Our company works in the area of developing and delivering online gambling platforms. The Check Point Next-Generation Firewalls are the core security solution we use for the protection of our DataCenter environment located in Asia (Taiwan). The environment has about ~50 physical servers as virtualization hosts, and we have two HA Clusters consist of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. The Application Control software blade is one of the numerous blades activated on the NGFWs and serves for the security improvement in the application detection, categorization, and filtration.
The overall security of the environment has been greatly improved by the Check Point NGFWs. Before implementing the Check Point solutions, we relied on the Cisco ACLs and Zone-Based firewalls configured on the switches and routers, which in fact a simple stateful firewall, and currently appear to be not an efficient solution for protecting from the advanced threats. The Check Point Application control-blade significantly increased the security level from the standpoint of application visibility and filtration. The blade was easy to enable and configure, and we don't see any performance penalty after the activation of it.
1. The built-in database of the applications, software and the protocols is just amazing - there are more than 8 thousands available just after the blade application. In comparison, the Cisco Network-Based Application Recognition (NBAR) available on the routers provides like 200 applications.
2. The application are categorized into group based on the purpose, like messengers, databases, games etc., and such group objects may be directly use in the Security Policies for the NGFWs.
3. It it really simple to add new custom application definitions and groups if you need so (we use such an option for our own developed software on non-standard ports).
4. The visibility is just great. For any security event of the Application Control blade there is a relevant log entry with all the application details (but don't forget to enable logging for the security rule in the Policy).
I think that the pricing for the Check Point products should be reconsidered - we found it to be quite expensive to purchase and to maintain (the licenses and the support services need to be prolonged regularly), or create some additional bundles of the software blades with significant discounts in addition to the current Next Generation Threat Prevention & SandBlast (NGTX) and Next Generation Threat Prevention (NGTP) offers.
We also had several support cases opened for software issues, but none of them were connected with the Application Control blade.
We have been using the Check Point Application Control for about three years, starting in late 2017.
The Application Control software blade is stable.
The Application Control software blade scales well with the gateways we use, since it doesn't affect the overall performance much after activation.
We have had several support cases opened, but none of them were connected with the Application Control software blade. Some of the issue were resolved by installing the latest recommended JumoHotfix, some required additional configuration on OS kernel level. The longest issue took about one month to be resolved, which we consider too long.
We used the ACLs and Zone-Based firewalls with NBAR on the Cisco switches, routers, and found that this approach doesn't provide sufficient security protection against the modern advanced threats.
The setup was straightforward. The configuration was easy and understandable - we relied heavily on the built-in objects and groups.
In-house team - we have a Check Point Certified engineer working in the engineering team.
Choosing the correct set of the licenses is essential - without the additional software blade licenses purchased the Check Point gateways are just stateful firewall.
We didn't evaluate other vendors or solutions.