Check Point NGFW Reviews

Check Point NGFW needs to run marketing events. They have also to set up a support center in India. 

I have been working with the product for 12 years. 

I rate the tool's stability a ten out of ten. 

I rate the tool's scalability a ten out of ten. 

I rate the tool's initial deployment a nine out of ten. 

Check Point NGFW is expensive. 

We have customers from medium and corporate enterprises. I rate the solution a ten out of ten. 

Our customer has been the best in stock trading; they observed that in peak hours or business hours buying and selling the stocks was time-consuming.

When they reached out to the firewall team, we checked the disk space, memory, and HDD we didn't notice much difference.

However, we monitored the interface utilization, and 1 GB was choking up and being consumed. The cpstat status on the interface level monitor and bundling the multiple interfaces fixed the issue.

We have been fixing the performance and also found that the solution offers:
1. A user-friendly dashboard with all the information available in front view and we view according to our requirements in graphical, statistically, etc.
2. Check Point firewall can combine all locations in one Check Point management console so that we can monitor everything with alert configuration.
3. We have multiple options for SIC resetting.
4. We can monitor the complete organization (for RAM, Memory, Disk, and CPU) and alert handle monitoring. We can now easily handle failovers.

The Check Point firewall features for Next Generation Firewalls are excellent. Through scripts, we can easily push firewall rules, extract, and import as per availability. Scripting is the best way to support the firewall functionality and it's been supported by all major versions. We can monitor all types of logs (traffic logs, management logs, and active logs). 

The firewall is EDR-supported; we can block or allow the URLs as per phishing or detection. 

Firewall flow and logs analysis is awesome.  

Bug Fixes and enhancement requests should be remediated earlier, as we have multiple dependencies and auditors are forced to have the latest possible environments.

Check Point's major version should have an extended time than the default time mentioned in the end-of-life policy document with additional prices.

As for deployment, we follow best practices for long-term support services. Tools must be introduced and supportive in analyzing the data, flow, and threats. We have to introduce the scripting part to work seamlessly.

I've been using the solution for more than ten years.

The stability offers high performance.

The scalability offers high performance.

The support is the best in the marketplace.

Positive

We did not use a different solution. It's the best in the marketplace and stronger than any other firewall. We can trust it 100%.

The initial setup was complex.

We handled the setup in-house.

Definitely, every sector [banks, finance, corporate, etc] should have a Check Point Firewall for strengthening/securing the environment.

We did not evaluate other options.

Check Point NGFW is great in terms of functionality. We use it to control the infra outbound/inbound traffic and with it and we can block suspicious IPs directly on our SAM database instead of creating or adding in firewall rules. This not only saves time but also provides immediate protection from malicious traffic without deploying the changes in firewall gateways. 

We used to check who is doing what changes and when. We can now check logs to find why any traffic is blocked, and, if blocked, it gives good details of each error. We can easily organize all firewalls through one smart console.

Its GUI platform is very good. It helps us to divide up the rule base which made it easier to recognize the rules. Its SAM database gives us the amazing ability to block suspicious activity without waiting for the next change window to push the changes. In packet flows, it first checks the SAM database beforehand in order to process the packet further.

The logs give us plenty of detail as to why any packet was blocked or allowed. It really proves the purpose of getting a stateful firewall, showing the context of every packet.

The SAM database, URL/application filtering and IPS, Data Loss prevention, VPN and mobile device connectivity, stateful packet inspection, and unified management console are all useful features. 

It allows us to avoid having to go and log in to each firewall device for creating the rules as it can be done from its central console. We can manage all the firewalls and create rules and deploy them through the smart console which is really good. It helps us avoid creating the same object in each firewall. 

Its auditing features are also good for checking who did what changes and when.

The URL objects take significant time in processing compared to other products like Cisco FTD; it would be better if they could improve it. 

We have seen that whenever we configured URL objects, the CPU percentage went higher. Therefore, we started using IKP-based objects, however, in today's cloud world where every application is in the cloud and they change IPs on a random basis, whenever each new IP change happens, it's too risky to allow the whole cloud subnet (like Google or Azure). They need to therefore fix URL processing times. 

I've used the solution for four years.

I work for a large bank in Australia and the Check Point NGFW is used on the edge of the network. This strategic positioning allows the platform to provide extensive protection to internal systems from the internet, avoiding security threats on the most sensitive places on the network. 

Another factor in the positioning of the firewall is the protection from external partners connected to the internal network through VPN and MPLS tunnels. The solid performance and flexibility allow the platform to be trusted on this strategic spot.

Check Point NGFW has contributed to the success of the organization in keeping data safe through its powerful and flexible security features. 

In conjunction with the Check Point Management Platform, the firewalls provide an easy-to-use platform that facilitates and creates agility in the operation. The easiness to operate the platform creates a great value for the operation since it is easy to train people to work with the platform. 

Agility is also a key factor for the rapid response to business needs.

Even though Check Point NGFW provides a set of security features that enforce protection on the network, the most valuable aspect is also the most used feature: the plain and simple firewall component. This is the core of the product and works to a great extent without the need for all other available bells and whistles. 

What may sound obvious is actually an important point to be weighed, since several platforms in the market promise miracles but fail to deliver the basics. Check Point NGFW most definitely delivers a great, stable platform in that regard.

Although the GUI is simple to use and fairly comprehensive, more support via CLI would be beneficial for bulk operations. Repetitive tasks can surely be explored via API, however, oftentimes, tasks that are not worth automating can take longer than expected via GUI, while it could be easily tackled via CLI.

There should be better and more comprehensive reporting. This would also bring a lot of value to the platform by enhancing its capability of bringing transparency to the network.

I've used the solution for about three years.

The most recent software version is stable and reliable. There have been some issues in past versions, however, there have been no big ones in the most recent releases.

There are good scalability options through virtualisation. The platform can be expanded to multiple segments.

The support provided by the vendor either via professional services or an engineer is always spot on. They are quick to act and help.

This platform was already being used when I joined my company.

The initial setup can be cumbersome.

We did the implementation with vendor support.

As the platform delivers competent security enforcement with simplicity, the ROI is great. The easy-to-operate nature of the product means fewer hours spent by people struggling with things, while the network itself is constantly kept safe. 

The use of virtual firewalls within the platform should be considered for horizontal scaling and in order to increase the product's cost-effectiveness. 

I was not part of the evaluation process.

This is a great and stable platform overall. Performance and simplicity make this a good choice for any size of company.

We primarily use the solution for perimeter security - including DMZ and as an internet firewall. We use Check Point Firewalls as the first line of defense from the internet and they are also used to segregate the internet, DMZ, and internal networks. Check Point VSX technology is used to split the hardware into multiple virtual firewalls to cater to different environments so they are well segregated. We have BGP running on the firewalls, such as all of our network devices in our environment, to learn and advertise routes. Check Point does a decent job with BGP and does an excellent job as a perimeter firewall.

Check Point was brought into our environment as a perimeter security device to replace the Juniper NetScreen which was originally used as the perimeter firewall. When Juniper announced the end of life of NetScreen devices, we decided to go with Check Point mainly because of the ease of management and also because Check Point was an Industry leader and Juniper was still in the initial stages of building their own firewalls using JunOS. With the introduction of Check Point with the VSX features, we could use BGP instead of the tedious static routes that we had in place with the old NetScreen.

The VSX has been great. The ability to split single hardware into multiple virtuals along with support for dynamic routing using BGP is very useful for our environment.

We like the management console. The Check Point smart dashboard has made things easier for administration and we've been able to manage all the Check Point devices from one place which is very useful.

The operations support is great. There is a smart log system that is very good for troubleshooting and reporting. We also use the CLI for troubleshooting purposes (for the likes of FWMonitor and tcpdump) while the FW rules are managed via the smart console which does wonders for operations support.

It is common for any network device to compromise on stability when more and more features are packed into it. It may work for small organizations when they want a single device to do everything for security. However, it is a big issue for us as a large financial institution when even a small outage costs dearly. Check Point, being our perimeter firewall, has failed quite a few times mainly when handling BGP. I would like less CPU-intensive features to be introduced to replace the existing heavy-duty processes. They may already have a lot of features, so the enhancement of existing features could focus on robustness rather than introducing new features.

I've been using the solution for three years.

With the upgrade to R80, the solution has become more stable. We have had outages because of the gateways failure while running BGP with older versions. After the upgrade, we havent had such outages.

With the latest upgrades of R80, Check Point has bettered its performance, and hence, scalability has improved a lot. Also, there are multiple NG features that can be utilized that makes it more suitable for multiple solutions.

They offer very good customer support; they're always available and capable.

We previously used NetScreen and they were at their end of life.

Check Point has its own design that is a little complex compared to other products. This has a 3-tier architecture and we need management servers and gateways separate. I would still say its not much of a hassle building it.

We handled everything through Check Point PS. They were very good.

I can't really comment, as I do not have much idea about this space.

The solution is priced well in the market in order to compete with the other products.

I wasn't in the organization when the evaluation happened. However, I know Juniper SRX was one of the solutions looked at as we are using them for our internal firewalls.

For the SMB appliances, the use case is tricky because I don't actually like them too much. If you have a very small branch office, you could use one of them, but in that case I would just go for the lowest version of the full GAiA models. But for small locations that are not that important, it is possible to use one of the SMB appliances, the 1400 or 1500 series. 

The full GAiA models, starting with the 3200 and up to the chassis, are the ones we work with the most, and you can use them in almost every environment that you want to secure, from Layer 4  to Layer 7. The only reason to go higher is if they don't perform well enough, and then you go to the chassis which are for really big data centers that need to be secure.

About a year or a year-and-a-half ago, they introduced the Maestro solution, which gives you the flexibility of using the normal gateways in a way that you can extend them really easily, without switching to the chassis. You can just plug more and more gateways into the Maestro solution.

It's difficult to say how these firewalls have improved our clients' companies because a firewall isn't meant to improve things, it's meant to make them more secure. Nine times out of 10, it's going to give you something that the end-users aren't so happy with. But Check Point Next Generation Firewalls improve security and, indirectly, they improve the way users work. They can access practically everything on the internet without being concerned about what's going to happen. They give users more confidence when doing something, without having to worry about the consequences because the gateway is going to help them out where needed, preventing malicious stuff.

The feature I like the most is their central management, the Smart controller which you can use to manage all the firewalls from one location. You can get practically all information — but not all the information, because not everything has been migrated from the previous SmartDashboard version into the SmartConsole. Being able to access almost everything in one location — manage all your gateways and get all your logs — for me, is the best feature to work with. 

As for the security features, that depends a bit on what you're doing with it, and what your goal is. But they're all very good for application URL filtering. Threat Prevention and Threat Extraction are also great, especially the Threat Extraction. It's very nice because your end-user doesn't have to wait for the file that he's downloading to see if it's infected, if it's malware or not. It gives him a plain text version without active content, and he can start working. And if he needs the actual version, it will be available a few minutes later to download, if it isn't infected. That's a great feature. 

Anti-Bot also is also very nice because if a PC from an end-user gets infected, it stops it from communicating with its command and control, and you get notification that there is an infected computer.

It's difficult to distinguish which feature is best, because they're all good. It just depends on what your goals are. As a partner, we are implementing all of them, and which ones we prioritize depends on the client's needs and which is the best for them. For me, they're all very good.

The MTA (Mail Transfer Agent) may not be the greatest, and the full proxy that you can activate instead of just doing application control is also not the greatest, but they don't even recommend using those. They're just available if you want.

But the biggest improvement they could make is having one software to install on all three levels of their products, so that the SMBs, the normal models, and the chassis would all run the same software. Now, while there is central management, everything that has to be configured on the gateway itself works differently on the three kinds of devices. That is a bit hard because you have to update your skills on all three.

A practical example is that I have a client that I run scripts for to get information from 40-plus firewalls. That client is thinking about refreshing and there may be SMB appliances in the roll-out that don't run those scripts. That would make my job a lot harder. So the best improvement would be standard software on all their devices.

I started working with Check Point firewalls in 1999, so it's been about 20 years. In the last year I have worked with all the SMB appliances, through the full GAiA and up to the 64000 series.

There's not much difference between a Check Point 3200 and a 5200 because they're running the same OS. There are just performance differences. So I can't say I've worked on every model, because I don't always check the model when I come to a client. But I've worked on every model that runs different software. I've worked with all three kinds of software that are used by Check Point.

The SMBs have room for improvement in stability. They're not as stable as they could be.

The chassis are great, but they are running behind. Maybe "running behind" is an overstatement, but the roll-out of new features on them is really slow because they want them to be tested and tested and tested. The clients installing these chassis are large banks or very large customers that can't have any downtime whatsoever, so it's normal that they test them more thoroughly. 

For the mainstream models, we do run into bugs on a regular basis, but they're mostly not showstoppers. You can run into a bug, but either there's a possible work-around or it doesn't impact things so much that there are huge problems for the client.

The SMBs are not scalable. New devices come out from time to time that are more performant. The mainstream devices are also not scalable except if you go with the Maestro version, and then you can just plug in an extra firewall and it scales up. With the chassis you just plug in an extra blade and it scales up also. So the Maestro and the chassis are very scalable, but for the other models it comes down to buying new boxes if the current ones aren't sufficient anymore.

Check Point support is a very difficult question because not so long ago I had a major complaint with Check Point about their support. Now, they give us much better support because we have the highest level of partnership. They recognize that the people from our team, in particular, are very skilled, so we don't go to first-level support anymore. The moment we open a ticket, we get tier-three support, and that is good.

But we haven't had this privilege for that long and, in the past, support could be a bit tricky. If we got a tier-one engineer it could be okay for support that wasn't urgent but if we were doing an implementation, especially since we had a lot of experience, they were mostly asking questions about things that we had already checked. Often, we had more knowledge than they did.

For us, it's great that we now immediately get access to tier-three. I just wrote an email to the support manager this morning about an issue we had last night, and I told him the support was great; no complaints anymore. It took a while, but now it's good. I can't complain anymore.

It depends on the partnership you have with Check Point. If you're a lower-level partner, you have to go through the steps and it takes a bit of time. If you're working in a company that has a good partnership and you can negotiate some things, then support is good and you get very good people on the line.

The initial setup of these firewalls is fairly straightforward for me, but they're not the easiest ones to learn and to set up. But I've been working with Check Points for 20 years. So if you're a new user, I wouldn't say it's easy. If you have experience, it's not really that difficult. But the learning curve is higher than some of the competitors.

The time for deployment depends on the features you want to enable on the firewall and the environment you want to put it in. If it's a branch office with a small network, a DMZ and an internet connection, that would take half a day or a day. It also depends though on if it is a completely new installation where you also have to install a Management Server. On average, we count on about one day per gateway and one day for the management, but it depends on the complexity of the environment, of course.

Our implementation strategy differs per client, and it even differs by the engineer who does it because everyone has his own skills and tricks from the past that they're using. But a uniform implementation approach, especially for different clients, is very difficult to do because every firewall is a complex product. You can't do for client A what you're going to do for client B.

If it's an installation we go the standard route, with a high-level design and get it approved by the clients. Then we go for the low-level design and implementation. A standard implementation is a clustered environment with a separate Management Server. We almost never deploy one gateway, so one cluster with a separate Management Server is the most basic level. We usually set up the management on a virtual system, not an appliance, and we try to go for appliances for the gateways, depending a bit on the customer's needs; it could be virtual.

Make sure you get the correct license. For instance, I did an audit for one of our clients recently and I saw that they always were buying the most expensive license and not using the features that were included in it. That's one thing to look at: If you're not going to use some features, don't buy the license related to those and go for a cheaper license. 

Also, negotiate. There's always room for discounts.

You get licensing bundles, so depending on which features you want to activate, your license is going to be more expensive. Some things, like Threat Extraction and Threat Emulation, require subscriptions. They don't come with a standard firewall. 

I'm not a licensing expert, but as far as I know there's the standard firewall, the Next Generation Firewall, and then the Next Generation Threat Prevention license. The price goes up in those bundles.

Another vendor I work with and have the most knowledge about, when compared to Check Point, is Palo Alto. They force you to work a bit more with applications instead of ports, although that's not something Check Point cannot do. 

The central management is different for Palo Alto. You can install it, but it doesn't work the way it works with Check Point. I like both. I like that with the Palo Alto you just go to a web browser and can configure the firewall all the way, but it's also easy to have the SmartConsole from Check Point where you can manage multiple devices. Palo Alto doesn't really have that. They have a central manager where you can get logs and where you can distribute some policies, but it doesn't work the way Check Point's central management does.

Both have their pros and cons. It depends on how you like to work. I like working with both of them. It's a bit different, but in terms of security and features, I don't think they're that different. It's just another way of working.

Make sure you have a good partner doing Check Point work for you because, as a direct client, it's very hard to get the necessary skills in-house, unless you're a very big company. Contact Check Point and ask them which partner they recommend and go that route. Don't try to do it yourself. The firewall is too complex to set up and maintain yourself, without the assistance of people who do it every day.

Learn and get experience with it. Don't be overwhelmed. When you start with it all the features and all the tips and tricks that you need to know to maintain it, it can be overwhelming. Like I said, the learning curve is very steep, and when you start with it, it's going to look like, "Whoa, this is impossible." But stick with it and when you get some experience it's going to be okay. It's a difficult product, but once you get the hang of it, it's one that's really nice to work with. We still run into issues from time to time, but Check Point products are very manageable and fun to work with. Check Point is my favorite vendor. I like working with it a lot.

I would rate Check Point's mainstream solutions at eight or nine out of 10, and the same for the chassis. I would rate the SMBs around a six. I don't really like those too much. Overall, Check Point is an eight, because most people are going for the mainstream solutions and those are very good.

We have a big environment with nearly fifteen multi-vendor clusters. We are using firewalls mainly for layer three access rules. But nowadays, application-layer-based security and threat prevention are also important. We are using IPS and antivirus blades actively, too.

In the Intrusion Prevention System blade, we are using a lot of different signatures and actions according to the impact, severity, and cost of the specified signature. The antivirus blade is also in the same logic as the Intrusion Prevention System.

Multilayered protection is provided thanks to Check Point. For instance, security is achieved both on the endpoint side, as well as the firewall side.

Another example is that we can prevent critical and high-risk applications from being reached through the internal network by utilizing the application blade.

All of the blades, except URL filtering, are in the same interface and provide big savings when leading the security operations.

Firstly, inline layer technology is helpful because it will classify the traffic according to different security groups. This means that we can isolate them totally and it will also prevent human error because you are limiting source, destination, service, and application parameters at the top of the inline layer rule.

Check Point is very administrator-friendly and the SmartDashboard is easy to use.

The Blades and security features are also very innovative and up-to-date.

With the IPS blade, the administrator can write signature-based exceptions for specific users. This provides flexibility to except specific connections from specific signatures.

The cloning and copy/paste operations are very useful.

The SmartUpdate interface is a little bit crowded if your company has a lot of software items.

As an administrator, one should know how to troubleshoot by issuing related CLI commands before or after upgrading gateways, or the management server, in case of a problem.

Hardware problems on Check Point devices, such as those related to NIC or disk problems, may occur at times. In cases such as this, the support team is available and does what is needed, including the RMA process if necessary.

We have been using Check Point for 10 years.

In my opinion, scaling is very important and it must be done ahead of time. I would suggest considering scale three years in advance, as opposed to just the present.

We did not use another solution prior to this one.

Licensing issues may be confusing at times.

We did not evaluate other products before choosing Check Point NGFW.

Our customers primarily use it to safeguard their organization's network against malicious activities and closely monitor user internet usage. The key objectives include implementing controls on web and application usage to restrict unwanted activities among users.

The primary advantage stems from the precision of the application engines. Customers can rest assured that unwanted infiltrations into their organizations are unlikely due to the advanced nature of the IAV engines. The algorithms employed are notably stringent, and while they may not be publicly disclosed, they play a crucial role in thoroughly scanning all incoming network traffic. Leveraging this technology, customers can swiftly and effectively protect their LAN network with Check Point.

Its most significant strength lies in its superior threat detection engines.

I would highlight the need for enhancements in technical support services.

I have been working with it for four months.

I found it to be reliable and stable.

It provides good scalability. In total, we are responsible for around three hundred and fifty endpoints.

Our experience with their customer support is not very satisfactory. We've encountered an incident at one of our customer sites, and despite reaching out for support and raising the issue with them, we haven't received a satisfactory solution from the support team in the past three months. I would rate it three out of ten.

Negative

Compared to other vendors such as FortiGate and Kaspersky, Check Point's protection engines stand out for their intuitiveness. However, the drawback lies in the pricing.

In our deployment process, there are two methods available: standard and distributed. The predominant choice in our country is the standard deployment, utilized by approximately ninety-two to ninety-five percent of our customers. In the standard deployment approach, a separate server is configured with three ports, situated between the firewall and the switch. Configurations are not directly applied to the firewall; instead, they are made on the server. After completing the configurations on the server, the changes, such as creating new firewall rules, are not immediately connected to the firewall. Instead, they go through the server, where calculations are performed, and the configured rules are loaded. If a misconfiguration is detected, the server notifies us, highlighting any inaccuracies in the rules or policies. This preventive measure helps avoid applying flawed configurations directly to the firewall. Regarding the ISMP modules, I believe a single individual is sufficient. Given some time for research, this person should be able to deploy it efficiently for me. The deployment time varies depending on the configurations. Maintenance primarily involves updating the firmware; aside from that, there are no additional requirements.

The greatest value is evident when an immediate threat targets your organization. Check Point firewalls excel in preventing such attacks, thanks to their highly advanced protection engines.

It is a notably expensive product in our country compared to FortiGate and other servers. The support services, licenses, and the additional requirement for another license to avail 24/7 support from Check Point contribute to its overall higher cost.

My recommendation is to allocate time for thorough research when working with it. Relying solely on their support may not be sufficient. Overall, I would rate it nine out of ten.