Check Point CloudGuard Network Security Reviews

As we are moving our workloads to the cloud, it means that we now have a need to protect our cloud infrastructure. This will ensure that our business is deploying products faster and with all of the required security.

Our solution needs to be able to protect workloads hosted on multiple clouds with the required security control. The license should be a subscription-based model so that we can add or remove depending upon the requirement to scale.

It needs to support a microservice platform such as Docker or another container, and it should be quick to deploy.

This solution gives us advanced threat prevention to protect our workloads from attacks including zero-day and other types of attacks.

It is able to provide cloud network security along with orchestration and automation. It also provides consolidated, consistent visibility and management across all clouds including public, private, and hybrid environments.

This product is quick to deploy, scalable, and is a fully functional firewall available in the cloud. We were able to scale as required based on load and performance. With Covid-19, our users, including our Customer Center agents, are completely remote and rely on Check Point Cloud Guard to provide flexibility and seamless access. 

We have the ability to easily encrypt/decrypt traffic according to the security policy, as well as integrate between Active Directory, Cloud Guard Azure objects & application control.

It provides micro-segmentation functionality through complete visibility and control of traffic following between EAST-WEST and North-SOUTH with VPC and Outside VPC.

We are using multiple security features including the firewall, DLP, IPS, application control, IPsec VPN, Antivirus, and Anti-Bot. SandBlast provides Threat Extraction and Threat Emulation for zero-day attacks.

SSL/TLS traffic inspection features are used for advanced threat prevention against secure SSL traffic.

Unified Security Management provides security policy management, enforcement, and reporting for public, private, hybrid-clouds, and on-premises networks in a single-pane-of-glass.

Seamless cloud-native integration with Azure, AWS, GCP, Oracle Cloud, and more.

System hardening could be improved, as password complexity is not enforced by default on root / command-line passwords.

The documentation provided by Check Point can be rough and needs to have a lot more detail incorporated in order to help the implementor and administrator.

The HA failover time is not as fast as expected and due to this, the convergence time between cluster members is still not perfect. Consequently, there may be an issue in migrating the mission-critical business applications. 

Micro-Segmentation functionality for EAST-WEST traffic is not native and requires integration with a third-party OEM.

We are performing a PoC with the product. 

As with other Check Point products, this solution is scalable.

Support from OEM is excellent.

We have a different solution that works in silos and we are doing this PoC to check the functionality/features.

Integration and setting up the solution are straightforward.

We are performing our PoC with assistance from the OEM.

The cost is on the higher side, as it is based on workload, hence we need to decide which VPC or workload needs to be part of CloudGuard.

We did not evaluate other options.

The perimeter firewall provides me control over my perimeter servers and devices.

Current cloud applications are getting good protection from CASB solutions but they are limited to data leakage and application control. Beyond that, I require something to monitor my data that flows inside of my cloud application.

Sophisticated threats, such as zero-day attacks, can't be controlled by CASB solutions. Instead, they require something that can work using artificial intelligence. They should have a correlation with machine learning algorithms to defend against today's attacks for my cloud applications.

Sophisticated attacks can't be prevented using normal SaaS security. CloudGuard SaaS is a technology that prevents not only sophisticated attacks but offers protection email threats.

Most attacks that succeed are because of SPAM emails. When users fall into an attacker's trap, Check Point's industry-leading technology provides maximum protection. It is effective against email phishing attacks and provides visibility over shadow IT applications.

Along with an email security solution, CloudGuard adds another layer of comprehensive security and we can completely rely on it.

CloudGuard comes with the best feature sets that include protection from Zero-Day attacks, which we usually get when we have blades on the perimeter firewall. These are analyzed using SandBlast Threat Emulation and SandBlast Extraction.

We are able to easily identify users who are going to use cloud applications when they log in from either a trusted network or device.

We have complete visibility of attacks originating from email including spear-phishing, spoofing, etc.

Based on the reputation of the domain and URL, the firewall allows traffic to flow.

I would like this product to provide functionality like a web application firewall, where we can fully monitor all traffic passing both to and from the cloud.

The latency should be minimized by having multiple entry points all across the world. Nearby requests will have lower latency access to cloud applications.

It would be useful to have AD integration with an on-premises server.

The API integration is complex, which is an area that should be improved.

Onboarding this product takes some expertise because it is complex compared to other services that Check Point provides.

We have been using Check Point CloudGuard Network for more than a year.

Need to focus on stability.

This solution is highly scalable.

Technical support, along with presales engineers have good knowledge of the product.

We did not use another solution prior to this one.

The initial setup is a mixture of straightforward and complex.

We deployed vendor

Although I don't have specifics for pricing, based on my overall experience, I can conclude that Check Point provides the best pricing when comparing to other vendors.

We did not evaluate other products.

CloudGuard is cloud-native security that secures your public, private, or hybrid environment under a unified platform, which can also be automated. It comes with multiple installation availabilities such as Software-as-a-Service(SaaS), Platform-as-a-Service(PaaS), Infrastructure-as-a-Service(IaaS), and more.

This solution can be installed on leading Cloud Service Providers such as Amazon Web Services, Google Platform, and Microsoft Azure, as well as on other not-so-known CSPs such as OCI.

This is helpful for clients who always thought upgrading hardware in the DC or testing new versions to be difficult. Normally, they have trouble due to some issue at hand or maybe due to sizing, but now they have an easy way to test the solutions and they can be accessed securely from all around the globe. It provides features such as Auto Scaling to deal with unforeseen situations with minimal costs.

It is quite easy to construct and destruct and doesn't need anyone to actually step into a DC, which is good because sometimes this needs endless approvals.

The solution comes with Active Load balancing and policies that can be installed before the traffic hits the firewall module.

Auto Scaling is one of the features that make me want to choose CloudGuard over actual HW.

Cloud leaders such as Amazon, Google, and Microsoft also provide an uptime of 99.99%, which might not be possible in a privately owned DC. Multiple instances where a hardware issue was found and it took weeks to replace the hardware and bring services up can now be fixed within few minutes by utilizing the available resources over CSP.

You get charged only for what resources you choose and how much traffic actually passes through the firewall, which in turn saves a lot of money.

Easier optimization techniques can definitely help with better performance of the OS, as using the vanilla software doesn't actually showcase the real capability of the software.

While there is a lot of documentation available on Support Center to understand how the solution works, it can become quite confusing. Some free training videos by Check Point would really help the engineers who don't have full access due to restrictions/unseen reasons.

A step-by-step guide for leading CSPs would really help.

Auto Scaling should be given as an option during a first-time installation, as it would be really beneficial and some users might not be aware of it.

We have been using Check Point CloudGuard Network for more than three years, starting when it was still called vSEC.

I have worked with other products and find that this is the better solution when compared to other vendors in the market.

My advice is to use the trial and understand whether this is what you are really looking for.

We primarily use the solution when clients are for searching in the servers. We compare the solutions or servers that are available and we seek out new features for the new solutions for our customers. We're solution providers. This is one of the products we offer.

The solution, overall, has worked very well for our organization.

The reliability of the product is excellent.

The configuration capabilities are very good.

The initial setup is pretty easy.

The capability and the response, in terms of the time of response of the transactions, is very important for my customers. It's something they need to continuously work on to make it better.

The memory and hard disk capability could be strengthened.

The product should integrate next-generation firewall features such as anti-spam and anti-spoofing.

I've been using the solution for 20 years or so. It's been a long time.

While the stability is okay, the servers could use more RAM memory.

In general, the scalability is good. If a company needs to expand the solution, it should be able to do so.

We typically work with medium-sized organizations. In some of the companies, there are as many as 1,000 users.

Technical support has been good. We don't have any complaints so far. If a customer needs to reach out to them, they can do so.

The initial setup isn't too difficult. It's rather straightforward. A company should have too many issues getting it set up properly.

The deployment process is quick and easy. It takes maybe an hour or two. It's not a long time.

In my company, we have 20 people that manage the deployment and maintenance for our clients. You only really need two to manage everything.

Check Point has moderate pricing. It's not the most expensive, however, it's also not the cheapest. Typically, when clients are looking for a solution, it comes down to the price.

Typically, our clients will also look at Palo Alto as an option. However, typically, it is more expensive.

Clients may also look at Fortinet products, which are a bit less. Check Point tends to sit in between the two in terms of pricing.

We're solutions providers. We're partners with Check Point. We offer integrations and support. This is one of the products we offer to our clients.

We're using the latest version of the solution. The platform is R80.40. It's deployed on VMware's virtual environment.

I'd recommend the solution to other organizations. The likelihood of running into issues is low.

I'd rate the solution at a nine out of ten. We've largely been satisfied with the product.

We integrate this solution, and we also provide the maintenance of the device. We are using this solution for those sites that are kind of medium in size and require a more complex solution but don't have too much space for big equipment.

It is useful for us for checking services, instead of protocols, because we have some services that are very smart and can change ports. It is also useful for verifying the logs. SmartLog is very practical, and it is easy to identify stuff and make corrections.

The Capsule solution and application filters are the most valuable. 

It is pretty straightforward to implement, and it also has good stability and scalability. Their technical support is also really good.

This application can be more integrated with web application firewalls. Better integrations would provide more granularity, which would be helpful for focusing on the application itself and preventing attacks.

It would be good to include the cross-domain search. If you have multiple firewalls that are managed on the same platform and you want to check who is using some particular objects or where a specific ID is being used, it should provide an option for this kind of search instead of having to check one by one on each firewall.

I have been using this solution for more or less ten years.

It is pretty stable.

With the virtual assistant, its scalability is very good.

Their technical support is really good.

The initial setup is pretty easy. Where it is not that simple is the integration of different blades and the customization of rules, which are really dependent on the policies of a company. When we are dealing with a small company, it is easy, but when we are dealing with global corporations that have previously-defined policies and the integration with the profiles, it is a little bit more tricky and complex.

The deployment takes a couple of days, but when the deployment is more complex and requires assessments, it could take one or two weeks.

We are an integrator. The number of people that are required for the deployment and maintenance of this product depends on the organization. The deployment could be done by one or two people, but for the maintenance of the device, big companies require more people because they are establishing new connections with third parties and so on, which means that it requires many changes.

It is not expensive, but it is a little bit above the middle range. There are other solutions that are a little more expensive than this, but they also have some interesting features.

Our clients also evaluate Palo Alto and Cisco. Palo Alto, Check Point, and Cisco are the top solutions at the moment. In terms of performance, all three are pretty much the same, but it is much easier to check logs on the firewall in Check Point than Cisco or Palo Alto. Check Point is also quicker and more intuitive. Its view is also better than others.

I would recommend this solution. It is pretty straightforward to implement. It is easy, and it doesn't require too much time to make a clean implementation. I am not really sure about using it in a really small company. It depends on the budget.

I would rate Check Point Virtual Systems a nine out of ten.

We mainly used CloudGuard for IPS and IDS in our AWS environment, and we also used it for additional logging to see what was going in and out of our network in AWS. We have very limited visibility, especially when it comes to logging, and AWS does not support IPS and IDS as of now.

The way they implemented their auto-provisioning, where you just change a port or a security setting on AWS and it applies it automatically to all your firewalls, is good. You don't have to go into both of your firewalls, if you have redundancy like we did. You just need to change it on one of them in AWS, and that change applies to both of the firewalls. That saved us a lot of time. Usually, on physical firewalls, if you have to do that, you're going to have to either do command line, or if you don't want to do command line you have to do console and do multiple changes everywhere, from firewall rules to access rules. With Check Point, all you have to do is one change in the AWS console, and it will apply it within your firewall. Without that we would have had to do that in AWS, then go into the SmartConsole for Check Point.

I'm the only one who does security for both our on-prem and our cloud environments. Having Check Point there, I didn't really have to do much. It gave me peace of mind that it would do its job. I did check on it on a daily basis, just to make sure everything was okay and that there was no unwanted traffic during the day or during the night before. I didn't see anything unusual and if I did see something, it was one of those one-offs because another team was doing testing or something like that.

The IPS, IDS and logging were some of the features that I found useful. Also, the automation using AWS CloudFormation, the way we deployed it to our system, was very simple.

The comprehensiveness of CloudGuard's threat prevention security, looking at the logs, was really good. It would tell me if there was any unwanted traffic on our system, it would keep track of that. We checked it to make sure that everything was okay. It gave me the information that I needed to keep our network safe.

It's also pretty user-friendly. I've used multiple firewalls, both physical and virtual, and to me, Check Point is on top when it comes to ease of use and understanding the firewall installation. It's very very simple. And the way they implemented CloudFormation and the auto provisioning, is hands-down one of the best.

We did not use the AWS Transit Gateway, and that's one of the things that we're currently using. I believe we will be working with Check Point again, in the near future, to implement it, once they start having proper support for a single customer with multiple accounts. When we were using them, we had to install Check Point on each and every single account.

I believe they're working on a solution for that. I know they're utilizing Transit Gateway for it, and that is exactly what we're using right now. I'm excited for them to have that ready, and for us to put it in our system.

In general, cloud infrastructure or a cloud-based environment, is very fast when it comes to technology. Things get developed right away. Check Point just needs to adapt to those changes quicker.

We used Check Point CloudGuard IaaS for over two years. We stopped using it about six to eight months ago. Our environment basically expanded to such a large scale that it wasn't feasible for us to use CloudGuard in our multiple-account production environment.

We are definitely planning on redeploying CloudGuard at some point because we always need IPS and IDS and better logging. AWS only has two or three companies that do IPS/IDS. We definitely need those kinds of protection and Check Point, in my opinion, is one of the best so I still want to put it in place. But their solution doesn't really match our requirements. That's the only reason we moved away from Check Point.

Its stability was really good.

They do implement Auto Scaling and that was one of the requirements that I asked them about. One of their southbound firewalls did not have Auto Scaling at that time, so that's why I requested it.

The scalability is very good; again, very user-friendly. I wouldn't even say "user-friendly" because, as long as you deploy it properly, you can kill an EC2 and it will spin up another one right away, within about a minute and a half. And it will be ready for production right away.

Our production environment never decreased, it only increased. Our presence in AWS quadrupled over the time that we used CloudGuard. I'm managing about 32 accounts that, obviously, need protection. Once they implement that particular solution, we'll be very happy to have them integrated within our environment.

The number of users of CloudGuard, because we had deployed it in our production environment, was as many customers as we had. All traffic went through CloudGuard.

I never dealt with tech support. I dealt more with our account manager. We never had issues with Check Point, so I never had a chance to talk to their support.

We were using native AWS protection.

The initial deployment wasn't too complicated because they had CloudFormation. The only thing that I had issues with was having to integrate that within our company's requirements. Our needs kept changing because we were new to AWS. But that was not an issue with Check Point. And once the requirements within the company had been solidified, we deployed the solution to four or five environments in our AWS and it was fine throughout. We even did their second version of CloudGuard, and again, it was easy.

It's pretty straightforward. It's literally just a matter of selecting the right version of Check Point, your VPC, your management, your password, and that's pretty much it. It's pretty simple.

With the way AWS does things, our deployment took about half a day. And that was mainly because there were dependencies on CloudFormation, where it would wait for a task to finish, and AWS depends on the region that you're in. If you pick a very busy region, then it takes longer than usual. So half a day is giving it padding, in terms of time.

Once it was up and running, it required just me for maintenance.

I was the only one from our organization involved with the deployment.

In the initial installation, the first time, I was working with a Check Point engineer, because we were new to AWS and the Check Point integration with AWS. We came from Azure. We needed somebody just to make sure that we were doing the right thing. But after that, we never needed Check Point support. They would check in on us, just to make sure everything was good.

The engineer was really good. He was there to walk us through and to make sure we understood every piece of the deployment. After that, I put together some documentation based on our needs. From then on, future deployment was fairly simple.

The ROI is in the number of people managing it. Technically, you don't need to manage it. If you have an on-prem, you constantly need to manage the firewall. You need to make sure everything is okay, when it comes to hardware, software, and managing the actual firewall. With CloudGuard on the cloud, we eliminated two of the three. We didn't need to care about the hardware or about the software upgrades. If we did need to upgrade, it was just with respect to CloudFormation. We didn't need to do any firmware. The only thing we needed to do was manage an interface, which is what you're going to do anyway. 

You only need just one person to do it. When it comes to return on investment, you don't need to hire a full team to manage your whole network. If you have a firewall team, with Check Point CloudGuard, you don't need it anymore. It's just a single person because, if a Check Point goes down, it gets spun up right away. You don't need to call anybody or order hardware or anything like that.

Pricing of CloudGuard is pretty fair when you have a single account. It's comparable with other cloud providers. But for our use case, it got really pricey when we had to deploy multiple CloudGuards on multiple accounts in different regions, because you can't have CloudGuard protecting multiple regions. That's the big thing.

Before picking Check Point, I checked Cisco, Fortinet, and Palo Alto. At that moment, when we were doing a PoC, Check Point was ahead of them when it comes to implementation, deployment, and ease of use.

Deployment was the big thing for us because we knew that we were going to be deploying this multiple times. We wanted redundancy, and ease of use and deployment. Check Point nailed those top-three requirements, so it was the clear choice for us. The others didn't have the robust capabilities of Check Point or CloudGuard, to do the things that we wanted. Those included ease of deployment using CloudFormation, scalability using Auto Scaling and the auto-provisioning within CloudGuard.

My advice: Get it. It's a great product. It's a great solution.

In terms of CloudGuard's block rate, malware prevention rate, and exploit resistance rate, we didn't really do much testing when it comes to those types of scenarios. But I've used Check Point as a physical firewall before, and it was great. It detected threats and gave me an alert as soon as it detected them. It was really good.

We use CloudGuard IaaS for cloud security in AWS, and it serves all kinds of purposes for us. It could be internal segmentation between on-prem or between application VPCs, and it can also help us to provide perimeter security for those parts of the network that require internet access.

Our company has a very dynamic IT landscape, and the demand to go live is very high. That means we have to deliver connectivity in very short time frames, and we can do that using CloudGuard IaaS. Once we have figured out a working template for connectivity, it becomes our standard, and we can run connectivity for new applications within a day or two, and sometimes it might only take hours. In the past this would take a much longer time. We also now have much better control over the sizing of the firewalls, which gives us a lot of flexibility in our planning.

In addition, we use an existing on-premise appliance, which is a multi-domain security server. The use of CloudGuard's Unified Security Management was an easy part of our integration. We didn't need to make a lot of effort to incorporate the new firewalls. We just needed to apply some existing policies to the new firewall. We didn't have to develop something from scratch. We just used our existing infrastructure and existing policies, and it was the easiest part of the deployment. And the use of the Unified Security Management has definitely freed up security engineers to perform more important tasks.

The features of the solution which I have found most valuable are its flexibility and agility. It's a fully scalable solution, from our perspective. We can define scaling groups and, based on the load, it will create new instances. It's truly a product which is oriented toward the cloud mindset, cloud agility, and this is a great feature.

Check Point is a known leader in the area of block rate, so I don't have any complaints about it. It's working as expected. And similarly for malware prevention. When it comes to exploit resistance rate, it's excellent. I haven't seen any Zero-day vulnerabilities found in Check Point products in a very long time, which is not the case with other vendors.

The false positive rate is at an acceptable level. No one would expect a solution to be 100 percent free of false positives. It's obvious that we need to do some manual tuning. But for our specific environment and for our specific traffic, we don't see a lot of false positives.

Overall, the comprehensiveness of the solution's threat prevention security is great. It was changed in our "80." version and I know that Check Point put a lot of effort into threat prevention specifically, as a suite of products. They are trying to make it as simple as it can be. I have been working with Check Point for a long time, and in the past it was much more complicated for an average user, without advanced knowledge. Today it's more and more user-friendly. Check Point itself has started to offer managed services for transformation configuration. So if you don't have enough knowledge to do it yourself, you can rely on Check Point. It's a really great service.

Check Point recently released a feature which recognizes that many companies are going with the MITRE ATT&CK model of incident handling, and it has started to tailor its services to provide incident-related information in that format. It is easier for cyber security defense teams to analyze security incidents, based on the information that Check Point provides. It's great that this vendor looks for feedback from the industry and tries to make the lives of security professionals easier.

I highly rate the security that we are getting from the product, because the security research team is great. We all know that they proactively analyze numerous products available on the IT market, like applications and web platforms, and they find numerous vulnerabilities. And from a reactive point of view, as soon as a vulnerability is discovered, we see a very fast response time from Check Point and the relevant protection is usually released within a day, and sometimes even within a few hours. So the security is great.

Clustering has not been perfect from the very beginning. There weren't too many options for redundancy. It was improved in later versions, but that's something which should be available from the very beginning, because the cloud itself offers you a very redundant model with different availability zones, different regions, etc. But the Check Point product was a little bit behind in the past. 

The convergence time between cluster members is still not perfect. It's far away from what we get in traditional appliances. If a company wants to move mission-critical applications for an environment to the cloud, it somehow has to accept that it could have downtime of up to 40 seconds, until cluster members switch virtual IP addresses between themselves and start accepting the traffic. That is a little bit too high in my opinion. It's not fully Check Point's fault, because it's a hybrid mechanism with AWS. The blame is 50/50.

I have been using CloudGuard IaaS for close to one year.

In terms of the stability, so far everything is good. We have had no problems. 

The scalability is also great. It's not complicated to configure it and the environment can become really scalable. Everything can be auto-provisioned: instances created, policies pushed, licenses installed. Check Point did a great job in covering all these aspects and reducing manual intervention, which is how it is supposed to be on the cloud.

It is deployed in all AWS regions and we plan to increase the number of security features in use in the future.

Check Point's technical support is great. We are a Diamond customer, meaning we have the highest level of support available from them. We always have very competent engineers and the right level of attention. We haven't had an opportunity to test technical support regarding this product, but in general we are happy with technical support we get.

We did not have a similar previous solution. 

The favorable results of its security effectiveness score from third-party lab tests were not a major part of our consideration because Check Point is a known leader. There were no doubts about security.

As for the solution being a leader for many years in industry reviews of network firewalls, it is important to go with a solution that not only has good specs on paper, but also has a known record of success.

The setup process offered by Check Point is quite straightforward. The challenge is that there is no single blueprint for an organization, and that's why each and every company chooses its own design for the cloud. That means we have to be creative and start adjusting whatever Check Point provided as a setup guide, for our needs.

Setting up a working environment took us approximately 10 days.

Our implementation strategy was quite simple. We first needed to understand the business needs and what the stakeholders wanted us to deliver. Based on that we created a design draft: How to proceed with the least complexity, the best way to provide connectivity, and obviously, to do everything in a secure way. After creating a high-level draft, we started our work. Since the environment was not really in production yet, it was a long path of trial and error. But at the end of the day, all aspects were accounted for, lessons were learned, and we adjusted our initial design and prepared operational documentation for our operational team.

Licensing is easy since this is a virtual instance which does not require RMA.

The cloud security provided by public cloud providers is great because it's cloud-native. Sometimes it comes without an additional cost or as part of a basic license, but it's definitely not enough for an enterprise environment. Everything comes back to operational complexity. I could incorporate a new, simple tool from a public provider, but on my side it would mean I would need to up-skill team members and manage an additional layer of security, and it could be hard for troubleshooting. To integrate these tools into the peripheral systems, like sending logs, and analyzing these logs, and maintaining additional rule sets from additional dashboards, would require additional efforts.

So cloud-native security has its own disadvantages. Many companies try to stick with the simplicity whenever they define the operational flows, but I prefer choosing Check Point everywhere in a hybrid environment to make my life easier from all perspectives.

The biggest lesson I have learned from using this solution is that network security is moving away from traditional deployments and companies have to adapt themselves to stay competitive.

We are fully managing the service. As soon as a new version is released on the Check Point site, they make sure to release it for CloudGuard as well. But so far, we have stayed with our original version. We haven't done any upgrades.

The integration process between CloudGuard and AWS Transit Gateway is not straightforward, because we're not talking about traditional networking. There are a lot of different aspects that we are still not used to keeping in mind. For example, routing is completely reworked in AWS. It's just a matter of time to get used to it. Once you get used to it, everything becomes relatively easy.

In terms of our workflow when using the integration between CloudGuard and AWS Transit Gateway, we needed to review our operational documentation and prepare additional guides for our operations team on how to do it. We needed to up-skill our team members, and we needed to utilize new technologies or new features, like BGP over VPN, to make communication secure in the cloud.

The solution provides security for numerous corporate applications and is under the responsibility of the operations team which consists of about 15 people. For deployment and maintenance of the solution we have one security operations engineer, one network operations engineer, one AWS operations engineer, and one SDWAN engineer.

We use it as an edge firewall to our entire cloud environment. It protects our connections to all of our sites, to our cloud data center. And it's the internet edge, the protection mechanism between the internet and our network.

The biggest example of how it has helped our company function is the single pane of glass. The way that we implemented it is that we monitor a lot of devices in our environment through this one place now, instead of it all being distributed. We don't have to log in to different systems, correlate the data, and say, "Okay, this was related to that," etc. It's one pane of glass, so the time to resolution and the time to find what we're looking for have become a lot shorter because we're able to just put all the data into this one pane of glass. We can look at it a lot quicker and decipher what's going on a lot quicker that way.

In some cases it has saved us hours in time to remediation, in some cases a day. When dealing with a single problem that may have taken an entire work day or so to really hunt down and know what's going on, this has brought it down to finding it within an hour or 45 minutes or so.

We use its Unified Security Management to manage the solution for on-prem appliances. We combine our cloud and on-prem environments. We have multiple devices at different sites that we manage through the single Management Server, which elevates us, again, to another single pane of glass, instead of all these firewalls all over the place and having to log in to each one of them. We look at all the data and correlate it on the one system that we use to unify our physical sites and our cloud environment.

Using CloudGuard IaaS has also definitely freed up security engineers to perform more important tasks. We don't have a large team that works on these, but it has freed up the equivalent of one or two roles, overall. It saves everyone a couple of hours a week, and those couple of hours mean we can take on new projects as a team.

In addition, compared to native cloud security protection, Check Point is far more advanced. There are far more options available than in a lot of the cloud-native stuff. The cloud-native solutions have similar tools that are more "pay and spray." You buy it, you implement it, and you have a few ways to configure it for your environment. But the flexibility in Check Point is due to the fact that they've always empowered the management. You can tune whatever you want and however you need it. With other cloud providers, the approach with their tools is, "Here's how we do it in the cloud and you need to adopt it our way," which is fine. It makes it simpler to manage, but you have less flexibility to customize it to your needs.

It's really the whole suite that is valuable. But within that, the Identity Awareness is good because you can build your policies around each user. You can say what each user, or group of users, like HR, for example, can do. 

Also, the visibility, the one-pane-of-glass which allows me to see all of my edge protection through one window and one log, is great. Monitoring everything through that one pane of glass is extremely valuable.

Their IPS stuff is just fine. It updates the signatures regularly and it does a lot of that stuff automatically in the background so I don't need to worry much about that. It does its blocking and organizes things for me, as an administrator, to look at and to pick and choose what preventions I need to have enabled. That is user-friendly and it's very descriptive. I know what I'm looking at and what I need to enable. It's really useful and is one of the reasons I continue to use the product.

In addition, the reporting gives you a lot of flexibility in building your own custom stuff.

The biggest room for improvement is that, for a long time now, they've moved everything over to R80 but they still maintain some of the stuff in the old dashboard. They need to "buy in" and move everything to the modern dashboard so that you don't have to go to one place and to another place, at times, to configure the environment. It's time they just finish what they started and put everything in the new, modern dashboard. I thought they would have done that by now. It has been years. It's always a little disappointing when you get a new version and you see that it's still using the old dashboard for some of the configuration and some of the stuff that you look at.

They just need to make sure they get all their tools into this one place. It would make it a lot easier for the managers.

We just did an implementation of Check Point CloudGuard IaaS this year, so we've used it for less than a year. But the CloudGuard IaaS solution is the same software we've been running in our environment for years, just in the cloud. So our familiarity with it, and how it works is expert level.

I've had no problems with its stability or reliability. It's been up and running since then. We've done some patching of the system. And we've built it to be highly available so that we could shut certain ones down and bring other ones up. As we've done that, we've had no outages, nothing even close; nothing that would be of impact, since the implementation.

Scalability is amazing when you're in the cloud. It's no problem. Once you settle on a configuration like we have, and once you've put it together and decided that this is your de facto template, all you have to do is click a couple of buttons to deploy another one. And that scales upwards. It's very simple.

It's used pretty extensively in our environment because we are trying to get the single pane of glass for traffic going through our network in multiple directions from a bunch of different networks. It's playing a more important role than the individual Check Point firewalls we used. We don't, at this time, need anything more with CloudGuard. We may, in the future, need another data center, so that's a consideration. I'm looking at other Check Point products that secure other components, in different ways. Our relationship with Check Point is still growing.

Their technical support is usually spot-on. They've got some really good guys there. No matter what, sometimes you're going to get someone who is brand-new and who might not know as much, but they're okay at escalating, when that happens. But most of the time you've got someone who is highly trained and really knows what they're talking about, or they'll get you to someone who does. You generally find a resolution pretty quickly, or you can really take a deep technical dive with them.

For this type of functionality we did not have a previous solution. We're building a new cloud data center, and this was our first cloud protection. But it's basically a firewall on the edge of a network.

We've had different firewalls on the edge of our other networks prior to this and we've consolidated those into the Check Point solution so that we've got just one vendor to deal with. We had some Juniper firewalls and some Cisco ASAs. We also had some WatchGuards and one old Palo Alto in there. It was a variety of solutions, depending on which network we were in. There was something of a long journey that took us two years or so to get to where we are now. We're almost there using one solution, one pane of glass, and one configuration.

We knew we needed to change because things were taking too much time. We weren't being efficient. We weren't able to get stuff done. Requests that were coming in were not being fulfilled properly. They were being half-done. There were too many different technologies that served the exact same purpose. It was incredibly inefficient because everybody needed to be trained up on every single one of them, including everything that they needed to do in their roles. Unless we wanted to hire four or five times the amount of staff so that we could have people specializing in just firewalls, we needed to change. To keep the same lean model, where we have people doing a variety of roles, we needed not to have to study 10 different things that serve the exact same purpose. So we decided that we were going to consolidate to one vendor.

In our decision to go with Check Point CloudGuard the favorable results of its security effectiveness score from third-party lab tests were a factor, but not really important. Our biggest deciding factor was what we had in the environment already; what we were most comfortable with. What was important was a solution that was the most feature-rich, and that could actually accomplish our goals the best among the vendors we already had. We didn't want to go with an entirely new vendor either, to leverage some of the knowledge we already had about them. We picked what we thought would serve us the best.

The fact that Check Point has been a leader, for many years, in industry reviews of network firewalls definitely affected our decision to go with it. They had to be a leader because with this — because of how important it is in our network — I was not ready to take a risk on a young, enterprising company that may be very creative in what it's doing but that will stumble more, along the way, than a company that is well-established.

The setup seemed straightforward. We had a roadmap; we had it all planned out. But there were parts of the implementation that were "aha" moments. There were things that I found during the implementation that I told their engineers about and they would say, "Oh, you're right, that totally doesn't work," even though it was documented that it did. They would say, "We'll go back to our developers and they'll probably fix that in another release." 

During the implementation, we built and destroyed the environment about 10 times because we got to a point where we said, "Alright, maybe this is a problem with something we did earlier. Let's just start over and make sure that we follow every step and we don't make a mistake, to verify that this will work." A couple of different things were documented that you could do but it turned out that, no, you just couldn't quite do them yet.

We started talking about the deployment at the beginning of May and we were done by the end of June. It took about two months.

We were building a new data center in the cloud. We traditionally had stuff onsite but we had decided we were going to uplift everything and move it into the cloud. This was us building our network and the edge of the network in the cloud in preparation for moving everything up there. This was the first step in a long, ongoing process.

In terms of maintaining it, there is only ever one person on it, unless there's a major event going on. We're a team and all of us use the data coming out of it at various times. No one is ever just sitting there monitoring the thing all the time. We have other tools that help with that and send us notifications if something's weird that we need to look at a little further. It's the the team who are logging in regularly, every week, and pulling pieces of data out of it for either an investigation we're doing or a report we're doing. It's used frequently.

No one else is using it directly. There are other teams that, for certain reporting, may request some data from us to use for analysis. But no one else is actually logging in and using the tool.

We worked with the Check Point cloud implementation team. There were two of us from my team involved and three Check Point cloud architects who helped us through most of the process.

We've seen ROI in time saved in threat hunting and in having a unified policy across our organization. We actually have this one policy that we can look at to determine if something is going to be accurately filtered. It has been very valuable.

It has been very expensive but my approach is that, while we're spending a bit more money, we're getting everything that we actually need. We should be happy with that. Obviously everybody would love to spend less, but that's just not the reality.

The pricing is pretty high, not just for your capital, for what you have to pay upfront, but for what you pay for your annual software renewals as well, compared to a lot of other vendors. Check Point is near the top, as far as how much it's going to cost you.

Years ago they used to piecemeal and you could pick whatever you wanted. But now they have two basic options. You can go with this level or the higher level and that's it. It makes it simple.

We looked into the same vendors that we already had onsite. We looked at Cisco, WatchGuard, and Palo Alto, in addition to Check Point.

Some of them were actually quicker, in terms of mouse clicks, but they were less intuitive. With some of them you could just write a couple commands on a command-line and it would spit out the data for you, instead of having to click around with a bunch of mouse clicks. But that would have required some of the staff being comfortable with scripting, coding, and command-line stuff.

All of these solutions have their own unique perspectives. Most of them are pretty much market leaders. They're all very effective in their own ways, especially in threat protection. They all have very extensive databases on their protections and know what they're doing, and that's why they're all market leaders.

Sometimes you've got to pay for what you actually want. We realized that it's an expensive solution, there's no denying that. But we're happy with what we have gotten out of it. Sometimes you just have to fork over the cash out of your budget and work with it. Work hard with it, because you can't just spend money and expect it to work. But with the time that you put into it, you can get something really good out of it for your company.

Really do your analysis, which is something anybody should really know if they're going to spend a lot of money like this. They offer up trials. Try it out and see if it actually works for you.

One of the biggest reasons it was successful for us was because we already used it in our environment and we used it pretty extensively. We had a variety of different systems in there, but we used the Check Point more. So we were more familiar with it coming into it and that's why we leaned more towards it. We figured, it will be expensive but it will probably have the lowest learning curve for us to get where we want to be.

Another company may already use, say, Palo Alto extensively and be very familiar with it. If their decision is that they want their team to be really well versed in what's going on, rather than have to break it all down and study all over again and retrain everybody, maybe their choice will be to stick with their Palo Alto solution rather than flipping over to Check Point. 

If you're going to change vendors entirely, you're going to have a steep learning curve and that's going to mean it will take time, where you might not be able to fulfill a request, because you have to learn how to do it.

I haven't really measured rates like the block rate or malware prevention rate yet. The CloudGuard stuff is the same software running under there that I have run for years. It's just in a cloud environment and it's been extremely effective. It doesn't really paint a picture of how much actually gets through, so I don't know the rates, but I do know that I don't have a lot of problems with things getting through that I didn't know about or didn't want to get through.

I don't think there are really any false positives with this solution. Sometimes an investigation that leads me down a path and I follow it so far that I can't quite figure it out, but I attribute that to not having enough visibility into other areas of the environment to actually see what's going on, so I can't paint the whole picture and can't then solve the problem. But I don't have a problem with false positives leading me down a path towards something that just had no relevance at all.

The ease of use is good if you have a strong technical background. The intuitiveness of getting in there has a learning curve to it because there's a lot going on there, but with something that takes care of this many things in your environment, it's hard not to make it complex. They've done a pretty good job of trying to make it as uncomplicated as possible, but no matter what, you're going to have a learning curve to be able to use it effectively.

The Unified Security Management has made threat hunting a lot easier because we have it all in one view, but managing the environment has become a little bit more complex because we have one ruleset to cross the environment. So we really need to know what we're doing there. We've had to adapt a little bit towards that. Instead of having little rulesets all over the environment, we have one massive ruleset. We have to be a little bit more careful about what we're allowing because it can affect more than just the site you want to change. For example, if you want to change a device in New York, you have to be very careful that you don't affect a device in Boston as well, because it's all in this one unified policy.

Overall, Check Point has been a nine-plus out of 10 for me. I'm really happy with it. It's a very expensive solution, but everything has gone really well. There are bumps along the way, like with anything. I don't fault them for that. We've worked with it and we've worked around those problems and have come up with solutions that work for everybody. So everybody's happy in the end.