Check Point NGFW Reviews

I have been designing, deploying, implementing, and operating Check Point's Security solutions including NGFWs and EndPoint security as well as Remote Access VPNs, Intrusion Prevention systems, URL filtering, user identity, UTMs, et cetera, for around 12 years. 

I have also used VSX and MDS/MDLS solutions. In my organisation I am using over 150 virtual and physical appliances and also MDS for virtualized/contanerized central configuration management and also central log management MDLS/MLM. We are using this not just for NGFW but also for other Perimeter security solutions.

This solution has helped keep the security posture of my organization in the best possible shape. Check Point's solutions stay a cut above its competitors to make sure your IT infra Cyber is safe from both known as well as zero-day attacks and malware. 

From an operations point of view, Check Point solutions are the best in terms of providing central configuration management and also central log correlation and management. Additionally, Check Point's virtualization solutions around VSX are super-efficient and very stable.

I found Check Point's software ability to provide for all the perimeter security solutions including next-generation firewalls, intrusion prevention systems, identity and access management, and URL filtering. They are all excellent. Check Point's Central configuration management, central log correlation, and management solution are a cut above the other vendors and are the best in the industry. Check Point's virtualization solutions are also very efficient and can be scaled. They are highly stable solutions (MDS/Domain Managers & MDLS).

To be very very honest, I do not see any major gap or improvement area for any of Check Point Cybersecurity solutions, whether it's your enterprise be cloud-based only, on-prem (Private cloud or Legacy infrastructure), or hybrid infrastructure. Check Point's solutions are highly cost-efficient, have low OPEX costs, are very stable, are safe and secure, and helps maintain the enterprise's security posture. 

Check Point's security solutions are a cut above the other vendors, not just today but for the last 30 years. Without having to mention any gaps, Check Point's development team works hard to stay ahead of technology in the cybersecurity space.

I feel the only thing that I see as a possible improvement in Check Point software is the lack of ability to create "static discard routes" which makes it difficult for NAT ranges to be advertised via BGP to neighbors. Although Check Point has an alternative of creating a dummy interface to introduce "directly connected" routes for NAT ranges so that they could then be advertised up/downstream, having the ability to do so using "static discards" would be a great thing to have.

I've worked with the solution for a little over 12 years.

The product is very stable.

The solution is highly scalable.

The sales, pre-sales, professional services, and tech support are all very nice.

Yes, and we switched because Check Point proved to be more reliable.

The initial setup is absolutely straightforward.

We implemented it through an in-house team.

Every dollar spent is worth it.

Yes, we looked at Cisco, Juniper, and Palo Alto.

Not at the moment.

The solution is used for edge and interior firewalls. We use large-scale Check Points for our edge and have them set up in an active/passive cluster. For our internal firewalls at the remote sites, we use a virtual firewall for the OT DMZ, and then behind this virtual firewall, we have a physical appliance for the actual OT network. This allows us to fully secure the critical network yet still allow access via jump hosts or other remote management that we have approved. It also gives us excellent control over any north/south traffic.

Check Points is probably not the easiest or cheapest solution to use, however, we have never had any issues with their security and the technical issues we have had with them are few and far between. 

Most support calls for us are centered around how to best deploy a feature or why something is being blocked by a certain blade. This is one of the main reasons we continue to use them as they provide proven security for my company and the built-in blades generally always provide a benefit for us.

The central management and logging are frankly one of the top selling points. 

The actual management is perhaps a little confusing for a newcomer to Check Point - however, does not take very long to learn the basic ins and outs of. 

The logging capability of Check Point is excellent and very rarely have we wanted more. The logging is very fast and easy to use, and this makes finding items across all 80+ firewalls very easy. 

It is also easy to export all logs to our MSP since it is from a central point. The other built-in features are also helpful as it eliminates the need for some extra security appliances.

Lately, Check Point seems to be pushing new products too early. We have evaluated a few we thought may be useful to us yet were just not ready for enterprise use. Every company goes through this so hopefully, they will slow down and get the products up to speed and working better before trying to bring them to market. 

The current products that have been around for more than a few years generally do not suffer from this issue, however, their documentation does lag severely when a command changes or says the way to configure it changes. Support generally is up to date, but the KB articles are not always this way.

I've used the solution for 18 years at my current company, and another four at my previous company.

The stability is excellent.

Scalability is excellent, especially the newer products.

The technical support is mostly good. Their Tier 2 and higher engineers are excellent. Like any call center, however, their Tier 1 can be hit or miss. We use a third party for front line support so mostly never encounter anything less than Tier 3 since the only issues that get directed to actual Check Point support are already vetted out.

Positive

We used SonicWall. We switched due to wanting a more enterprise-quality product and previous experience.

The setup is complex, however, we knew this from the start so it was not unexpected.

We set up the solution mostly in-house. However, we were experienced with Check Point installs.

I have no visibility on ROI.

If new to Check Point, get pro services to help deploy it - especially if it is an advanced config. This will save huge amounts of time and grief. Once you have experience, pro services are generally not needed unless, again, you have no experience in that area.

We did not evaluate other options. 

The device is being used for perimeter security devices across multiple clients across sites. Check Point has not only improved our organization - it also has given us holistic perimeter and endpoint security protection throughout the enterprise.  

Our sites across the globe have Check Point perimeter protection.

Pros include:

• Internal Network Protection from outside network
• VPN connectivity for secure data transmission across multiple vendors
• File download antivirus security
• URL Filtering
• Application filtering
• Malicious domains blocking

The solution has helped out organization stay safe with its depth application filter, URL filtering, and SSL inspection. It's mitigated a significant amount of risk for corporate users as well as to host services at our terminal that need access from the internet. By far, it's the best security solution one can adopt for their organization. 

It's:

• Reduced attacks on DMZ servers
• Blocked access of malicious destinations hit by internal users
• Complete visibility about what is going and what is coming via internet
• Check Point is the industry’s unified cybersecurity architecture that protects businesses against sophisticated 5th generation cyber-attacks.
• Having multiple checkpoint products under the same roof provides consolidated security.
• Ultimately saving cost by having better centralized solution

The solution has a lot of valuable aspects, including:

• IPS & IDS
• Sandbox (Threat Emulation & Extraction)
• Ease of management
• Reports for analysis
• Better technical support
• Stateful inspection
• Application-aware boxes
• Threat detection capabilities
• Hyperscaling

Data loss prevention, compliance, threat emulation, and other blades overall make this a robustly unified platform for the implementation and management of security controls.

Since it is Layer 7, we are able to get down to the application level and block certain applications from even running.

Since it has an IPS in place, we are able to see possible attacks that have been prevented by the firewall.

The perimeter antivirus can be improved. It's not as good as other leaders.

Additional features that could be good to have/improved include:

• Modular capabilities 
• Integration with VMware and NSX products per client requirement
• 3rd Party support product is very limited 

The solution can integrate with other vendors to form IPsec connectivity with redundancy - which is only possible now between the CP to CP FW only.

The licensing part is a bit tricky. The product can simplify this further for ease of use.

They need to work on log size optimization.

Antivirus signatures should be updated in real-time.

We've used the solution for the last eight years.

The stability is very good.

The scalability is very good.

Technical support has been great.

Positive

We did not use a different solution previously.

The initial setup is straightforward. 

We had a vendor assist us.

We haven't used other products.

We also looked at FortiGate and Palo Alto.

Our company undertook a network transformation and instead of implementing a separate IPS solution, we've opted for the NGFW of Check Point. We've leveraged the different security blades available in the Check Point NGFW. Besides the IPS blade, we've also leveraged the anti-malware threat intelligence blades for our gateways, especially for the perimeter. 

We've also enabled the IPS blade for our remote offices as part of the additional security layer for our smaller international offices and used both the IPS and anti-malware for our bigger offices. 

We've managed to reduce the CAPEX cost of the network transformation when we leveraged the versatility of the Check Point NGFW solution. 

Instead of purchasing separate solutions for the IPS, anti-malware, and threat intelligence, the security blades of the Check Point NGFW were just enabled. 

The software subscription cost is already included in the annual software and hardware maintenance cost which made the solution more cost-effective than having separate solutions wherein we need to maintain a separate subscription for each. 

Besides the basic firewall feature of the Check Point NGFW, we find the IPS and anti-malware security blades to be most valuable for our current implementation.

The IPS and anti-malware solutions have successfully identified and blocked potential threats from our perimeter. 

Though we are also using threat intelligence, we see more validation of the successful use of the IPS an anti-malware. 

The successful performance of the security blades has shown the value of the investment along with the comparable success of leveraging the NGFW over a separate specialized security solution. 

Overall, we are satisfied with the performance of the NGFW both from the functional and operational perspective. The solution has been proven effective in detecting and blocking potential and intentional threats to the company's internal network without impacting the performance of the appliance. 

What can be improved though is the capability of providing an executive summary report that can highlight the performance and operational effectiveness of the implemented security solution. The current reporting capability needs to be parsed and edited to be appreciated by leadership.

We've been using Check Point NGFW for more than 4 four years.

Check Point NGFW has been very stable and very rarely do we encounter any performance issues due to hardware or software issues. 

The solution is very scalable and easy to manage.

Customer service and support are very responsive, and we get quick and fairly consistent turnaround times for the resolution. 

Positive

We previously used Cisco Firepower, however, we were not satisfied with its performance both functional and operational. 

The initial setup was straightforward since the deployment is just the typical high-availability active standby implementation. 

We implement through a vendor team. The vendor team is very competent and has consistently displayed their expertise in the technology. 

Unfortunately, our team does not have visibility on the ROI.

If the implementation would require multiple gateways, consider leveraging the Infinity Total Protection. 

We no longer evaluated other options. 

We are a top enterprise with a huge Check Point presence. We have been using Check Point since its older R65 version, and we are currently on the R81 version. 

We have close to 200 Check Point devices for DC and all remote sites. We are also using Check Point for our edge security along with the Sandbox environment. 

Check Point is also used as a VPN solution which is a pretty easy setup. 

Check Point Cloud Guard is an excellent find we were able to do some cloud-based networking in our private cloud. 

HTTP forwarding is one feature that I haven't seen in Check Point's competitors. With it, I can just send all HTTP traffic to a cloud-based proxy directly without building a GRE tunnel or VPN. 

We took some major leaps with Check Point virtualization. VSX is one of the phenomenal features of Check Point. It allows us to virtualize multiple environments. We have saved hundreds of thousands of dollars with VSX. 

Instead of using a number of small firewalls, we bought a couple of CP 23K series with 20 virtual licenses. It really worked for us with the MDS and smart log. 

HTTP forwarding is something I haven't seen elsewhere.

VSX, URL filtering, and DLP are all excellent. VSX is the best thing we have used. We can use virtual switches and virtual routers for VLAN extensions. Another great feature is the "Active-Active" state that no other firewalls provide. I worked with other vendors as well; however, Check Point is the only one that can provide very good support on the Active-Active state. I still like the traditional way of troubleshooting using TCPDUMP and the FW monitor. Application IDs can be used, which is a significant improvement from previous versions.

The web UI for VSX could be better. As we enable VSX on physical gateways we cannot access the web UI. Smart log setup isn't so easy. We have some issues with some domains, however, overall, the smart log is a really good feature that helps navigate to the right domains for troubleshooting. 

We have so many applications, including smart updates, provisioning, etc. I would like to see a single pane where I can do everything instead of going to each application and making changes. 

More and more application IDs and integration is a really good thing and that's something I am looking for. 

I've used the solution for eight years.  

We used another solution before, which was only command-line based. Check Point was only the major competitor and best option a decade ago. 

We need to choose technology first, and obviously, others follow. Check Point's three-tier architecture is the main reason for us using it. I believe the pricing is pretty competitive.

We did look at other options, including Fortinet, however, nothing is as good as Checkpoint. 

Check Point is a good solution. It is a reliable solution above all. 

We are mainly using it for policy installation and access purposes. We have a bank project where we are using mobile access, Antivirus, and IPS. These are all are configured on the Check Point Firewall, where we are using it on a daily basis. 

I have worked on the following firewall series and models:

• 15000
• 23900
• 41000 
• 44000. 

I have worked on the following versions:

• R77.30
• R80.10
• R80.20. 

I am currently working on the R80.20 version and the hardware version is from the 23000 series.

We installed this firewall in our organization one year ago, and it is completely fine. There are other deployment also going on for other customers. Most of those deployments are handled by our project teams. 

What I like most about Check Point Firewall is that it is easy to use. 

The most valuable feature is the IPS. For our bank project, we are using it as an external firewall. All the traffic is going through the Check Point Firewall. Then, using the IPS, we can easily identify if there is any malicious activity or anything else. We also have to update signatures on a regular basis.

We are facing some problems with the management on our Check Point Management Server. There are some issues with R80.20, so Check Point suggested to upgrade. However, we are in lockdown, so we will upgrade after the lockdown. We are coordinating this issue with the Check Point guys. After upgrading, I think these issues will get resolved.

For R80.10 and above, if you want to install a hotfix, then you can't install it through the GUI. I don't know why. In the earlier days, I was able to do the installation of hotfixes through the GUI. Now, Check Point said that you have to install hotfixes through the CLI. If that issue could be resolved, then it would be great because the GUI is more handy than the CLI.

Two and a half years.

They are completely stable. I haven't faced any issue with stability. 

There are no issues with scalability.

In Hitachi Systems in Mumbai, there are around 10 to 12 clients who are using Check Point Firewall. There are around 40 network security engineers who support Check Point Firewall in our organization for the Mumbai location, and there are multiple locations.

The technical support is very good. The Check Point guys are very humble and quick. They are always ready to support us if we call them.

I have done four to five initial setups and configurations of firewalls, which have been completely fine and proper. There are no improvements needed.

For one firewall, it will take around two and a half hours to configure the interface and everything else. For the deployment of one firewall, it will take around two and a half hours. If you want to make any clusters, then it is around five to six hours. 

We support companies locally and remotely. Since the lockdown, we have been supporting companies only in a remote fashion.

We have to first make a plan of action, then verify that it meets Check Point's requirements. Then, we will raise a case with the Check Point desk. We verify with them if there are any changes that they need us to do. After that, we will go for deployment. Check Point engineering will also help if there are issues with the deployment.

They have made domain improvements to SmartConsole. If you check older versions, such as R77.30, you have to open a separate, smart tracker to view logs. However, in R80.10 and above, you can view logs in SmartConsole. You don't have to open another smart tracker to view logs. That is the improvement Check Point has done which makes it better because it is much easier to find logs. This saves time, approximately 40 to 50 a day in one shift.

For the firewall, there is a limitation on the license. We are facing some problems with mobile access. We have a license for 450 licenses of VPN users. We would like Check Point to have more than that, e.g., if the organization gets bigger and there are more users, then that will be a problem.

I have done licensing and contracts for multiple firewalls. The license and contract configuration is completely fine, but if it is possible to make them cost a bit less, then this would be better.

Palo Alto is a zone-based firewall and Check Point is an interface-based firewall. With Palo Alto, we are using Panorama to install policy, and in Check Point, we are using their Management Server to install policy. The Palo Alto Panorama console has more options than Check Point.

On the Check Point Firewall, you can install policy. With the Palo Alto firewall, you can install policy on multiple gateways. You cannot install policy on multiple gateways with the Check Point Firewall.

If you are making a plan of action for the installation of firewalls, clarify with the Check Point tech engineers that all is proper and good. We always arrange a Check Point standby engineer for this activity, because if anything goes wrong, then they can help on the call.

I would rate this solution as an eight out of 10.

We use it for safeguarding our office network on a routine basis. These firewalls protect against external threats, manage VPN access for remote users, and address various security scenarios. Our primary focus involves malware prevention, intrusion detection, and ensuring robust security measures to shield our office network from potential cyber threats originating from the internet. It serves as a traditional yet effective security system, providing comprehensive protection against hackers and potential risks associated with internet usage.

It provides a comprehensive and scalable security solution. With features like nanosecurity, cloud integration, and multi-domain management, they address the diverse security needs of businesses, from small enterprises to large corporations. It excels in malware prevention, utilizing features like fan black pattern and vulnerability-driven detection, ensuring comprehensive security against evolving threats.  It boasts an Infinity architecture, offering a multitude of features tailored to enterprise needs. The integration with AWS and Google Cloud, safeguarding cloud servers and networks. The Multi-Domain Management feature enables centralized control across on-premises and cloud environments, streamlining security management.

There is room for enhancement in the support system in India. Given the burgeoning market and the growing reliance on security solutions, focusing on strengthening support and implementation infrastructure would be beneficial. This could involve increased training programs to equip professionals with the necessary skills to understand and effectively implement Check Point technologies. Its scalability capabilities should be improved.

It's an exceptionally stable tool. I would rate it nine out of ten.

Scaling up is quite restricted, and the scalability needs improvement. It should be a multi-tiered and robust solution. Currently, there is a gap in the ability to seamlessly scale within the same series. I would rate it seven out of ten.

Technical support in India is lacking, and there's a clear need for improvement. There's a high reliance on third-party support, which needs to be addressed. The current rating would be around five on a scale of one to ten.

Neutral

The implementation process is generally straightforward and basic, taking around one to one and a half hours. However, if there's a need for the creation of numerous VLANs and policies, it might extend over several days.

It comes with a significant price. The cost of the six thousand six hundred models was approximately thirty-eight lakhs. Although the cost may be higher, the reliability and functionality it offers are well worth the investment. I would rate it ten out of ten.

I consider it a top leader in security, and I highly recommend it. Overall, I would rate it eight out of ten.

It offers a range of models to enhance network security and it can be customized to secure endpoint client machines or user devices by deploying features like malware detection, antivirus, and mail security blades. Its integration with a web application firewall provides added protection.

Check Point's architecture is three-fold, comprising the firewall, management server, and dashboard. The dashboard provides a comprehensive view of the network and security status, enabling identification and isolation of problematic devices, performing tasks like patch updates, and monitoring logs. It provides configured automated alerts via email or notifications on mobile devices, ensuring you're informed of any threats, even during non-business hours. Another vital function is the ability to offer VPN services. This enables end users and mobile or remote workers to securely access the network from anywhere globally.

There is a strong demand for security services that can be effortlessly integrated which would ensure that security measures can seamlessly adapt to the cloud infrastructure.

I have been working with it for eight years.

It is a highly reliable tool. I would rate its stability capabilities nine out of ten.

Check Point NGFW is a highly scalable solution that can be tailored to the unique needs and infrastructure of each customer. For instance, if a customer needs to secure multiple zones, they can opt for multiple firewalls. They can consolidate their network onto a single firewall by creating virtual interfaces based on VLANs. The firewall's capability to handle network traffic becomes a crucial consideration, especially when dealing with larger user bases and higher traffic volumes. In such cases, deploying multiple firewalls in a high-availability configuration becomes essential.

The initial setup was easy. I would rate it nine out of ten.

I have hands-on experience working in various environments, including on-premises, private clouds, hybrid setups that combine both private and public clouds (e.g., AWS, Google Cloud, Oracle Cloud), and purely public cloud deployments. While the technical interfaces and options may differ slightly between these environments, the core concepts, such as Security Event and Management (SEM), remain consistent. For instance, the Virtual Private Cloud (VPC) configurations in Google Cloud are similar to those in AWS. Network components like instances and Access Control Lists (ACLs) share common principles across platforms. The key to successfully implementing it lies in understanding the specific needs of each client's business and aligning our solutions accordingly. We can leverage technology and services to meet their requirements effectively. It's worth emphasizing that the adaptability of our approach is central to achieving our clients' objectives. When starting a project, we typically initiate a POC and conduct thorough pre-checks to assess the network's specific needs. In cases where clients want to transition from legacy firewalls like Cisco ASA or Palo Alto to modern Next-Generation Firewalls like Check Point Firewall, we carefully examine their existing configurations. This allows us to manipulate and adapt the configurations to suit Check Point's requirements. The timeline for these processes can vary. For entirely new environments, which involve documentation, design, and diagram creation, it may take anywhere from 15 days to one month at most.

The pricing falls in the middle, meaning it's neither cheap nor expensive. I would rate it five out of ten.

Before opting for this solution, it is crucial to assess the customer's existing environment, including the number of users, traffic patterns, applications in use, and bandwidth utilization. It is an excellent choice and I would encourage others to consider using it for their security needs. I would rate it nine out of ten.