Independent Information Technology and Services Professional at a non-profit with 1-10 employees
Real User
Top 5
2024-09-25T13:05:00Z
Sep 25, 2024
There are some issues with the Check Point VPN, such as its complexity compared to other VPN clients. Another downside is related to performance, which lags behind similarly priced products like those from Palo Alto. The platform becomes layered with add-ons, moving away from its original simplicity, which poses a problem.
As everything is moving to cloud environments, it would be beneficial if Check Point Remote Access VPN could provide on-demand services related to remote VPN. Users with proper authentication should be able to easily deploy VPN on their devices with just a click, perhaps with the help of plugins. This would establish a secure connection from the customer's network to their data center. I've recently worked with Oracle Cloud, and they offer a feature where running a simple script on any device establishes a terminal between the device and the data center, allowing easy access to resources.
Network Engineer at a non-profit with 10,001+ employees
Real User
Top 20
2024-04-05T18:50:47Z
Apr 5, 2024
Check Point Remote Access VPN handles up to a hundred megabytes for clients, but I want it to be able to handle up to one gigabyte. For improvements in the product, I can create a wishlist since it is a VPN technology. I would love to see what is available on the VPN connections, but it is important for our company to check the encryption part of it.
Updated: November 2024.
Security Officer at a hospitality company with 51-200 employees
Real User
Top 5
2024-04-03T19:30:23Z
Apr 3, 2024
The main area for improvement is pricing. Another area could be integrating MFA authentication directly into the solution instead of using separate benchmark tools for implementation.
We encounter challenges for the product’s installation and troubleshooting processes compared to other VPN products. It is difficult to restore settings in cases of connection failure. This particular area needs improvement.
Check Point Remote Access VPN's enterprise support could be improved. The principal support is the problem with the operating systems. The customers have a problem with not being able to publish the application.
Web Developer at Netconomy Software & Consulting GmbH
User
Top 20
2023-02-24T07:56:00Z
Feb 24, 2023
This version has comprehensive features that provide reliable services based on the organization's requirements. Sometimes the application slows down the computing device, and this affects workflows. Most modern VPNs offer more features that are more powerful as compared to the ones set up in this system. The focus of the next release should be on the compatibility and speed of this platform so that it can easily compete with other products. It should be customized to accept more languages and more locations.
The main feature that would be improved within Check Point Remote Access is its operation within Linux OS, as it currently does not have many features for that OS. You cannot access the detection of threats that can steal your data. In addition, it does not have an incident analysis that can detect failures in time in the network or VPN connectivity. Also, the IPsec settings on Linux are quite limited, which makes it a bit difficult to configure the settings you can make for remote connection to Linux.
Head of IT Department at AS Attīstības finanšu institūcija Altum
Real User
Top 5
2023-02-14T07:53:47Z
Feb 14, 2023
The provisioning of VPN users has room for improvement. The solution can improve by providing an option to centrally manage and upgrade client applications on a PC.
My experience with the set features has always been excellent. The secure connection networking system has enabled each team to connect effectively with colleagues from anywhere. Connection of devices from various locations is efficient though there are a few challenges when there is a network failure. Disconnection due to internet failure may affect the entire connection and slow down the workflow. The setup process requires skilled manpower and dedicated teams to get the best results from the entire connection system. Integration of more powerful kill switch tools will enhance secure connection. Additional server locations can boost service delivery and cut the cost of connecting computing devices from different areas.
A characteristic to improve is the communication service under the SMTP scheme. In some cases, it is quite complex when it comes to managing, configuring, forwarding, and integrating mail services. It consumes a lot of processing and RAM memory. We want a solution that allows us to use current resources so that high processing peaks demanded by the virtual or physical equipment do not occur.
Sometimes it may mislead the user based on the requested location due to poor networking. Most features have capable performance that responds quickly to user requests. The cost of maintenance is high compared to most products in the market. Integrations with some applications are difficult due to poor compatibility tools. The development team should focus more on updates and integration features. I am impressed by the current performance despite the few challenges. The overall performance has been excellent, and I recommend it to others.
The solution needs: Advanced monitoring and reporting capabilities in order to have a more detailed visibility into security incidents and events. It's important to note that the areas of improvement and additional features will vary depending on the specific use case and the organization's security needs, so it is recommended to contact the vendor to know more details about their roadmap and the next releases of the product. Improved scalability to allow the solution to handle larger numbers of users and devices without a significant impact on performance.
Information Technology Admin at a wellness & fitness company with 51-200 employees
Real User
Top 20
2023-01-13T16:39:43Z
Jan 13, 2023
We started with 50 users, but our numbers are increasing. Now it's difficult for us to maintain a steady internet connection and remote access, so we want to upgrade. We are considering a switch to FortiGate. I think they may have better service than Check Point offers. Scalability is where we're having problems now. Generally, Check Point has been working fine, but we need something that can accommodate many users and provide a steadier internet connection. Our remote users need to access the VPN without any issues. Of course, this could also have something to do with our internet connection at the organization. We've been using Check Point to manage sites we need to block. It gives us the option to totally disable things, but it does not let the administrator create exceptions to allow specific users to access certain websites. Check Point could enable the administrator to permit users to access particular sites. I think the VPN we're using may have exceeded its lifespan. For example, if you check Instagram on Check Point, you might not even see it showing up, and it's difficult to restrict access to specific applications.
Cloud Engineer at IT Quest Solutions|interglobalmsp
User
Top 5
2022-12-30T15:07:00Z
Dec 30, 2022
They need to verify the latency in the GUI. They may need to rearrange or adjust the administrative part of the application. They must improve the documentation part of the tool since it is difficult to find relevant information. They must improve the technical support to reduce the time of resolution of cases. We have had to escalate cases that are not resolved in the priority that they were opened, resulting in operational problems.
Profesional Gestión Informática 2 - Especialista en Sistemas de Información at CompuGuana
Real User
2022-11-06T05:13:00Z
Nov 6, 2022
We'd like to integrate Check Point into the Remote Access VPN solution and have the ability to integrate multiple devices as access points through the solution. This would allow us to have a tool that is not only remote access for mobile devices but a remote access solution for virtual teams, including mobile devices such as cell phones, tablets, and other types of devices in IoT areas such as doors, houses, and medical equipment.
In the future, if this service could be installed in a faster and simpler way (rather than having it directly connected to the appliances), that would be ideal. Today, many of the solutions are not what was needed when we had perimeter security. It would be good to have Remote Access VPN solutions for Check Point edge services.
I would like this service to be easier to manage when you integrate it with third parties. Although it is complex to configure, I cannot complain that it is complete and it is worth being able to use and integrate it. However, any administrator would welcome any changes that made configuration simpler. We would like the ability to perform remote access with the VPN in the future with any type of device. Lately, Android applications tend to have more errors. I hope that this will be solved in the future.
Pre-sales Manager at Alpha1 IT Solutions & Consulting Pvt Ltd
Real User
2022-10-04T12:36:14Z
Oct 4, 2022
If you are new to deploying the solution, the initial setup might be difficult the first time around. I had trouble setting the policies and then resetting the device.
The VPN Remote Access blade could be improved. Licensing is extremely expensive per user and more so for large companies where the number of users directly impacts the cost. The documentation for good practices and specific configurations is somewhat old, generally for versions before R80, which is why it is sometimes more challenging to understand them or be able to implement them. Also, at the support level, response times can be improved, as the technical level for this type of tool is very good.
We are still in the learning phase as of now, and there seem to be more and more feature upgrades in the standard version of the application. They're providing updated features in the application with complete compliance assurance - which is really awesome - and we need specific customizations to make it a perfect fit for our business environment. This is a new and emerging area and requires a lot of customization and flexible features to suit the business requirements. Price category and smooth renewal of agreement should be considered for flawless and quick onboarding of clients and partners.
The license is included with gw licensing, however, in terms of the number of users that can be activated for use. In our case, we quote additional licensing and it is quite expensive for remote VPN, other manufacturers are not so expensive. The support provided is slow, in addition to the fact that the service hours are contrary to ours, which generates slower problem solving, I think it is important to improve this area.
It's difficult to configure on Linux workstations as Check Point Remote VPN clients support only Windows and Mac devices. The configuration of a VPN requires a distinct VPN Tab. Once the VPN blade has been activated, we need to make some configurations in the gateway option settings and others in the VPN communities section. It would be preferable if these two things came together in one place. Apart from this, it operates flawlessly. To improve our IT Services, we poll our users. The majority of people say how excellent the remote access VPN service is. Additionally, they stated that once connected to a VPN service, they never experience connectivity problems.
In my organization, there aren't Linux users, however, I know it has difficulties offering secure access for customers who use this operating system. Also, this product has limitations with headcount addition, as there are performance limitations in each security gateway the software has. The ability to allow split-tunneling while still following our corporate policy should be offered. Some things like the compliance aspect of the VPN Client can be updated so the product stays up to speed with the ever-changing environment in software security.
One of the parts where the improvement of Check Point Remote Access VPN can be forced is in the compliance analysis. Sometimes it causes the consumption of machine resources, and also improves the scanning since they consume many resources in the clients' machines. Another point to improve is to program a timeout if the VPN is disconnected due to an internet problem. One complication that we found is that the Linux machines do not have a complete client to do the installation and that has not delayed a bit with our users who use this type of operating system.
That the level of Remote access VPN was higher by default as other brands do it that way. In the case of Check Point, they are not like that. The maximum it is giving us is only 5 licenses and if you need more, they must be purchased separately. From my perspective, it should be added to the same cost as the general license, and that well explained makes the product more attractive. Many organizations would have this need, as many are moving off-premise. We have great executives and entire corporate teams that perform work tasks from home.
Endpoint Security on Demand, or Compliance Check, is a good feature. It allows the creation of compliance policies and adds more security to the network. Machines will be scanned once they connect to VPN to make sure all of them are compliant. Conditions to configure compliance checks are Windows security (hotfixes, patches), Anti-Spyware, Anti-Virus software, personal firewall, or Custom (application, files, registry). These are not enough in a complicated environment. Almost all of them are supported for Windows machines; however, there are just limited conditions for non-Windows. In fact, using mobile devices on Android, iOS, macOS, and Linux is very popular. Compliance Check on Check Point should be improved by having more configurable conditions to support multi-platforms and adding more granularity. Besides, compliance scanning sometimes consumes machine resources. I also suggest scanning operations will consume fewer resources and increase speed time.
Especialista Certificado en Administración de Servicios de Tecnología de la Información at AZZAIT
User
2022-02-28T14:53:00Z
Feb 28, 2022
It needs to improve the capability of the Secure browser VPN connections. Some in-house applications didn't work due to the use of JScript and the backend and front end technology for the applications. In the case of URL translation of the VPN Web portal, the requests made from the front end to the back end weren't valid (due to the use of dynamic subdomains). In the case of host translations, the request was made to the same host, however, we cannot specify the ports, which, in our case, are used to redirect to different servers.
The Linux version may have an app (similar to Windows) instead of a shell script. We have seen that in Windows and Apple systems the app is running on the system tray whereas in Linux we have to keep the Linux Terminal Window open otherwise the connection drops. Sometimes, we have noticed that, owing to the installation of various antivirus and the running of inbuilt firewalls (applicable to all operating systems), the connection for VPN sporadically drops and tries to reconnect. When this happens, we have to manually either disable the firewall/antivirus or reconnect the VPN again.
Cyber Security Manager at H2O Power Limited Partnership
Real User
2021-11-19T15:26:00Z
Nov 19, 2021
The ability to allow split-tunneling while still following our corporate policy needs to be on the table. Right now, in order to allow the same policy to apply, the users' traffic must be routed up to our NGFW before going out to the internet. Having a method to apply the same policy to the client for outbound traffic while connected to the VPN would be huge. Some things like the compliance aspect of the VPN Client can be updated to bring it a little more modern. It's very useful for checking things like Windows Updates levels before connecting, however, it could use a facelift since it's still quite old-looking.
Voice and data infrastructure specialist at a tech services company with 1,001-5,000 employees
User
2021-11-02T20:39:00Z
Nov 2, 2021
We have not migrated to the R81 version and I do not doubt that it will have some improvements compared to the version we use today. Without a doubt and with the new trends in technology, Check Point should already have a blade with a 2MFA solution and not through some other vendor. This type of integration would undoubtedly give it a better reach and greater market with new security trends top of mind. I know that everything is moving to a cloud environment, however, for all those corporates that still do not trust such an environment, it would be favorable to offer a 2MFA service in a solution tested through a blade or in the cloud.
Network Security Engineer at a consumer goods company with 201-500 employees
Real User
2021-10-16T12:34:00Z
Oct 16, 2021
This is the best version we are using, however, if some changes can be made in the next release, I'd like to see adjustments to the time period and internet connectivity. For example, when my internet is not working properly, then the VPN disconnects all of a sudden and if I want to connect again, I need to do so with credentials and 2FA. In the next release, if the product could program in a hold time then disconnect the VPN due to the internet's fluctuation, that would be ideal as it would improve the way we can monitor our network visibility.
We would like to implement HTML5 (clientless access) in the product without installing any additional software. It would also be desirable to be able to segregate the different authentication methods by domain user group. Unfortunately at the moment, the division is only between domain and non-domain users. What we also miss is control over the workstations for non-domain PCs that the client is installed on. It would be nice if we could block such connections based on, for example, the machine name or connection ID.
Voice and data infrastructure specialist at a tech services company with 1,001-5,000 employees
User
2021-10-07T21:05:00Z
Oct 7, 2021
The authentication that we handle is through a .p12 certificate, however, we have integrated it with a 2MFA service through another provider. Something that could improve Check Point is if it had its own 2MFA service through a blade or some sort of application. We'd be able to give a better experience to companies that already have a contract or Check Point services that deal with a work-from-home environment, giving greater scope and coverage from a single centralized dashboard.
Firewall Engineer at a logistics company with 1,001-5,000 employees
User
2021-09-30T10:59:00Z
Sep 30, 2021
The non-standard setup is quite complex as you have to do changes via GUI and CLI. Luckily, Check Point knowledgebase articles help you, however, there are so many resources you have to go through. The Client VPN licenses are for concurrent users and there is currently no way to prioritize certain users over others. There is no possibility to increase the number of concurrent users for a short time (except if you have unlimited concurrent users licensed). This could help during emergency situations where there are more client VPN users than anticipated.
Check Point RA VPN requires companies to take separate licenses initially so that only 5 connected users licenses are given as subscriptions. Most other competitors, like Palo Alto, provide 1000 connected user licenses for free. Some configurations, like idle timeout (the requirement came from multiple users), are not possible to configure directly from the Check Point management server. We have to make changes in the local directory of the respective devices.
Accounts Administrator at a non-profit with 51-200 employees
User
2021-08-31T17:22:00Z
Aug 31, 2021
A saving password option might save time for continuous disconnection to the server due to internet fluctuation problems. They need to increase their timeout. Right now, it will fail after ten seconds, however, it shouldn't fail until after 20 seconds. If you don't get on your phone right away and check on your authentications, it will kick you out. In an environment with multiple cluster checkpoints, the global properties common to all clusters in some cases give problems. The interface needs improvement. When you need to create something, you have to go through a lot of steps. It needs to be simplified.
Global IT Network and Security Service Senior Specialist at a manufacturing company with 1,001-5,000 employees
Real User
2021-07-04T13:31:00Z
Jul 4, 2021
The main problem with Check Point is that some configuration can be done with the smart console in GUI, however, some others need to connect to the firewall via the CLI on SSH and therefore you will need to modify the local file on the firewall with VI. ASA is so easy to reserve some static IPs based on users, however, in Check Point, it is really difficult to do so. In addition, you can't reserve as static some IP that you are assigned dynamically to a local pool. You have no ability to reserve a total number of licenses. The VPN user licenses are assigned per gateway, and if you enable the MEP function, it is not so easy to size the gateway licenses. The configurations that you do to modify local files are not reflected in the GUI via the smart console.
Senior Vice President, Technology for the Americas at Engel & Völkers Development GmbH
Real User
2021-06-16T01:39:00Z
Jun 16, 2021
We don't have any specific complaints. We are very happy with the Windows client. You log in with the VPN for the full client, you do the log in right from the software itself. For Linux machines, they don't have a full client to install. For the users that utilize Linux, there needs to be an equivalent. The documentation of the software needs to be more accessible. If an end-user wants to have access to customized training from the company, that should be able to be built-in. I would add that feature.
Network Security Engineer at a manufacturing company with 5,001-10,000 employees
Real User
2021-06-15T19:04:00Z
Jun 15, 2021
There needs to be a way to create a VPN client specific to our environment so that we can easily lock down who can connect. The VPN client install should be specific to our environment. Our service desk does get some complaints about users not being able to connect. Sometimes it's because the VPN client has updated and they've lost their connection settings and don't have a record of the connection settings themselves. Other times, the VPN client needs to be reinstalled or upgraded to allow them to connect.
With this particular client VPN, there needs to be a feature that can glance at your credentials, of being able to look at credentials. You might hang for a bit or the execution might fail. It would be useful to see your credentials before you connect to take note to see if you are likely to have trouble connecting. They need to increase their timeout. Right now, it will fail after ten seconds, however, it shouldn't fail until after 20. If you don't get on your phone right away and check on your authentications, it will kick you out. They need to give a bit more time.
Network, Systems and Security Engineer at SOLTEL Group
Real User
2021-06-02T10:42:00Z
Jun 2, 2021
Despite being very intuitive, the interface needs improvements. When you need to create something, you have to follow many steps and I think that should be simplified.
Senior Manager at a financial services firm with 10,001+ employees
Real User
2021-05-31T10:33:00Z
May 31, 2021
Access is provisioned based on a single L3 tunnel being established between the endpoint and the VPN device. If an attacker gains access to this session then all of the tunnel traffic is compromised. It needs to move to next-generation style access, provisioning such as per-app VPN. The GUI interface for configuring the SSL VPN is not user-friendly and requires expertise. Devices are exposed over the internet and it can lead to a security threat. When a critical patch needs to be applied to the VPN, downtime is required for the entire NGFW. This can impact the business when it has a single security gateway. This product cannot manage sudden user growth, as each security gateway has limitations in terms of performance and throughput. The fully-featured security module is only supported on Windows and Mac systems, which means that organizations with Linux will face issues providing secure access. Specifically, modules such as Threat prevention, Access control, and Incident analysis are supported only on Windows and Mac.
ICT at a manufacturing company with 501-1,000 employees
Real User
2021-05-31T06:33:00Z
May 31, 2021
I would like to have the ability to specify different policies in a simple and quick way, depending on whether I am using the secure remote client or the SSL VPN. It would be very useful to be able to apply different policies depending on the authentication method. For example, an 801x authentication can have different native permissions from those who enter the username and password. In an environment with multiple cluster checkpoints, the global properties common to all clusters in some cases give problems.
* The Compliance software blade is available only for the Windows operating systems family, so no macOS security checks are implemented and performed. This is valid for at least software version E82.30, which we currently use. * In addition, there is no full client of the Check Point Remote Access VPN available for the Linux operating systems families. That is important since some of our administrators prefer to use this OS even on their home PCs. We hope that Check Point would develop a client for Linux in the future.
IT Tech Security Management at a logistics company with 1,001-5,000 employees
Real User
2019-11-26T05:43:00Z
Nov 26, 2019
I cannot see the full effect of the antibot solution because it relies on having access to the DNS queries, which might not go through the Check Point firewall when you're using it for perimeter networks. In this case, Check Point will not identify the actual source of the DNS queries associated with antibot activity. This may be related to the customer architecture, however, and not due to product limitation. I don't know if it can be improved on the Check Point side or not. The solution should allow for the automatic identification of destinations. We have a URL qualification on the on-premises deployment model; this should also be the case on the cloud. The automatic classification should be done by the cloud team instead of having to specify or subscribe to an RSS for the information, we should be able to have an object that represents such cloud services. It's possible that Check Point already allows for this, but if they don't, they should.
The solution should include the ability to integrate the equipment's functionality with others. For example, we would like Check Point to be able to integrate easily to the public key infrastructure. According to Check Point, there is no use case for this right now. The interface itself needs improvement. When you need to create something, you have to go through a lot of steps. It needs to be simplified.
Remote secure access VPN is a solution that provides users with remote access to an organization’s network. The host may have VPN client software loaded or use a web-based client. The solution leverages security features like multi-factor authentication, endpoint scanning, and encryption of all data in motion.
Check Point Remote Access VPN provides individuals with protected and efficient access to a company network from anywhere. This strategy fosters collaboration and connectivity between...
The product needs to improve its support.
The knowledge base can be improved for advanced troubleshooting. For new users, configurations might be complex. This can be also improved.
The scalability needs improvement.
The product’s architecture is a bit distributed. It should consolidate the architecture to make everything available on a single dashboard.
The client-side UI is fundamental, and there is nothing to see.
It's becoming old-fashioned and slightly out of date. We're moving towards DNS. We have noted some stability issues.
I think Check Point Remote Access VPN is good enough to suffice our needs. At present, I don't have any complaints about the tool.
A characteristic to improve is the communication service under the SMTP scheme. In some cases, it is quite complex when it comes to managing, configuring, forwarding, and integrating mail services. It consumes a lot of processing and RAM memory. We want a solution that allows us to use current resources so that high processing peaks demanded by the virtual or physical equipment do not occur.
Sometimes it may mislead the user based on the requested location due to poor networking. Most features have capable performance that responds quickly to user requests. The cost of maintenance is high compared to most products in the market. Integrations with some applications are difficult due to poor compatibility tools. The development team should focus more on updates and integration features. I am impressed by the current performance despite the few challenges. The overall performance has been excellent, and I recommend it to others.
The solution needs: Advanced monitoring and reporting capabilities in order to have a more detailed visibility into security incidents and events. It's important to note that the areas of improvement and additional features will vary depending on the specific use case and the organization's security needs, so it is recommended to contact the vendor to know more details about their roadmap and the next releases of the product. Improved scalability to allow the solution to handle larger numbers of users and devices without a significant impact on performance.
We started with 50 users, but our numbers are increasing. Now it's difficult for us to maintain a steady internet connection and remote access, so we want to upgrade. We are considering a switch to FortiGate. I think they may have better service than Check Point offers. Scalability is where we're having problems now. Generally, Check Point has been working fine, but we need something that can accommodate many users and provide a steadier internet connection. Our remote users need to access the VPN without any issues. Of course, this could also have something to do with our internet connection at the organization. We've been using Check Point to manage sites we need to block. It gives us the option to totally disable things, but it does not let the administrator create exceptions to allow specific users to access certain websites. Check Point could enable the administrator to permit users to access particular sites. I think the VPN we're using may have exceeded its lifespan. For example, if you check Instagram on Check Point, you might not even see it showing up, and it's difficult to restrict access to specific applications.
They need to verify the latency in the GUI. They may need to rearrange or adjust the administrative part of the application. They must improve the documentation part of the tool since it is difficult to find relevant information. They must improve the technical support to reduce the time of resolution of cases. We have had to escalate cases that are not resolved in the priority that they were opened, resulting in operational problems.
We'd like to integrate Check Point into the Remote Access VPN solution and have the ability to integrate multiple devices as access points through the solution. This would allow us to have a tool that is not only remote access for mobile devices but a remote access solution for virtual teams, including mobile devices such as cell phones, tablets, and other types of devices in IoT areas such as doors, houses, and medical equipment.
In the future, if this service could be installed in a faster and simpler way (rather than having it directly connected to the appliances), that would be ideal. Today, many of the solutions are not what was needed when we had perimeter security. It would be good to have Remote Access VPN solutions for Check Point edge services.
I would like this service to be easier to manage when you integrate it with third parties. Although it is complex to configure, I cannot complain that it is complete and it is worth being able to use and integrate it. However, any administrator would welcome any changes that made configuration simpler. We would like the ability to perform remote access with the VPN in the future with any type of device. Lately, Android applications tend to have more errors. I hope that this will be solved in the future.
If you are new to deploying the solution, the initial setup might be difficult the first time around. I had trouble setting the policies and then resetting the device.
The VPN Remote Access blade could be improved. Licensing is extremely expensive per user and more so for large companies where the number of users directly impacts the cost. The documentation for good practices and specific configurations is somewhat old, generally for versions before R80, which is why it is sometimes more challenging to understand them or be able to implement them. Also, at the support level, response times can be improved, as the technical level for this type of tool is very good.
Sometimes we have some small problems with Check Point Remote Access VPN. For example, problems with authentication.
We are still in the learning phase as of now, and there seem to be more and more feature upgrades in the standard version of the application. They're providing updated features in the application with complete compliance assurance - which is really awesome - and we need specific customizations to make it a perfect fit for our business environment. This is a new and emerging area and requires a lot of customization and flexible features to suit the business requirements. Price category and smooth renewal of agreement should be considered for flawless and quick onboarding of clients and partners.
The license is included with gw licensing, however, in terms of the number of users that can be activated for use. In our case, we quote additional licensing and it is quite expensive for remote VPN; other manufacturers are not so expensive. The support provided is slow, in addition to the fact that the service hours are contrary to ours, which generates slower problem solving. I think it is important to improve this area.
It's difficult to configure on Linux workstations as Check Point Remote VPN clients support only Windows and Mac devices. The configuration of a VPN requires a distinct VPN Tab. Once the VPN blade has been activated, we need to make some configurations in the gateway option settings and others in the VPN communities section. It would be preferable if these two things came together in one place. Apart from this, it operates flawlessly. To improve our IT Services, we poll our users. The majority of people say how excellent the remote access VPN service is. Additionally, they stated that once connected to a VPN service, they never experience connectivity problems.
In my organization, there aren't Linux users; however, I know it has difficulties offering secure access for customers who use this operating system. Also, this product has limitations with headcount addition, as there are performance limitations in each security gateway the software has. The ability to allow split-tunneling while still following our corporate policy should be offered. Some things like the compliance aspect of the VPN Client can be updated so the product stays up to speed with the ever-changing environment in software security.
One of the parts where the improvement of Check Point Remote Access VPN can be forced is in the compliance analysis. Sometimes it causes the consumption of machine resources, and also improves the scanning since they consume many resources in the clients' machines. Another point to improve is to program a timeout if the VPN is disconnected due to an internet problem. One complication that we found is that the Linux machines do not have a complete client to do the installation and that has not delayed a bit with our users who use this type of operating system.
That the level of Remote access VPN was higher by default as other brands do it that way. In the case of Check Point, they are not like that. The maximum it is giving us is only 5 licenses and if you need more, they must be purchased separately. From my perspective, it should be added to the same cost as the general license, and that well explained makes the product more attractive. Many organizations would have this need, as many are moving off-premise. We have great executives and entire corporate teams that perform work tasks from home.
Endpoint Security on Demand, or Compliance Check, is a good feature. It allows the creation of compliance policies and adds more security to the network. Machines will be scanned once they connect to VPN to make sure all of them are compliant. Conditions to configure compliance checks are Windows security (hotfixes, patches), Anti-Spyware, Anti-Virus software, personal firewall, or Custom (application, files, registry). These are not enough in a complicated environment. Almost all of them are supported for Windows machines; however, there are just limited conditions for non-Windows. In fact, using mobile devices on Android, iOS, macOS, and Linux is very popular. Compliance Check on Check Point should be improved by having more configurable conditions to support multi-platforms and adding more granularity. Besides, compliance scanning sometimes consumes machine resources. I also suggest that scanning operations consume fewer resources and increase speed.
Check Point Remote Access VPN could be more user-friendly.
It needs to improve the capability of the Secure browser VPN connections. Some in-house applications didn't work due to the use of JScript and the backend and front end technology for the applications. In the case of URL translation of the VPN Web portal, the requests made from the front end to the back end weren't valid (due to the use of dynamic subdomains). In the case of host translations, the request was made to the same host, however, we cannot specify the ports, which, in our case, are used to redirect to different servers.
The Linux version may have an app (similar to Windows) instead of a shell script. We have seen that in Windows and Apple systems the app is running on the system tray, whereas in Linux we have to keep the Linux Terminal Window open, otherwise the connection drops. Sometimes, we have noticed that, owing to the installation of various antivirus and the running of inbuilt firewalls (applicable to all operating systems), the connection for VPN sporadically drops and tries to reconnect. When this happens, we have to manually either disable the firewall/antivirus or reconnect the VPN again.
The ability to allow split-tunneling while still following our corporate policy needs to be on the table. Right now, in order to allow the same policy to apply, the users' traffic must be routed up to our NGFW before going out to the internet. Having a method to apply the same policy to the client for outbound traffic while connected to the VPN would be huge. Some things like the compliance aspect of the VPN Client can be updated to bring it a little more modern. It's very useful for checking things like Windows Updates levels before connecting, however, it could use a facelift since it's still quite old-looking.
We have not migrated to the R81 version and I do not doubt that it will have some improvements compared to the version we use today. Without a doubt and with the new trends in technology, Check Point should already have a blade with a 2MFA solution and not through some other vendor. This type of integration would undoubtedly give it a better reach and greater market with new security trends top of mind. I know that everything is moving to a cloud environment, however, for all those corporates that still do not trust such an environment, it would be favorable to offer a 2MFA service in a solution tested through a blade or in the cloud.
This is the best version we are using; however, if some changes can be made in the next release, I'd like to see adjustments to the time period and internet connectivity. For example, when my internet is not working properly, then the VPN disconnects all of a sudden and if I want to connect again, I need to do so with credentials and 2FA. In the next release, if the product could program in a hold time then disconnect the VPN due to the internet's fluctuation, that would be ideal as it would improve the way we can monitor our network visibility.
We would like to implement HTML5 (clientless access) in the product without installing any additional software. It would also be desirable to be able to segregate the different authentication methods by domain user group. Unfortunately at the moment, the division is only between domain and non-domain users. What we also miss is control over the workstations for non-domain PCs that the client is installed on. It would be nice if we could block such connections based on, for example, the machine name or connection ID.
The authentication that we handle is through a .p12 certificate, however, we have integrated it with a 2MFA service through another provider. Something that could improve Check Point is if it had its own 2MFA service through a blade or some sort of application. We'd be able to give a better experience to companies that already have a contract or Check Point services that deal with a work-from-home environment, giving greater scope and coverage from a single centralized dashboard.
The non-standard setup is quite complex as you have to make changes via GUI and CLI. Luckily, Check Point knowledgebase articles help you; however, there are so many resources you have to go through. The Client VPN licenses are for concurrent users and there is currently no way to prioritize certain users over others. There is no possibility to increase the number of concurrent users for a short time (except if you have unlimited concurrent users licensed). This could help during emergency situations where there are more client VPN users than anticipated.
Check Point RA VPN requires companies to take separate licenses initially so that only 5 connected users licenses are given as subscriptions. Most other competitors, like Palo Alto, provide 1000 connected user licenses for free. Some configurations, like idle timeout (the requirement came from multiple users), are not possible to configure directly from the Check Point management server. We have to make changes in the local directory of the respective devices.
A saving password option might save time for continuous disconnection to the server due to internet fluctuation problems. They need to increase their timeout. Right now, it will fail after ten seconds, however, it shouldn't fail until after 20 seconds. If you don't get on your phone right away and check on your authentications, it will kick you out. In an environment with multiple cluster checkpoints, the global properties common to all clusters in some cases give problems. The interface needs improvement. When you need to create something, you have to go through a lot of steps. It needs to be simplified.
The main problem with Check Point is that some configuration can be done with the smart console in GUI; however, some others need to connect to the firewall via the CLI on SSH and therefore you will need to modify the local file on the firewall with VI. ASA is so easy to reserve some static IPs based on users; however, in Check Point, it is really difficult to do so. In addition, you can't reserve as static some IP that you are assigned dynamically to a local pool. You have no ability to reserve a total number of licenses. The VPN user licenses are assigned per gateway, and if you enable the MEP function, it is not so easy to size the gateway licenses. The configurations that you do to modify local files are not reflected in the GUI via the smart console.
We don't have any specific complaints. We are very happy with the Windows client. You log in with the VPN for the full client, you do the log in right from the software itself. For Linux machines, they don't have a full client to install. For the users that utilize Linux, there needs to be an equivalent. The documentation of the software needs to be more accessible. If an end-user wants to have access to customized training from the company, that should be able to be built-in. I would add that feature.
There needs to be a way to create a VPN client specific to our environment so that we can easily lock down who can connect. The VPN client install should be specific to our environment. Our service desk does get some complaints about users not being able to connect. Sometimes it's because the VPN client has updated and they've lost their connection settings and don't have a record of the connection settings themselves. Other times, the VPN client needs to be reinstalled or upgraded to allow them to connect.
With this particular client VPN, there needs to be a feature that can glance at your credentials, of being able to look at credentials. You might hang for a bit or the execution might fail. It would be useful to see your credentials before you connect to take note to see if you are likely to have trouble connecting. They need to increase their timeout. Right now, it will fail after ten seconds, however, it shouldn't fail until after 20. If you don't get on your phone right away and check on your authentications, it will kick you out. They need to give a bit more time.
Despite being very intuitive, the interface needs improvements. When you need to create something, you have to follow many steps and I think that should be simplified.
Access is provisioned based on a single L3 tunnel being established between the endpoint and the VPN device. If an attacker gains access to this session then all of the tunnel traffic is compromised. It needs to move to next-generation style access provisioning, such as per-app VPN. The GUI interface for configuring the SSL VPN is not user-friendly and requires expertise. Devices are exposed over the internet and it can lead to a security threat. When a critical patch needs to be applied to the VPN, downtime is required for the entire NGFW. This can impact the business when it has a single security gateway. This product cannot manage sudden user growth, as each security gateway has limitations in terms of performance and throughput. The fully-featured security module is only supported on Windows and Mac systems, which means that organizations with Linux will face issues providing secure access. Specifically, modules such as Threat prevention, Access control, and Incident analysis are supported only on Windows and Mac.
I would like to have the ability to specify different policies in a simple and quick way, depending on whether I am using the secure remote client or the SSL VPN. It would be very useful to be able to apply different policies depending on the authentication method. For example, an 801x authentication can have different native permissions from those who enter the username and password. In an environment with multiple cluster checkpoints, the global properties common to all clusters in some cases give problems.
* The Compliance software blade is available only for the Windows operating systems family, so no macOS security checks are implemented and performed. This is valid for at least software version E82.30, which we currently use.
* In addition, there is no full client of the Check Point Remote Access VPN available for the Linux operating systems families. That is important since some of our administrators prefer to use this OS even on their home PCs. We hope that Check Point would develop a client for Linux in the future.
There is always room for innovation and the addition of new features.
I cannot see the full effect of the antibot solution because it relies on having access to the DNS queries, which might not go through the Check Point firewall when you're using it for perimeter networks. In this case Check Point will not identify the actual source of the DNS queries associated with antibot activity. This may be related to the customer architecture, however, and not due to product limitation. I don't know if it can be improved on the Check Point side or not. The solution should allow for the automatic identification of destinations. We have a URL qualification on the on-premises deployment model; this should also be the case on the cloud. The automatic classification should be done by the cloud team instead of having to specify or subscribe to an RSS for the information; we should be able to have an object that represents such cloud services. It's possible that Check Point already allows for this, but if they don't they should.
The solution should include the ability to integrate the equipment's functionality with others. For example, we would like Check Point to be able to integrate easily with the public key infrastructure. According to Check Point, there is no use case for this right now. The interface itself needs improvement. When you need to create something, you have to go through a lot of steps. It needs to be simplified.