Check Point IPS Reviews

Our company works in developing and delivering online gambling platforms. The Check Point NGFWs are the core security solution we use to protect our DataCenter environment located in Asia (Taiwan). The environment has about ~50 physical servers as virtualization hosts, and we have two HA Clusters consist of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. 

The Clusters serve as the firewalls for both inter-VLAN and external traffic. We have the Intrusion Prevention System (IPS) blade activated on both Check Point HA Clusters as the counter-measure against advanced threats and malware. The IPS blade mostly used for ingress traffic from the Internet to the DMZ VLAN.

I think that the security of our DataCenter has been increased to a large extent by activating of the Check Point Intrusion Prevention System software blade. Before that, we used the Cisco ACLs and Zone-Based firewall configured on switches and routers, which currently not an efficient solution for protecting from advanced threats. Now we have state-of-the-art, true, and efficient Next-Generation firewall, and the IPS blade is the heart of it. The security profiles activated in the IPS blade check the traffic not just by TCP/UDP port of the connection, but by traffic patterns and the application behaviour. 

The number of IPS protections is amazing - after the latest update, I see more than 11000 in the SmartConsole.

All the protections are tagged and categorized by the vendor/type/product, the severity of the threat, confidence level, and performance impact of the activation, which helps in finding and enabling only he profiles that we really need (e.g. we don't have any Microsoft Windows servers in our environment, so decided to disable such protections by default).

The protections are updated based on the schedule - we used the default once-a-day approach.

I also like that the new protections may be automatically activated in the "Staging mode", which only detect the possible threat and alerts them, but doesn't block the actual traffic, thus minimizing the impact of the false positives. 

In my opinion, the Check Point software engineers should works on the performance of the blade - when it is activated with the big number of the protections in place, the monitoring shows us the significant increase in the CPU utilization for the gateway appliances - up to 30 percents, even so, we are cherry-picking only the profiles that we really needed.

Due to that fact it is also not so easy to choose the correct hardware appliance when you are planning the infrastructure. It is even more important when you realize that the Check Point hardware is very expensive.

We have been using this solution for three years, starting since late 2017.

The solution is reliable and stable, we didn't have any software or hardware issue while using it.

The Check Point software blade is activated on the HA Clusters in Active-Standby mode. There's a space to grow with the current setup, but eventually, we may switch to the Active-Active mode and add additional appliances to the clusters.

Even so we had a number of the support cases opened with the Check Point team, none of them was connected with the IPS blade. In general, there are professionals in the support team, but some cases took surprisingly long time to be resolved. 

Before the Check Point IPS, we relied on the simple stateful firewalls configured on Cisco switches and routers and moved to Check Point to get improved security against the modern threats.

The initial setup was easy, as was the configuration. Now the solution almost doesn't require the time for managing it.

The implementation was done by the Certified Check Point Expert we have in the in-house team - the Check Point solutions are popular, so there are such engineer available on the job market.

The overall cost of the solution is really high. You should properly scale the setup you are planning to purchase. 

The licensing model is simple, but some of the software blades are not included into the default bundles and should be purchased separately - pay attention to that.

We didn't evaluate the other solutions.

The correct performance sizing is essential for this kind of software - use the tools provided by the vendor, and consult the sales if you are still not sure.

The solution's IPS functionality and firewall functionality are the solution's most valuable features.

The detection needs improvement. We fear that it doesn't detect everything that we want to see.

The solution needs enhanced reporting. The reporting on Cisco Stealthwatch and Darktrace is much bigger. The visibility that they grant for the filtering capabilities over large infrastructures are far superior.

The stability of the solution is good. We've never had any issues.

Scalability is very good. 

We run a very large network. It was really easy to cover the full traffic flow. We just don't know about the reporting aspect - on whether it sees all the traffic that we want to capture. I'm unsure if we will increase usage in the near future as we're currently moving away from the product.

Technical support is okay. I'd rate it seven out of ten. Our biggest complaint is that they are rather slow.

We weren't previously using a different product.

I wasn't involved in the initial setup.

We use the on-premises deployment model.

We're still in the process of evaluating options. We're doing a POC with Cisco and Darktrace and are moving away from Check Point.

I'd rate the solution seven out of ten.

We use the solution as a firewall to monitor and prevent intrusion into our system.

The notifications are the most valuable feature of the solution.

The solution is expensive and the cost has room for improvement.

The installation documentation has room for improvement. We can use more detailed information because sometimes it is difficult to understand.

I have been using the solution for two years.

The solution is stable.

The solution is highly scalable.

We have 100 people using the solution in our organization.

I have had issues with the technical support not contacting me back.

Neutral

The initial setup is straightforward. The configuration is completed with a few clicks. After the configuration, we can access the portal and start using the firewall. 

We used a vendor for the implementation.

I give the solution a nine out of ten.

The maintenance is easy.

Check Point IPS has zero-day detection and next-generation servers which make it a good solution and I recommend it.

Most of our clients have the majority of their critical resources on prem to protect their DMZ, so we use IPS for that. We are resellers, implementing and providing support to our clients. I'm a system engineer IT support.

The solution helps our clients because once IPS is implemented, they don't have to worry about the security of their most critical infrastructure, and they can focus on their core business rather than the IT side of things. They know that once the solution is in place, they can have full trust in it.

The product is user-friendly and easy to implement. We receive training on how to onboard and when we are onboarding clients, we have the option of engaging Check Point to assist. It's a good provision to have. In terms of functionality, it's one of the best solutions on the market. 

Most complaints for Check Point relate to licensing fees. You need to be prepared to pay extra for implementing this product. 

I've been dealing with this solution for over a year. 

The solution is stable and robust. 

The solution is easily scalable. 

The initial setup is quite straightforward and they provide documentation that is of good quality. Deployment takes around 30 minutes and maintenance is easy.  

This is not a difficult tool to use as long as you understand the basics of networking and security. I rate this solution nine out of 10. 

The Check Point IPS module is applied to both internal and external traffic.

Many times, we only think about protecting ourselves from what comes from the Internet but it is also good to analyze what passes inside between one network and another and what goes out to the Internet.

I'll never forget the first backdoor report. We immediately activated email alerts for the most important reports and it was an email that indicated the compromised server. There were three of us and it took two hours to discover that through the image upload form, there had been an attempt to upload a backdoor. This IPS module had blocked this attempt.

The Check Point IPS module certainly is of great support in ensuring the security of every organization. You cannot say that users only surf the internet and you do not need this type of protection because the danger does not come only from the internet, but also from within. 

We immediately implemented the module on internal traffic and if there is any server or user that does something that should not be done, it is immediately identified. 

Valid support also comes from applying, before their official publication, the protections inherent to server and application updates. In this way, we are not forced to install updates on the servers as soon as they are published. Rather, we can also schedule updates and incorporate a delay. This protects us from the possible publication of incorrect updates that are withdrawn immediately afterward.

The Check Point IPS module allows me granularity in creating rules. I can specify which definition to apply and to which scope or network.

I can create multiple profiles, which is helpful. Profiles are the set of rules and I can choose which one to apply. Having more profiles and more options, we have not always moved in a guaranteed way with respect to internal traffic, and rigorously with respect to external traffic.

From the outside, we block directly without waiting to look at the logs. If anything, then we will allow this traffic. From the inside, we allow traffic by default and maybe we will block it after looking at the logs.

These decisions were also supported by the degree of reliability declared by Check Point itself. If we are talking about a high degree of reliability combined with a dangerous vulnerability then you can immediately block traffic with greater confidence in not having false positives

The logs and related functionality are done very well.

To use the Check Point IPS module, you need a dedicated team who must know both the business reality and be sensitive to the dangers coming from the Internet. You can't leave everything to the application to run automatically.

If you leave it on automatic then you run two fundamental risks; the first is the blocking of the firewall due to excessive use of resources, and the second is the sudden halt of your services due to the blocking of a malicious application. By optimizing the resources requested by this module and sending more specific alerts regarding blocks, you can certainly obtain an improvement in performance and usability.

Having additional reports available would be helpful.

I have been using Check Point IPS for twenty years.

This has always scared me because it is known that activating this module in an inconsiderate way causes malfunctions of the firewall. However, Check Point tells you to apply only the IPS definitions that are useful in your environment and warns with specific pop-ups when you want to activate a definition that requires a lot of resources.

In case of high volumes of traffic, it is possible to balance the same by adding other nodes to the cluster.

It was certainly a good experience, a daily challenge to overcome oneself and compete with the world.

Prior to this product, we did not use a similar solution.

The initial setup is complex and must be done by a team, necessarily also made up of internal staff, who are highly skilled.

In the beginning, it is good to evaluate the single definitions in order to reduce the false positives and to avoid a waste of firewall resources. Subsequently, the new definitions released must be reviewed daily.

We implemented it with the support of an external team that proved to be up to the task entrusted to it.

The module has a considerable cost but you can save by purchasing a package with several modules instead of making a single purchase.

The implementation has a high initial and management cost.

We did not evaluate other options.

In summary, this is a well-made product and I don't feel like I would suggest improvements other than having more reports. I recommend its adoption to those who have the availability of a team, internal or external, that has the ability to manage it and the knowledge of the company.

The most valuable feature is security.

There are several technological points that could use improvement.

We have a lot of false positives and the list of IPs are not up to date in terms of their location. For example, we recently blocked traffic from both North and South Korea because we have no relationship with these countries. The problem is that the list of IPs is not up to date, and we had a problem where regular traffic was blocked but malicious traffic was not.

The proxy should be improved.

The documentation should be easier to read.

When you want to block according to the signature, you have to do them one by one. You cannot create a group.

I have been working with Check Point IPS in this role for several months.

In the past, I was an employee of a company that was a Check Point partner for 11 years.

This is a very stable product.

The scalability is good, provided your machine is powerful enough. The product works with a variety of equipment from low-powered to high-powered.

The price of this product should be reduced.

For the most part, we don't have any problems with this product.

I would rate this solution an eight out of ten.

We use Check Point IPS to protect our infrastructure against threats. It internalizes different attack buttons. We started by deploying it only on the on-prem firewalls, but now we are also rolling out to the internal firewalls, the ones that segregate environments, the production, and the corporate environment.

Check Point has improved my organization by stopping almost 100% of the attacks we see. It also protects us from SQL injection and other injections. When people try to attack our websites, I see protection for that. I also see SSH over non-standard ports. 

Some IPs in the United States try to attack our exposed websites. It is very important to protect our hosting infrastructure with our website for these kinds of attacks.

The most valuable feature is that it protects us against hundreds of different attack vectors, like ransomware. The protection is always being triggered. People try to access websites that are categorized as malware, so when the users do a DNS request for the IP of those malware websites, the IPS Blade replaces the real IP of the website that is malware with a bogus IP. The user gets an IP that doesn't exist and when he tries to access, it won't work. This is the protection that triggers the most on our infrastructure. For example, if a user tries to access malware.com, the DNS response gets changed by the IPS Blade to an IP that doesn't exist.

In my opinion, IPS is one of the better Check Point products because it's very easy to configure. You don't need to go protection by protection to check which ones you want to enable. You can enable the ones that are medium or higher severity and all those protections are immediately enabled. 

When you deploy this on an existing firewall that is already working, it's always better to set it on detection mode before you put it on prevention mode. It's very easy to detect a profile and then check for a month if there are some false positives that you want to filter before you put it on prevention. It's very easy to work with.

The only thing they could maybe improve is that we notice right away that the performance decreases when we enable the IPS, especially beyond the CPU and memory usage. If you want to enable the IPS and you have a lot of traffic, it can have an impact. The performance could be improved.

We have been using Check Point IPS for four years. 

It's very stable. We never had any issues of it stopping to work. It's been very stable. 

It's very scalable in the way that you can create a profile and a Blade throughout your firewalls. When you create an exception, it will apply to all your firewalls, if you want it to. 

Three network security engineers work with Check Point IPS currently. It's used on all our permitted firewalls and most of the internal firewalls. We aim to deploy it on all our firewalls next year. It's deployed in 10 clusters.

At one point, we had an issue where we had some firewall Blade logs that were empty. They didn't have any information and we didn't know why. We had some remote sessions, but we couldn't find the root cause. We gave up on it because we couldn't find a solution. Support could be better.

This issue sometimes happens on a daily basis but we started to ignore it because we had a lot of sessions and we couldn't find the problem. It doesn't impact service. It's just one log in each 1,000 or more.

We also use Cisco Firepower. At first, we only had Cisco Firepower and then we started enabling IPS on the Check Point firewalls. At the moment, Check Point IPS is the only one that is in prevention mode. Cisco Firepower is only on detection. I think the biggest difference is that the advantage is that we already had the Check Point firewall. It was only a matter of enabling the new feature, the traffic was already going through it. We didn't need to add another appliance for doing the IPS on the Check Point port. Firepower has different hardware, so we need to do batching and put the traffic going through it. The biggest advantage of Check Point IPS is that it's integrated into a product that has other features. It's just a matter of enabling the Blade on the firewalls that are already receiving the traffic. I think it's the biggest use.

It's better to have everything in the same place. You can configure the firewall rules for allowing traffic and then you can also enable IPS protection on the traffic. It's better in that sense, but on the other hand, it will consume more resources on the firewall which is also doing other stuff. 

Check Point has some advantages and some disadvantages when you compare it with Cisco Firepower. With the protection itself, both of them are very useful. We don't have complaints about Firepower. The idea is to compliment one product with the other. The idea is to have both vendors with different kinds of protections.

My advice would be that if the firewall is already in place, you should also always put it in detection mode to see the report and see if you need to put any kind of exceptions before you put in prevention. You should also make sure that the hardware is capable of running the IPS for the amount of traffic that you want to analyze.

The initial deployment was very easy. You just need to buy the license, enable the Blade, and create a profile. It's easy when you create a profile because you just need to select which kind of protections you want to enable. You can select in terms of severity and performance impact. There are some protections that if you enable them, they have more impact than others. You can, for example, enable only the protections that have a medium or lower impact on the firewall performance and the medium or higher severity on the severity attacks. It's very intuitive and very quick to create the profiles.

The first deployment took three or four hours to add the license but then we waited for a month to create a new profile for the prevention mode. We deployed it ourselves. 

Our return on investment is that we feel that our infrastructure is protected. Especially for our web hosting infrastructure, where we have our websites and our portals, which are always under attack.

Compared to Firepower, the pricing for IPS is competitive. It's in line with Firepower and I think it's even a bit cheaper. Pricing is competitive. 

Licensing is per-device. When we renew the firewall content, we buy the IPS license for each firewall where we want to deploy it.

My advice would be to always have it with the latest database because you want to be protected against the latest attack vectors. It's very important to have it doing automatic updates so that when Check Point reviews an update of an attack that is currently happening, you always get it first before you get the effect.

I would rate Check Point IPS a nine out of ten. Not a ten because of the logging issues we've experienced. 

We are using Check Point IPS for securing our internal networks and our website, as well as all of the traffic that goes through us. The traffic is analyzed by the IPS, which checks for things like malicious files and different attack patterns.

We are using the virtualized version.

Our old IPS was much more difficult to administer so the adoption of Check Point has helped us in this regard.

The most valuable feature is ease of use.

Check Point IPS has quite a decent database of attacks.

The reports are well written so that you can understand what type of attack has occurred, the originating IP address, and other details.

It is always possible to improve the speed of an IPS, although there is always a performance penalty when using additional security software.

Occasionally there are glitches and errors like false positives, which would be a nice area of this solution to improve upon.

The pricing could be improved.

I have been using Check Point IPS for six or seven years.

The stability is quite good. The product itself is quite good and although we had some issues, they were usually hardware related. Since we upgraded to the virtual edition two or three years ago, we have had almost no incidents. 

We do not have a very big scale so I cannot comment on scalability. The performance is enough for us and to test scale, you would need a bigger connection speed. We have a 500 megabit internet connection and it is almost never saturated. We have tested ours and it works well. The only time we hit a bottleneck is when we are transferring large amounts of data or creating many connections, but that is not our typical use case.

We have 205 employees and they are all protected by Check Point IPS. They are all end-users except for our one system administrator. We do not plan on increasing our usage at this point.

With Check Point, we have had quite good support. They usually respond within two or three days with some kind of resolution or at least they collect logs and analyze them.

Most of our cases are solved with first-level support, which is local. They are our partner who sells this product and they have their own technical people who know our infrastructure. We generally do not need to escalate our issues to Check Point.

Prior to using Check Point IPS, we were using a solution by IBM. It was much more difficult to administer. However, we had already been using the Check Point Firewall product and moving to Check Point IPS was a logical choice. It was easier in terms of administration because it is the same console and we did not need additional servers. In fact, our infrastructure got a little bit smaller and the performance, I would say, is better.

With respect to the performance, having the solutions on the same machine means that the traffic is analyzed once instead of twice. There are fewer hops.

The initial setup was quite straightforward. We had to add the license and enable the policies, which was done within two days. After that, of course, we had some fine-tuning but I wouldn't say that it's a headache. In total, it took about a month before we had the configuration ready and it was in production.

One person was responsible for the deployment and one person is enough to take care of maintenance.

We had some trouble doing all of the troubleshooting and setting up some of our rules, so we had assistance from technical support during this part of the setup. We took care of the main deployment but they guided us when necessary.

It is difficult to calculate ROI for an IPS or a firewall because you can actually live without fancy security if you don't have any data to protect.

This is an expensive solution. I am not exactly sure of the pricing because we have a package deal that has the licenses included. I think that the price of support is around $40,000 USD or $50,000 USD per year.

How it works is that we license a pair of virtual CPU cores, as well as the firewall, and then the IPS is included along with the antivirus and additional products.

We did evaluate several IPS products by different vendors but they all had trouble integrating with our Check Point Firewall. We made the decision that even if the other products were cheaper to buy, they would need additional integration and custom development, so ultimately it was not worth it.

My advice for anybody who is researching this type of solution is that they need to choose the product carefully. Most importantly, I would look from a performance perspective. Secondly, I would consider it from a pricing perspective because there are cheaper solutions available like Sophos and Fortinet, and they are good at what they do. If there is no firewall in place at all and this is their first project with protecting the enterprise, then it is reasonable to look at all of the vendors and look at what features are needed. The most important part is what your administrators are used to using because if you need to train them then it's additional costs.

The next thing that I would suggest is to make sure that you get a good partner because it is important to have good first-level support.  

The biggest lesson that I have learned from using Check Point IPS is to be quite careful about which features you enable with it, and which protections to use. You need to balance performance with security, finding exactly the right configuration for your environment and requirements.

Overall, I would say that this is a decent product. If the pricing were cheaper then I would say that it was perfect.

I would rate this solution an eight out of ten.