Check Point NGFW Reviews

I support multiple clients within the UK, the EMEA region, the US, and now in Asia Pacific as well. I specialize in Check Point firewalls. I design and secure their data centers, their on-premises solutions, or their businesses security.

The firewalls are mostly on-premise because most of our clients are financial organizations and they have strict compliance requirements. They feel more secure and have more control when things are on-premise in the data center. However, there are use cases where I have helped them to deploy Check Point solutions in the cloud: AWS, Azure, and in Google as well. But cloud deployments are very much in the early stages for these clients, on a development or testing basis. Most of the production workloads are still on-premise in data centers.

Most of my customers are still using R77.30, and they are on track to upgrade from that to R80, which is the current proposed version by Check Point.

One of our customers has just recently been attacked by malware and internal DoS attacks, and they have a multi-vendor, multi-layer firewall approach. The internal firewalls are Check Point. The great thing about Check Point is that because of its central architecture, you can very quickly pinpoint where the attacks are coming from. It gives you comprehensive reporting when the attacks start and when they've stopped, so you can see the complete, end-to-end picture: where the point of attack is, at what time, and what host. They can track all of that.

However, in parallel, that customer is using other firewalls which have no visibility. One of the main advantages of having Check Point firewall is definitely that it gives you absolute in-depth visibility.

Among the valuable features are antivirus, URL inspection, and anti-malware protection. These are all advanced features.

One of the great advantages of having Check Point as a firewall is that all of these are software blades, so you can buy a license or subscription and enable them and get the security up and running. With other firewalls, it's a completely different agenda, meaning some of them require hardware modules, and some of them have a complex way of adding the licensing, etc. Check Point definitely has a great architecture, where you can just enable the software blades and deploy a secure service. Overall, it provides ease of deployment and ease of use.

The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay. That's one of the main complaints for most of our customers. Or if it is quick, then it's very complex. For example, if they have received a file which is "unknown" or has Zero-day attack malware, sometimes it doesn't get analyzed properly or it's locked into the cloud. So there are various small issues with the product that need possible improvement.

The SandBlast product on its own is a very good concept, and it works absolutely brilliantly. However, when you integrate it with existing firewalls, it just doesn't play very well.

The cloud solution is quite straightforward because it seems the SandBlast solution was designed, initially, for cloud deployments, where you've got multiple clouds or multiple vendors, and you are receiving files from different points. And on the cloud edge, for example in AWS, if you have Check Point sitting there, it works very well if you're running a virtual firewall. However, if it's on-premise and it's a dedicated appliance, then the performance is slightly different and the way it works is very different. So where it needs improvement is where it's an appliance-based solution rather than a software or cloud-based solution.

If I am using SandBlast on a virtual appliance — for example, I've got Check Point virtual appliances in AWS, and Azure as well, for a customer — those virtual appliances work absolutely fine as a service, as does SandBlast as a service. However, if it's an appliance, if it's a dedicated firewall on-premise in a data center and you add SandBlast as a software service, the integration is not that straightforward, so the experience is very different. 

It seems like they were possibly built by different teams, independent of each other.

I've been using Check Point firewalls for about 16 years. I am the main network or security lead and I have four other engineers who report to me. They also do design and deployment.

I work with approximately 40 companies that utilize Check Point.

Check Point firewalls are very stable. One good thing about Check Point is that they do rigorous testing internally before releasing updates, which is something I have not found with any other firewall products. With most of the other firewall products, when they release something, it's like the customer becomes the guinea pig for that particular version, whether a minor or a major update. However, with Check Point, you can see all the white papers and what ways they have tested a minor or major upgrade of the software version, and what the performance was like. What are their known issues and is somebody working on them or not?

So the software releases are very stable and you have visibility into how they operate and what the known issues are, so you know whether you should go ahead with them or not. And in case there is a problem, the support is excellent. You can reach out to Check Point and say, "Look, I've done the software upgrade and I'm experiencing these problems. How can I deal with them?" They are there to help you out.

There are times when we have problems in terms of software or hardware defects. We have sustained downtime, but most of the architecture I design is resilient, so if one device is down, the other one is working fine. Then in the background, I or my support team will deal with Check Point directly, to get a replacement. They're definitely quick to respond and very efficient. 

In the past, we had a lot of problems with licensing, specifically, but Check Point has redone the whole way they do licensing. It's very quick now, and very efficient.

Check Point firewalls are extremely scalable. Recently, I deployed Check Point in an AWS cloud solution for one of my clients, and it's been absolutely excellent in handling growth. They've grown from 10,000 users to a million users. The way Check Point has advertised the product, it is supposed to be highly scalable, which means it grows as your demand grows, and that has been the case. 

Recently we have set up a test case where we are moving over management servers from on-premise to a Check Point-provided Infinity cloud solution. We are still at the testing phase but, overall, it's been a great experience so far.

The teams we deal with within Check Point are extremely knowledgeable. They know how to understand the background of the problem, and they're very good about articulating how we deal with the issue, whether it's a minor software upgrade issue or it's a major failure of the hardware itself. They know where to look for the right stuff. The key point is they're very knowledgeable and very technical. And if somebody doesn't have the technical capability, they will definitely help you out to make sure you get to the bottom of the problem.

In the past, most of the customers I've worked with have used different firewall vendors, such as Cisco, Palo Alto, and Juniper.

I've recently seen deployments where customers have tried to move from Cisco ASA to Cisco Firepower and the deployment has gone horribly wrong because the product has not been tested by Cisco very well and is not a mature product. I've gone in and reviewed their business requirements and technical requirements and, based on that, I've recommended Check Point and done the design and deployment. They've absolutely been happy with the solution, how secure and how capable it is.

We use Check Point across multiple types of customers, such as financials, retail, and various other public and private sector organizations. I review their security architecture, which is firewall specific and, based on that, I have recommended Check Point. In most cases, I've managed to convince them to go ahead with Check Point firewalls as a preferred secure firewall solution.

The main reason is that Check Point is far ahead in the game. They're definitely the market leader. They are visionaries when it comes to security. Another reason is that a lot of firewall architecture starts from the firewall itself, which is the local firewall. It can easily be hacked and manipulated. However, the Check Point architecture, out-of-the-box, is very secure. They have a central Management Server and all of the firewalls are managed through that one central point. So in case somebody breaks into your firewall, the firewall is encrypted; they will delete the database. The architecture is secure by default. The good thing is that other firewall vendors have realized this and they've started to copy the same system that Check Point has used for the past 20 years now.

When working with the Check Point team on deployment, they're really helpful and very talented people. When you speak to other firewall vendors, they just think about the firewall from their point of view. The good thing about Check Point engineers, or technical staff, or even management staff, is that they understand what the requirements of business are and how they can improve or align the proposed solution. Overall, Check Point staff are very knowledgeable, they understand different industries, and they understand the product very well. That's definitely a competitive edge compared to other firewalls.

Once the design is done, for something simple the deployment can take half a day, whereas for a complex deployment in a data center it can take about five days.

Our implementation plan is divided into different phases. Phase One might be the physical cabling of the firewall device itself. Phase Two would be the logical setup, which means defining the interfaces and the virtual setup of the firewall itself. The final phase would be to bring it online in parallel with production, in a non-prod service, and test it to ensure it works as per the design.

A customer I'm working with right now was running with Check Point and they wanted to move to Fortinet firewalls. However, when I worked with them on the design to upgrade the existing Check Point firewalls, what we worked out was that even though the Fortinet might have seemed like a cheaper option, it didn't have the security capabilities that Check Point is offering. On that basis, the customer signed off on a project for upgrading their existing firewalls, on-premise and cloud, from R77.30 to R80.10.

It can be expensive, but it's value for money. What you pay for is what you get. You can go down in price and buy some cheap firewalls, but you're not going to get great support and you're not going to get the level of protection you need. With Check Point you get all of that.

With Juniper, one of the biggest downsides is support. The support portal is slow and I won't say the staff is competent in terms of understanding. They're very disconnected internally. What I mean is that the team working on the software development of the firewall has no interface with the support teams that are handling day-to-day TAC cases. They definitely struggle when it comes to understanding challenges, problems, and incidents with the firewalls.

In the past, Juniper firewalls were good, but recently the security offering has just not been there. They don't have anything like SandBlast from Check Point. They don't have up-to-date Zero-day attacks control. They're still running a very old architecture. They can do things like antivirus and URL proxy, but those are very simple features. They have none of the advanced feature set that Check Point has.

Palo Alto is very competitive with Check Point when it comes to security. However, one of the challenges with Palo Alto is that, overall, the solution can be extremely complex and expensive. That is one thing I've heard from customers again and again. Either they have existing Palo Altos or they plan to go to Palo Alto, but when they do a comparison with Check Point, what they find is that the overall value with Check Point is much greater than with Palo Alto firewalls.

If you're looking to implement Check Point as a security solution, definitely do your homework. Do some research, not just in terms of firewalls, but overall security architecture. Which ones are the leaders in the field? Which ones are there to deliver what they promise? And overall, how does the architecture work? Is it secure or not? And does it come from a team that understands how to support the solution itself? Are they consistent? Look at their track record for the past 10 or 15 years, or are they a new player? If they are, you don't know whether they're going to stay in the game or not. A good thing about Check Point is that its core product is security. They've been doing it day in and day out. You know they're there to stay in the game. You can trust them.

Check Point is a proven solution. A lot of customers and clients already rely on it. And for the Next Generation Firewalls, they're coming up with new features as security threats become known.

If somebody wants a secure and stable environment, Check Point is definitely the leader to go to; definitely the number-one choice. It's not only what it says on the box. In reality, I've worked with hundreds of banks and they're happy with the product because it works; in practice, it works. That's the main thing.

I do not use them, I just sell them, but customers are using them to protect on the edge and at the core.

It brings value to their clients as everybody is concerned with security. Firewalls are the first line of defense. Check Point's support is probably the best of the major players in that space. Check Point is more complex than the other players, but it is also more powerful.

A lot of the other players have a more robust best-of-suite offering versus the best-of-breed offering. Check Point's capabilities are limited from a firewall perspective. Other players are acquiring companies and offering add-ons like CASB or VPN-type capabilities.

I have had experience with Check Point Next Generation Firewall for seven or eight years.

Their code is a little bit finicky as of late, but that's just because they just released this product line.

It depends on what you're deploying. Maestro is more scalable than standalone firewalls.

The support depends on what support model you buy. Customers that have dedicated support teams get more attention than the traditional support, however, a lot of other companies are offshoring their support.

Positive

Cisco is not a true security company, but Check Point is where they grew up, so I think they are a little more mature.

The initial setup depends on the environment and can take weeks. It is not different than the rest of the players in terms of maintenance.

It's basic engineers, usually one to two people.

It is pretty difficult to determine ROI with firewalls because they are more of an insurance policy. However, it helps with security. The cost of a breach versus having some of these measures in place is the real comparison.

There is a lot of price parity between all the players. Everybody is within plus or minus ten percent. Check Point is probably more expensive than some of the other players out there, but it is incremental.

I evaluated Palo Alto and Fortinet.

I would recommend Check Point Next Generation Firewall to others. I would put them in the upper echelon.

I'd rate the solution nine out of ten.

My customer is one of the big banks in Bangladesh, and they use the solution to protect themselves from malware.

The solution's most valuable feature is CDR (content disarm and reconstruction). The Infiniti Portal feature helps manage the firewall and get a proper report, which is required for management. Capacity and Maestro are good features that can produce better firewall speed.

I want better (DPI) Deep Packet Inspection in Check Point NGFW. The solution should include some behavioral features to detect the malware smartly.

Check Point NGFW is a very stable solution.

I rate the solution’s stability nine and a half out of ten.

Around 20 small and medium businesses are using the solution. The solution's scalability is really good. It has a feature called Maestro, which can increase bandwidth by three terabytes.

I rate the solution's scalability an eight out of ten.

The solution provides good technical support.

Positive

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.

Check Point NGFW is not a cheap solution. Customers often need to pay a premium for its services.

On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven out of ten.

Check Point NGFW is a good firewall. You can mount it into your firewall in every country and have the report. You can find out how good it is. Customers can change this firewall or determine the efficiency of other firewalls, including Check Point. After 15 days, they can see the report, which is a good feature.

Overall, I rate the solution an eight out of ten.

We use Check Point NGFW as our data center and branch location firewalls.

The solution is robust and can handle heavy workloads and user traffic well. The product is good. 

The tool's support is lacking. We find almost all its features useful, except for some challenges with VPN.

I have been working with the product for ten years. 

I rate the product's stability an eight out of ten. 

I rate the tool's scalability an eight out of ten. My company has 5000 users. 

The initial setup can be complex, especially for BGP configurations. I'd rate it a five out of ten for ease of setup. It's neither too hard nor too easy - it depends on your requirements. We deployed it on-premises. The initial deployment of our enterprise-grade device took about three months. We need about two people for maintenance, mainly for operational changes when needed.

We mostly did the deployment ourselves, with some professional services support from Check Point. Three to four people were involved in the deployment, including one from Check Point to validate our work.

The Harmony bundle is interesting, with many new features, but we're not evaluating it much as we're moving to FortiGate. We're not planning to increase the usage of Check Point NGFW. We're looking into SD-WAN and moving towards FortiGate.

I rate the overall solution an eight out of ten. 

The Check Point firewalls are used to protect both the edge and datacenter firewall environment.

The firewalls have been deployed in a high availability design and are virtualized using Check Point VSX VSLS. This means we have multiple virtual firewalls protecting different parts of the data center (e.g., DB, Edge, WAN, pre-production.)

We have activated multiple software blades, including firewall, VPN, URL filtering, Application Control, compliance, reporting, and threat emulation, to name a few.

A similar design has been deployed at the DR with a similar set of firewalls.

The following has been improved:

1) The edge security posture has greatly improved. We are now able to detect and prevent threats coming from the public internet. The firewall is able to block know threats using the inbuild Intrusion Prevention blades.

2) We can connect with other organizations using site-to-site VPNs to enable inter-organization communication.

3) Check Point comes with a strong management solution that allows us to monitor and track threats that are detected and prevented. It also helps us be in compliance with industry standards.

The following features have been valuable:

1) IPS - The edge security posture has dramatically improved as we can now detect and prevent threats from the public internet. The firewall can block know threats using the inbuild Intrusion Prevention blades.

2) VPN - We can connect with other organizations using site-to-site VPNs for inter-organization communication.

3) Management Blades - Check Point comes with a strong management solution that allows us to monitor and track detected and prevented threats. It also helps us be in compliance with industry standards.

The following can be improved:

1) The management solution is currently using a desktop client for administration purposes. This should be improved by ensuring configuration on the firewalls can be done 100% using a web-based approach. This is currently a work in progress in R81.X, yet should be fast-tracked.

2) The Check Point TAC support has, in recent years, deteriorated. Getting support is usually a pain as the TAC engineers don't seem to understand our issues fast enough and are not readily available. This is in contrast to the amount of money paid for the support.

I've used the solution for five years.

A lot of improvement is required in how checkpoint TAC engineers handle their assigned cases. Tickets can be opened for very long without clear solutions.

Neutral

We previously used Cisco ASA 5585 Firewall.

The setup was fairly easy as the team is well trained.

We worked with Check Point professional services.

This is a premium enterprise product, hence the price is very high.

We looked at FortiGate Firewalls.

Check Point should review their pricing models especially for the African market.

We are using Firewall Intrusion Prevention and URL Filtering, and we just purchased the Endpoint Protection package for our workstations.

It is deployed on-premises. We have two Check Point systems in place. We have one that's between our business network and the outside world, and we also have one that's between our business network and our internal SCADA system.

We haven't updated to version 81, so we're still at version 80.

It has provided us with great protection from threats. I've been here 30 years, and we've had two incidents, and none of them were within the time we've used Check Point.

The console or the single interface on the blades is most valuable.

The only thing that we've seen is instances where console and administrative interfaces get locked up or freeze, and we have to get the machine rebooted.

I have been using this solution for probably 10 years.

I would rate it a nine out of 10 in terms of stability.

Its scalability is very good. Our entire force is about 190 people, and most of them use it at some point just because they are going out to the internet and have that protection for the workstations. 

It is being used extensively. Everyone is using it, and we do have plans to increase the functionality on the device.

They provide really good support. I would rate them a five out of five. 

I can't remember the product, but what we had initially was an entry-level device. It was a single-purpose firewall. We went up to an enterprise solution that had additional features.

It was pretty simple to transfer the old firewall configuration to the new one. So, it was pretty straightforward and easy. I would rate it a four out of five in terms of effortlessness.

It took over a month. We ran two systems. We built a new system for a couple of weeks before switching over completely.

We used a consultant. Our experience with them was very good.

For deployment and maintenance, we have five people on our staff. We have to do some maintenance on it. It's pretty much scheduled to rotate between us so that we keep our skills fresh.

We've not done an initial study on any kind of ROI. We rarely do. In positives, we try to perform a yearly risk assessment of our systems, and we find very few vulnerabilities. So, it is doing what it's supposed to. It is keeping us safe.

Its cost is a little higher than other products.

We evaluated other options, but I don't remember their names. We basically went to the consultant we deal with for security-related things and said, "What's out there? What do you recommend?" He gave us three and recommended that the Check Point was probably the lead one.

I would advise comparing it to the other products.

I would rate it a nine out of 10. It has served us very well and given us very few headaches.

Check Point is currently our perimeter firewall at various locations. We use their failover clustering with high availability option, which performs flawlessly. Upgrades are easy to perform and have always worked reliably for us. Technical support is always available to assist with these operations, which makes the process less stressful to the admins. 

We are also using their ISP Redundancy feature, which works as advertised - perfectly! It's easy to implement, especially with the awesome documentation from our engineer. We also use their Remote Access VPN offering and have really seen its value this past year, due to COVID-19. The VPN has been 100% rock solid, especially during the most critical times in our history.

As mentioned in the primary use case question, ISP Redundancy and VPN are the two primary use cases. When the pandemic hit, a sudden shift to a remote workforce was a major requirement for us, and we needed a reliable and stable firewall. Implementing ISP Redundancy helped ensure that, as well as having a tried and tested VPN solution. Upgrades have occurred during this time and manually planned failovers as well; every upgrade and test went smoothly and without issue. The last thing we could afford is an outage.

They offer very scalable solutions to extend compute resources if needed so initial sizing isn't too much of an issue as you can easily add more resources if needed. Reliability is a major factor in any hardware or software solution, and Check Point uses leading-edge hardware, and their software upgrade process is flexible for various deployment requirements. 

Policy configuration has been consistent over the years, so there is not much of a learning curve as upgrades are released. 

Their threat analysis reporting from their management console is very comprehensive and easy to use. Their web-based dashboard is well designed and offers many out-of-the-box reporting, and provides admins extensive customizations.

The pricing is on the high end, specifically with the software licensing, although they are flexible on some levels, and offer hardware buyback options when upgrading. 

The software licensing model is too complicated with all the various tiers of SKUs (i.e. per software blade). They need to simplify this for easier purchasing and renewing. 

Customer support is not always as responsive with solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.

We have been using Check Point firewalls for 20+ years. We originally used the Nokia hardware platform, which was not technically NGFW at the time, however, the OS and its configuration have maintained some similarities over the years. It keeps getting better every release.

Lately, stability is 100% reliable. Earlier generation firewalls were a bit unreliable, however, as Check Point acquired third-party hardware. For example, their Nokia acquired security appliances had a firmware that worked, until they started to modify the firmware (IPSO 6.0 was solid, but problems started with our upgrade to R75), then it became less stable; frequent crashes, settings not saving, high availability issues, frequent reboots required.  Eventually, we upgraded to their NGFW offerings.  Their newer hardware, and firmware R77.x was released, and we have been stable ever since.  Upgrades to R80.x have been flawless, HA works as expected, and we have had zero performance issues.

They are very scalable. If you need more computing resources, adding more hardware is easily done.

Customer support is not always as responsive to finding solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.

Positive

We have always used Check Point.

Setup was very straightforward and easy. We did have the assistance of our Check Point engineer, which is just awesome.

We implemented through Check Point directly.

I do not measure ROI financially, although personally speaking, we have definitely gotten back every dollar we've spent by having reliable and secure infrastructure.

The setup cost is not a challenge at all. Check Point engineers work directly with you throughout the whole process. The pricing is high, for the hardware and software, although discounts are negotiable. The software blade licensing is broken down into many flavors, depending on your needs. It is very a la carte and provides various product offerings, including endpoint management, VPN, disk encryption, etc.

We did review a few competitors during a possible migration plan. The proof of concept did not yield better results, so we stayed with Check Point. We reviewed Cisco, Palo Alto, and SonicWall.

If you don't need/use their a la carte software blades (FDE, Ransomware, etc.) you can always add on later. They are very accommodating with trial licensing to test in a proof of concept way. If you already have other third-party products that perform those functions, you can bundle Check Point's and save a bit of money consolidating them.

Our primary use cases for Check Point NGFW are for perimeter security and content filtering for browsing behavior.

We have a lot of flexibility now and a leg up identifying zero day threats. We have multiple ways of doing policies now that we didn't have before. The options are more robust over previous products and I would say that we're pleased with the product. The reports I'm getting are that we're satisfied, even impressed, with the options Check Point offers.

Packet inspections have been a strong point. Our Identity Collectors have also been helpful. In many ways, Check Point has been a step up from our SonicWalls that we had in-house before that. There's a lot of additional flexibility that we didn't have before.

We saw a noticeable performance hit using SonicWalls. Whether it's because we've provisioned the Check Point gateways correctly from a hardware standpoint or whether it's the software that is much more efficient (or both), we do packet inspection with very little impact to hardware resources and throughput speeds are much improved.

With SonicWall, after it would calculate inspection overhead, we might see throughput at, and often below, 15%. My network administrator gave me data showing Check Point hovering at 50%, and so we were actually seeing Check Point fulfill its claims better than SonicWall.

Because there's quite a bit of flexibility in Check Point, improved best practices would be helpful. There might be six ways to do something and we're looking for one recommended way, one best practice, or maybe even a couple of best practices. A lot of times we're trying to figure out what we should do and how we should handle a particular problem or scenario. Having a better roadmap would help us as we navigate the options.

The VPN setup could be simplified. We had to engage professional services for that. That's not a problem, but compared to other products we've used, it was a little more complex.

We started putting Check Point NGFW into production late first quarter this year, right before the pandemic hit. We put in two gateways and one management server.

Stability is there especially compared to previous security products. Certain things had quirky behaviors. For instance, once we upgraded to 80.40, a couple items inexplicably acted up (not uncommon for any software upgrade). Certain policies would drop and then show up again (remained in force, just briefly disappeared from management console). I would have to get some specifics from my network administrator, but I do recall some strange behaviors. One of them was fixed by a patch and another one still has a backup issue that's pending right now about how to best back up the device before we upgrade.

I haven't had to test scalability yet because we purchased it for our existing needs and as a company, our performance and our needs are pretty flat. We don't really have need to scale yet.

We are adequately equipped for what we need and we have room to grow and to add all of our users and possibly add additional products down the road and still have plenty of room to do so on how these gateways are powered.

We have a total of about 620 employees that use Check Point NGFW. I would say we are 80% there. There are still some users that have to be migrated to it once we test their accounts, their kiosks, that kind of stuff. 

There is one primary employee who is dedicated to maintenance and there are another two who back him up but our network administrator is primarily responsible.

Mixed experience, mostly satisfactory. Some support engineers are quite helpful and efficient, others required more patience working through support incidents. ATAM support has been high quality, and as previously mentioned, local support has been key to resolving some cases much more quickly. If we were giving their support a letter grade, it would be in the B range.

We were previously using SonicWall. We switched because we were struggling with performance, support, and strategy. There were things that were broken that did not have coherent or reliable fixes. At the time we did not consider it to be next-generation technology. There were problems with GeoIP enforcement. There were also quite a few performance problems, especially with inspecting traffic. It would literally bring the device to its knees once we turned on all the inspections that we really felt that we needed. It was under-provisioned, under-specced, and coupled with all the support problems we had, we started shopping for a new solution.

The setup was both straightforward and complex. There were some complexities in there that required us to get help. We have some local representatives that are very helpful and so we frequently contacted them for guidance.

We're still migrating people behind Check Point, especially in our main facility, but the heavy lifting was done by early summer. It took around three to four months.

Our strategy was to set it up in parallel with the existing firewalls and begin setting up policies and testing the policies against individual services in-house. Then, as we were successful, we would grab pilot users and migrate them to Check Point and have them start trying to break things or browse to certain sites and see what behaviors they were getting.

It was a slow migration with a handful of people at first. We tweaked their experiences and just kept adding people. It was gradual. We tested, fixed, and then migrated a few more incrementally.

We had two different ways of getting help. We have local representatives who are in the same metropolitan area and they were very responsive. Then when we would have to contact standard support. We were satisfied about 80% of the time. Sometimes follow-up was not there. Sometimes there would be delays and occasionally there would be rehashing of information that didn't seem like it was efficient. Eventually, we would get the answers we would need.

That's why we rely heavily on the local people because they could sometimes light a fire and get things moving a little bit quicker.

Primarily it's offered stability and caught behaviors and given users (and administrators) a level of confidence as they are doing their daily jobs. The inspection that Check Point does, even when we download a document or a PDF, offers a bit more peace of mind in those types of transactions. GeoIP is working like we had hoped compared to SonicWall.

We have a lot of granularity in our policies. We can accommodate some really interesting scenarios on our operations floors, certain groups needing certain types of access versus other groups. We're accommodating them fairly seamlessly from migrating from SonicWall to Check Point. We might have struggled to try to make stuff happen in SonicWall, and Check Point just seems to ingest it and run with it. Having access to Check Point's AI ThreatCloud cloud has given us a lot of peace of mind. ThreatCloud is 25+ years worth of exploit research that informs and feeds CP technologies and gateways.

Another feature that's been helpful is the sandbox feature. A lot of companies offer this type of thing now, but CP has been offering it for quite a while. If end users are browsing websites, and they download a payload-infected document from a website, SandBlast will detect it and take it offline. It will sandbox it, detonate it there safely, pull out the content that we're actually looking for, then re-present that cleaned content back to the user.

Strongly consider augmenting standard support with Check Point's premium option or by purchasing ATAM/professional services time blocks, especially during deployment.

Standard support is decent, though occasionally frustrating from a turnaround perspective. While we sometimes wait a while for resolution on some cases, the information we receive is usually quality; that's been our experience.

We looked at Palo Alto, Fortinet, and Sophos. I brought some of that experience to bear on our decision but our shortlist was Palo Alto, Fortinet, and Check Point.

The reason I selected Check Point was partly its pedigree, knowing that Palo Alto formed out of Check Point. Both companies are built from the same DNA and each has a history and a culture I respect and trust. Check Point Research is regularly in the news it seems for finding exploits and vulnerabilities in popular cloud platforms. 

Check Point offered quality local support, including our technical sales representative and a support manager that live in the area. A couple of executives also live in the area. If we needed to escalate, we had the people here locally that could help us with that.

My former company used Palo Alto and, while I didn't interface with the products on a regular basis (we relied on the network team for analysis), I'd overhear frustrations with support. Palo Alto is also a great product and it wasn't an easy decision choosing between CP and PA from a technical perspective. I had never used Check Point prior to this position, but it outpaced its competitors in a few key areas, especially the pre-sales phase, POC engagements, local support options, and the maturity of Check Point's ThreatCloud technology.

My advice would be to look hard at premium support options. Know what your tolerances are, and if you expect fairly quick turnaround on support incidents, go ahead and invest that money in support. Definitely take advantages of pro services, buy a block of hours, whether that's 10 hours or 20 hours, and use that to fill in the knowledge gaps, especially during deployment. If you rely on standard support during setup, depending on how complex your environment is, you may be frustrated.

We did well doing what I recommended here. We bought two rounds of pro services (20 hours). I don't want to pile on standard support - it's not bad - it's just that if we were to rely only on standard support, I think our migration would have taken longer, and there might have been more frustrations. Because we had local support and because we bought pro services, it accelerated our timeline and it got us into production much quicker.

From what I've seen and heard from my staff, I would rate Check Point NGFW technology a nine out of ten.