Check Point NGFW Reviews

The primary use case is segmentation in many different areas of the company network. We had a few critical use cases: there was a need for an internal firewall, and also an edge firewall. Apart from having simple segmentation, we had a requirement for additional features like the possibility to decrypt traffic, the possibility to inspect URLs or the intrusion prevention system feature. 

A very important thing for us was also to have a very good quality of vendor support. Definitely, this is something we can get here. 

With Check Point we have achieved our primary goal - segmentation. We were able to limit North-South and East-West traffic which had a very impressive impact on improving security posture. 

We also have the possibility to control Internet traffic, we can use the URL filtering feature together with traffic decryption to be able to allow only safe communication. A very important thing for us is also having the possibility to use identity awareness and be able to implement policy based on user IDs (user ad groups).

I like the Next-Generation Firewall. This is the primary feature and use case for this solution. It's a very important thing for us to have a solution that provides ease of use and an intuitive interface.

We are also using other security blades that are included in the package like URL filtering, identity awareness, IPS, antibot, and threat detection.

The most valuable thing for us is to have the possibility to use all the security blades and all security products and have a consistent policy among different security features. Reporting and integration with external solutions are great.

Check Point could improve the time for delivering requested features from customers. It could be delivered much faster. Also, communication and status reporting for such requests have a lot of room for improvement. After the request, we do not get any information on the status or progress until it is implemented.

Looking at the trend in the market which aims for vendor consolidation, the strategy to deliver one vendor SASE could be beneficial for Check Point and its customers. 

I've been familiar with the product since 2003. At my current company, CheckPoint appeared three years ago.

The stability is good.

The range of platforms is huge. It can fit every traffic requirement.

Overall I have had a positive experience with support. Sometimes it takes too long to resolve issues, however.

Positive

I have been using Cisco ASA. The switch was done based on the intuitive management interface and ease of use of Check Point.

The setup is straightforward, even if the policies are big and complex.

We have used help from a third-party company.

I'd advise users to prepare their requirements before choosing the product and model.

I also evaluated Palo Alto.

It is a really good solution. You should be happy with it if you choose it.

At the organizational level, we needed to protect the security of our organization. This is where a much broader need arises. We must protect each of the branches that our company has - in some cases larger than other branches. We took on the task of implementing a next-generation firewall from Check Point which allows us to have valuable equipment that adjusts to the needs of each of the branches according to their size and organizational demand by the number of users. This equipment is designed for infinity architecture. 

The designs, including Check Point next-generation firewall equipment, have allowed us to have all branches interconnected with the same brand and the same site-to-site communication service. We can encrypt the traffic through these VPNs and ensure communication in all directions, solving transactions and access to applications and services within our organization and outside of it. Additionally, we have a content filtering robot that ensures that users and applications are reached solely and exclusively by our networks and users. 

The most outstanding feature of Check Point is the possibility of having more than 60 indicating services within it. Among the most outstanding in keeping safe is its rule management, VPN configuration, SSL, and, above all, HTTPS Inspection, which is a solution that allows us to see what users do. We can decipher the activity of each connection and see what is inside it. In this way, we ensure that the data is not violated or violated by third parties outside our organization and we validate the internal and timely security. 

The Next Generation Firewall (NGFW) Configuration Guides in XL cluster are very complex and other guides should be reviewed to validate configuration references. They should be updated for new versions.

Something worth mentioning is the need for Spanish support and better representation for teams in the Latin American area. There is a growing demand for these IT services and new technologies.

Its guides are identical to the existing ones. It would be more pleasing that these guides be updated and improve their design.

Give it a try, and it will help you more in these times when users are more remote than local.

I've used the solution for two years.

It is quite scalable. That said, it is complex to integrate cluster services from the same equipment.

I was testing WatchGuard and Fortinet. In the end, it was easier for me to integrate Check Point.

The cost is quite high. That said, it must be understood that it is not only a firewall, it is a solution that integrates more solutions within it.

We use the solution for securing all of our servers facing the public network, site-to-site VPN, and SSL VPN like the webserver, e-services, and many other such applications. I have been using the below-mentioned modules:

• Application Control
• SSL Inspection
• URL Filter
• IPS/IDS
• Virus Scanner
• ATP
• DNS Sinkhole
• File Content Scan (Archived Content)
• Link Protection
• Safe Search
• VPN
• Anti Bot/Anti-Spam
• Threat Emulation/Extraction

I can say each and every module has benefited my organization and I would highly recommend others to deploy Check Point solutions.

We have good peace of mind now, after deploying this solution. We could easily defend against zero-day attacks and day-to-day vulnerabilities.

Since the time we deployed the solution, we are 100% safe and secure.

At present, the newly deployed solution is being used for reverse proxy, the site-to-site VPN, and SSL VPN along with the proxy for a few of the machines.

Their threat emulations and Bot Services are a must-try. 

You can just deploy it, sit back, and relax without any issues.

The most valuable features include:

• Application Control
• SSL Inspection
• URL Filter
• IPS/IDS
• Virus Scanner
• ATP
• DNS Sinkhole
• File Content Scan (Archived Content)
• Link Protection
• Safe Search
• VPN
• Anti Bot/Anti-Spam
• Threat Emulation/Extraction

Each and every module provides 100% accuracy. 

Their threat emulations and Bot Services are excellent.

Additionally, they have an excellent support team working around the clock. The engineers have excellent knowledge and provide us with a resolution in a very timely manner.

I have been using Check Point technology since 2011 and recently I have deployed new NGFW, the upgraded version, in a cluster along with the management box.

Check Point updates and upgrades are in a timely manner. There is nothing more that I need in terms of improvement.

Additionally, they have an excellent support team working around the clock. Check Point engineers have excellent knowledge and have provided us with the resolution in a timely manner.

I have been using Check Point technology since 2011 and recently I have deployed the new NGFW. It's the upgraded version and we have it in a cluster along with the management box.

I've used the solution for the last ten years.

The solution is highly stable.

The solution is highly scalable.

Customer service is excellent.

Positive

We did use a different solution originally. We changed to Check Point for achieving high levels of security.

The initial setup is straightforward.

We implemented through a vendor team and I would rate them at a 10 out of 10.

It's excellent and the management is very satisfactory.

It's a very economical option.

We evaluated Palo Alto and Cisco.

It's an excellent solution and offers the best support.

The solution is primarily used for firewall protection for an enterprise environment, The Check Point firewalls are implemented on the perimeter (DMZ) and Secure Access Domain (SAD) environments. 

We use physical VSLS clusters but have many virtual systems (Vsys) configured for different sub purposes. The Entire management domain is protected by Check Point firewall virtuals running on multiple physical boxes.

We have multiple virtual routers configured on the physical firewalls which connect L3 connectivity to other domains. The Perimeter DMZ firewall protects the boundary zone Environments 

Check Point firewalls have helped our organization to securely promote the traffic flow in a secure way that is fast and swift.

There's faster identification of customer traffic issues identifies via a smart view tracker and centralized management of rules. It has an ease of access policy and a human-readable format.

We have multiple virtual routers configured on the physical firewalls which connect with L3 connectivity to other domains. The Perimeter DMZ firewall protects the boundary zone environments.

Dashboards for rules management and trackers for firewall logs capture are useful.

Traffic flow in Check Point is very structured so that it is easy to understand the path it checks to understand which elements come first and which elements come later.

The smart log compiles from multiple CMAs is an important feature that is very attractive. 

The MDM dashboard is very organized compared to other vendors. The use of CLI tools like TCPDUMP and FW monitor are very useful in verifying the traffic logs.

Objects search and tracker logs are useful.  

To combine CLI routing and GUI application in a way that both interact together would be ideal.

The pricing could be better. In general, the Check Point solutions are not cheap, however, you could try to negotiate on the overall contract, especially if you are purchasing a lot of hardware.

In the CLI, while viewing configs, there is no easy way to snapshot configs. 

I've used the solution for more than 15 years.

The product is very stable.

The solution is scalable.

Technical support is super.

We switched from Cisco to Check Point. Cisco was CLI-based and cumbersome with rulesets.

The setup is straightforward as there are many videos available on the net to practice with.

We had vendor involvement.

It serves the purpose and primarly gets the best output.

The pricing is high. In general, the Check Point solutions are not cheap, however, you could try to negotiate on the overall contract, especially if you are purchasing a lot of hardware.

Yes, the vendor ran through the options and based their decision on the company security standards.

We are satisfied with the product and support.

We are a financial institution and we use Check Point as a firewall that is positioned for external connections, like the Internet, leased lines, and site-to-site VPNs for other companies. Check Point protects our mobile applications connected to the internet, as well as the main company website. Some firewalls are positioned on some of our HQs.

We're on version R80.40 (some minor firewalls are on R80.30) and we use 13000, 23000, and 26000 series appliances. We use Application Control, Identity Awareness, IPS, URL Filtering, Anti-bot, Antivirus, Threat extraction, and Threat emulation blades.

I've been in the same company for 11 years, and Check Point has been running in a stable manner for our company's main internet connection (and 7 years before that).

It has protected our main applications successfully without any performance drops, and with its flawless logging capabilities, we were able to pinpoint any issues every time.

The management is also the best among any other firewall, with the convenience to create the objects and rules on the same page. This has helped us save time on operations. We can use APIs to create objects and rules to easily finish some projects.

The best features are the stability and the performance of the firewall and its software blades, simplicity to write the firewall rules on its GUI, and its logging capabilities.

The firewalls are working stably, without any interruptions. As we planned our capacity well, we've never had any performance issues.

The firewall rule writing and object creation are the best and simplest I've seen on a firewall (I've looked at 6 different vendors). I often wonder why the other vendors don't do it Check Point's way.

To see the logs, we can search like a search engine, and we can combine different search strings to pinpoint the interesting traffic.

The product can be improved with fewer hotfixes, and if more generally available jumbo hotfixes were used.

We don't often hit bugs. It's perfectly normal for an NGFW device as other vendors are always fixing bugs too. However, when we hit a bug, the support team recommends some hotfix, and if we upgrade to that, we have to uninstall it before we apply some newer jumbo hotfix. If those fixes were included in a fast manner in the jumbo hotfix (as jumbo hotfixes are tested thoroughly for general availability), it would be ideal.

I've used the solution for 11 years.

The primary use of the solution is as an enterprise perimeter firewall in our data centers. We also use software blades for IPS/IDS functions as well. We have a combination of enterprise-grade firewalls like the 15000 and16000 series as well as mid-size versions like the 5000 and 6000 series which are for specific segment isolation or other purposes. The software blades are running on HP servers. Management is done via 5150 appliances. 5000 and 6000 series appliances are primarily used for segment isolation while the larger appliances are used for perimeter security.

We have been using Check Point firewalls as our main security devices for many years and thus have a strong level of expertise within the organization on implementing various features. We love the reliability and strong feature set of the firewall appliances and software blades. Managing policies with v80 and above is also much more streamlined. Troubleshooting events via logs makes identifying issues straightforward. We have multiple engineers working on policies at the same time, so the newer versions help simplify this tasks for us.

I love the redesigned interface starting with R80 as well as the ability for multiple engineers to work on the policy simultaneously. Policy management is simplified and the virtualization options help us to plan for future deployments in a much easier way. While we haven't tried out all the features available - like Sandblast, AntiBot, URL filtering, etc. - the fact that these are available to use is definitely a plus. We were able to use the IPS features, negating the deployment of an expensive standalone IPS solution.

Check Point solutions have always been more complex to deploy than their competitors. There may be multiple scenarios where we may need to engage support, however, the customer support is very good. There are certain features that are only possible from the command line (e.g. packet captures) and it would be good to integrate everything into the GUI to reduce the learning curve for newer engineers. Finally, it can be a costlier solution - especially for the smaller firewalls as compared to the competition. It would be beneficial to have more training options or documentation as well.

I've been using the solution for over 15 years.

The solution is extremely stable. There have been a few software bugs that have caused some unwanted glitches but these were fixed with updates.

If the product is sized correctly in terms of appliances, then it is easy to scale. 

The support is excellent and knowledgeable. The service offered sets them apart from the competition.

We have used Juniper SSG firewalls in the past and moved to Check Point due to the learning curve on the new JunOS deployments with the SRX firewalls.

The setup required some planning and was slightly complex. The process requires good expertise on the product before deployment.

We had an in-house team for deployment with active support from Check Point.

I don't have much detail on this.

We evaluated Cisco ASA firewalls and Palo Alto devices as well as Juniper SRXs.

Setup can be complex and it is very helpful to first plan the deployment before rushing into it. Use the support available to find out the best options to use.

We would love to have more training materials and/or courses available so that I can onboard engineers in a faster way.

The role NGFW plays is to protect the organization against Layer 7 network attacks.

The solution has helped us to guard our perimeter security on a wider level. This is not like plain vanilla firewall. We have got a wider visibility with the help of this next-generation firewall; it shows us the traffic flowing across the network and based upon that, we have made the modifications required to restrict access.

Also, the active cluster module has helped us to balance the load during peak hours. Since moving to the active-active module, we have got the much-needed breathing space.

It has helped us to inspect traffic, not only with a limited protocol base but on the application/service level inspection too.

The service base access policy has provided us with a next-level restriction, which wasn't there on old school firewalls.

The integrated threat & anti-bot blade gives us protection from zero-day attacks and these can be blocked using analysis & signature matching.

The integrated intrusion prevention blade not only gives an additional level of security but also cuts down the load to manage an extra device.

The threat emulation blade and user identity awareness feature has helped us a lot in terms of perimeter security and have given us granular visibility of user access.

The integration with third-party vendors is quite easy and well defined, which really helps you with the automation.

The integration of gateways with a centralized managed server gives you full control in a single place.

The setup and implementation are quite easy and the logs and reports are elaborative and effective for securing the network.

The one area that I would like to see a change in is policy installation. Right now, with a larger user database and a high number of rules, it takes a bit of time for policy installation. There is definitely some improvement in the R80 version; however, I believe that it should not take more than one minute to refresh the database. Also, there is a significant spike in gateway resource utilization during policy installation. 

The additional blades have an impact on resource utilization, hence scope of improvement is needed here too.

I am using Check Point NGFW for the past five to six years for perimeter & internal security.

The solution is quite stable, however some issues also observed in new version release & same is fixed through hotfix/portfix once it is highlighted to the TAC 

The new hyperscale module gives you the much-needed breathing space, which the industry was looking at for quite a long time.

When it comes to technical support, Check Point is on another level. The support engineers are very well versed with the solution they are managing.

The initial setup & integration was quite easy, and the support during migration was outstanding.

It was a collaborative effort of our in-house and vendor teams. The support was good & quite appreciable.

It's good & the same as expected.

For the SMB appliances, the use case is tricky because I don't actually like them too much. If you have a very small branch office, you could use one of them, but in that case I would just go for the lowest version of the full GAiA models. But for small locations that are not that important, it is possible to use one of the SMB appliances, the 1400 or 1500 series. 

The full GAiA models, starting with the 3200 and up to the chassis, are the ones we work with the most, and you can use them in almost every environment that you want to secure, from Layer 4  to Layer 7. The only reason to go higher is if they don't perform well enough, and then you go to the chassis which are for really big data centers that need to be secure.

About a year or a year-and-a-half ago, they introduced the Maestro solution, which gives you the flexibility of using the normal gateways in a way that you can extend them really easily, without switching to the chassis. You can just plug more and more gateways into the Maestro solution.

It's difficult to say how these firewalls have improved our clients' companies because a firewall isn't meant to improve things, it's meant to make them more secure. Nine times out of 10, it's going to give you something that the end-users aren't so happy with. But Check Point Next Generation Firewalls improve security and, indirectly, they improve the way users work. They can access practically everything on the internet without being concerned about what's going to happen. They give users more confidence when doing something, without having to worry about the consequences because the gateway is going to help them out where needed, preventing malicious stuff.

The feature I like the most is their central management, the Smart controller which you can use to manage all the firewalls from one location. You can get practically all information — but not all the information, because not everything has been migrated from the previous SmartDashboard version into the SmartConsole. Being able to access almost everything in one location — manage all your gateways and get all your logs — for me, is the best feature to work with. 

As for the security features, that depends a bit on what you're doing with it, and what your goal is. But they're all very good for application URL filtering. Threat Prevention and Threat Extraction are also great, especially the Threat Extraction. It's very nice because your end-user doesn't have to wait for the file that he's downloading to see if it's infected, if it's malware or not. It gives him a plain text version without active content, and he can start working. And if he needs the actual version, it will be available a few minutes later to download, if it isn't infected. That's a great feature. 

Anti-Bot also is also very nice because if a PC from an end-user gets infected, it stops it from communicating with its command and control, and you get notification that there is an infected computer.

It's difficult to distinguish which feature is best, because they're all good. It just depends on what your goals are. As a partner, we are implementing all of them, and which ones we prioritize depends on the client's needs and which is the best for them. For me, they're all very good.

The MTA (Mail Transfer Agent) may not be the greatest, and the full proxy that you can activate instead of just doing application control is also not the greatest, but they don't even recommend using those. They're just available if you want.

But the biggest improvement they could make is having one software to install on all three levels of their products, so that the SMBs, the normal models, and the chassis would all run the same software. Now, while there is central management, everything that has to be configured on the gateway itself works differently on the three kinds of devices. That is a bit hard because you have to update your skills on all three.

A practical example is that I have a client that I run scripts for to get information from 40-plus firewalls. That client is thinking about refreshing and there may be SMB appliances in the roll-out that don't run those scripts. That would make my job a lot harder. So the best improvement would be standard software on all their devices.

I started working with Check Point firewalls in 1999, so it's been about 20 years. In the last year I have worked with all the SMB appliances, through the full GAiA and up to the 64000 series.

There's not much difference between a Check Point 3200 and a 5200 because they're running the same OS. There are just performance differences. So I can't say I've worked on every model, because I don't always check the model when I come to a client. But I've worked on every model that runs different software. I've worked with all three kinds of software that are used by Check Point.

The SMBs have room for improvement in stability. They're not as stable as they could be.

The chassis are great, but they are running behind. Maybe "running behind" is an overstatement, but the roll-out of new features on them is really slow because they want them to be tested and tested and tested. The clients installing these chassis are large banks or very large customers that can't have any downtime whatsoever, so it's normal that they test them more thoroughly. 

For the mainstream models, we do run into bugs on a regular basis, but they're mostly not showstoppers. You can run into a bug, but either there's a possible work-around or it doesn't impact things so much that there are huge problems for the client.

The SMBs are not scalable. New devices come out from time to time that are more performant. The mainstream devices are also not scalable except if you go with the Maestro version, and then you can just plug in an extra firewall and it scales up. With the chassis you just plug in an extra blade and it scales up also. So the Maestro and the chassis are very scalable, but for the other models it comes down to buying new boxes if the current ones aren't sufficient anymore.

Check Point support is a very difficult question because not so long ago I had a major complaint with Check Point about their support. Now, they give us much better support because we have the highest level of partnership. They recognize that the people from our team, in particular, are very skilled, so we don't go to first-level support anymore. The moment we open a ticket, we get tier-three support, and that is good.

But we haven't had this privilege for that long and, in the past, support could be a bit tricky. If we got a tier-one engineer it could be okay for support that wasn't urgent but if we were doing an implementation, especially since we had a lot of experience, they were mostly asking questions about things that we had already checked. Often, we had more knowledge than they did.

For us, it's great that we now immediately get access to tier-three. I just wrote an email to the support manager this morning about an issue we had last night, and I told him the support was great; no complaints anymore. It took a while, but now it's good. I can't complain anymore.

It depends on the partnership you have with Check Point. If you're a lower-level partner, you have to go through the steps and it takes a bit of time. If you're working in a company that has a good partnership and you can negotiate some things, then support is good and you get very good people on the line.

The initial setup of these firewalls is fairly straightforward for me, but they're not the easiest ones to learn and to set up. But I've been working with Check Points for 20 years. So if you're a new user, I wouldn't say it's easy. If you have experience, it's not really that difficult. But the learning curve is higher than some of the competitors.

The time for deployment depends on the features you want to enable on the firewall and the environment you want to put it in. If it's a branch office with a small network, a DMZ and an internet connection, that would take half a day or a day. It also depends though on if it is a completely new installation where you also have to install a Management Server. On average, we count on about one day per gateway and one day for the management, but it depends on the complexity of the environment, of course.

Our implementation strategy differs per client, and it even differs by the engineer who does it because everyone has his own skills and tricks from the past that they're using. But a uniform implementation approach, especially for different clients, is very difficult to do because every firewall is a complex product. You can't do for client A what you're going to do for client B.

If it's an installation we go the standard route, with a high-level design and get it approved by the clients. Then we go for the low-level design and implementation. A standard implementation is a clustered environment with a separate Management Server. We almost never deploy one gateway, so one cluster with a separate Management Server is the most basic level. We usually set up the management on a virtual system, not an appliance, and we try to go for appliances for the gateways, depending a bit on the customer's needs; it could be virtual.

Make sure you get the correct license. For instance, I did an audit for one of our clients recently and I saw that they always were buying the most expensive license and not using the features that were included in it. That's one thing to look at: If you're not going to use some features, don't buy the license related to those and go for a cheaper license. 

Also, negotiate. There's always room for discounts.

You get licensing bundles, so depending on which features you want to activate, your license is going to be more expensive. Some things, like Threat Extraction and Threat Emulation, require subscriptions. They don't come with a standard firewall. 

I'm not a licensing expert, but as far as I know there's the standard firewall, the Next Generation Firewall, and then the Next Generation Threat Prevention license. The price goes up in those bundles.

Another vendor I work with and have the most knowledge about, when compared to Check Point, is Palo Alto. They force you to work a bit more with applications instead of ports, although that's not something Check Point cannot do. 

The central management is different for Palo Alto. You can install it, but it doesn't work the way it works with Check Point. I like both. I like that with the Palo Alto you just go to a web browser and can configure the firewall all the way, but it's also easy to have the SmartConsole from Check Point where you can manage multiple devices. Palo Alto doesn't really have that. They have a central manager where you can get logs and where you can distribute some policies, but it doesn't work the way Check Point's central management does.

Both have their pros and cons. It depends on how you like to work. I like working with both of them. It's a bit different, but in terms of security and features, I don't think they're that different. It's just another way of working.

Make sure you have a good partner doing Check Point work for you because, as a direct client, it's very hard to get the necessary skills in-house, unless you're a very big company. Contact Check Point and ask them which partner they recommend and go that route. Don't try to do it yourself. The firewall is too complex to set up and maintain yourself, without the assistance of people who do it every day.

Learn and get experience with it. Don't be overwhelmed. When you start with it all the features and all the tips and tricks that you need to know to maintain it, it can be overwhelming. Like I said, the learning curve is very steep, and when you start with it, it's going to look like, "Whoa, this is impossible." But stick with it and when you get some experience it's going to be okay. It's a difficult product, but once you get the hang of it, it's one that's really nice to work with. We still run into issues from time to time, but Check Point products are very manageable and fun to work with. Check Point is my favorite vendor. I like working with it a lot.

I would rate Check Point's mainstream solutions at eight or nine out of 10, and the same for the chassis. I would rate the SMBs around a six. I don't really like those too much. Overall, Check Point is an eight, because most people are going for the mainstream solutions and those are very good.