Check Point CloudGuard Network Security OverviewUNIXBusinessApplication

Check Point CloudGuard Network Security is the #2 ranked solution in top DevSecOps tools, #3 ranked solution in best Cloud Security companies, and #9 ranked solution in best firewalls. PeerSpot users give Check Point CloudGuard Network Security an average rating of 8.4 out of 10. Check Point CloudGuard Network Security is most commonly compared to Azure Firewall: Check Point CloudGuard Network Security vs Azure Firewall. Check Point CloudGuard Network Security is popular among the large enterprise segment, accounting for 56% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a comms service provider, accounting for 23% of all views.
Check Point CloudGuard Network Security Buyer's Guide

Download the Check Point CloudGuard Network Security Buyer's Guide including reviews and more. Updated: November 2022

What is Check Point CloudGuard Network Security?

Check Point CloudGuard provides unified cloud native security for all your assets and workloads, giving you the confidence to automate security, prevent threats, and manage posture – everywhere – across your multi-cloud environment.

Check Point CloudGuard Network Security was previously known as CloudGuard IaaS, Check Point vSEC, CloudGuard IaaS, Check Point Virtual Systems, Check Point CloudGuard Network Security.

Check Point CloudGuard Network Security Customers

Physicians Choice Laboratory Services, Helvetica Insurance

Check Point CloudGuard Network Security Video

Archived Check Point CloudGuard Network Security Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
PeerSpot user
Network Security Engineer/Architect at a tech services company with 1,001-5,000 employees
Real User
Seamlessly extends our on-premise protection to Cloud without requiring any effort
Pros and Cons
  • "The most valuable feature is that we can use the same manager server that we use on our own Check Point firewalls. We integrated CloudGuard on that manager and we can use the same kind of protections that we use on the on-prem firewalls, like the IPS and antivirus policy. We can have the same kind of protection on the Cloud environment that we have on-premise."
  • "CloudGuard functions just like any other firewall. It functions very well. The only thing that could maybe be improved would be to integrate some tools that are not integrated with the SmartConsole, like the SmartView Monitor that we need to open on a different application to access."

What is our primary use case?

We have an AWS environment with servers and resources. We also have a Cloud environment and CloudGuard is our solution to protect the internet access to and from the database environment. For example, servers on the AWS that need to do upgrades go to the internet and cross the CloudGuard solution. People that need to connect to the AWS environment, to a server are protected by CloudGuard. The environment is protected by CloudGuard. It's our perimeter firewall on the AWS environment.

How has it helped my organization?

We were already used to Check Point products and we needed to protect the AWS environment. It was very straightforward. We could use the same policies that we use on-prem. We were already used to the logs, for the kinds of things Check Point shows in terms of what is crossing to the internet. We didn't need to get used to a new kind of log that we were not used to. It saved us a lot of time. We were able to seamlessly extend our on-premise protection to Cloud and didn't require any effort.

Two years ago, we didn't know what the best way was to protect the environment but we found out that we could use the same kind of protection that we use on-prem. It helped our security team to be confident that the cloud environment is protected. 

The use of unified security management has freed up security engineers to perform more important tasks. We saved a lot of time, especially managing the threat prevention profiles because when we want to do some kind of exception or enable a new kind of protection, we can enable it on all our firewalls, not only the AWS but also on the on-prem firewalls at the same time using the same profile. That helps us a lot and saves us a lot of time because we don't need to go to the AWS protection to do stuff and then to the other premise. It saves at least four hours a week.

Compared to the security provided by AWS, CloudGuard is very easy to understand why something is being blocked. We can see it on the SmartConsole for Check Point, which is one of our favorite products for security. It's much easier to understand what and why something is happening. 

What is most valuable?

The most valuable feature is that we can use the same manager server that we use on our own Check Point firewalls. We integrated CloudGuard on that manager and we can use the same kind of protections that we use on the on-prem firewalls, like the IPS and antivirus policy. We can have the same kind of protection on the Cloud environment that we have on-premise.

  • The block rate is good. It's what we used on-prem. We feel protected by the Check Point threat prevention that we used for many years. We are confident that it blocks everything that needs to be blocked.
  • Malware prevention is also a good feature. It's the same kind of malware prevention we use on-prem and we never had any issues. We have used on-prem prevention for many years. 
  • Exploit resistance rate - we never had any problems with it. We never had any security issues due to exploits on our diverse infrastructure.

In terms of the comprehensiveness of its threat prevention security, it was very easy for us to start working with because it's the same. Check Point has a very wide group of protections, dozens of protections. It's very good in terms of protection.

CloudGuard is very good in terms of ease of use, especially because it's very easy to understand the blocks and why something was blocked. You can see in a log why something was blocked, if it was identified as some kind of malware or suspicious activity. You can immediately see on the log the rule or the threat prevention policy that was blocking it if you want to do some kind of exception, or if you want to verify why. And it's very well documented with the description of the threat and why it should be blocked.

What needs improvement?

CloudGuard functions just like any other firewall. It functions very well. The only thing that could maybe be improved would be to integrate some tools that are not integrated with the SmartConsole, like the SmartView Monitor that we need to open on a different application to access.

Buyer's Guide
Check Point CloudGuard Network Security
November 2022
Learn what your peers think about Check Point CloudGuard Network Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
655,113 professionals have used our research since 2012.

For how long have I used the solution?

I have been using CloudGuard IaaS for two years. 

What do I think about the stability of the solution?

It was always very stable, so we deployed it and now we only manage the policy, the application control, and the IPS. In terms of stability, it's very stable.

What do I think about the scalability of the solution?

Its scalability is one of the best features because of the auto-scaling groups.

There are three users in the company who are all network security engineers.

It's has a 100% adoption rate. Our Cloud environment goes to the internet through the CloudGuard solution.

How are customer service and support?

Support is good. We never had anything that they couldn't help us with.

How was the initial setup?

We did the deployment with vendor support. It's not straightforward, especially because the solution was fairly new when we started to deploy. There wasn't a lot of the commutation that there is now. We had help through remote sessions and the vendor. We managed to do it, but it's not very straightforward.

We had to get used to the concept. We use the auto-scaling groups, which is when there is low internet access needs, we only have one gateway. And when a lot of people access the internet, the product automatically generates more visual firewalls. This was a different concept than what we have on-premises, of course, because this is not what's on-prem. The concept of auto-scaling groups was something we needed to get used to.

It saves us money because if for example, we have three firewalls running but at night, no one is working, the internet access is very low. The solution automatically reduces the number of instances to one, which is the minimum. Then, if someone is doing a lot of things that need internet access, it automatically spins more instances. This saves us money.

The deployment took one week.

The implementation strategy was to first do a proof of concept, only for our Dev VPC. Only the Dev VPC was using the internet through this solution, and then when we were confident that it worked as we thought it should work. We deployed it in all our accounts, production, and corporate.

We are aware of the overall perspective of the Check Point security products and the rates. We were already aware that it meets the ones that we use on-prem. So we are always aware of those results. 

The fact that CloudGuard has been a leader for many years in industry reviews of network firewalls was also important, but the most important thing was that we can also use it on-prem and we are satisfied with it. 

What about the implementation team?

The consultants were very helpful. 

What's my experience with pricing, setup cost, and licensing?

Pricing for these kinds of products is always expensive but I would say that it's in line with the competition.

Which other solutions did I evaluate?

We didn't evaluate other solutions because it was a good fit for us and not worth evaluating other solutions.

What other advice do I have?

If you are already a Check Point customer, this is the perfect solution. If you are not used to Check Point products, you should also analyze other solutions and compare them before you buy.

The biggest lesson I have learned is that with this product, you can secure the Cloud environment the same way that you secure the on-prem, which helps a lot with people that are new to the Cloud security environment.

I would rate Check Point CloudGuard IaaS a ten out of ten. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
IT Security Manager at a retailer with 10,001+ employees
Real User
Top 5
Enables us to deliver connectivity in very short time frames and gives us much better control over sizing of firewalls
Pros and Cons
  • "The features of the solution which I have found most valuable are its flexibility and agility. It's a fully scalable solution, from our perspective. We can define scaling groups and, based on the load, it will create new instances. It's truly a product which is oriented toward the cloud mindset, cloud agility, and this is a great feature."
  • "The convergence time between cluster members is still not perfect. It's far away from what we get in traditional appliances. If a company wants to move mission-critical applications for an environment to the cloud, it somehow has to accept that it could have downtime of up to 40 seconds, until cluster members switch virtual IP addresses between themselves and start accepting the traffic. That is a little bit too high in my opinion. It's not fully Check Point's fault, because it's a hybrid mechanism with AWS. The blame is 50/50."

What is our primary use case?

We use CloudGuard IaaS for cloud security in AWS, and it serves all kinds of purposes for us. It could be internal segmentation between on-prem or between application VPCs, and it can also help us to provide perimeter security for those parts of the network that require internet access.

How has it helped my organization?

Our company has a very dynamic IT landscape, and the demand to go live is very high. That means we have to deliver connectivity in very short time frames, and we can do that using CloudGuard IaaS. Once we have figured out a working template for connectivity, it becomes our standard, and we can run connectivity for new applications within a day or two, and sometimes it might only take hours. In the past this would take a much longer time. We also now have much better control over the sizing of the firewalls, which gives us a lot of flexibility in our planning.

In addition, we use an existing on-premise appliance, which is a multi-domain security server. The use of CloudGuard's Unified Security Management was an easy part of our integration. We didn't need to make a lot of effort to incorporate the new firewalls. We just needed to apply some existing policies to the new firewall. We didn't have to develop something from scratch. We just used our existing infrastructure and existing policies, and it was the easiest part of the deployment. And the use of the Unified Security Management has definitely freed up security engineers to perform more important tasks.

What is most valuable?

The features of the solution which I have found most valuable are its flexibility and agility. It's a fully scalable solution, from our perspective. We can define scaling groups and, based on the load, it will create new instances. It's truly a product which is oriented toward the cloud mindset, cloud agility, and this is a great feature.

Check Point is a known leader in the area of block rate, so I don't have any complaints about it. It's working as expected. And similarly for malware prevention. When it comes to exploit resistance rate, it's excellent. I haven't seen any Zero-day vulnerabilities found in Check Point products in a very long time, which is not the case with other vendors.

The false positive rate is at an acceptable level. No one would expect a solution to be 100 percent free of false positives. It's obvious that we need to do some manual tuning. But for our specific environment and for our specific traffic, we don't see a lot of false positives.

Overall, the comprehensiveness of the solution's threat prevention security is great. It was changed in our "80." version and I know that Check Point put a lot of effort into threat prevention specifically, as a suite of products. They are trying to make it as simple as it can be. I have been working with Check Point for a long time, and in the past it was much more complicated for an average user, without advanced knowledge. Today it's more and more user-friendly. Check Point itself has started to offer managed services for transformation configuration. So if you don't have enough knowledge to do it yourself, you can rely on Check Point. It's a really great service.

Check Point recently released a feature which recognizes that many companies are going with the MITRE ATT&CK model of incident handling, and it has started to tailor its services to provide incident-related information in that format. It is easier for cyber security defense teams to analyze security incidents, based on the information that Check Point provides. It's great that this vendor looks for feedback from the industry and tries to make the lives of security professionals easier.

I highly rate the security that we are getting from the product, because the security research team is great. We all know that they proactively analyze numerous products available on the IT market, like applications and web platforms, and they find numerous vulnerabilities. And from a reactive point of view, as soon as a vulnerability is discovered, we see a very fast response time from Check Point and the relevant protection is usually released within a day, and sometimes even within a few hours. So the security is great.

What needs improvement?

Clustering has not been perfect from the very beginning. There weren't too many options for redundancy. It was improved in later versions, but that's something which should be available from the very beginning, because the cloud itself offers you a very redundant model with different availability zones, different regions, etc. But the Check Point product was a little bit behind in the past. 

The convergence time between cluster members is still not perfect. It's far away from what we get in traditional appliances. If a company wants to move mission-critical applications for an environment to the cloud, it somehow has to accept that it could have downtime of up to 40 seconds, until cluster members switch virtual IP addresses between themselves and start accepting the traffic. That is a little bit too high in my opinion. It's not fully Check Point's fault, because it's a hybrid mechanism with AWS. The blame is 50/50.

For how long have I used the solution?

I have been using CloudGuard IaaS for close to one year.

What do I think about the stability of the solution?

In terms of the stability, so far everything is good. We have had no problems. 

What do I think about the scalability of the solution?

The scalability is also great. It's not complicated to configure it and the environment can become really scalable. Everything can be auto-provisioned: instances created, policies pushed, licenses installed. Check Point did a great job in covering all these aspects and reducing manual intervention, which is how it is supposed to be on the cloud.

It is deployed in all AWS regions and we plan to increase the number of security features in use in the future.

How are customer service and technical support?

Check Point's technical support is great. We are a Diamond customer, meaning we have the highest level of support available from them. We always have very competent engineers and the right level of attention. We haven't had an opportunity to test technical support regarding this product, but in general we are happy with technical support we get.

Which solution did I use previously and why did I switch?

We did not have a similar previous solution. 

The favorable results of its security effectiveness score from third-party lab tests were not a major part of our consideration because Check Point is a known leader. There were no doubts about security.

As for the solution being a leader for many years in industry reviews of network firewalls, it is important to go with a solution that not only has good specs on paper, but also has a known record of success.

How was the initial setup?

The setup process offered by Check Point is quite straightforward. The challenge is that there is no single blueprint for an organization, and that's why each and every company chooses its own design for the cloud. That means we have to be creative and start adjusting whatever Check Point provided as a setup guide, for our needs.

Setting up a working environment took us approximately 10 days.

Our implementation strategy was quite simple. We first needed to understand the business needs and what the stakeholders wanted us to deliver. Based on that we created a design draft: How to proceed with the least complexity, the best way to provide connectivity, and obviously, to do everything in a secure way. After creating a high-level draft, we started our work. Since the environment was not really in production yet, it was a long path of trial and error. But at the end of the day, all aspects were accounted for, lessons were learned, and we adjusted our initial design and prepared operational documentation for our operational team.

What's my experience with pricing, setup cost, and licensing?

Licensing is easy since this is a virtual instance which does not require RMA.

Which other solutions did I evaluate?

The cloud security provided by public cloud providers is great because it's cloud-native. Sometimes it comes without an additional cost or as part of a basic license, but it's definitely not enough for an enterprise environment. Everything comes back to operational complexity. I could incorporate a new, simple tool from a public provider, but on my side it would mean I would need to up-skill team members and manage an additional layer of security, and it could be hard for troubleshooting. To integrate these tools into the peripheral systems, like sending logs, and analyzing these logs, and maintaining additional rule sets from additional dashboards, would require additional efforts.

So cloud-native security has its own disadvantages. Many companies try to stick with the simplicity whenever they define the operational flows, but I prefer choosing Check Point everywhere in a hybrid environment to make my life easier from all perspectives.

What other advice do I have?

The biggest lesson I have learned from using this solution is that network security is moving away from traditional deployments and companies have to adapt themselves to stay competitive.

We are fully managing the service. As soon as a new version is released on the Check Point site, they make sure to release it for CloudGuard as well. But so far, we have stayed with our original version. We haven't done any upgrades.

The integration process between CloudGuard and AWS Transit Gateway is not straightforward, because we're not talking about traditional networking. There are a lot of different aspects that we are still not used to keeping in mind. For example, routing is completely reworked in AWS. It's just a matter of time to get used to it. Once you get used to it, everything becomes relatively easy.

In terms of our workflow when using the integration between CloudGuard and AWS Transit Gateway, we needed to review our operational documentation and prepare additional guides for our operations team on how to do it. We needed to up-skill our team members, and we needed to utilize new technologies or new features, like BGP over VPN, to make communication secure in the cloud.

The solution provides security for numerous corporate applications and is under the responsibility of the operations team which consists of about 15 people. For deployment and maintenance of the solution we have one security operations engineer, one network operations engineer, one AWS operations engineer, and one SDWAN engineer.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Check Point CloudGuard Network Security
November 2022
Learn what your peers think about Check Point CloudGuard Network Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
655,113 professionals have used our research since 2012.
Alex Tremblay - PeerSpot reviewer
Cyber Security Manager at H2O Power
Real User
Top 10
Unified Security Management has enabled us to combine our on-prem appliances and cloud environments
Pros and Cons
  • "The visibility, the one-pane-of-glass which allows me to see all of my edge protection through one window and one log, is great. Monitoring everything through that one pane of glass is extremely valuable."
  • "The biggest room for improvement is that, for a long time now, they've moved everything over to R80 but they still maintain some of the stuff in the old dashboard. They need to "buy in" and move everything to the modern dashboard so that you don't have to go to one place and to another place, at times, to configure the environment. It's time they just finish what they started and put everything in the new, modern dashboard."

What is our primary use case?

We use it as an edge firewall to our entire cloud environment. It protects our connections to all of our sites, to our cloud data center. And it's the internet edge, the protection mechanism between the internet and our network.

How has it helped my organization?

The biggest example of how it has helped our company function is the single pane of glass. The way that we implemented it is that we monitor a lot of devices in our environment through this one place now, instead of it all being distributed. We don't have to log in to different systems, correlate the data, and say, "Okay, this was related to that," etc. It's one pane of glass, so the time to resolution and the time to find what we're looking for have become a lot shorter because we're able to just put all the data into this one pane of glass. We can look at it a lot quicker and decipher what's going on a lot quicker that way.

In some cases it has saved us hours in time to remediation, in some cases a day. When dealing with a single problem that may have taken an entire work day or so to really hunt down and know what's going on, this has brought it down to finding it within an hour or 45 minutes or so.

We use its Unified Security Management to manage the solution for on-prem appliances. We combine our cloud and on-prem environments. We have multiple devices at different sites that we manage through the single Management Server, which elevates us, again, to another single pane of glass, instead of all these firewalls all over the place and having to log in to each one of them. We look at all the data and correlate it on the one system that we use to unify our physical sites and our cloud environment.

Using CloudGuard IaaS has also definitely freed up security engineers to perform more important tasks. We don't have a large team that works on these, but it has freed up the equivalent of one or two roles, overall. It saves everyone a couple of hours a week, and those couple of hours mean we can take on new projects as a team.

In addition, compared to native cloud security protection, Check Point is far more advanced. There are far more options available than in a lot of the cloud-native stuff. The cloud-native solutions have similar tools that are more "pay and spray." You buy it, you implement it, and you have a few ways to configure it for your environment. But the flexibility in Check Point is due to the fact that they've always empowered the management. You can tune whatever you want and however you need it. With other cloud providers, the approach with their tools is, "Here's how we do it in the cloud and you need to adopt it our way," which is fine. It makes it simpler to manage, but you have less flexibility to customize it to your needs.

What is most valuable?

It's really the whole suite that is valuable. But within that, the Identity Awareness is good because you can build your policies around each user. You can say what each user, or group of users, like HR, for example, can do. 

Also, the visibility, the one-pane-of-glass which allows me to see all of my edge protection through one window and one log, is great. Monitoring everything through that one pane of glass is extremely valuable.

Their IPS stuff is just fine. It updates the signatures regularly and it does a lot of that stuff automatically in the background so I don't need to worry much about that. It does its blocking and organizes things for me, as an administrator, to look at and to pick and choose what preventions I need to have enabled. That is user-friendly and it's very descriptive. I know what I'm looking at and what I need to enable. It's really useful and is one of the reasons I continue to use the product.

In addition, the reporting gives you a lot of flexibility in building your own custom stuff.

What needs improvement?

The biggest room for improvement is that, for a long time now, they've moved everything over to R80 but they still maintain some of the stuff in the old dashboard. They need to "buy in" and move everything to the modern dashboard so that you don't have to go to one place and to another place, at times, to configure the environment. It's time they just finish what they started and put everything in the new, modern dashboard. I thought they would have done that by now. It has been years. It's always a little disappointing when you get a new version and you see that it's still using the old dashboard for some of the configuration and some of the stuff that you look at.

They just need to make sure they get all their tools into this one place. It would make it a lot easier for the managers.

For how long have I used the solution?

We just did an implementation of Check Point CloudGuard IaaS this year, so we've used it for less than a year. But the CloudGuard IaaS solution is the same software we've been running in our environment for years, just in the cloud. So our familiarity with it, and how it works is expert level.

What do I think about the stability of the solution?

I've had no problems with its stability or reliability. It's been up and running since then. We've done some patching of the system. And we've built it to be highly available so that we could shut certain ones down and bring other ones up. As we've done that, we've had no outages, nothing even close; nothing that would be of impact, since the implementation.

What do I think about the scalability of the solution?

Scalability is amazing when you're in the cloud. It's no problem. Once you settle on a configuration like we have, and once you've put it together and decided that this is your de facto template, all you have to do is click a couple of buttons to deploy another one. And that scales upwards. It's very simple.

It's used pretty extensively in our environment because we are trying to get the single pane of glass for traffic going through our network in multiple directions from a bunch of different networks. It's playing a more important role than the individual Check Point firewalls we used. We don't, at this time, need anything more with CloudGuard. We may, in the future, need another data center, so that's a consideration. I'm looking at other Check Point products that secure other components, in different ways. Our relationship with Check Point is still growing.

How are customer service and technical support?

Their technical support is usually spot-on. They've got some really good guys there. No matter what, sometimes you're going to get someone who is brand-new and who might not know as much, but they're okay at escalating, when that happens. But most of the time you've got someone who is highly trained and really knows what they're talking about, or they'll get you to someone who does. You generally find a resolution pretty quickly, or you can really take a deep technical dive with them.

Which solution did I use previously and why did I switch?

For this type of functionality we did not have a previous solution. We're building a new cloud data center, and this was our first cloud protection. But it's basically a firewall on the edge of a network.

We've had different firewalls on the edge of our other networks prior to this and we've consolidated those into the Check Point solution so that we've got just one vendor to deal with. We had some Juniper firewalls and some Cisco ASAs. We also had some WatchGuards and one old Palo Alto in there. It was a variety of solutions, depending on which network we were in. There was something of a long journey that took us two years or so to get to where we are now. We're almost there using one solution, one pane of glass, and one configuration.

We knew we needed to change because things were taking too much time. We weren't being efficient. We weren't able to get stuff done. Requests that were coming in were not being fulfilled properly. They were being half-done. There were too many different technologies that served the exact same purpose. It was incredibly inefficient because everybody needed to be trained up on every single one of them, including everything that they needed to do in their roles. Unless we wanted to hire four or five times the amount of staff so that we could have people specializing in just firewalls, we needed to change. To keep the same lean model, where we have people doing a variety of roles, we needed not to have to study 10 different things that serve the exact same purpose. So we decided that we were going to consolidate to one vendor.

In our decision to go with Check Point CloudGuard the favorable results of its security effectiveness score from third-party lab tests were a factor, but not really important. Our biggest deciding factor was what we had in the environment already; what we were most comfortable with. What was important was a solution that was the most feature-rich, and that could actually accomplish our goals the best among the vendors we already had. We didn't want to go with an entirely new vendor either, to leverage some of the knowledge we already had about them. We picked what we thought would serve us the best.

The fact that Check Point has been a leader, for many years, in industry reviews of network firewalls definitely affected our decision to go with it. They had to be a leader because with this — because of how important it is in our network — I was not ready to take a risk on a young, enterprising company that may be very creative in what it's doing but that will stumble more, along the way, than a company that is well-established.

How was the initial setup?

The setup seemed straightforward. We had a roadmap; we had it all planned out. But there were parts of the implementation that were "aha" moments. There were things that I found during the implementation that I told their engineers about and they would say, "Oh, you're right, that totally doesn't work," even though it was documented that it did. They would say, "We'll go back to our developers and they'll probably fix that in another release." 

During the implementation, we built and destroyed the environment about 10 times because we got to a point where we said, "Alright, maybe this is a problem with something we did earlier. Let's just start over and make sure that we follow every step and we don't make a mistake, to verify that this will work." A couple of different things were documented that you could do but it turned out that, no, you just couldn't quite do them yet.

We started talking about the deployment at the beginning of May and we were done by the end of June. It took about two months.

We were building a new data center in the cloud. We traditionally had stuff onsite but we had decided we were going to uplift everything and move it into the cloud. This was us building our network and the edge of the network in the cloud in preparation for moving everything up there. This was the first step in a long, ongoing process.

In terms of maintaining it, there is only ever one person on it, unless there's a major event going on. We're a team and all of us use the data coming out of it at various times. No one is ever just sitting there monitoring the thing all the time. We have other tools that help with that and send us notifications if something's weird that we need to look at a little further. It's the the team who are logging in regularly, every week, and pulling pieces of data out of it for either an investigation we're doing or a report we're doing. It's used frequently.

No one else is using it directly. There are other teams that, for certain reporting, may request some data from us to use for analysis. But no one else is actually logging in and using the tool.

What about the implementation team?

We worked with the Check Point cloud implementation team. There were two of us from my team involved and three Check Point cloud architects who helped us through most of the process.

What was our ROI?

We've seen ROI in time saved in threat hunting and in having a unified policy across our organization. We actually have this one policy that we can look at to determine if something is going to be accurately filtered. It has been very valuable.

It has been very expensive but my approach is that, while we're spending a bit more money, we're getting everything that we actually need. We should be happy with that. Obviously everybody would love to spend less, but that's just not the reality.

What's my experience with pricing, setup cost, and licensing?

The pricing is pretty high, not just for your capital, for what you have to pay upfront, but for what you pay for your annual software renewals as well, compared to a lot of other vendors. Check Point is near the top, as far as how much it's going to cost you.

Years ago they used to piecemeal and you could pick whatever you wanted. But now they have two basic options. You can go with this level or the higher level and that's it. It makes it simple.

Which other solutions did I evaluate?

We looked into the same vendors that we already had onsite. We looked at Cisco, WatchGuard, and Palo Alto, in addition to Check Point.

Some of them were actually quicker, in terms of mouse clicks, but they were less intuitive. With some of them you could just write a couple commands on a command-line and it would spit out the data for you, instead of having to click around with a bunch of mouse clicks. But that would have required some of the staff being comfortable with scripting, coding, and command-line stuff.

All of these solutions have their own unique perspectives. Most of them are pretty much market leaders. They're all very effective in their own ways, especially in threat protection. They all have very extensive databases on their protections and know what they're doing, and that's why they're all market leaders.

What other advice do I have?

Sometimes you've got to pay for what you actually want. We realized that it's an expensive solution, there's no denying that. But we're happy with what we have gotten out of it. Sometimes you just have to fork over the cash out of your budget and work with it. Work hard with it, because you can't just spend money and expect it to work. But with the time that you put into it, you can get something really good out of it for your company.

Really do your analysis, which is something anybody should really know if they're going to spend a lot of money like this. They offer up trials. Try it out and see if it actually works for you.

One of the biggest reasons it was successful for us was because we already used it in our environment and we used it pretty extensively. We had a variety of different systems in there, but we used the Check Point more. So we were more familiar with it coming into it and that's why we leaned more towards it. We figured, it will be expensive but it will probably have the lowest learning curve for us to get where we want to be.

Another company may already use, say, Palo Alto extensively and be very familiar with it. If their decision is that they want their team to be really well versed in what's going on, rather than have to break it all down and study all over again and retrain everybody, maybe their choice will be to stick with their Palo Alto solution rather than flipping over to Check Point. 

If you're going to change vendors entirely, you're going to have a steep learning curve and that's going to mean it will take time, where you might not be able to fulfill a request, because you have to learn how to do it.

I haven't really measured rates like the block rate or malware prevention rate yet. The CloudGuard stuff is the same software running under there that I have run for years. It's just in a cloud environment and it's been extremely effective. It doesn't really paint a picture of how much actually gets through, so I don't know the rates, but I do know that I don't have a lot of problems with things getting through that I didn't know about or didn't want to get through.

I don't think there are really any false positives with this solution. Sometimes an investigation that leads me down a path and I follow it so far that I can't quite figure it out, but I attribute that to not having enough visibility into other areas of the environment to actually see what's going on, so I can't paint the whole picture and can't then solve the problem. But I don't have a problem with false positives leading me down a path towards something that just had no relevance at all.

The ease of use is good if you have a strong technical background. The intuitiveness of getting in there has a learning curve to it because there's a lot going on there, but with something that takes care of this many things in your environment, it's hard not to make it complex. They've done a pretty good job of trying to make it as uncomplicated as possible, but no matter what, you're going to have a learning curve to be able to use it effectively.

The Unified Security Management has made threat hunting a lot easier because we have it all in one view, but managing the environment has become a little bit more complex because we have one ruleset to cross the environment. So we really need to know what we're doing there. We've had to adapt a little bit towards that. Instead of having little rulesets all over the environment, we have one massive ruleset. We have to be a little bit more careful about what we're allowing because it can affect more than just the site you want to change. For example, if you want to change a device in New York, you have to be very careful that you don't affect a device in Boston as well, because it's all in this one unified policy.

Overall, Check Point has been a nine-plus out of 10 for me. I'm really happy with it. It's a very expensive solution, but everything has gone really well. There are bumps along the way, like with anything. I don't fault them for that. We've worked with it and we've worked around those problems and have come up with solutions that work for everybody. So everybody's happy in the end.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Oleg Pekar - PeerSpot reviewer
Senior Network/Security Engineer at Skywind Group
Real User
Top 5
Flexibility in licensing and includes support for a large number of cloud providers
Pros and Cons
  • "I find it really useful that CloudGuard supports all the main players on the Public Clouds market including AWS, GCP, and Azure, as well as some exotic ones like Alibaba Cloud, Oracle Cloud, and IBM Cloud."
  • "I hope that Check Point continues to improve its technical documentation regarding the Check Point CloudGuard IaaS gateway and management system."

What is our primary use case?

The main usage of the Check Point CloudGuard IaaS within our company is for the protection of our cloud assets. It is deployed on Google Cloud Platform with the help of the Firewall, Application Control, and Intrusion Prevention System software blades. 

In addition, we rely heavily on the GeoIP module to restrict undesired countries from accessing our services, as for now, you can't achieve it with the GCP firewall.

There are about 30 Google Cloud projects of different sizes ranging from 10 to 250 virtual machines, and they are used for development, staging, production, etc. For every project, there is one dedicated scalable instance group of the Check Point CloudGuard IaaS gateways.

How has it helped my organization?

While using the Check Point CloudGuard IaaS gateways in the cloud environment, we had almost the same experience as with other Check Point firewall solutions.

The components of the infrastructure are integrated with each other quite well. All the common Check Point Next Generation Firewall blades are supported including Firewall, IPS, Antivirus, VPN, etc. There is not a big difference with the usual on-premises gateway from this perspective. This provided us a smooth experience while moving our load from on-premises data centers to the Google Cloud environments, and increased the adoption and the speed of the migration process.

What is most valuable?

I find it really useful that CloudGuard supports all the main players on the Public Clouds market including AWS, GCP, and Azure, as well as some exotic ones like Alibaba Cloud, Oracle Cloud, and IBM Cloud. I would say there is about a 95% probability that the platform you are using is supported, and I don't know any other solution for now that can provide the same number. Moreover, it integrates with most of the public cloud management solutions, so you could automate modification of the security policies based on some triggers or changes in your cloud infrastructure.

I also like that different licensing models are supported. For testing/evaluation/PoC projects, you could go with the Pay-as-you-go (PAYG) license without wasting a lot of money in case the solution somehow doesn't suit you. On the other hand, for production, you could use the Bring-your-own-license (BYOL) way, applying the license bought earlier.

What needs improvement?

As with other solutions of this kind, you still have to manage basic cloud firewalls and routes for VPC outside of CloudGuard IaaS. There's no 100% integration.

I hope that Check Point continues to improve its technical documentation regarding the Check Point CloudGuard IaaS gateway and management system. For example, the questions on how to scale the instances in the relevant cloud should be covered, and all the High Availability options and switchover scenarios. Without that, users have to open numerous consulting cases to the support team to get it right.

For how long have I used the solution?

We have been using Check Point CloudGuard IaaS for less than a year.

What do I think about the stability of the solution?

The Check Point CloudGuard IaaS is stable product, and in fact it runs the same code as the hardware Check Point NGFWs, so no issues were encountered there.

What do I think about the scalability of the solution?

The Check Point CloudGuard IaaS scales well for the Google Cloud Platform with the help of the Instance Groups feature.

How are customer service and technical support?

We have had several support cases opened. Some of the issues were resolved by installing the latest recommended JumoHotfix, whereas some required additional configuration on the OS kernel level.

The longest issue took about one month to be resolved, which we consider too long.

Which solution did I use previously and why did I switch?

We didn't use such solutions before and had to rely on the built-in firewall rules of the Google Cloud Platform infrastructure.

How was the initial setup?

The setup was straightforward, and the configuration was easy and understandable.

What about the implementation team?

Our deployment was completed by our in-house team. We have a Check Point Certified engineer working in the engineering team.

What's my experience with pricing, setup cost, and licensing?

There is flexibility in the different licensing models that are offered.

For testing/evaluation/PoC projects, you could go with the Pay-as-you-go (PAYG) license without wasting a lot of money in case the solution somehow doesn't suit you. On the other hand, for production, you could use the Bring-your-own-license (BYOL) way, applying the license bought earlier.

This is a flexible approach and we like that.

Which other solutions did I evaluate?

No, since we decided to have a unified firewalling solution across all the infrastructure, and we already had the Check Point firewalls in the on-premises data centers.

What other advice do I have?

You should fully understand the way CloudGuard would be integrated into your cloud from a networking perspective, and it differs from platform to platform. For example, for Google Cloud, the instances of Cloud Guard must have interfaces in several VPCs as a requirement. Think about the subnetting and routing for your project, then implement a PoC with your networking staff.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior System Engineer at Gas South
Real User
Secures our assets in the cloud while providing access to applications in our vendor hosted data centers via IPSEC tunnels
Pros and Cons
  • "We have found the overall functionality of the product to be exactly similar to the physical product. The one good advantage is that it is cloud-based and can be deployed either as a part of a scale set or one can shut down the virtual machine and adjust the physical parameters of the virtual machine easily and bring it right back up."
  • "I think they have pretty much mastered what can be done. There are some nuances like when you fail over from one cluster member to the other, the external IP address takes about two minutes to fail over."

What is our primary use case?

It secures our assets in the cloud while providing access to applications in our vendor hosted data centers via IPSEC tunnels. We also use it for endpoint vpn for all our users. We have it deployed in our cloud and it forms the gateway for all external connectivity and access to the assets in the cloud. We also have a backup site to site connection with our on premise data center so in case the primary connection to the cloud fails we can quick fail over to this backup connection and business can continue as normal .

How has it helped my organization?

We have it deployed in our cloud and it forms the gateway for all external connectivity and access to the assets in the cloud. CloudGuard IaaS has given us the complete redundancy that we have been designing and planning for over 2 years. CloudGuard provided the Gas South remote users with an alternate and secure connection into our completed IT infrastructure so that our remote users can log into CloudGuard end-user VPN over a secure and encrypted method and work as normal. This has come in very handy during this COVID-19 times.

What is most valuable?

We have found the overall functionality of the product to be exactly similar to the physical product. The one good advantage is that it is cloud-based and can be deployed either as a part of a scale set or one can shut down the virtual machine and adjust the physical parameters of the virtual machine easily and bring it right back up. Also if deployed as a cluster this can be done without any downtime at all since you can take down one virtual machine at a time to upgrade. Overall a very well designed product

What needs improvement?

I think they have pretty much mastered what can be done. There are some nuances like when you fail over from one cluster member to the other, the external IP address takes about two minutes to fail over. During this time there is an outage of service. On digging into this further I found that this is more on the cloud fabric and provider side than the actual Checkpoint CloudGuard side. The Cloud provider is taking that long to actually detach the Virtual IP Address (VIP) from one machine and fail it over to the other

For how long have I used the solution?

Almost two years.

Which solution did I use previously and why did I switch?

We have always been a Check Point customer.

What's my experience with pricing, setup cost, and licensing?

If you are a Microsoft Azure customer the setup is very simple. There is already a great template there ready for deployment. Read the deployment guide fully before attempting it. Licensing is built into the deployment but you will get billed separately as a market place deployment and does not get charged to your subscription. This is a bit frustrating but they are working on fixing this

Which other solutions did I evaluate?

We did look at bring in other alternate vendors before settling on CloudGuard. We did a POC of Fortinet.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
M Poczobut - PeerSpot reviewer
CISO and Senior Director Technical Operations at a insurance company with 201-500 employees
Real User
Extends required threat protection to all of our virtual assets, regardless of where they reside
Pros and Cons
  • "What's most valuable to me is that it's a contiguous solution that aligns well with the components that we've relied on and trusted from a traditional hardware, firewall, and unified threat management system. My engineers and analysts don't have to learn another platform. We have already entrusted our security controls to Check Point for perimeter and physical security, and now we can do so at the virtual layer as well, which is key to us."
  • "It's meeting our needs at this time. If I could make it better, it would be by making it more standalone. That would be beneficial to us. I say that because our current platform for virtualization is VMware. The issue isn't any fault of Check Point, it's more how the virtualization platform partners allow for that partnership and integration. There has to be close ties and partnerships between the vendors to ensure interoperability and sup-portability. There is only so far that Check Point, or any security vendor technology can go without the partnership and enablement of the virtualization platform vendor as it relies on "Service Insertion" to maintain optimal performance."

What is our primary use case?

Most security solutions traditionally have been protecting physical assets within an environment, or reliance on an inline hardware appliance. CloudGuard takes the security controls that were previously packaged with physical appliances in mind and extends them to the virtual infrastructure.

It's an add-on capability to an existing virtual infrastructure, such as an AWS, Azure, or even on-premise solutions. It adds a security layer on top of your existing infrastructure with zero latency.

We're hosting it ourselves on our hypervisors, as well as starting to do so in some of our private cloud instances. It's solely managed by us with a pair of consolidated management servers.

How has it helped my organization?

This virtual platform is unique in the way that it augments our existing physical controls through a centralized management system. When many organizations, like ours, went from physical servers to virtual servers and desktops, there was a blind spot there. We no longer had visibility into what was happening within our environment, and that extended to the cloud as well where it's difficult, if not impossible, to introduce hardware — firewalls and other security protection. This solution takes what is still required around intrusion detection/prevention, anti-malware, and other threat protection capabilities and extends it to all of our virtual assets, regardless of where they live, in a private or public cloud.

CloudGuard has closed a significant gap that we had in our environment. We were searching for the right solution for many years, to gain visibility into, and protection of, all of our virtual asset servers, desktops, and workloads. There have been other products throughout the years that provided a similar type of technology, but had we purchased and move forward with those, we would have seen a degradation of performance within our environment, as traffic would have to be what's considered "hair-pinning" and going in and out of the virtual environment to another either virtual or physical appliance. We intentionally delayed our purchase of this kind of solution because we were not satisfied with that architecture. We weren't willing sacrifice performance degradation on our network. That's really the big benefit of the CloudGuard, it is able to live within the same virtual instances as the other virtual assets and workloads.

What is most valuable?

What's most valuable to me is that it's a contiguous solution that aligns well with the components that we've relied on and trusted from a traditional hardware, firewall, and unified threat management system. My engineers and analysts don't have to learn another platform. We have already entrusted our security controls to Check Point for perimeter and physical security, and now we can do so at the virtual layer as well, which is key to us. It really augments their current stack of capabilities. It all aligns well under their umbrella of their Infinity architecture, which we have adopted.

What needs improvement?

It's meeting our needs at this time. If I could make it better, it would be by making it more standalone. That would be beneficial to us. I say that because our current platform for virtualization is VMware. The issue isn't any fault of Check Point, it's more how the virtualization platform partners allow for that partnership and integration. There has to be close ties and partnerships between the vendors to ensure interoperability and sup-portability. There is only so far that Check Point, or any security vendor technology can go without the partnership and enablement of the virtualization platform vendor as it relies on "Service Insertion" to maintain optimal performance. 

We are frequently in contact with Check Point's Diamond Support, Product Development Managers as well as their sales team, as we look to keep apprised of where the product ius and should be going. Most of our requests have been around our physical assets, the physical UTM devices — Check Point Maestro, as an example — as well as their endpoint systems. There has not been anything at this time where we've said, "We wish CloudGuard did X differently." CloudGuard, in my opinion, having recently talked with them, is continously improving and is incorporating some of their recently acquired capabilities, such as Dome9 cloud compliance. Those are areas I have been evaluating and looking to add to my environment. My preference would be that it be included in my CloudGuard subscription licensing, and not an add-on; But that's the only thing that I could say that would be beneficial to us as an enhancement to the system.

For how long have I used the solution?

We've been using Check Point CloudGuard IaaS for about three years.

What do I think about the stability of the solution?

The stability has been great. There has been no concern at all. We have not had any known downtime or issues to speak of.

What do I think about the scalability of the solution?

Scalability was well thought out and designed. I've spoken about this at several Check Point CPX events. Throughout the instances that we have, if a single Check Point CloudGuard instance is overloaded due to event load, it will intelligently redirect that workload to another service on a different host, so that it's not delaying the interrogation of the traffic.

It's being used throughout our environment. We will increase usage only when we augment our cloud offerings.

Users, in this case, are the IT security and networking folks that support it and rely on these controls being effective. They analyze the output of the event interrogation. Right now, I have three resources supporting CloudGuard. I don't have dedicated staff for maintaining the solution. They're shared resources who work on other network and security devices. From an operational standpoint, it's a fraction of an FTE that is required.

How are customer service and technical support?

Check Point's technical support for this solution, overall, is very good. Check Point has architected this solution well enough that it has similar, if not the same, code base as the physical devices. It doesn't appear to be a big lift and can leverage the same support engineers for CloudGuard as we would have for our physical devices.

Which solution did I use previously and why did I switch?

We never found a solution we were satisfied with, and which would not affect our overall operational performance.

How was the initial setup?

I was not personally involved in the initial deployment, as I'm the CISO of the organization, but I was closely engaged with my engineers. The CloudGuard portion of our installation and setup was extremely simple, in comparison to the integrated component on the virtualization side of things. Check Point made it extremely easy to deploy and configure, especially because it's done from our consolidated management devices that we're already familiar from our physical unified threat management devices.

The delays in deployment were mostly due to the virtualization side of things. If it was just CloudGuard alone, we probably could have had that done in about six to eight weeks. But there were several starts and stops due to the accompanying VMware component, which has really extended, I hate to say it, over 12 months.

In terms of our implementation strategy, the intent is that every host in our environment that serves up virtual assets and workloads would have an instance of CloudGuard installed on it. And then all respective HTTP/HTTPS traffic would be routed through Check Point for visibility and interrogation, so that if any of its threat controls determined that an asset was rogue or infected due to some malicious insider or outsider, it would automatically quarantine that device. We have tested that and it worked successfully.

What about the implementation team?

We installed it with the help of Check Point-badged engineers. To be honest, we had to ask for a new lead engineer. And once that occurred, the project implementation went very smoothly.

What was our ROI?

ROI is a very difficult metric in the security space. We've been fortunate that we haven't had an event in which we would say that because of CloudGuard our MTTD and MTTR was low and we quickly identified and stopped a malicious adversary.

However, we are now more confident in our security controls and visibility. CloudGuard plays a significant role in our SOAR (Security Orchestration Automation and Response) initiative. We can now automate the isolation of an infected machine with the help of CloudGuard.  This in itself is the best ROI as it doesn't require manual intervention to detect and respond.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing of this is much more digestible than that of its hardware equivalent. I've found, in times past, especially on the hardware side of things, that the licensing support and maintenance could be very daunting to understand. If that has scared folks away in the past, CloudGuard is much simpler. 

Licensing is simply by the number of hosts that you are looking to protect within your environment. It makes it much easier to ensure that you are covering your environment.

If you are not already a Check Point customer for the UTM and the SmartEvent, there likely would be an additional cost, beyond the standard CloudGuard licensing, if you wanted the reporting. It's a unique instance where we already had an established infrastructure of Check Point devices on our network, and then we added CloudGuard to it. Had we started with CloudGuard, and only had virtual assets to protect, it is possible that there would be additional cost. I would urge folks to look into what it would cost to add the reporting capabilities and log event management.

Which other solutions did I evaluate?

We looked at offerings from Cisco (ACI), Illumio and Gigamon. This was about three-and-a-half years ago.

The main differentiator, and the reason we selected Check Point, is how it integrated with our virtualization platforms. It lived there natively. It had the least amount of overhead to interrogate the traffic within our environment. It also aligned well with our consolidated reporting and management solutions that we have come to rely on from our Check Point physical UTM devices.

What other advice do I have?

Intently know and understand the integration points within your environment. It is a great security solution, but understand how integrated it is with, and what level of partnership there is between, Check Point and the virtualization platform that you're looking to add it on top of.

The biggest lesson I have learned is that the Check Point CloudGuard features, although good, are only as good as the accompanying virtual platform and its level of integration. I have to be honest: Overall, this is the ideal solution for us and our organization, but it is slightly more complex. There are newer competitive products that take a different stance, that are agent-based. We did not want — and this is another key distinction — a solution that wasn't agent-based in which we had to deploy a piece of software on each and every virtual endpoint. Having this done at the hypervisor level definitely was the right strategy for us. However, the lesson learned, with this type of solution, is that it is very important to understand the nuances of your virtualization platform and what is required on that side to enable the Check Point CloudGuard.

You're relying heavily on the partnership and the capabilities of that virtualization platform. Going in, understand the degree of that partnership and the respective road maps of each, because the CloudGuard solution is only as good as the capabilities it has with the virtualization platform. That's especially true for large enterprises that want to constantly move workloads around and have their rule set follow in an event where they're having to ensure that systems are always alive and always protected.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
RAMAKRISHNANV V - PeerSpot reviewer
Senior Security Architect at a computer software company with 10,001+ employees
Real User
Auto-scaling and zero touch are major security features
Pros and Cons
  • "Auto-scaling and zero touch are valuable features."
  • "Zero touch removes any independence for configuring."

What is our primary use case?

My experience with the solution has mainly been implementing it with an auto-scaling on behalf of my clients. My job was to migrate an on-prem firewall to AWS cloud. I'm a senior security architect. 

What is most valuable?

I think one of the valuable features is the auto-scaling, which is based on traffic and  automatically spins one more firewall and adds it to the management server. The zero touch is also a valuable feature. After re-tagging the next internal load balancer within Check Point, it automatically writes up a mac rule and an access rule. As long as you're adding a server into the internal load balancer, you won't need to touch anything. In a Check Point firewall, the mac rules and access rules are automatically written up. Zero touch means there is no need to insert rules again when you're adding servers internally. 

What needs improvement?

There is definitely some improvement required. We currently use a deployment template provided by AWS each time. If I want to clean up the IaaS I have to use the IaaS template which should not be necessary. Secondly, because it's zero touch, I cannot write up any rules in the firewall. I understand these features might have been built particularly for zero-touch but from the perspective of a network and firewall engineer, some independence to configure something on the firewall would be appreciated. 

An additional feature that could improve the solution would be to enable both automatic and manual control that would allow the engineer complete control over the firewall.

What do I think about the stability of the solution?

The solution is generally stable although it crashed one time while I was implementing. 

What do I think about the scalability of the solution?

The solution is absolutely scalable. 

How are customer service and technical support?

The technical support is excellent.

What other advice do I have?

My advice to anyone wanting to implement this solution would be to religiously follow the guidelines. 

I would rate this solution an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user1033941 - PeerSpot reviewer
CTO at a healthcare company with 10,001+ employees
Real User
Secure, reliable, and has good technical support
Pros and Cons
  • "The most valuable feature for us is the cluster support."
  • "Our biggest complaint concerns the high resource usage for IDP/IPS, as we cannot turn on all of the features even with new hardware."

What is our primary use case?

We use this solution as our perimeter firewall. 

What is most valuable?

The most valuable feature for us is the cluster support. We have been using this for a long time, so it is not a feature from the latest version.

What needs improvement?

We would like to be able to scale out such that we can increase performance within a cluster with more active nodes.

Our biggest complaint concerns the high resource usage for IDS/IPS, as we cannot turn on all of the features even with a recent hardware upgrade.

A great enhancement for this solution would be an active-active or multi-active scalability.

As we need to fulfill higher bandwidth demands due to increased cloud usage and research-driven data exchange, we might need to look for other vendors with more competitive pricing.

For how long have I used the solution?

I have been using this solution for two years.

What do I think about the stability of the solution?

This is a stable solution.

Six months ago, we updated our version to the most recent one.

What do I think about the scalability of the solution?

The scalability of this solution is limited, which is why we have started looking for alternatives. Currently, we have about twenty-thousand users.

How are customer service and technical support?

Technical support for this solution is good. They have a quick response and the solution was available within a short period.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

This initial setup of this solution is complex.

The preparation for deployment took two days, and the deployment itself took about two hours.

We have three staff who are responsible for maintaining the firewall, although there are more tasks that they handle, in addition to it.

What about the implementation team?

We enlisted the help of a service provider to assist us with the implementation. 

What's my experience with pricing, setup cost, and licensing?

The price of this solution could be improved. We pay approximately ‎€150,000 ($166,000 USD) per year. We receive four days of support every year from our service provider before we have to contact Check Point. 

Which other solutions did I evaluate?

We did not evaluate other options before choosing this solution, although we are currently considering alternative solutions from Forcepoint and Fortinet.

What other advice do I have?

My advice for anybody who is considering this solution is to start by identifying high-bandwidth use cases. If you have any, and you have a high-security requirement, then I suggest considering other options.

This is a secure and reliable solution for us, although we are a bit disappointed with the limited scalability and resource consumption.  

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Network Security Engineer at a government
Real User
All-in-one-box solution with easy configuration and great routing
Pros and Cons
  • "As per the solution's blade design, there are many options. For example, you have to buy a UTM blade and an advanced malware blade, etc. If the blade license is there, we can configure from the firewall GUI."
  • "If you compare the GUI with the Palo Alto and Forcepoint in the Cisco, they're very easy. Check Point, due to its design, is a little bit complex. They should make the GUI easy to use so that anyone can understand it easily, like Fortinet's GUI. Many companies end up using Fortinet because the GUI is very easy, and there's no need for training. They just deploy the box and do the configuration."

What is most valuable?

As per the solution's blade design, there are many options. For example, you have to buy a UTM blade and an advanced malware blade, etc. If the blade license is there, we can configure from the firewall GUI. 

The net policy and routing are also great features.

What needs improvement?

If you compare the GUI with the Palo Alto and Cisco, they're very easy. Check Point, due to its design, is a little bit complex. They should make the GUI easy to use so that anyone can understand it, like Fortinet's GUI. Many companies end up using Fortinet because the GUI is very easy, and there's no need for training. They just deploy the box and do the configuration.

Also, we have to inform customers that with Check Point there's no need to purchase any routing device. Check Point can do that routing as well as the Firewall and the IPS. The marketing should be stronger, to show that customers only need one box to handle all the features. It will be cost-effective and enhance the performance and value, but because of their poor marketing, customers don't realize this.

In the future, a color string would be powerful. Sandboxing should also be offered. Many people want the Trend Sandbox but not on the cloud. In the Middle East, there is a policy for Sandboxing that states it should be on Trend as per the government law. They have Sandboxing solutions on the cloud, but they have to bring the solution onto Trend also. Palo Alto has Wildfire, Cisco has Talos, and Forcepoint has one available as well.

In the future, routing protocols should be more supported like OSPF and BGP. There needs to be integration with the SDN. I don't know if SDN is there or not in Check Point, but SDN is one of the major requirements nowadays.

For how long have I used the solution?

I've been using the solution for one month.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

We just deployed the solution, so scalability I cannot speak to right now. But, as per Gartner and NSS Lab, they're allegedly very good. I don't think there will be an issue with scalability.

Which solution did I use previously and why did I switch?

I am currently also working on Cisco ASA, Fortinet, and Palo Alto.

What about the implementation team?

I'm an Operation Engineer; I handle the deployments myself. 

What's my experience with pricing, setup cost, and licensing?

Compared to Cisco Firepower Threat Defense, the solution is cheap. However, not as cheap as Fortinet or Palo Alto. If clients have smaller budgets, we would have to advise one of those instead.

What other advice do I have?

There are two deployment model modes in Check Point. One is a gateway level and one is a no gateway all-in-one box solution. With the gateway level, only hardware will be there, all operating systems are stored in a VMware and if there are any issues in the hardware, you just replace the box; all of your policies will be saved into VMware.

The all-in-one box you have the GUI policies and also the gateway so it's secure. If there is an issue in the box - like failure or downtime - all of the networks will be affected.

I would rate the solution eight out of ten. We haven't been using it too long, so we haven't had a chance to look at all aspects of the solution. I would recommend Check Point to customers because it is an affordable option.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Siju Siju - PeerSpot reviewer
Assistant Manager IT Projects at Mustafa Sultan
Real User
Reliable solution with a unique architecture that creates flexibility in the deployment
Pros and Cons
  • "A unique architecture makes this product stand out from other solutions."
  • "It can be difficult to install properly without prior training"

What is our primary use case?

We install the solution for our customers and Check Point is our preferred solution in any firewall deployment. The two-layer architecture with the administration and security makes a difference and in every instance, we know who the user is.

The touch features are very different than other brands. From the feedback I get from my customers, Check Point is the best.

How has it helped my organization?

Check Point gives us a strong solution that we can depend on when deploying it for clients.

What is most valuable?

The most valuable features are within the unique architecture that creates flexibility in the deployment.

What needs improvement?

The knowledge base that is available is limited and it is on a closed network where only a customer or certified engineer will know about it. A beginner who wants to learn about the product actually has to enroll in training or get certified and have a valid license or certification to access information. That is something I find strange as most users would like to know about it. The new users would like to be able to see those areas and what type of concerns or any configuration issues they may have before deciding to work with the product. To me, that is a simple open-mindedness. In terms of the availability of the system and functionality of the product, there's no concern. But the problem is that efficient VSX (Virtual System Extension) deployment is complicated. Most of our customers are afraid to deploy any configuration changes because they are afraid something will happen.

It's not the same situation as with other products. I guess the reason behind it is the kind of architecture which they are using. There are more possibilities to crash than other products. That is the feedback I normally get from end-users, but even so, for us, I would say it's one of the best product.

For how long have I used the solution?

We've been using this product for over two years.

What do I think about the stability of the solution?

Check Point is very stable. I would say that initially there were a couple of issues we had during deployments. But now we have climbed the learning curve of the product and all installations are very stable. We have most clients running on version 7.3 and didn't upgrade most further from there because we know that 7.3 is stable and it is what we are running most of the customers now.

What do I think about the scalability of the solution?

Scalability is fine. In fact, we are demonstrating the hyper scale with most of the customer now. There is no doubt about the scalability and it is not a problem.

How are customer service and technical support?

Up until now, we have not had to register with technical support from Check Point. If we needed help we got support with the presale technical support team from our region. He was able to help us internally. The team helps us to get products stable. Up until now, we did not contact them. It is not very transparent. They approach resolutions through a partner and the partner solves the case. They seem to mostly depend on partners for the resolution of issues.

Which solution did I use previously and why did I switch?

We deploy a variety of products for our clients depending on their needs. Check Point is one of the most reliable.

How was the initial setup?

I would say that the installation is straightforward when you have learned about the architecture. Before that, the installations may be a little confusing.

What about the implementation team?

We are partners with Check Point so we handle the installations and deployment. In the beginning, we did have some engineers from Check Point assist us in the initial installations, but after that it was fine and we were able to manage it by ourselves.

What's my experience with pricing, setup cost, and licensing?

Check Point pricing is high. It is a sector where there is heavy competition so it does not help when trying to sell the product. But one thing is that the sales chain is fantastic. The price is usually the most difficult thing when we discuss Check Point with customers, their feedback is that it is not a competitively inexpensive product. Clients want to know why that is and if we could scale the price. Check Point can have more presence in the market, but if they want it to compete, they have to come down in price a little more. I would say 20 to 30% lower. The product is fine.

What other advice do I have?

The web application firewall is commonly used in most firewalls now. If they can add that as a feature, it would be a very strong scenario. When we use Check Point on a perimeter or a DMZ zone, the first thing that clients ask is if there is wireless protection. Check Point has IPS (Intrusion Prevention System) but it does not have wireless protection. So if production is using the cloud if they can integrate mobile app protection, mobile shielding, there's more value for Check Point, but if they include that, Check Point could be the very best firewall option.

On a scale from one to ten, when one is the worst and ten is the best, I would rate Check Point as an eight. It needs to do better in pricing and with broader features for mobile.

One thing that I learned from multiple installations of Check Point is that you have to train the customer before implementing. Unless the customer is already a highly skilled security engineer so that they know what they can get out of the product, they will not be as satisfied. Otherwise, just before the deployment, we have them go for training so they understand the product and what it can do.

They will be happier and they won't choose to go with another product in the future. Even with my engineers who understand many other products, I trained them properly before I send them out for deployments. Check Point is not a product that if you don't know you can just install without knowing anything about it. You have to know the architecture first. You have to know each and every option than work on the product. Then it will be far better and say no to certain features which are not important to use. On the other hand, knowing it is available is fantastic and becomes an option in the right situations.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
it_user919560 - PeerSpot reviewer
Consultant at a government with 10,001+ employees
Consultant
A good firewall solution that's extremely stable and can scale easily
Pros and Cons
  • "The IPS, application and URL filtering, as well as Identity Awareness, are all very valuable features."
  • "Sometimes, if you aren't familiar with the solution, it can be a bit complex, but it does become easier to use with time. However, every time they launch a new version, it becomes more complex and you need to take time to get familiar with all the changes. For every version that they upgrade, you need to upskill yourself."

What is our primary use case?

We primarily use the solution as firewall security for our clients.

What is most valuable?

The IPS, application and URL filtering, as well as Identity Awareness, are all very valuable features.

What needs improvement?

Reporting needs improvement. It's difficult to utilize properly. Currently, I'm in a situation whereby a client of ours is looking for reporting on their organizational unit. Check Point has failed to do that. We've been trying to do it for the past month and we haven't been able to. We've also gotten techs from Check Point to call us to help and we just can't get the solution to do what we need it to do.

Sometimes, if you aren't familiar with the solution, it can be a bit complex, but it does become easier to use with time. However, every time they launch a new version, it becomes more complex and you need to take time to get familiar with all the changes. For every version that they upgrade, you need to upskill yourself. 

For how long have I used the solution?

I've been using the solution for three years.

What do I think about the stability of the solution?

The stability of the solution is fantastic.

What do I think about the scalability of the solution?

The scalability potential of the solution is great. We use the solution quite extensively. We do plan to increase usage in the future.

How are customer service and technical support?

If I were rating technical support out of ten, I would give it a seven. They're inconsistent. Sometimes you do get guys from Check Point to help you out and then sometimes you don't. Sometimes it's hard getting a hold of them.

Which solution did I use previously and why did I switch?

We didn't previously use a different solution.

How was the initial setup?

The initial setup is straightforward. The time it takes to deploy depends on the organization.

What about the implementation team?

We handled the implementation ourselves.

Which other solutions did I evaluate?

I am familiar with Fortinet, although I didn't do a direct comparison. I did compare other solutions as well.

What other advice do I have?

For those who want to implement the solution, they should make sure they have a very strong networking background.

I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user583365 - PeerSpot reviewer
Head of Cyber Security Department at NGT Group
Real User
Completely closes the potential vulnerability channel and has excellent scanning and reporting
Pros and Cons
  • "We find Check Point valuable because they are 100% focused on security. It totally closes the potential vulnerability channel. We can check our mail and our attachments and we can scan everything easily. We get an immediate report about the situation of the attachments. We can discover if the target's security attack was started from phishing, etc. We also enjoy using the additional features that protect our internal customer from targeted attacks."
  • "The stability of the solution could be improved, but this is the problem of all the solutions in the market. This isn't just a problem specific to Check Point."

What is our primary use case?

We are able to use the solution for cloud protection and in parallel with or just for network protection. In our scenario, we use it as a border network firewall, which is based on a virtual environment and we're using it for the border protection of our network. 

What is most valuable?

We find Check Point valuable because they are 100% focused on security. It totally closes the potential vulnerability channel. We can check our mail and our attachments and we can scan everything easily. We get an immediate report about the situation of the attachments. We can discover if the target's security attack was started from phishing, etc. We also enjoy using the additional features that protect our internal customer from targeted attacks.

What needs improvement?

The stability of the solution could be improved, but this is the problem of all the solutions in the market. This isn't just a problem specific to Check Point.

For how long have I used the solution?

I've been using the solution for four years.

What do I think about the stability of the solution?

The stability is good. It's really good compared with Palo Alto, Fortinet, and Cisco, most of all. But it definitely can be better.

What do I think about the scalability of the solution?

The scalability of the solution is good. Right now, the solution protects about 400 customers.

How are customer service and technical support?

The solution's technical support is good. If we have problems, we can speak directly to Check Point, or we can speak to one of their partners or a local partner. The solution has a great community that surrounds it.

How was the initial setup?

The initial setup was complex because we were using a complex networking architecture. It took us about two days to implement the solution. For administration of all of this infrastructure, we need two people. For deployment and maintenance, we need just one person.

What about the implementation team?

We used the implementation guide provided by the company to assist with deployment.

What's my experience with pricing, setup cost, and licensing?

Our licensing is yearly at a fixed cost.

The solution has a very flexible pricing model. It can provide the same level of security and performance, but in parallel, can be subscription-based.

What other advice do I have?

The solution is the on-premises deployment model which we use in our server environment.

We are an integration company, and although we deal with other solutions, we mainly focus on Check Point.

The solution is a great mix of user experience, flexibility, security features, and cost. After five years, I believe the total cost ownership will be much cheaper than any competitor.

The advice I would give to others interested in implementing is that this solution does have security problems. Not Check Point, per se, but in the network environment. The security recommendation from the Check Point and from us is to use the VSX in the internal network. It should not protect your border because there are some issues around bugs, etc. It could cause vulnerabilities if it's used this way. 

I would rate this solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user819654 - PeerSpot reviewer
Network Consultant Engineer at a tech services company with 11-50 employees
Consultant
Excellent technical support but the zero-day threat detection needs improvement
Pros and Cons
  • "The program is very stable."
  • "It is a very expensive program and there are additional costs despite the standard licensing fees."

What is our primary use case?

Our primary use case of this solution is for security.

What is most valuable?

The IPs and the VPN are the most valuable features of this solution.

What needs improvement?

I would like to see an improvement on the zero-day threat detection. It is also not very user-friendly, so it would be great if it could be less complicated and easier to operate. The dashboard needs to be easier to use.

Also, if the solution could be cheaper, it would really help, because it is very expensive. 

I would like to see sand boxing added to the new version.

For how long have I used the solution?

I have been using Check Point Virtual Systems for ten years now.

What do I think about the stability of the solution?

The program is very stable.

How are customer service and technical support?

The technical support is excellent and they always responded when we had an issue.

How was the initial setup?

The initial setup wasn't too complicated, but it wasn't very easy and straightforward. Deployment took us about a week. 

What's my experience with pricing, setup cost, and licensing?

It is a very expensive program and there are additional costs despite the standard licensing fees. So I would like to see it being more affordable in the future.

What other advice do I have?

I will recommend this program to others and my rating is seven out of ten. I do recommend that users should always use the checkpoints and backup as often as they can.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user715161 - PeerSpot reviewer
Director at InfoGuardian
Real User
An expandable solution that can be upgraded on-demand and as required
Pros and Cons
  • "The most valuable feature of this solution is that you can start off with a simple firewall and expand it to UTM."
  • "The management console can be simplified because at the moment, it is a bit of a challenge to use."

What is our primary use case?

We are a solution reseller, and we also assist our clients with support. This is one of the solutions that we provide to our customers.

This solution can be deployed in many ways. It is available in the cloud on AWS and Azure. You can install it in a virtual machine, you can have it as a hybrid, and you can have it on-premises.

What is most valuable?

The most valuable feature of this solution is that you can start off with a simple firewall and expand it to UTM. You don't have to buy a UTM to start off with, but rather, you can buy a simple firewall and upgrade it. The simple firewall comes with many of the UTM features, in any case.

What needs improvement?

The management console can be simplified because at the moment, it is a bit of a challenge to use.

I would like to see support for software-defined wirings in the next release of this solution.

For how long have I used the solution?

I have been working with this solution for eighteen years.

What do I think about the stability of the solution?

I've got Check Point systems that have not been rebooted in two years, so it is quite stable.

What do I think about the scalability of the solution?

This solution is quite scalable, but it requires hardware upgrades from time to time. Or, if you go with a virtual environment then it is very scalable because you start with one CPU and can increase to twenty-four CPUs.

How are customer service and technical support?

Technical support for this solution is fairly good. We have got enough skill in our business to do most of it, but once you raise a call with support, they give you quite the fast and effective answer.

How was the initial setup?

The initial setup of this solution is in-between, but more on the complex side. It's not the most complex product that I've worked with, but definitely not the simplest product that I've worked with.

What's my experience with pricing, setup cost, and licensing?

The price of this solution varies from small to extremely expensive. On average, it is normally on the lower end, being less expensive than Palo Alto or Cisco.

What other advice do I have?

The biggest lesson that I have learned from this solution is to never assume that something is simple, because there's always a hidden snag that we run into.

I would rate this solution a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
it_user1146165 - PeerSpot reviewer
it_user1146165Cibersecurity Pre-Sales at a tech services company with 10,001+ employees
Real User

Auto-Scale Palo Alto Networks VM-Series Firewalls in a Public Cloud Environment
For environments that require an automatic deployment as scale out of the security services is required, you can
combine bootstrapping with additional automation that monitors the security services and, when performance limits
are reached, triggers (CloudWatch) the automatic deployment and bootstrap of a new firewall to the security layer.
Auto-scaling works differently in every environment because tools that are specific to each public cloud environment
monitor and trigger the firewall deployment. Auto-scaling in AWS uses AWS services such as Lambda, Amazon Cloud-
Watch, S3, and SNS, in addition to the APIs and bootstrapping on the firewalls. In Azure, you use AppInsights and
Virtual Machine Scale Sets to monitor the environment and trigger the automatic deployment of a new firewall. You
can use a number of metrics in order to trigger the auto-scale event. Examples include:
• Data Plane CPU Utilization %
• GP Gateway Utilization %
• Active Sessions
• Data Plane Packet Buffer Utilization %
• SSL Proxy Session Utilization %
• Session Utilization %
Just like in the previous example, you must create the bootstrap container before automatic scale-out. The automation
monitors the appropriate metric on the existing firewalls, and after the value is higher than allowed for the right amount
of time, the scale-out event triggers the same firewall deployment as in the previous example. After the firewall is deployed and has a configuration provided by Panorama, the auto-scale automation adds the new firewall to the backend pool of the load balancer, ensuring that traffic load is appropriately distributed to the new firewall.

Operational Response to a Changing Environment
In virtual private data center and public cloud environments where new compute instances are created as needed for
scale, the administrative overhead in managing security policy can be cumbersome. Using dynamic address groups in
security policy allows for agility and prevents disruption in services or gaps in protection.
The VM-Monitoring Agent on the firewall can pull IP address and tag information from the cloud environment. Predefined dynamic address groups use the tag information to automatically associate IP addresses to pre-defined rules in the security policy. When there are multiple firewalls in the environment, they all can monitor the same source for IP and tag information. This provides the firewalls a dynamic but consistent view of the resources within the environment.
Dynamic address groups allow the firewall security policy to respond to a changing environment, but the applications
running in the environment must be well known for the appropriate dynamic address groups and security policy rules
to be created. Configuration automation can be used to provide a security policy that automatically is configured when
new applications are deployed to the environment.

Security Response Based on Log Information
Although log information alone can be extremely valuable to a security administrator, manually sifting through the logs
and responding to security events takes too long and requires too many administrative resources. Automated security
actions in the firewall can respond when a previously identified scenario presents itself in the logs. For example, when
Panorama sees a correlation event, it can use the source IP address from the log and use auto-tagging to attach a predefined tag, such as “Compromised.”
You can configure a dynamic address group on the firewall that is associated to the IP addresses with the “Compromised” tag. You can then create a security policy that blocks the traffic or enforces multi-factor authentication (MFA) for these endpoints that uses the dynamic address group as the source. If the user on the endpoint is malicious, MFA blocks their attempt to move laterally within the network, protecting sensitive data.
If the user continues to attempt to move laterally, Panorama can automatically use additional tags to block the IP and
HTTP log forwarding to log an incident. Panorama can use the ServiceNow ticketing system HTTP API to create a ticket so that the operations team is aware of this action on the endpoint. They can then investigate the incident, remediate the endpoint if needed, and remove the associated tags the apply the enhanced security policy.

Security Response to Improper Cloud Environment Configuration
RedLock cloud security provides organizations configuration security alerting for AWS, Azure, and GCP environments
and provides integrations that allow remediation to be automated. Using auto-remediation, organizations can make
sure alerts are automatically remediated before they, or malicious actors, even know there’s an issue. For example,
reconfiguring a security group rule that allows ingress traffic from the public Internet and opening a ticket with Service-
Now for tracking minutes after it’s been created.
RedLock uses the following automation process to remediate issues:
1. Using the cloud environment’s API, continuously perform checks against the configured signatures and policies.
2. If the resulting analysis determines a signature did not pass, send the failed alert to an integration such as
ServiceNow or AWS Simple Notification Service (SNS).
3. The AWS SNS service triggers the workflow automation and launches the AWS Lambda auto-remediation
function.
4. Using the AWS API, auto-remediate and fix the offending issue.
5. Send the resulting logs to AWS CloudWatch.

Network and Security Manager at a financial services firm with 1,001-5,000 employees
Real User
Our network performance has increased since implementing this solution

What is our primary use case?

This solution is very important for our network. We use it for the data on our servers and for our internet connections. We also use it for all of our user devices to connect to outside corporations. The IPS on our devices prevents any issues from occurring. We use the on-prem version of this solution.

What is most valuable?

We currently upgraded our devices to a new version. We have noticed a performance increase. We tested filtering features and it's an interesting feature that helps us with our tasks. We don't need very complex features.

For how long have I used the solution?

We have been using Check Point for about two years.

What do I think about the stability of the solution?

It's a high-performance device. The network performance is also really good. We check how much time it takes for the servers. Our network performance has increased since using this solution. 

How are customer service and technical support?

We have a local consultant for this solution. They can handle most of the operations with my team. We work together with the consultant sometimes for complicated scenarios like migration.

How was the initial setup?

The initial setup is difficult. It took me three tries to get it right. The setup took two or three hours. We migrated from an old to a new one. It's not so complex but Check Point is complex in comparison to other firewalls. For example, Palo Alto is easier to install than Check Point. 

What's my experience with pricing, setup cost, and licensing?

We negotiate every deal to get a discount for a higher number of devices. 

What other advice do I have?

I would rate it a nine out of ten and I would recommend this solution. Their support team should be faster because sometimes when we need support their responses are late. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Network Engineer at a marketing services firm with 1,001-5,000 employees
Real User
This solution has provided the security that we were lacking on the cloud
Pros and Cons
  • "It is scalable. It's a cloud solution, so it's easy to implement and manage."
  • "I like how straightforward it is and simple it is to implement in the cloud."
  • "The product can still grow."

What is our primary use case?

Our primary use case of this solution is cloud protection for MC65 Operating System, AWS, and Microsoft.

How has it helped my organization?

Right now, we have a hybrid infrastructure. We needed security on the cloud, and this solution has provided the security that we were lacking.

What is most valuable?

  • Traps prevention
  • Security on the cloud

What needs improvement?

The product can still grow.

What do I think about the stability of the solution?

It is fast. It provides what we need at the moment, and it's still growing.

What do I think about the scalability of the solution?

It is scalable. It's a cloud solution, so it's easy to implement and manage.

How are customer service and technical support?

Technical support is fair. I have had some good support technicians when I call in. 

Which solution did I use previously and why did I switch?

We were not on the cloud before. We're a big Check Point customer. Our secure perimeter is checkpoint, so we needed security for the cloud. So, it was a pretty easy decision right there. We evaluated other vendors, but it was easy decision.

How was the initial setup?

The initial setup was straightforward, not complex.

What about the implementation team?

We did our own deployment. We used a reseller for buying the product, but not for the implementation.

Which other solutions did I evaluate?

We also looked at Cisco's cloud products since we have a lot of Cisco products.

What other advice do I have?

Look into it. I like how straightforward it is and simple it is to implement in the cloud. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Senior Network Engineer at a transportation company with 10,001+ employees
Real User
Enables us to move into the cloud without having to change a lot of our internal processes and retrain staff but it has more maturing to do
Pros and Cons
  • "Moving into the cloud without having to change a lot of our internal processes and retrain staff is one of the biggest benefits of this solution."
  • "I would like to see more focus on east-west traffic inspection and AWS."

What is our primary use case?

Our primary use case is for major cloud vendors: AWS and Azure. 

How has it helped my organization?

Moving into the cloud without having to change a lot of our internal processes and retrain staff is one of the biggest benefits of this solution. 

What is most valuable?

It is what we use mainly for on-premise. That is really what has us using the product, as it is sort of our standard for data centers.

What needs improvement?

I would like to see more focus on east-west traffic inspection and AWS.

Things are changing very quickly in the cloud. There is a lot more maturing that needs to happen as far as CloudGuard goes, specifically more around some cloud native type situations where everything is being shoehorned through one or multiple VMs is not optimal.

What do I think about the stability of the solution?

We definitely have to watch new versions and deploy them in a smart way, but that is the way with any type of software.

What do I think about the scalability of the solution?

The scalability depends on the situation. Some situations are not very scalable. High scalability, in AWS, without matting is just not there. It's more of an AWS problem than it is a Check Point problem.

How are customer service and technical support?

We are receiving our technical support through a partner. Therefore, we do not really engage directly with Check Point that much. We use the partner for technical support matters, who is great.

Which solution did I use previously and why did I switch?

We did not use anything previously. Going to the cloud was a new requirement for us.

How was the initial setup?

The initial setup was just as straightforward as setting up a physical Check Point box would have been.

What about the implementation team?

We implemented in-house by deploying it ourselves.

What was our ROI?

We don't really track the ROI on this.

Which other solutions did I evaluate?

We also considered Fortinet. Check Point has better overall integration with Azure.

I was part of the decision-making process.

What other advice do I have?

I would rate it a six out of ten. 

Other vendors typically are working with hardware acceleration and various other products, which you can't get in the cloud. One of the key things that made us more comfortable with Check Point is this is only thing that they do. It's the same exact thing as they are doing on-premise for the most part.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Rakesh Rawat - PeerSpot reviewer
Network Engineer at Acliv Technologies Pvt Ltd
Real User
Enables us to monitor what comes over to our network and we can then check the dashboard and work accordingly
Pros and Cons
  • "The most valuable feature is the monitoring. We can easily monitor what kind of stuff comes over to our network and we can then check the dashboard and work accordingly."
  • "The initial setup was a bit complex."

What is our primary use case?

We use this solution to secure networks. We block unwanted malware. 

How has it helped my organization?

We have a development team who asked us to open reports. We asked that they initiate traffic to see what is blocking them. We then give them reports and after that, they ask to open the report for the traffic application and we work accordingly.

What is most valuable?

The most valuable feature is the monitoring. We can easily monitor what kind of stuff comes over to our network and we can then check the dashboard and work accordingly.

What needs improvement?

I would like for them to develop guides. If you compare it with Cisco, you can just type out any problem you're having regarding Cisco and you will easily get a solution. With Check Point, it's not easy to get a solution.

For how long have I used the solution?

Three to five years.

What do I think about the scalability of the solution?

We maxed out scalability. 

How was the initial setup?

The initial setup was a bit complex. Is take two or three months to implement and we have to continuously work on it. We needed two to three engineers for deployment. 

Which other solutions did I evaluate?

We researched the top firewall solutions and settled on Check Point and Palo Alto. Comparatively, both are good. 

What other advice do I have?

Ultimately Palo Alto is a very advanced firewall. This firewall can easily identify what application is running behind the network.

I would rate this solution an eight out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
PeerSpot user
IT Security Consultant at Cilnet
Consultant
We consolidated from multiple consoles and clusters into an all-in-one cluster solution

How has it helped my organization?

We consolidated from three management consoles and three clusters to only one, which is a big improvement. 

What is most valuable?

In general, Check Point VSX is a good solution. Its blades and VSLS (Virtual System Load Sharing) work fine.

What needs improvement?

Having a web UI in the VSX (or something similar) would be nice. However, you can do everything in the CLI.

For how long have I used the solution?

Less than one year.

Which solution did I use previously and why did I switch?

We are replacing three old cluster ASA firewalls and concentrating it into an all-in-one VSX cluster. This allows our central management have more time for other tasks.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Information Security Analyst at a non-profit with 1,001-5,000 employees
Real User
Multiple virtual firewalls on one box are extremely useful
Pros and Cons
  • "Monitoring using SmartConsole and all its features is extremely easy, and I find SmartEvent an excellent monitoring tool for spotting threats and user behaviour."
  • "The multiple virtual firewalls on one box are extremely useful and the interconnection with virtual switches is simple and easy to understand."
  • "We have Microsoft CASB cloud app security and it's one of the least compatible firewalls. They really need to look at this, as both Check Point and Microsoft are major players. Why aren't they compatible? If we had Palo Alto then we wouldn't have this problem."

How has it helped my organization?

Monitoring using SmartConsole and all its features is extremely easy, and I find SmartEvent an excellent monitoring tool for spotting threats and user behaviour.

What is most valuable?

The multiple virtual firewalls on one box are extremely useful and the interconnection with virtual switches is simple and easy to understand.

We need a product that is logical and for which we can find people skilled who are interested in learning it. Check Point is always a winner, as its an industry standard.

What needs improvement?

We have Microsoft CASB cloud app security and it's one of the least compatible firewalls. They really need to look at this, as both Check Point and Microsoft are major players. Why aren't they compatible? If we had Palo Alto then we wouldn't have this problem.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

No stability issues, not even once. The firewall is set up and and the various parts are interconnected. It works just fine. R80.1 is also a major improvement.

What do I think about the scalability of the solution?

No scalability issues but I don't think we are utilizing the device to its maximum capability.

How are customer service and technical support?

Good. We go with a distributor but they work okay. It is a lot more reliable with the latest OS than it used to be.

Which solution did I use previously and why did I switch?

No previous solution. It's always been Check Point, though before the virtual firewall we used to have a Juniper fw. Now we are just Check Point because for the threats we face now, I don't think we need different firewalls at different layers.

How was the initial setup?

The issue normally is getting SIC working between the gws and the management server. Actually it's reasonably straightforward, though you have to get it right. It used to be you had to have a certain type of disk drive but this is a better solution.

What's my experience with pricing, setup cost, and licensing?

Look into this carefully and be sure you use all you buy. We haven't bought SandBlast or the bot solution but they look effective.

Which other solutions did I evaluate?

We did not evaluate other solutions. It was decided we would stay with Check Point.

What other advice do I have?

Make sure you can make use of the virtual firewalls and read up on the device or take a course before you implement. Or, if you get it installed, make sure you have the right devices in the right virtual firewalls.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Co-founder & CTO at a tech services company with 11-50 employees
Real User
Top 20
Valuable features include centralized management using the MDM solution and the log management module.

What is most valuable?

Valuable features include centralized management using the MDM solution of Check Point and the Log Management module. The latest version of VSX supports all blades of Check Point's security suite.

I get maximum flexibility as I can use a standard management server to manage all virtual gateways along with a dedicated log server for each virtual gateway. Sometimes I can use a single server to manage all virtual gateways.

How has it helped my organization?

Earlier versions only supported the Firewall and VPN feature. Now I can run Anti-Bot/Anti-Virus, URL and App Filtering, Threat Emulation, and other blades.

I can assign weights to each virtual gateway depending on how critical each virtual gateway is.

The VSLS feature provides linear scalability so I can keep adding hardware (maximum of eight) to meet my performance expectations.

What needs improvement?

It is somewhat difficult to upgrade the entire hardware without downtime.

For how long have I used the solution?

We have been implementing this solution to many customers in India and the SAARC region for seven years now. This is one of the most popular virtual firewall products in the industry.

What do I think about the stability of the solution?

We have not encountered any problems with stability.

What do I think about the scalability of the solution?

A sufficient amount of planning is required to deploy a solution that is scalable. However, as Check Point allows an Open Server to deploy its VSX solution, scalability is not a problem once the base hardware is chosen appropriately.

How are customer service and technical support?

Support is one area where efforts should be required from Check Point. Customers having multiple, more than ten, gateways are encouraged to consider Diamond Support services.

Which solution did I use previously and why did I switch?

We did not use any other solution previously.

How was the initial setup?

Engineers having less than three years of hands-on experience on Check Point products may find this product somewhat challenging. However, the best part is, once the product is deployed, there is no difference between virtual gateway and physical gateway from the operational perspective.

What's my experience with pricing, setup cost, and licensing?

Check Point pioneered this product, so don't look anywhere else if you are looking for a stable and scalable product with top-notch security blades.

Which other solutions did I evaluate?

We did not evaluate any alternative products.

What other advice do I have?

Choose your implementation partner very carefully. Choose someone who has done multiple, large-scale implementations and can show proof of the same in terms of customer references through emails or phone calls.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a value added partner of Check Point in India.
PeerSpot user
VikasSharma - PeerSpot reviewer
Senior Security Engineer at a financial services firm with 1,001-5,000 employees
Real User
The product is stable but we had issues when we had really old hardware that had a less than stable OS.

What is most valuable?

The ability to host multiple virtual systems, categorize them based on their function and importance and the ease of use with which these can be deployed.

How has it helped my organization?

We do not need to keep provisioning hardware each time there is a requirement for a new firewall. Having a physical server capable of hosting many virtuals and also provide performance and redundancy is a big benefit and hence our preference for VSX.

What needs improvement?

Each new version does offer a new set of features plus also incorporates bug fixes identified during the life cycle of the previous product. Hence, this product keeps on maturing as newer versions are released.

For how long have I used the solution?

More than 15 years.

What was my experience with deployment of the solution?

Not from a product point of view. The critical aspect here is proper planning, performing several dry runs and identifying potential issues to the best possible extent. It's really about planning and testing prior to implementing.

What do I think about the stability of the solution?

No, because we keep on top of our installations. We maintain them by performing routine maintenance, and hot-fix applications. Stability wise the product is stable but we had issues when we had really old hardware that had a less than stable OS.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

Excellent – the vendor always supports us and is very proactive. We have excellent relations with the vendor.

Technical Support:

Definitely excellent. It’s a pleasure to talk with the tech support people and know they fully understand the issues – this gives us a sense of comfort.

Which solution did I use previously and why did I switch?

No previous solution used.

How was the initial setup?

It was simple. That is because the solution is architectured and designed from the ground up and the relevant teams were involved from the beginning.

What about the implementation team?

We did an in-house implementation.

What was our ROI?

Cannot give exact figures but we have made a lot of saving by implementing this product in our organization.

Which other solutions did I evaluate?

We were clear on our options – no we did not choose any other options save for the most important ones.

What other advice do I have?

Think of VSX as similar to VMware ESX solution. It will, in the long run, save a lot of money with the return it gives to the company. It is easy to maintain by a capable support team and can easily fit within the network where there is a requirement.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user249372 - PeerSpot reviewer
it_user249372Senior Security Consultant with 501-1,000 employees
Vendor

We have found VSX solutions to have lot of issues in our customers networks... Also hard troubleshooting and some anomalies are common. More than one customer feel safer with phisical Check Point appliances rather than VSX and decided to roll-back after some time of use (12 months of production). I can't raccomend this product, if you're looking to firewall instance virtualization, look further and you can find more mature solutions.

PeerSpot user
Senior InfoSec Engineer at a tech services company with 10,001+ employees
Consultant
Very intuitive ACL menu and design. A powerhouse firewall appliacnce

Valuable Features:

Easy to setup and use as its based off Redhat Intuitive ACL menu for writing rules Pre-populated common ports Customizable ports Suite of tools to report and troubleshoot network conditions

Room for Improvement:

At the beginning the design can be overwhelming, where to start Getting used to the CLI syntax but do-able

Other Advice:

This enterprise class firewall appliance is great and very intuitive menu. Great for inline firewall access control to work with Cisco or any vendor switch. It has a suite of applications to help you setup virtual firewalls and provide redundancy or bandwidth to whatever application or service you are providing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Manager of Infrastructure with 51-200 employees
Vendor
It has improved the way our organization functions in terms of visualization, simplicity, manageability, and support.

Valuable Features

Most of all, depends upon your environment.

Improvements to My Organization

It has improved the way our organization functions in terms of visualization, simplicity, manageability, and support.

Room for Improvement

Areas for improvement include other Security Features like AntiVirus, AntiSpam, DLP etc.

Use of Solution

I have been using this solution for a decade.

Deployment Issues

No issues with deployment.

Stability Issues

No issues with stability but it completely depends on how you/ at what stage you implement. Additionally, what features you enable.

Scalability Issues

No. You need to look upon sizing, one should never oversize nor undersize. Detail understanding is a requirement one needs to keep in mind.

Customer Service and Technical Support

Customer Service: Good customer service.Technical Support: Good technical support.

Initial Setup

The initial setup was normal.

Implementation Team

Vendor, but internal team should be aware of the technology.

ROI

Recently we have upgraded to new model, now looking into 3yrs cost, this is the first year. So cant say much.

Other Solutions Considered

Yes, we evaluated Cisco.

Other Advice

Only advice I can give is that whatever product you select, it's important to keep in mind your Requirements, Budget, and POC.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Check Point CloudGuard Network Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2022
Buyer's Guide
Download our free Check Point CloudGuard Network Security Report and get advice and tips from experienced pros sharing their opinions.