Check Point NGFW Reviews

My solution is based on an on-site architecture. I currently manage a Check Point Next-Generation Firewall for my more than 400 sites such as perimeter and DMZ. For the sites with a perimeter to the internet, I have them in a high availability scheme with balancing internet services. In the case of DMZ, they allow me to control incoming and outgoing traffic through policies based on Identity awareness. I use the application control blade to allow RDP access to the specific servers needed by administrators.

In the beginning, my organization did not have a security scheme, which caused a latent security risk. My internet services were never enough due to the high traffic used towards social networks and entertainment sites. With my Next-Generation Firewall, I have managed to reduce the cost of my links since now we use them appropriately in the resources and tasks that are necessary. 

For the lateral movements, previously all of my users had access to server networks and communication could cause lateral movement of viruses and ransomware. Now, I have the perimeter towards the internet protected and I am protected against unauthorized access.

What gives me the most value is undoubtedly the security that the anti-bot and anti-virus blades provide. With the automatic updates of signatures, I am always protected against new threats. The identity awareness blade helps me to have better control and organization over unauthorized access of my users onto exclusion sites such as social networks. In the DMZ it allows me to control administrators with access to highly important networks such as servers, developments, etc.

Of the areas of improvement that I want to see in this product, without a doubt, one is the technical support. In this time of globalization, with so many cyberattacks and risks, the Check Point support staff take a long time to attend to incidents due to the high demand. 

Another change that I would like to see is the ability to be able to test the policies before launching a change. It is somewhat annoying to apply a change and then notice that, after a while, the message appears that the installation of policies has failed, either due to some duplicate rule, some duplicate port, duplicate service or IP, et cetera.

I've been using the solution for 5 years.

It really is a very stable and reliable brand.

it is better when using an open server solution since some teams are limited to growth.

The support service can improve the attention to clients as well as the escalation times.

I did not previously use a different solution. I've just used Check Point.

The installation is really simple and easy to manage.

We also previously looked at Meraki, Fortigate, and Palo Alto as options. 

We use the solution for a perimeter firewall, an internal segmentation firewall, and a routing device in our organization.

Check Point NGFW is easy to use, flexible and provides good performance. The security of the product is excellent, we do not have to do a lot of patching or upgrades because of vulnerabilities.

The solution could improve by keeping more up-to-date with technology. For example, if Amazon releases something in the security field, Check Point should have integration or adoption of this feature a bit faster than it is today. Sometimes we can hear a lot of the marketing information about an attractive feature, which we would like to have, but the feature will be released in two years. This timeframe should decrease.

I have been using Check Point NGFW for approximately nine years.

The solution is stable.

This solution provides service for 50,000 employees in my organization.

We have premium support which is different from regular support. We have had good experiences with the support.

We have used BitScaler previously and use Check Point CloudGuard Network Security.

The installation is easy. It can be installed through an image very quickly.

The solution has saved us a lot of costs from an operational perspective.

There is an annual license required for this solution.

I would recommend this solution. However, I would advise everyone to carefully evaluate their needs against this vendor and compare them with the competition. There is a lot of strong competition between Palo Alto and Fortinet. One could have an advantage over the other for a customer's specific use case.

I rate Check Point an eight out of ten.

In my previous company, one of the clients was a big chocolate company. They had this payment card infrastructure (PCI), where they needed to have auditors from PCI check the firewalls to see if everything was okay. So, they had web-based authentication. 

I'm working with the 5800, 5600, and 5200 models. I work with the UTMs as well. These are physical appliances as well as open servers.

It helped clients get through big audits for PCI, which has been very cost-effective for them. In one hour, they make 30,000 to 40,000 pounds worth of sales. A PCI audit has actually threatened them, "If you don't do it by this date, you will have to stop taking payments." Even if the audit is delayed about an one hour or so, they'll have thousands of pounds worth of losses. The previous company may have spent a lot of money on Check Point, but they save a lot as well. So, they were quite happy with that. 

The most valuable feature is definitely the logs. The way you can search the logs and have the granularity from the filter. It's just very nice. 

I love the interface of R.80.30. The R.80 interface is very nicely thought out with everything in one place, which makes Check Point easier to use. When I started in 2014, I was just confused with how many interfaces I had to go on to find things. While there are quite a few interfaces still in the older smart dashboard versions, most things are consolidated now.

The naming in the inline layers and ordered layers needs improvement. It makes things very complicated. I've seen quite a lot of people saying that. For audit policies, it is okay since it's very simple to see. However, this area is for very large organizations, which have too many policies, and they need to share all these policies. For small to medium-sized businesses, they don't need it. Even if somebody has 500 rules, if they try to use it, it can be very confusing.

In R77.30, the only thing which I hated was having to go into each day's log file and search for that day. However, in R.80, we have a unified platform, so you can just filter out with the date, then it will give you the log for that date and time. 

I would like Check Point to have certification similar to what Cisco offers. Check Point's certification doesn't cover a lot of things. For example, Check Point Certified Security Expert (CCSE) should be actually included with the Check Point Security Administration (CCSA), as a lot of people just go for the CCSA and get stuck when it comes to a lot of things on Check Point. 

Biggest lesson learnt: Never assume. We had issues when we enabled DHCP server on one of the firewalls. We tried to exclude some IP addresses so the rest would be allocated, but that didn't work. We had to start from the beginning to include the rest of the IP addresses.

Six to seven years.

It is very stable. 

The headache with these firewalls is when they failover. The client will ask us why. We have a separate service desk and Tier 2 guys who monitor these firewalls. But, in these cases, they can't tell why, because you have to deep dive. The reason was unclear on R77.30, so I had to find it in the logs. However, in R.80, it's quite clear. We will just use a cphaprob stat to tell us the failover reason for the last time. 

Sometimes, it is very difficult to find something in Check Point Firewalls when you are stuck. Therefore, you need to know exactly what you are doing.

They do scale well as long as a company is not scaling rapidly. This is the reason we have a CPSizeMe tool. With normal growth, they will easily go for five to 10 years. Normal growth means setting up a few offices, not doing big mergers.

We have about four to five Check Point users out of 20 network engineers.

In my new job, we have 80 clients in user center.

I would rate the support as a three out of 10. It seems like they are all Tier 2 guys. If there is a problem, you search everything and read all the articles, then you contact their support center who forward you to the same articles. It is very difficult to work with their support guys, unless you work with the guys in Israel.

From my last job, I had a web UI issue on one of my firewalls. It's been a year now, and it's not been resolved. Although it's been to the Israel as well, It's still been delayed. We couldn't live with the issue, so we decided we would buy a new open server, as the previous open server was quite old, then we did a fresh install of R.30 on it.

if you buy the appliances or licenses through partners, they will try to resolve your issue or talk in a way that makes sense.

My previous company used to have Junipers that used to send all the credentials via HTTP. Because all Juniper SRXs didn't do that, since they were quite old (version 570), they had to buy new firewalls. I tried to do it, but I couldn't do it on the Junipers, especially since they were out of support and nobody would help me from Juniper.

I told my previous company, "Check Point would be the best solution for them. In the long run, while you might have a lot of issues with auditors, we will actually be able to combat this using Check Point firewalls if you get the proper licensing." Then, we did web bots on Check Points. 

About five years later, an auditor said that we needed to do a RADIUS Authentication, not a clear text password nor the Check Point local password. So, we implemented that as well. This was a bit tricky because they didn't want the local guys to have RADIUS Authentication, but anybody coming from the outside would have to go through RADIUS. This was a bit tricky with Check Point because I had to involve Check Point support in the process as well, but we were able to do it. This was one of the client use cases.

The initial setup was straightforward. I told one of my colleagues in my last job, "Just follow the prompts and you should be able to install it. It is a very simple, basic thing. Just do it as a gateway, then that's it. You are done". 

Before, on R77.30, there were cluster IDs and people needed to know what they were doing. In the R80 cluster, the cluster ID is gone, so it is very straightforward and you don't have to be an expert to install it.

A new installation on the VMs (about a week ago) took me around 20 minutes or less. This was a lot faster than I imagined, and I've created quite a lot of resources to their management and Gateway as well.

If the firewalls go down, then the employees' car payments would stop. This would be a disaster. 

There are three types of licensing: Threat Prevention, NGTP, and Next Generation Threat Extraction. Before, it used to be you would just enable the license of whatever blade you wanted to buy. Nowadays, Threat Prevention would be sufficient for most clients, so I would think people would go for the NGTP, license which includes all the blades.

All sorts of councils in London use the solution. In my new job, there are quite a lot of councils and schools as well. They need to know the web traffic from their users, e.g., what they are searching and looking for and where they are going. Therefore, its application and URL filtering comes in quite handy. I've seen the application and URL filtering on Palo Alto, and it is a pain to get those details from it and create a report for users. Whereas, the user report is very easy to get with Check Point.

I have not seen another firewall offer the same level of logs that Check Point offers. I have worked on ASA and Juniper SRX. While they are a bit similar, they are not exactly what Check Point has to offer.

This is not day-to-day firewall work, where maybe a node can do it. If you get into a trouble, you can't actually involve Check Point support all the time, especially when you won't get a response. You need to employ people who are certified. Check Point has a lot to sink in, and it's not an easy thing. You might just expose your environment, even after spending a lot of money.

It is future-proof. I would rate this solution as a nine out of 10.

The product is an excellent perimeter firewall solution. But compared to Palo Alto, the management console is critical. It's difficult to let customers understand the dashboard of the firewall because there are three distinct dashboards. The three dashboards include smart connect, Check Point Firewall dashboard and more. 

The solution is used by our organization for security purposes across small and medium banks in our country, who happen to be customers of our company. 

The architecture of the solution is extraordinary because when a Check Point Firewall protects a customer or organization, a DDoS attack can hardly occur. Another valuable feature is the real-time zero-day protection.  

The user interface needs to improve and should be user-friendly. The customer of this solution also needs to undergo training to use the solution dashboards, unlike products like Palo Alto. 

In the next release, Check Point can try to add the DDoS or web application firewall within the overall firewall. If Check Point is able to implement the aforementioned integration within the firewall module, then people don't need to buy each firewall separately. The comprehensive firewall addition will increase the sales volume of any next generation firewall because TCO (Total Cost of Ownership) will be low. 

I have been using Check Point NGFW for five years. 

I would rate the stability an eight out of ten. 

If you have the Maestro version, scalability is the best among all competitors. For large organizations that have ten thousand users, they don't need to bother about the extra cost of the Maestro version. For organizations with one or two thousand users, the Maestro version can be a luxury for them. 

The tech support is very helpful for Check Point NGFW. The support team even asks for remote access to resolve the problem immediately. But sometimes, it takes between eight to twelve hours to connect with a level three engineer to get the support. The response time needs to improve. I would rate the tech support a six out of ten. 

A firewall is a critical asset, and when there is a problem with the perimeter firewall, an individual cannot communicate outside the organization, so support is required immediately. 

Neutral

Our company's usual deployment model for the solution is on-premises because cross-border data transmission is prohibited. The installation of Check Point NGFW takes between seven to ten days (working five hours a day). For the banks who are customers of our company, we could only work for deployment after the usual banking hours, so it took longer. 

I can conclude that deployment and running the User Accessibility Test (UAT) can take a maximum of forty hours. Two engineers are needed to deploy Check Point NGFW. 

I have evaluated SentinelOne and CrowdStrike. The rollback feature of ransomware attacks in SentinelOne cannot be found in competitors. 

I would recommend Check Point NGFW over Palo Alto and Cisco as a complex security solution for a complex environment. I would rate the solution a ten out of ten. 

We use the solution as a perimeter and OT demarcation firewall. As we are a large utility company with a distributed network, Check Point plays a vital role in terms of network segmentation. Specifically, we need identity-aware authentication to give us the best VPN compared to other players in the market. 

Centralized management is a major plus of Check Point, which provides us with a better user experience. 

We use it to safeguard our office network on a routine basis. These firewalls protect against external threats, manage VPN access for remote users, and address various security scenarios. 

Our primary focus involves malware prevention, intrusion detection, and ensuring robust security measures to shield our office network from potential cyber threats originating from the internet. It serves as a traditional yet effective security system, providing comprehensive protection against hackers and potential risks associated with internet usage.

Check Point has a Purpose fit solution for our environment A lot of things need to be improved in Check Point NGFW. 

For example, their support team isn't very efficient and useful. The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess. Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. 

Visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, MAC addresses, and sometimes usernames. More granular detail is crucial for security. 

Support efficiency, visibility, and adding competitive capabilities are key areas for improvement.

The product offers a robust and intuitive experience, catering to the essential needs of users. 

The Cleanup Rule's ability to discard unwanted traffic and the inclusion of default Autonomous Threat Prevention Profiles does simplify security measures; we're able to cater to various deployment scenarios. 

I was impressed by how easy it was to activate blades and implement them on a security gateway. 

The Smart Console's efficient user interface ensures that the changes to the policy are swiftly made. We're also able to maintain proper audit logs.

The solution requires improvements in the following areas:

- Having the Zone Alarm and the standalone endpoint VPN become compatible products. 

- Having Smart Console in-place upgrades with IP/fingerprint retention 

- A Mac version of the Smart Console.

- Streamlining of the endpoint solution and deployment options.

I've used the solution for ten years.

Technical support is excellent.

Positive

The initial setup was straightforward.

We implemented the solution through a vendor. They offered excellent support.

We use the product for safeguarding our office network on a routine basis. These firewalls protect against external threats, manage VPN access for remote users, and address various security scenarios. 

Our primary focus involves malware prevention, intrusion detection, and ensuring robust security measures to shield our office network from potential cyber threats originating from the internet. 

It serves as a traditional yet effective security system, providing comprehensive protection against hackers and potential risks associated with internet usage.

A lot of things need to be improved in Check Point NGFW. For example, their support team isn't very efficient and useful. The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess. 

Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. And visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, Mac addresses, and sometimes usernames. More granular detail is crucial for security. 

Support efficiency, visibility, and adding competitive capabilities are key areas for improvement.

The product offers a robust and intuitive experience, catering to the essential needs of users. 

The Cleanup Rule's ability to discard unwanted traffic and the inclusion of default Autonomous Threat Prevention Profiles simplifies security measures, catering to various deployment scenarios. I was impressed by how easy it was to activate blades and implement them on a security gateway, with the process taking less than five minutes. 

Additionally, the Smart Console's clear and efficient user interface ensures that the changes to the policy are swiftly made, with the added benefit of maintaining proper audit logs.

Places for improvement include:

• Having a Zone Alarm and the standalone endpoint VPN that become compatible products.
• Having a Smart Console in-place upgrades with IP/fingerprint retention.
• Offering a Mac version of Smart Console.
• Integration of CPview and things like fw accel stat in the monitoring blade.
• No more legacy SmartDashboard for some features.
• Streamlining of the endpoint solution and deployment options and also offering the possibility to convert shared policy to unified policy when you run R80.X via some sort of wizard in a layer or so. This is a classical case for people who upgraded their R77 management.
• Offering a fixed deployment schedule for accumulator hotfixes. This would help us foresee maintenance windows in organizations with rigid change management procedures.
• Finding a way to restore the object search like in R77, where you could find any part of an object name and not a word in the object.
• Scheduling policy pushes in Smart Console.

I've used the solution for ten years.

For Check Point, the main cases are just perimeter security, network security, basically detecting threats on the network, antivirus, application control, visibility, login, and data threat prevention.

I like the GUI. In terms of functionality, it used to be the detection capability. Check Point has good security intelligence, which helps detect threats. They have the historical background to do that. But now, Fortinet is a bit better. 

A lot of things need to be improved in Check Point NGFW. One, their support team isn't very efficient and useful. 

The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess.

Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. And visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, MAC addresses, and sometimes usernames. More granular detail is crucial for security.

So support efficiency, visibility, and adding competitive capabilities are key areas for improvement.

I have been with Check Point for a very long time. So, it has been almost six years.

I would rate the stability a six out of ten. There is room for improvement here. 

I would rate the scalability a seven out of ten. My customers are mostly medium-sized businesses, but my clientele also includes enterprises.

There is room for improvement in the customer service and support. 

Neutral

I'm heavily biased towards Fortinet. Check Point is a direct competitor, so from my experience, it's a decent firewall. There are strong points and weak points, but Fortinet is superior for various reasons.

The initial setup is really straightforward. The GUI is very good. However, the issue I have is with the stability. In terms of simplicity, I don't consider Check Point to be a straightforward solution. Another point to mention is my experience in planning within customer environments. The outcomes are not always as expected. 

For instance, when setting up Check Point firewall and flat policies, the policies didn't take effect immediately. There was a situation where the policies took effect after about two hours. Such instances were mind-boggling. Regarding VPN issues, when implementing IP protection between Check Point and other vendors, remote access can be challenging.

In Nigeria, it's predominantly on-premises. Many organizations are moving towards cloud, but many others use a hybrid approach, both on-premises and in the cloud. 

A few are using Check Point in the cloud, but most test with Fortinet due to easier integration with public cloud providers like Microsoft. Public cloud vendors also have their own firewalls, like Microsoft and AWS. In terms of adoption, Check Point is behind in cloud adoption in Nigeria.

Overall, the process is very fast and depends on the type of deployment. For example, replacing a Cisco firewall with Check Point requires converting policies, which can take quite a while, depending on the size of the policy base. In my personal experience, setting up Check Point was very quick.

It's reasonably priced, but competitors offer much cheaper options. It's market-related, so the pricing makes sense for what Check Point offers.

My recommendation is to consider Fortinet as an alternative. Overall, I'd rate it a seven out of ten. There's room for improvement, especially since Check Point doesn't seem too focused on our region. 

In Nigeria, procuring the firewall and bundled services like technical account management and professional services can be challenging. The service delivery is not as efficient as one would expect, which wouldn't be the case for a European customer.

The primary use case is to enhance security by safeguarding the internet connection for both servers and users.

Its greatest asset lies in its user-friendly interface, making it exceptionally suitable and reliable for managing gateways.

When it comes to Check Point's small business gateway series, there might be a need for hardware upgrades, as configuring them can sometimes be a bit challenging.

I have been working with it for two years.

I would rate its stability capabilities eight out of ten.

I would rate its scalability abilities eight out of ten.

Seeking solutions from them can be quite challenging and often takes a while, which then impacts our workload. I would rate it seven out of ten.

Neutral

I have some experience with Juniper, WatchGuard, Cisco, and Fortinet.

The initial setup is relatively complex.

Deployment duration varies based on the customer's specific conditions. On average, an installation might take around twenty minutes.

The best solutions tend to come with a higher price tag. If something is inexpensive, it often implies a compromise in quality. The solution is indeed costly. I would rate it eight out of ten.

Overall, I would rate it eight out of ten.