Check Point NGFW Reviews

Our customer’s infrastructure is entirely based on Check Point. They are using around 2,000 firewalls worldwide. We resolve the problems in their product as a service provider.

Check Point is a great technology. It doesn't compromise the performance of the users. The tool provides great security. It was the first firewall that provided 3-way handshake. It was the first stateful firewall in the market.

The tool’s architecture could be improved a bit. It should provide Single-Pass Parallel Processing. Check Point’s interface is quite segregated.

I have been using the solution for seven to eight years.

The tool will be stable if the implementation team has done a good job.

The tool is scalable. If a user faces any constraints, we can upgrade the tool. The hardware is scalable. Our customers are enterprise-level businesses.

The technical support team is not excellent. It’s not easy to get people on call on urgent tickets. They join the call, but the support is not as smooth as other vendors like Cisco and Zscaler.

Positive

Palo Alto provides Single-Pass Parallel Processing. Palo Alto and Check Point are not very different.

The product is easy to install. It's an interesting product. Once we get the knowledge of Check Point, it's quite easy to work on. However, for new users, the solution is a bit difficult. For a single gateway, if we are ready with all the necessary software we need while installing, the deployment takes one to two hours.

A single-site deployment, where all gateways and management are taken care of, can be done by one or two people. However, a complete implementation team is required if some things are to be done on the cloud and some in the branch offices. One team will handle the policies, and the other will handle the basic installations. Once the solution is stabilized, maintenance will be easy.

Check Point is a good tool. I would recommend it to others. Overall, I rate the solution a nine out of ten.

The primary objective was to replace the Cisco ASA firewalls with Check Point NGFWs. In addition to their firewall functions, these NGFWs also provide features like Web Application Firewall and Network Data Security. We used this approach to consolidate security measures into a single, comprehensive solution, much like having a master key at the main entrance rather than separate keys for each window and door. This streamlines security management and ensures a more efficient and robust overall security strategy.

There are several crucial advantages to using Check Point NGFW including its ease of use, as it provides a unified interface for managing multiple security functions. It offers impressive scalability to meet the demands of a large organization and can handle substantial traffic. Its simplified management, enhanced remote support capabilities, and the ability to facilitate secure VPN connectivity for numerous offices and employees are highly beneficial.

The current model is predominantly hardware appliance-based, which can incur substantial costs. These appliances must be purchased separately, contributing to a significant investment.

Our most recent engagement with Check Point NGFW was a year ago when we implemented it for one of your financial sector clients.

The stability of the firewall has been exceptional, with very minimal disruptions. There was only one instance of downtime, and it wasn't attributed to any fault in the firewall itself or the hardware, but due to a configuration issue. I would rate it eight out of ten.

The scalability of Check Point firewalls is a notable strength. These firewalls can handle a substantial number of connections. For instance, they can manage up to one million connections on the NDSW server. Regarding its VPN capacity, it can support around 5,000 to 8,000 users per box, which is quite impressive. This scalability makes Check Point firewalls well-suited for organizations with high connection and user requirements. I would rate it eight out of ten.

Their support team has demonstrated an approximately 24-hour turnaround time, which is considered quite good. We have rarely needed to engage with Check Point support because most issues are resolved internally. Typically, we turn to OEM support only when we encounter challenges that are beyond our capabilities.

I also have experience with Fortinet and Cisco, both of which have made significant developments recently. They have introduced software-based firewall and system solutions, which have garnered attention from customers. This shift in the competitive landscape has led to changes in customer preferences, with more organizations considering Fortinet as a viable option for their security needs.

This process can be a bit complex at times, mainly because it depends on the specific client architecture and how they want to set it up.

The deployment process can be rated at about six in terms of complexity. Several factors influence this complexity, but getting the infrastructure ready is often the most challenging aspect. To successfully deploy, you need to account for downtime, ensure proper backups are in place, and ideally test it in a sandbox environment before going live. After deployment, thorough checks and adjustments are necessary. It typically requires at least two days of parallel operation, where both the new and old equipment run simultaneously. In an environment with no existing infrastructure to replace, the process is generally smoother. Deployment typically involves a team of 2 or 3 people working full-time for 4 to 5 days, equivalent to nine hours a day. Maintenance is handled by a networking team, which includes a Network Operations Center. The team consists of approximately eleven people managing various network components, including L1, L2, and L3 devices.

When considering a POC for a security solution, it's essential to assess the various use cases and functionalities it offers, such as NDSW which is particularly useful for protecting sensitive data. Check Point NGFW is not solely a firewall; it's a comprehensive security solution with various capabilities. It can address a wide range of security requirements, making it a valuable and versatile asset for organizations looking to enhance their security posture. I would rate it eight out of ten.

I have used this product in chemicals, insurance, and industrial sector companies.

The primary use case is to secure the inbound and outbound traffic and secure the DMZ servers. We use this solution for Remote access VPN (on smart view event can see reports more granular level) and IPSEC VPN for using the applications hosted on Public cloud and integrate the customer 3rd parties vendors. 

Using threat prevention helps in securing the customer environment from cyber attacks, ransomware, malwares etc. We use the Sandboxing features to protect the network from zero-day attacks

It improved the performance of the network on large scale. 

It's easy to use and configure. We can build the new firewalls with minimum effort. 

It's easy to upgrade the device. 

You can van view the device health on the smart view monitor and smart event monitor at a more granular level. We're achieving great performance using the latest quantum gateways. You can see the real-time logs on the management and also can configure the logging in redundancy mode. 

Using TCPDUMP, a firewall monitor, and firewall zdebug drop, you can troubleshoot the real-time issues.

We like the SecureXL, CoreXL, and Multi-que.  Using these features improved the performance of the gateway at a more granular level.

The Smart View Event monitor is great. You can see the real-time events on the firewall - including remote access VPN usage.

The smart licensing is great. It's easy to generate the license and apply it on the gateways.

The solution offers very good anti-virus and anti-spam capabilities. It's good security on the network.

Threat Prevention and Sandboxing are useful to have. We're protecting the network from zero-day vulnerabilities and securing the network from the latest cyberattacks.

Pricing for the gateways is too high as compared to the other vendors.

Whenever there is any issue comes checkpoint support ask to keep the gateway on the latest hotfix and OS which is difficult to roll out on all the gateways present in the customer environment.

I am using this product for more than five years.

We can achieve great stability using Check Point Quantum Gateways which improves the performance of the network.

We can achieve great scalability using Check Point Quantum Gateways.

We did not use a different solution. 

The initial setup is straightforward.

We did not evaluate other options.

Checkpoint Firewall provides advanced security for the organization and its connection to the members/participants. The Check Point FW controls access and traffic to and from the internal and external networks. The Check Point Firewall rule base defines the access control and network performance to help our organization achieve the below security goals:

• Only allows authorized connections and prevents vulnerabilities in a network
• Gives authorized users access to the correct internal networks
• Optimizes network performance and efficiently inspects connections

Check Point Firewall provides advanced security for the organization. The FW controls access and traffic to/from the internal and external networks. The Firewall rule base defines the access control and network performance to help our organization achieve the below security advantages:

• Only allows authorized connections and prevents vulnerabilities in a network
• Gives authorized users access to the correct internal networks
• Optimizes network performance and efficiently inspects connections
• Protection of all assets from internal and external threats

The following features are most valuable: 

• Threat prevention
• Malware prevention
• IPS
• IDS
  

Check Point should improve services related to the cloud-based solution. Due to these challenging times, most organizations seek to move to cloud-based implementation to minimize the cost and for easy deployment, access, and remote support. 

The Next-Generation Firewall should also be focused on zero-day threats as attacks have improved the past few years. They need to ensure that all connections and nodes are being protected. 

Sandblast technology is also a good tool as it offers enterprise solutions on malware detection and prevention.

I've used the solution for five years.

The solution is stable and can support all OS deployments. It's easy to manage.

We recommend the product as it is excellent and very scalable.

There have been no issues regarding the support from Check Point and the local vendor.

Positive

We previously used Fortinet.

The initial setup was straightforward. 

We did the deployment in-house and with a vendor team. The level of expertise was a 10/10.

The solution is easy to deploy. The pricing is lower than other solutions. We've had no issue with licensing.

We looked into Watchguard, Palo Alto, and Sophos.

We need more information on the ability to collaborate enterprise support.

We are using the Check Point firewall for our perimeter security.

The security solution works as well on-premise and in the Azure Cloud. We are using central management to configure the security policy of both gateways.

We are also using a Site2Site VPN for connecting our locations. This VPN is also realized with the same firewall systems.

In order to simplify the process of generation reviews of actual security incidents, we have implemented SmartReport for generating automated and special customized security reports for our documentation department.

Since the security policy of all firewall gateways can be defined centrally on the Check Point firewall management server, it is a lot easier to generate a secure and safe policy for all locations.

Since we can define policy operators for dedicated traffic selections, some of the lower IT staff can easily allow or block services or servers or create their own policy without interfering or compromising the rest of the security policy.

This makes the administration and coordination of the policy a lot easier for us

Since the log files of all services are collected on the management server there is an easy and good view of all actual connections, attacks, or security risks.

In addition, when using the SmartEvent software blade, you get the possibility to have an easy to configure event correlation system, which will automatically fire mail alerts or can even block IP addresses if there are network or security anomalies detected on the firewall system.

This is also possible if the services are allowed - for example, if there are flooding attacks on server systems.

For example, this has prevented our Citrix Netscaler from being taken down during attacks.

Although there is a lot of automation and pattern that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions, however, it can still be made a little bit better. 

For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).

The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.

Since attackers also use these clouds, there is a problem in getting your security definitions to work.

Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.

There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.

I've used the solution for more than ten years.

We do not have any problems with stability.

There is a hardware solution for every type of throughput. It is very good that in the datasheets you get the throughput of the different types of network traffic.

It is better not to choose solutions bigger than needed, or to have some resources left over.

Most of the support calls are answered very quickly. However, if you have a problem and you have to get development involved, the response gets slower.

Most of the time, you will find all necessary information in the Support Center or on the collaboration sites.

Neutral

We were using Cisco firewalls before. We had the need to implement Universal Threat Protection and the configuration of the Firepower system of Cisco was more complicated than the integrated policy configuration of Check Point.

The setup is straightforward. The documentation is very good.

We have implemented it completely in-house.

ROI is really hard to pinpoint. However, if we were using another security solution, our personal efforts to maintain it would double.

It is very hard to compare different firewall solutions and get a comparable price. Check Point tends to be very expansive, however, if you have a deeper look at other vendors, the costs are almost the same.

Due to the good integration and central management, Check Point is easier to maintain than other solutions.

In addition, there are good small office boxes from CheckPoint with a very good price - the features of these boxes are enough for small enterprises or branch offices.

We have evaluated Cisco Firepower and the FortiGate firewall solutions in the past.

We needed stateful inspection, logging, integration with Active Directory, and the ability to monitor devices using standard SNMP for use cases. Now, with the tool's Skyline product and OpenTelemetry, we can monitor it through Prometheus and Grafana. It has all the features we needed when we certified the solution.

Integration with Active Directory, IPS, standard VPN, and the firewall itself are the most valuable features for us. We haven't yet certified or aren't using Application Control, anti-bot, or anti-virus features.

Significant improvements have been made in the product. I started working with the R65 code and then upgraded to R74.40. When they transitioned from R77.30 to R80.x, they made major back-end modifications, switching from a flat file system to Solaris and Postgres. This was a big step that neither customers nor their support staff were fully prepared for.

Now, they're adding more features due to the increased flexibility of the new back-end. The main improvement I'd suggest is better preparation when introducing new features. Before releasing, they must train their support staff to troubleshoot these new features. The transition from R77.30 to R80.x was problematic due to a lack of preparation by Check Point, customers, and support.

Sizing is crucial, but we've never had issues with the products we've sized for each environment. The Maestro solution provides a lot of flexibility. On a scale of one to ten, with ten being the highest scalability, I'd rate it a ten.

I use Palo Alto firewalls. Check Point NGFW was the first to invent the stateful inspection firewall. They focus more on security and try to keep their motto of "keep security simple". They don't get bogged down in marketing or complicated terminology when using their products.

Even enabling a firewall blade on Palo Alto requires learning about different sync ports, how sync ports differ between chassis, and navigating through multiple GUI tabs for configuration. It's not as straightforward.

On the other hand, Check Point NGFW has kept things very simple for deployment. You set it up once, and then you can repeat the same process repeatedly.

On a scale of one to ten, with ten being the easiest, I'd rate the initial setup as ten. The process is straightforward: you rack and stack, configure the management code, create a standard policy, establish SIC, and push the policy. This process has remained consistent over the years.

For deployment, it took us longer than the typical two weeks because we had to design solutions for different scenarios. Check Point offers various options, such as clustering solutions, Maestro solutions, and standalone solutions. We had different use cases—some required standard clusters with ClusterXL, while others needed scalability solutions like Maestro. We also had to factor in sizing considerations.

The certification process took about the same amount of time as other products. We've been using the Maestro solution for a while now, so when new platforms are released, there isn't much change required beyond certifying the new hardware and ensuring backward compatibility with our certified solution.

Initially, it took a little more than two weeks to certify. However, the actual deployment still follows the same standard process and is actually easier now than it was in the past.

We call the team responsible for deploying certified solutions to the service delivery team. It's made up of two groups: build services and service delivery. The build services team works with our networking team to ensure our network and peering devices are set up right to host the firewall.

The service delivery team focuses more on the firewall itself. We need about three or four extra people from build services for firewall deployment. They act as go-betweens with the network team, ensuring our firewall solution works well with the peering devices when we put it in place. The build services team is important because they ensure everything fits together properly when we set up our firewall.

For maintenance, the solution is pretty stable. We have a global team, but a separate team handles regular firewall changes and daily operations. For support, we have about ten people total - three groups of three people each. This team manages around 1200 firewalls, including Check Point and Palo Alto devices.

Check Point NGFW is much cheaper than other platforms, including Palo Alto. Its scalability, especially with the Maestro solution, is a big advantage. If you're looking for good security at a reasonable price with a good return on investment, I believe Check Point NGFW is the way to go.

I've been dealing with Check Point NGFW for my entire career. I started with their Stateful Inspection feature. The term "Next Generation Firewall" is just marketing. Check Point's UTM product was designed from the ground up with next-generation features. They have a feature called Blaze. Besides stateful inspection firewalls and VPNs, they offer IPS, application control, URL filtering, antivirus, and antibot. You can also integrate it with third-party tools like Active Directory for authentication. This combination of features is what's called a next-generation firewall.

Other vendors use terms like app ID or user ID. They focus less on ports and more on ensuring services match their intended use. For example, if port 22 is enabled, it should be for SSH service, not something else. We use both Check Point NGFW and other products. I think if you commit to one vendor's approach, it can be hard to switch late.

My customer is one of the big banks in Bangladesh, and they use the solution to protect themselves from malware.

The solution's most valuable feature is CDR (content disarm and reconstruction). The Infiniti Portal feature helps manage the firewall and get a proper report, which is required for management. Capacity and Maestro are good features that can produce better firewall speed.

I want better (DPI) Deep Packet Inspection in Check Point NGFW. The solution should include some behavioral features to detect the malware smartly.

Check Point NGFW is a very stable solution.

I rate the solution’s stability nine and a half out of ten.

Around 20 small and medium businesses are using the solution. The solution's scalability is really good. It has a feature called Maestro, which can increase bandwidth by three terabytes.

I rate the solution's scalability an eight out of ten.

The solution provides good technical support.

Positive

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.

Check Point NGFW is not a cheap solution. Customers often need to pay a premium for its services.

On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven out of ten.

Check Point NGFW is a good firewall. You can mount it into your firewall in every country and have the report. You can find out how good it is. Customers can change this firewall or determine the efficiency of other firewalls, including Check Point. After 15 days, they can see the report, which is a good feature.

Overall, I rate the solution an eight out of ten.

It assists us in filtering files for our internal users, ensuring that our data remains secure and protected. During the pandemic, it has been invaluable in enabling remote connections through VPN for our employees who are working from home, facilitating our COVID-19 response efforts. We established point-to-point VPN connections with approximately thirty clients, which enhances our security, especially at the outermost layer of our network, safeguarding us from external threats.

It includes features like IPS, which keeps us informed about potential threats attempting to breach our infrastructure, adding a crucial layer of security. It is user-friendly and straightforward to manage, which simplifies our overall network security management.

It could greatly improve our customer experience by centralizing management. Currently, we face the issue of having different management interfaces, which require us to switch between them, causing some difficulties and inefficiencies in our workflow. There are instances where the software crashes and this necessitates frequent upgrades from one version to another.

I have been using it for four years now.

I would rate it as highly stable, giving it a solid nine out of ten.

In terms of scalability, we haven't needed to expand significantly as our current setup consists of firewall checkpoints at the main site and another set at the HQ. These devices can seamlessly communicate with one another. We use SmartConsole managing system, which serves as a centralized hub for collecting and managing logs from all our Check Point Firewalls. As far as I know, the limit for management servers is five firewalls, so beyond that, additional licensing may be required to accommodate more devices.

We don't engage directly with its support team. Instead, we work through a reseller who handles our support needs. When we require assistance, we reach out to the reseller, and if necessary, they will liaise with Check Point on our behalf.

We were previously using Cisco ASA, Cisco X-ray, and FortiGate. However, the technologies we had, particularly the Cisco ASA, were outdated, and there was a clear need to upgrade to a next-generation appliance. When considering our options, we received a proposal from a local vendor in Angola, and after reviewing it, we decided to move forward with Check Point as it is widely recognized as one of the top solutions in the market.

The initial setup is straightforward. I would rate it nine out of ten.

We've had positive experiences with the deployments, and we've recommended it in several instances. Currently, we have implemented four Check Point Firewalls. Our initial deployment at the primary site took approximately a week to set up. After fine-tuning and making necessary adjustments, the total time for implementation was roughly two weeks. The main office at our headquarters had a similar timeline, as the tuning process does require a significant amount of time and effort.

The technology itself is impressive, but I find the pricing a bit on the higher side. This is partly due to the complexities we face with exchange rates in our country, as obtaining foreign currency can be challenging.

Having worked with products from various providers, I've found the experience and functionality of Check Point to be quite impressive and I strongly recommend it, provided they invest in essential training, which is a critical component. Its user-friendly management interface simplifies the process, and it offers a wealth of features. I would rate it nine out of ten.