Check Point NGFW Reviews

We have a big environment with nearly fifteen multi-vendor clusters. We are using firewalls mainly for layer three access rules. But nowadays, application-layer-based security and threat prevention are also important. We are using IPS and antivirus blades actively, too.

In the Intrusion Prevention System blade, we are using a lot of different signatures and actions according to the impact, severity, and cost of the specified signature. The antivirus blade is also in the same logic as the Intrusion Prevention System.

Multilayered protection is provided thanks to Check Point. For instance, security is achieved both on the endpoint side, as well as the firewall side.

Another example is that we can prevent critical and high-risk applications from being reached through the internal network by utilizing the application blade.

All of the blades, except URL filtering, are in the same interface and provide big savings when leading the security operations.

Firstly, inline layer technology is helpful because it will classify the traffic according to different security groups. This means that we can isolate them totally and it will also prevent human error because you are limiting source, destination, service, and application parameters at the top of the inline layer rule.

Check Point is very administrator-friendly and the SmartDashboard is easy to use.

The Blades and security features are also very innovative and up-to-date.

With the IPS blade, the administrator can write signature-based exceptions for specific users. This provides flexibility to except specific connections from specific signatures.

The cloning and copy/paste operations are very useful.

The SmartUpdate interface is a little bit crowded if your company has a lot of software items.

As an administrator, one should know how to troubleshoot by issuing related CLI commands before or after upgrading gateways, or the management server, in case of a problem.

Hardware problems on Check Point devices, such as those related to NIC or disk problems, may occur at times. In cases such as this, the support team is available and does what is needed, including the RMA process if necessary.

We have been using Check Point for 10 years.

In my opinion, scaling is very important and it must be done ahead of time. I would suggest considering scale three years in advance, as opposed to just the present.

We did not use another solution prior to this one.

Licensing issues may be confusing at times.

We did not evaluate other products before choosing Check Point NGFW.

We use the product for safeguarding our office network on a routine basis. These firewalls protect against external threats, manage VPN access for remote users, and address various security scenarios. 

Our primary focus involves malware prevention, intrusion detection, and ensuring robust security measures to shield our office network from potential cyber threats originating from the internet. 

It serves as a traditional yet effective security system, providing comprehensive protection against hackers and potential risks associated with internet usage.

A lot of things need to be improved in Check Point NGFW. For example, their support team isn't very efficient and useful. The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess. 

Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. And visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, Mac addresses, and sometimes usernames. More granular detail is crucial for security. 

Support efficiency, visibility, and adding competitive capabilities are key areas for improvement.

The product offers a robust and intuitive experience, catering to the essential needs of users. 

The Cleanup Rule's ability to discard unwanted traffic and the inclusion of default Autonomous Threat Prevention Profiles simplifies security measures, catering to various deployment scenarios. I was impressed by how easy it was to activate blades and implement them on a security gateway, with the process taking less than five minutes. 

Additionally, the Smart Console's clear and efficient user interface ensures that the changes to the policy are swiftly made, with the added benefit of maintaining proper audit logs.

Places for improvement include:

• Having a Zone Alarm and the standalone endpoint VPN that become compatible products.
• Having a Smart Console in-place upgrades with IP/fingerprint retention.
• Offering a Mac version of Smart Console.
• Integration of CPview and things like fw accel stat in the monitoring blade.
• No more legacy SmartDashboard for some features.
• Streamlining of the endpoint solution and deployment options and also offering the possibility to convert shared policy to unified policy when you run R80.X via some sort of wizard in a layer or so. This is a classical case for people who upgraded their R77 management.
• Offering a fixed deployment schedule for accumulator hotfixes. This would help us foresee maintenance windows in organizations with rigid change management procedures.
• Finding a way to restore the object search like in R77, where you could find any part of an object name and not a word in the object.
• Scheduling policy pushes in Smart Console.

I've used the solution for ten years.

Our customers primarily use it to safeguard their organization's network against malicious activities and closely monitor user internet usage. The key objectives include implementing controls on web and application usage to restrict unwanted activities among users.

The primary advantage stems from the precision of the application engines. Customers can rest assured that unwanted infiltrations into their organizations are unlikely due to the advanced nature of the IAV engines. The algorithms employed are notably stringent, and while they may not be publicly disclosed, they play a crucial role in thoroughly scanning all incoming network traffic. Leveraging this technology, customers can swiftly and effectively protect their LAN network with Check Point.

Its most significant strength lies in its superior threat detection engines.

I would highlight the need for enhancements in technical support services.

I have been working with it for four months.

I found it to be reliable and stable.

It provides good scalability. In total, we are responsible for around three hundred and fifty endpoints.

Our experience with their customer support is not very satisfactory. We've encountered an incident at one of our customer sites, and despite reaching out for support and raising the issue with them, we haven't received a satisfactory solution from the support team in the past three months. I would rate it three out of ten.

Negative

Compared to other vendors such as FortiGate and Kaspersky, Check Point's protection engines stand out for their intuitiveness. However, the drawback lies in the pricing.

In our deployment process, there are two methods available: standard and distributed. The predominant choice in our country is the standard deployment, utilized by approximately ninety-two to ninety-five percent of our customers. In the standard deployment approach, a separate server is configured with three ports, situated between the firewall and the switch. Configurations are not directly applied to the firewall; instead, they are made on the server. After completing the configurations on the server, the changes, such as creating new firewall rules, are not immediately connected to the firewall. Instead, they go through the server, where calculations are performed, and the configured rules are loaded. If a misconfiguration is detected, the server notifies us, highlighting any inaccuracies in the rules or policies. This preventive measure helps avoid applying flawed configurations directly to the firewall. Regarding the ISMP modules, I believe a single individual is sufficient. Given some time for research, this person should be able to deploy it efficiently for me. The deployment time varies depending on the configurations. Maintenance primarily involves updating the firmware; aside from that, there are no additional requirements.

The greatest value is evident when an immediate threat targets your organization. Check Point firewalls excel in preventing such attacks, thanks to their highly advanced protection engines.

It is a notably expensive product in our country compared to FortiGate and other servers. The support services, licenses, and the additional requirement for another license to avail 24/7 support from Check Point contribute to its overall higher cost.

My recommendation is to allocate time for thorough research when working with it. Relying solely on their support may not be sufficient. Overall, I would rate it nine out of ten.

This is a very good application to be able to provide security to our infrastructure in Microsoft Azure. The provisioning through the Azure templates was very good. It is exactly the same security application of Check Point gateways as the one on-premises.

Now we can use the tool to provide granular security between subnets or generate VPNs against other offices, all with the great security that the manufacturer provides us.

The application control provided by the gateways is also very good for our objectives, which were to block some general access applications or categories that are prohibited by the business.

This security tool helps us a lot in the public cloud environment. We can provide perimeter security in the environment now.

We have been able to implement server policies, DMZ subnets, and updates, among others, that are not available for all VNETs, subnets, or servers, and with this, we have greater control.

Additionally, we have created new VPNs against some offices, which are monitored, encrypted traffic, and find it really easy to provide the required service.

Finally, we have created nets for public access to the infrastructure. It has really helped us a lot.

The most important features of this application are:

1- An easy implementation at the virtual level. This helps us to be able to have security in the cloud.

2- The monitor and records are shown from the security management environment, where we can validate many events that happen over time to improve security through the dashboard.

3- There is modern protection against current threats. All new Check Point protection features are included and ready to provide more protection.

4- The licensing includes management service.

The documentation could be better. Sometimes they do not update their manuals effectively. Not everything is the same, and it generates some problems in the implementations.

There's an issue with licensing provisioning within the Check Point NGFW Gateway. It is really difficult to place the licenses correctly, generating additional work or limiting the solution due to poor provisioning.

I would like them to improve the response speed of technical support.

We have used the Check Point Next Generation Firewalls for the last four years.

Four years ago, we had not used an NGFW in Azure. We used the basic security until we could meet and receive support from a Check Point partner.

The best option is to have a partner to support you with quotes, features, and other valuable details. They can guide you via details that Check Point currently does not provide publicly, to make good decisions.

We always evaluate the options. We take into account Check Point, Palo Alto, Cisco, and Fortinet.

The benefits provided by Check Point turned out better than what we requested, which is why this was our first choice.

This is a very good security application, both physically and as a virtual appliance.

We are using Check Point Next-Generation Firewalls to protect and prevent our corporate network and infrastructure from attackers.  We are using NGFWs to filter unwanted and malicious traffic from the internet. Check Point NGFWs provide Layer 7 or application layer monitoring and detection. 

It is a stateless firewall which examines packets deeply and detects any malware or malicious URLs. It greatly protects our infrastructure by acting as a perimeter for our organization. 

Moreover, it has log ingestion and deep packet analysis capabilities. 

Check Point Next-Generation Firewalls improved the security posture of our organization by detecting, analyzing, and blocking unwanted traffic. It blocks any malicious files, processes and URLs due to having deep packet inspection and monitoring. 

Check Point firewalls not only detects anything malicious against it's signatures rather it analyses and monitors all processes running on different machines to detect anything wrong and then block those processes or URLs. 

Log storage gives us insights when required. 

Deep packet inspection, Layer 7, and application layer monitoring and detection are the great features of Check Point Next-Generation Firewalls. They greatly improve and protect an organization, its staff, and its resources. 

Check Point's SmartConsole is a great tool for admins as all firewalls can be centrally managed and all policies can be pushed as and when required by using SmartConsole. Log ingestion and threat hunting are also great functions in Check Point firewalls that enhances and improves a security posture. 

The SmartConsole to manage Checkpoint Next Generation Firewalls takes a long time to load and gets stuck sometimes. It could be due to a lot of rules and policies defined on the firewalls. However, SmartConsole software needs to be improved by having some more functions to make an admin's life easier. 

Log queries are slow and take time to load. 

Query functions need to be improved and should be quick to give the required information. 

There should be filters having drop-down options to use and select during log analysis. 

I have been using Check Point firewalls for more than two years. 

I planned to block traffic from foreign countries, however, Check Point does not have the intelligence to determine VPN connections from foreign countries coming through the local VPN.

I also wish Check Point could be more effective by collaborating with Microsoft to establish a different connection for Outlook cellphones or devices not on the domain. I wish to hide my devices like cellphones only allowing them to connect via capsule, however, it applies to all devices. It works well.

It is an excellent, easy-to-acquire system to protect midsize businesses with up to 100+ users that require a security solution that can scale across corporate networks and give us protections against GenV cyberattacks as the business grows. 

What I recommend the most is its central administration. With the smart controller, you can manage all your firewalls from one location. 

Being able to access almost everything in one location manage all your gateways and get all your logs is great. For me, it's the best feature to work with.

The solution is great for cyber attack prevention, data bridges, and other threats. You need intelligent and effective solutions to minimize cyber attacks and Check Point gave me peace in December when they had an unidentified log4j vulnerability.

Our main benefit was the elimination of a server/VM from our data center and the usage of a cloud solution.

Having all the features on the cloud was also a benefit since some products when migrated to cloud solutions lose some features  - but not his one.

The setup is a little bit rough and requires some technical expertise, however, this is expected with a solution as complete as a firewall and especially a Check Point one.

Sometimes debugging is a hassle. We've had issues with VPN debugging in the past. In the more recent versions, later than R80.10, this seems not to be an issue anymore. 

This year we tried to debug performance issues of the gateways, which was cumbersome. When we finally found the performance bottleneck, it was a licensing issue. 

Check Point uses CPU-based licensing for OpenServer, and buying more licenses helped. However, this is the reason we're upgrading to Check Point appliances next year, as OpenServer becomes pricier every year, and Check Point pushes their customers to use their appliances.

I've used the solution for three years.

We've been using Check Point Firewalls for about nine years, from the early Nokia boxes to the most recent OpenServer architecture. Next year we're finally going to upgrade to an appliance directly from Check Point.

Check Point Next-Generation Firewall (NGFW) is a very good firewall. It is one of the best firewalls that I have used. I would rate Check Point Next-Generation Firewalls (NGFWs) a nine out of ten. 

Also, Check Point has a great architecture, where you can just enable the software blades and deploy a secure service. 

Overall, it provides ease of deployment and ease of use.

All in all, I'm delighted with their security solution. Making configuring numerous layers of security policies easy to use was always one of the things I liked most about their firewall solution. 

You have multiple security layers that build upon each other, from the traditional security policy that is IP and port-based to application security, intrusion prevention, and their latest sandblast cloud-based malware detection. Everything is easily managed through their "SmartConsole" dashboard. 

It's valuable as a next-level network security appliance for your enterprise.

It comes with advanced features like web filtering, app filtering, user-based policies to restrict web and application uses, tunneling, restricting bandwidth uses according to policy, load balancing, etc., and helps to cover almost all network security requirements.

Our IT team has installed a firewall on all of our company's workstations and laptops to keep our own data and our customer's data secure. This program runs in the background and I don't even notice it, but it keeps me secure at work.

Configuration using the command line is not that simple and user-friendly.

There is no email security.

It's a bit confusing to configure at first. An example is having to set up separate source and destination NAT rather than a simple static mapping. Some configurations require accessing multiple different sections rather than being consolidated in one area. License subscriptions are a bit confusing as well for additional features.

The CLI is not very useful.

There's no option to import bulk address objects.

The firewall default rule 0 blocks rule matches to allowed traffic, even though allow rule is written.

I started using this solution in 2009.

I am very satisfied with this product.

I have been using Check Point firewalls for a few years now and I enjoy the interface.

It also integrates great with our other security tools.

The GUI is much more user-friendly than other Firewall vendors.

I use Check Point Next-Generation Firewalls since things are automated and updated frequently. I did not use a different solution. 

It's not the cheapest solution, however, it's one of the most advanced and competent.

I am not responsible for our manager's choice of this product. He said it's the best product to secure our network. 

Check Point licenses work very differently compared to other vendors. We need to purchase each blade in order to make it work, however, we can easily obtain a trial (evaluation) license from Check Point to get visibility for the blade. Check Point tries to maintain relationships with customers and they try to match their price with customer expectations.

We initially started using the Check Point device for the VPN blade.  

After using the VPN blade for several months and using the hardware interface we found it very easy to use.  

The small business hardware device was powerful and easy to set up. We started using the firewall and Nat shortly after that. 

Having additional features like the threat prevention that has IPS antivirus antibot and threat emulation we're all added bonuses. This also gives us a piece of mind for the safety of our business.  

Securing our organization was our main goal. Check Point, with threat prevention which includes IPS antivirus antibot and threat emulation has better secured our business from the internet.  

With the auto-updates made simple and knowledgeable support personnel, it has freed up our time to focus on other IT strategies.  

Utilizing the Check Point support team has allowed us to configure and use other money-saving features like VPN tunneling to remote offices, while still remaining secure in our systems.

Check Point VPN has been most valuable to our organization. Having a hardware solution that allows our remote users to connect securely to our business is extremely valuable. 

The ease of use, setup and configuration backed by the knowledgeable support of Check Point has made this a smooth and easy setup. Our users can get connected securely, anywhere. When connected with our Check Point VPN endpoint, users get the same security and prevention from the threat prevention module as the rest of the devices on our network.

As a small business, IT expenditures are always a tough call and hard sell. With every business connected to the internet these days, firewalls and threat prevention are very important for any business of any size. Check Point's small business devices are a great fit for most any business. However, including some sort of menu or grouping for VOIP would help the small business area that has limited support. Check Point support is very knowledgeable and can also help in this area as they've helped our business evolve as well.

I've been using the solution for 20 years.

The hardware units are solid. It is a stable solution. While you're subscription is active checkpoint fully supports your hardware and will replace if you have any uncorrectable issues.  After 20 years, I've only had to do a hardware replacement once.  Once setup, they just do what their supposed to do.

The solution is very scalable. Configurations can be imported to other units.  Many levels of hardware and software are available.

Customer service has always been very knowledgeable about their products.

Positive

We used to use Norton VPN. We switched due to the fact that we had issues with the system.

The product offers a simple basic setup.

We handled the implementation in-house.

There are different levels of protection and yearly maintenance on offer.

We did not evaluate other options previously. 

The support is great.