Check Point NGFW Reviews

For the SMB appliances, the use case is tricky because I don't actually like them too much. If you have a very small branch office, you could use one of them, but in that case I would just go for the lowest version of the full GAiA models. But for small locations that are not that important, it is possible to use one of the SMB appliances, the 1400 or 1500 series. 

The full GAiA models, starting with the 3200 and up to the chassis, are the ones we work with the most, and you can use them in almost every environment that you want to secure, from Layer 4  to Layer 7. The only reason to go higher is if they don't perform well enough, and then you go to the chassis which are for really big data centers that need to be secure.

About a year or a year-and-a-half ago, they introduced the Maestro solution, which gives you the flexibility of using the normal gateways in a way that you can extend them really easily, without switching to the chassis. You can just plug more and more gateways into the Maestro solution.

It's difficult to say how these firewalls have improved our clients' companies because a firewall isn't meant to improve things, it's meant to make them more secure. Nine times out of 10, it's going to give you something that the end-users aren't so happy with. But Check Point Next Generation Firewalls improve security and, indirectly, they improve the way users work. They can access practically everything on the internet without being concerned about what's going to happen. They give users more confidence when doing something, without having to worry about the consequences because the gateway is going to help them out where needed, preventing malicious stuff.

The feature I like the most is their central management, the Smart controller which you can use to manage all the firewalls from one location. You can get practically all information — but not all the information, because not everything has been migrated from the previous SmartDashboard version into the SmartConsole. Being able to access almost everything in one location — manage all your gateways and get all your logs — for me, is the best feature to work with. 

As for the security features, that depends a bit on what you're doing with it, and what your goal is. But they're all very good for application URL filtering. Threat Prevention and Threat Extraction are also great, especially the Threat Extraction. It's very nice because your end-user doesn't have to wait for the file that he's downloading to see if it's infected, if it's malware or not. It gives him a plain text version without active content, and he can start working. And if he needs the actual version, it will be available a few minutes later to download, if it isn't infected. That's a great feature. 

Anti-Bot also is also very nice because if a PC from an end-user gets infected, it stops it from communicating with its command and control, and you get notification that there is an infected computer.

It's difficult to distinguish which feature is best, because they're all good. It just depends on what your goals are. As a partner, we are implementing all of them, and which ones we prioritize depends on the client's needs and which is the best for them. For me, they're all very good.

The MTA (Mail Transfer Agent) may not be the greatest, and the full proxy that you can activate instead of just doing application control is also not the greatest, but they don't even recommend using those. They're just available if you want.

But the biggest improvement they could make is having one software to install on all three levels of their products, so that the SMBs, the normal models, and the chassis would all run the same software. Now, while there is central management, everything that has to be configured on the gateway itself works differently on the three kinds of devices. That is a bit hard because you have to update your skills on all three.

A practical example is that I have a client that I run scripts for to get information from 40-plus firewalls. That client is thinking about refreshing and there may be SMB appliances in the roll-out that don't run those scripts. That would make my job a lot harder. So the best improvement would be standard software on all their devices.

I started working with Check Point firewalls in 1999, so it's been about 20 years. In the last year I have worked with all the SMB appliances, through the full GAiA and up to the 64000 series.

There's not much difference between a Check Point 3200 and a 5200 because they're running the same OS. There are just performance differences. So I can't say I've worked on every model, because I don't always check the model when I come to a client. But I've worked on every model that runs different software. I've worked with all three kinds of software that are used by Check Point.

The SMBs have room for improvement in stability. They're not as stable as they could be.

The chassis are great, but they are running behind. Maybe "running behind" is an overstatement, but the roll-out of new features on them is really slow because they want them to be tested and tested and tested. The clients installing these chassis are large banks or very large customers that can't have any downtime whatsoever, so it's normal that they test them more thoroughly. 

For the mainstream models, we do run into bugs on a regular basis, but they're mostly not showstoppers. You can run into a bug, but either there's a possible work-around or it doesn't impact things so much that there are huge problems for the client.

The SMBs are not scalable. New devices come out from time to time that are more performant. The mainstream devices are also not scalable except if you go with the Maestro version, and then you can just plug in an extra firewall and it scales up. With the chassis you just plug in an extra blade and it scales up also. So the Maestro and the chassis are very scalable, but for the other models it comes down to buying new boxes if the current ones aren't sufficient anymore.

Check Point support is a very difficult question because not so long ago I had a major complaint with Check Point about their support. Now, they give us much better support because we have the highest level of partnership. They recognize that the people from our team, in particular, are very skilled, so we don't go to first-level support anymore. The moment we open a ticket, we get tier-three support, and that is good.

But we haven't had this privilege for that long and, in the past, support could be a bit tricky. If we got a tier-one engineer it could be okay for support that wasn't urgent but if we were doing an implementation, especially since we had a lot of experience, they were mostly asking questions about things that we had already checked. Often, we had more knowledge than they did.

For us, it's great that we now immediately get access to tier-three. I just wrote an email to the support manager this morning about an issue we had last night, and I told him the support was great; no complaints anymore. It took a while, but now it's good. I can't complain anymore.

It depends on the partnership you have with Check Point. If you're a lower-level partner, you have to go through the steps and it takes a bit of time. If you're working in a company that has a good partnership and you can negotiate some things, then support is good and you get very good people on the line.

The initial setup of these firewalls is fairly straightforward for me, but they're not the easiest ones to learn and to set up. But I've been working with Check Points for 20 years. So if you're a new user, I wouldn't say it's easy. If you have experience, it's not really that difficult. But the learning curve is higher than some of the competitors.

The time for deployment depends on the features you want to enable on the firewall and the environment you want to put it in. If it's a branch office with a small network, a DMZ and an internet connection, that would take half a day or a day. It also depends though on if it is a completely new installation where you also have to install a Management Server. On average, we count on about one day per gateway and one day for the management, but it depends on the complexity of the environment, of course.

Our implementation strategy differs per client, and it even differs by the engineer who does it because everyone has his own skills and tricks from the past that they're using. But a uniform implementation approach, especially for different clients, is very difficult to do because every firewall is a complex product. You can't do for client A what you're going to do for client B.

If it's an installation we go the standard route, with a high-level design and get it approved by the clients. Then we go for the low-level design and implementation. A standard implementation is a clustered environment with a separate Management Server. We almost never deploy one gateway, so one cluster with a separate Management Server is the most basic level. We usually set up the management on a virtual system, not an appliance, and we try to go for appliances for the gateways, depending a bit on the customer's needs; it could be virtual.

Make sure you get the correct license. For instance, I did an audit for one of our clients recently and I saw that they always were buying the most expensive license and not using the features that were included in it. That's one thing to look at: If you're not going to use some features, don't buy the license related to those and go for a cheaper license. 

Also, negotiate. There's always room for discounts.

You get licensing bundles, so depending on which features you want to activate, your license is going to be more expensive. Some things, like Threat Extraction and Threat Emulation, require subscriptions. They don't come with a standard firewall. 

I'm not a licensing expert, but as far as I know there's the standard firewall, the Next Generation Firewall, and then the Next Generation Threat Prevention license. The price goes up in those bundles.

Another vendor I work with and have the most knowledge about, when compared to Check Point, is Palo Alto. They force you to work a bit more with applications instead of ports, although that's not something Check Point cannot do. 

The central management is different for Palo Alto. You can install it, but it doesn't work the way it works with Check Point. I like both. I like that with the Palo Alto you just go to a web browser and can configure the firewall all the way, but it's also easy to have the SmartConsole from Check Point where you can manage multiple devices. Palo Alto doesn't really have that. They have a central manager where you can get logs and where you can distribute some policies, but it doesn't work the way Check Point's central management does.

Both have their pros and cons. It depends on how you like to work. I like working with both of them. It's a bit different, but in terms of security and features, I don't think they're that different. It's just another way of working.

Make sure you have a good partner doing Check Point work for you because, as a direct client, it's very hard to get the necessary skills in-house, unless you're a very big company. Contact Check Point and ask them which partner they recommend and go that route. Don't try to do it yourself. The firewall is too complex to set up and maintain yourself, without the assistance of people who do it every day.

Learn and get experience with it. Don't be overwhelmed. When you start with it all the features and all the tips and tricks that you need to know to maintain it, it can be overwhelming. Like I said, the learning curve is very steep, and when you start with it, it's going to look like, "Whoa, this is impossible." But stick with it and when you get some experience it's going to be okay. It's a difficult product, but once you get the hang of it, it's one that's really nice to work with. We still run into issues from time to time, but Check Point products are very manageable and fun to work with. Check Point is my favorite vendor. I like working with it a lot.

I would rate Check Point's mainstream solutions at eight or nine out of 10, and the same for the chassis. I would rate the SMBs around a six. I don't really like those too much. Overall, Check Point is an eight, because most people are going for the mainstream solutions and those are very good.

For Check Point, the main cases are just perimeter security, network security, basically detecting threats on the network, antivirus, application control, visibility, login, and data threat prevention.

I like the GUI. In terms of functionality, it used to be the detection capability. Check Point has good security intelligence, which helps detect threats. They have the historical background to do that. But now, Fortinet is a bit better. 

A lot of things need to be improved in Check Point NGFW. One, their support team isn't very efficient and useful. 

The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess.

Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. And visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, MAC addresses, and sometimes usernames. More granular detail is crucial for security.

So support efficiency, visibility, and adding competitive capabilities are key areas for improvement.

I have been with Check Point for a very long time. So, it has been almost six years.

I would rate the stability a six out of ten. There is room for improvement here. 

I would rate the scalability a seven out of ten. My customers are mostly medium-sized businesses, but my clientele also includes enterprises.

There is room for improvement in the customer service and support. 

Neutral

I'm heavily biased towards Fortinet. Check Point is a direct competitor, so from my experience, it's a decent firewall. There are strong points and weak points, but Fortinet is superior for various reasons.

The initial setup is really straightforward. The GUI is very good. However, the issue I have is with the stability. In terms of simplicity, I don't consider Check Point to be a straightforward solution. Another point to mention is my experience in planning within customer environments. The outcomes are not always as expected. 

For instance, when setting up Check Point firewall and flat policies, the policies didn't take effect immediately. There was a situation where the policies took effect after about two hours. Such instances were mind-boggling. Regarding VPN issues, when implementing IP protection between Check Point and other vendors, remote access can be challenging.

In Nigeria, it's predominantly on-premises. Many organizations are moving towards cloud, but many others use a hybrid approach, both on-premises and in the cloud. 

A few are using Check Point in the cloud, but most test with Fortinet due to easier integration with public cloud providers like Microsoft. Public cloud vendors also have their own firewalls, like Microsoft and AWS. In terms of adoption, Check Point is behind in cloud adoption in Nigeria.

Overall, the process is very fast and depends on the type of deployment. For example, replacing a Cisco firewall with Check Point requires converting policies, which can take quite a while, depending on the size of the policy base. In my personal experience, setting up Check Point was very quick.

It's reasonably priced, but competitors offer much cheaper options. It's market-related, so the pricing makes sense for what Check Point offers.

My recommendation is to consider Fortinet as an alternative. Overall, I'd rate it a seven out of ten. There's room for improvement, especially since Check Point doesn't seem too focused on our region. 

In Nigeria, procuring the firewall and bundled services like technical account management and professional services can be challenging. The service delivery is not as efficient as one would expect, which wouldn't be the case for a European customer.

We use the solution to configure sandboxing features for enterprises. We also use it for policy-level configurations and VPNs.

Sandboxing is the most valuable feature. A majority of the configurations are very accurate. We can find what an organization's user is downloading from the internet.

The support team should be faster.

I have been using the solution since 2016.

All products have some bugs. However, we had a minimum bug experience with Check Point. I rate the tool’s stability an eight out of ten.

The product is scalable. Everyone in our company uses the product. We are 100 users. We have an on-premise firewall. We use it every day.

I have contacted the support team. I have had good conversations with the engineers. Sometimes, it takes a little bit of time to solve some issues. If it's a complex issue, we need to start from scratch and escalate to a bigger tier of support.

Positive

The initial setup is very easy.

The product is not that expensive for what it is offering, but it could be cheaper. Nowadays, all the vendors are increasing their prices. Suggesting the product to the customers will be easier if it is a little cheaper. The tool offers good attributes.

Palo Alto is also a good vendor. We chose to go with Check Point as well for our enterprise solution as distributors, and we suggest it to our customers.

I was an engineer for AT&T. I helped customers with configurations. The vendor is taking care of the user side of security with Check Point Harmony. It is a very good product. Check Point Harmony must provide administrators the ability to manage external programs remotely. Some customers want such features, and other vendors provide them. I would recommend the solution to others. The vendor has been investing a lot of money and effort to prevent zero-day attacks. Overall, I rate the tool a nine out of ten.

We use the solution for full-scale integration and end-to-end management at the organization. The Check Point NGFW implementation took place quite smoothly.

Check Point NGFW is the best in terms of comprehensive protection against network threats and security against malware and phishing attacks. It smoothly restricts these via anti-phishing algorithms.

Check Point NGFW source package covers all the bases - application control, NAT, DLP, routing, content awareness, VPN, desktop security, and much more.

It is scalable, provides end-to-end resolution and customized productive services like providing a complete solution for perimeter protection that
blocks the traffic based on an IP address or on applications
and content. This makes Check Point NGFW highly promising and makes it a complete solution.

Check Point NGFW is the best in terms of comprehensive protection against network threats, malware, and phishing and smoothly restricts these via anti-phishing algorithms.

The source package covers all the bases - application control, NAT, DLP, routing, content awareness, VPN, desktop security, et cetera.

It provides end-to-end resolution. It is a customized productive service and a complete solution for perimeter protection that blocks traffic based on IPs, applications, and content.

The most valuable services it provides are end-to-end resolution and perimeter protection; It blocks traffic based on IP address, applications, and content.

Check Point NGFW is best in terms of comprehensive protection against network threats, malware, and phishing. It has great anti-phishing algorithms.

They could improve by lowering prices. The source package is a bit more expensive than its competitors. 

We've had some downtime issues.

It could be more generalized and user-friendly in terms of its support portal for raising tickets. Ads management should all just be on a single click.

Overall Check Point NGFW is highly scalable and provides end-to-end resolution and a wide range of customized productive services with a huge community and team behind it.

I've used the solution for about 1.5 years or so.

I hadn't gone through any such solution earlier. I just tried in-built system solutions.

Check Point NGFW integration is quite smooth in terms of licensing. They are a bit more expensive, yet they are overall a strong product and a must-have for professionals.

No, I did not go through software review websites for recommendations and software services outlooks.

Check Point NGFW is highly scalable. It has a wide range of customized productive services with a huge community and team behind its technology.

We have deployed this software to provide comprehensive security beyond the Next Generation Firewall (NGFW). 

This software provides advanced analytics on any security measures that can have a great impact on our applications. 

It blocks malware attacks that can destroy data and leak confidential information to unauthorized parties. Check Point NGFW has helped the company to set up security policies that enhance the effective transfer of files and secure browsing strategies. There is improved prevention of external threats to data and increased production across the networking infrastructure.

Check Point NGFW has helped the company in the prevention of cyber attacks that could affect operations and slow down production. 

The intelligence reports from the real-time insights have helped members to avoid risks and plan efficiently for the future. 

Security threats that we used to experience before we deployed this product have been reduced, and the networking channels are ever safe. 

Sharing documents under secure infrastructure has increased the confidence of employees and enhanced faster implementation of tasks and projects.

The software provision of uncompromising security models across all the company applications has stimulated increased production. 

It has given the IT team full control and setup authority to scale down and deploy security to the most demanding platforms. 

The solution is safeguarding our financial databases and always has prevented fraud while giving employees peace of mind. 

The software has enabled us to come up with a unified dashboard that can monitor all accounting operations and investigate when there are security loopholes that can lead to data mismanagement.

The current features have a full set of security models that can protect any organization's information from ransomware attacks. 

When installed on Windows, the system with low storage space slows down. It is not compatible with all mobile devices and this may be unfair to some users. The next release can be more compatible with Windows and mobile devices for increased efficiency. 

I have experienced the best environment while working with this platform. All the data across the transactional records is ever secure under Check Point NGFW and I am proud of that great step ahead.

I've used the solution for nine months.

This platform is stable in the prevention of ransomware attacks.

I have been impressed by the performance of this software since we deployed it.

The customer support team has been always been responsive and interactive with our members.

Positive

I have not used a similar solution.

The setup was straightforward.

The deployment was done through the vendor team.

The current ROI is 35%.

The setup cost is good and the solution is affordable.

I evaluated other options. However, the company settled on Check Point NGFW due to its performance.

This is a great solution for many organizations that require stable data security.

We are using Firewall Intrusion Prevention and URL Filtering, and we just purchased the Endpoint Protection package for our workstations.

It is deployed on-premises. We have two Check Point systems in place. We have one that's between our business network and the outside world, and we also have one that's between our business network and our internal SCADA system.

We haven't updated to version 81, so we're still at version 80.

It has provided us with great protection from threats. I've been here 30 years, and we've had two incidents, and none of them were within the time we've used Check Point.

The console or the single interface on the blades is most valuable.

The only thing that we've seen is instances where console and administrative interfaces get locked up or freeze, and we have to get the machine rebooted.

I have been using this solution for probably 10 years.

I would rate it a nine out of 10 in terms of stability.

Its scalability is very good. Our entire force is about 190 people, and most of them use it at some point just because they are going out to the internet and have that protection for the workstations. 

It is being used extensively. Everyone is using it, and we do have plans to increase the functionality on the device.

They provide really good support. I would rate them a five out of five. 

I can't remember the product, but what we had initially was an entry-level device. It was a single-purpose firewall. We went up to an enterprise solution that had additional features.

It was pretty simple to transfer the old firewall configuration to the new one. So, it was pretty straightforward and easy. I would rate it a four out of five in terms of effortlessness.

It took over a month. We ran two systems. We built a new system for a couple of weeks before switching over completely.

We used a consultant. Our experience with them was very good.

For deployment and maintenance, we have five people on our staff. We have to do some maintenance on it. It's pretty much scheduled to rotate between us so that we keep our skills fresh.

We've not done an initial study on any kind of ROI. We rarely do. In positives, we try to perform a yearly risk assessment of our systems, and we find very few vulnerabilities. So, it is doing what it's supposed to. It is keeping us safe.

Its cost is a little higher than other products.

We evaluated other options, but I don't remember their names. We basically went to the consultant we deal with for security-related things and said, "What's out there? What do you recommend?" He gave us three and recommended that the Check Point was probably the lead one.

I would advise comparing it to the other products.

I would rate it a nine out of 10. It has served us very well and given us very few headaches.

We use the product as our main and only Firewall/Gateway/VPN Gateway. we are in the finance sector, and we need a very reliable and robust system. 

We rely heavily on the VPN system, as most of our employees are working outside the office at this time. 

We also have two appliances to improve reliability, we have internet access through two ISPs configured to work simultaneously. 

Our internal LAN is with duplicated network nodes that are double connected to our Check Point cluster. That way, we have full High Availability.

Before our purchase of Check Point products, we used an open-source product that lacked good integration between products and setting up to work was very tricky.

We use the Check Point mobile VPN, which is very stable and easy to use. It allows our employees to change their internal domain password when it becomes old, even when they are outside of the office for a long time. The VPN client can connect to our internal network even before the user is logged into his laptop. This allows users to receive GPO policy updates. 

The solution offers very good central management, which saves time and is hassle-free.

One of the most useful new feature is dynamic definitions. For example, if you need to allow all of the Microsoft Azure IP addresses, you can insert them dynamically and Check Point will update them for you. Without it, to find all IP addresses would be almost impossible.

You can create additional layers for the firewall rules. This allows better organization and performance of the product by skipping to the rules that are responsible for this group of protected devices.

There are some GUI features in Check Point's SmartConsole that are still from the old versions and are in separate/duplicated interfaces; it would be most useful if it is integrated and not on different menus.

We would like to have a better search engine on the checkpoint.com site. Right now, it is difficult to find, for example, a newer version of the Check Point VPN Mobile client. The search engine shows most visited sites and the newer version won't be the most recently viewed site page. As it is right now, you have to find the general VPN page form, and from there you have to look at what version of the product you need and then go to the page of the latest version.

We have been using this product for five years.

Check Point is very stable.

We haven't needed to expand our throughput capacity.
However, based on the Check Point documentation, it is hyperscale ready  capable of up to 475 Gbps of Threat Prevention.

It is very good. Our local representatives are very helpful.

Positive

We moved from a previous solution to Check Point as it is more reliable and easy to manage, and our old solution wasn't able to provide the level of security we desired.

We have had some problems understanding how to set up HA, however, we managed to do it. This was mainly due to the fact that we didn't have experience with Check Point products in the past.

We did everything in-house.

New users should know that the first year of support is included in the equipment. After that, you have to buy it.

We choose between Palo Alto and Checkpoint.

We like it. It works well.

This is the perimeter firewall and manages all security facing towards the internet,

It's a distributed solution composed of a Security Gateway and a Security Manager. It controls all the traffic from the LAN to the Internet and the VPN tunnels for connections with external partners. We control the traffic to the internet with blades as URL filtering to manage the bandwidth, limit the use of this resource, and apply the security policies as well as protect the LAN network against advanced threats from the internet to the servers and PCs. 

This solution applies NGFW features to the inside and outside traffic of the networks. The other options did not have sandboxing, reports, and the same advantages as Check Point.

We have a small firewall from another vendor. The solution is working with limitations, as it was designed with Check Point as a security solution for the perimeter with more security features for covering our network requirements and specifications and preventing advanced threats from the internet to our servers and PCs. 

The sandbox feature is great.

The Sandblast blade is a very powerful solution that works against archives infected with ransomware.

The anti-malware is quite effective as many applications can be infected with any kind of malware with the goal of interrupting the productivity of our work equipment.

The reporting is great.

With this solution, we have had many kinds of logs and a very friendly way to view them. Now can we know what is happening within the network's traffic.

The performance has been very good. 

This security solution has grown more options and has expanded slots, including RAM slots, Optical Fiber slots, and various other features.

The anti-spam needs improvement.

A weakness with the Check Point solutions is the anti-spam, as they have a partnership with some solutions for anti-spam. They should have their own solution. We have email provided through Office 365 and they have their own way to fight spam and, due to this, we haven't bothered looking into anti-spam options. That said, Check Point is the most adapted to our necessities.

I consider the price of this solution high. It is very good, however, the prices are high - it's like buying a car.

I've been using the solution since 2018.

We changed from an older solution as it worked for five years and was old. It wasn't equipped for the new generation threats.

The price should be considered, however, it shouldn't be the only reason you choose the solution, or not.

We also evaluated WatchGuard, Palo Alto, and FortiGate.