Check Point NGFW Reviews

Our primary use cases for Check Point NGFW are for perimeter security and content filtering for browsing behavior.

We have a lot of flexibility now and a leg up identifying zero day threats. We have multiple ways of doing policies now that we didn't have before. The options are more robust over previous products and I would say that we're pleased with the product. The reports I'm getting are that we're satisfied, even impressed, with the options Check Point offers.

Packet inspections have been a strong point. Our Identity Collectors have also been helpful. In many ways, Check Point has been a step up from our SonicWalls that we had in-house before that. There's a lot of additional flexibility that we didn't have before.

We saw a noticeable performance hit using SonicWalls. Whether it's because we've provisioned the Check Point gateways correctly from a hardware standpoint or whether it's the software that is much more efficient (or both), we do packet inspection with very little impact to hardware resources and throughput speeds are much improved.

With SonicWall, after it would calculate inspection overhead, we might see throughput at, and often below, 15%. My network administrator gave me data showing Check Point hovering at 50%, and so we were actually seeing Check Point fulfill its claims better than SonicWall.

Because there's quite a bit of flexibility in Check Point, improved best practices would be helpful. There might be six ways to do something and we're looking for one recommended way, one best practice, or maybe even a couple of best practices. A lot of times we're trying to figure out what we should do and how we should handle a particular problem or scenario. Having a better roadmap would help us as we navigate the options.

The VPN setup could be simplified. We had to engage professional services for that. That's not a problem, but compared to other products we've used, it was a little more complex.

We started putting Check Point NGFW into production late first quarter this year, right before the pandemic hit. We put in two gateways and one management server.

Stability is there especially compared to previous security products. Certain things had quirky behaviors. For instance, once we upgraded to 80.40, a couple items inexplicably acted up (not uncommon for any software upgrade). Certain policies would drop and then show up again (remained in force, just briefly disappeared from management console). I would have to get some specifics from my network administrator, but I do recall some strange behaviors. One of them was fixed by a patch and another one still has a backup issue that's pending right now about how to best back up the device before we upgrade.

I haven't had to test scalability yet because we purchased it for our existing needs and as a company, our performance and our needs are pretty flat. We don't really have need to scale yet.

We are adequately equipped for what we need and we have room to grow and to add all of our users and possibly add additional products down the road and still have plenty of room to do so on how these gateways are powered.

We have a total of about 620 employees that use Check Point NGFW. I would say we are 80% there. There are still some users that have to be migrated to it once we test their accounts, their kiosks, that kind of stuff. 

There is one primary employee who is dedicated to maintenance and there are another two who back him up but our network administrator is primarily responsible.

Mixed experience, mostly satisfactory. Some support engineers are quite helpful and efficient, others required more patience working through support incidents. ATAM support has been high quality, and as previously mentioned, local support has been key to resolving some cases much more quickly. If we were giving their support a letter grade, it would be in the B range.

We were previously using SonicWall. We switched because we were struggling with performance, support, and strategy. There were things that were broken that did not have coherent or reliable fixes. At the time we did not consider it to be next-generation technology. There were problems with GeoIP enforcement. There were also quite a few performance problems, especially with inspecting traffic. It would literally bring the device to its knees once we turned on all the inspections that we really felt that we needed. It was under-provisioned, under-specced, and coupled with all the support problems we had, we started shopping for a new solution.

The setup was both straightforward and complex. There were some complexities in there that required us to get help. We have some local representatives that are very helpful and so we frequently contacted them for guidance.

We're still migrating people behind Check Point, especially in our main facility, but the heavy lifting was done by early summer. It took around three to four months.

Our strategy was to set it up in parallel with the existing firewalls and begin setting up policies and testing the policies against individual services in-house. Then, as we were successful, we would grab pilot users and migrate them to Check Point and have them start trying to break things or browse to certain sites and see what behaviors they were getting.

It was a slow migration with a handful of people at first. We tweaked their experiences and just kept adding people. It was gradual. We tested, fixed, and then migrated a few more incrementally.

We had two different ways of getting help. We have local representatives who are in the same metropolitan area and they were very responsive. Then when we would have to contact standard support. We were satisfied about 80% of the time. Sometimes follow-up was not there. Sometimes there would be delays and occasionally there would be rehashing of information that didn't seem like it was efficient. Eventually, we would get the answers we would need.

That's why we rely heavily on the local people because they could sometimes light a fire and get things moving a little bit quicker.

Primarily it's offered stability and caught behaviors and given users (and administrators) a level of confidence as they are doing their daily jobs. The inspection that Check Point does, even when we download a document or a PDF, offers a bit more peace of mind in those types of transactions. GeoIP is working like we had hoped compared to SonicWall.

We have a lot of granularity in our policies. We can accommodate some really interesting scenarios on our operations floors, certain groups needing certain types of access versus other groups. We're accommodating them fairly seamlessly from migrating from SonicWall to Check Point. We might have struggled to try to make stuff happen in SonicWall, and Check Point just seems to ingest it and run with it. Having access to Check Point's AI ThreatCloud cloud has given us a lot of peace of mind. ThreatCloud is 25+ years worth of exploit research that informs and feeds CP technologies and gateways.

Another feature that's been helpful is the sandbox feature. A lot of companies offer this type of thing now, but CP has been offering it for quite a while. If end users are browsing websites, and they download a payload-infected document from a website, SandBlast will detect it and take it offline. It will sandbox it, detonate it there safely, pull out the content that we're actually looking for, then re-present that cleaned content back to the user.

Strongly consider augmenting standard support with Check Point's premium option or by purchasing ATAM/professional services time blocks, especially during deployment.

Standard support is decent, though occasionally frustrating from a turnaround perspective. While we sometimes wait a while for resolution on some cases, the information we receive is usually quality; that's been our experience.

We looked at Palo Alto, Fortinet, and Sophos. I brought some of that experience to bear on our decision but our shortlist was Palo Alto, Fortinet, and Check Point.

The reason I selected Check Point was partly its pedigree, knowing that Palo Alto formed out of Check Point. Both companies are built from the same DNA and each has a history and a culture I respect and trust. Check Point Research is regularly in the news it seems for finding exploits and vulnerabilities in popular cloud platforms. 

Check Point offered quality local support, including our technical sales representative and a support manager that live in the area. A couple of executives also live in the area. If we needed to escalate, we had the people here locally that could help us with that.

My former company used Palo Alto and, while I didn't interface with the products on a regular basis (we relied on the network team for analysis), I'd overhear frustrations with support. Palo Alto is also a great product and it wasn't an easy decision choosing between CP and PA from a technical perspective. I had never used Check Point prior to this position, but it outpaced its competitors in a few key areas, especially the pre-sales phase, POC engagements, local support options, and the maturity of Check Point's ThreatCloud technology.

My advice would be to look hard at premium support options. Know what your tolerances are, and if you expect fairly quick turnaround on support incidents, go ahead and invest that money in support. Definitely take advantages of pro services, buy a block of hours, whether that's 10 hours or 20 hours, and use that to fill in the knowledge gaps, especially during deployment. If you rely on standard support during setup, depending on how complex your environment is, you may be frustrated.

We did well doing what I recommended here. We bought two rounds of pro services (20 hours). I don't want to pile on standard support - it's not bad - it's just that if we were to rely only on standard support, I think our migration would have taken longer, and there might have been more frustrations. Because we had local support and because we bought pro services, it accelerated our timeline and it got us into production much quicker.

From what I've seen and heard from my staff, I would rate Check Point NGFW technology a nine out of ten.

In my previous company, one of the clients was a big chocolate company. They had this payment card infrastructure (PCI), where they needed to have auditors from PCI check the firewalls to see if everything was okay. So, they had web-based authentication. 

I'm working with the 5800, 5600, and 5200 models. I work with the UTMs as well. These are physical appliances as well as open servers.

It helped clients get through big audits for PCI, which has been very cost-effective for them. In one hour, they make 30,000 to 40,000 pounds worth of sales. A PCI audit has actually threatened them, "If you don't do it by this date, you will have to stop taking payments." Even if the audit is delayed about an one hour or so, they'll have thousands of pounds worth of losses. The previous company may have spent a lot of money on Check Point, but they save a lot as well. So, they were quite happy with that. 

The most valuable feature is definitely the logs. The way you can search the logs and have the granularity from the filter. It's just very nice. 

I love the interface of R.80.30. The R.80 interface is very nicely thought out with everything in one place, which makes Check Point easier to use. When I started in 2014, I was just confused with how many interfaces I had to go on to find things. While there are quite a few interfaces still in the older smart dashboard versions, most things are consolidated now.

The naming in the inline layers and ordered layers needs improvement. It makes things very complicated. I've seen quite a lot of people saying that. For audit policies, it is okay since it's very simple to see. However, this area is for very large organizations, which have too many policies, and they need to share all these policies. For small to medium-sized businesses, they don't need it. Even if somebody has 500 rules, if they try to use it, it can be very confusing.

In R77.30, the only thing which I hated was having to go into each day's log file and search for that day. However, in R.80, we have a unified platform, so you can just filter out with the date, then it will give you the log for that date and time. 

I would like Check Point to have certification similar to what Cisco offers. Check Point's certification doesn't cover a lot of things. For example, Check Point Certified Security Expert (CCSE) should be actually included with the Check Point Security Administration (CCSA), as a lot of people just go for the CCSA and get stuck when it comes to a lot of things on Check Point. 

Biggest lesson learnt: Never assume. We had issues when we enabled DHCP server on one of the firewalls. We tried to exclude some IP addresses so the rest would be allocated, but that didn't work. We had to start from the beginning to include the rest of the IP addresses.

Six to seven years.

It is very stable. 

The headache with these firewalls is when they failover. The client will ask us why. We have a separate service desk and Tier 2 guys who monitor these firewalls. But, in these cases, they can't tell why, because you have to deep dive. The reason was unclear on R77.30, so I had to find it in the logs. However, in R.80, it's quite clear. We will just use a cphaprob stat to tell us the failover reason for the last time. 

Sometimes, it is very difficult to find something in Check Point Firewalls when you are stuck. Therefore, you need to know exactly what you are doing.

They do scale well as long as a company is not scaling rapidly. This is the reason we have a CPSizeMe tool. With normal growth, they will easily go for five to 10 years. Normal growth means setting up a few offices, not doing big mergers.

We have about four to five Check Point users out of 20 network engineers.

In my new job, we have 80 clients in user center.

I would rate the support as a three out of 10. It seems like they are all Tier 2 guys. If there is a problem, you search everything and read all the articles, then you contact their support center who forward you to the same articles. It is very difficult to work with their support guys, unless you work with the guys in Israel.

From my last job, I had a web UI issue on one of my firewalls. It's been a year now, and it's not been resolved. Although it's been to the Israel as well, It's still been delayed. We couldn't live with the issue, so we decided we would buy a new open server, as the previous open server was quite old, then we did a fresh install of R.30 on it.

if you buy the appliances or licenses through partners, they will try to resolve your issue or talk in a way that makes sense.

My previous company used to have Junipers that used to send all the credentials via HTTP. Because all Juniper SRXs didn't do that, since they were quite old (version 570), they had to buy new firewalls. I tried to do it, but I couldn't do it on the Junipers, especially since they were out of support and nobody would help me from Juniper.

I told my previous company, "Check Point would be the best solution for them. In the long run, while you might have a lot of issues with auditors, we will actually be able to combat this using Check Point firewalls if you get the proper licensing." Then, we did web bots on Check Points. 

About five years later, an auditor said that we needed to do a RADIUS Authentication, not a clear text password nor the Check Point local password. So, we implemented that as well. This was a bit tricky because they didn't want the local guys to have RADIUS Authentication, but anybody coming from the outside would have to go through RADIUS. This was a bit tricky with Check Point because I had to involve Check Point support in the process as well, but we were able to do it. This was one of the client use cases.

The initial setup was straightforward. I told one of my colleagues in my last job, "Just follow the prompts and you should be able to install it. It is a very simple, basic thing. Just do it as a gateway, then that's it. You are done". 

Before, on R77.30, there were cluster IDs and people needed to know what they were doing. In the R80 cluster, the cluster ID is gone, so it is very straightforward and you don't have to be an expert to install it.

A new installation on the VMs (about a week ago) took me around 20 minutes or less. This was a lot faster than I imagined, and I've created quite a lot of resources to their management and Gateway as well.

If the firewalls go down, then the employees' car payments would stop. This would be a disaster. 

There are three types of licensing: Threat Prevention, NGTP, and Next Generation Threat Extraction. Before, it used to be you would just enable the license of whatever blade you wanted to buy. Nowadays, Threat Prevention would be sufficient for most clients, so I would think people would go for the NGTP, license which includes all the blades.

All sorts of councils in London use the solution. In my new job, there are quite a lot of councils and schools as well. They need to know the web traffic from their users, e.g., what they are searching and looking for and where they are going. Therefore, its application and URL filtering comes in quite handy. I've seen the application and URL filtering on Palo Alto, and it is a pain to get those details from it and create a report for users. Whereas, the user report is very easy to get with Check Point.

I have not seen another firewall offer the same level of logs that Check Point offers. I have worked on ASA and Juniper SRX. While they are a bit similar, they are not exactly what Check Point has to offer.

This is not day-to-day firewall work, where maybe a node can do it. If you get into a trouble, you can't actually involve Check Point support all the time, especially when you won't get a response. You need to employ people who are certified. Check Point has a lot to sink in, and it's not an easy thing. You might just expose your environment, even after spending a lot of money.

It is future-proof. I would rate this solution as a nine out of 10.

The firewall is the primary use case of this solution & IPS is secondary use case of the solutions.

We are looking forward to Sandblast solutions.

We also use it for cloud expansions 

The Check Point NGFWs brought up the security level with the help of the advanced software blades - we use Application Control, URL Filtering, IPS, Anti-Bot, and Antivirus. The setup was simple, and the performance is great - we have significant resources to expand the environment in the future without disabling any blades and thus maintaining the security on the same, high level.

It has improved the security posture of the organization by implementing this solution.

Now we can add application signature in the same rule base & don't have to create a different policy for that.

Advanced networking and routing features - we use Proxy ARP to announced virtual IPs to ISP and bing domain names to it; BGP for dynamic routing over IPSec VPN tunnels to other environments, and Policy-Based Routing for connecting to two ISPs.

• Easiness while working on all blade of firewalls 
• Flexibility in NAT rules 
• The new Policy Layers feature for building up the Access Control policy - the rules are now more understandable and efficient.
• Also, even so, the new SmartConsole is declared to be unified starting from version R80.10, there are still some features that have to be configured in the old SmartDashboard (e.g. Mobile Access policy and Antivirus), or on the Gaia OS level (all the routing features).
  

• Offline Sandblast solution, which should send malicious sources to other security solutions.
  
• TAC Support level to be enhanced 
• More details to be included while VPN troubleshooting, using GUI representation 
• Integrate all blades to use a single policy rather than multiple.

I have been using Check Point for more than 14 years.

We are using Palo Alto and Check together.

Cost is negotiable always & matches the expectations and licences are flexible and are added advantage. 

We evaluated other solutions.

Our company works in developing and delivering online gambling platforms. The Check Point NGFWs are the core security solution we use to protect our DataCenter environment located in Asia (Taiwan). The environment has about ~50 physical servers as virtualization hosts, and we have two HA Clusters consist of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. The Clusters serve as firewalls for both inter-VLAN and external traffic.

The overall security of the environment has been greatly improved by the Check Point NGFWs. Before implementing this solution we have to rely on the Cisco ACLs and Zone-Based firewall that we had configured on switches and routers, which in fact a simple stateful firewall, and currently not an efficient for protecting from advanced threats. The Check Point NGFWs brought up the security level with the help of the advanced software blades - we use Application Control, URL Filtering, IPS, Anti-Bot, and Antivirus. The setup was simple, and the performance is great - we have significant resources to expand the environment in the future without disabling any blades and thus maintaining the security on the same, high level.

1. Advanced logging capabilities - our support team on duty constantly monitors the security logs in the SmartConsole, and notifies the security team in case of major alerts.

2. Advanced networking and routing features - we use Proxy ARP to announced virtual IPs to ISP and bing domain names to it; BGP for dynamic routing over IPSec VPN tunnels to other environments, and Policy-Based Routing for connecting to two ISPs.

3. The new Policy Layers feature for building up the Access Control policy - the rules are now more understandable and efficient.

The pricing for the Check Point products should be reconsidered - we found it to be quite expensive to purchase and to maintain (the licenses and the support services need to be prolonged regularly). 

We also had several support cases opened for software issues (e.g. unstable BGP sessions over VPN tunnels), which, in our opinion, took too long to resolve - up to one month.

Also, even so, the new SmartConsole is declared to be unified starting from version R80.10, there are still some features that have to be configured in the old SmartDashboard (e.g. Mobile Access policy and Antivirus), or on the Gaia OS level (all the routing features).

We have been using the Check Point Next-Generation Firewalls for about 3 years, starting from late 2017.

In general, the solution is stable, but we still have had some support cases opened and have to install the JumboHotfixes on a regular basis to fix the minor bugs. Please note that the current version of the software we use - R80.10 - is not the latest one (R80.40).

The solution is scalable - we use the Active-Standby Clusters, but could switch to Active-Active and add additional Gateway nodes if needed.

We have had several support cases opened. Some of the were resolved by installing the latest recommended JumoHotfix, some required additional configuration on OS kernel level (e.g. TCP MSS clamping). The longest issue took about one month to be resolved, which we consider too long.

We relied on the ACLs and Zone-Based firewalls of the Cisco switches and firewalls, which doesn't provide sufficient security protection against the modern advanced threats. 

The equipment has been delivered on time, without delays. The setup was straightforward. The configuration was easy and understandable. 

In-house team - we have a Check Point Certified engineer.

Use the Check Point Performance Sizing Utility to measure and estimate the hardware needed to purchase for your environment.

We primarily use the solution as a firewall device and for our VPN.

It gives me very detailed reports. The endpoint solution for clients is wonderful.

We're looking at the endpoint because there are some smaller issues with internet connectivity within our country.

Although they have it now, we don't have a license for it, and I think mobile device security should be a standard feature. I cannot control someone bringing their device to my network and what they do.

Within the first four weeks, we had a few little issues with stability, consideration issues here and there. But the partner helped and gave direction that and now it's better. It's still under warranty so we are okay with it. We have about 250 users. We also have the administrative and the IT team in the company that manages different solutions.

We are definitely planning to increase the scale, especially the endpoint. The cost in comparison with the brand new addition will be okay.

Right now, the agreement we have is elaborate enterprise support. That means we are entitled to an engineer within 48 hours if we have issues that can't be resolved remotely. I've been satisfied with technical support so far.

We were using the Sonicwall NSG 3400. It's a good appliance, but the major problem is they don't have competent technical partners in Nigeria. So all our support was via email, phone, and remote. It wasn't very good which is why we had to change it. Sometimes our network went down and we had to start calling so that we can call on the device. They needed to have someone in Nigeria that could assist. That's why we had to leave it.

The initial setup was very straightforward. You can customize it and change it as you need. But the initial information is wonderful. Initial deployment took approximately two and a half days. Then, to complete everything took a week. Deployment took about 3-4 people.

We had a partner. A representative of Check Point came and did the implementation.

We pay a license fee on a three year basis. We have a three-year license. We pay $5,000-$6,000 a year.

I would advise anyone to try Check Point.

I would rate this solution 7.5 out of 10. I think they should make their licensing simpler.

I've been dealing with the Check Point environment for over eight years, ever since SPLAT, the R75 versions, and mainly with a multi-domain management (former Provider1) set-up. I also use the Smart Management Server, with a standalone/distributed deployment.

I'm currently engaged in the design, implementation, and maintenance of a large-scale Check Point firewall environment (~100 GWs).

Presently, the customer is using Check Point for perimeter security, IPS, threat prevention, encrypted traffic, as well as access to the internet, and multi-domain server architecture.

The Check Point solution has improved the way the customer organization functions.

People are working within the organization all over the world, across NALA, APAC, and EMEA regions. Having Check Point as a security vendor made it easy to assure people they could access the resources everywhere, from offices, homes, and across the globe, especially during the pandemic, safely.

One of the last implemented projects was replacing an obsolete Client Auth solution with Identity Awareness, including integration to AVD.

The solution plays an important role in preventing security incidents from happening and preventing malicious attempts to infiltrate into the organization while quickly adapting and reacting to any attempts. For example, it protected us against Log4J vulnerability a few months ago.

It is easy to administrate and maintain.

The product is very granular in the Logs & Monitor section and also intuitive to use.

It offers good control and visibility over users' identities and actions.

It provides central policy management, which is easy to manage and maintain.

The product offers great performance tuning features like SecureXL, CoreXL, HyperThreading, and Multi-Queue.

The study material and training need to be improved and become more accessible to security engineers working with Check Point.

Needs serious skills for advanced troubleshooting. The configuration might get a little bit too complex for regular engineers, compared with easy administration.

We've encountered a few limitations when trying to accomplish simple tasks required by customers. For example, changing a domain name inside an MDS environment or missing a function in the database which removes the domain object completely from the database.

There are plenty of bugs that are not documented, or with too generic error messages.

I've used the solution for eight years.

We are using these Next Generations Firewalls to segregate and protect our data center and business-critical data from the user LAN. 

We have some of the resources behind these firewalls which should be allowed to a certain set of users only. This is done using the authentication against the Active Directory groups and only the designated users are allowed to access the contents based on the firewall rules. 

Along with this, we use IPS and Antivirus features to protect our most critical network.

The solution is great and simple to implement. It has improved the security posture and overall management of this segregated network.

We have this deployed globally across multiple sites and it's very easy to manage compared to other vendors. 

We have been using this solution now for a few years and never came across any issues. 

The documentation is simple to understand and is easily available. 

The support is also observed to be good and we never had to escalate the cases due to support issues.

We have been using Check Point NGFW to protect the business-critical data from the other networks and provide secured access to the users best on the authentication, integrated with the Active Directory. 

We have been using packet filtering, stateful inspection, and VPN awareness along with user authentication and have not observed any performance issues in the last several years. If you are looking for a solid solution that is very stable in nature, this is the best choice.

We have been using CheckPoint NGFW for quite some time now, and the only thing that could be improved is the upgrade procedure and the frequency of the hotfixes we get. 

We have this deployed in multiple sites globally and managed via the central management server. The upgrade is something we would like to be improved in the future as the frequency of hotfixes is too much, and by the time we finish the one round, we already have the new version released and are required to upgrade. We would like to see some improvement in this area.

I've used the solution for 15 years.

The stability is rock solid.

The solution is easily scalable.

It's been a long time since we started using this. When we decided to expand several years before and we decided to go ahead with Check Point and continued with Check Point. We reviewed a lot of other products from different vendors, however, his was chosen as the best by our engineering team and we decided to stick with this.

The set up is very simple and more straightforward than we thought.

The setup cost is pretty much the same as compared to the other vendors. The initial pricing could be slightly better, however, the licensing and maintenance cost is much better compared to the other similar products in the market.

Cisco and PaloAlto were the other options evaluated.

We have a very robust implementation of firewalls for a central site, a contingency site, and five agencies, all connected by MPLS. In each perimeter firewall, we apply the security features of FW, IPS, AV, and AB. Additionally, we have a VPN concentrator for VPN S2S and C2S.

Over time, Check Point's solutions have had fewer security breaches than their competitors, which is why they remain in high categories and quadrants, as they are a very robust technology. As pioneers in information security, Check Point has been innovating year after year in information security.

Since we implemented this architecture in our client, we have not had any security breach exploited and the organization maintains communication with its different sites through MPLS and VPN to secure and encrypt the traffic that passes through said connection.

In addition to the different security features that Check Point security solutions have, their integration with other technologies makes the security environment a complete security type.

Apart from the technological and innovative solution, a point in favor of Check Point is the support provided by the manufacturer, since over time, we have not had any case that is not resolved, they have a good escalation process and highly qualified staff. 

The process of opening a case has different options that are convenient.

Check Point could do better to include acceleration technologies like SD-WAN in an integrated or embedded way to provide these new features that Check Point never had and is of great importance in the market.

Its competitors have this SD-WAN technology, if it were not for the fact that Check Point has been more stable historically, this value would weigh negatively for Check Point when choosing a solution.

If Check Point includes this feature, they will be able to cover those architectures where traffic between sites must be protected and accelerated.

I have been using Check Point for ten years. It is a very mature and robust technology. R81 is a very stable version and always has great security features.

I consider that they have good support engineers at each level of escalation, according to the criticality of the issue.

Positive

I do use other technologies, however, Check Point is historically more stable for me, as they have had fewer exploitable security breaches.

Check Point has a good cost-benefit ratio.

We also evaluated Fortinet, Palo Alto, and Watchguard.