Check Point NGFW Reviews

Our business houses just over 100 staff, along with over 200 devices ranging from mobile to tablets, computers, laptops, and Servers. 

We use a Check Point 5100 cluster running R80.40 to protect our business from external threats. 

Our network is also extended to the likes of Microsoft Azure, Amazon AWS, and other 3rd parties utilizing secure VPN tunnels terminating on our Check Point 5100 cluster. 

Our business also offers the ability of hybrid working - which is only possible with our Check Point solution.

Prior to using Check Point, we had a Draytek small business firewall, the Draytek would often hard lock, which resulted in the loss of internet connectivity for the business. The only way around this was to reboot the Draytek device which in turn would lose logging data as to what was causing the issue. 

Moving onto Check Point completely solved this problem. The hardware is much more capable and the logging and alerting functionality means, should anything happen (like it did with the Draytek), we would have visibility on the logs which would give us a direction for troubleshooting and mitigation. 

Check Point offers a secure VPN client. We distribute to our agents via group policy. Our agents can then connect to our network when working from home - which was a game-changer due to the recent pandemic situation. 

Check Point also offers a mobile app capsule connect which, as a system administrator, has proven very useful when a high-priority issue occurs. I am able to connect to my internal network via a phone or tablet - which has proven useful in some scenarios. 

As a system administrator my favourite part of Check Point is the smart view tracker. This alone is a must-have tool for tracking all traffic traversing the Check Point appliance. It makes troubleshooting much easier. This software alone sets Check Point out in front of the competition.

Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release. 

The only downside to Check Point, is, due to the vast expanse of configurable options, it does become easily overwhelming - especially if your coming from a small business solution like Draytek. 

Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software. 

I've used the solution for five years.

The solution was not always stable when running the older R77.30 version. Paired with a mid-spec box, we did find some issues with performance on more than one occasion, specifically the network would slow to a halt until a system reboot, there was nothing within the error logging and our external SOC couldnt find anything either. We'd often when updating the firewall policy it would fail to deploy usually taking around three or four policy pushes each taking about 20 minutes. We are now running much faster hardware with the later R80.30 release and those issues have completely disappeared.

Scaling is dependant on the size of your network. Check Point does offer a wide range of lower to high spec appliances depending on your scale set.

I've only had two instances using their support as we have a third party on contract for third-line issues that I cannot resolve. They were prompt yet not shy about pointing out potential issues with third parties and it not being their appliance. 

Positive

We used Draytek. It didn't offer the security features that Check Point does and we were a victim to a successful attack from external sources which Check Point would have caught. We also found the hardware of Draytek was too underpowered to handle the size of our network. 

A third party installed the appliances initially. It is a complex process, as Check Point is vast in features and very configurable. You find yourself using the web interface, their own management software smart dashboard, and a mixture of CLI and config files to get your end result. 

We implemented it through a vendor team. Their level of expertise ranged as we moved through three separate technicians during our installation which was problematic. I wouldn't use this particular vendor again. That said, this was nothing against Check Point. 

You cannot put a price on security. Check Point is a field leader. However, it comes at a high price. 

If you have no experience with Check Point and you are on a deadline, it's essential you find a company certified to help with the deployment and configuration. The feature set is rich however, it's not always user-friendly. 

Pricing, including licensing, is very expensive compared to alternate products such as Sophos, Barracuda, or FortiGate

We evaluated Fortigate, Sophos XG, and Barracuda. However, ultimately the decision boiled down to our parent company already using Check Point. 

We primarily use the solution on all branch sites and now in DCs as well. We have more than 500 sites using Check Point NGFW in our organization. 

Earlier, we were using Cisco ASA and now it looks much better in many aspects, including upgrading/managing. I had only experience with Cisco ASA before, but after implementing this in my branch location it became quite easy to manage the firewalls remotely.

A few of our engineers use APIs to upgrade or push global changes for all regional locations which was tough to do. Now, with Check Point on board, it has eased our job as network engineers. 

Central management saves so much time. We were spending so much time with ASAs. I only had experience with Cisco ASA before, however, after implementing this in branch location it became quite easy to manage the firewalls remotely. 

As mentioned, a few of our engineers use APIs to upgrade or push global changes for all regional locations which were tough to manage. Now, it has eased our job as network engineers. It was a good decision by our organization.

The logging and central policy management are the most valuable aspects for us as we were not having success earlier with the ASA in terms of upgrading/managing. We are still exploring more features like IPS and IDS. We hope that these aspects will be a great experience for us as well. 

The smart consoles could be improved. Many times we have seen that smart console lags or has issues during the change. It also closes sometimes. Otherwise, the overall experience was great until now. 

As we are still exploring more features, we need more time to provide more reviews in the future. I would like to explore more with Check Point and would like to provide improvement review as we go into using the MDMS. It will be in our organization here by year-end. 

I've been using the solution for three years.

It looks very stable as compared to others.

The scalability looks great.

A few times I reached out to support help and in no time I was able to get experts who helped me through any issue I was having. 

Positive

We used Cisco ASA, however, we wanted a product that was more stable with central management. 

It was not easy to set up initially, however, we got some support from external vendors. 

We had help through a vendor and the experience was great. 

The stability makes it all worthwhile. 

It looks great the cost-wise for our organization. I've also suggested this product to other ex-colleagues for their companies. 

We did check out FortiGate and Palo Alto as well. 

We have had a great experience so far. 

We use the solution as a frontend firewall in our headquarters and in our branches. We use packet inspection, the antispam feature, and the VPN. We have configured threat prevention and content awareness to improve security on incoming email and on web surfing from interlan networks wits SSL inspection. Mobile access through the VPN mobile client is also used from all outside workers and is fully integrated with our AD. We also use the solution to route traffic on internal networks and manage security through client and server networks.

We have improved our performance and bandwidth through the networks. Security is also improved. We have better control over the logs and better integration with our SIEM. 

We can also manage all our firewall from a central management console so each policy is under control and can be developed better. Inline policies help to understand on the correct use of the policies and a more readable list. We can also manage policies in two or more people at once without problems or risk of making the wrong policy.

VPN and mobile VPN are extremely valuable to us. The policies are simple to deploy to the new branches. 

All policies can be deployed and managed in a very simple way. 

AD single sign-on with VPN mobile is very helpful and simple to manage and deploy. 

Log management is also a good place to make troubleshooting and through console manage events. 

Management of the object is also a valuable feature. At every point in the console you can manage object properties and look to each policy where it is used and simply change or find where the object is involved.

Some features, like the VPN, antispam, data loss prevention, etc., are managed in an external console. In the future, I'd like all features in the same console, in one place, where we can see and configure all features. I'd like a web console so that all firewalls can be managed from a web browser and we don't need to be installed on dedicated consoles and applications. 

I use the web console to mange the Gaia software in the firewall and it would be nice to have also policy management inside the web browser. 

I've used the solution for four months.

It is very stable. We have reboot only to install updates.

We chose the solution for scalability and now we are running with all branches with a Check Point firewall. The solution is meeting our expectations.

We do not need customer support.

Positive

We did use a different solution. We switched to improve security.

It was complex to set up due to the fact that we changed our mind on how the firewall works. Central management is hard to improve.

We implemented it through a vendor. There was not a high level of expertise, however, I took a course with Check Point and that was very clear and now I'm very expert on the Check Point world.

We have seen an ROI in that we need less time on managed policies and we have better control.

The cost is high but the benefits are too.

We also looked at Palo Alto, WatchGuard, and Fortinet.

The solution is a good solution and at the top of the market.

We are using the Check Point firewall for our perimeter security.

The security solution works as well on-premise and in the Azure Cloud. We are using central management to configure the security policy of both gateways.

We are also using a Site2Site VPN for connecting our locations. This VPN is also realized with the same firewall systems.

In order to simplify the process of generation reviews of actual security incidents, we have implemented SmartReport for generating automated and special customized security reports for our documentation department.

Since the security policy of all firewall gateways can be defined centrally on the Check Point firewall management server, it is a lot easier to generate a secure and safe policy for all locations.

Since we can define policy operators for dedicated traffic selections, some of the lower IT staff can easily allow or block services or servers or create their own policy without interfering or compromising the rest of the security policy.

This makes the administration and coordination of the policy a lot easier for us

Since the log files of all services are collected on the management server there is an easy and good view of all actual connections, attacks, or security risks.

In addition, when using the SmartEvent software blade, you get the possibility to have an easy to configure event correlation system, which will automatically fire mail alerts or can even block IP addresses if there are network or security anomalies detected on the firewall system.

This is also possible if the services are allowed - for example, if there are flooding attacks on server systems.

For example, this has prevented our Citrix Netscaler from being taken down during attacks.

Although there is a lot of automation and pattern that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions, however, it can still be made a little bit better. 

For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).

The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.

Since attackers also use these clouds, there is a problem in getting your security definitions to work.

Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.

There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.

I've used the solution for more than ten years.

We do not have any problems with stability.

There is a hardware solution for every type of throughput. It is very good that in the datasheets you get the throughput of the different types of network traffic.

It is better not to choose solutions bigger than needed, or to have some resources left over.

Most of the support calls are answered very quickly. However, if you have a problem and you have to get development involved, the response gets slower.

Most of the time, you will find all necessary information in the Support Center or on the collaboration sites.

Neutral

We were using Cisco firewalls before. We had the need to implement Universal Threat Protection and the configuration of the Firepower system of Cisco was more complicated than the integrated policy configuration of Check Point.

The setup is straightforward. The documentation is very good.

We have implemented it completely in-house.

ROI is really hard to pinpoint. However, if we were using another security solution, our personal efforts to maintain it would double.

It is very hard to compare different firewall solutions and get a comparable price. Check Point tends to be very expansive, however, if you have a deeper look at other vendors, the costs are almost the same.

Due to the good integration and central management, Check Point is easier to maintain than other solutions.

In addition, there are good small office boxes from CheckPoint with a very good price - the features of these boxes are enough for small enterprises or branch offices.

We have evaluated Cisco Firepower and the FortiGate firewall solutions in the past.

The primary use case is as a perimeter firewall separating different security zones from each other. We separate several zones, such as Internet Of Things (ie. cameras and several sensors), Internet-facing DMZ, internal networks, and guest networks from each other. 

Also, we use the VPN feature to create Site to Site tunnels between branch offices and the headquarters. Threat Prevention features including IPS, Anti-Bot, Threat Emulation, and Threat Extraction and are used to secure our users from being victims of several threats. 

It is hard to say how a product like a firewall is improving our organization. The firewall does what it should. Primarily, the management makes this product great. There is no other product on the market that is nearly as perfect a tool for managing firewall rule bases and I know many of them. Check Point has much fewer vulnerabilities in their products and also is very quick to react to vulnerabilities.

The Threat Extraction software blade feature is the most valuable feature as it extracts any potential harmful content from several kinds of documents, which our users receive via e-mail or download from the Internet. We know, that our users tend to click on everything they get without thinking too much about the consequences. 

The second feature to mention is Threat Emulation, which is basically a sandbox, which runs executables received via email or downloaded from the Internet and creates a verdict if this executable is harmful or not in regards how it behaves on a specific operating system and application.

Unfortunately, the API is not fully complete and also it is not an API which I would refer to as a RESTful API as there are different endpoints for the same entity. For me, a restful API would use one endpoint to handle, for example, host objects and use different HTTP methods to distinguish between different operations. 

I would expect to use the PATCH method to update an object and the PUT method to create one. Currently, there are separate endpoints for these operations and all of them use the POST method. The most important issue with the API is, that there are some endpoints we are missing (for example for managing VPN users).

We have been using this product and its predecessors for about 20 years.

The stability is very good. Sometimes there are issues, however, most of the time, they have no big impact. SecureXL was sometimes a bit of a problem. That said, this has improved in the last few versions.

Check Point offers several possibilities to scale (load sharing, Maestro, and scalable platforms such as 44K or 64K appliances), however, in our case, we just replaced the appliance after a few years. If one needs real scalability, they should take a look at Maestro which is the scaling solution from Check Point.

Technical support can be good or bad. It depends. Sometimes they are really great, and sometimes very annoying. Most of the time we have a good experience.

Positive

We did not previously use a different solution.

It's really simple to set up. You simply install from an ISO with a few questions (ie. mgmt IP address and gateway) and restart with a graphical installation wizard with a few more questions (such as is this a management box or a gateway or a cluster member ASO).

We handled the setup in-house. We have enough knowledge to do that. Our expertise is CCSM level.

We evaluated several competitors such as Cisco, Palo Alto, and Baracuda

The solution protects our internal network (traffic between VLANS) and also is used as a perimeter firewall in our on-premise and cloud environments. Also, we use functionalities such as IPS, ABOT, AV, VPN, and mobile access.

We have about 200 small branches distributed all over the world protected with 1,430 devices and connected via VPN to AWS Cloud Guard and Check Point firewall.

We also have endpoint protection in about 500 devices with firewalls, antimalware, antibot, anti-ransomware, threat emulation and prevention enabled, and also port control.

We have NGTX blades so that we have protection against known and unknown attacks (zero-day). In terms of protection, we passed from none to one of the most advanced protections in the market. 

Regarding endpoints, we can see a lot of prevented attacks and phishing attempts every day. We can see the whole solution running in our environment correctly.

We gained a lot of visibility of traffic patterns, destinations, and use of network (internal and external) resources due to the logs and views within the Smartconsole.

The centrally managed firewalls are great. We can save a lot of configuration time in configuration tasks. We have deployed about 200 devices in record time due to the fact that we use a unique policy for almost all of them.

Logs, Views and Reports are the most detailed compared to other vendors (FortiGate, etc.) We can see a lot of detail in the logs and also we can configure any report we need without any problem and in two clicks.

We can see that, for IPS signatures, we have updates every day, sometimes twice a day, so we see a lot of effort from the vendor. They really try to protect our environment from known attacks and vulnerabilities.

We try to not depend of the SMS application and leave it as a web application. Sometimes it takes a long time to authenticate and open correctly. It's a windows application, so you need a machine to install the application on.

If you have the standard support level, sometimes they take a long time to understand or even give you a solution or good workaround to a problematic situation. We had a problem in the past with a VPN blade that lead some devices to flap the VPN up and down. That case lasted 6 months as we were jumping between Check Point's internal departments in order to find a solution on our problem.

I've used the solution for eight years.

We are very happy regarding the stability. In last year, we only have had three problems regarding software bugs or stability problems.

They have a solution called Maestro where you can add devices in 10 minutes to scale the solution without doing a lot of configuration.

In our environment, we have a classic deployment so it's not as easy to scale; you need to do some configuration and have a maintenance window in which to do it. 

We have the standard support service. I can't say anything too bad and nothing too good. It's normal. Regarding customer service at the local office, I can say that it is very good. They have helped us a lot in deploying some complex characteristics without cost.

Neutral

We have Cisco, however, that's for networking and not security. 

The installation was done by a partner, however, it was very straightforward.

The product was implemented by a partner and their expertise was very good.

There are a lot of licenses for almost every feature, therefore, it's possible to buy only the licenses needed and not a bundle that would have unused features. That leads to savings in costs.

We have evaluated FortiGate, and we saw that it was more user-friendly, however, some characteristics we needed in regards to complex VPN deployments were only available from Check Point.

We use Check Point NGFW mainly for a perimeter firewall for ingress and egress traffic control, firewalling, but we also use a lot of other functions within the NGFW capability.

Check Point NGFW provides a bunch of different products or Blades, as they call it in Check Point. The firewall engine is what we use the most but we also use the IPS IDS and Anti-Bot features. The solution provides many features.

The management of memory in the hardware needs to improve. They have had a lot of issues with memory leakage.

I have been using Check Point NGFW for approximately 10 years.

The solution is mostly stable. However, we have these memory issues from time to time, that cripple the performance occasionally, but other than that, they are very stable.

The solution is scalable and it is easy to do.

Overall the technical support is very good. If we have an operational issue, they can sometimes be a bit slow in responding. Other than this, I have nothing to complain about.

I was not around when the implementation was completed but using my experience in these global scenarios, there's always complexity, there probably was some complexity involved.

Check Point NGFW requires security and OS patching, and life cycle management. Every three to five years you need to replace the hardware. We have a dedicated team that does the maintenance of the solution.

It's hard to say exactly how many people are involved in implementing and maintaining the solution because some of the work is outsourced, but I would say it's a team of approximately between 10 and 20 people.

When comparing the price of Check Point NGFW to other solutions it's difficult to compare because even though everything is included in the Fortinet price, there are large differences between the models. You need to go to a quite expensive Fortinet firewall to receive the same throughput and functionality as in a Check Point firewall. In the end, they are quite similar in price, Fortinet might be a bit cheaper.

I have used other solutions, such as Fortinet and Palo Alto.

I'm not sure that there are many differences between Check Point NGFW, Fortinet, and Palo Alto. I haven't used any Fortinet solutions myself, I'm not sure exactly how they work, but I would say that, from a management perspective, both of them are quite similar. Operational-wise, Check Point NGFW is a bit more stable and has a more mature operating system, at least the model that we are using. 

The only difference in functions is how they have branded the firewalls because, in Fortinet, you receive all the functionality for the same price as the firewall itself. Everything is included. However, with Check Point, you buy the hardware separately, and then you buy the different plates that you need and the different licenses for the functions that you need. It's a bit more complex license-wise with Check Point.

When you implement anything in an environment you need to have a good design to begin with, you do not want to have to rebuild it after you have implemented it. It is important to
be thorough in preparations and planning.

I would recommend this solution to others.

I rate Check Point NGFW an eight out of ten.

We used this firewall to replace a faulty Cisco 2500. The main solution needed packet filtering and port restriction. We found the functionality handy for filtering email spam. There's a helpful API embedded in the device. 

The online version of the documentation is well written.

The speed of the device is really impressive as it is able to process 1.8 GPS, which is a big improvement over the older device.

The delivery time was really fast. With the help of the reseller, we got the device in less than three days.  

As a replacement for an old solution in the office, we were not expecting big improvements with the firewall. However, we had noticed an improvement while we added rules into the system. The new GUI is really nice and easy to use.

We are now able to use infrastructure as a code and add the firewall into the pipeline with terraform as a controller and everything works really well. 

The API is handy and we are now testing how we can add rules via code. Also, the GUI is easy to use.

The Terraform module for Check Point is complete and really useful for managing the firewall.

Mail filtering is a really good feature that we are implementing for scam protection. 

The graphic interface is really easy to use and easy to teach to other members of the team.

The online documentation is complete and easy to read and understand.

The 3-year warranty offered is nice to have with no extra costs needed from us.

The exterior of the physical device can be improved with the use of a display and not just simple lights.

All the physical devices located in the rack are similar, Just a box with some small lights that does not provide too much information. 

For. me as a final user I will be happy if I can get a display that can show the error code when is a failure and not a simple  red led (This is the common practice). 

I just want more information when I'm on front the device. i know always can walk to my desk and check the GUI with the documentation and the information required. 

I've used the solution for three months now.

I have not had any issues since the moment of installation.

Users get a really nice performance in the order of 2.5 GPS.

Technical support is excellent. I do not have any complaints.

Positive

Yes. We used to use a Cisco 2500 and a Fortinet 110C. 

The Check Point device is better and the speed is superior.

We got full support from the provider and the manufacturer.

The vendor did all the migration in just a couple of hours.

I'm not involved in finance. I can't speak to any ROI.

I was not involved in the pricing; I was only involved in the installation and use it regularly.

The provider offers us the device in three days with the support to import the existing rules and make the migration. We didn't evaluate anything else. 

I really love the device and would choose it over the Cisco and the Fortinet 110C.