We use Check Point firewalls to secure our internal network from the outside world and to provide a good, comfortable, and secure environment for our employees.
We have various models from the R80 series, such as the R80.10 and the R80.30.
Before, we were using firewalls from Palo Alto. The benefit of the Check Point firewall is that it has more security features. It has antivirus signatures and additional features for which we should require additional hardware devices in the firewall. It also gives us a central management system, which was not present in the Cisco ASA.
Check Point's Next Generation Firewall has many good features. It has a central management system, and that means we do not have to go to each and every firewall to configure it. We can manage them with the central device.
There are also additional features, compared to a Layer 4 or Layer 3 firewall, such as AV signatures and devices, which are very helpful for securing the company's network.
The only thing which I think should be improved is that training should be increased. In my position I also interview potential employees and I haven't found many people in the market, nowadays, who are familiar with the Check Point firewall. They are more familiar with Palo Alto and Cisco ASA and they are more comfortable with them. Check Point is one of the good firewalls and training should be increased by the company so that more people are familiar with it and with their switches.
I have been using Check Point's firewalls for the last three-and-a-half years.
The stability is very good. The updates we get for the antivirus and the URL filtering sites are also very nice and happen very often. That is a good thing because there are various new attacks coming out but we get their updates on time.
In terms of the scalability, it is very easy to extend the utilization of Check Point firewalls. We did so in the past. We extended our environment in our organization and it was very easy to extend it.
We have around 4,000 to 5,000 people who are using the Check Point firewalls directly or indirectly. They are passing their traffic through it. Expansion of our usage completely depends on the organization. If they want to do so they will tell us and, if that happens, we will definitely go for Check Point firewalls.
We have used Check Point TAC to resolve our issues. We have had good support. They have good engineers there.
We were using Palo Alto and Cisco before and we replaced them with Check Points.
We used Palo Alto in a few of our sites, but we found Palo Alto was more expensive and its updates and services were also more expensive compared to the Check Point firewall.
Cisco is a very basic firewall in the market, and it has a limited set of features, compared to Palo Alto and Check Point. Palo Alto has rich features, but it is one of the more expensive firewalls in the market. The Check Point firewall is not too expensive, but it is also a third-generation firewall.
The drawback of the Check Point firewall is the lack of training materials. That should be increased.
We have a team of seven to eight people who have all installed and configured environments so the initial setup, for us, was a very straightforward process. And these are the people who handle maintenance of the firewall and manage it, during different shifts. They are all network engineers.
It took us between nine and 12 months to do the implementation. We have Check Point hardware so we followed the recommended, three-level architecture, in which there is a SmartConsole, the hardware security gateway firewall, and the central management device.
The pricing is good. It is less than Palo Alto's firewalls. Check Point has the same features as Palo Alto, but the licensing and cost of these firewalls are not too expensive. It is one of the best firewalls in the market in this range.
Check Point firewalls have many features. Before configuring it in an environment, you should know each and every feature of the firewall. You should also follow the three-level hierarchy which is recommended by Check Point.
There are a few add-on features for Check Point firewalls. I only learned that by using the firewalls. I'm very happy with the way Check Point is progressing. They continue to work on their firewalls even after making their name. That is something we should follow in our lives as well: Once we have made our name, we should not stop there. We should further build the reputation of the company and product.
We are very happy with the Check Point firewalls. The only thing missing, as I mentioned earlier, is that training should be increased for the firewall by the organization. Otherwise, we are very happy with investment in this solution.
We use the solution to protect our organization and workers from the outside Internet or any untrusted network.
We have the three-tier architecture of Check Point. We use its consoles, central management system, and firewall device for managing it. This three-tier architecture is recommended by the Check Point Community.
We protect our internal customers using Check Point Firewalls by providing them security as well as detecting vulnerabilities.
The most valuable feature would be the central management system of Check Point because we can manage multiple firewalls through it at the same time. It doesn't matter the location.
I also like the advanced Antivirus feature of Check Point.
The Threat Management feature makes it very easy to detect the vulnerabilities and other factors. We can make new policy according to it. Policy creation is very simple in Check Point. Because the logs are very good in Check Point Firewall, this reduces our work with the reports that we are getting from the Threat Management. It is very convenient for us to use the reports to make new policies for security and other things.
It is very user-friendly.
The training for Check Point Firewall should increase, including the number of Training Centers. For most new people in our organization, we have to provide them training from our end, as they are not trained in Check Point Firewalls. So, we have to do the training, from our point of view, to make our engineers able to use Check Point Firewalls. However, with other firewalls, they are already trained, so we are not required to provide them training. This could be improved by the Check Point Community.
I have been using it for the past six years.
The Check Point Firewall is stable.
The updates that we get are also very stable. We haven't found any stability issues in the updates at all. Features, like the Antivirus, are updated with almost every release and done on a frequent basis.
The scalability is very good for Check Point Firewall. It is very easy to increase. For example, during the COVID-19 period, we increased our deployment on an emergency basis, and it was very easy.
My organization has around 4,000 people.
For Check Point, we have a team of around eight people who manage it. We are basically a team of senior network engineers.
The tech support is very good for Check Point. We get straightforward solutions for it every time, and they do not take a lot of time since we have to resolve the cases quickly in a live environment. So, they are very helpful and capable.
We are also using Cisco ASA, and we have been thinking that we need to go with Cisco or Check Point. At last, we have decided to go with Check Point because of its advanced features.
The initial setup was very straightforward. We didn't have many problems.
The deployment part took around nine to 10 months. We completely planned the deployment before doing it. Since we already installed Check Point Firewall in multiple branches earlier, we used those same plans to configure it.
We didn't require any external help for the deployment. Our R&D and tech were capable of doing it. Our deployment team consisted of six to eight people, working in different shifts, to configure it.
Overall, it is a good cost-saving product. We do not have to purchase additional hardware for it, which is good. This saves us 10 percent in costs compared to Cisco.
The solution saves us about 20 percent in our time, which is substantial.
The price could be decreased, because the competitors of Check Point Firewall are giving lower prices in comparison.
The licensing part is something that is very easy to do in Check Point Firewall. We just need to purchase the license, then we have to write the keys in while installing it. The good thing is that it is an easy process to update the license.
We are also using Cisco ASA and FTD. The problem with Cisco ASA is the GUI is missing, while the GUI is good for Check Point Firewall. Apart from that, in Check Point, there are advanced features, like Antivirus and Threat Management, for which we do not require other hardware, where it is required for Cisco ASA Firewall. So, Check Point provides us a cost savings in that way.
The central management system of Check Point is missing in Cisco ASA. This is a good feature because it saves time. We can use it to manage multiple firewalls through one central management device. It is also easy to use.
We are slowly eliminating Cisco ASA and using more Check Point Firewalls, bringing more Check Point Firewalls into our environment.
I have also used Palo Alto, but the organization is using Check Point because they have more confidence in things like Check Point's stability factor. However, more people are trained to use Palo Alto.
Get good training on Check Point, which is very rare to obtain at this point of time. Before implementing or deploying the product, you should be trained properly so you know all the features. It has heavy features in terms of quantity. You should know about each feature before using or deploying it.
I would rate the solution as an eight out of 10.
Our primary use cases for Check Point NGFW are for perimeter security and content filtering for browsing behavior.
We have a lot of flexibility now and a leg up identifying zero day threats. We have multiple ways of doing policies now that we didn't have before. The options are more robust over previous products and I would say that we're pleased with the product. The reports I'm getting are that we're satisfied, even impressed, with the options Check Point offers.
Packet inspections have been a strong point. Our Identity Collectors have also been helpful. In many ways, Check Point has been a step up from our SonicWalls that we had in-house before that. There's a lot of additional flexibility that we didn't have before.
We saw a noticeable performance hit using SonicWalls. Whether it's because we've provisioned the Check Point gateways correctly from a hardware standpoint or whether it's the software that is much more efficient (or both), we do packet inspection with very little impact to hardware resources and throughput speeds are much improved.
With SonicWall, after it would calculate inspection overhead, we might see throughput at, and often below, 15%. My network administrator gave me data showing Check Point hovering at 50%, and so we were actually seeing Check Point fulfill its claims better than SonicWall.
Because there's quite a bit of flexibility in Check Point, improved best practices would be helpful. There might be six ways to do something and we're looking for one recommended way, one best practice, or maybe even a couple of best practices. A lot of times we're trying to figure out what we should do and how we should handle a particular problem or scenario. Having a better roadmap would help us as we navigate the options.
The VPN setup could be simplified. We had to engage professional services for that. That's not a problem, but compared to other products we've used, it was a little more complex.
We started putting Check Point NGFW into production late first quarter this year, right before the pandemic hit. We put in two gateways and one management server.
Stability is there especially compared to previous security products. Certain things had quirky behaviors. For instance, once we upgraded to 80.40, a couple items inexplicably acted up (not uncommon for any software upgrade). Certain policies would drop and then show up again (remained in force, just briefly disappeared from management console). I would have to get some specifics from my network administrator, but I do recall some strange behaviors. One of them was fixed by a patch and another one still has a backup issue that's pending right now about how to best back up the device before we upgrade.
I haven't had to test scalability yet because we purchased it for our existing needs and as a company, our performance and our needs are pretty flat. We don't really have a need to scale yet.
We are adequately equipped for what we need and we have room to grow and to add all of our users and possibly add additional products down the road and still have plenty of room to do so on how these gateways are powered.
We have a total of about 620 employees that use Check Point NGFW. I would say we are 80% there. There are still some users that have to be migrated to it once we test their accounts, their kiosks, that kind of stuff.
There is one primary employee who is dedicated to maintenance and there are another two who back him up but our network administrator is primarily responsible.
Mixed experience, mostly satisfactory. Some support engineers are quite helpful and efficient, others required more patience working through support incidents. ATAM support has been high quality, and as previously mentioned, local support has been key to resolving some cases much more quickly. If we were giving their support a letter grade, it would be in the B range.
We were previously using SonicWall. We switched because we were struggling with performance, support, and strategy. There were things that were broken that did not have coherent or reliable fixes. At the time we did not consider it to be next-generation technology. There were problems with GeoIP enforcement. There were also quite a few performance problems, especially with inspecting traffic. It would literally bring the device to its knees once we turned on all the inspections that we really felt that we needed. It was under-provisioned, under-specced, and coupled with all the support problems we had, we started shopping for a new solution.
The setup was both straightforward and complex. There were some complexities in there that required us to get help. We have some local representatives that are very helpful and so we frequently contacted them for guidance.
We're still migrating people behind Check Point, especially in our main facility, but the heavy lifting was done by early summer. It took around three to four months.
Our strategy was to set it up in parallel with the existing firewalls and begin setting up policies and testing the policies against individual services in-house. Then, as we were successful, we would grab pilot users and migrate them to Check Point and have them start trying to break things or browse to certain sites and see what behaviors they were getting.
It was a slow migration with a handful of people at first. We tweaked their experiences and just kept adding people. It was gradual. We tested, fixed, and then migrated a few more incrementally.
We had two different ways of getting help. We have local representatives who are in the same metropolitan area and they were very responsive. Then, when we would have to contact standard support, we were satisfied about 80% of the time. Sometimes follow-up was not there. Sometimes there would be delays and occasionally there would be rehashing of information that didn't seem like it was efficient. Eventually, we would get the answers we would need.
That's why we rely heavily on the local people because they could sometimes light a fire and get things moving a little bit quicker.
Primarily it's offered stability and caught behaviors and given users (and administrators) a level of confidence as they are doing their daily jobs. The inspection that Check Point does, even when we download a document or a PDF, offers a bit more peace of mind in those types of transactions. GeoIP is working like we had hoped compared to SonicWall.
We have a lot of granularity in our policies. We can accommodate some really interesting scenarios on our operations floors, certain groups needing certain types of access versus other groups. We're accommodating them fairly seamlessly from migrating from SonicWall to Check Point. We might have struggled to try to make stuff happen in SonicWall, and Check Point just seems to ingest it and run with it. Having access to Check Point's AI ThreatCloud cloud has given us a lot of peace of mind. ThreatCloud is 25+ years worth of exploit research that informs and feeds CP technologies and gateways.
Another feature that's been helpful is the sandbox feature. A lot of companies offer this type of thing now, but CP has been offering it for quite a while. If end users are browsing websites, and they download a payload-infected document from a website, SandBlast will detect it and take it offline. It will sandbox it, detonate it there safely, pull out the content that we're actually looking for, then re-present that cleaned content back to the user.
Strongly consider augmenting standard support with Check Point's premium option or by purchasing ATAM/professional services time blocks, especially during deployment.
Standard support is decent, though occasionally frustrating from a turnaround perspective. While we sometimes wait a while for resolution on some cases, the information we receive is usually quality; that's been our experience.
We looked at Palo Alto, Fortinet, and Sophos. I brought some of that experience to bear on our decision but our shortlist was Palo Alto, Fortinet, and Check Point.
The reason I selected Check Point was partly its pedigree, knowing that Palo Alto formed out of Check Point. Both companies are built from the same DNA and each has a history and a culture I respect and trust. Check Point Research is regularly in the news it seems for finding exploits and vulnerabilities in popular cloud platforms.
Check Point offered quality local support, including our technical sales representative and a support manager that live in the area. A couple of executives also live in the area. If we needed to escalate, we had the people here locally that could help us with that.
My former company used Palo Alto and, while I didn't interface with the products on a regular basis (we relied on the network team for analysis), I'd overhear frustrations with support. Palo Alto is also a great product and it wasn't an easy decision choosing between CP and PA from a technical perspective. I had never used Check Point prior to this position, but it outpaced its competitors in a few key areas, especially the pre-sales phase, POC engagements, local support options, and the maturity of Check Point's ThreatCloud technology.
My advice would be to look hard at premium support options. Know what your tolerances are, and if you expect fairly quick turnaround on support incidents, go ahead and invest that money in support. Definitely take advantage of pro services, buy a block of hours, whether that's 10 hours or 20 hours, and use that to fill in the knowledge gaps, especially during deployment. If you rely on standard support during setup, depending on how complex your environment is, you may be frustrated.
We did well doing what I recommended here. We bought two rounds of pro services (20 hours). I don't want to pile on standard support - it's not bad - it's just that if we were to rely only on standard support, I think our migration would have taken longer, and there might have been more frustrations. Because we had local support and because we bought pro services, it accelerated our timeline and it got us into production much quicker.
From what I've seen and heard from my staff, I would rate Check Point NGFW technology a nine out of ten.
We use it to protect our network from the outside world and unsecured networks. We also use it to provide a safe, secure network to the internal users of our organization.
I am using various versions of the model, like R80.10 and R80.30.
These are vital, advanced firewall features for the market. They protect the environment more than the usual firewalls.
Check Point's study materials should be provided by the company directly and be of very good quality. This is not provided right now and something that the company can improve.
A disadvantage of Check Point is that people in the market are not too familiar with its usage and people lack training on it.
I have been using it for the last six years (since 2014).
Check Point Firewalls are very stable. Check Point is one of the oldest companies in firewalls with a very stable product. They provide good, stable updates.
It scales well. Recently, during COVID-19, we did the scalability process, and it was easy.
Currently, this is used only for our inbound networks to provide security to our internal network. Around 6,000 people are taking advantage of this technology directly and indirectly in our organization.
We have certainly increased the number of firewalls in our organization. In the future, if it is required, then we will definitely use more.
I have used the technical support very frequently. I would give them around a nine out of 10. They have very good support. In critical scenarios, they provide us very quick solutions, are very well-trained, and have a good knowledge about the product. That is what we expect from them. I am deducting one mark to allow room for improvement.
Previously, we were using the Cisco ASA Firewalls, which are one of the most demanded firewalls in the market. We switched to Check Point because their firewall is more advanced than Cisco ASA. They are also providing us the extra benefit of features, like their central management system, Antivirus, and Threat Prevention, which were not provided by Cisco ASA.
It was straightforward; it was not too complex. It was simple to install and use the features, as we were already trained. Our company used their trainers before installing it. Getting all the knowledge of the firewall's features beforehand worked very well for installing/deploying the solution in our environment.
We were using different firewalls that we had to replace. For that replacement, we required two years for the transition to Check Point to get it to work.
For our implementation strategy, we used a three-tier architecture strategy in which we have a console, three-tier management Gateway, and the firewall.
We have around 20 people on the team, because it is a large company. So, I deployed it with the help of 19 members. The team of 20 people work on different shifts and we manage all the organization's firewalls. We are all network engineers, though some of us have different designations.
It has a good return in terms of usage and the security that it provides. We are very happy with the security capabilities that this firewall has.
Check Point Firewall costs more compared to the other firewalls in the market, as pricing is a little high. However, it is easy to take the license and use it in the firewall.
We did an evaluation between Cisco ASA and Check Point. We had options to extend Cisco ASA or switch to Check Point, but we switched to Check Point Firewall.
Be knowledgeable before implementing this firewall because it has many advanced features compared to the normal firewalls in the market. If you want to use it in a better way, then you need to be trained on it.
There were a few members who joined our organization who were familiar with Check Point, but they do not know about every feature which could be used and taken advantage of to better secure our network. I recommend getting proper training before using it.
I would rate this solution a nine out of 10 because I am a very happy customer of Check Point. I have had a good experience with this firewall. I like the way it is improving a lot with the times.
We use it as a normal firewall for perimeter security, using some of the Next Generation features, like Anti-Bot and Antivirus.
We have two ISPs. We have a different firewall system in front of the Check Point Firewall. We also have normal Cisco switches combined with the Check Point solution. Then, our internal network is with Cisco, which is about 300 servers and 1,500 clients.
Since we are an insurance company, the solution is a necessity.
Two-thirds of our employees are working at home at the moment, so we use the VPN feature more than we used to. Of those two-thirds, only 100 or 200 are using the remote client from Check Point. The other employees are using other technologies, like NetScaler from Citrix.
We use the basic firewall functionality, plus the VPN functionality, a lot.
We have about 100 remote sites, which is where we use the VPN functionality. For private lines, we prefer to do further private encryption on the line. It is very convenient to do it with Check Point, if you have Check Point on both sides. It is convenient and easy to monitor.
The firewall feature and DDoS Protector, when turned on, keep away attacks from the outside. They also prevent users from accessing things on the Internet that they are not supposed to access.
The Threat Emulation definitely needs improvement. A couple of years ago, we did a comparison with other companies, e.g., Lastline, offering threat emulation and threat detection functionalities, and Check Point was lacking.
I have been using Check Point for 22 to 23 years. I have been using Check Point NGFW for 15 years, since 2005.
We used to have more problems. For the past five years, unless we have had a bug, which happens like once a year, it has been pretty stable. We did have a bug for the last three months, which has just been fixed. Before that we had another two or three major bugs. However, when there is a bug and it's not known to Check Point, they need quite a while to get it fixed. If they have a fix already, then there is a pretty quick turnaround to get it fixed.
There are three people working on firewalls, but not at 100 percent. We have the equivalent of one person doing firewalls 100 percent of the time using three people.
For our requirements, it's scalable enough. We have a 1 gig uplink to the Internet, which is easily doable with open servers.
We used to have some problems with the performance, then we upgraded the license and the scalability has worked well since.
There are 1,200 to 1,500 users.
It depends whether the problem is known to Check Point. If they are aware there is a problem, quite often it will then depend on which tech you finally land on if it's easier or harder to get to the root cause. The last issue was in India so that was pretty bad. It's easier if you get directly through to Tel Aviv or Ottawa, but you can't choose. Once they know what the issue is, it's pretty good. It pretty much depends on the engineer that you get. There are pretty good engineers and there are many engineers who are at just the starter level at Check Point who are not really into the stuff. Sometimes it's hard, sometimes it's easy, depending on the problem and the tech engineer you get.
To the next manager, it's pretty easy to escalate an issue, if needed. Though, it depends on the manager.
Our current sales staff isn't too good. Though, the one before was pretty good. So, you can escalate on that process well. As an escalation path, it works most of the time.
Once you do it for over 20 years, it is straightforward. If you have done it a couple of times, then you know what to do. However, even if you are a beginner, Check Point is more straightforward than Palo Alto or something like that. Once you get the idea of how a firewall works, Check Point does it that way.
There is a central location where we deploy upgrades, which normally take one business day since we have several clusters there.
When deploying the solution to remote locations, we have several models to choose from.
When we tried Threat Emulation, we received professional services from Check Point. However, for the normal setup, we don't involve any professional services.
It is like insurance for us.
The pricing and licensing are pretty steep. They know that they are good, so they are pricey.
We are also using Forcepoint, which is a little bit different on the OS and focused more on IPS/IDS. It is a good practice to combine two different firewall vendors in case one of them gets hacked.
We also evaluated Palo Alto, like five years ago, but that doesn't make much sense for us.
Since we are trying to get our customers to do more self-service, we should see more inbound traffic. So, the usage will increase in the next two years.
We get more attacks from the outside these days, so it has become more important to use systems like Check Point. When I started with security 25 years ago, it was still something not everybody was aware they needed. Today, it's common sense that everybody needs to protect their perimeter.
Plan first, implement last. You should first be aware of what assets you want to protect and what are your traffic patterns. You should plan your policy and network topology ahead of time, then start to implement a firewall. If you just place it there without any plan of what it's supposed to do, it doesn't make too much sense. I think planning is 80 percent of the implementation.
I would rate this solution as an eight out of 10. It would be better if the support was quicker in the cases we had. Apart from that, we are happy with the functionality.
I support multiple clients within the UK, the EMEA region, the US, and now in Asia Pacific as well. I specialize in Check Point firewalls. I design and secure their data centers, their on-premises solutions, or their businesses' security.
The firewalls are mostly on-premise because most of our clients are financial organizations and they have strict compliance requirements. They feel more secure and have more control when things are on-premise in the data center. However, there are use cases where I have helped them to deploy Check Point solutions in the cloud: AWS, Azure, and in Google as well. But cloud deployments are very much in the early stages for these clients, on a development or testing basis. Most of the production workloads are still on-premise in data centers.
Most of my customers are still using R77.30, and they are on track to upgrade from that to R80, which is the current proposed version by Check Point.
One of our customers has just recently been attacked by malware and internal DoS attacks, and they have a multi-vendor, multi-layer firewall approach. The internal firewalls are Check Point. The great thing about Check Point is that because of its central architecture, you can very quickly pinpoint where the attacks are coming from. It gives you comprehensive reporting when the attacks start and when they've stopped, so you can see the complete, end-to-end picture: where the point of attack is, at what time, and what host. They can track all of that.
However, in parallel, that customer is using other firewalls which have no visibility. One of the main advantages of having Check Point firewall is definitely that it gives you absolute in-depth visibility.
Among the valuable features are antivirus, URL inspection, and anti-malware protection. These are all advanced features.
One of the great advantages of having Check Point as a firewall is that all of these are software blades, so you can buy a license or subscription and enable them and get the security up and running. With other firewalls, it's a completely different agenda, meaning some of them require hardware modules, and some of them have a complex way of adding the licensing, etc. Check Point definitely has a great architecture, where you can just enable the software blades and deploy a secure service. Overall, it provides ease of deployment and ease of use.
The area where it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay. That's one of the main complaints for most of our customers. Or if it is quick, then it's very complex. For example, if they have received a file which is "unknown" or has Zero-day attack malware, sometimes it doesn't get analyzed properly or it's locked into the cloud. So there are various small issues with the product that need possible improvement.
The SandBlast product on its own is a very good concept, and it works absolutely brilliantly. However, when you integrate it with existing firewalls, it just doesn't play very well.
The cloud solution is quite straightforward because it seems the SandBlast solution was designed, initially, for cloud deployments, where you've got multiple clouds or multiple vendors, and you are receiving files from different points. And on the cloud edge, for example in AWS, if you have Check Point sitting there, it works very well if you're running a virtual firewall. However, if it's on-premise and it's a dedicated appliance, then the performance is slightly different and the way it works is very different. So where it needs improvement is where it's an appliance-based solution rather than a software or cloud-based solution.
If I am using SandBlast on a virtual appliance — for example, I've got Check Point virtual appliances in AWS, and Azure as well, for a customer — those virtual appliances work absolutely fine as a service, as does SandBlast as a service. However, if it's an appliance, if it's a dedicated firewall on-premise in a data center and you add SandBlast as a software service, the integration is not that straightforward, so the experience is very different.
It seems like they were possibly built by different teams, independent of each other.
I've been using Check Point firewalls for about 16 years. I am the main network or security lead and I have four other engineers who report to me. They also do design and deployment.
I work with approximately 40 companies that utilize Check Point.
Check Point firewalls are very stable. One good thing about Check Point is that they do rigorous testing internally before releasing updates, which is something I have not found with any other firewall products. With most of the other firewall products, when they release something, it's like the customer becomes the guinea pig for that particular version, whether a minor or a major update. However, with Check Point, you can see all the white papers and what ways they have tested a minor or major upgrade of the software version, and what the performance was like. What are their known issues and is somebody working on them or not?
So the software releases are very stable and you have visibility into how they operate and what the known issues are, so you know whether you should go ahead with them or not. And in case there is a problem, the support is excellent. You can reach out to Check Point and say, "Look, I've done the software upgrade and I'm experiencing these problems. How can I deal with them?" They are there to help you out.
There are times when we have problems in terms of software or hardware defects. We have sustained downtime, but most of the architecture I design is resilient, so if one device is down, the other one is working fine. Then in the background, I or my support team will deal with Check Point directly, to get a replacement. They're definitely quick to respond and very efficient.
In the past, we had a lot of problems with licensing, specifically, but Check Point has redone the whole way they do licensing. It's very quick now, and very efficient.
Check Point firewalls are extremely scalable. Recently, I deployed Check Point in an AWS cloud solution for one of my clients, and it's been absolutely excellent in handling growth. They've grown from 10,000 users to a million users. The way Check Point has advertised the product, it is supposed to be highly scalable, which means it grows as your demand grows, and that has been the case.
Recently we have set up a test case where we are moving over management servers from on-premise to a Check Point-provided Infinity cloud solution. We are still at the testing phase but, overall, it's been a great experience so far.
The teams we deal with within Check Point are extremely knowledgeable. They know how to understand the background of the problem, and they're very good about articulating how we deal with the issue, whether it's a minor software upgrade issue or it's a major failure of the hardware itself. They know where to look for the right stuff. The key point is they're very knowledgeable and very technical. And if somebody doesn't have the technical capability, they will definitely help you out to make sure you get to the bottom of the problem.
In the past, most of the customers I've worked with have used different firewall vendors, such as Cisco, Palo Alto, and Juniper.
I've recently seen deployments where customers have tried to move from Cisco ASA to Cisco Firepower and the deployment has gone horribly wrong because the product has not been tested by Cisco very well and is not a mature product. I've gone in and reviewed their business requirements and technical requirements and, based on that, I've recommended Check Point and done the design and deployment. They've absolutely been happy with the solution, how secure and how capable it is.
We use Check Point across multiple types of customers, such as financials, retail, and various other public and private sector organizations. I review their security architecture, which is firewall specific and, based on that, I have recommended Check Point. In most cases, I've managed to convince them to go ahead with Check Point firewalls as a preferred secure firewall solution.
The main reason is that Check Point is far ahead in the game. They're definitely the market leader. They are visionaries when it comes to security. Another reason is that a lot of firewall architecture starts from the firewall itself, which is the local firewall. It can easily be hacked and manipulated. However, the Check Point architecture, out-of-the-box, is very secure. They have a central Management Server and all of the firewalls are managed through that one central point. So in case somebody breaks into your firewall, the firewall is encrypted; they will delete the database. The architecture is secure by default. The good thing is that other firewall vendors have realized this and they've started to copy the same system that Check Point has used for the past 20 years now.
When working with the Check Point team on deployment, they're really helpful and very talented people. When you speak to other firewall vendors, they just think about the firewall from their point of view. The good thing about Check Point engineers, or technical staff, or even management staff, is that they understand what the requirements of business are and how they can improve or align the proposed solution. Overall, Check Point staff are very knowledgeable, they understand different industries, and they understand the product very well. That's definitely a competitive edge compared to other firewalls.
Once the design is done, for something simple the deployment can take half a day, whereas for a complex deployment in a data center it can take about five days.
Our implementation plan is divided into different phases. Phase One might be the physical cabling of the firewall device itself. Phase Two would be the logical setup, which means defining the interfaces and the virtual setup of the firewall itself. The final phase would be to bring it online in parallel with production, in a non-prod service, and test it to ensure it works as per the design.
A customer I'm working with right now was running with Check Point and they wanted to move to Fortinet firewalls. However, when I worked with them on the design to upgrade the existing Check Point firewalls, what we worked out was that even though the Fortinet might have seemed like a cheaper option, it didn't have the security capabilities that Check Point is offering. On that basis, the customer signed off on a project for upgrading their existing firewalls, on-premise and cloud, from R77.30 to R80.10.
It can be expensive, but it's value for money. What you pay for is what you get. You can go down in price and buy some cheap firewalls, but you're not going to get great support and you're not going to get the level of protection you need. With Check Point you get all of that.
With Juniper, one of the biggest downsides is support. The support portal is slow and I won't say the staff is competent in terms of understanding. They're very disconnected internally. What I mean is that the team working on the software development of the firewall has no interface with the support teams that are handling day-to-day TAC cases. They definitely struggle when it comes to understanding challenges, problems, and incidents with the firewalls.
In the past, Juniper firewalls were good, but recently the security offering has just not been there. They don't have anything like SandBlast from Check Point. They don't have up-to-date Zero-day attacks control. They're still running a very old architecture. They can do things like antivirus and URL proxy, but those are very simple features. They have none of the advanced feature set that Check Point has.
Palo Alto is very competitive with Check Point when it comes to security. However, one of the challenges with Palo Alto is that, overall, the solution can be extremely complex and expensive. That is one thing I've heard from customers again and again. Either they have existing Palo Altos or they plan to go to Palo Alto, but when they do a comparison with Check Point, what they find is that the overall value with Check Point is much greater than with Palo Alto firewalls.
If you're looking to implement Check Point as a security solution, definitely do your homework. Do some research, not just in terms of firewalls, but overall security architecture. Which ones are the leaders in the field? Which ones are there to deliver what they promise? And overall, how does the architecture work? Is it secure or not? And does it come from a team that understands how to support the solution itself? Are they consistent? Look at their track record for the past 10 or 15 years, or are they a new player? If they are, you don't know whether they're going to stay in the game or not. A good thing about Check Point is that its core product is security. They've been doing it day in and day out. You know they're there to stay in the game. You can trust them.
Check Point is a proven solution. A lot of customers and clients already rely on it. And for the Next Generation Firewalls, they're coming up with new features as security threats become known.
If somebody wants a secure and stable environment, Check Point is definitely the leader to go to; definitely the number-one choice. It's not only what it says on the box. In reality, I've worked with hundreds of banks and they're happy with the product because it works; in practice, it works. That's the main thing.
We use it for VSX virtualization and we use it for normal firewall functions as well as NAT. And we use it for VPN. We don't use a mobile client, we just use the VPN for mobile users.
We are able to virtualize about four firewalls on one machine. Before, we needed to have four firewall hardware devices, physical devices, from Cisco. We had four appliances, but now, with Check Point, we just have one. We can manage them, we can integrate them, and we can increase connections using one and the other. It has broken down connection complexities into just a GUI.
Also, previously we had downtime due to memory saturation with our old firewalls. We were using Cisco ASA before. During peak periods, CPU utilization was high. Immediately, when we switched to Check Point, that was the first thing we started monitoring. What is the CPU utilization on the device? We observed that CPU utilization stayed around 30 percent, as compared to 70 percent with the Cisco we had before, although it was an old-generation Cisco. Now, at worst, CPU utilization goes to 35 percent. That gives us confidence in the device.
In addition, the way Check Point built their solution, there is a Management Server that you do your administration on. You have the main security gateway, so it's like they broke them down into two devices. Previously, on the Cisco, everything was in one box: both the management and the gateway were in one box. With Check Point breaking it into two boxes, if there's a failure point, you know it's either in the management or the security gateway. The management is segmented from the main security gateway. If the security gateway is not functioning properly, we know that we have to isolate the security gateway and find out what the problem is. Or if the management is not coming up or is not sending the rules to the security gateway, we know there's something wrong with it so we isolate it and treat it differently. Just that ability to break them down into different parts, isolating them and isolating problems, is a really nice concept.
And with the security gateway there are two devices, so there's also a failover.
The way we use the VPN is usually for partners to connect with. We want a secure connection between our bank and other enterprises so we use the VPN for them. Also, when we want to secure a connection to our staff workstations, when employees want to work from home, we use a VPN. That has been a very crucial feature because of COVID-19. A lot of our people needed to work remotely.
The VPN part was actually one of the most complex parts for us. It was not easy for us to switch from Cisco, because of one particular part of the integration: connecting the Check Point device to an Entrust server. Entrust is a solution that provides two-factor authentication. We got around it by using another server, a solution called RADIUS.
It was very difficult to integrate the VPN. Until now, we still don't know why it didn't work. With our previous environment, Cisco, it worked seamlessly. We could connect an Active Directory server to a two-factor authentication server, and that to the firewall. But when we came onboard with Check Point, the point-of-sale said it's possible for you to use what you have on your old infrastructure. We tried with the same configurations, and we even invited the vendor that provided the stuff for us, but we were not able to go about it. At the end of the day they had to use a different two-FA solution. I don't know if Check Point has a limitation in connecting with other two-FAs. Maybe it only connects with Microsoft two-FA or Google two-FA or some proprietary two-FA. They could work on this issue to make it easier.
Apart from that, we are coming from something that was not so good to something that is much better.
I have been using the Check Point Next Generation Firewall for 10 months.
The stability of Check Point's firewall, for what we use it for now, is pretty good. Especially, with the licensing of blades and the way they script it down into different managers. You have a part that manages blades, you have the part that manages NAT, and you have the part that manages identity. The VSX is another one on its own. So it is very stable for us.
When we add more load to it, when we go full-blown with what we want to use the device for, that will be a really good test of strength for the device. But for now the stability is top-notch.
They scale well.
All information passes through the firewall. We have about 8,000-plus users, including communicating with third-party or the networks of other enterprises that we do business with.
We've not used technical support. We asked our questions of the vendor that deployed and he was quite free and open in providing solutions. Anytime we call him we can ask. He was like our own local support.
There is also a Check Point community, although we've not really been active there, but you can go and ask questions there too, apart from support.
The initial setup was pretty straightforward.
It took a while, about a month, but it was not because of the complexity. It was because we gave them what we already have on the ground. We were on Cisco before and they had to come up with a replica of the configurations for Check Point. When they got back to us we had to make some corrections, and there was some back-and-forth before everything finally stabilized.
For our day-to-day administrative work, we have about four people involved.
We used a Check Point partner for the installation. I was involved in the deployment, meaning that while they were deploying I was there. They even took us through some training.
We have surely seen ROI compared to the other vendors I mentioned, in terms of costs. And we tested all the firewall features to see if it is doing what it says it can do. And so far so good, it's excellent. It's a good return.
Check Point offers good solutions, but it won't kill your budget.
Going into Next-Generation firewalls, you should know what the different blades are for, and when you want to buy a solution, know what you want to use that solution for. If it's for your normal IP rule set, for identity awareness, content awareness, for VPN, or for NAT, know the blades you want. Every solution or every feature of the firewall has license blades. If you want to activate a feature to see how that feature handles the kind of work you give, and it handles it pretty well, you can then move to other features.
We evaluated Palo Alto, Fortinet FortiGate, and Cisco FirePOWER.
Check Point was new to the market so we had to ask questions among other users. "How is this solution? Is it fine?" We got some top users, some top enterprises, that said, "Yes, we've been using it for a while and it's not bad. It's actually great." So we said, "Okay, let's go ahead."
I would recommend going into Check Point solutions. Although Check Point has the option of implementing your firewall on a server, I would advise implementing it on a perimeter device because servers have latency. So deploy it on a dedicated device. Carry out a survey to find out if the device can handle the kind of workload you need to put through it.
Also, make it a redundant solution, apart from the Management Server, which can be just one device. Although I should note that up until now, we have not had anything like that.
I had 3200 appliances deployed in my company where we had two CMSs. We had multiple VSXs on those appliances due to the main firewall that we had on the VLAN. We also had an external firewall on the VLAN, which were used to monitor and allow the traffic within the network. That is how we were using it.
They have a new R81 in place. Currently, they also have R75 deployed in the environment, but they are planning to upgrade to R80.20 because that particular firewall has very high CPU utilization and there is no more support for R75.
I like that it first checks the SAM database. If there is any suspicious traffic, then you can block that critical traffic in the SAM database instead of creating a rule on the firewall, then pushing that out, which takes time.
The Anti-Spoofing has the ability to monitor the interfaces. Suppose any spoofed IP addresses are coming from an external interface, it won't allow them. It will drop that traffic. You have two options with the Anti-Spoofing: prevent or detect. If any kind of spoof traffic is coming through the external interface, we can prevent that.
I like the Check Point SandBlast, which is also the new technology that I like, because it mitigates the zero-day attacks. I haven't worked on SandBlast, but I did have a chance to do the certification two years back, so I have sound knowledge on SandBlast. We can deploy it as a SandBlast appliance or use it along with the Check Point Firewall to forward the traffic to the SandBlast Cloud.
Working on Check Point for me looks simple. For the user or anyone else who is using Check Point, they are more into the GUI stuff. Check Point has its SmartConsole. On the console, you have to log into the MDS or CMS. Then, from there, you have to go onto that particular firewall and put in the changes. If the management console could be integrated onto the GUI itself, that would be one thing that I would recommend.
The ability for the multiple administrators to not do changes was fixed in R80.
I just changed companies six months back. I have been using Check Point for around two and a half years. I was working on the Check Point technologies in my previous company. I did the implementation of Check Point and was also monitoring the Check Point Firewall in my last company during firewall upgrades.
We had two Check Point Firewalls deployed in HA. There was one particular change that we did regarding the FQDN objects. However, after deploying this new change, which already had multiple FQDN objects, the behavior of the firewall was changed in terms of the live traffic. Because after deploying the critical change, the users were facing intermittent Skype and Office 365 issues. We checked the performance of the Check Point, which also decreased due to the FQDN objects that were pushed onto the firewall. Therefore, we had to reverse back the change in order to increase the performance, because it was utilizing 80 or 90 percent of it. Once we reversed that particular change, then it was working fine.
These firewalls are stable. The customer is looking forward to upgrading to the latest version of Check Point.
It is scalable.
The entire company network resides behind these particular firewalls. All of the users, if they wanted to go out onto the Internet, have to go through this firewall.
There are around five to eight people who worked for my team. We monitored the firewall. In case of issues, we would then go on a call with the customer and troubleshoot that issue.
Sometimes, I faced issues while troubleshooting. In those cases, I did have to contact Check Point's technical support because some of those issues were complex.
I would give the technical support a four out of five. They would get on the call and try to resolve that issue as soon as possible.
Initially, I was working on the Cisco ASA Firewall, then I got an opportunity to work on the Check Point Firewall. The main difference is regarding the architecture. Check Point has three-tier architecture, whereas ASA doesn't have that architecture so you have to deploy every rule on the firewall manually. With Check Point, you have a management server and you can have that policy package pushed onto the other firewall, which is one of the key features of Check Point: You don't have to deploy every tool on the firewall manually. We can just push that particular policy package onto the new firewall based on global rules that we have in Check Point.
Every time, I had to deploy all of the rules and basic connectivity, SSH and SNMP management, on the ASA Firewall. Whereas, in Check Point, I can just go onto the global rules and put that policy onto the Check Point Firewall, then it will have all those global rules required in the company.
Check Point also has the Identity Awareness feature, which is using a captive portal. This is something good which I like.
It was pretty easy and straightforward for me to deploy these firewalls.
It took around 15 days to do the initial deployment and get the basic connectivity to the Check Point Firewalls. We had to send a field engineer to do the cabling and everything, like the data connectivity. It takes time to do all the network, cabling, etc. Once the basic connectivity is established, then we can move ahead with the implementation of the rules on the firewall. The company had an initial set of rules to follow for the setup.
We initially opened a case regarding the upgrade. Check Point's technical support was there on the call because the upgrade was going from version R77 to R81.10. This was a major update for the entire network, and they were there supporting us in case of any issues.
The customer feels more secure because they have two layers of security and are comfortable working with this particular Check Point Firewall because they previously used Check Point R75.
Pricing is fine.
We had to get separate licenses for the different blades. It would be nice to have a feature where we can get the multiple licenses all-in-one instead.
The licensing feature is good for the Check Point. It attaches to the management IP address of the central management server. So, you can remove that particular IP and then use that license on another device on some other firewall, if you want.
Compared to the Cisco ASA Firewall, the Check Point Firewall makes your work easier because you're not deploying the firewall, then pushing the policy, which takes time. Initially, when I was working with the ASA Firewall, we used to implement the firewall, then we used to hand it over to operations for the maintenance. So, I had to manually implement all of these rules, etc.
When I learned about Check Point and had basic training for it, I got to know the architecture was different for the Check Point Firewall. You can just have a policy package and deploy that policy package on any of the firewalls that you want. It already has that particular set of rules, which makes your life easier while implementing the rules on the firewall, e.g., if there are multiple firewalls on the network that should have the same policy.
Anyone who is new to Check Point Firewalls should have the basic understanding and training so it becomes easy to deploy and implement. You can go onto YouTube and find various training videos regarding Check Point, where you can get a basic understanding of the Check Point Firewall.
I would rate this solution as an eight out of 10.
We have been using Check Point for the last 14+ years since it was called Nokia Check Point. It is a wonderful product with wonderful support. Technology advancement is also part of the life cycle.