not scalable enough. However, after Maestro architecture, it is extremely scalable now. The organizations does not have to pay a lot of money to plan for the next 2-3 years. They are flexible enough to allow for the extension of their systems by adding another module like a blade.

The customer service and support team respond in minutes. If it is a critical issue, you can reach them in seconds via chat.

Positive

I used Palo Alto and Fortinet firewalls before. From Fortinet to Palo Alto it was a big change. 

Fortinet was not a good enough solution as compared to PA. Then, due to finances and some other reasons, I switched to the Check Point and it was one of the best decisions in my life.

The initial setup is straightforward. You just need to define disk allocation for logs and system files and backup files as an amount. Then you can continue with Web GUI to set up network, DNS, etc. settings. Then you complete your setup by installing the Smart Console interface.

The Check Point support team is one of the best. When I need them, they can escalate the ticket to an appropriate level of engineer to fix the problem.

As a security solution in this kind of market, prestige and being reliable cannot be measured with money. It costs more than a million dollars to have a defacement attack. The costs to prevent this kind of attack cannot be measured with money, in my opinion.

I'd advise others to worry about changing their firewall habits from any vendor to Check Point. It will be one of the best decisions of their life. If you have time and money to take care of other vendors, go ahead. However, if you are smart enough to manage your money and time, don't be afraid to give a chance to Check Point solution.

I did get some PoCs from other vendors such as Sophos and some other firewall vendors which are focused on small-size organizations mostly.

I recommend to all system managers and security administrators to try all the enterprise firewall solutions. Then, most likely the final decision will be to use the Check Point Next Generation firewall.

We use Check Point firewalls as perimeter firewalls which are restricting the organization's incoming and outgoing traffic and taking advantage of the redundancy capacity of internet providers, which provides fault tolerance when an internet provider has a fault. 

In addition, we use it for the publication of services and with an event viewer that allows us to view alerts about behavior and unusual traffic inside and outside the network. URL filtering and application control are perfect complements to the packet filtering that it offers as a firewall solution.

Check Point offers a reliable firewall solution with VPN options that have allowed us to establish secure and stable connections with other companies and users in a very simple way.

Simple and centralized administration has allowed us to manage all the firewall nodes from a single console, facilitating the deployment of firewalls through the network, since a large part of the configurations and access rules, as well as the protection controls, are managed from a single console and via centralized maintenance.

Check Point is a robust and reliable security solution, whose architecture and design allow centralized administration with a graphical interface that facilitates its management. 

The way in which it manages the nodes within a cluster architecture is excellent, offering fault tolerance which is, in my experience, practically imperceptible when one of the nodes fails. This is thanks to the fact that it maintains a table of shared connections between the nodes and the large number of variables that it takes into consideration to validate the health of the nodes.

As a firewall, Check Point is a great solution and in my experience, there is little that I could indicate how to improve.

That said, a point where it could improve is in the redundancy of the ISP. It should allow more than two internet providers in its configuration of "ISP Redundancy". This redundancy could be managed from variables such as the automatic calculation of the load level between internet lines or load distribution between internet lines in periods of pre-established hours, etc. All could be handled from the same graphical interface.

I have been using Check Point for more than 11 years.

Its stability is one of the selling points. It allows us to have great confidence in Check Point solutions.

The performance is excellent in the new appliances. The solution is very scalable and easy to integrate.

They have a good response time and their personnel have a good technical mastery.

I was using ASA, however, we switched to Check Point as it offered a centralized interface for managing all nodes in addition to having an excellent graphical interface that facilitates day-to-day operational activities.

The initial configuration is very simple and intuitive. Check Point offers a graphical configuration interface that makes the process simple and it is complete in just a few steps.

The provider we have used has highly qualified staff and offers excellent and professional services.

It has an acceptable cost considering the stability and the benefits that Check Point solutions offer.

We did not really look at other options. We are very confident with Check Point solutions and we take the stability it offers very seriously.

You must consider Check Point as your first NGFW option. 

We primarily use the solution for perimeter security - including DMZ and as an internet firewall. We use Check Point Firewalls as the first line of defense from the internet and they are also used to segregate the internet, DMZ, and internal networks. Check Point VSX technology is used to split the hardware into multiple virtual firewalls to cater to different environments so they are well segregated. We have BGP running on the firewalls, such as all of our network devices in our environment, to learn and advertise routes. Check Point does a decent job with BGP and does an excellent job as a perimeter firewall.

Check Point was brought into our environment as a perimeter security device to replace the Juniper NetScreen which was originally used as the perimeter firewall. When Juniper announced the end of life of NetScreen devices, we decided to go with Check Point mainly because of the ease of management and also because Check Point was an Industry leader and Juniper was still in the initial stages of building their own firewalls using JunOS. With the introduction of Check Point with the VSX features, we could use BGP instead of the tedious static routes that we had in place with the old NetScreen.

The VSX has been great. The ability to split single hardware into multiple virtuals along with support for dynamic routing using BGP is very useful for our environment.

We like the management console. The Check Point smart dashboard has made things easier for administration and we've been able to manage all the Check Point devices from one place which is very useful.

The operations support is great. There is a smart log system that is very good for troubleshooting and reporting. We also use the CLI for troubleshooting purposes (for the likes of FWMonitor and tcpdump) while the FW rules are managed via the smart console which does wonders for operations support.

It is common for any network device to compromise on stability when more and more features are packed into it. It may work for small organizations when they want a single device to do everything for security. However, it is a big issue for us as a large financial institution when even a small outage costs dearly. Check Point, being our perimeter firewall, has failed quite a few times mainly when handling BGP. I would like less CPU-intensive features to be introduced to replace the existing heavy-duty processes. They may already have a lot of features, so the enhancement of existing features could focus on robustness rather than introducing new features.

I've been using the solution for three years.

With the upgrade to R80, the solution has become more stable. We have had outages because of the gateways failure while running BGP with older versions. After the upgrade, we havent had such outages.

With the latest upgrades of R80, Check Point has bettered its performance, and hence, scalability has improved a lot. Also, there are multiple NG features that can be utilized that makes it more suitable for multiple solutions.

They offer very good customer support; they're always available and capable.

We previously used NetScreen and they were at their end of life.

Check Point has its own design that is a little complex compared to other products. This has a 3-tier architecture and we need management servers and gateways separate. I would still say its not much of a hassle building it.

We handled everything through Check Point PS. They were very good.

I can't really comment, as I do not have much idea about this space.

The solution is priced well in the market in order to compete with the other products.

I wasn't in the organization when the evaluation happened. However, I know Juniper SRX was one of the solutions looked at as we are using them for our internal firewalls.

We deployed a Check Point firewall on the perimeter as well as on the internal network. Both are in HA & we have enabled all threat prevention blades. All devices are 5600 & 4200. We are managing our two firewalls with two different security management servers.

Currently, we are using the R80.20 firmware version and we have a pretty simple design.

Our primary uses are firewall security, VPN, web filtering & monitoring. We have also used the TE-100X appliance for private cloud sandboxing.

With Check Point, we achieved redundancy but the problem was three public IP addresses that were required to be configured as HA, with two physical IPs & one virtual IP.

Our previous firewall used a single public IP but now, with Check Point using three, it became very difficult for us to make available the same segment of public IP addresses from our ISP. After many support calls, however, we found a solution.

The other option which is helpful is that there are no limits for any objects used in the policy. Our previous firewall does support limited time objects & IP address objects.

Check Point's new Smart dashboard has an all-in-one configuration interface. They provide a very easy configuration for NAT and one tick for source & destination NAT is possible.

Policies can be configured in a more organized way using a section & layered approach.

Application control has all of the required application data to introduce it into policy and the URL filtering works great, although creating regular expressions is complicated.

The software upgrade procedure is very easy; it just needs few clicks & we are done.

Check Point has both GUI (Graphical Interface) & smart dashboard, but it will be better if it sticks to either one of them. 

A threat prevention policy needs to be created in a different tab but instead, if those policies could be related to access policy then it will be easier to apply the threat prevention to our relevant traffic.

One of the most complicated aspects is the VPN Configuration, which should be simplified in future releases. The monitor tab should have a VPN tab, where we can see the current tunnel status.

I have been using Check Point NGFW for more than the last three years.

With respect to stability, we always have ongoing support calls. We have faced lots of issues that have led to upgrading with a Hotfix.

When it comes to scalability, our current Check Point is far better than our previous firewall.

Technical support is very helpful & always there to help us with issues. Also, the TAC response is quick.

Previously, we had a Fortinet firewall, which was pretty slow when it came to operations.

The initial setup was simple.

We implemented the firewalls with our in-house team.

Check Point should provide some basic license for mobile access VPN by default, for at least five to ten users.

The only other vendor that we have evaluated is Fortinet.

This is a complex high availability solution growing by over 100% per year. The complexity of the business environment made the ability to increase capacity without having to remove previous hardware much easier.

We have a large online presence with users needing realtor access to our environment. 

The improvements to our business are easy to explain. It is faster, easy to use, and there are multiple capabilities all in one box. The best examples are the endpoint and anti-virus options.

The ability to add more firewalls and increase the capabilities, rather than remove the hardware, is an exceptional step forward. No competitor was able to compete with this. Not having to continually replace hardware year after year was a massive driver in the decision-making process. The throughput going up by 100% with each added device is exceptional.

There are many features we have found good.

The best feature is the ability to increase the capacity of the solution by exactly what you add, not losing anything for High Availability. This feature alone will save us as we increase the number of devices in the stack.

Having so many top-end products in one box also assists in managing this device. URL filtering and anti-virus and other services are easy to deploy but assist in getting your company a good name.

The Infinity product seems amazing but we have a long way to go before saying it is successful.

One of the biggest disappointments is the GUI. I felt it was a little bit more clunky than some competitors. The screens don't flow as easily as they should. Improving user experience will further elevate this product.

The way the management console operates is not user-friendly, either. It needs to become less intrusive. The user experience is not as high as it should be due to the problems with the user interface. The newer products in the range seem to address my concerns, which I have had for even the older products.

I have been using Check Point NGFW for six months.

Having leading-class firewalls with massive growth possibilities made the purchasing decision much easier. Having carried out a few PoCs, the obvious decision was the Check Point solution of Maestro and 6500s in a high availability environment.

The primary use case of this solution is to protect the organization's LAN network from cyber threats.

With the help of Check Point NGFW, we are able to prevent attacks like phishing, ransomware, zero-day attacks, malware, etc.

The thing I like about this product is its capability of auto NAT and auto zone detection.

Service support can be improved.

I've been using the solution for the last year. 

The stability is the best.

The scalability is good.

Customer service and support can be improved.

Neutral

No, I did not use a different solution. 

The initial setup is easy.

We implemented it through our in-house team.

For the current market situation setup cost, pricing, and licensing look fine.

No, I did not evaluate other options.

We brought all of our cloud platforms to Microsoft Azure. We needed a tool that would give us the security of regulating access control so that we could monitor our environment in case something was penetrating our internal network.

This was the primary movement for which the Check Point NGFW tool was acquired since we needed our collaborators to have secure access to the company's resources and applications since this tool provides us with the alerts and corrections that must be made when finding a security breach in our environment.

Check Point NGFW also provides a great capacity of features that help us apply them to the organization. It has web filtering limited to third parties, SSL encryption, and the application's administration is very simple and centralized since it helps us a lot in reporting and generating alerts.

The organization needed a tool that would provide various security functionalities in the organization, and so far, Check Point NGFW has helped us a lot. It has helped us by applying access control policies and limiting access to third parties and only those who must enter the organization to use resources and applications.

The application behaved very well with the Azure resources in the cloud; it helped us to prevent several security holes found with web filtering and internal DDoS attack.

Check Point NGFW can quickly identify where the attacks are coming from, provides detailed and complete information on the attacks, and provides zero-day attacks in real-time.

One of the valuable characteristics of Check Point NGFW is that it presents very centralized management. Due to this, it's improved our security throughout the organization and outside of it. Many collaborators work from their homes or different places and help us filter, limit of access to packet inspection with flexibility and speed that was not previously possible.

Other characteristics are the records that it shows us and generates depending on its configuration and they are very visible to be able to attack and correct in time, or when superiors ask us for administrative information in that part it provides great value.

As such, the tool provides what is expected in its security functionality. However, some points must be improved, such as the latency in the GUI entry. It takes a while to register and allow access to the administrative panel.

Another point where customer service should be improved, both in the administrative and technical fields. Support cases have been generated several times, and it takes time for the case to be resolved. In addition to that, the solutions need to attend to us. It takes a long time to coordinate a call since they do not handle a comprehensive schedule.

This solution has been used for approximately one year in the company.

The stability of the tool is good. We have not presented any problem even when an update is made.

The scalability presented by the tool is very good and flexible.

The experience has not been very good. That is one of the points that must be improved.

Positive

There was no type of tool that would supply these qualities.

The configuration of the tool is very simple and quick to install.

The installation was done jointly with an engineer provided by the supplier, and his capacity was good.

The prices are competitive. However, it is worth making an investment since, in the future, the profit will be seen against any environmental attack.

Check Point manages a good cost in its products and it is worth making the investment since this can prevent a collapse in the organization.

Check Point was always our first option. With this type of solution, many security teams are from Check Point.

The tool behaves well. The only improvement that I have seen that is necessary is to improve the latency when entering the application and they must improve the support.