Check Point NGFW Reviews

I use it for UTM [Unified Threat Management]. I use a gateway firewall at the office.

Next Generation Firewall, along with Threat Emulation and Threat Extraction, is what I use. Real-time prevention is there to protect against zero-day malware and Check Point Sandbox.

And then, the CPU-based emulation is a better feature than any technologies not having that. Check Point has a CPU-based emulation. Normally, Fortinet and others, they do it differently. But these people work on a technology called CPU-based emulation. 

This CPU-based emulation is a unique CPU-level technology that catches malware before it has an opportunity to deploy or evade detection. They call it SandBlast. Check Point SandBlast Threat Emulation. That is a great feature, which they are using. It controls attempts to bypass OS security controls also. And then it avoids deep security.

I use our Check Point firewall for all the NATing of my applications. I use it for external traffic monitoring where my Internet links are connected, and I use it as a gateway.

The drawback is that I want to push the policy from my management console itself instead of on the Check Point device. For example, if I have two different firewalls, I want to push the policy to the gateway, and then it will take 10 to 20 minutes to roll back the policies. It should be applied faster.

I have been using it for more than a year.  

It is a stable product 99.4% of the time. 

Check Point NGFW has a feature where it can top two of the firewalls, and then we can integrate the performance. 

It's a cluster kind of solution where they can integrate.  

For the firewall, the support is good. 

Positive

I also use CloudGuard Security Posture Management. I also used Fortinet.

The major difference, I feel, is the threat emulation. It's zero-day protection. The supply chain attack is very, very low compared to all firewall vendors. 

For example, being parallel to Palo Alto Networks or FortiGate and NFT OS or Check Point, that supply chain attack was very, very low in our Check Point firewall. And then the maintenance was very, very low compared to all.

That is my takeaway. My one of my takeaways before proceeding with my procurement decision was that there are two things: one is the security point. Another one is performance. The last one is very, very important. That is for the supply chain attack because we need to concentrate more on other products also. 

So I don't want to spend too much time on the maintenance part. So this supply chain attack was very, very less compared to other providers since we are using multiple firewalls. This particular firmware was very stable, and there was no need to update until unless it is necessary and shared by Check Point team. So my takeaway is that the supply chain attack was very less compared to all.

If the person knows the technology and the basic functionalities of a firewall, they can integrate it very fast.

We took three days to deploy.

Three people were involved: my IT security manager, myself, and one L3 engineer who deployed the product.

The architecture and functionalities are managed by me, and then the deployment is taken care of by our team members.

Compared to Fortinet and Check Point, both are the same.

Check Point is coming up withsome AI integration and some AI features. They are using threat emulation on the AI front, but they are also discussing the quantum processor, where they have integrated many new features.

Overall, I would rate it a nine out of ten.

We are using physical appliances along with some VSX's in our network. We mostly use firewall only (due to high traffic usage). We are using CP NGFW to protect the company from the internet and also provide security while we are connecting to the internet.  

We have physical clusters that we manage via our company's external connections through S2S. We are managing our core and client networks with separate clusters. Applying security rules and providing NAT when we need it. We are also using CP in our DRC environment to provide SRC and DST NAT with VSX to provide access to machines that have the same IP addresses.

Back when we had a different brand of firewalls, we were having trouble managing all of them separately. With Check Point's HA capability, we merged all of our Check Point firewall management. With this, we can apply a viable DRC solution that our company needs and also manage, view logs, and administer all of the components together.

With the capable appliances, we don't experience any CPU and Memory utilization most of the time. With the help of new versions, Check Point is moving forward. We hope the upcoming version will provide hyper flow, and this will solve our elephant flow problem.

The solution offers a good GUI. It is easy to use, smart, simple, and user-friendly.

The client VPN and S2S VPN capabilities are great. Check Point's mobile access provides us with flexibility. We don't have a single point of failure regarding the VPN access points anymore.

We can use Check Point NGFW physically, virtually (with Check Point VSX), and on the cloud with CloudGuard. We have most of the features available even within these different environments.

We can apply SAM Rules (without installation needs), and Custom Intelligence Feeds.

It has good API support and provides value when you need it. 

The API support is good. However, Check Point needs to focus on more prepared scripts for some tiresome actions. Other vendors provide this, including Palo Alto). We are in a big organization now, and we need good tools to maintain stability and get rid of the objects and rules that we don't use.

If you are working within a big organization, you may have some CPU and memory utilization problems. Most of the time, we are encountering these kinds of problems, and due to that, we can't use other features and blades other than the firewall or threat prevention.

I find Check Point's log experience a little tiresome as it does not provide information with limited blades enabled. We'd like to see information around session time, sent and received bytes, etc. Even if you manage to get some data, you may find it not very reliable.

I've been using Check Point's NGFW and its features for about five years. 

I found Check Point's stability a little bit so-so. Not that good, not that bad. Most of the time it is reliable. We had lots of problems before due to the utilization of our firewalls. Most of the time, the hotfixes provided the solution. However, applying hotfixes and getting in touch with the R&D when needed may be tiresome.

It's pretty good. The HA Features provide a good solution so far, and with Maestro it will perform better.

I had the chance to work with Fortigate and Palo Alto Firewalls before. Due to the stability and know-how regarding Check Point, we chose this vendor.

We always believed and saw that the money we spent on Check Point was not in vain.

Mostly enterprise customers use it for their system security as their main firewall. For example, some customers have multiple backup connections, including fiber connections, for redundancy. 

They use Check Point as the main firewall, and others use it for email scanning and file scanning to detect any vulnerabilities.

The firewall scanning, like antivirus scanning and malware scanning, are very good. Blocking the user is also very easy. If you want to block a user, we can just do it within the solution.

The reporting is quite easy and good, and you can see traffic in real-time. But compared to Sophos, Sophos is still better. There are still areas in Check Point that need to be improved.

It's actually quite good, but the only problem we faced was during COVID when people wanted to work from home. 

We had to use third-party software to give users access because the Check Point option didn't work as expected. So we used Check Point in the front, but we used third-party software for the virtualization of the applications and everything.

When using redundant connections, sometimes there are issues like one connection going down and switching to another connection. Also, breaking rules can be complicated. 

For example, if you want to make a rule for a specific connection, like assigning some users to one ISP and other users to another ISP, you have to use another device, like a third-party firewall intervention and routing, to get the desired results. Other than that, it's good performance-wise.

I've been working with Check Point for the past six or seven years. We always work with the latest version.

It's very stable. No issues there.

It's scalable.

Our clients have raised questions to technical support. They all have accounts, so we give them the login details. They send an email to support and get a support request. But normally, we try to handle everything on our own. 

If there's something we can't handle, like a firmware-level issue, only then do we get support from Check Point.

It depends on the client requirements also. Some government agencies need Check Point, and some clients need others like Cisco or Sophos. After Cisco, a lot of clients have changed to Sophos. So, we provide solutions depending on the client's requirements.

The initial setup is straightforward, just like any other normal firewall. 

• Deployment strategy: 

The deployment process depends on the client. For example, if it's an existing customer with an existing firewall, we first see what their current requirements are from the existing firewall, what they need to implement but cannot, or what challenges they are having. 

Then we compare the features of the existing firewall and Check Point firewall, and we tell them what the rules will be, like incoming and outbound rules. We try to see what is the fastest way, without any downtime, how we can point or configure the checkpoint. 

Then, after that, we do the testing, because almost all of the offices need that. So, normally, once we set it up, we give them one month for testing. Normally, for a better line or something, we just use a certain IT department or a sub-department for testing. After that, if it's okay, we hand it over.

In a nutshell:

Requirement Analysis →  Feature Comparison  → Rule Definition → Testing and Validation → Phased Rollout → Client Acceptance

• Deployment time: 

Normally, for a site, more or less, less than one month. It depends on the number of users. If there are a very large number of users, like 600,000, then it will take around one month or more.

• Deployment resources: 

Normally, we have two technicians working. One is from the Philippines, trained in Sophos and Check Point. We don't need many more staff for the implementation.

• Maintenance: 

It's very easy. Only the licensing. Every year, we have to pay, but sometimes clients talk about the cost. Also, very recently, there was a ransomware issue. The only issue is, for example, if it's ransomware, and it doesn't get detected by Check Point and gets infected from another source, we have to prove that it's not from the outside but from the inside. Because there are a lot of case scenarios like this, those are the things mostly.

• Integration capabilities: 

Integration is a little bit challenging. It's much easier for integration with other applications and domains. When integrating with a domain, there are still some small issues. For example, when applying a group from the domain controller, we sometimes need to test a firewall and do some reporting. There are small issues like that for the integration of LDAP. Other than that, it's good. It can pull up the users and groups, but there are some minor issues when we apply them.

It's effective and good.

Compared to Sophos and others, Check Point pricing is good for the current market.

In terms of features, Check Point and other firewalls are almost the same. There are no special or advanced features.

I can recommend it to other people. Overall, I would rate it a seven out of ten. 

We use Check Point Quantum Network Gateways for all our on-site firewalls. It protects the network edge, network core, data center, and our AWS direct connect. 

We are a payment facilitator and security is one of our core requirements. 

We have implemented VSX which enabled us to reduce the hardware footprint. 

We have implemented 6700NGFW, 6600NGFW, and 6400NGFW in different network segments. We have enabled basic firewall, ClusterXL, and IPS licensing. 

Due to the nature of the traffic, we do not use Application Control or URL Filtering.

With our previous firewall solution, we had no automated compliance tools. Now, with the Check Point Quantum Network Gateways, we have the ability to automate compliance reports for both GDPR and PCI3.2, and by using VSX (Virtual System Extension) we have reduced our data center footprint. This will lead us to become a more sustainable organization. 

We have found the central management (Smart Console) to be very helpful in managing all the firewalls and keeping the software/hotfix versions up to date.

By implementing VSX (Virtual System Extension), we were able to reduce our hardware footprint, reducing both direct and indirect costs. This also enables us to quickly scale up or down to meet business needs.

We have also found that the Intrusion Prevention System implemented on Check Point Quantum Network Gateways is robust, efficient, and very easy to implement. Being able to add it later as a software feature is a real boon. The customization options enabled us to zero in on our specific use case.

Due to our unique environment, we have to implement BGP on our firewalls, and the way that BGP is implemented on Check Point Quantum Network Gateways is not intuitive and requires additional custom configuration. This caused a significant delay in our migration. The way that NAT is implemented was also not intuitive and required additional custom configuration.

We have also run into an interface expansion limitation, and thus it would be helpful if products lower in the stack would offer more interface expansion options.

The solution has been in use for one year.

During the first year of operation, we have seen 100% up-time.

Due to the VSX implementation, I would conclude that it is highly scalable.

Customer service and support from the vendor have been excellent. They have assisted in communicating issues back to Check Point and the subsequent response from Check Point has been very good.

Positive

We used Cisco ASA 5500 series firewalls, but these have reached the end of life and needed to be replaced.

The initial setup and migration was complex and we had a vendor team assisting.

The expertise of the vendor team is excellent; I'd rate their services nine out of ten.

It is important to carefully consider your needs. Additional features can be activated easily - for additional licensing costs. However, opting for extended licensing can provide cost savings through discounts.

In looking at replacing the existing firewalls we considered Cisco, Palo Alto, and Check Point. 

Check Point Quantum Network Gateways offered us a more favorable price point without compromising on functionality.

We are Check Point's Authorized partners, and Check Point NGFW is used for our Client's network security. These Next Generation Firewalls are excellent. All of our customers are happy. Check Point gateways provide superior security compared to any competitors in the Indian market. 

Our clients have networking solutions that range from 50 to 200 routers and hubs. Also, their endpoints range from 100 to 2,000 endpoints. Check Point's unique solution helps us to cater to all sizes of companies, from SMEs to large enterprises without compromising on any security vulnerabilities.

Check Point NGFW gateways provide superior security compared to any Indian market competitors. It delivers the highest-caliber threat prevention with excellent SandBlast Zero Day protection out of the box. 

Also, its on-demand hyper-scale threat prevention performance provides our customer with cloud-level expansion and resiliency on-premises. By integrating the most advanced threat prevention and consolidated management, Check Point's security gateway appliances are designed to prevent any cyber attack, reduce complexity, and lower our clients' costs.

The features which are most valuable include:

1] Uncompromising Security

2] Security at Hyperscale

3] Unified Security

4] Check Point's Quantum helps our clients in their overall cybersecurity practice

5] Protects network, data center, endpoints, and IoT

6] Ultra-scalable protection against Gen-V cyber attacks

7] Best Protection with SandBlast Threat Prevention

8] Maestro Hyper-scale Networking

9] Remote Access VPN protects your Remote Users

10] Highest level of security with Autonomous Threat Prevention

11] Modular Hardware and high-performance CPUs

We would like to see the following improvements:

1] Check Point can improve a little better in their technical services, especially in the Indian market. 

2] Check point can add features like log management which would be very useful to get compliant with CERTin standards. 

3] Check Point should look into SIEM solutions as today's Indian market is going towards SOC capability, and SIEM is the backbone of any SOC solution.

4] Automation is the crux of today's digital transformation era, and Check Point should include automation in its products.

5] Incident forensics like UBA or CASB is the next challenge in the security domain, and these features should be included if possible.

Its been three years since I strated using the product.

The solution is highly stable.

This solution is highly scalable.

The technical support is nice.

Positive

We are currently working with Sophos, however, we started recommending Check Point to our clients due to the excellent capabilities that they carry.

The setup is straightforward.

The setup, pricing or licensing cost of other products is on-par or a little higher than Check Point.

We have evaluated Sophos and Palo Alto.

Historically, the primary uses for these gateways were perimeter security and internet filtering. However, we now push all our internal traffic through the gateways for LAN segregation and to isolate obsolete operating systems.

Our isolated operating systems and LANs only allow specific traffic from a specific source to access them, making these critical production/business systems more secure. It's not a simple case of just replacing these legacy operating systems but replacing the industrial machinery that they control - which would require an investment of tens of millions of pounds.

Isolating obsolete operating systems wasn't in the scope when implementing the gateways originally. However, it has enabled us to secure Windows XP/Windows 7/2003/2008 machines which are end of support yet are still required to run industrial software and interface with large machines, which are not easy to replace.

Isolating machines and networks, along with SSL inspection, wasn't in scope when the gateways were spec'd. That said, five years later, they are still rock solid, and along with the Threat Cloud intelligence service, this ensures that our firewall is equipped with up-to-date threat intelligence, enhancing its ability to detect and mitigate emerging threats.

One of the strengths of Check Point Firewall lies in its granular policy management capabilities. We can define security policies based on a variety of criteria, including user identity, application, and content type. This level of granularity allows us to enforce security policies that align with our specific needs and compliance requirements.

One of the standout features of our Check Point Gateways is the user-friendly interface. Smart Console (management console) is well-designed and intuitive and provides administrators with a centralized hub for monitoring and configuring security policies. The web version isn't quite there yet, so to get the most out of it, the console needs to be installed, but it allows users to tailor it to their specific needs, and the menu structure is logical, making navigation a breeze for both novices and experienced administrators.

2FA on login would assist us with compliance however at the moment, it's not a major factor for us - yet may be in the future.

It would be nice to have comprehensive documentation and training resources that can help users and administrators better understand and utilize the full range of Check Point's capabilities. We ended up having to travel to London to sit through lots of training as we didn't find the information readily available.

Finding the costs associated with a particular blade can be challenging. This isn't specific to Check Point, but sometimes we need a ballpark cost quickly and don't have the time to speak to a reseller.

The company has been using Check Point gateways for around five years, myself about two years.

Hardware has been 100%; software has been slightly less as we had an issue where the gateways would failover. 

We run a pair of Gateways in HA mode, this solution has worked for us, and there have been no cases of downtime. Adding additional gateways should in theory be quite simple however for us there is no need.

Support has been quick to respond to any questions or issues.

Positive

The company used to sue Cisco Firepower. I wasn't with the company when switching.

The setup was straightforward; the implementation team went on the CCSA and CCSE courses.

We handled the setup initially in-house.

We ran these gateways for five years and will look to do the same with the replacements.

Work with Check Point's presale team and complete the scoping document. If you are an existing customer, use the CPSizeME. 

The company also evaluated Palo Alto.

We have run Check Point Security Gateways for five years and have had very few issues; they have been rock solid, and the hardware has been 100%.

The customer purchased Check Point 6200 Firewalls to replace their aging Cisco ASA firewalls on the perimeter of their sites. The Cisco Firewalls must be replaced due to insufficient capacity.

It is envisioned that the initial migration will be a direct replica of the ASA configuration, with the client expanding the solution post-migration, with Check Point NGFW features.

This project consisted of the following deliverables:
• Rule base is migrated like for like, in which ASA Firewall zone-based rules will be converted to Check Point Parent/Child layered rules.
• Firewall zones to be imported and reviewed post migration by client.
• NAT rules will be migrated “as-is”.
• Geo-location rules from FTD will be honored and mapped into Check Point.
• Client-based blacklisting will be migrated into the solution, using external feeds via URL.
• A single IPS profile consisting of a clone of the vendor's “out-of-box” balanced profile (optimized).
• 1X site-to-site VPN.
• Integration into Client’s Cisco ISE solution for RADIUS-based admin authentication.
• NGFW licensing and blades to be installed on firewall devices, to allow features to be enabled in the future and expand the solution.

The Client wishes for the ASA firewalls to be replaced with a Check Point systems solution, which consists of 6200 Plus Appliances. 

The initial requirement was to migrate the configuration in an “as-is” state, with the necessary licensing purchased and installed to enable expansion of the solution with next-generation feature sets in the future.

The solution was able to meet and exceed the client's requirements thereby improving the client's environment.

The management server is software-based.

Firewalls and licensing include:
• FW
• IPS

The solution provides a single pane of glass management of rules/logging.

The solution supports IPsec tunnels FOR 1X IPsec VPNs.

The solution integrates with the client’s Cisco ISE RADIUS solution for administrative access.

The compute power of the appliance is great. The Check Point appliances are considered NGFW devices and can process both the ASA and FTD requirements on a single instance, removing the requirement for an expansion SSD module and/or additional hardware.

We'd like an option that can convert other vendors' NGFW configurations to supported Check Point NGFW config for ease of migration.

Check Point configuration options can be very enormous and overwhelming.
Check Point comes with a very lean learning curve even though they offer a robust knowledge base. 

A lot of configuration cannot be accomplished via the web interface or the smart dashboard software and must be done manually via the command line interface.

I'd like to see some built-in automation for the firewall alerts/events to trigger an automated response or recovery.

I've used the solution for three years.

The solution is stable with frequent version and management updates.

The solution is highly scalable and expandable.

The solution offers great customer support.

Positive

We used a different solution and needed more processing power and functionality which this had compared to industry competitors.

The setup was straightforward yet third-party device migration contained a lot of manual configuration conversions.

I implemented this myself.

Pricing can be relatively more expensive when compared to industry peers, however, the functionality makes up for the price difference.

We also evaluated:

• Cisco NGFW
• Fortigate NGFW
• Palo Alto NGFW

This is a great overall solution.

We're using Check Point NGFW for network security, intrusion detection, intrusion prevention, application control, DDoS attack protection, sandblast, mobile device management, identity-based access control, reporting, access control policy, scalability, state-of-the-art security gateway, support, threat prevention, accelerated policy installation, concurrent security policy installation, advanced routing, easy upgrading, logging and monitoring, smart events, and smart console.

Check Point has improved our organization's security posture, especially the IBAC, application control, IPS, and IDS. It's easy to set policies on the firewall, which has greatly simplified cleanup and management.

We recently upgraded from R80.10 to R40, and we've had an overwhelmingly positive experience with this version. Our visibility of threats and vulnerabilities has improved. Check Point added new features and revamped its reporting and analysis.

Check Point's rule management helped us simplify access control. At one point, we had more than 1,000 access control policies, and it was challenging to manage them all. We cut it down to 300 policies using Check Point's management features, and we are still working on reducing this further to achieve the best way to manage policies. Its logging and monitoring enable us to trace and investigate suspicious traffic.

Check Point doesn't warn us when rules are about to expire. It was also inconvenient that we had to change hardware when we upgraded. It would be nice if they made the new version compatible with current hardware or if it only required a minor upgrade.

I would also like it if Check Point cut the number of steps needed to upgrade from R77 to R81. They should also make it possible to convert access control policies from the firewall to the management server and to downgrade from a higher version to a lower one. 

I've been using Check Point NGFW for six years.

The solution has been stable, and Check Point promptly delivers patches and updates.

I rate Check Point support nine out of 10. When we need help, they're always fast and efficient. Check Point's customer service is one of the major reasons we've stuck with this solution.

Positive

We adopted Check Point because of the cost and support.

If you have the right training, you can set up Check Point with minimal supervision.

Before you buy, check which features you need, and if possible, I recommend signing up for at least a three-year license.

We considered several vendors, including Fortinet, Cisco, Huawei, Sophos, and Barracuda.