Head of IT Department at AS Attīstības finanšu institūcija Altum
Real User
Top 5
2024-08-09T08:06:06Z
Aug 9, 2024
The cost is a little bit high-end, and you need to get precise performance metrics in order to get the correct size. Improvements are required in both areas of the tool.
Check Point offers three types of support: Gold, Platinum, and Diamond. The level of support you receive should be based on the criticality of the issue, not solely on your client's support tier. While there are established support levels, I have experienced instances where the support provided was not categorized as Gold, Platinum, or Diamond but rather a standard support level. In such cases, the response times were slower, and getting support personnel on the call was more difficult.
The configuration could be optimized. The usability could improve. They need to make the guides more specific with images, as it is very complicated to guess where each option is located. The management of alerts could improve a bit - especially in event management. In terms of performance, at some point, I have come to feel that it drops during certain hours. Some additional features that can be added may be the use of Artificial Intelligence (AI) and Machine Learning (ML).
We have found a need for the application to be a bit more elastic, bringing it to SAS services and not IAS. We need to understand where to find edge analytics in Edge. Right now, it's a bit sparse and not available for some of the products that we have in the services suite. I'd like to see it integrate with more third-party services so that we would have the ability to be an edge service and have high emulation in functionality.
Cloud Engineer at IT Quest Solutions|interglobalmsp
User
Top 5
2023-01-04T14:05:00Z
Jan 4, 2023
The Check Point SandBlast Network, like any technological tool, must apply some changes. The tool has a high cost and is not accessible to all types of markets. They must also change the type of integration with the cloud in the part of the SIEM that is not necessary to use. In the administrative part, they must improve the database of the guides since they are not all in one place and often are not updated. They must also improve the technical support they provide. Sometimes the response time is not ideal.
Updated: December 2024.
We do take advantage of the year we get for free from Check Point. In the future, this solution can be added under licensing for consumption per user. Today, we have it as part of a solution or a package. However, we'd like there to be a way where we can have the solution's features available to us in a cheaper way in the future.
We would like to see this solution reach mobile devices more efficiently, through apps or more specific products. For the moment, the solution adapts efficiently to corporate environments as technological demands evolve. It is for this same reason that I hope that these innovations will be integrated into SandBlast and in other Check Point products, as it is one of the best that I have tried. It offers us a competitive advantage and efficient security.
The Check Point SandBlast Network solution also needs some improvements that can be expected in the future. For example, the cost, which for some customers is high. Also, on the subject of the guides, they are difficult to find, or they are not clear when it comes to carrying out implementations, generating best practices, or some other details. They are difficult to understand. At the support level, they could improve the attention times and have the resolution of cases happen a little faster. Sometimes it takes a long time to send emails and tests instead of generating sessions or calls with the client to solve everything quickly.
There is a limit on the number of files that can be scanned in real-time, which could lead to us being found with our guard down on a high-traffic day. We knew that from the beginning, so there is more than one device integrated. Not all file types are scanned, so we had to limit the type of files that could be shared. We've detected slower performance in older equipment, sometimes forcing the replacement of it since we can't proactively downgrade the security standards on an endpoint for better performance, knowing this causes a threat to the organization.
When you have to scan emails that come with attachments, it takes a long time to examine them, which causes other emails not to be scanned, which can cause some danger to our organization. Another problem is that it makes some PCs with minimum characteristics slow, causing slowness in computers where we have to invest in PCs to increase their performance or change them. Another point to improve is the support, since they do not give an effective and fast solution to the clients when they have problems with any tool or feature.
Cloud Support at a tech company with 51-200 employees
User
2022-06-20T00:17:00Z
Jun 20, 2022
We use the Infinity Portal of Check Point to manage our services through smart cloud to manage our gateway and our SandBlast blade; however, sometimes the service has performance problems, which generates some delays in administration. It would be very good for Check Point to improve its support. They can improve a lot in providing more effective and faster solutions and sessions with customers to validate the problems that are usually generated. For the rest, Check Point does not have so many problems to improve.
Deputy Manager of IT Security Infrastructure at Türkiye İş Bankası
User
2021-10-05T19:33:00Z
Oct 5, 2021
EDR and EPM solutions like Carbon Black or CyberArk have integrations with the cloud version of SandBlast; however, there must be on-premise SandBlast options also (due to the fact that there are regulations for cloud usage restrictions in some countries). Also, some of the military standards might force you to not send a whole file to the cloud for examination. The Threat Extraction part has very good capabilities to remove all executables from a document, and, if the user wants to download the original file, it gives a link for it. This page needs more customization options, or files could be stored on a third-party device and could be shared by a third-party product.
Senior Manager at a financial services firm with 10,001+ employees
Real User
2021-05-29T09:40:00Z
May 29, 2021
The file types that can be scanned are limited, which means that if the file type is not listed or enabled for the sandbox, they are bypassed and it can lead to a security issue. The maximum number of files that can be scanned by the higher sandbox appliance (TE200X) on-premises is 5K per hour. Hence, a bigger organization needs to have multiple devices along with integration between them. Enabling a module on the same NGFW firewall impacts performance, which adds delay/latency. Encrypted and password-protected files are not getting detected, and are bypassed. Exceptions are for files that have a dictionary-based password. Currently, this solution is supported only for Windows and Linux for Threat Emulation/Extraction.
CTO at a computer software company with 11-50 employees
Real User
2021-05-05T19:03:00Z
May 5, 2021
We have noticed a slight performance hit when the Threat Emulation and Extraction features were enabled, but the protection trade-off is worth it for us. If the performance could be improved in the next release, that would be beneficial. We have had a few instances where the firewall has seemed to stop checking for updates and gets behind on the updates, forcing us to go in and manually check for and install updates. Maybe there is something going on here that could be improved even though it is not specific to the SandBlast feature.
Technology consultant at a tech services company with 501-1,000 employees
Real User
2021-03-25T07:58:00Z
Mar 25, 2021
In Check Point SandBlast, improvement has to be made with respect to the GUI. The problem we face is due to log queue files, which were being delivered with a delay. All details should be provided on the smart dashboard and made easier to use. For example, it should display what file it is currently emulating, how many files are currently in the queue, and how much time each file is taking. There should be an option to flush the queue in case of any issues. Similarly, we should be able to remove particular files from the queue on demand. Also, policy creation can be more simplified or we can say more specific to particular traffic.
In our setup we don't use any SandBlast Physical or Virtual Threat Emulation Appliances, so all the sandboxing is performed on the hardware Check Point NGFWs. The Threat Emulation software blade significantly affects the performance of the NGFWs; we have a significant increase in the CPU and memory consumption. In addition, some of the end-users complain that it takes too long to transfer the files to the servers in the data center since the Threat Emulation adds delays to the transfer used for the emulation. I hope these issues will be fixed in the next release.
I would like it if it could emulate bigger files and somehow improve this usability. I don't know if this would be possible. However, if it was able to scan or emulate bigger files, then it would be safer for a company using it.
I think Check Point provides the standard time which ideally most other vendors take to identify behaviors of a file by sending them into a sandbox environment for inspection. Apart from policy creation and the number of supported files, which is also the same as other vendors in the industry, so probably, as per me, there is no need to improve other things except if they want to make something different than making sure on-prem devices support almost all types of file inspection, so even customers who don't have Check Point firewalls can buy a Check Point on-prem device for sandbox technology.
Technology consultant at a tech services company with 501-1,000 employees
Real User
2020-07-29T10:51:00Z
Jul 29, 2020
Firstly, performance: in our case, many emails were queued for scanning daily, and among those, 30% of emails were getting skipped, meaning delivered without scanning. Sometimes the queue was so large that we needed to flush or dump emails. Many important controls are only available in the CLI and are very, very complicated. All tecli command features should be available in the GUI so that it will become easy for normal users to monitor and control the queue. Threat Emulation device HA configuration is also CLI-based. Monitoring queues and related operations is very complex, as it needs to be checked on the CLI.
Check Point’s evasion-resistant technology maximizes zero-day protection without compromising business productivity. For the first time, businesses can reduce the risk of unknown attacks by implementing a prevent-first approach.
There should be some improvement in the solution's stability and scalability.
Check Point SandBlast Network can improve the integration with third-party vendors, such as EDR or CRM products. For example, IBM Curator.