Check Point NGFW Reviews

We use the solution for securing all of our servers facing the public network, site-to-site VPN, and SSL VPN like the webserver, e-services, and many other such applications. I have been using the below-mentioned modules:

• Application Control
• SSL Inspection
• URL Filter
• IPS/IDS
• Virus Scanner
• ATP
• DNS Sinkhole
• File Content Scan (Archived Content)
• Link Protection
• Safe Search
• VPN
• Anti Bot/Anti-Spam
• Threat Emulation/Extraction

I can say each and every module has benefited my organization and I would highly recommend others to deploy Check Point solutions.

We have good peace of mind now, after deploying this solution. We could easily defend against zero-day attacks and day-to-day vulnerabilities.

Since the time we deployed the solution, we are 100% safe and secure.

At present, the newly deployed solution is being used for reverse proxy, the site-to-site VPN, and SSL VPN along with the proxy for a few of the machines.

Their threat emulations and Bot Services are a must-try. 

You can just deploy it, sit back, and relax without any issues.

The most valuable features include:

• Application Control
• SSL Inspection
• URL Filter
• IPS/IDS
• Virus Scanner
• ATP
• DNS Sinkhole
• File Content Scan (Archived Content)
• Link Protection
• Safe Search
• VPN
• Anti Bot/Anti-Spam
• Threat Emulation/Extraction

Each and every module provides 100% accuracy. 

Their threat emulations and Bot Services are excellent.

Additionally, they have an excellent support team working around the clock. The engineers have excellent knowledge and provide us with a resolution in a very timely manner.

I have been using Check Point technology since 2011 and recently I have deployed new NGFW, the upgraded version, in a cluster along with the management box.

Check Point updates and upgrades are in a timely manner. There is nothing more that I need in terms of improvement.

Additionally, they have an excellent support team working around the clock. Check Point engineers have excellent knowledge and have provided us with the resolution in a timely manner.

I have been using Check Point technology since 2011 and recently I have deployed the new NGFW. It's the upgraded version and we have it in a cluster along with the management box.

I've used the solution for the last ten years.

The solution is highly stable.

The solution is highly scalable.

Customer service is excellent.

Positive

We did use a different solution originally. We changed to Check Point for achieving high levels of security.

The initial setup is straightforward.

We implemented through a vendor team and I would rate them at a 10 out of 10.

It's excellent and the management is very satisfactory.

It's a very economical option.

We evaluated Palo Alto and Cisco.

It's an excellent solution and offers the best support.

We are a large University with more than 1000 employees across seven faculties and growing. Student population is more than 15,000 in-house and 30,000 external. The University of Kelaniya Sri Lanka primarily uses the Check Point 4800 device to protect users and servers. The product also enables the VPN with advanced security policies inside our network. This gives us a better security posture. Valuable features include a good VPN, IPsec, and SSL. We use Check Point 4800 as a perimeter firewall and our internet bandwidth expanded to 1Gbps.

We use it mainly for security and content control. Earlier, we could not block BitTorrent and other high bandwidth downloads from our firewall. After introducing this NGFW, we have improved our security posture, and now, have peace of mind. 

The most valuable feature is the IPsec VPN. The application and content filtering is perfect for our university. This device gives us alerts and reports on a daily and weekly basis. It gives us the opportunity to know what is going on. The Smart Dashboard and other user interfaces are very easy to use and can be handled without any significant IT skills. It allows for easy policy management.

The Check Point Capsule VPN is a great feature. It connects to our university in a few seconds.

It's easy to handle and manage. No need for significant IT skills to manage this solution.

Check Point Smart Dashboard does not support my Apple MacBook Air. It only supports Windows versions. Checkpoint does not support captive portal in IPv6. We had a big issue. Not solved yet by Checkpoint experts.

Check Point is a stable product.

No issues with scalability. 

We used Cisco ASA 5510 as our perimeter firewall before purchasing this NGFW. It only had firewall features. We switched because we were looking for a strong gateway level security with attributes like antivirus, anti-spam, IPS, web content filtering, application control, and secure wireless access points.

The initial setup was straightforward.

A vendor team implemented this. They gave us in-house training for our staff. They are experts in Check Point and taught us well.

It has a great ROI. 

Pricing is negotiable and competitive.

We selected the following brands and models by going through different reviews:

• SonicWall 9200
• Sophos XG 750
• Fortinet FortiGate 1500D
  
• Check Point 15400

We requested that the vendors do a PoC. Check Point, SonicWall, Sophos and Fortinet agreed to run one. Finally, we chose Check Point.

We are in the higher education sector in Sri Lanka. We produce graduates to our country and other countries.

It's just enterprise firewalls, firewall clusters for redundancy to secure the company network from the internet, and as well as a data center firewall, for example, if you want to split up subnets to control traffic between them.

The management is very handy and intuitive, and it has a lot of features. I think it's one of the products in this market which has the most possibilities.

I saw some other firewall vendors or firewall solutions from other vendors. And maybe I like it because I'm very familiar with Check Point and the management of the Check Point gateways. So, probably, I'm just not aware of how other solutions work and how to use them. 

We also see or have a lot of customers with Palo Alto. That's also a solution we see a lot, but we have been a Check Point partner for more than seven or eight years since the beginning of our company. We have done a lot of research on firewall solutions. 

In our opinion, it's one of the best because the management is very handy. So it's easy to implement every possible configuration, and you have a good oversight of your rule set. 

If I compare it with Cisco Meraki, for example, if the rules grow, then it's very hard to get oversight or to have oversight over the whole rule set. So then it becomes hard to manage.

With Check Point, it's easy because even when you have 200 or more rules, it's still very user-friendly, and you can still quickly manage your whole rule set.

What I like about Meraki is the whole cloud-managed feature, where it can configure gateways in the cloud and preconfigure it as well. So I don't need to have access to the device or create a configuration in the cloud. 

And as soon as the firewall comes online connected to the internet, then it downloads its configuration from the cloud. I think Check Point does also have such a solution, but I'm not aware that it's as easy as Cisco Meraki. Sometimes it would be nice if they would have the same possibilities.

I have been using it for about five years now. 

I have not yet faced any challenges with performance or stability. Sometimes when we implement core firewalls, there are applications that have longer session timeouts than the Check Point firewalls in the default settings. 

Windows has a default session timeout for about two hours, I think, and Check Point's is one hour. So, it's not a performance issue, but the application will not run as well as before the security gateway analyzes and blocks traffic. So, it depends.

Scalability  is a very good point of Check Point's solution. They can scale very well and very large.

The technical support is also very well and specific. It's very useful to have technical support from Check Point.

Positive

I have experience with Nutanix Flow. It's also possible to enable training in Nutanix Flow where you can redirect the traffic to Check Point gateways. I think that's a very useful feature if you need layer seven traffic analysis and blocks. But I don't have any customers, or we don't have any customers, who use chaining. We also don't have any customers who use a micro-segmentation solution from Check Point. So, I'm not aware if they have a comparable solution like Flow.

For the initial setup, you need a good knowledge of the operating system, Gaia OS. It needs some knowledge to get started, but if you've done it once, then it's easygoing.

Normally, we check the customer's requirements. Then we start to deploy the gateway and start with a basic rule set so the customer is able to refine it for their needs. If we are in charge of creating a complete rule set, we will bring all the requirements into a concept and then create a rule set in a more suitable way.

Some customers have very basic requirements. If it's just to deploy the gateways, then it's very easy and quick. You just need maybe a few days and a maintenance window outside of business hours. But there are also customers who have a lot more requirements, like scanning or analyzing the traffic for subnets inside of the network. 

For example, a core firewall can be very time-consuming. You need to do a lot more research and concepts or write concepts on how to achieve that. That can take a few months.

For maintenance, you need to know what you do. It can be difficult if you don't know what you want to achieve. If you are not aware of network security, then probably it's not that easy, and you may run into configuration errors or mistakes. It's easy to manage, but you have to know what you do.

Check Point is not the cheapest vendor in the market, but it has everything you need compared to other solutions. So that's probably the main reason for the cost or the prices. I think it's probably on the same level as Palo Alto.

I would recommend Check Point to other users who are looking into implementing it.

I would advise others to compare or write down their requirements and have a look to see if Check Point is able to fulfill all the requirements.

Overall, I would rate it a nine out of ten.

The customer purchased Check Point 6200 Firewalls to replace their aging Cisco ASA firewalls on the perimeter of their sites. The Cisco Firewalls must be replaced due to insufficient capacity.

It is envisioned that the initial migration will be a direct replica of the ASA configuration, with the client expanding the solution post-migration, with Check Point NGFW features.

This project consisted of the following deliverables:
• Rule base is migrated like for like, in which ASA Firewall zone-based rules will be converted to Check Point Parent/Child layered rules.
• Firewall zones to be imported and reviewed post migration by client.
• NAT rules will be migrated “as-is”.
• Geo-location rules from FTD will be honored and mapped into Check Point.
• Client-based blacklisting will be migrated into the solution, using external feeds via URL.
• A single IPS profile consisting of a clone of the vendor's “out-of-box” balanced profile (optimized).
• 1X site-to-site VPN.
• Integration into Client’s Cisco ISE solution for RADIUS-based admin authentication.
• NGFW licensing and blades to be installed on firewall devices, to allow features to be enabled in the future and expand the solution.

The Client wishes for the ASA firewalls to be replaced with a Check Point systems solution, which consists of 6200 Plus Appliances. 

The initial requirement was to migrate the configuration in an “as-is” state, with the necessary licensing purchased and installed to enable expansion of the solution with next-generation feature sets in the future.

The solution was able to meet and exceed the client's requirements thereby improving the client's environment.

The management server is software-based.

Firewalls and licensing include:
• FW
• IPS

The solution provides a single pane of glass management of rules/logging.

The solution supports IPsec tunnels FOR 1X IPsec VPNs.

The solution integrates with the client’s Cisco ISE RADIUS solution for administrative access.

The compute power of the appliance is great. The Check Point appliances are considered NGFW devices and can process both the ASA and FTD requirements on a single instance, removing the requirement for an expansion SSD module and/or additional hardware.

We'd like an option that can convert other vendors' NGFW configurations to supported Check Point NGFW config for ease of migration.

Check Point configuration options can be very enormous and overwhelming.
Check Point comes with a very lean learning curve even though they offer a robust knowledge base. 

A lot of configuration cannot be accomplished via the web interface or the smart dashboard software and must be done manually via the command line interface.

I'd like to see some built-in automation for the firewall alerts/events to trigger an automated response or recovery.

I've used the solution for three years.

The solution is stable with frequent version and management updates.

The solution is highly scalable and expandable.

The solution offers great customer support.

Positive

We used a different solution and needed more processing power and functionality which this had compared to industry competitors.

The setup was straightforward yet third-party device migration contained a lot of manual configuration conversions.

I implemented this myself.

Pricing can be relatively more expensive when compared to industry peers, however, the functionality makes up for the price difference.

We also evaluated:

• Cisco NGFW
• Fortigate NGFW
• Palo Alto NGFW

This is a great overall solution.

We're an international research laboratory, focused on thermonuclear energy experiments. Due to strong remote collaboration, and to control network communication, we choose the Check Point NG Firewall solution.

Most of the personnel are researchers. We also have a strong collaboration with a University and take care of a European Ph.D. on thermonuclear fusion, as the future clean energy.

We aim to constantly improve firewall technology, which is a key strategy nowadays. We've chosen Check Point in 2007 and step-by-step upgrade and expand cyber security deployment using their solution. 

We appreciate the support and escalation when issues are in place. We really appreciate the solidity of the solution, the redundancy, we own a couple of appliances in failover. 

We use Check Point to grant VPN access both for clients and also in specific site-to-site IPSec remote connections.

I like the dashboard, redundancy, log analysis, threat prevention and ISP, and VPN.

The dashboard has clean and focused menus and tabs, that offer immediate access to important information and configuration. 

Log analysis is really powerful considering the enormous amount of logged data. 

We use a specific function to control bandwidth occupation based on protocols and IP subnetworks.

Fundamental is the interoperability with RSA SecurID, Windows AD/Azure.

We're in the process of moving to the MS O365 cloud, and Check Point helps us with this.

Maybe the VPN clients could be improved, however, only from a cosmetic point of view. They use a very old GUI and should help remote assistance in case of problems to make it more accessible in terms of getting log/debug information. On this, I suggest an approach like ZOOM US, where is clearly defined the application life cycle, and users warned over time.

We're in the process of moving to a cloud hybrid solution based on MS Azure, and on that field, quite common nowadays, it seems that more has to be done, moving from on-premise historical deployment. 

IoT should be considered in future development.

I've used the solution since 2007.

It is an absolutely stable solution. It is easy to put maintenance on an appliance without losing any connectivity.

The last release, R81, is impressive, at least in these first months, having recently upgraded from R80.

My experience is good, both on technical issues, and commercial support during renewal.

Positive

We previously used a Cisco PIX firewall.

The setup is somewhat complex, however, technical documents are clear, and the most common solutions are well described.

We implemented it with a third party and in-house. The support company that helped in Italy is fantastic.

We may need more time to measure ROI.

Check Point is not a cheap solution, however, on cyber security, we prefer to stay with a key player.

We constantly verify other vendor solutions, such as Palo Alto, Fortinet, and Sophos.

We use Check Point to protect our two data centers under an active scheme. It allows us to protect our customer information while preventing cybersecurity events that put our customers at risk. We use threat prevention and extraction, VPN, firewall blade, VSX, and the entire Check Point management suite. Our setup includes two firewalls in a high availability and VSX environment, respectively. We also take advantage of Check Point's load balancer, which works very well. The failover is performed automatically, without any flashing or noticeable impact on the user. 

Check Point NGFW enabled us to switch from a decentralized solution with seven firewalls to a solution that's easier to manage with high-availability firewalls and capabilities that were previously lacking in NGFX. It helped us connect our users working remotely during the quarantine while maintaining our security policies and avoiding zero-day attacks. 

The solution makes administration more straightforward because we can replicate the policies in both data centers with a single click, helping us to deploy quickly in both gateways without problems.

Check Point's most useful feature is threat prevention and extraction. It was tough to manage seven firewalls and a perimeter solution for IPS, anti-malware, anti-bot, and sandboxing. 

Integrating everything in Check Point allows us to see all the attacks that are blocked with our perimeter countermeasures every day. Check Point's high detection rate improves our overall security posture, and we can achieve a low rate of false positives through a few adjustments to the configuration.

It could be easier to access the installation of the Hostfix for VSX solutions. The CLI commands help us understand how virtual firewalls behave in terms of processor, memory, and other aspects. More graphic visualizations of CPUSE commands would be a welcome improvement, and Check Point could expand scripts to run within the solution for multiple tasks.

I've been using Check Point NGFW for seven years

Check Point works well in a high-availability setup, and the failover is fast. We had very few instances of unavailability. It happened once when we had hard disk issues, but the RMA process was quite simple, and the replacement part came quickly.

We added new Check Point firewalls twice this year, and it was relatively simple. You can quickly migrate the configurations, and your new firewall is ready to go after a few adjustments to the settings.

Check Point's support has been excellent, and they respond immediately via phone, chat, and email. In particular, I think the chat support was great. 

Positive

Previously, we were using seven open-source firewalls, and we decided to go for a solution with good ratings from NGFW users. We wanted something well-positioned in the market that had good support.

Migrating from an open-source, decentralized setup with seven firewalls to centralized management was complex, but it was less complicated than we expected thanks to Check Point’s management features. The ability to perform a parallel startup helped a lot during deployment.

A vendor team helped us, and the migration was smooth. The Check Point engineers who worked for our partner were well trained to handle the implementation.

Check Point NGFW can be expensive compared to other competitors, but the price matches the functionality and efficiency of the solution.

We considered Fortinet, Palo Alto, and SonicWall before settling on Check Point

The reason we have the Check Point Next Generation Firewall is that it's our main perimeter firewall in all our branches around the world. It secures the IT infrastructure in all of our environments and our subsidiaries. We also use it to set up tunnels between all our sites.

We have multiple versions from the legacy R77 to the latest R80.40.

In today's world, there are a lot of risks related to infrastructure security, malware and more. The Check Point has multiple blades in the same product, which improve security in IPS, application control, and URL filtering. You don't need to buy multiple, separate products to achieve the best security.

The basic most valuable feature is the firewall itself.

The management platform, dashboard, graphical user interface, are one of the best, if not the best, in the business. It's the most intuitive and it's really user-friendly in day-to-day operations.

The VPN means you can communicate in an encrypted manner between sites. 

The application control and URL filtering are also very beneficial. They enable you to tighten security and decide which applications or websites you want to grant access to. In our company, we don't allow anyone to freely access the internet to surf all websites. Some sites may be sensitive and some of them may be inappropriate. It allows us to control the traffic.

Their management features are the best, from one point of view, but they are too heavy. For example, if you are looking at a configuration file, you can't just browse through it and see all the configurations like you can with other vendors, like Cisco and Fortigate. With those solutions you can just go over the configuration file and read all the objects and the policies, etc. 

Because of the Check Point architecture, the data file itself is huge if you're comparing it to the data files of other vendors. The difference is something like 3 Mb to 1 Gb. It's not so straightforward. 

The data process is also not so simple. You don't just load a text file which has all the configuration. It's a more complex process to restore it from a backup, when it comes to Check Point.

I have been using Check Point's NGFW for approximately 10 years.

One of my issues with Check Point is the stability. There have been too many bugs, over the years, when I compare them with other vendors. Their QA team should do better work before releasing their GA versions.

If you're looking for scalability and you need to add more power and performance and to scale up, they have a new solution, but I haven't used it yet.

In terms of the extent of our use, it's our main firewall. Everything flows through it.

We currently have four direct users and all of them are security engineers. I'm doing most of the deployment and the others are responsible for the day-to-day operations. In the overall company there are more than 10,000 users, and the traffic throughput is around 10 Gb.

They have a very extensive Knowledge Base on their website, which is very helpful. But if you contact their technical support, not all of them have all the skills. If you open a ticket it may take a while to be resolved. It can take more than a month until they finally escalate it several times internally and then, finally, find a solution. But the first tier is not too technical.

The previous solution, Contivity, was before my time in this company and I don't think it even exists anymore. The Contivity was only a firewall and our company wanted more features and benefits. It didn't have next-generation firewall options, like URL filtering, user identity, and IPS. As risks evolved in the data security field, our company needed to adapt.

The complexity of the setup depends on which branch we're setting it up for. If it's a new branch, we can spin up a new firewall in less than an hour or so, do all the configuration, and it's ready for production. But if we're replacing an existing solution, the migration process may take some time and the people involved need more extensive knowledge, compared to spinning up a new firewall.

If it's a complex environment and you're migrating from one solution to another one, or even from an older version to a new version within the Check Point platform, I would recommend not to do it by yourself. In those cases you should use a third-party partner or Check Point Professional Services.

I did most of my deployments by myself, but in our headquarters, where there was an older version of a Check Point version, and they wanted to migrate to a new one, I used a partner. The partner I used was SafeWay, a company in Israel. They have quite extensive knowledge and they are very professional.

It's hard to measure ROI in financial terms, but our productivity has gone up with the new version of the R80 because we don't need to wait for one administrator to log out of the management system for another to be able to log in. Multiple administrators can now work simultaneously on the platform. That productivity increase can be seen as a form of ROI.

Use the basic sizing tool to do the correct sizing so you don't waste too much money, because it's not a very cheap solution when compared to other vendors. There are other vendors that are more affordable.

There are no costs in addition to the standard licensing fees, except maintenance.

We have not evaluated any other options.

My best advice would be, if you are not as skilled, that while you don't really need to use the Check Point Professional Services, you should use a partner that has good knowledge of the device. If it's just a straightforward deployment without all the features, it may look simple but there are too many options. Eventually, you may use 30 percent of them. I don't think you will use 100 percent of all the features that are available.

Overall, I'm a little bit disappointed because of the numerous bugs that there are.

I would rate it at seven out of ten because their management platform and the dashboard. It's the most intuitive and user-friendly in day-to-day operations, as long as you're not dealing with the bugs.

In our organization, we are using distributed device management. Here, management and distributed devices are separate deployments. Therefore, our management is very easy in our organization for traffic management. Here, tier architectures are used. That smart console, smart getaway, and management are different devices. Each device is connected to the other. 

Threat prevention is used as well. Basically, threat prevention is used for preventative management traffic entering into our internal organization. The hash value is used whether traffic is legitimate or not for distributed traffic. 

We are using Check Point for URL filtering. 

In our organization, we are using policy configurations where various policies are configured for internal to outside organization communication, and our DM's are there too. Various zones are created in our organization. 

For each particular zone, if I want to communicate with the external zone, then I need to create a policy for internal to external. Various rules can be created, particularly for organization communication outside the organization. It will be configured in our organization and four gateways are there allowing for our four different locations to communicate. 

In our HR deployment, hiring deployment, there is a new and legacy mode that we are currently using.

The distributed deployment is very helpful. This way, the burden on each device is less and management is very easy and CPU process utilization will be not high on a particular device - it'll be distributed on each device. Management is very easy.

We like that it is a next-generation firewall where hackers would need to inspect down to a seventh layer, an application layer, and that offers us better protection. 

The initial setup was straightforward.

The solution can scale.

We would like to see constant improvement in anti-malware functionality and anti-threat protection.

Various functions affect our organization's traffic performance.

They need more focus on the stability of IP security.

The organization has used the solution for five years, however, I only joined the company two years ago. 

It provides very good stability for traffic management and network flow. We monitor various locks that will be there for internal and external traffic. I'd like, however, more stability of IP security, more of that is needed. Sometimes there is an issue in IP security clarity.

The scale is currently very good. In our organization around 3000 or more employees use it. There is two IT personnel that will configure 30 Check Points, 13,500 gateways will be there and it will handle around 3000 plus employees. 

We will increase usage. Currently, one new branch will be open. They are also migrating from Fortinet to Check Point's firewall. The previous they did 40 deployments here, however, currently they're migrating to the Check Point next-generation firewall.

Tech support is very good. After logging the call, if there is an issue discovered, they are very supportive. They are helpful and responsive. We've very happy with them.

Positive

We used to use Fortinet, however, it did not go deep enough and check down to layer seven.

The initial setup was straightforward. That said, I wasn't part of the initial setup, as it was set up before I came to work with the organization.

I'm comfortable with the licensing. The pricing, for what you get, is pretty reasonable. 

I'm an end-user of the product. I don't have a specific business relationship with the company.

I'd rate the solution at a ten out of ten.