We have around 500 firewalls all around the world with a global team to manage them. We are using Check Point NGFW for Internet traffic, IPS, and UTM devices.
Atos provides this solution, including network design and advice.
In a VPN setup, we have Internet connection via Check Point. The connectivity is not turnkey like competing devices. We have not yet terminated our site-to-site VPN because things are fluctuating right now and Check Point needs to be upgraded. Also, their troubleshooting needs to be improved for this.
I have been using it for five years.
I haven't seen any stability issues, though I have seen some issues with the management of the gateway. Stability-wise, it is good (a nine out of 10).
We have 74 locations. We can have 10,000 users maximum via an Internet gateway. We have four data centers across the world: two in the USA, one in London, and one in Dubai. Passing through Check Point per location: in the USA - 5000 users, in London - 2000 users, and in Dubai - 10,000 users.
There are 12 network security engineers/consultants managing Check Point and the legacy firewall, SonicWall.
Right now, we cannot go directly to Check Point because of vendor dependency. We have to first initiate with our vendor.
We migrated SonicWall to Check Point about two years back. That took one year to set up in our organization.
We switched away from SonicWall because it is a legacy firewall at end of life. SonicWall was missing features that Check Point has, like UTM, IDS, IPS, antivirus, etc. Check Point is better for protection and performance-wise.
It is easy to deploy or upgrade. There is no need to do this manually with commands. This solution can be set up online.
We have two devices. Right now, we are deploying and upgrading a new setup, where you can do management, management plus gateway on the device, or virtually you can install your management device on VMware or Hyper-V. With the Hyper-V and the Management Server, you can access all the gateways. For the Management Server and gateways, we have an activation key.
We are an IBM OEM company who received installation support from that vendor. They provided all the network connectivity.
For our implementation, we:
For our strategy, we looked at:
A smaller office of less than 500 people would get a 4000 Series. Whereas, a larger office would get a 5600 or 7000 Series. We have to be focused on the natural topology.
We have had some vulnerabilities when we upgraded the R80.30 Management Server. We have some gateways right now in our R77.30 version, and this means if we go without license in R80.30, then it will prompt a bad connection and terminate. We have had some license difficulties with the connection going from R70 to R80. However, these don't largely impact performance.
We looked at Fortinet and Palo Alto. We did not feel FortiGate was capable of what we required. Palo Alto is somehow not as good as Check Point, budget-wise and performance-wise. Palo Alto is more costly than Check Point.
If you need good support or something that is good budget-wise, then I recommend going with Check Point compared to Cisco or Palo Alto.
It is a good firewall. It has returned good performance. We are happy with the product. I would rate the product as a nine out of 10.
Generally speaking, it's like any other NGFW. It's quite a versatile solution for many aspects. It's not like a separate solution for firewalling, but a separate solution for web access. It's just very convenient to have everything in one box. On the other hand, when you need something, like a very top-rank solution for very specific things, like network intrusion prevention or network intrusion detection as a component of NGFW, I would say it looks weaker compared to the well-designed solution for its purpose. It has the same issue as many other versatile or unified solutions, so it's really convenient.
From our point of view, including me and my colleagues, I would say it's really good that they have a lot of integrations with third-party companies. Integrations with third-party companies are really convenient. API offers many convenient ways to integrate with open-source solutions. It's very, very good when you have everything in one package and one bundle.
If you check each and every point from this part, you will find some flaw in an area, or you will discover another flaw in another area. It's unfortunate, and not a usual situation and it is not just for NGFW but for any other tool, making it a disadvantage where improvements are required.
For the next release, I would prefer the tool to be more flexible in terms of general deployments because some additional companies must be deployed as a basic one. For those who have been working with their solutions for a relatively short amount of time, it would be better for the tool to offer an adequate knowledge base, not just very superficial information, or maybe not too much in that spot, something like average stuff. The tool should be more flexible in terms of deployment, and a more adequate knowledge base should be available.
About the UI, it is hard to comment because it has been more or less the same for many years. Professionals have already been using the tool's interface for many years. From a contemporary angle, the tool's interface looks a bit outdated from a UI point of view. The UI has been more or less static in terms of changes for the last couple of years. People can get to the UI and work with it in a couple of months, but compared to any other solutions on the market, which are more flexible and more rapidly evolving, I would say that UI should be considered for improvement.
I have been using Check Point NGFW for two to two and a half years. My company is a partner and reseller of the solution.
For stability in high-load networks, I rate the solution a six to seven out of ten.
Scalability-wise, I rate the tool an eight to nine out of ten.
There could be some performance issues under the heavy deployments and heavy load, but generally, if you are talking about the general scalability, it is quite good.
The tool is suitable for large and very large enterprise businesses. From our company's practice, I would say it is meant for banks and financial institutions. It is also quite popular in heavy industries. I would say it has a more or less wide list. It is more or less very popular in banking.
The tool can be scaled up, but even despite high scalability, it requires a lot of extra companies to bear a high-load environment and high-load networks, making it a bit unfair, especially when comparing some of the numbers with the real-world statistics it likes too far from reality.
The solution's technical support is fine. I rate the technical support a nine to ten out of ten.
Positive
If ten means easy, I rate the product's initial setup phase a six to seven out of ten. It is not a plug-and-play solution. It requires much more skill and effort for the specialist to set it up properly. Even if there are any PoCs, you can easily discover the difference between the easy setup process and the more difficult setup phases, and I would say that Check Point falls under the latter category as it takes much more time and effort. Sometimes, it could be buggy, and you just need to fix some other firmware or software update.
The solution is deployed on an on-premises model for large and very large enterprises.
The time to deploy the solution depends on the stage because you can talk about the initial deployment or you can talk about the deployment, including the integrations. I would say that the integrations would be really time-consuming. For the initial deployment, I would say it is a couple of days if it is not really a large installation and a couple of weeks are needed for the initial deployment.
ROI is like an artificial point in connection to a solution like Check Point NGFW, and its numbers are quite questionable.
Suppose the company has too many different solutions from different vendors. In that case, it becomes a greater burden in terms of support and everything, especially in terms of management of these solutions. I would say that Check Point would be a good choice if they are planning to migrate. If it is something like a choice between one NGFW from a vendor and you want to move into the Check Point NGFW, it becomes a bit more tricky. It becomes really hard to say about the ROI because it is just like a different approach. If you are moving between a lot of different solutions from different companies, then ROI will be really good and attractive.
The tool's price is reasonable in case you are not using it in a high-load environment. If you are not expecting significant increases or peak increases in loading, it should be fine. If it is a really highly loaded VLE environment, and if you try to rely on the tool's official numbers, I would say you can put your environment and network in jeopardy because it becomes really unstable. For the last couple of years, the situation has changed, and it has become really tricky to understand why the tool's official numbers aren't aligned with real-world numbers, which is a big problem for the VLE customers because when they are just trying to consider their official stats and official scalability numbers, it might be tricky. VLE customers should have, like, a 20 to 30 percent extra, or else, at this point, it becomes much more expensive.
The tool's prices don't make any sense because we are not talking about MSRP prices for VLE. We are talking about the discounted prices, which could be a really, really huge gap between the MSRP and the discounted price. I don't think these numbers will highlight any beneficial aspect of the price for you.
There needs to be accuracy in terms of scalability. It should be well-designed, and if the customer does not have enough resources or their own resources, it is better to involve an adequate number of SIs. The system integrator will do the trick, and if a person is experienced, then everything can be really good in terms of the certifications, the statistics, and everything else. The system integrator should do everything properly, but it will be quite expensive, especially if we are talking about large and very large enterprises. For mid-sized businesses, it should be fine because it is less tricky, and even the normal specialized person on the customer side should be fine with using it, as it can be quite easy. In any case, scalability is a bottleneck here.
I rate the tool a seven out of ten.
I used Check Point NGFW to secure the data centers of medium to large enterprise companies. In many cases, it serves as a perimeter firewall, though its use can vary based on specific needs. Primarily, it functions as a defensive firewall.
The GUI is not very user-friendly, and configuring it can be challenging. The management console often has issues, sometimes requiring high CPU usage on your FTP or Windows system to open or manage sessions. It can be resource-intensive. Additionally, when viewing or monitoring logs, they sometimes do not appear immediately and may be outdated or missing.
I have been using Check Point NGFW for two years.
It is a stable device.
They support a range of enterprises, from small to large. Their solutions can accommodate environments with as few as 50 users to those with thousands or more. So, handling a large number of users is not an issue.
Support is very good.
Positive
The initial setup is not straightforward and can be more complex than that of other devices like Palo Alto or Fortinet firewalls. The setup for the CMA and management center requires careful implementation. Additionally, integrating components such as MDM and other security devices, including sandboxes, can be challenging to achieve a cohesive and secure environment.
The time required for deployment depends on the amount of configuration needed. Typically, it might take a full day, but with sufficient time, a basic configuration can often be completed in about eight to ten hours.
I have worked with both on-premises and VM versions. The CMA is typically deployed as a VM on a server, while the firewall is a physical device.
I have already deployed many times by myself, so there is no need for many people.
It is a cheaper device than what other vendors offer.
For security features, I typically use the templates or standards provided by the vendor. Based on my experience over the past three years, I haven’t encountered any significant complaints from customers about attacks or major issues while using the firewall to protect their data centers.
Google has a premium partnership with Check Point, involving extensive verification processes for major customers. This strong partnership indicates a significant level of collaboration between the two companies.
I haven’t handled any maintenance, but the support center has been very helpful. They provided excellent support and demonstrated strong knowledge whenever I reached out for assistance. They are proficient in various languages and have a good grasp of Linux, which is essential for effective support.
They provide good step-by-step implementation guides, similar to what is available for Fortinet's FortiGate. However, I find the implementation process for other vendors to be easier. Pricing varies among the three vendors, so there are differences in cost. Palo Alto offers the best options for sizing, though I haven’t worked operationally.
I recommend it, but you should know Linux and its commands to work effectively with this device.
Overall, I rate the solution a six out of ten.
Check Point is mainly used for internal communication. Our clients have multiple platforms, and customers use it for internal communications and protection, from the DMZ to the LAN to the DMZ, and also for MPLS connectivity with multiple branches.
As I've seen, the customers also use it as a gateway for publishing their website. This is only for the perimeter, however.
It is very easy to identify the logs. It is also very well managed because of the threat cloud architecture.
Another thing is that whenever we make changes on the firewall, we first need to publish them and then install the policies. This allows us to double-check the policies before they are implemented, which is helpful.
We faced many challenges. For example, an issue with the managed view that Check Point has. When clicking on a rule, we are supposed to have a full view of that rule and its log portion. This should show what's passing through the rule, what's coming to the rule, and all of that on a single pane of glass. Currently, the log isn't showing when we click on a particular rule. This might be an issue with an upgrade or something. Because of this, we can't implement anything on the live system; we only have a maintenance window every weekend, and it's hard to troubleshoot within an hour.
Another problem is that when we created around two lakhs of Check Point objects on the firewall, it became very slow.
I have been using it for two months.
It is not slow. But, we implemented two lakhs of objects on the firewall, and that caused the slowness. It can happen with all firewalls, not only Check Point.
Currently, I work with enterprise customers.
It was good. No issues with that.
Positive
I can recommend Check Point, Fortinet, and even SonicWall.
I come from a system integrator background; we first understand the customer's requirements before suggesting a firewall. Sometimes we aggressively push SonicWall because the user's requirements are more aligned with SonicWall. That's how we propose solutions.
It is very easy to install, not that complicated.
The complexity and time depend on the customer's requirements.
No maintenance: In the past two months, we haven't faced anything that required replacements on the firewall.
Pricing is good. The price is very reasonable for enterprise customers.
It offers average pricing. Previously, I worked as a system integrator, and we faced some cross-product environments where Check Point was quite costly compared to the product we were working with.
Overall, I would rate it an eight out of ten.
The solution is our main firewall. It protects our perimeter.
The tool has solid firmware with very few vulnerabilities. We don't need to upgrade it for vulnerabilities. It is rare when compared to the competitors. The product’s performance is good. My organization chose the product because it is stable and provides a very good Software Blade.
The tool must improve its support. The support provided by partners gets expensive.
I have been using the solution for around six years.
The product is stable.
The solution protects the entire perimeter. Every user passes through the firewall. It is used daily. We have around eight administrators. The solution requires very little maintenance.
The initial setup was easy.
The solution is expensive. A medium data center would cost around $17,000 per year for a medium enterprise.
Except for Palo Alto, Check Point is good compared to its competitors. Cisco ASA lacks features.
It is a good product. There are other competitors. Check Point NGFW is easy to deploy, manage, implement, and troubleshoot. The operation is pretty simple. Even a few operations people can run it very well. It is pretty much stable. We need to safeguard the data of our organization very well. Check Point NGFW is a leading solution provider. Security products must not have many vulnerabilities. Overall, I rate the product a nine out of ten.
We use Check Point Quantum Network Gateways for all our on-site firewalls. It protects the network edge, network core, data center, and our AWS direct connect.
We are a payment facilitator and security is one of our core requirements.
We have implemented VSX which enabled us to reduce the hardware footprint.
We have implemented 6700NGFW, 6600NGFW, and 6400NGFW in different network segments. We have enabled basic firewall, ClusterXL, and IPS licensing.
Due to the nature of the traffic, we do not use Application Control or URL Filtering.
With our previous firewall solution, we had no automated compliance tools. Now, with the Check Point Quantum Network Gateways, we have the ability to automate compliance reports for both GDPR and PCI3.2, and by using VSX (Virtual System Extension) we have reduced our data center footprint. This will lead us to become a more sustainable organization.
We have found the central management (Smart Console) to be very helpful in managing all the firewalls and keeping the software/hotfix versions up to date.
By implementing VSX (Virtual System Extension), we were able to reduce our hardware footprint, reducing both direct and indirect costs. This also enables us to quickly scale up or down to meet business needs.
We have also found that the Intrusion Prevention System implemented on Check Point Quantum Network Gateways is robust, efficient, and very easy to implement. Being able to add it later as a software feature is a real boon. The customization options enabled us to zero in on our specific use case.
Due to our unique environment, we have to implement BGP on our firewalls, and the way that BGP is implemented on Check Point Quantum Network Gateways is not intuitive and requires additional custom configuration. This caused a significant delay in our migration. The way that NAT is implemented was also not intuitive and required additional custom configuration.
We have also run into an interface expansion limitation, and thus it would be helpful if products lower in the stack would offer more interface expansion options.
The solution has been in use for one year.
During the first year of operation, we have seen 100% up-time.
Due to the VSX implementation, I would conclude that it is highly scalable.
Customer service and support from the vendor have been excellent. They have assisted in communicating issues back to Check Point and the subsequent response from Check Point has been very good.
Positive
We used Cisco ASA 5500 series firewalls, but these have reached the end of life and needed to be replaced.
The initial setup and migration were complex and we had a vendor team assisting.
The expertise of the vendor team is excellent; I'd rate their services nine out of ten.
It is important to carefully consider your needs. Additional features can be activated easily - for additional licensing costs. However, opting for extended licensing can provide cost savings through discounts.
In looking at replacing the existing firewalls we considered Cisco, Palo Alto, and Check Point.
Check Point Quantum Network Gateways offered us a more favorable price point without compromising on functionality.
The solution is used for edge and interior firewalls. We use large-scale Check Points for our edge and have them set up in an active/passive cluster. For our internal firewalls at the remote sites, we use a virtual firewall for the OT DMZ, and then behind this virtual firewall, we have a physical appliance for the actual OT network. This allows us to fully secure the critical network yet still allow access via jump hosts or other remote management that we have approved. It also gives us excellent control over any north/south traffic.
Check Point is probably not the easiest or cheapest solution to use; however, we have never had any issues with their security, and the technical issues we have had with them are few and far between.
Most support calls for us are centered around how to best deploy a feature or why something is being blocked by a certain blade. This is one of the main reasons we continue to use them as they provide proven security for my company and the built-in blades generally always provide a benefit for us.
The central management and logging are frankly one of the top selling points.
The actual management is perhaps a little confusing for a newcomer to Check Point; however, it does not take very long to learn the basic ins and outs.
The logging capability of Check Point is excellent and very rarely have we wanted more. The logging is very fast and easy to use, and this makes finding items across all 80+ firewalls very easy.
It is also easy to export all logs to our MSP since it is from a central point. The other built-in features are also helpful as it eliminates the need for some extra security appliances.
Lately, Check Point seems to be pushing new products too early. We have evaluated a few we thought may be useful to us yet were just not ready for enterprise use. Every company goes through this so hopefully, they will slow down and get the products up to speed and working better before trying to bring them to market.
The current products that have been around for more than a few years generally do not suffer from this issue; however, their documentation does lag severely when a command changes or, say, the way to configure it changes. Support generally is up to date, but the KB articles are not always this way.
I've used the solution for 18 years at my current company, and another four at my previous company.
The stability is excellent.
Scalability is excellent, especially the newer products.
The technical support is mostly good. Their Tier 2 and higher engineers are excellent. Like any call center, however, their Tier 1 can be hit or miss. We use a third party for front line support so mostly never encounter anything less than Tier 3 since the only issues that get directed to actual Check Point support are already vetted out.
Positive
We used SonicWall. We switched due to wanting a more enterprise-quality product and previous experience.
The setup is complex; however, we knew this from the start, so it was not unexpected.
We set up the solution mostly in-house. However, we were experienced with Check Point installs.
I have no visibility on ROI.
If new to Check Point, get pro services to help deploy it - especially if it is an advanced config. This will save huge amounts of time and grief. Once you have experience, pro services are generally not needed unless, again, you have no experience in that area.
We did not evaluate other options.
We use Check Point firewalls to prevent attacks against the data center servers by adding more layers of security, such as IPS, Data Leak Prevention. We have also used Check Point to implement security policies in layer 7 and applications as well as to configure the VPN for internal users of the organization.
Check Point's firewall security solution is a complete solution that allows you to prevent attacks against your data center servers and avoid the transmission of viruses to end-users via ransomware, phishing, or forgery of URLs.
Check Point has a centralized console that makes it possible to manage all the deployed equipment. It also has a built-in VPN service that lets users connect through VPN to our organization, which facilitates teleworking while cutting off unauthorized access to the organization's internal network.
The predefined reports are limited and should provide more information. Check Point should provide a greater number of defined reports and produce reports for each division of the organization. Also, historical statistics cannot be obtained from the central console; the data or logs must be exported to another machine and processed from there to obtain this historical information. The number of available physical ports could be increased and Check Point could add support for higher speeds.
We have been using Check Point firewalls for more than 10 years.
Check Point is a company that has been producing firewalls for many years. It is a leader in today's market, and its products are very stable. They are always updating and improving their products to stay at the top of the market.
Check Point NGFW allows easy and fast scalability.
Our experience with Check Point technical support was very positive. They always resolved questions or incidents quickly and professionally.
We have always had Check Point solutions.
The initial configuration was simple. The previous team was also using Check Point; we only had to export and update the rules. Only a couple of things had to be corrected and changed.
It was implemented through a Check Point partner who demonstrated great experience in migration.
When implementing, I would suggest you define in a real way what you want to allow (applications, content, destinations, etc.) and drop the rest of the traffic. It is important to review the groups, objects, and networks created to efficiently define the security policies that you finally want to implement.
Before making the last purchase, we evaluated other solutions, such as Palo Alto or Fortinet.
I would rate Check Point NGFW 10 out of 10.