Check Point NGFW OverviewUNIXBusinessApplication

Check Point NGFW is the #4 ranked solution in best firewalls. PeerSpot users give Check Point NGFW an average rating of 8.8 out of 10. Check Point NGFW is most commonly compared to Fortinet FortiGate: Check Point NGFW vs Fortinet FortiGate. Check Point NGFW is popular among the large enterprise segment, accounting for 54% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 17% of all views.
Check Point NGFW Buyer's Guide

Download the Check Point NGFW Buyer's Guide including reviews and more. Updated: March 2023

What is Check Point NGFW?

Check Point NGFW is a next generation firewall that enables safe usage of internet applications by blocking malicious applications and unblocking safe applications. Check Point NGFW, which uses deep packet inspection to identify and control applications, has features such as application and user control and integrated intrusion prevention (IPS), as well as more advanced malware prevention capabilities like sandboxing.

Check Point NGFW includes 23 firewall models optimized for running all threat prevention technologies simultaneously, including full SSL traffic inspection, without compromising on security or performance.

Benefits of Check Point's Next Generation Firewall

  • Robust security: Check Point NGFW delivers the best possible threat prevention with SandBlast Zero Day protection. The SandBlast protection agent constantly inspects passing network traffic for exploits and vulnerabilities. Suspicious files are then emulated in a virtual sandbox in order to detect and report malicious behavior.

  • Security at hyperscale: On-demand hyperscale threat prevention performance provides cloud level expansion and resiliency on premises.

  • Unified management: Check Point's SmartConsole makes it easy to manage and configure network security environments and policies. With the SmartConsole, users can manage all the firewall gateways and access logs and install databases from one location. Unified management control across the network increases the efficiency of security operations and reduces IT costs.
  • Continuous logging: Check Point NGFW’s Threat Management feature detects vulnerabilities and logs them. Using the logged data, users can easily create and implement efficient security policies.

  • Remote access: The remote access VPN provides a seamless connection for remote users.

Check Point NGFW is suitable for organizations of all sizes, from small businesses to larger enterprises.

Reviews from Real Users

Check Point NGFW stands out among its competitors for a number of reasons. Two major ones are its intrusion prevention feature as well as its centralized management, which makes it very easy to deploy firewall policies to many firewalls with one click.

Shivani J., a network security administrator, writes, "Check Point has a lot of features. The ones I love are the antivirus, intrusion prevention, and data loss prevention."

G., a network administrator at Secretaría de Finanzas de Aguascalientes, writes, “Within the organization, the inspection of packages has given us great help in detecting traffic that may be a threat to the institution. The configuration of policies has allowed us to maintain control of access and users for each institution that is incorporated into our headquarters.”

Arun J., a senior network engineer, notes, “The nicest feature is the centralized management of multiple firewalls. With the centralized management, we can easily use and operate multiple firewalls as well as create a diagram of them.”

Check Point NGFW was previously known as Check Point NG Firewall, Check Point Next Generation Firewall.

Check Point NGFW Customers

Control Southern, Optimal Media

Check Point NGFW Video

Check Point NGFW Pricing Advice

What users are saying about Check Point NGFW pricing:
  • "The licensing is straightforward; there are only three types of licenses that include NGFW, NGTP, and SNBT, so the organization can choose its license according to their requirements."
  • "Check Point is competitively priced; however, there is an additional charge for the Annual Maintenance Contract (AMC) and it is easy to understand."
  • "An annual technical support fee is paid to maintain the equipment with the most updated licenses and versions and thus avoid vulnerabilities"
  • "Check Point offers the same applications and features as Palo Alto for roughly a third of the price."
  • Check Point NGFW Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    User
    Top 20
    Scalable with seamless failover capabilities and excellent logging functionality
    Pros and Cons
    • "The failover from one device to the other has been seamless and we find that we do not lose ongoing SIP calls or Teams chats."
    • "We find the GUI to be wrong and the CLI doesn't always show all of the connections."

    What is our primary use case?

    We needed to replace our external firewall solution as we were having issues with the HTTPS inspection on our previous solution and the level of support being provided was terrible, leaving us with an issue that could not be fixed for over six months. 

    We had already deployed a new internal firewall solution but needed something that would protect that from external factors. We also needed a new solution to replace our client VPN solution. The Check Point solution gave us that as one whole solution instead of having to manage multiple services.

    How has it helped my organization?

    Our policy is to deny all outbound traffic unless we allow it, which can generate a lot of work to build a rule base that allows everything we need to get out. 

    This solution has made managing connections out to the web much better due to the categorisation and app control that is available. Being able to say certain apps and services are allowed out, instead of finding all the relevant IPs, has massively reduced the workload. The ability to manage the Client VPN and relevant rules for that in the same location has also improved the way we work. Having links into AD for group membership recognition and having rules based around this has been very useful in improving the way remote users can access the network.

    What is most valuable?

    Logging has been excellent. Being able to see all logs from all the various firewalls at different sites in one window has made fault finding much easier. We can see how the traffic is moving through the sites and on which firewall. 

    It has also been easy to see machines that may have had infections as we can report easily on devices trying to talk out to sites and services that are known to be dangerous. We have these set up as an HA pair on our main site and we have a lot of audio and video services that go out over the web. 

    The failover from one device to the other has been seamless and we find that we do not lose ongoing SIP calls or Teams chats. 

    What needs improvement?

    The functionality of the S2S VPN service has been temperamental for us at times and is not always simple to manage or check the state of. 

    We find the GUI to be wrong and the CLI doesn't always show all of the connections. 

    From a general usability point of view, if you have not used Check Point before, the learning curve is steep. Perhaps managing and configuring the devices could be streamlined for people with less experience so that they can pick it up quicker. There needs to be extra wizards for the out-of-the-box builds.

    Buyer's Guide
    Check Point NGFW
    March 2023
    Learn what your peers think about Check Point NGFW. Get advice and tips from experienced pros sharing their opinions. Updated: March 2023.
    685,707 professionals have used our research since 2012.

    For how long have I used the solution?

    I've used the solution for six months.

    What do I think about the stability of the solution?

    On the firewall side and content filtering side of the solution, it has been faultless. There has been no real downtime to note and the access to the web via relevant rules has always worked as expected.

    What do I think about the scalability of the solution?

    We have a fairly small setup in the grand scheme of things, however, from what we have seen, the ability to add in new firewalls or increase the hardware spec seems very good and it would be easy to transition from older to newer hardware when the time comes.

    How are customer service and support?

    Due to the support model we signed up for, we don't deal directly with Check Point support. We deal with the vendor first and they will deal with any 1st/2nd and even most 3rd priority issues. They would then go to Check Point if they need more assistance on our behalf. The level of support and responsiveness of their support has been excellent. We're always getting at least a response within a few hours, even on a P3/P4 issue.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did have another solution, but due to an issue with the HTTPS inspection that the manufacturer was not able to properly rectify or fix for 6 months, we lost faith in their ability to provide adequate support going forward for any issues we might come across. 

    How was the initial setup?

    The setup was complex due to the nature of the Check Point firewalls and us having to make some config setup in one portal and others on the CLI. We also had to arrange the rule base via the management console. There could be 3 different places you need to make various changes. We also used private microwave links as redundancy for VPN connections and that had caused significant issues in getting set up as the link selection did not cooperate at first.

    What about the implementation team?

    We implemented via a vendor and I have to say their level of expertise was brilliant. Every question we threw at them, they were able to provide an answer to. 

    What was our ROI?

    It was not the cheapest solution to go for, but the amount of admin time that has been saved by the use of Check Point firewalls has definitely given us a great return, giving us more time to work on other aspects of our network. Also, being able to consolidate 2 solutions (Firewall and Client VPN) into one solution has saved more money and admin time. 

    What's my experience with pricing, setup cost, and licensing?

    We found that Check Point was very flexible with its pricing. We were looking at a spec of hardware in other solutions. We found that Check Point did not have a direct competitor, but to help with the bid, they managed to reduce the costs of their higher-spec hardware to make it competitive with the other solutions we were looking at. It's not our fault they did not produce the hardware of a similar spec. It's up to them to try and provide a solution that would make it a competitive solution. 

    Which other solutions did I evaluate?

    We looked at several other solutions in including Palo Alto at the top of the market and Sophos XG further down.

    What other advice do I have?

    I would say as good as the solution is, if you are looking to get the most out of it, you should look to get a company or consultant who knows the Check Point solution inside out to assist with the setup. We found a partner who specialized in Check Point and we would not have been able to get it to the stage we have without them.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    PeerSpot user
    Senior Manager at a financial services firm with 10,001+ employees
    Real User
    Top 5Leaderboard
    Good support, flexible, scales well, and provides centralized policy management
    Pros and Cons
    • "It provides access to the Internet for corporate resources in a secure manner."
    • "The firewall throughput or performance reduces drastically after enabling each module/blade."

    What is our primary use case?

    The primary use is to protect the organization from any kind of attack. It is able to isolate, secure, and control every device on the network at all times. Solutions should have the ability to block infected devices from accessing corporate data and assets.

    It provides access to the Internet for corporate resources in a secure manner. Our resources are used to host applications and services that are accessible to end-users over the Internet.

    It is used to provide required/limited access for third parties who want to connect to our corporate network. Access is granted based on application type and should be independent of port or protocol.

    It provides next-generation protection including IPS/Web Filtering/SSL decryption and more. 

    It offers centralized policy management capabilities for all firewalls.

    How has it helped my organization?

    This solution was able to provide access to our internet-based resources using our application/FQDN.

    The license offers different modules for NGTP and SNBT. It provides multiple functionality or blades, which can be enabled on the firewall depending upon organizational requirements.

    Other than stateful packet filtering with the NGTP license, it provides blades such as IPS/URL/VPN/Application Control/content awareness/Anti-Bot/Anti-Virus/Anti-Spam. With SNBT, it provides additional security using the SandBlast Threat Emulation and SandBlast Threat Extraction for Zero-day attacks in real-time.

    Any file, before it reaches an endpoint, is executed in a virtual environment for analysis. Based on the verdict and configured policy, a decision will be made as to whether it should be delivered to the endpoint or not.

    What is most valuable?

    It provides the flexibility to use any module with the NGTP and SNBT license. Depending upon the requirements, the blades/module can be enabled on the firewall security gateway and it can be deployed easily.

    In case SSL decryption or IPS need to be enabled on any security gateway, it is simple to do. We can go ahead and enable the module/blade and then create a policy, deploy it, and it will start to work.

    It has a default five-user license for Mobile/SSL VPN, so the organization can check the solution any time or can even provide access to critical users on an as-needed basis, without getting the OEM involved, all on the same box.

    For smaller organizations with the correct sizing of the appliance, they can use the full security solution on a single box. It will provide financial benefits along with reducing the cost of purchasing additional solutions or appliances. 

    For example:

    • URL Filtering Module: It can replace the proxy solution for on-premises users with integration of application control and the Identity module. Active Directory access can be provided based on the User ID and the website or application.
    • SSL VPN or SSL decryptor, and more. 
    • Core assignment for each interface, which can be done using the CLI. If the administrator determines that a particular interface requires more compute, he can manually assign additional cores accordingly. This is done by enabling hyperthreading on the firewall. 
    • The policy can be copied from any security gateway and pasted onto another one.

    What needs improvement?

    This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access.

    For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.

    Source: User machine
    Destination: any
    Port: HTTPS
    Action: allow (for allowing the user's machine access)

    This has to be done along with the below policy:

    Source: User machine
    Destination: Other Zone created on Firewall
    Port: HTTPS
    Action: block 

    The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall.

    The firewall throughput or performance reduces drastically after enabling each module/blade.

    It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.

    For how long have I used the solution?

    I have been using the Check Point NGFW for more than eight years.

    What do I think about the stability of the solution?

    This solution is very much stable and does not require frequent changes in architecture. The patch frequency is limited and it does not require frequent maintenance windows in terms of downtime.

    What do I think about the scalability of the solution?

    This firewall is very much scalable. The introduction of Maestro has changed the concept of hyperscaling.  

    How are customer service and technical support?

    The technical support is excellent. The center is located in major cities in India along with the Check Point presales team.

    Which solution did I use previously and why did I switch?

    We did not use another solution prior to this one. We have been using Check Point for a long time.

    How was the initial setup?

    During the initial setup, support is excellent. It is a well-known OEM and they have people ready to resolve any issue that should arise.

    What about the implementation team?

    Our in-house team deployed it with support from the OEM.

    What's my experience with pricing, setup cost, and licensing?

    Cost-wise, it cheaper than industry leaders such as Palo Alto. The licensing is straightforward; there are only three types of licenses that include NGFW, NGTP, and SNBT, so the organization can choose its license according to their requirements.

    Which other solutions did I evaluate?

    We have evaluated solutions by Juniper, Cisco, and Palo Alto.

    What other advice do I have?

    Before implementing the security gateway, you need to be sure about the license and modules that you are going to enable. This includes determining the proper size, as it can affect throughput drastically after enabling each module. This is especially true for SSL decryption.

    The architecture needs to be studied before finalizing, as the configuration is done remotely using the centralized smart console. All of the security gateways need to be connected to the management server for any policy configuration, and they should be available at all times.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    Check Point NGFW
    March 2023
    Learn what your peers think about Check Point NGFW. Get advice and tips from experienced pros sharing their opinions. Updated: March 2023.
    685,707 professionals have used our research since 2012.
    IT System Operations Manager at Hamamatsu Photonics KK
    Real User
    Top 20
    Has a well-designed dashboard with great threat analysis reporting and good scalability
    Pros and Cons
    • "Policy configuration has been consistent over the years, so there is not much of a learning curve as upgrades are released."
    • "The software licensing model is too complicated with all the various tiers of SKUs (i.e. per software blade). They need to simplify this for easier purchasing and renewing."

    What is our primary use case?

    Check Point is currently our perimeter firewall at various locations. We use their failover clustering with high availability option, which performs flawlessly. Upgrades are easy to perform and have always worked reliably for us. Technical support is always available to assist with these operations, which makes the process less stressful to the admins. 

    We are also using their ISP Redundancy feature, which works as advertised - perfectly! It's easy to implement, especially with the awesome documentation from our engineer. We also use their Remote Access VPN offering and have really seen its value this past year, due to COVID-19. The VPN has been 100% rock solid, especially during the most critical times in our history.

    How has it helped my organization?

    As mentioned in the primary use case question, ISP Redundancy and VPN are the two primary use cases. When the pandemic hit, a sudden shift to a remote workforce was a major requirement for us, and we needed a reliable and stable firewall. Implementing ISP Redundancy helped ensure that, as well as having a tried and tested VPN solution. Upgrades have occurred during this time and manually planned failovers as well; every upgrade and test went smoothly and without issue. The last thing we could afford is an outage.

    What is most valuable?

    They offer very scalable solutions to extend compute resources if needed so initial sizing isn't too much of an issue as you can easily add more resources if needed. Reliability is a major factor in any hardware or software solution, and Check Point uses leading-edge hardware, and their software upgrade process is flexible for various deployment requirements. 

    Policy configuration has been consistent over the years, so there is not much of a learning curve as upgrades are released. 

    Their threat analysis reporting from their management console is very comprehensive and easy to use. Their web-based dashboard is well designed and offers many out-of-the-box reporting, and provides admins extensive customizations.

    What needs improvement?

    The pricing is on the high end, specifically with the software licensing, although they are flexible on some levels, and offer hardware buyback options when upgrading. 

    The software licensing model is too complicated with all the various tiers of SKUs (i.e. per software blade). They need to simplify this for easier purchasing and renewing. 

    Customer support is not always as responsive with solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.

    For how long have I used the solution?

    We have been using Check Point firewalls for 20+ years. We originally used the Nokia hardware platform, which was not technically NGFW at the time, however, the OS and its configuration have maintained some similarities over the years. It keeps getting better every release.

    What do I think about the stability of the solution?

    Lately, stability is 100% reliable. Earlier generation firewalls were a bit unreliable, however, as Check Point acquired third-party hardware. For example, their Nokia acquired security appliances had a firmware that worked, until they started to modify the firmware (IPSO 6.0 was solid, but problems started with our upgrade to R75), then it became less stable; frequent crashes, settings not saving, high availability issues, frequent reboots required.  Eventually, we upgraded to their NGFW offerings.  Their newer hardware, and firmware R77.x was released, and we have been stable ever since.  Upgrades to R80.x have been flawless, HA works as expected, and we have had zero performance issues.

    What do I think about the scalability of the solution?

    They are very scalable. If you need more computing resources, adding more hardware is easily done.

    How are customer service and support?

    Customer support is not always as responsive to finding solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We have always used Check Point.

    How was the initial setup?

    Setup was very straightforward and easy. We did have the assistance of our Check Point engineer, which is just awesome.

    What about the implementation team?

    We implemented through Check Point directly.

    What was our ROI?

    I do not measure ROI financially, although personally speaking, we have definitely gotten back every dollar we've spent by having reliable and secure infrastructure.

    What's my experience with pricing, setup cost, and licensing?

    The setup cost is not a challenge at all. Check Point engineers work directly with you throughout the whole process. The pricing is high, for the hardware and software, although discounts are negotiable. The software blade licensing is broken down into many flavors, depending on your needs. It is very a la carte and provides various product offerings, including endpoint management, VPN, disk encryption, etc.

    Which other solutions did I evaluate?

    We did review a few competitors during a possible migration plan. The proof of concept did not yield better results, so we stayed with Check Point. We reviewed Cisco, Palo Alto, and SonicWall.

    What other advice do I have?

    If you don't need/use their a la carte software blades (FDE, Ransomware, etc.) you can always add on later. They are very accommodating with trial licensing to test in a proof of concept way. If you already have other third-party products that perform those functions, you can bundle Check Point's and save a bit of money consolidating them.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    PeerSpot user
    Cybersecurity Operations Engineer at a tech services company with 201-500 employees
    Real User
    Top 5Leaderboard
    Easy to install, protects well, and offers an excellent GUI
    Pros and Cons
    • "It is always on the top of the list of best firewall solutions."
    • "The routing rules and some more network settings should be listed on the Check Point Smart Console instead of GAIA Web GUI."

    What is our primary use case?

    I have been using this solution as a perimeter firewall. 

    Our organization has ISP-based DDoS protection on the outer attack surface. Then, we have Check Point Next Generation Firewall with an IPS module as a second layer of protection. And then, we have Check Point Access Control, Application, and URL filtering, anti-virus, and anti-bot modules enabled. We also have the cloud-based Check Point Threat Emulation solution and different segmentations on Check Point Firewall as a DMZ zone, internal zone, and external zone. Our internal zones have different segments to improve our security level. We apply it by dividing our network into different VLANs by using the Check Point solution.

    How has it helped my organization?

    Check Point is the first vendor in which we found the stateful firewall terminology. It is always on the top of the list of best firewall solutions. 

    Financially, the benefit of Check Point is very high when I compare it with an average firewall solution. At the end of the day, the benefits it provides are already higher than I paid. 

    Our business performance is already doubled by the help of Check Point. If we need to talk about efficiency of administrators while managing a security  solution, I consider it as one of the most important item. 

    Thanks to Check Point, our security team can easily handle different problems in time.

    What is most valuable?

    Check Point gateway and management installation are very easy. After the console-based installation steps, you can continue on the web GUI interface. This is very valuable. It doesn't let you make a simple mistake, which might be a reason to install all the systems from the beginning. It has been designed to give you flexibility as much as needed; not more, not less. It prevents human mistakes, basically.

    If I have to say just one thing as the most valuable; I will say it is the most reliable firewall solution in the world. It is easy to prove that when I compare the number of CVEs which are published in a year among firewall vendors.

    What needs improvement?

    The routing rules and some more network settings should be listed on the Check Point Smart Console instead of GAIA Web GUI. It might be a little bit confusing when an administrator remembers the location of the settings. Also, it is hard to manage the settings by always jumping from GAIA Web-based graphical user interface to Java based Smart Console dashboard. Also, Check Point Next Generation Firewall has a very detailed and well-organized CP view on the console on both CLISH and expert (/bin/bash) shells; which gives an administrator a real-time monitoring option on the console.

    For how long have I used the solution?

    I have been using it for more than six years.

    What do I think about the stability of the solution?

    On a heavy load, I haven't experienced packet loss or inconsistent behaviors.

    What do I think about the scalability of the solution?

    In the beginning, I would consider Check Point solution as not scalable enough. However, after Maestro architecture, it is extremely scalable now. The organizations does not have to pay a lot of money to plan for the next 2-3 years. They are flexible enough to allow for the extension of their systems by adding another module like a blade.

    How are customer service and support?

    The customer service and support team respond in minutes. If it is a critical issue, you can reach them in seconds via chat.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I used Palo Alto and Fortinet firewalls before. From Fortinet to Palo Alto it was a big change. 

    Fortinet was not a good enough solution as compared to PA. Then, due to finances and some other reasons, I switched to the Check Point and it was one of the best decisions in my life.

    How was the initial setup?

    The initial setup is straightforward. You just need to define disk allocation for logs and system files and backup files as an amount. Then you can continue with Web GUI to set up network, DNS, etc. settings. Then you complete your setup by installing the Smart Console interface.

    What about the implementation team?

    The Check Point support team is one of the best. When I need them, they can escalate the ticket to an appropriate level of engineer to fix the problem.

    What was our ROI?

    As a security solution in this kind of market, prestige and being reliable cannot be measured with money. It costs more than a million dollars to have a defacement attack. The costs to prevent this kind of attack cannot be measured with money, in my opinion.

    What's my experience with pricing, setup cost, and licensing?

    I'd advise others to worry about changing their firewall habits from any vendor to Check Point. It will be one of the best decisions of their life. If you have time and money to take care of other vendors, go ahead. However, if you are smart enough to manage your money and time, don't be afraid to give a chance to Check Point solution.

    Which other solutions did I evaluate?

    I did get some PoCs from other vendors such as Sophos and some other firewall vendors which are focused on small-size organizations mostly.

    What other advice do I have?

    I recommend to all system managers and security administrators to try all the enterprise firewall solutions. Then, most likely the final decision will be to use the Check Point Next Generation firewall.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    TitleNetwork Manager at Destinology
    User
    Top 20
    Very configurable with good VPN clients and a helpful smart view tracker
    Pros and Cons
    • "As a system administrator my favourite part of Check Point is the smart view tracker. This alone is a must-have tool for tracking all traffic traversing the Check Point appliance."
    • "The only downside to Check Point, is, due to the vast expanse of configurable options, it does become easily overwhelming."

    What is our primary use case?

    Our business houses just over 100 staff, along with over 200 devices ranging from mobile to tablets, computers, laptops, and Servers. 

    We use a Check Point 5100 cluster running R80.40 to protect our business from external threats. 

    Our network is also extended to the likes of Microsoft Azure, Amazon AWS, and other 3rd parties utilizing secure VPN tunnels terminating on our Check Point 5100 cluster. 

    Our business also offers the ability of hybrid working - which is only possible with our Check Point solution.

    How has it helped my organization?

    Prior to using Check Point, we had a Draytek small business firewall, the Draytek would often hard lock, which resulted in the loss of internet connectivity for the business. The only way around this was to reboot the Draytek device which in turn would lose logging data as to what was causing the issue. 

    Moving onto Check Point completely solved this problem. The hardware is much more capable and the logging and alerting functionality means, should anything happen (like it did with the Draytek), we would have visibility on the logs which would give us a direction for troubleshooting and mitigation. 

    What is most valuable?

    Check Point offers a secure VPN client. We distribute to our agents via group policy. Our agents can then connect to our network when working from home - which was a game-changer due to the recent pandemic situation. 

    Check Point also offers a mobile app capsule connect which, as a system administrator, has proven very useful when a high-priority issue occurs. I am able to connect to my internal network via a phone or tablet - which has proven useful in some scenarios. 

    As a system administrator my favourite part of Check Point is the smart view tracker. This alone is a must-have tool for tracking all traffic traversing the Check Point appliance. It makes troubleshooting much easier. This software alone sets Check Point out in front of the competition.

    What needs improvement?

    Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release. 

    The only downside to Check Point, is, due to the vast expanse of configurable options, it does become easily overwhelming - especially if your coming from a small business solution like Draytek. 

    Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software. 

    For how long have I used the solution?

    I've used the solution for five years.

    What do I think about the stability of the solution?

    The solution was not always stable when running the older R77.30 version. Paired with a mid-spec box, we did find some issues with performance on more than one occasion, specifically the network would slow to a halt until a system reboot, there was nothing within the error logging and our external SOC couldnt find anything either. We'd often when updating the firewall policy it would fail to deploy usually taking around three or four policy pushes each taking about 20 minutes. We are now running much faster hardware with the later R80.30 release and those issues have completely disappeared.

    What do I think about the scalability of the solution?

    Scaling is dependant on the size of your network. Check Point does offer a wide range of lower to high spec appliances depending on your scale set.

    How are customer service and support?

    I've only had two instances using their support as we have a third party on contract for third-line issues that I cannot resolve. They were prompt yet not shy about pointing out potential issues with third parties and it not being their appliance. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We used Draytek. It didn't offer the security features that Check Point does and we were a victim to a successful attack from external sources which Check Point would have caught. We also found the hardware of Draytek was too underpowered to handle the size of our network. 

    How was the initial setup?

    A third party installed the appliances initially. It is a complex process, as Check Point is vast in features and very configurable. You find yourself using the web interface, their own management software smart dashboard, and a mixture of CLI and config files to get your end result. 

    What about the implementation team?

    We implemented it through a vendor team. Their level of expertise ranged as we moved through three separate technicians during our installation which was problematic. I wouldn't use this particular vendor again. That said, this was nothing against Check Point. 

    What was our ROI?

    You cannot put a price on security. Check Point is a field leader. However, it comes at a high price. 

    What's my experience with pricing, setup cost, and licensing?

    If you have no experience with Check Point and you are on a deadline, it's essential you find a company certified to help with the deployment and configuration. The feature set is rich however, it's not always user-friendly. 

    Pricing, including licensing, is very expensive compared to alternate products such as Sophos, Barracuda, or FortiGate

    Which other solutions did I evaluate?

    We evaluated Fortigate, Sophos XG, and Barracuda. However, ultimately the decision boiled down to our parent company already using Check Point. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    PeerSpot user
    AGM Cyber Security CoE at Bata Group
    Real User
    Top 5
    Flexible, provides good visibility, and it's easy to manage with a centralized dashboard
    Pros and Cons
    • "It creates granular security policies based on users or groups to identify, block or limit the usage of web applications."
    • "Although Check Point provides annual updates to the Gaia platform, integration with other OEMs is difficult."

    What is our primary use case?

    We use this solution for complete protection against advanced zero-day threats with Threat Emulation and Threat Extraction. We also use:

    • NSS Recommended IPS to proactively prevent intrusions
    • Antivirus to identify and block malware
    • Anti-bot to detect and prevent bot damage
    • Anti-Spam to protect an organization's messaging infrastructure
    • Application Control to prevent high-risk application use
    • URL Filtering to prevent access to websites hosting malware
    • Identity Awareness to define policies for user and groups
    • Unified Policy that covers all web, applications, users, and machines
    • Logging and Status for proactive data analysis

    How has it helped my organization?

    The solution has improved the organization with respect to the following:

    • Simple implementation and operation
    • Central dashboard for managing branch firewalls
    • Easy measurement of security effectiveness and value to the organization
    • Proactive protection with the help of many inbuilt blades
    • SandBlast Threat Emulation and Extraction provides us zero-day protection from known and unknown threats in real-time 
    • Great visibility on the number of threats being blocked at the dashboard
    • Helps to clean traffic, both egress and ingress
    • A simplified URL filtering option is available for users with detailed granularity to map user/departments with respect to specific access
    • It does deep packet inspection for checking HTTPS traffic. There is a shift towards more use of HTTPS, SSL, and TLS encryption to increase Internet security. At the same time, files delivered into the organization over SSL and TLS represent a stealthy attack vector that bypasses traditional security implementations. Check Point Threat Prevention looks inside encrypted SSL and TLS tunnels to detect threats, ensuring users remain in compliance with company policies while surfing the Internet and using corporate data
    • It helps in the identification of C&C via Anti-Bot
    • It provides geolocation restrictions that may be imposed via IPS
    • Excellent Application Control for the administrator to manage the access for users
    • Secure remote access is configured with mobile access connectivity for up to five users, using the Mobile Access Blade. This license provides secure remote access to corporate resources from a wide variety of devices including smartphones, tablets, PCs, Mac, and Linux

    What is most valuable?

    We are using the Check Point Next-Generation Firewall to maximize protection through unified management, monitoring, and reporting. It has the following features:-

    • Antivirus: This stops incoming malicious files at the gateway, before the user is affected, with real-time virus signatures and anomaly-based protections.
    • IPS: The IPS software blade further secures your network by inspecting packets. It offers full-featured IPS with geo-protections and is constantly updated with new defenses against emerging threats.
    • AntiBot: It detects bot-infected machines, prevents bot damage by blocking both cyber-criminals Command and Control center communications, and is continually updated.
    • Application Control: It creates granular security policies based on users or groups to identify, block or limit the usage of web applications.
    • URL Filtering: The network admin can block access to entire websites or just pages within, set enforcements by time allocation or bandwidth limitations, and maintain a list of accepted and unaccepted website URLs.
    • Identity Awareness: This feature provides granular visibility of users, groups, and machines, enabling unmatched application and access control through the creation of accurate, identity-based policies.

    What needs improvement?

    I would like to see the provision of an industry-wide and global benchmark scorecard on leading standards such as ISO 27001, SOX 404, etc., so as to provide assurance to the board, and confidence with the IT team, on where we are and how much to improve and strive for the best.

    Although Check Point provides annual updates to the Gaia platform, integration with other OEMs is difficult. This integration would be helpful in providing a full security picture across the organization. I am looking forward to the go-ahead of R81 with MITRE framework adoption in the future.

    For how long have I used the solution?

    We have been using the Check Point NGFW for the last four years.

    What do I think about the stability of the solution?

    This is a very stable product.

    What do I think about the scalability of the solution?

    It is highly scalable on cloud and does provide customers with lot of flexibility while performing the sizing of the appliance.

    How are customer service and technical support?

    Technical Support needs improvement, especially the L1 engineers.

    Which solution did I use previously and why did I switch?

    Prior to this solution, we were using GajShield. However, due to limited visibility and support, we opted for a technical refresh and upgrade of products.

    How was the initial setup?

    Yes initial setup was complex as migration of policies from one OEM to another is a challenge. however we meticulously planned and completed the implementation in phases.

    What about the implementation team?

    Yes we took help of the Certified Vendor. Vendor support was good.

    What was our ROI?

    We did not calculate our ROI; however, it provides good visibility to us.

    What's my experience with pricing, setup cost, and licensing?

    Check Point is competitively priced; however, there is an additional charge for the Annual Maintenance Contract (AMC) and it is easy to understand.

    My advice is to negotiate upfront with a support contract of between three and five years.

    Which other solutions did I evaluate?

    We evaluated Palo Alto, Barracuda, and Fortinet.

    What other advice do I have?

    In summary, this is an excellent product and featured consistently in Gartner for the last 10 years. They have good R&D and support services across the globe. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Gonzalez - PeerSpot reviewer
    Network Administrator at Secretaría de Finanzas de Aguascalientes
    User
    Top 20
    Helpful support, easy centralized management, package inspection facilitates malicious traffic discovery
    Pros and Cons
    • "Within the organization, the inspection of packages has given us great help in detecting traffic that may be a threat to the institution."
    • "The equipment is complex, so you need guidance from specialized people or those who constantly work with Check Point. Better forums and information manuals could be provided so that users from different institutions can have more access to the information."

    What is our primary use case?

    We support various clients in the government sector in Mexico. We provide different solutions in terms of network security, data security, and perimeter security. The NGFM Firewall is available locally and different offices and/or institutions of the government sector pass through a more secure and controlled infrastructure.

    This type of infrastructure has different zones or areas that are managed and keeping them centralized has helped us to maintain and control them. In addition, we are generating fast and safe solutions for our users on each site.

    How has it helped my organization?

    Check Point has provided us with an easier way to control all of the access traffic for more than 50 segments that we have within the organization. In addition, we have been able to maintain stricter control of the users and/or equipment that are had in all the institutions that make up the government sector of the entity.

    Check Point technology has allowed us to keep the organization and distribution of the network in order within the institution. In addition, the VPN service we have has worked correctly for users who want to work remotely from their homes, which was of great help during the pandemic.

    What is most valuable?

    Within the organization, the inspection of packages has given us great help in detecting traffic that may be a threat to the institution.

    The configuration of policies has allowed us to maintain control of access and users for each institution that is incorporated into our headquarters. It is well organized.

    Some other of the services that have worked well for us are antivirus, anti-bot, and URL filtering. Together, these have allowed us to maintain control and organization amongst the users.

    Another one of the pluses that have helped us a lot has been the IPsec VPN, especially in these times of pandemic.

    What needs improvement?

    Using the tool is somewhat complex when teaching new staff, although after practice it is quite easy to get used to this technology.

    One of the improvements that could be included is to have a help menu to obtain advice or help for the different options that are presented in the application.

    The equipment is complex, so you need guidance from specialized people or those who constantly work with Check Point. Better forums and information manuals could be provided so that users from different institutions can have more access to the information.

    For how long have I used the solution?

    The company has been using the Check Point NGFW for more than four years.

    What do I think about the stability of the solution?

    Compared to other networking equipment I have used, I would say that Check Point's NGFW is just as stable. We rarely have problems, and they can all be properly fixed without affecting productive or critical network elements.

    What do I think about the scalability of the solution?

    There are currently more than 5,000 users within government facilities in Mexico. This team has provided us with the necessary resources to provide services to users in record time.

    With the teams that we currently have, we have not considered increasing the number of technicians. If the need should arise then Check Point is still a very good option.

    How are customer service and technical support?

    Technical support has been available when we have problems, and they are always there to help us get back up and running as quickly as possible. In addition, the equipment is kept up-to-date with the latest versions, or alternatively, those recommended by the provider.

    Which solution did I use previously and why did I switch?

    This solution was deployed before I entered this governmental organization. What I have heard is that prior to this, the security and segmentation control was not ideal and they wanted to improve it. With the implementation of Check Point, great improvements have been provided to the infrastructure, maintaining order within the organization.

    How was the initial setup?

    When I entered the company, the equipment was already installed. With the passage of time, some configurations have been improved and some extra services have also been achieved for mobile users.

    What about the implementation team?

    It was implemented through a provider that has been guiding us towards the correct use of the equipment and the best practices to keep it updated. The service has been excellent, both in common day-to-day ticketing situations, including the most serious incidents.

    What was our ROI?

    It has been well worth the investment, as the Check Point technology is there to help when we need it.

    What's my experience with pricing, setup cost, and licensing?

    One of the main reasons that Check Point is used is that it helps us to administer security at a reasonable price. This is naturally in addition to meeting the expectations of the institution.

    An annual technical support fee is paid to maintain the equipment with the most updated licenses and versions and thus avoid vulnerabilities

    Which other solutions did I evaluate?

    Check Point is the option that has always been considered for its good firewall organization, which allows us to have excellent security.

    What other advice do I have?

    My advice is to always have a supplier with whom you can resolve doubts or more specific technical questions. Since the equipment requires many very technical parameters, it is helpful to have a person who understands and uses this technology correctly.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company has a business relationship with this vendor other than being a customer:
    PeerSpot user
    Network security engineer at Fidelity Bank
    Real User
    Top 5
    Cisco dominated the African market until Check Point came along
    Pros and Cons
    • "Check Point has a really cool GUI."
    • "The end-user VPN could be improved. It could benefit from some modification."

    What is our primary use case?

    We use this solution for permissions regarding access ports and services. We also use Check Point Remote Access VPN as an endpoint VPN. We use it for site-to-site configuration. 

    All of the traffic that comes through our sites passes through our firewall. Basically, everyone, including our staff and clients, passes through our firewall. In other words, we have thousands of users using this solution.

    How has it helped my organization?

    The NGFW has helped our compliance to regulations authorities such as PCIDSS. It has has helped the bank create secure connections to vendors and third party service providers as well as remain stay protected from attacks and intrusion attempts.

    What is most valuable?

    The management of services, including forming access lists with the services we have, connecting servers to servers, permissions between servers and users — this is all great. In addition, Check Point has a really cool GUI.

    What needs improvement?

    The end-user VPN could be improved. It could benefit from some modification. 

    The VPN timeout feature needs to be improved. When we try to connect to the VPN, it times out before we can even enter our user name and password. If you can't prove you are who you say you are within seven to ten seconds, it just kicks you out.

    For how long have I used the solution?

    1 year +

    What do I think about the stability of the solution?

    Check Point has actually failed twice within the last year. The first failure was a disk failure. Check Point offers a software solution, they don't actually offer hardware. They will only provide you with the software and licenses. Because of this, when our disk failed, we had to wait for them to ship in some new hardware for us to fix the issue.

    Aside from the disk failure issue, a month ago, our Check Point device froze. We don't exactly know what caused it to happen. It caused the entire organization to go down for about two to three hours until we found out that Check Point was not allowing anything to pass through. Our Check Point is clustered, so primarily it's supposed to have a failover feature. For some reason, the failover feature didn't work. When the primary gateway went down, it affected everyone.

    What do I think about the scalability of the solution?

    We've not tried to expand Check Point. We have two sites. We have a primary site and a secondary site that is off-prem. For this reason, we planned big. We planned for a high amount of availability for our two sites. We use clusters of four gateways: two gateways are in one cluster, and another two gateways are in another cluster. If one goes down, it switches to the other. If the second goes down, it switches to the other DR site. We've got backups of everything. 

    How are customer service and technical support?

    The technical support is very responsive. We have a vendor that acts as a buffer between us and Check Point. In our country, these companies all have a local vendor that pushes their product.

    When we contacted our vendor, our vendor called Check Point and as they were talking, Check Point shipped the hard disk, to fix the issue I mentioned earlier. They just placed the order immediately, while we were still talking. We think that they knew that delivery was going to take about five days — it was actually very fast.

    How was the initial setup?

    The initial setup and deployment were straightforward. We deployed it with RADIUS servers;  it was not complex at all.

    What about the implementation team?

    From scratch to finish, deployment took about a month. It took this long because we had to convert all of our existing configurations from Cisco Firewall to Check Point. We had to get help from our vendor to do this. He had to manually convert each and every command from our existing Cisco device to Check Point — that took a while. This was the main reason that deployment took so much time.

    The end-user VPN didn't take much time to deploy. Neither did the site-connecting with the VPN — that took a day or two to deploy.

    What's my experience with pricing, setup cost, and licensing?

    I think our licensing is on a yearly basis, but it could be every three years. Either way, it's not more than three years — that I am certain of.  

    The pricing was actually what made us go for Check Point. Palo Alto was much more expensive. Check Point offers the same applications and features as Palo Alto for roughly a third of the price.

    Which other solutions did I evaluate?

    We evaluated Palo Alto, Cisco (which we were using), and we also evaluated Check Point — which we ended up with.

    What other advice do I have?

    I would recommend Check Point to others. We are still learning as we're just about a year into using it, but so far, the support and the solution in general has been good. I'd recommend Check Point, especially to users that are looking for an affordable solution. 

    Check Point also has a great community. They have this community where users can go to share ideas. They also have great networks. 

    Overall, on a scale from one to ten, I would give this solution a rating of eight. Cisco dominated the African market until Check Point came along. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    Download our free Check Point NGFW Report and get advice and tips from experienced pros sharing their opinions.
    Updated: March 2023
    Product Categories
    Firewalls
    Buyer's Guide
    Download our free Check Point NGFW Report and get advice and tips from experienced pros sharing their opinions.