Check Point IPS Reviews

My primary use case for Check Point IPS is very simple: I first identify some signature behaviors and secure levels and then I apply some signatures. I usually do not deploy IPS from CheckPoint. Overall, I manage signatures.

The Check Point IPS feature I find the most valuable is the firewall. It is great and easy to work with. 

I'm not sure what I really like in IPS because it's automated. You read the permit and you try to apply the signature and read the behavior of the solution and find how to fix it. So I don't think Check Point IPS is a great solution. 

I don't I like working with it very much because there's other stuff you can do to have more information. However, Check Point IPS does prevent important attacks easily.

What I would like to improve in IPS would be the capacity of the hardware. I would also like to be able to sort signatures by severity. This would greatly impact how well I can manage my environment. 

In the next release, I would like to see automatic signature deployment. 

I have been using Check Point IPS for nearly a year now. 

On a scale of one to ten, with one being the worst and ten being the best, I would rate Check Point IPS an eight. 

We have a hybrid infrastructure with an on-premise data center, cloud data center, and multiple branch offices. All of these firewalls are managed via Check Point Multi Domain Management as well as Smart Event to see security events across our environment.

IPS is set primarily to prevent and only some signatures are set to detect (only after some false positives) so we still see them and get notifications via the Smart Event reports.

IPS is updated automatically and pushed to all gateways every two hours. 

Check Point's IPS simply works and is continuously kept up-to-date on all gateways. Via the management, it's possible to let the gateway update the IPS signatures itself, instead of letting the management update itself and then push the updates to the gateways.

If there's a new data center or branch office and everything is still in the test phase, it's possible to set the IPS policy to detect only so you can gather data and create a baseline without completely disabling IPS. That way, you can still see log entries.

Automatic updates can be done either via management or the Gateway itself, without any user interaction. The gateway is up-to-date with the newest signatures.

If you're unsure which profile to use, Check Point has some pre-defined profiles according to its best practices. Each one adds a different load to the relevant gateway, so you have to first check the current load and then decide on the right profile.

IPS signatures can be set quite granularly depending on your environment. You can filter on performance impact, severity, and confidence which makes sizing and adapting easier.

You can't turn off IPS completely as there are some signatures that are set even without activated IPS. If you know that, you can act accordingly. But sometimes you have to do a general exception instead of a granular one.

There are always some false positives with non-RFC traffic. This is good for security, however, it will cause some effort in day-to-day business as there will have to be exceptions for certain applications.

Threat Prevention policies are not very easily manageable as there are several profiles/policies/etc. Therefore, there are several ways to add exceptions and check the configuration.

I've used the solution for over ten years.

The solution is very stable.

The scalability is quite good, depending on which IPS profile you're using.

The solution is easy to set up.

Intrusion prevention and detection are the most valuable pillars in the security system, which detects and prevents exploits or weaknesses in vulnerable systems or in applications and protect against threats not only based on signatures but also based on anomalies, behavioral analysis, etc.

IPS is already integrated and comes as a security license in Check Point NG Firewalls and NGTX Firewalls.

Every defense system must have a feature set that provides complete security for Network IPS and Check Point has very powerful high throughput - almost at terabyte speed - with the help of a hyper-scale approach.

Organizations can scan for vulnerabilities know as VAPT, which many prefer as one-step closure for maximum security for the entire network. Check Point IPS plays a leading role in patching those vulnerabilities based on CVE IDS.

Based on updates received from the Check Point Threat Cloud, CVE IDs get updated or we can manually add those signatures.

It helps organizations to get a complete report for vulnerabilities in applications, the host running in the network (which helps to fixed to vulnerabilities based on CVE IDs), and gives reports for the compromised host, C&C host, DNS tunneling attempts, and protects against vulnerability in SNMTP HTTP POP, etc.

There's a good out-of-the-box configuration for recommended security based on severity levels, confidence levels, and network impact - also known as an IPS Profile.

For better security, we can edit options based on requirements and we can keep actions as detect-only which gives us alerts but allows traffic to flow without stopping anything.

There's an automatic update after every 2 hours which makes sure that the database is up to date and providing zero-day vulnerability protection.

Check Point IPS provides reports for running vulnerabilities which help enable SOC teams to respond to the highest-priority events first to patch them.

After the R80 release, there are almost all feature sets available under IPS Configuration. However, further to this, adding a direct vulnerability scan based on ports and protocol for every zone (LAN, DMZ, or Outside) will make Check Point very different compared to other vendors on the market.

Most customers take an IPS license but they don't take a SmartEvent license and when this happens, they will not be aware of the report parts such as current threats in the network open ports/protocol, vulnerabilities in a system, or detected/prevented attacks. For such cases, Check Point should provide a bundled license with IPS. 

I've been using the solution for more than four years.

The solution is highly stable for this particular blade.

Scalability can depend on throughput and if we use Maestro Hyperscale, we can distribute load across multiple Check Point Firewalls to get the maximum (in TPS) throughput.

Most of the time there is no need to take support for this,  but the CVE closure technical support team helps lot.

Customers may have had different NGFW solutions, however, after, they migrated over to Check Point NGFW.

The installation was straightforward in terms of configuration and onboarding.

We are service providers and provide services to customers.

Attacks are getting prevented and detected based on severity which helps our organization to get rid of compromising attacks.

Check Point IPS license is a must-have, and users need to make sure the database gets updated on daily basis after every 2 hours as per the defined configuration (which helps to get maximum protection).

The configuration is very simple and effective if you refer to the configuration guide properly.

We did not look at any other solution.

The solution is best in class.

We use this solution to secure the organization against any attack coming into the network via the internet, a third party, or any other connected network. It is used to detect and prevent identified threats at the perimeter level so attacks do not penetrate the network.

With so many access points present on a typical business network, it is essential that we have a way to monitor for signs of potential violations, incidents, and imminent threats.

We also use it to provide flexibility for the SOC admin to identify any suspicious activity and either detect and allow (IDS) or prevent (IPS) the threat. It logs and reports any such incident to the centralized logger so the required action can be taken by the SOC team.

This IPS device is protecting the organization's assets from any know vulnerability or threats that are coming from the network and vice versa.

It protects against specific known exploits but also, with SandBlast integration, it is able to protect against unknown or zero-day attacks at the perimeter level. An example of this is C&C communication, which is getting trigger by compromised systems.

It's able to detect and prevent any tunneling attempt that is happening via compromised systems, thereby avoiding data leakage.

It provides the capability to enable security policy based on templates, which can be enabled by the organization, depending upon their need. For example, enabling the highest security with the lowest performance impact is a matter of selecting templates accordingly.

IPS can be enabled on the same security gateway and does not require any additional hardware purchase or additional network connectivity.

It provides complete visibility and reporting on a single dashboard for the entire NG firewall, including the IPS blade on the Smart Console.

Signatures are constantly updated and it also provides virtual patching protection up to a certain extent. 

It provides a detect-only mode for IPS Security policy that the admin can enable on a required segment for monitoring, giving an opportunity to observe prior to blocking.

There is a performance impact on the NGFW post-enabling the IPS blade/Module, which can even lead to downtime if IPS starts to monitor or block high-volume traffic. 

There is no separate, dedicated appliance for IPS.

In the case of the IPS blade enabled on the NG firewall, it does not provide flexibility to monitor specific segments as easily as the IPS policies that are applied on the security gateway. There is lots of configuration and exclusion policy that need to be configured to bypass traffic from IPS Policy. 

IPS gets bypass in case performance goes above certain limit. This is the default setting that is provided.

I have been using Check Point IPS for more than six years.

This is a stable product.

Most of the organization is deployed on the NGFW and it has scaled accordingly, with most devices in HA mode.

Technical support is excellent.

We did not use another solution prior to this one.

This is a blade/module that needs to be enabled, selected, and applied across the security gateway.

Our in-house team was responsible for deployment.

Enabling IPS does not require any additional license purchase from OEM, as it comes by default with the NGFW bundle. This blade/module can be enabled based on the requirement and can be pushed to the security gateway.

We did not evaluate other options.

We make use of Check Point IPS to protect our corporate network against incoming threats of all varieties. We have a very minimal intranet/network and this is installed and configured on our firewall that monitors all incoming/outgoing traffic.

We felt it was necessary to have this in place as part of our security hardening in preparation for a third-party penetration test of our corporate network. Their goal was to access our network undetected and exfiltrate information. They were unsuccessful.

Once we installed our Check Point firewall and activated and configured the various software blades and services, we successfully locked down our network with a near 100% success rate in preventing security threats.

I can easily monitor all of our connected devices and I get instant notification of reconnections and new connections, which removes some of the monitoring burden.

The biggest improvement is that it protects us against many different potential attacks like ransomware and malware coming from malicious IPs.

The most valuable features of Check Point IPS are the protection it provides against the various attack vectors out there with ransomware and other malware. Once we had Check Point IPS up and running, which was really quite easy and straightforward to do, we noticed a surprising number of times that it was getting triggered.

It was a little scary thinking back to how vulnerable we were prior to having Check Point IPS in place and simply relying on our users, albeit not that many, to be safe and responsible.

Really, the only thing we noticed once it was running in prevention mode (we started out in detection mode just to get a feel for how it worked and how often protections were getting triggered) was that there was a little bit of a slowdown in performance. It is generally good, but improving the performance would be the one thing I'd take a look at right now.

We have been using Check Point IPS for two years.

This solution has been extremely stable with no issues.

We're small and haven't had to deal with scaling, but I would think it should scale fine.

We did not use another similar solution prior to Check Point.

The initial setup and configuration was easy and straightforward.

Our return, in terms of peace of mind that our network is protected, is well worth the cost of implementation.

The pricing for Check Point IPS is competitive and brings good value for the money.

In summary, since we have installed Check Point IPS, we really have not had any major complaints or requests for improvement. It was pretty easy to get up and running and configured to protect our environment.

I work in MNC company and we have 6 GEO locations in India and all of our locations are using Check Point as a perimeter firewall. I sit in our HO Office and I am maintaining all the location firewalls with my team, except for 1 location. We regularly monitor the security alerts on our perimeter and based on that we will align our location IT to check and update us. IPS is our core blade for network security, it is provide the details that some suspicious activities happen on our network as per the IPS signature database, and based on that we will work on that.

As our primary use case with IPS blade we are daily receiving non-compliant IKE alert, and we know if we prevented it then what impact will happen, our all site to site tunnel will stop working which is running with noncompliant IKE and we are not forcing our client to update that noncompliant IKE protocol. 

We have configured the IPS daily report on our Check Point Gateway so we get daily reports with details of IPS related alerts. Based on the report we will check whether it is in prevention or detection mode and based on that we will check with the internal team and work on that. This is a very useful blade to prevent unwanted and unknown attacks. We can also create strict policies in the IPS blade to prevent high and critical severity but in our organization, we follow the same but in some cases, we have created exceptions.

Overall with the IPS blade we can say we are secure with unknown attacks. 

The default category (Low, Medium, High, Critical) is the most valuable feature because we don't know what type of attack will happen, but with this category, we can create a policy to prevent any high and critical severity behavior. With this, we can protect our organization from weakness exploit of vulnerable systems.

IPS can protect our organization with any old vulnerabilities or if any vulnerability was detected within a few minutes. IPS can protect us as per our configured policy.

I strongly agree that with IPS blade we can protect our organization vulnerabilities. I would like to have the ability to virtually patch our application or vulnerable machine that is talking ourside our network. If it is there then we can protect our application and systems to any unknown attack if our system or application has a weakness or vulnerability. 

I observed on our management that sometimes IPS does not connect to the threat cloud, we have to check and improve it. Otherwise, all of the features are good.  

I have been using Check Point IPS for the last four years. 

Sometimes it will not connect to the threat cloud.

This is a fully salable blade.

Overall okay.

Straightforward.

Vendor team

Priceless.

Reg. cost and licensing part out procurement team taking care.

The IPS is a very good blade in Check Point NGFW.

Our company works in developing and delivering online gambling platforms. The Check Point NGFWs are the core security solution we use to protect our DataCenter environment located in Asia (Taiwan). The environment has about ~50 physical servers as virtualization hosts, and we have two HA Clusters consist of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. 

The Clusters serve as the firewalls for both inter-VLAN and external traffic. We have the Intrusion Prevention System (IPS) blade activated on both Check Point HA Clusters as the counter-measure against advanced threats and malware. The IPS blade mostly used for ingress traffic from the Internet to the DMZ VLAN.

I think that the security of our DataCenter has been increased to a large extent by activating of the Check Point Intrusion Prevention System software blade. Before that, we used the Cisco ACLs and Zone-Based firewall configured on switches and routers, which currently not an efficient solution for protecting from advanced threats. Now we have state-of-the-art, true, and efficient Next-Generation firewall, and the IPS blade is the heart of it. The security profiles activated in the IPS blade check the traffic not just by TCP/UDP port of the connection, but by traffic patterns and the application behaviour. 

The number of IPS protections is amazing - after the latest update, I see more than 11000 in the SmartConsole.

All the protections are tagged and categorized by the vendor/type/product, the severity of the threat, confidence level, and performance impact of the activation, which helps in finding and enabling only he profiles that we really need (e.g. we don't have any Microsoft Windows servers in our environment, so decided to disable such protections by default).

The protections are updated based on the schedule - we used the default once-a-day approach.

I also like that the new protections may be automatically activated in the "Staging mode", which only detect the possible threat and alerts them, but doesn't block the actual traffic, thus minimizing the impact of the false positives. 

In my opinion, the Check Point software engineers should works on the performance of the blade - when it is activated with the big number of the protections in place, the monitoring shows us the significant increase in the CPU utilization for the gateway appliances - up to 30 percents, even so, we are cherry-picking only the profiles that we really needed.

Due to that fact it is also not so easy to choose the correct hardware appliance when you are planning the infrastructure. It is even more important when you realize that the Check Point hardware is very expensive.

We have been using this solution for three years, starting since late 2017.

The solution is reliable and stable, we didn't have any software or hardware issue while using it.

The Check Point software blade is activated on the HA Clusters in Active-Standby mode. There's a space to grow with the current setup, but eventually, we may switch to the Active-Active mode and add additional appliances to the clusters.

Even so we had a number of the support cases opened with the Check Point team, none of them was connected with the IPS blade. In general, there are professionals in the support team, but some cases took surprisingly long time to be resolved. 

Before the Check Point IPS, we relied on the simple stateful firewalls configured on Cisco switches and routers and moved to Check Point to get improved security against the modern threats.

The initial setup was easy, as was the configuration. Now the solution almost doesn't require the time for managing it.

The implementation was done by the Certified Check Point Expert we have in the in-house team - the Check Point solutions are popular, so there are such engineer available on the job market.

The overall cost of the solution is really high. You should properly scale the setup you are planning to purchase. 

The licensing model is simple, but some of the software blades are not included into the default bundles and should be purchased separately - pay attention to that.

We didn't evaluate the other solutions.

The correct performance sizing is essential for this kind of software - use the tools provided by the vendor, and consult the sales if you are still not sure.

The solution's IPS functionality and firewall functionality are the solution's most valuable features.

The detection needs improvement. We fear that it doesn't detect everything that we want to see.

The solution needs enhanced reporting. The reporting on Cisco Stealthwatch and Darktrace is much bigger. The visibility that they grant for the filtering capabilities over large infrastructures are far superior.

The stability of the solution is good. We've never had any issues.

Scalability is very good. 

We run a very large network. It was really easy to cover the full traffic flow. We just don't know about the reporting aspect - on whether it sees all the traffic that we want to capture. I'm unsure if we will increase usage in the near future as we're currently moving away from the product.

Technical support is okay. I'd rate it seven out of ten. Our biggest complaint is that they are rather slow.

We weren't previously using a different product.

I wasn't involved in the initial setup.

We use the on-premises deployment model.

We're still in the process of evaluating options. We're doing a POC with Cisco and Darktrace and are moving away from Check Point.

I'd rate the solution seven out of ten.