Check Point NGFW Reviews

We use Check Point Gateways for securing our data centers including DMZ networks as well as gateways for our branch offices around the world. They are connected via MPLS, internet, or site-to-site VPNs depending on the branch connectivity.

A minimum standard for the whole environment is the NGFW. Firewall rules according to our security policy. VPN for site-to-site tunnels to our own gateways or to partners and customers. IPS is set primarily to prevent, and for some signatures to detect. 

Application Control is still in the early stages.

Firewalling is one of Check Point's core business attributes, and it just works.

Creating site-to-site VPNs between Check Point Gateways that are within the same management is unbelievably easy. If you create VPNs for 3rd parties and there are mismatches or issues, you will see logs that help pinpoint issues or misconfiguration.

Application control help with identifying applications and therefore makes firewall rules easier since changing ports don't have to be adapted every time an application changes or updates.

Generally speaking, all features are well documented and the two platforms help with configuration. Documentation and knowledgebase articles in the user center as well as user recommendation within the forums are great. The Admin Guides are really well documented, but it's a lot to read.

Check Point helps a lot with automatization which definitely reduces the effort to maintain the environment. The best example would be the CDT tool which helps with decreasing the amount of time for upgrading whole environments.

The policy installation length is still too long. It was promised that the time would be severely reduced in newer versions, but it is still too long. R81 promises at least parallel policy installations, which help in larger environments.

Check Point's advantage (to be able to configure everything) is also a disadvantage. The environment is quite complex. Troubleshooting is not always easy as there are a lot of possible debugs that can be taken, and the support will not always send the right or necessary debugs. Some debugs also can cause a heavy load, so you have to keep an eye on what you troubleshoot.

Our company has used Check Point for well over 10 years.

If it's running, it's stable. New setups have to be tested though.

The solution can be scaled from very small branch offices to huge data centers or even cloud data centers.

Support depends on how well you describe the issue and send information. Sometimes escalation is necessary.

The more features (blades) are turned on, the more complex the environment becomes. If something goes wrong, you have to rule out several issues (hardware, blades, et cetera).

As a next-generation firewall, this product is capable of handling all kinds of threats that might try to attack the network, including events such as DDoS attacks. 

The compliance part of the product has been very useful to our organization. There are many useful reports from this firewall device. For example, it can tell us how much of our network has compliance with the guidelines that are in place.

The product is very easy to use.

It's quite a stable solution.

The scalability is very good.

The solution is easy to install and deploy.

The product could always be even more stable and secure, as it would improve protection.

As we aren't using the very latest iteration, it's hard to say which features are lacking, as some might have been added in the latest releases we haven't yet migrated over to.

The pricing could always be more competitive.

Technical support needs to be more helpful.

I've been using the solution for the last six months or so. It's been less than a year, and therefore, it hasn't been that long. 

The stability is good. There are no bugs and glitches. It doesn't crash or freeze. It's reliable. 

The solution offers good scalability. If a company needs to expand it, it can do so. It's not hard.

We have 50 users on the solution right now.

I would say that technical support could be better. We also use Cisco, and, in comparison, Cisco's support is way better in terms of how helpful and responsive they are. We aren't as satisfied with Check Point. They need to be faster, friendlier, and much more knowledgeable. 

Right now I am using Check Point and Cisco ASA.

The initial setup is not overly complex or difficult. It's pretty straightforward.

The deployment doesn't take long either. It's a fast process.

You only really need two people for deployment and maintenance for most setups.

I handled the implementation myself. I did not need the assistance of an integrator or consultant. 

The solution could work to make the pricing a bit lower. It's similar in cost to Palo Alto, however, if it was lower, it would make them more competitive. 

We are a customer and an end-user. We don't have a business relationship with Check Point. 

We are not using the latest version of the solution, however, I cannot speak to the actual version number. We might be a version or two behind the latest update.

I'd rate the solution at an eight out of ten. We've largely been quite pleased with its capabilities.

I would recommend the solution to other users and companies. 

Our primary use case is to secure the perimeter and users in our network.

We use IPS/IDS, deep packet inspection, and VPN.

Our network performance and safety have improved. The reporting also gives us more information about our network, including cost and risk reduction.

This solution helps to keep our network safe and secure, protecting our investment.

The most valuable feature is the powerful, deep packet inspection engine.

The management console and diagnostic tools are powerful and we are happy with them.

The reporting is detailed and helpful.

There should be better integration with our current NAC solution to increase the granularity of policies that we implement.

We have been using the Check Point NGFW for two years.

Overall, this is a very complete tool.

The main use case is Firewall provisioning and integration with Tufin and Skybox. Also, we focus on firewall compliance, rule review, VPN configuration, and network troubleshooting.

Working for one of the largest companies, I found that using Check Point has made firewall provisioning very easy for us, and integration with the above-mentioned tools has eased the process of PCI audit, security compliance, and rule recertification.

I think the VSX has been the most valuable feature for us. We use it for tunnel management, which is great. The configuration has been quite straightforward.

Debugging could be improved when compared to the competition.

I think the product release lifecycle should be improved.                                                       

We have been using Check Point NGFW for almost eight years.

Previously, we used Cisco ASA. We switched because of the fact that Check Point offers more stability and visibility into the firewalls. Management is easier, especially using the GUI version.

I think that the pricing is different for every organization.

We did evaluate Juniper, as well.

Check Point is a very good solution. My primary use case is as a perimeter firewall. I never use Check Point's IPS. I always work with another IPS, in a different appliance. I always use the firewall modem as a firewall.

We have good support from Check Point. They always send us information about new products, new technologies, and new attacks worldwide. We are looking for endpoint protection and Check Point is one of the brands that could provide that technology to us.

The most valuable feature of Check Point is the management console. Another feature that is most valuable for me is that the configuration is easier than other firewalls.

I would like for them to develop the ability to manage a cloud firewall with the same console. That would be very helpful.

Another thing I would like to see improved is that when I start policies in Check Point's console, it takes a few minutes. It could be better and faster.

We never had an outage of the appliances or the consoles. Stability is very strong. I never had a problem related to stability.

Scalability is good. Since four years ago, we have been increasing the number of users and the traffic. The solution is working well and working with our progress.

I always work with a partner so the partner is in contact with Check Point. Their response is very fast. In all of the cases, it's very fast.

We switched because it is a good product and because of the cloud support. We are moving to the cloud step by step and the cloud support is important. If another company has better cloud support it may be a factor that would influence my company to switch to another solution. 

Important criteria that we look at when choosing a solution is the local experience and the local support. That it is very important. 

I wasn't there for the initial setup but from what I heard, it was straightforward. 

We looked at Cisco vs Fortinet. We chose Check Point because of the cost benefit that this product offers.

I would rate this solution an eight. It's a good solution. The management is easy. The console is very practical but in order to be a ten, it should be faster.

I would advise someone considering this or a similar solution to prove the solution before choosing the final vendor. Prove that it will be very helpful for you.

Check Point offers excellent security.

Check Point is a bit difficult to use and manage so it would be nice to see some improvement in those areas.

This is a stable solution.

This is a scalable solution. We have about twenty customers that are using the solution currently.

I have not needed to contact support.

The initial setup was a bit complex only because there are no vendors to help with the installation requiring you to need to be trained.

Other competitors would be Fortinet and Palo Alto.

Check Point is more complex than Fortinet and less complicated than Palo Alto.

I would recommend this solution to anyone with an eye for security and would rate it a seven out of ten.

Our organization implements, maintains, and operates Check Point's firewall. 

Check Point solutions were implemented by our organization in accordance with the project documentation and further adjusted at the request of the customer. 

We ourselves also use a Check Point firewall in conjunction with a firewall from another vendor - both to protect our network perimeter and to test various functions and new emerging firewall capabilities and identify various bugs before they reach customers in the product environment.

We and our customers use almost the entire palette of capabilities of the firewall solution from Check Point. We use almost every feature, from anti-spoofing and network segmentation to URL filtering and intrusion prevention systems. We also willingly use virtual private networks from Check Point, both site to site and client to site. We also leverage the antivirus blade and anti-DDoS attacks. Some of our customers use Check Point capabilities for mobile devices, which are also successfully implemented in the firewall.

We found a very successful implementation of the virtual private network client, since, for some time now, everyone has been working from home. With the firewall from Check Point, this function is implemented very conveniently and securely. 

A convenient new version of the firewall management console, which, starting with the R80 version, has become standard for many Check Point blades, however, unfortunately, not for all. You still need to use older consoles to manage some features. For example, to access the monitoring blade, I need the old console, but the new console should start it.

You need to merge all the old consoles into one new one and make the interface more convenient for the novice administrator. Until now, the initial settings as well as subsequent changes to the "iron" part of the firewall, namely its interfaces, routing, or DCCP settings, you must use the web interface through a browser. This is inconvenient. Of course, you can use the command-line for these purposes, however, this also complicates the configuration process for the administrator and requires a well-known habit.

I've used the solution for six years.

There is room for improvement in terms of stability.

The scalability is great.

Technical support could sometimes be better.

Neutral

I have used and still use solutions from Sophos, however, in Check Point, some functions are implemented more conveniently. For example, work with logs.

Before installing, I recommend to go through the training.

I handled the implementation myself.

The ROI is good.

What can you do about threats that get past simple packet inspection by a regular firewall? You could have a layer 3 firewall inspect the protocol and block known threats from certain URLs, however, what if it comes from a URL that has not been reported and is a socially engineered exploit designed to hijack your data? This is where a Layer 7 firewall will be able to inspect the application, known as payload inspection.

While this is possible to do with a Layer 3 firewall, it can be difficult due to the number of protocol messages in Layer 7. You would need to create a signature for each application you wanted to protect; however, network signatures tend to block legitimate data and increase your MTTR (mean time to resolve an issue).

Plus, having these signatures makes it hard to manage and keep up with by the IT staff. Relying on the power of AI and the cloud in order to leverage the Layer 7 firewall is key. The advantage of Layer 7 is its protocol awareness, which allows it to differentiate between different network traffic (application knowledge) and not just packets or flows that identify ports and IPs (Layer 3).

Let's say most of the traffic nowadays goes through HTTP, your web browser.

When you browse the web, what do you suspect happens? Your browser sends HTTP requests to servers around the world, and in return, you receive a response. Big data packets originate from business applications as well, such as file transfer protocols (FTP) or web services such as MapReduce or Twitters API. Oftentimes, a breach happens through these protocols, whereby a Layer 3 firewall could potentially let the threat in (such as SQL injection by default) without explicitly denying these requests.

The solution's best features include:

• A packet-filtering firewall that examines packets in isolation and does not know the packet's context.
• A stateful inspection firewall that examines network traffic to determine whether one packet is related to another packet.
• A proxy firewall (aka application-level gateway) that inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
• A Next-Generation Firewall (NGFW) that uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.

One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.

I've used the solution for four years.

We did not previously use a different solution.

The costs involved depend on your needs and budget.

We did not evaluate other options.