Check Point NGFW Reviews

I use CheckPoint in our data center to control the internet and to enable threat prevention. I then integrate it into my center and to my events.

I like the SmartEvent feature. When we see a threat, SmartEvent can create a rule for that. SmartEvent works with the SmartCenter to block a threat attack with a block monitor. The SmartCenter has the management for all the firewalls and data centers in a single dashboard.

It could be more stable and scalable. Check Point price and support could be better.

I have ten years of experience using Check Point NGFW.

Check Point NGFW could be more stable. I think the problem is that the kernel sometimes won't play ball and isn't stable. Sometimes, they have a block, and we have to spend a lot of time fixing it. In contrast, I think Palo Alto and Fortinet are more stable.

Check Point NGFW could be more scalable. I think Palo Alto has more plugins and features, and Check Point needs more features. However, Check Point integration is very complex.

Check Point support could be better. I think Palo Alto has a very clear pricing model. When we have an issue, we create a ticket and receive fast service from Palo Alto. It's good.

The initial setup, in my experience, isn't simple as Fortinet and Palo Alto. It would be better if the person doing it has experience. 

I implemented this solution by myself.

The price could be better. I think Palo Alto pricing is high, and Check Point isn't much better. FortiGate is cheaper. I think when I implemented this solution, I recommended buying a yearly subscription.

When I choose a solution for a customer, I must verify the features, current specifications and make recommendations. When we use an all-in-one firewall solution, we usually recommend using a Palo Alto external firewall. This is because Fortinet has an SD-WAN solution and firewalls, and Palo Alto is the same. But I don't think Check Point has one. When a customer doesn't want to implement many solutions, we recommend using Fortinet or Palo Alto.

On a scale from one to ten, I would give Check Point NGFW an eight.

Primarily, we implement the solution at a couple of sites around the world and have created five site VPNs across it. We are running a pretty decent policy to make sure internally our infrastructure is secure.

The product offers excellent security. How open they are with new risks and new vulnerabilities is very helpful in the task of keeping our company safe from malicious attacks.

Newer versions are much more stable.

The UI could use some improvement. It's not as clean or seamless as it could be. 

It's my understanding that the initial setup is a bit complex. There's a bit of a learning curve if you're trying to set it up for the first time and you aren't familiar with the product.

Older versions were a bit unstable. 

We've been using the solution for six or seven years so far. It's been a while. 

While this version seems to be quite stable, Check Point, in previous versions, had a lot of issues when we used to do firmware updates.

We have 200 people on the solution currently. 

I also have experience with Fortinet. I don't have too much, however. It's still very new to me, and therefore it's hard to compare the two solutions. 

While I didn't directly participate in the implementation, from the people that participated, I've heard that it's complicated if you don't know the product very well.

We hired a company to do the implementation. I don't remember the dynamics of the team. The last time it was set up, there were two people on the implementation team. 

While we don't have a direct relationship with the company, we do have business relationships with both Fortinet and Checkpoint partners.

I'd rate the solution at a seven out of ten.

We use this solution for perimeter security and data center security.

On the firewall side, the security efficacy is good. The interface for application filtering and application-based policies is also good. They have good roadmap on the cloud as well.

This solution requires management software that is sold separately; it's actually a different appliance altogether. For smaller customers or smaller environments, this becomes an added entity in the environment. Not to mention, they'll also have to invest a lot in the necessary management stations. If that came built-in, it would really benefit smaller businesses. 

The performance when you enable decryption could be improved. That's a CPU-intensive task. Many customers struggle if they try to implement decryption — it can really hamper the performance. It's probably something to do with the appliance or the hardware design. This needs to be examined further.

I have been using Check Point NGFW for roughly five years. 

This solution is quite stable. Performance-wise, I have seen customers using this solution for years without issue. 

There are different models available. Sizing can be done accordingly. They have a good range of versions available for small to large data centers. So, scalability is definitely there. 

As I am not an end-user, I haven't really had any contact with support. Still, none of my customers have had any complaints regarding support.

The initial setup was fairly easy. Still, compared to other vendors, the learning curve is a bit complex. 

Compared with Palo Alto and Cisco, the price of this solution is quite fair. Compared to Fortinet and other vendors, it's probably a little bit on the higher side. Really, it all depends on what you get at the end of the day.

Overall, on a scale from one to ten, I would give this solution a rating of eight. 

I would definitely recommend this solution. It's a good platform for perimeter security. In an enterprise, you need good security. There's endpoint security, network security, and cloud security. Check Point's strongest point is network security; they still need to catch up on endpoint and cloud security. If you're interested in integrating all of these tools, then there are better products available. However, as far as network security is concerned, Check Point is really good.

The primary use of the firewall is to allow or block some traffic. Mainly, it is the perimeter firewall for the Internet. It filters the traffic from external to internal, e.g., to secure the traffic. 

Some of our customers have been demanding Check Point as their firewall product.

I do the installation, support, firewalls, etc.

It provides a central station where it is very easy to deploy our firewall policy in one click to many firewalls. This is one of the leading perks. It saves time by having one central station because I can deploy the same kind of policy to many firewalls at once. 

With the latest release, it's easy to configure firewall rules with the scripting. This is one of the features that we have been demanding for some time so we can script some actions for automation.

The best part is that it is very intuitive. It is easy to configure, deploy, and maintain. If it works, it works.

The troubleshooting: When you find something that is not working, it is very easy to check in the logs what is failing and fix it in a short time.

The login tool is really nice.

We can virtualize the physical firewall in a virtual environment. However, the virtual environment is not stable at all. We have some customers who are using the virtual environment feature, and sometimes it crashes. We have many tickets open and the response is not as good as expected. We have to wait months for a resolution.

If you use all the features available on the firewall, it's not working. If you keep it simple, then it works. When you try to do cool things, you start to have some problems because that kind of integration is not fully developed.

I have worked with Check Point since 2007.

When it is failing, it is a nightmare. The stability has room for improvement. Sometimes, it is not working at all.

The scalability is good. I haven't had any scalability issues. If the firewall gets stressed, we buy a new firewall.

There are many options, such as, virtualization. They have also release a new product, Quantum, that makes it possible to scale up and have more firewalls. 

As an integrator, we have very big companies (like banks) to small companies, who have only 200 users or less. 

I would rate the technical support as a six out of 10. I have customers with no tickets open with Check Point and other customers who have many tickets open.

Solving some issues with them is a nightmare. They don't reply in time. They always ask the same questions. I expect better feedback from them, but that usually never happens.

Before Check Point, I used Cisco and Fortinet FortiGate.

The big differences is really the full integration firewall, e.g., Cisco doesn't provide this. Also, the Check Point central console is so much better because it provides that one central station, which is a plus.

The con for Check Point is the stability. The hardware for Check Point fails more often than other vendors. Usually, other firewalls are more stable than Check Point so I don't have to open as many cases with other vendors, like I do with Check Point.

There are two parts:

1. In the physical, you deploy with a wizard, which makes it very easy. It is a standard wizard where you click "Next, Next," then you see the GUI and everything is done there.
2. It is possible to do it in automatic way with the scripting. In the cases that you have some experience on it, it's very easy to deploy some scripts and the firewalls. For example, in the cloud, I created my own firewall with the same setup every day using the auto-integration since it's possible to integrate Azure with Check Point, which is very easy. One of the best features of the Check Point is its integration with the cloud, because not all vendors have that kind of integration.

The deployment time depends. If I do any scripting, it takes 30 minutes. If I do it manually, the deployment takes two hours. It also depends on the size and scope of the deploy, e.g., if I create a basic firewall rule or do a full automatic migration. However, It does take less time than other firewalls.

The implementation strategy depends on the customer.

I can deploy one firewall in an easy way. I can do it quickly by equiping firewall rules in text mode or in the API. However, when I have a problem, it's totally the opposite. I lose a lot of time.

The pricing and licensing are the worst part of Check Point. I usually don't know what I really am buying. When I have to do an inventory of the license, I don't know what it is being used for. Sometimes I feel I am being cheated, and the others times, I feel it is a bargain. Nobody knows! Even the Check Point representatives, they aren't clear on somethings, such as, what is the right license for what I need.

There is a possibility to have diamond support. You can have a technical engineer who is there just for you. When you have that type of feature, it's more expensive.

Cisco NGFWv

• Check the price first. 
• For migrations between different vendors, it's a nightmare. You need to do some tasks manually, otherwise it doesn't work when you migrate it. 
• Check the performance if it is working as expected. 
• Try to keep it simple.

It is a good product. I would rate the solution as an eight out of 10.

The primary use is to segregate the environment internally to create a lab environment and a production environment, for example. We also use them to protect the company from the internet and when going to the internet; to protect the perimeter of the company. We use them to create a VPN with customers and clients, and with the other companies that belong to the group.

We work with 1200s, 1500s, 4000s, and 5000s.

With this firewall on the perimeter, we detect a lot of attacks with the IPS and the antivirus blades. With the SmartLog for our team that operates the solution, we have a very intuitive way of searching the logs and seeing events, when compared to other vendors that we also have. This is the biggest advantage of the Check Point compared to competitors.

We have a lot of Check Point firewalls and a lot of Fortinet firewalls. The biggest advantage of the Check Point for us is that daily operations are much easier. That includes working with policies, checking and searching logs, dragging objects on the policies and searching where objects are used. All of that is easier in the SmartConsole than doing it on a browser, as the competitors do.

The most valuable features are the

• security blades 
• ease of managing the policies, searching log for events, and correlating them.

Upgrades and debugging of the operating system, as well as the backups and restores of configuration, need improvement. 

Debugging is very complex when compared to Fortinet, for example. That's the worst thing about Check Point. The deployment of the solution is harder than it is with the competitors. But after you've deployed it, the operation is easy.

I have been using Check Point firewalls for about eight years.

They are very stable. We usually deploy them in clusters, in front of the node. We always have the other one functioning and we have never had an occasion in which one failed and the other also failed. We also have support for the hardware. But regarding their functioning, we are very satisfied. We have never had a big outage because the two members of a cluster went down. They are very good in terms of stability.

We have some firewalls with the VSX functionality which allows us to add more virtual firewalls to the same physical cluster. That allows for scalability. But when compared to Fortinet, the way to have more than one virtual firewall on the same cluster is much harder.

It's very scalable if we have the VSX license for Check Point, which we have in some places. But it's much more complex than adding to the FortiGate. So it's scalable, but it's not easy to work with VSX, especially compared to the competitor.

Our usage should be increasing weekly because our company is buying other companies constantly and we need to deploy firewalls on the companies we buy. It shouldn't increase a lot, though, just a bit.

We have about 1,000 users crossing the firewalls and 10 network admins.

The technical support is good in general, but it's better if you call and you are answered by the headquarters back in Israel. We notice a difference if we call at different times and we go through Canada or some other country. It's not bad, but we notice a bit of a difference in the way they handle the tickets and the knowledge they have.

We usually try to open tickets when we know that the office in Israel is open and they are taking the tickets. But there are some times that we can't do that. The others are not bad, but for some stuff we need quicker support and we feel we are being handled better on the Israeli side.

The initial setup is complex and when you have issues, it's more complex. 

To create a cluster or to add a new firewall to the Manager, or when, for example, you want to add a license for IPS or for antivirus, there are often problems with that because it doesn't recognize the license. We end up having to call support. With Fortinet, that kind of initial setup of the firewall is always straightforward.

Now that we have a lot of experience it takes us two days, at the most, to deploy a Check Point firewall, if we don't run into problems with the license.

We are not at the data center, so we need to ask the data center guys to mount the firewall where we need it and to patch it. Then we access it via a console cable, remotely. We have equipment that allows us to do that. We do the initial config via the GUI, and then we add the firewall to the Manager and we start deploying the policies.

We implement the firewalls ourselves.

The return on our investment with Check Point firewalls is that we are secure and that we haven't had any attacks that have had a big impact or that were successful. If we had been paying a lot and were being targeted to the same extent, I would say no, that we have not had a return on investment, but at this stage it's a "yes."

In the past, when Fortinet was a young company, the price point of Fortinet was very low compared to Check Point. But at this stage, our experience is that the pricing is almost the same. The pricing of Check Point is fair when compared to others.

The only additional cost we have with Check Point is when we need to do a big migration. Sometimes we need a third-party company, but this is not usual. It's only for big migrations that we sometimes have support from an external company. The last time we needed something like that was two years ago.

Half of our environment is with Check Point and the other half is with Fortinet. We don't have a strategy of giving everything to one vendor; we like to have both.

If the person implementing it doesn't have much experience in how the solution works, with the Manager and connecting the firewall to it, and using the SmartConsole, they should try to go through the CCSA materials for Check Point certification. Check Point is easy to work with on a daily basis. Sometimes we get new people working here and they can add rules straight away on the policies and push policies. But if they need to deploy a firewall and they are not used to Check Point and how it works and the components, it's not that straightforward. With competitors like Fortinet, you just have to access the HTTPS of the FortiGate and it's like configuring a router, which is much easier. With Check Point, you need to read some manuals before you start deploying the firewall.

The biggest lesson I have learned from using Check Point firewalls is that if you lose the Manager you lose the ability to manage the firewall policies, which is, in my opinion, the biggest difference when compared to other vendors. Because, for example, if the Manager stops working and the server where you have the Manager gets stuck, you have no way of managing the policies directly on the firewall.

We use Checkpoint Firewalls to protect Datacenter VLANs against each other. In addition, we use them to protect our perimeter systems from the internet, and our internal network from the perimeter.

We have virtualized the systems on a VSX-Cluster using VSLS, but the basics are still the same compared to a traditional cluster. VSX gives us a bit more flexibility in the case of load-sharing. Therefore, it’s quite easy to react in the case of heavily used hardware distributing the load by failover or prioritizing VSs onto different nodes.

The biggest improvement is the central logging and management of all firewalls. Other IT-departments can get log-access and search for their own if there are missing rules or other issues.

Since we use Identity Awareness the solution becomes more flexible, as users no longer need static IPs. Especially for IT-users, who always need more rights, it was a big improvement.

Implementing Wi-Fi makes it nearly impossible to work without Identity Awareness. Unfortunately, we fought with some bugs in the IA-module, but we got them solved.

R80 management has improved and made the product more comfortable for IT people to use.

Filtering through rules and finding similar ones to add additional objects becomes much faster.

With an additional hotfix starting from R80.10, we are able to use the management with Ansible. From R80 on, we started creating objects via script or adding them to groups. That makes some parts “automatic”, or at least much faster.

With the new SmartTask offered in R80.40, we will be happy to configure some automatic control-functions.

The Check Point support needs a lot of improvement. We spend a lot of time troubleshooting issues ourselves, create good ticket descriptions, and try to explain in detail what has already been tested. Even so, it takes at least three ticket-updates before support really understands the issue. If you manage to reach the third-level support, you are still forced to be really critical of what kind of suggestions Check Point support is offering you. Running debugs on a test environment is quite different than running them in a heavily used production environment.

We have been using Check Point firewalls for 16 years.

It's simply a firewall.

1. Enables us to meet compliance requirements.
2. It maintains our security posture.

Filtering. It filters unwanted traffic.

Their products are pretty robust but, at the same time, we deployed ours in HA mode so we don't really worry about downtime, we have redundancy. We've never had any problems.

We have the right appliance for our specifications. If we wanted to get a bigger box then we will just get a bigger box based on our requirements.

We tend to go to our reseller for technical support.

The setup wasn't complex. I went to training and after training it pretty much all made sense. I was prepared for it.

Do your homework and make sure it fits. You have to know exactly what you want, what your requirements are. Make sure that whatever product you are actually going for meets your requirements, suits your infrastructure and how your IT operates.

What I look at when selecting a vendor is how long the vendor has been around, the level of focus on technology, how good they are. And one of the most important things we do is check industry ratings. That's one of the first things we look at, to see which vendors to consider.

I would rate Checkpoint eight out of 10. To get to a 10, there are some issues compared to other products. Ease of use is one. Also, I can never give any product a 10 out of 10. It's just impossible. There's always something definitely missing.

We primarily use the solution for security.

Check Point NGFW is a stable and user-friendly solution. It has increased the security level and stability within our organization. With the ATP solution, it works and is fully competent. It can catch many zero-day attacks and it fits NGFW well,

The most valuable features are IPS and Antivirus. 

The Blades work fine and the performance optimization is great.

In some features, it is not easy to use the Check Point firewall. 

The IPSEC VPN setup is not easy to configure. In some cases, if the VPN is not established, it is very hard to troubleshoot the configuration. It does not address the problem well. 

The upgrading process takes too much time.

I've used the solution for seven years.

The stability is very good. I would rate it at a nine out of ten.

The solution is scalable. I'd rate it at a nine out of ten.

In most cases, they answer our ticket in one day. They are willing to solve the problems at hand.

The initial setup is not easy, however, it is also not very complex. We have to use both the Gaia and smart console interface and it should be checked for some conf from the CLI.

We did and their expertise was high. We did not face many problems.