Check Point NGFW Reviews

Check Point is mainly used for internal communication. Our clients have multiple platforms, and customers use it for internal communications and protection, from the DMZ to the LAN to the DMZ, and also for MPLS connectivity with multiple branches. 

As I've seen, the customers also use it as a gateway for publishing their website. This is only for the perimeter, however.

It is very easy to identify the logs. It is also very well managed because of the threat cloud architecture. 

Another thing is that whenever we make changes on the firewall, we first need to publish them and then install the policies. This allows us to double-check the policies before they are implemented, which is helpful.

We faced many challenges. For example, an issue with the managed view that Check Point has. When clicking on a rule, we are supposed to have a full view of that rule and its log portion. This should show what's passing through the rule, what's coming to the rule, and all of that on a single pane of glass. Currently, the log isn't showing when we click on a particular rule. This might be an issue with an upgrade or something. Because of this, we can't implement anything on the live system; we only have a maintenance window every weekend, and it's hard to troubleshoot within an hour.

Another problem is that when we created around two lakhs of Check Point objects on the firewall, it became very slow.

I have been using it for two months. 

It is not slow. But, we implemented two lakhs of objects on the firewall, and that caused the slowness. It can happen with all firewalls, not only Check Point.

Currently, I work with enterprise customers.

It was good. No issues with that.

Positive

I can recommend Check Point, Fortinet, and even SonicWall. 

I come from a system integrator background, we first understand the customer's requirements before suggesting a firewall. Sometimes we aggressively push SonicWall because the user's requirements are more aligned with SonicWall. That's how we propose solutions.

It is very easy to install, not that complicated.

The complexity and time depend on the customer's requirements.

No maintenance: In the past two months, we haven't faced anything that required replacements on the firewall.

Pricing is good. The price is very reasonable for enterprise customers.

It offers average pricing. Previously, I worked as a system integrator, and we faced some cross-product environments where Check Point was quite costly compared to the product we were working with.

Overall, I would rate it an eight out of ten. 

Mostly enterprise customers use it for their system security as their main firewall. For example, some customers have multiple backup connections, including fiber connections, for redundancy. 

They use Check Point as the main firewall, and others use it for email scanning and file scanning to detect any vulnerabilities.

The firewall scanning, like antivirus scanning and malware scanning, are very good. Blocking the user is also very easy. If you want to block a user, we can just do it within the solution.

The reporting is quite easy and good, and you can see traffic in real-time. But compared to Sophos, Sophos is still better. There are still areas in Check Point that need to be improved.

It's actually quite good, but the only problem we faced was during COVID when people wanted to work from home. 

We had to use third-party software to give users access because the Check Point option didn't work as expected. So we used Check Point in the front, but we used third-party software for the virtualization of the applications and everything.

When using redundant connections, sometimes there are issues like one connection going down and switching to another connection. Also, breaking rules can be complicated. 

For example, if you want to make a rule for a specific connection, like assigning some users to one ISP and other users to another ISP, you have to use another device, like a third-party firewall intervention and routing, to get the desired results. Other than that, it's good performance-wise.

I've been working with Check Point for the past six or seven years. We always work with the latest version.

It's very stable. No issues there.

It's scalable.

Our clients have raised questions to technical support. They all have accounts, so we give them the login details. They send an email to support and get a support request. But normally, we try to handle everything on our own. 

If there's something we can't handle, like a firmware-level issue, only then do we get support from Check Point.

It depends on the client requirements also. Some government agencies need Check Point, and some clients need others like Cisco or Sophos. After Cisco, a lot of clients have changed to Sophos. So, we provide solutions depending on the client's requirements.

The initial setup is straightforward, just like any other normal firewall. 

• Deployment strategy: 

The deployment process depends on the client. For example, if it's an existing customer with an existing firewall, we first see what their current requirements are from the existing firewall, what they need to implement but cannot, or what challenges they are having. 

Then we compare the features of the existing firewall and Check Point firewall, and we tell them what the rules will be, like incoming and outbound rules. We try to see what is the fastest way, without any downtime, how we can point or configure the checkpoint. 

Then, after that, we do the testing, because almost all of the offices need that. So, normally, once we set it up, we give them one month for testing. Normally, for a better line or something, we just use a certain IT department or a sub-department for testing. After that, if it's okay, we hand it over.

In a nutshell:

Requirement Analysis →  Feature Comparison  → Rule Definition → Testing and Validation → Phased Rollout → Client Acceptance

• Deployment time: 

Normally, for a site, more or less, less than one month. It depends on the number of users. If there are a very large number of users, like 600,000, then it will take around one month or more.

• Deployment resources: 

Normally, we have two technicians working. One is from the Philippines, trained in Sophos and Check Point. We don't need many more staff for the implementation.

• Maintenance: 

It's very easy. Only the licensing. Every year, we have to pay, but sometimes clients talk about the cost. Also, very recently, there was a ransomware issue. The only issue is, for example, if it's ransomware, and it doesn't get detected by Check Point and gets infected from another source, we have to prove that it's not from the outside but from the inside. Because there are a lot of case scenarios like this, those are the things mostly.

• Integration capabilities: 

Integration is a little bit challenging. It's much easier for integration with other applications and domains. When integrating with a domain, there are still some small issues. For example, when applying a group from the domain controller, we sometimes need to test a firewall and do some reporting. There are small issues like that for the integration of LDAP. Other than that, it's good. It can pull up the users and groups, but there are some minor issues when we apply them.

It's effective and good.

Compared to Sophos and others, Check Point pricing is good for the current market.

In terms of features, Check Point and other firewalls are almost the same. There are no special or advanced features.

I can recommend it to other people. Overall, I would rate it a seven out of ten. 

We are a large University with more than 1000 employees across seven faculties and growing. Student population is more than 15,000 in-house and 30,000 external. The University of Kelaniya Sri Lanka primarily uses the Check Point 4800 device to protect users and servers. The product also enables the VPN with advanced security policies inside our network. This gives us a better security posture. Valuable features include a good VPN, IPsec, and SSL. We use Check Point 4800 as a perimeter firewall and our internet bandwidth expanded to 1Gbps.

We use it mainly for security and content control. Earlier, we could not block BitTorrent and other high bandwidth downloads from our firewall. After introducing this NGFW, we have improved our security posture, and now, have peace of mind. 

The most valuable feature is the IPsec VPN. The application and content filtering is perfect for our university. This device gives us alerts and reports on a daily and weekly basis. It gives us the opportunity to know what is going on. The Smart Dashboard and other user interfaces are very easy to use and can be handled without any significant IT skills. It allows for easy policy management.

The Check Point Capsule VPN is a great feature. It connects to our university in a few seconds.

It's easy to handle and manage. No need for significant IT skills to manage this solution.

Check Point Smart Dashboard does not support my Apple MacBook Air. It only supports Windows versions. Checkpoint does not support captive portal in IPv6. We had a big issue. Not solved yet by Checkpoint experts.

Check Point is a stable product.

No issues with scalability. 

We used Cisco ASA 5510 as our perimeter firewall before purchasing this NGFW. It only had firewall features. We switched because we were looking for a strong gateway level security with attributes like antivirus, anti-spam, IPS, web content filtering, application control, and secure wireless access points.

The initial setup was straightforward.

A vendor team implemented this. They gave us in-house training for our staff. They are experts in Check Point and taught us well.

It has a great ROI. 

Pricing is negotiable and competitive.

We selected the following brands and models by going through different reviews:

• SonicWall 9200
• Sophos XG 750
• Fortinet FortiGate 1500D
  
• Check Point 15400

We requested that the vendors do a PoC. Check Point, SonicWall, Sophos and Fortinet agreed to run one. Finally, we chose Check Point.

We are in the higher education sector in Sri Lanka. We produce graduates to our country and other countries.

It's just enterprise firewalls, firewall clusters for redundancy to secure the company network from the internet, and as well as a data center firewall, for example, if you want to split up subnets to control traffic between them.

The management is very handy and intuitive, and it has a lot of features. I think it's one of the products in this market which has the most possibilities.

I saw some other firewall vendors or firewall solutions from other vendors. And maybe I like it because I'm very familiar with Check Point and the management of the Check Point gateways. So, probably, I'm just not aware of how other solutions work and how to use them. 

We also see or have a lot of customers with Palo Alto. That's also a solution we see a lot, but we have been a Check Point partner for more than seven or eight years since the beginning of our company. We have done a lot of research on firewall solutions. 

In our opinion, it's one of the best because the management is very handy. So it's easy to implement every possible configuration, and you have a good oversight of your rule set. 

If I compare it with Cisco Meraki, for example, if the rules grow, then it's very hard to get oversight or to have oversight over the whole rule set. So then it becomes hard to manage.

With Check Point, it's easy because even when you have 200 or more rules, it's still very user-friendly, and you can still quickly manage your whole rule set.

What I like about Meraki is the whole cloud-managed feature, where it can configure gateways in the cloud and preconfigure it as well. So I don't need to have access to the device or create a configuration in the cloud. 

And as soon as the firewall comes online connected to the internet, then it downloads its configuration from the cloud. I think Check Point does also have such a solution, but I'm not aware that it's as easy as Cisco Meraki. Sometimes it would be nice if they would have the same possibilities.

I have been using it for about five years now. 

I have not yet faced any challenges with performance or stability. Sometimes when we implement core firewalls, there are applications that have longer session timeouts than the Check Point firewalls in the default settings. 

Windows has a default session timeout for about two hours, I think, and Check Point's is one hour. So, it's not a performance issue, but the application will not run as well as before the security gateway analyzes and blocks traffic. So, it depends.

Scalability  is a very good point of Check Point's solution. They can scale very well and very large.

The technical support is also very well and specific. It's very useful to have technical support from Check Point.

Positive

I have experience with Nutanix Flow. It's also possible to enable training in Nutanix Flow where you can redirect the traffic to Check Point gateways. I think that's a very useful feature if you need layer seven traffic analysis and blocks. But I don't have any customers, or we don't have any customers, who use chaining. We also don't have any customers who use a micro-segmentation solution from Check Point. So, I'm not aware if they have a comparable solution like Flow.

For the initial setup, you need a good knowledge of the operating system, Gaia OS. It needs some knowledge to get started, but if you've done it once, then it's easygoing.

Normally, we check the customer's requirements. Then we start to deploy the gateway and start with a basic rule set so the customer is able to refine it for their needs. If we are in charge of creating a complete rule set, we will bring all the requirements into a concept and then create a rule set in a more suitable way.

Some customers have very basic requirements. If it's just to deploy the gateways, then it's very easy and quick. You just need maybe a few days and a maintenance window outside of business hours. But there are also customers who have a lot more requirements, like scanning or analyzing the traffic for subnets inside of the network. 

For example, a core firewall can be very time-consuming. You need to do a lot more research and concepts or write concepts on how to achieve that. That can take a few months.

For maintenance, you need to know what you do. It can be difficult if you don't know what you want to achieve. If you are not aware of network security, then probably it's not that easy, and you may run into configuration errors or mistakes. It's easy to manage, but you have to know what you do.

Check Point is not the cheapest vendor in the market, but it has everything you need compared to other solutions. So that's probably the main reason for the cost or the prices. I think it's probably on the same level as Palo Alto.

I would recommend Check Point to other users who are looking into implementing it.

I would advise others to compare or write down their requirements and have a look to see if Check Point is able to fulfill all the requirements.

Overall, I would rate it a nine out of ten.

The customer purchased Check Point 6200 Firewalls to replace their aging Cisco ASA firewalls on the perimeter of their sites. The Cisco Firewalls must be replaced due to insufficient capacity.

It is envisioned that the initial migration will be a direct replica of the ASA configuration, with the client expanding the solution post-migration, with Check Point NGFW features.

This project consisted of the following deliverables:
• Rule base is migrated like for like, in which ASA Firewall zone-based rules will be converted to Check Point Parent/Child layered rules.
• Firewall zones to be imported and reviewed post migration by client.
• NAT rules will be migrated “as-is”.
• Geo-location rules from FTD will be honored and mapped into Check Point.
• Client-based blacklisting will be migrated into the solution, using external feeds via URL.
• A single IPS profile consisting of a clone of the vendor's “out-of-box” balanced profile (optimized).
• 1X site-to-site VPN.
• Integration into Client’s Cisco ISE solution for RADIUS-based admin authentication.
• NGFW licensing and blades to be installed on firewall devices, to allow features to be enabled in the future and expand the solution.

The Client wishes for the ASA firewalls to be replaced with a Check Point systems solution, which consists of 6200 Plus Appliances. 

The initial requirement was to migrate the configuration in an “as-is” state, with the necessary licensing purchased and installed to enable expansion of the solution with next-generation feature sets in the future.

The solution was able to meet and exceed the client's requirements thereby improving the client's environment.

The management server is software-based.

Firewalls and licensing include:
• FW
• IPS

The solution provides a single pane of glass management of rules/logging.

The solution supports IPsec tunnels FOR 1X IPsec VPNs.

The solution integrates with the client’s Cisco ISE RADIUS solution for administrative access.

The compute power of the appliance is great. The Check Point appliances are considered NGFW devices and can process both the ASA and FTD requirements on a single instance, removing the requirement for an expansion SSD module and/or additional hardware.

We'd like an option that can convert other vendors' NGFW configurations to supported Check Point NGFW config for ease of migration.

Check Point configuration options can be very enormous and overwhelming.
Check Point comes with a very lean learning curve even though they offer a robust knowledge base. 

A lot of configuration cannot be accomplished via the web interface or the smart dashboard software and must be done manually via the command line interface.

I'd like to see some built-in automation for the firewall alerts/events to trigger an automated response or recovery.

I've used the solution for three years.

The solution is stable with frequent version and management updates.

The solution is highly scalable and expandable.

The solution offers great customer support.

Positive

We used a different solution and needed more processing power and functionality which this had compared to industry competitors.

The setup was straightforward yet third-party device migration contained a lot of manual configuration conversions.

I implemented this myself.

Pricing can be relatively more expensive when compared to industry peers, however, the functionality makes up for the price difference.

We also evaluated:

• Cisco NGFW
• Fortigate NGFW
• Palo Alto NGFW

This is a great overall solution.

We're an international research laboratory, focused on thermonuclear energy experiments. Due to strong remote collaboration, and to control network communication, we choose the Check Point NG Firewall solution.

Most of the personnel are researchers. We also have a strong collaboration with a University and take care of a European Ph.D. on thermonuclear fusion, as the future clean energy.

We aim to constantly improve firewall technology, which is a key strategy nowadays. We've chosen Check Point in 2007 and step-by-step upgrade and expand cyber security deployment using their solution. 

We appreciate the support and escalation when issues are in place. We really appreciate the solidity of the solution, the redundancy, we own a couple of appliances in failover. 

We use Check Point to grant VPN access both for clients and also in specific site-to-site IPSec remote connections.

I like the dashboard, redundancy, log analysis, threat prevention and ISP, and VPN.

The dashboard has clean and focused menus and tabs, that offer immediate access to important information and configuration. 

Log analysis is really powerful considering the enormous amount of logged data. 

We use a specific function to control bandwidth occupation based on protocols and IP subnetworks.

Fundamental is the interoperability with RSA SecurID, Windows AD/Azure.

We're in the process of moving to the MS O365 cloud, and Check Point helps us with this.

Maybe the VPN clients could be improved, however, only from a cosmetic point of view. They use a very old GUI and should help remote assistance in case of problems to make it more accessible in terms of getting log/debug information. On this, I suggest an approach like ZOOM US, where is clearly defined the application life cycle, and users warned over time.

We're in the process of moving to a cloud hybrid solution based on MS Azure, and on that field, quite common nowadays, it seems that more has to be done, moving from on-premise historical deployment. 

IoT should be considered in future development.

I've used the solution since 2007.

It is an absolutely stable solution. It is easy to put maintenance on an appliance without losing any connectivity.

The last release, R81, is impressive, at least in these first months, having recently upgraded from R80.

My experience is good, both on technical issues, and commercial support during renewal.

Positive

We previously used a Cisco PIX firewall.

The setup is somewhat complex, however, technical documents are clear, and the most common solutions are well described.

We implemented it with a third party and in-house. The support company that helped in Italy is fantastic.

We may need more time to measure ROI.

Check Point is not a cheap solution, however, on cyber security, we prefer to stay with a key player.

We constantly verify other vendor solutions, such as Palo Alto, Fortinet, and Sophos.

The device is being used for perimeter security devices across multiple clients across sites. Check Point has not only improved our organization - it also has given us holistic perimeter and endpoint security protection throughout the enterprise.  

Our sites across the globe have Check Point perimeter protection.

Pros include:

• Internal Network Protection from outside network
• VPN connectivity for secure data transmission across multiple vendors
• File download antivirus security
• URL Filtering
• Application filtering
• Malicious domains blocking

The solution has helped out organization stay safe with its depth application filter, URL filtering, and SSL inspection. It's mitigated a significant amount of risk for corporate users as well as to host services at our terminal that need access from the internet. By far, it's the best security solution one can adopt for their organization. 

It's:

• Reduced attacks on DMZ servers
• Blocked access of malicious destinations hit by internal users
• Complete visibility about what is going and what is coming via internet
• Check Point is the industry’s unified cybersecurity architecture that protects businesses against sophisticated 5th generation cyber-attacks.
• Having multiple checkpoint products under the same roof provides consolidated security.
• Ultimately saving cost by having better centralized solution

The solution has a lot of valuable aspects, including:

• IPS & IDS
• Sandbox (Threat Emulation & Extraction)
• Ease of management
• Reports for analysis
• Better technical support
• Stateful inspection
• Application-aware boxes
• Threat detection capabilities
• Hyperscaling

Data loss prevention, compliance, threat emulation, and other blades overall make this a robustly unified platform for the implementation and management of security controls.

Since it is Layer 7, we are able to get down to the application level and block certain applications from even running.

Since it has an IPS in place, we are able to see possible attacks that have been prevented by the firewall.

The perimeter antivirus can be improved. It's not as good as other leaders.

Additional features that could be good to have/improved include:

• Modular capabilities 
• Integration with VMware and NSX products per client requirement
• 3rd Party support product is very limited 

The solution can integrate with other vendors to form IPsec connectivity with redundancy - which is only possible now between the CP to CP FW only.

The licensing part is a bit tricky. The product can simplify this further for ease of use.

They need to work on log size optimization.

Antivirus signatures should be updated in real-time.

We've used the solution for the last eight years.

The stability is very good.

The scalability is very good.

Technical support has been great.

Positive

We did not use a different solution previously.

The initial setup is straightforward. 

We had a vendor assist us.

We haven't used other products.

We also looked at FortiGate and Palo Alto.

The reason we have the Check Point Next Generation Firewall is that it's our main perimeter firewall in all our branches around the world. It secures the IT infrastructure in all of our environments and our subsidiaries. We also use it to set up tunnels between all our sites.

We have multiple versions from the legacy R77 to the latest R80.40.

In today's world, there are a lot of risks related to infrastructure security, malware and more. The Check Point has multiple blades in the same product, which improve security in IPS, application control, and URL filtering. You don't need to buy multiple, separate products to achieve the best security.

The basic most valuable feature is the firewall itself.

The management platform, dashboard, graphical user interface, are one of the best, if not the best, in the business. It's the most intuitive and it's really user-friendly in day-to-day operations.

The VPN means you can communicate in an encrypted manner between sites. 

The application control and URL filtering are also very beneficial. They enable you to tighten security and decide which applications or websites you want to grant access to. In our company, we don't allow anyone to freely access the internet to surf all websites. Some sites may be sensitive and some of them may be inappropriate. It allows us to control the traffic.

Their management features are the best, from one point of view, but they are too heavy. For example, if you are looking at a configuration file, you can't just browse through it and see all the configurations like you can with other vendors, like Cisco and Fortigate. With those solutions you can just go over the configuration file and read all the objects and the policies, etc. 

Because of the Check Point architecture, the data file itself is huge if you're comparing it to the data files of other vendors. The difference is something like 3 Mb to 1 Gb. It's not so straightforward. 

The data process is also not so simple. You don't just load a text file which has all the configuration. It's a more complex process to restore it from a backup, when it comes to Check Point.

I have been using Check Point's NGFW for approximately 10 years.

One of my issues with Check Point is the stability. There have been too many bugs, over the years, when I compare them with other vendors. Their QA team should do better work before releasing their GA versions.

If you're looking for scalability and you need to add more power and performance and to scale up, they have a new solution, but I haven't used it yet.

In terms of the extent of our use, it's our main firewall. Everything flows through it.

We currently have four direct users and all of them are security engineers. I'm doing most of the deployment and the others are responsible for the day-to-day operations. In the overall company there are more than 10,000 users, and the traffic throughput is around 10 Gb.

They have a very extensive Knowledge Base on their website, which is very helpful. But if you contact their technical support, not all of them have all the skills. If you open a ticket it may take a while to be resolved. It can take more than a month until they finally escalate it several times internally and then, finally, find a solution. But the first tier is not too technical.

The previous solution, Contivity, was before my time in this company and I don't think it even exists anymore. The Contivity was only a firewall and our company wanted more features and benefits. It didn't have next-generation firewall options, like URL filtering, user identity, and IPS. As risks evolved in the data security field, our company needed to adapt.

The complexity of the setup depends on which branch we're setting it up for. If it's a new branch, we can spin up a new firewall in less than an hour or so, do all the configuration, and it's ready for production. But if we're replacing an existing solution, the migration process may take some time and the people involved need more extensive knowledge, compared to spinning up a new firewall.

If it's a complex environment and you're migrating from one solution to another one, or even from an older version to a new version within the Check Point platform, I would recommend not to do it by yourself. In those cases you should use a third-party partner or Check Point Professional Services.

I did most of my deployments by myself, but in our headquarters, where there was an older version of a Check Point version, and they wanted to migrate to a new one, I used a partner. The partner I used was SafeWay, a company in Israel. They have quite extensive knowledge and they are very professional.

It's hard to measure ROI in financial terms, but our productivity has gone up with the new version of the R80 because we don't need to wait for one administrator to log out of the management system for another to be able to log in. Multiple administrators can now work simultaneously on the platform. That productivity increase can be seen as a form of ROI.

Use the basic sizing tool to do the correct sizing so you don't waste too much money, because it's not a very cheap solution when compared to other vendors. There are other vendors that are more affordable.

There are no costs in addition to the standard licensing fees, except maintenance.

We have not evaluated any other options.

My best advice would be, if you are not as skilled, that while you don't really need to use the Check Point Professional Services, you should use a partner that has good knowledge of the device. If it's just a straightforward deployment without all the features, it may look simple but there are too many options. Eventually, you may use 30 percent of them. I don't think you will use 100 percent of all the features that are available.

Overall, I'm a little bit disappointed because of the numerous bugs that there are.

I would rate it at seven out of ten because their management platform and the dashboard. It's the most intuitive and user-friendly in day-to-day operations, as long as you're not dealing with the bugs.