Check Point CloudGuard WAF Reviews

We have over ten root domains that we need to protect through the firewall. All our hosts are in EC2 instances, and it is challenging to protect them by using any AWS load balancer or shields. Therefore, we have implemented Check Point CloudGuard WAF as a solution to protect all these domains from the open internet. It supports all environments, including on-premises, Azure, AWS, and we have also implemented it for CDN URLs as well.

It has improved the overall security posture of our organization. Earlier, our security score was around eight to nine, which increased after implementing Check Point CloudGuard WAF. We have achieved NIST compliance, and now ninety-five percent of the environment compliance level is equal to ninety-five percent.

The support of the root domain is one of the best features, as is the support for the CDN and advanced load balancer. These are key features that differentiate Check Point CloudGuard WAF from other vendors. Additionally, rate limiting is another significant feature of the WAF.

The UI interface needs improvement because there are a number of bugs. Integration with the SIEM platform is currently one of the key challenges that need to be addressed.

We have been using Check Point CloudGuard WAF for the last six months.

I think Check Point CloudGuard WAF is stable.

It is a SaaS-based model, and we have not encountered any scalability issues. They have sufficient resources, and there are no challenges from a scalability perspective.

The customer support is good. They have skilled personnel to provide support.

Positive

We did not use a different solution prior to this.

The return on investment is reflected in the improvement of the overall security posture. While it does not have a direct monetary impact, it enhances security with an improved NIST compliance score and better overall security scores for our organization.

Pricing and setup costs are fine. It is less costly than Cloudflare, Fortinet, and other vendors. Additionally, it is less costly than the OEM.

We evaluated Cloudflare and Fortinet.

I would advise others to use and implement Check Point CloudGuard WAF as a solution in the firewall segment. Check Point has been in this segment for two decades and is more stable than other firewall vendors. I recommend using it and implementing all the features it offers. Overall, it's a good solution, and it fulfills all our core purposes, providing complete visibility and security. That's why I rate it ten out of ten.

Public Cloud

Other

I am currently evaluating a hybrid solution for our infrastructure since some of our services are hosted on-premises while others are processed through the cloud. We have multiple websites, applications, and some non-web-based applications that we need to protect.

The solution's ability to handle multiple websites and applications without needing more expensive hardware is a key advantage. 

The communication between the on-premises device and the cloud for analysis and feedback is a valuable feature. It also supports legacy applications and improves security access. Upon implementation and evaluation with third-party penetration testing, it meets rigorous security standards required for dealing with financial institutions and provides necessary protection between our central office and peripheries through VPN access. 

The solution allows for proactive support and parts replacement.

The learning curve was a challenge due to initially incorrect configurations. It took approximately a month and a half to understand how the solution works because of inadequate documentation. The provider could improve by providing better guidance and support during the configuration process.

I am happy with their support. They were responsive even before we committed to buying their solution. The support rating is about seven and a half to eight out of ten.

Positive

We looked at FortiGate and some open-source solutions, however, they either did not fully meet our requirements or required a dedicated person for administration, making them cost-prohibitive.

We collaborated with our vendor, A1, which also offers parts replacement and support as part of the package.

The base solution costs approximately 30,000 euros, with an additional 2,000 euros per year for licenses and support.

The price is fair for the features offered. For us, it is cost-effective compared to hiring a dedicated person for administration.

Prior to choosing the current solution, we considered FortiGate and other open-source solutions.

I would rate the solution eight out of ten. 

Hybrid Cloud

Other

Protecting our websites or our customers' websites is our top priority. We transitioned to Check Point WAF from on-premises WAF to safeguard our external perimeter. Essentially, I am focused on protecting our external infrastructure and web services.

It helps me sleep at night, providing peace of mind. It saves time, money, troubleshooting, and maintenance and reduces the need to hire people to manage the technology because it is so easy to use.

The WAF is the best feature. The application firewall's ability to block and recognize all attacks in real-time, such as DDoS, is invaluable. Identifying attacks and integrating with the rest of the ecosystem are features I am very fond of.

It's a pretty robust product.

CloudGuard protects against threats without relying on signatures. This is one of the best features. As an engineer, I don't have to review signatures one by one by one. 90% of the other players use signatures. So you have to review the attack, the signature, and how to mitigate it, etcetera. Removing the signatures from the equation removes a lot of time required for an engineer to review signatures, apply signatures, verify that these are applied to the infrastructure, etcetera. So removing that from the equation and protecting the infrastructure at all times is very cost-effective. 

Signature-based also causes a lot of false positives. So having no signature also helps remove a lot of the false positives. 

I cannot think of any needed features.

Pricing is high, although possibly justified by the service received. Reducing prices would be welcome. 

Integration with more technologies or Check Point products, or on-prem products, could improve robustness. Many organizations are moving to the cloud. Some cannot fully transition and require solutions similar to on-prem devices. 

I have used the solution for the past two years.

Support is the same with on-premise devices, and it is very good. Since it is cloud-based, I do not need them as much. 

Positive

I have used CloudGuard, Imperva Cloud WAF, and Barracuda Cloud WAF. I have experience with all of the major players.

I have seen what we were used to before and how much time we spent. We used to manage on-prem devices for other partners that could run from other vendors. When you migrate to the cloud, it feels like saving 90% of your time.

If the price could come down, I would be very happy with the product.

I will not disclose which vendor is the best. In specific cases, some vendors perform well, while others are competitive at the high end. Check Point is one vendor that I really appreciate, and I will not mention the other, however the competition is very close.

I would rate the solution nine out of ten. Nobody is perfect. 

My main use case for Check Point CloudGuard WAF is to protect web applications and APIs from OWASP Top 10, and it has helped to secure cloud workload and prevent unauthorized access to data leaks.

I use Check Point CloudGuard WAF to block SQL injection and cross-site scripting attacks, and we protect the API by enforcing strict access, automatically applying a security policy to new applications before deploying in the cloud.

The best features Check Point CloudGuard WAF offers in my experience include automated policy upgrade with threat coverage intelligence, flexible deployment, and zero-day protection, which stand out to me the most.

The automated policy creation and threat intelligence have helped my team by reducing manual configuration and saving time, and the threat intelligence updates ensure immediate protection against new threats, simplifying daily operations and improving response speed.

Check Point CloudGuard WAF has positively impacted my organization by strengthening overall application security and data security, and it reduces manual workload for the security team while improving compliance in securing cloud workloads.

It has improved compliance and manual workflows through automated updates and reports, making it easier to meet compliance, with faster audits and readily available security evidence in reports, and it reduces time spent on manual rule creation and log reviews by automating policy enforcement.

Check Point CloudGuard WAF could be improved by simplifying the initial setup for a faster deployment, making the dashboard and reporting more customizable, and offering a more accessible pricing model.

I have been using Check Point CloudGuard WAF for the past one year.

Check Point CloudGuard WAF is definitely stable in my experience.

It has a user-friendly interface that makes monitoring and management easier with smooth integration with other Check Point and third-party security tools, and it provides a clear dashboard for visibility into attack and traffic patterns.

I would rate customer support as eight out of ten.

I chose this rating because sometimes the response will be delayed more than expected.

Customer support is good, but sometimes it takes longer than expected.

Positive

I have seen a return on investment from using Check Point CloudGuard WAF, considering both time and money.

My experience with pricing, setup cost, and licensing was good.

The experience with pricing, setup cost, and licensing is straightforward without any challenges.

My advice for others looking into using Check Point CloudGuard WAF is to plan deployment with clear policies to maximize protection from the start and take advantage of automated updates and threat intelligence to reduce manual work, ensuring proper integration with your cloud environment.

Public Cloud

Amazon Web Services (AWS)

Due to the nature of our business, we have heavily invested in backend API development, providing services exclusively through this interface. Similar to how banks and medical industries utilize data from centralized sources, our APIs cannot be exposed directly to the Internet. To safeguard these critical APIs, a robust security solution is essential. 

Check Point CloudGuard WAF fulfills this need by intercepting all incoming internet traffic, categorizing requests as legitimate or malicious, including attack details, and blocking suspicious activity at the initial stage. Only verified, non-malicious requests are permitted to interact with our APIs.

When we activate the WAF, our security signatures and all the latest threat intelligence are immediately updated. Our protection is automatically refreshed every few hours to address emerging threats. For example, if a zero-day attack originates in Europe, Check Point CloudGuard can detect it within minutes and distribute a new signature globally. This ensures that when the attack reaches Australia, it is already blocked by our up-to-date WAF.

Although the WAF still produces false positives because of the signatures, we can apply a rule to exclude them easily.

Automated threat intelligence is crucial because a ransomware attack can compromise a network in minutes. Imagine an attack occurring at 3 AM when staff is unavailable; the damage may already be done when someone investigates. Ransomware can infiltrate and complete its task within just a few sessions. Once inside, attackers can lay dormant for months, covertly sending data using internal IP addresses. These addresses are often whitelisted, making it difficult to detect whether the outbound traffic is authorized or malicious. Automated threat intelligence can rapidly detect and respond to attacks, unlike manual processes that take 15 to 20 minutes, often too late to prevent significant damage like a completed ransomware attack. Systems like OCSP, utilizing best practices from multiple vendors such as Azure, Microsoft, CheckPoint, Palo Alto, and CloudStrike, provide an open platform for sharing and updating threat signatures. This enables organizations to tailor their security measures based on specific application needs and behaviors, effectively mitigating risks without unnecessary restrictions.

Cloud-based WAF solutions, such as Check Point's, offer significant advantages compared to traditional on-premises WAFs like Cisco or Palo Alto. On-premises WAFs require substantial upfront costs for hardware, expensive licenses, and frequent, costly upgrades as technology evolves. Cloud-based alternatives eliminate these expenses by providing the latest features and capabilities without hardware or software management. This flexibility and cost-efficiency make cloud WAFs appealing to many organizations. However, cloud solutions can be more expensive for high-throughput applications like Instagram or Facebook due to data transfer costs. At the same time,  on-premises options might be more economical in these cases. Ultimately, the best choice depends on specific network size, criticality, and application requirements.

Machine learning is a valuable tool for this assessment because it allows for a two-phase approach: secure and non-secure. In the first secure phase, pre-built signatures are used, eliminating the need for a live tracker as the necessary data is readily available. This approach efficiently blocks threats without progressing to the slower, resource-intensive second phase. Unlike competitors who process every request, this method conserves CPU power and prevents application slowdowns.

Check Point CloudGuard WAF's code could be improved. While the GUI allows configuration for application-related features, specific definitions cannot be modified through the code. Ideally, we would prefer consistent configuration across all products to simplify deployment, but in this case, the ISE is incompatible with the two or three different models we've identified. Therefore, we must rely solely on the GUI for configuration.

I have used Check Point CloudGuard WAF for four months.

It was stable in the four months we ran Check Point CloudGuard WAF.

I would rate the stability nine out of ten.

I would rate the scalability nine out of ten. We only reached 80 percent of our CPU capacity.

The technical support is good. We didn't use them much, demonstrating the product's quality.

Positive

At that stage, our primary goal was to select a suitable WAF to replace our existing F5 WAF. While the F5 WAF performed well, we sought to eliminate it due to excessive licensing costs. Given the high expense of our entire WAF solution, we explored alternatives, including Azure WAF, Check Point WAF, and Palo Alto WAF. Although we initially considered Cisco WAF, it was quickly discarded as outdated. After a two-week evaluation, we narrowed our options to Azure, Check Point, and Palo Alto WAFs.

The deployment is straightforward and similar to any standard firewall installation. While the process took four days due to design finalization, deploying directly from code can be completed in less than thirty minutes.

Two people were involved in the deployment, one working on the design and the other on the ISE.

Check Point CloudGuard WAF is expensive compared to Azure WAF. I would rate the cost of Check Point CloudGuard WAF as eight out of ten, with ten being the most costly.

We evaluated Cisco WAF, but it is outdated and no longer competitive. Since we utilize Azure Cloud, we opted for Azure WAF due to our preference for cloud-based solutions. Azure WAF has performed well and is seamlessly integrated behind the scenes. We also evaluated Palo Alto, but configuration challenges through ISE led us to discontinue its use seven months ago. Check Point CloudGuard WAF was abandoned for similar reasons. Azure WAF's integration with ISE, including built-in Bicep modules for CLI configuration and deployment, is a significant advantage. Currently, we manage approximately 35 IP addresses and require two distinct stages for WAF settings and module deployment. Consistent signature stem definition across different environments is essential. ISE was crucial in our decision-making process, ultimately replacing Check Point due to the latter's lack of ISE integration, a critical requirement. While Check Point offered several strengths, the absence of ISE was a deal-breaker. Overall, Azure WAF has met our expectations.

I would rate Check Point CloudGuard WAF eight out of ten.

We have six environments in multiple locations and eight products that use 20 APIs.

We have a team of four working with the WAF.

I would recommend Check Point CloudGuard WAF if it fully meets the organization's needs, the cost is reasonable, and they desire AI and ML integration in the future. However, since we do not require AI or ML and prioritize ISE for our management approach, this solution did not align with our requirements.

Public Cloud

Microsoft Azure

My main use case for Check Point CloudGuard WAF is defending from SQL injection or DDoS attacks, and a quick specific example would be that it protects our applications and data from these threats.

I don't have anything else to add about my main use case, as there are no stories or examples where it helped my team.

The best features Check Point CloudGuard WAF offers are that it's very easy to use, the automated management is very nice, and the introduction of new AI is very efficient, which I find valuable.

With the introduction of AI in general, Check Point CloudGuard WAF provides very high accuracy on the data, allowing me to avoid a lot of false positives and saving me time in determining if what I'm seeing is a possible attack.

Check Point CloudGuard WAF has positively impacted my organization by reducing incidents because I don't have false positives.

Check Point CloudGuard WAF can be improved; initially, the setup is very complicated, and there's not a lot of documentation available, plus it didn't have something for anti-bot, but other than that, it is fine.

The documentation issue means that I can't find it online very easily, and while I can always ask support, it's a bit limited. As for anti-bot, I refer to a feature that I can find a better option for on Cloudflare.

I don't have anything more to add about the needed improvements or anything regarding the onboarding.

I have been using Check Point CloudGuard WAF for one year.

Check Point CloudGuard WAF is very stable, and I haven't had any issues with downtime or reliability, plus it handles growth easily in my environment.

The customer support is rated eight. I have had to contact them, and my experience was satisfactory.

I did not previously use a different solution before Check Point CloudGuard WAF, so there's no prior comparison.

I don't have metrics, but I see a return on investment in overall efficiency, as it has saved my team time and reduced incidents.

I don't know about the pricing, setup cost, or licensing for Check Point CloudGuard WAF, as I don't manage costs.

Before choosing Check Point CloudGuard WAF, I did not evaluate other options, as I went straight with it.

Check Point CloudGuard WAF works very well with all the clouds, such as Azure and AWS, and I shouldn't have any problems adding this feature to my environment.

Regarding the reduction in incidents, I don't have any percentages, but I know I can save a lot of time because I understand that if something is signaled, I need to check it, as it's very not probable that it is a false threat.

My advice for others looking into using Check Point CloudGuard WAF is that, similar to other Check Point services, it can be intimidating at the start, but you will manage after some time.

I rate Check Point CloudGuard WAF eight out of ten.

Hybrid Cloud

Microsoft Azure

I have a team that manages CloudGuard for me. We have different research centers using various cloud accounts and are trying to consolidate everything into a single landing zone to protect those areas. From a use-case perspective, I have different laboratories or research centers utilizing it for various purposes. We are mostly focused on AI, and some of those requirements cater to the AI segment as well.

From a protection perspective, Check Point is a well-renowned name. We are also using other products from Check Point, such as Harmony, Infinity, and XDR. We have a consolidated view of the overall security posture, which I find quite interesting.

CloudGuard WAF protects our applications against threats without relying on signatures. This is crucial for us to maintain application security and stop the threats coming into our environment, keeping our production part secure.

Check Point CloudGuard WAF works well for preemptively blocking Zero Day attacks and detecting hidden anomalies. It is the best. That is why I am paying for it.

Check Point CloudGuard WAF helps us with overall application and cloud API security. The consolidated view of the security posture that Check Point provides is very useful from an upper management perspective.

CloudGuard WAF has helped reduce our false positive rate by 30%.

From a security perspective, it is quite good. I am not very familiar with the detailed features of it because I have a team that manages it. 

I am pretty happy with the current version. I have not yet used it to its full potential, but there could be improvements as I explore it further. I am content with what I have in terms of features and support, but if I start expanding the usage, I might need more help from them. I already have the best consultants from Check Point. 

I have been using this solution for around seven or eight months now.

I have not observed any stability issues yet. It has been pretty reliable.

The scalability is excellent and is one of its best features.

Customer service is one of the best in the market right now.

Positive

We did not use a similar solution previously. 

We have a hybrid deployment model with AWS as the cloud provider. 

Its deployment was smooth. We did not have any issues. 

We used Check Point for the implementation.

It has been only six or seven months now. I am hoping that by the time I complete one year, I will see the return on investment.

It has reduced the total cost of ownership for our web application firewall to a certain extent, but I do not have the numbers.

The sales team or account managers from Check Point are top-notch. As I am using other products as well, my pricing was competitive compared to others.

I considered other solutions. I decided on Check Point because of its comprehensive suite of applications and the integration with my tools, providing a consolidated view of my security posture.

I would rate Check Point CloudGuard WAF a nine out of ten. I believe there is always room for improvement, but there are use cases I have not yet explored. 

I use the solution for almost all of our web servers.

Before CloudGuard, we periodically had some website issues. Since we've had CloudGuard, we've never had these issues happen again. 

The rate limit feature is the most useful feature of the product.

We don't need to rely on signatures. We are protected when the signature doesn't exist. 

It can protect against zero-day attacks and hidden anomalies. It blocks items that would affect the company.

We've been able to reduce our false positive rate. It took a bit of time, however, not long. We're near zero false positives. 

The web user interface needs some improvement, even though the functionality is good. More user-friendly features could be added. Perhaps something between CloudGuard management and the virtual appliance on-site could be faster. 

It could be interesting to have an app for smartphones to manage all the cloud environments.

I have been using the solution for three years. 

The stability is always good. 

The scalability is always good.

I rate the solution nine out of ten. I am satisfied. It is always good. 

On-premises