Check Point NGFW Reviews

The primary objective was to replace the Cisco ASA firewalls with Check Point NGFWs. In addition to their firewall functions, these NGFWs also provide features like Web Application Firewall and Network Data Security. We used this approach to consolidate security measures into a single, comprehensive solution, much like having a master key at the main entrance rather than separate keys for each window and door. This streamlines security management and ensures a more efficient and robust overall security strategy.

There are several crucial advantages to using Check Point NGFW including its ease of use, as it provides a unified interface for managing multiple security functions. It offers impressive scalability to meet the demands of a large organization and can handle substantial traffic. Its simplified management, enhanced remote support capabilities, and the ability to facilitate secure VPN connectivity for numerous offices and employees are highly beneficial.

The current model is predominantly hardware appliance-based, which can incur substantial costs. These appliances must be purchased separately, contributing to a significant investment.

Our most recent engagement with Check Point NGFW was a year ago when we implemented it for one of your financial sector clients.

The stability of the firewall has been exceptional, with very minimal disruptions. There was only one instance of downtime, and it wasn't attributed to any fault in the firewall itself or the hardware, but due to a configuration issue. I would rate it eight out of ten.

The scalability of Check Point firewalls is a notable strength. These firewalls can handle a substantial number of connections. For instance, they can manage up to one million connections on the NDSW server. Regarding its VPN capacity, it can support around 5,000 to 8,000 users per box, which is quite impressive. This scalability makes Check Point firewalls well-suited for organizations with high connection and user requirements. I would rate it eight out of ten.

Their support team has demonstrated an approximately 24-hour turnaround time, which is considered quite good. We have rarely needed to engage with Check Point support because most issues are resolved internally. Typically, we turn to OEM support only when we encounter challenges that are beyond our capabilities.

I also have experience with Fortinet and Cisco, both of which have made significant developments recently. They have introduced software-based firewall and system solutions, which have garnered attention from customers. This shift in the competitive landscape has led to changes in customer preferences, with more organizations considering Fortinet as a viable option for their security needs.

This process can be a bit complex at times, mainly because it depends on the specific client architecture and how they want to set it up.

The deployment process can be rated at about six in terms of complexity. Several factors influence this complexity, but getting the infrastructure ready is often the most challenging aspect. To successfully deploy, you need to account for downtime, ensure proper backups are in place, and ideally test it in a sandbox environment before going live. After deployment, thorough checks and adjustments are necessary. It typically requires at least two days of parallel operation, where both the new and old equipment run simultaneously. In an environment with no existing infrastructure to replace, the process is generally smoother. Deployment typically involves a team of 2 or 3 people working full-time for 4 to 5 days, equivalent to nine hours a day. Maintenance is handled by a networking team, which includes a Network Operations Center. The team consists of approximately eleven people managing various network components, including L1, L2, and L3 devices.

When considering a POC for a security solution, it's essential to assess the various use cases and functionalities it offers, such as NDSW which is particularly useful for protecting sensitive data. Check Point NGFW is not solely a firewall; it's a comprehensive security solution with various capabilities. It can address a wide range of security requirements, making it a valuable and versatile asset for organizations looking to enhance their security posture. I would rate it eight out of ten.

The primary use case for these firewalls is to protect our perimeter from unwanted traffic in and out of our network as well as to control the flow of data to comply with our company security policies. 

It also plays an integral part in restricting or granting access at a granular level for certain users or vendors allowing us to monitor and protect end-customer data as well as protecting our users and network from malware, bots, ransomware and other bad actors that could disrupt our business operations.

Check Point NGFW products have improved the operation of our organization by allowing us to secure our perimeter from attacks, probes, malware, DDoS, bots and general bad actors. It also allows us to secure outbound traffic from our users. 

It allows us to fine tune how we allow users to access resources both in our DMZ and externally. This helps us to secure customer and user data in order to prevent privacy issues, prevent loss of operations or downtime which we cannot accept. 

Being able to use the products in redundant pairs has also allowed us to provide a more stable network.

There are several useful features that we utilize that are now valuable assets in terms of protecting the network. These would include user identification (ID Collector), IPS, antibot, antivirus, application, and URL filtering as well as the standard firewall security rules. They all work together to provide layers of security to protect both inbound and outbound traffic in order to minimize loss of private data as well as to ensure our network is free of bad actors attempting to use malware or ransomware against us.

Check Point could improve its products by working on stability. Overall, it is a stable platform, however, at times we have issues with 'quirks' and bugs that cause issues for our end users and typically are not straightforward to fix. 

Another issue that presents itself is upgrading. Small hot fixes are not problematic. That said, updating to a new version of the OS has been an absolute nightmare and caused significant downtime and a number of issues - not to mention wasted engineering time. Simplify the upgrade process and they may regain confidence in this area!

I'd like to see more use of applications and URLs in security policies moving forwards.

I've worked with the solution for seven years across two different companies.

The stability is good, yet it could use some improvement.

The scalability is very good.

It has always been slow and difficult to use technical support. It depends on a case-by-case basis, however, you have to chase and manage the case yourself or it will go nowhere. This likely comes down to a lack of experienced agents.

Neutral

We previously used Cisco ASA. We switched due to the fact that Cisco's product was very hard to manage and lacked any real intelligence.

The initial setup is complex. A very large and multifaceted environment will always be complex to configure.

We used vendor support and account teams and in-house technical engineering.

It's expensive, however, compared to the cost of not protecting the network properly, it's worth the cost.

We looked at Palo Alto, Fortinet, and Cisco.

Carefully consider the vendor before making a leap. It's very difficult and costly to change vendors at a later date.

We use the Check Point Next Generation Firewall for whitelisting and blacklisting of addresses. It's part of our identity management solution and is utilized for inbound and outbound traffic services. 

Additionally, it is integrated with our DMZ, managing traffic from an IP addressing scheme. We also use it for monitoring different types of classified and nonclassified applications.

Check Point has improved our organization's ability to manage both classified and nonclassified applications securely, ensuring they pass through multiple layers of security within our firewall infrastructure.

One of the most valuable features is the ability to whitelist and blacklist sources to control access to our ecosystem, ensuring secured SaaS application access. It provides robust security across classified and nonclassified applications and integrates well with our existing infrastructure.

The graphical user interface (GUI) could benefit from some updates, although it is generally satisfactory in its current form.

The solution is stable, and I have the utmost confidence in its software stability.

The application is very scalable, allowing us to manage security across different network layers and support various applications and activities.

Customer support quality depends on the person you interact with. However, the support team we engaged was knowledgeable and well-versed with the application, allowing us to resolve any potential issues effectively.

Positive

We switched to Check Point due to cost and maintenance benefits. The previous solutions required significant resources to handle network and communication alignment during upgrades.

The initial setup is straightforward, with no significant issues arising from the box configuration.

Our implementation team comprised about thirty individuals, including supervisors for each stage, to manage testing, validation, staging, and production.

We conducted a detailed analysis and determined a high return on investment. Maintenance and stability were key factors contributing to a favorable ROI.

We found the pricing reasonable, ensuring the product was not overpriced. However, I am not familiar with the exact cost details.

I would absolutely recommend this solution to others for its robust security and scalability.

I'd rate the solution ten out of ten.

We needed stateful inspection, logging, integration with Active Directory, and the ability to monitor devices using standard SNMP for use cases. Now, with the tool's Skyline product and OpenTelemetry, we can monitor it through Prometheus and Grafana. It has all the features we needed when we certified the solution.

Integration with Active Directory, IPS, standard VPN, and the firewall itself are the most valuable features for us. We haven't yet certified or aren't using Application Control, anti-bot, or anti-virus features.

Significant improvements have been made in the product. I started working with the R65 code and then upgraded to R74.40. When they transitioned from R77.30 to R80.x, they made major back-end modifications, switching from a flat file system to Solaris and Postgres. This was a big step that neither customers nor their support staff were fully prepared for.

Now, they're adding more features due to the increased flexibility of the new back-end. The main improvement I'd suggest is better preparation when introducing new features. Before releasing, they must train their support staff to troubleshoot these new features. The transition from R77.30 to R80.x was problematic due to a lack of preparation by Check Point, customers, and support.

Sizing is crucial, but we've never had issues with the products we've sized for each environment. The Maestro solution provides a lot of flexibility. On a scale of one to ten, with ten being the highest scalability, I'd rate it a ten.

I use Palo Alto firewalls. Check Point NGFW was the first to invent the stateful inspection firewall. They focus more on security and try to keep their motto of "keep security simple". They don't get bogged down in marketing or complicated terminology when using their products.

Even enabling a firewall blade on Palo Alto requires learning about different sync ports, how sync ports differ between chassis, and navigating through multiple GUI tabs for configuration. It's not as straightforward.

On the other hand, Check Point NGFW has kept things very simple for deployment. You set it up once, and then you can repeat the same process repeatedly.

On a scale of one to ten, with ten being the easiest, I'd rate the initial setup as ten. The process is straightforward: you rack and stack, configure the management code, create a standard policy, establish SIC, and push the policy. This process has remained consistent over the years.

For deployment, it took us longer than the typical two weeks because we had to design solutions for different scenarios. Check Point offers various options, such as clustering solutions, Maestro solutions, and standalone solutions. We had different use cases—some required standard clusters with ClusterXL, while others needed scalability solutions like Maestro. We also had to factor in sizing considerations.

The certification process took about the same amount of time as other products. We've been using the Maestro solution for a while now, so when new platforms are released, there isn't much change required beyond certifying the new hardware and ensuring backward compatibility with our certified solution.

Initially, it took a little more than two weeks to certify. However, the actual deployment still follows the same standard process and is actually easier now than it was in the past.

We call the team responsible for deploying certified solutions to the service delivery team. It's made up of two groups: build services and service delivery. The build services team works with our networking team to ensure our network and peering devices are set up right to host the firewall.

The service delivery team focuses more on the firewall itself. We need about three or four extra people from build services for firewall deployment. They act as go-betweens with the network team, ensuring our firewall solution works well with the peering devices when we put it in place. The build services team is important because they ensure everything fits together properly when we set up our firewall.

For maintenance, the solution is pretty stable. We have a global team, but a separate team handles regular firewall changes and daily operations. For support, we have about ten people total - three groups of three people each. This team manages around 1200 firewalls, including Check Point and Palo Alto devices.

Check Point NGFW is much cheaper than other platforms, including Palo Alto. Its scalability, especially with the Maestro solution, is a big advantage. If you're looking for good security at a reasonable price with a good return on investment, I believe Check Point NGFW is the way to go.

I've been dealing with Check Point NGFW for my entire career. I started with their Stateful Inspection feature. The term "Next Generation Firewall" is just marketing. Check Point's UTM product was designed from the ground up with next-generation features. They have a feature called Blaze. Besides stateful inspection firewalls and VPNs, they offer IPS, application control, URL filtering, antivirus, and antibot. You can also integrate it with third-party tools like Active Directory for authentication. This combination of features is what's called a next-generation firewall.

Other vendors use terms like app ID or user ID. They focus less on ports and more on ensuring services match their intended use. For example, if port 22 is enabled, it should be for SSH service, not something else. We use both Check Point NGFW and other products. I think if you commit to one vendor's approach, it can be hard to switch late.

We use the solution for our data center firewall on-premises. We have deployed a VSX Cluster that currently holds three virtual firewalls. We have several site-to-site VPNs established with our partners and hundreds of policies applied. 

We had a custom configuration in our previous policy for which we were passing traffic from one VPN tunnel to another transparently. With Check Point we had to create a new virtual firewall in order to keep it working, so from one firewall we ended up with two rerouting traffic from one firewall to another and changing NAT in order to keep this solution running. 

Finally, we created another (third) virtual firewall and configured it to be only a remote access SSL VPN firewall and to be used as a backup if our primary in our HQ fails while the other two firewalls handle production traffic. 

We selected this solution in order to replace the Cisco ASA we used to have. 

The features the CP firewall has combined with a very attractive price led us to this decision. The migration was smooth and all the features we needed have been configured easily and worked as expected. Additionally, the SmartConsole and the Log Event viewer made our every day to day tasks easier. 

Also, we were provided with a trial license for the compliance blade and the IPS which are truly amazing. I believe that the compliance blade will be used soon by our company in order to assist with the ISO certificate we are trying to get. 

Since we have already deployed an AWAF on our premises we didn't use the IPS but the features presented definitely would increase the security level. 

Although we use it as our data center firewall, it would be ideal for our HQ Office with all the security features it provides.

I appreciate the Smart Console for its ease of use and clarity in managing configurations. It's user-friendly and free of software bugs. Smart Console simplifies the management of current policies and objects, making it effortless to track an object's usage or identify unused objects, thus ensuring a tidy configuration. 

Additionally, the hit count feature proves highly valuable, enabling policy prioritization based on usage frequency and facilitating verification of traffic alignment with newly created policies. Furthermore, implementing 2FA for SSL VPN users was a straightforward process, notably without the need for additional costs, unlike the FortiTokens required for our primary SSL VPN.

Additionally, the quick and seamless option to revert to a previous configuration revision is highly valuable. The logs tab serves as a helpful tool for troubleshooting. 

It's worth noting that we've experienced no CPU or memory issues, and the system is highly responsive.

The only downside is that we are not able to have redundant VPN tunnels with our cloud environments. We tried many guides suggested by the CheckMates community and have not been able to easily capture packets in a PCAP file as we used to do with the ASDM Packet Capture Wizard.

Finally, in the past year, we faced severe downtime that lasted many days due to a misconfiguration. Support wasn't able to detect it. We are allowed to add an automatic NAT in an object and install it in all three virtual firewalls that we have. I cannot imagine a real case that needs this option. This option should be totally removed. 

The destination MAC address for this object was flapping between the three virtual MAC addresses of the FW leading to a packet loss in our service up to 30%. Our manager found the root cause at the end.

I've used the solution for three to four years.

In the past four years that we have had Check Point, we haven't faced any stability issues. It is a stable solution.

Our cluster is oversized for our needs so we haven't reached any system limits in order to face an issue or at least observe its behavior. Our solution covers our current needs and can easily handle any additional load.

Technical support is average. From my last experience, it was my manager who found the root cause of the downtime. 

Positive

As noted earlier, our transition to this solution marked a shift from our previous Cisco ASA Cluster setup. Check Point's prominent position in the network industry and the compelling price point offered made it too appealing to overlook.

The initial setup and the configuration migration were done by an integrator who specializes in such migrations. It was complex enough yet very well-planned and organized.

The implementation was done by a very qualified vendor team.

Since I am in the engineering department, I can't evaluate the actual income or costs of handling our production traffic with this solution.

I'm not sure what was evaluated. It depends on the company's unique existing infrastructure and needs.

We evaluated offers for Cisco, Fortinet, and Palo Alto solutions.

We are using physical appliances along with some VSX's in our network. We mostly use firewall only (due to high traffic usage). We are using CP NGFW to protect the company from the internet and also provide security while we are connecting to the internet.  

We have physical clusters that we manage via our company's external connections through S2S. We are managing our core and client networks with separate clusters. Applying security rules and providing NAT when we need it. We are also using CP in our DRC environment to provide SRC and DST NAT with VSX to provide access to machines that have the same IP addresses.

Back when we had a different brand of firewalls, we were having trouble managing all of them separately. With Check Point's HA capability, we merged all of our Check Point firewall management. With this, we can apply a viable DRC solution that our company needs and also manage, view logs, and administer all of the components together.

With the capable appliances, we don't experience any CPU and Memory utilization most of the time. With the help of new versions, Check Point is moving forward. We hope the upcoming version will provide hyper flow, and this will solve our elephant flow problem.

The solution offers a good GUI. It is easy to use, smart, simple, and user-friendly.

The client VPN and S2S VPN capabilities are great. Check Point's mobile access provides us with flexibility. We don't have a single point of failure regarding the VPN access points anymore.

We can use Check Point NGFW physically, virtually (with Check Point VSX), and on the cloud with CloudGuard. We have most of the features available even within these different environments.

We can apply SAM Rules (without installation needs), and Custom Intelligence Feeds.

It has good API support and provides value when you need it. 

The API support is good. However, Check Point needs to focus on more prepared scripts for some tiresome actions. Other vendors provide this, including Palo Alto). We are in a big organization now, and we need good tools to maintain stability and get rid of the objects and rules that we don't use.

If you are working within a big organization, you may have some CPU and memory utilization problems. Most of the time, we are encountering these kinds of problems, and due to that, we can't use other features and blades other than the firewall or threat prevention.

I find Check Point's log experience a little tiresome as it does not provide information with limited blades enabled. We'd like to see information around session time, sent and received bytes, etc. Even if you manage to get some data, you may find it not very reliable.

I've been using Check Point's NGFW and its features for about five years. 

I found Check Point's stability a little bit so-so. Not that good, not that bad. Most of the time it is reliable. We had lots of problems before due to the utilization of our firewalls. Most of the time, the hotfixes provided the solution. However, applying hotfixes and getting in touch with the R&D when needed may be tiresome.

It's pretty good. The HA Features provide a good solution so far, and with Maestro it will perform better.

I had the chance to work with Fortigate and Palo Alto Firewalls before. Due to the stability and know-how regarding Check Point, we chose this vendor.

We always believed and saw that the money we spent on Check Point was not in vain.

We have around 500 firewalls all around the world with a global team to manage them. We are using Check Point NGFW for Internet traffic, IPS, and UTM devices.

Atos provides this solution, including network design and advice.

• Antivirus
• IPS
  
• They got the logs into one site, which is wonderful.
• There is a secure action line code that you can announce your products in.
• If you have a number of sites, like a hundred sites around the world, you can deploy multiple VSX testing. 
• All over the world, you can have DMZs in data centers, e.g., in the USA, Dubai, and London. 
• It is easy to deploy and upgrade. 
• Easy to manage, e.g., if there is a new engineer onsite, they can easily manage it.

In a VPN setup, we have Internet connection via Check Point. The connectivity is not turnkey like competing devices. We have not yet terminated our site-to-site VPN because things are fluctuating right now and Check Point needs to be upgraded. Also, their troubleshooting needs to be improved for this. 

I have been using it for five years.

I haven't seen any stability issues, though I have seen some issues with the management of the gateway. Stability-wise, it is good (a nine out of 10).

We have 74 locations. We can have 10,000 users maximum via an Internet gateway. We have four data center across the world: two in USA, one in London, and one in Dubai. Passing through Check Point per location: in the USA - 5000 users, in London - 2000 users, and in Dubai - 10,000 users.

There are 12 network security engineers/consultants managing Check Point and the legacy firewall, SonicWall.

Right now, we cannot go directly to Check Point because of vendor dependency. We have to first initiate with our vendor.

We migrated SonicWall to Check Point about two years back. That took one year to set up in our organization. 

We switched away from SonicWall because it is a legacy firewall at end of life. SonicWall was missing features that Check Point has, like UTM, IDS, IPS, antivirus, etc. Check Point is better for protection and performance-wise.

It is easy to deploy or upgrade. There is no need to do this manually with commands. This solution can be set up online.

We have two devices. Right now, we are deploying and upgrading a new setup, where you can do management, management plus gateway on the device, or virtually you can install your management device on VMware or Hyper-V. With the Hyper-V and the Management Server, you can access all the gateways. For the Management Server and gateways, we have an activation key.

We are an IBM OEM company who received installation support from that vendor. They provided all the network connectivity.

For our implementation, we:

1. Started with an initial diagram of the configurations and what we want to see after the installation.
2. Segregated the SonicWall and Check Point tools for the migration since we used automation.
3. Checked the mode of installation. We went with transparent mode.
4. Collected the IPs for the firewall. It required multiple IPs because with we have cluster nodes.
5. Assessed the feasibility of Check Point in our environment.

For our strategy, we looked at:

• How many users are in all our offices? For example, is it a small office, mid-size office, or data center?
• Using high-end versus lower-end devices, e.g., lower-end devices means a smaller price tag.

A smaller office of less than 500 people would get a 4000 Series. Whereas, a larger office would get a 5600 or 7000 Series. We have to be focused on the natural topology.

We have had some vulnerabilities when we upgraded the R80.30 Management Server. We have some gateways right now in our R77.30 version, and this means if we go without license in R80.30, then it will prompt a bad connection and terminate. We have had some license difficulties with the connection going from R70 to R80. However, these don't largely impact performance.

We looked at Fortinet and Palo Alto. We did not feel FortiGate was capable of what we required. Palo Alto is somehow not as good as Check Point, budget-wise and performance-wise. Palo Alto is more costly than Check Point.

If you need a good support or something that is good budget-wise, then I recommend going with Check Point compared to Cisco or Palo Alto.

It is a good firewall. It has returned good performance. We are happy with the product. I would rate the product as a nine out of 10.

My company is an IT service provider. We suggest customers choose the Check Point next-generation firewall along with other OEMs for their environment. Once they choose (and confirm the product with model capabilities), we migrate the existing firewall to the new firewall. 

I have deployed multiple Check Point products. Based on my experience and its effective features, I do suggest customers go with Check Point NGFW. I love its security profiles which effectively secure the organization's LAN, DC, and DMZ network.

The solution has improved organizations via:

1. Ease of deployment: We can easily implement and deploy the check Point NGFW.

2. Deep Inspection: It inspects traffic beyond just port number and IP address.

3. Threat Prevention: It has multiple security features and we can enable and integrate these features like IPS(Intrusion Prevention System), Anti-Bot Protection, and SandBoxing.

4. Organizations can enable Multi-Factor Authentication (MFA) in their network environment to verify their identity before they access the network. this feature keeps the integrity of the LAN network.

My favorite feature of Check Point NGFW is its "deep traffic inspection capability" due to the fact that:

1. It provides deep-level control over the network activity, allowing you to prioritize critical traffic first based on organization requirements.

2. It analyzes application behavior to detect suspicious activity.

3. We integrate with Sandbox technology to safely detonate and analyze zero-day threats. 

4. It also blocks the application and prevents them from accessing the organization's LAN network.

5. It gets a regular zero-day signature update.

During my initial level implementation of check Point NGFW, I faced issues troubleshooting. The problem was with its command line. 

Check Point runs on Linux and its command line is Linux-based. However, at the time, I was not familiar with Linux commands, and I invested lots of time in finding the Linux command and understanding the meaning, then went for troubleshooting.

It would be very helpful if the OEM provided all the Linux commands in a way that we could easily understand and follow the steps to configure or troubleshoot the issue using the command line.

For the last year, I have been implementing and deploying Check Point NGFW in multiple client environments. 

Its NAT automation and routing intelligence are excellent. We are not required to configure NAT rules separately; we can enable them while creating an object. We are also not required to configure reverse routing for LAN subnets.

At this time, Check Point NGFW is more stable than other options.

The scalability is wonderful.

Customer service and support are good. However, they can be enhanced.

Positive

We do not choose the solution. Rather, we provide multiple solutions to the customer.

The solution is easy to implement.

We are from the vendor side. We can help implement the solution. 

As of now, everything is good as per the market scenario.

We did not evaluate other options.