Check Point NGFW Reviews

We use Check Point Next-Generation Firewall as a perimeter firewall. This means that all incoming and outgoing traffic from our premises is routed through the Check Point firewall. Within our configuration, we have activated several security features and licenses, including the firewall itself, site-to-site VPN functionality, application and URL filtering, Identity Awareness, threat simulation, and anti-bot protection. Additionally, we possess the license for the NGpX version, which includes extraction capabilities.

With our previous firewall solution from a different vendor, we were limited to basic firewall functionality without features like IPS and content filtering. With the implementation of Check Point firewall, we got a comprehensive set of features that enables us to gain clear visibility into how our applications behave and which areas we have control over. It allows us to monitor and manage application usage effectively while allowing us to filter and enforce rules in accordance with our organization's security policies.

The most invaluable features we have are content filtering and application control. These features operate seamlessly, thanks to the integration of Identity Awareness. Through Identity Awareness, we established a connection with our internal LDAP server, which enables us to exercise complete control over user access. We can precisely determine who has access rights and who is granted permission, regardless of their connection point.

We implemented our firewall in a clustered configuration with two gateways. We faced some limitations with the Security Management Server (SMS) application. The SMS functionality is restricted as it only supports specific deployment modes on virtualization environments like Microsoft Hyper-V and VMware ESX and Open Server mode. Our organization utilizes a different virtualization setup, and we couldn't obtain assurance from the vendor that they would provide support if we deviated from their recommended deployment methods. That is why we had to deploy the SMS on a separate server, which introduced additional complexity. Improvement regarding the expansion of the SMS's compatibility to include various virtualization environments would be beneficial. Also, when attempting to enable SSL offloading mode, we faced functionality issues. This feature should be enhanced to ensure seamless SSL offloading, without negatively impacting the core functionalities such as HTTPS and content filtering.

I have been working with it for more than three years.

Its stability capabilities are impressive. We have not encountered any issues. I would rate it nine out of ten.

The scalability is relatively good, especially when considering its database capabilities. Our physical gateway hardware can comfortably handle up to nine units. When it comes to the monitoring appliance, such as the Check Point SMS (Security Management Server), it requires substantial resources. Due to limitations with supported virtual environments, we encountered challenges in expanding its capacity. I would rate its scalability 6 out of 10 since there is room for improvement in this area.

We chose the Pro Support option, which has allowed us to automate many of the Security as a Service (SaaS) functions. This means that whenever there's an error in the gateways' flow, an SR (Service Request) is automatically generated and promptly communicated. The support provided has been exceptionally efficient, with quick and responsive assistance. I would rate it nine out of ten.

Positive

We previously used the Cisco ASA 5525X version, but we found that its management and performance capabilities were distinct. Cisco retired some of its features, and the replacement version offered came at a higher cost for the features it provided. Consequently, we decided to transition to Check Point, which offered us a more favorable price point without compromising on functionality.

The initial setup was easy. I would rate it eight out of ten.

The deployment process took approximately a week and a half, and about half of the challenges we faced were related to the physical connectivity issues on our end. Despite those hurdles, the deployment timeline remained relatively swift. One critical aspect for anyone planning to deploy this solution is to thoroughly understand where it fits within the network architecture and how it should be physically connected. This is especially important when implementing clustering, as the physical connectivity can become intricate. It's essential to consider high availability and compatibility with other devices it will connect to, such as core switches or perimeter routers. Ensuring that these devices support the desired failover and reliability modes is key to avoiding complications. The duration of the deployment also depends on the expertise of the person responsible for it. In our case, we opted for professional services, which included on-site configuration support. If the person handling the deployment is familiar with the surrounding devices and network environment, one individual may suffice. If there are connections to devices from different vendors, and the configuring expert lacks expertise in those areas, I would advise involving additional personnel with the relevant expertise to ensure a smooth deployment process.

It may be considered relatively expensive, but the investment is justified when compared to other competitors. Check Point's functionality and capabilities are notably strong. The cost of licensing can vary based on the prevailing exchange rates. In our case, we paid for the renewal in our local currency, but on average, it amounts to approximately $32,000 USD annually. I would rate it eight out of ten.

It is highly commendable for its stability and performance. When deciding on the appropriate licensing option, it's important to carefully consider your needs. Opting for two-year or five-year licenses can provide cost savings through discounts. After it is deployed, those with experience using other next-generation firewalls will find it relatively straightforward to manage. It doesn't require significant additional effort, and users with a basic understanding of next-generation firewall features can navigate through the management and rule settings easily. I would rate it eight out of ten.

We've used the solution for perimeter and DMZ security as we host a website that is accessible online.

On the perimeter, we have Check Point acting as the entry point to our web server farm with load balancers. The access policy is configured with the least privilege, only allowing connections that are part of business requirements.

Intrusion prevention is enabled in prevent mode to detect and block well-known vulnerabilities and attacks. The device connects to Check Point's cloud for updates on signatures to new threats. 

We are peering with Partners via Site-to-Site VPNs for Services.

1. It's offering perimeter security to publicly accessible sites. There's better security at the edge and DMZ with the use of access policies. 

2. The activation of Intrusion Prevention Blades offers better security at the perimeter and between DMZ Zones. IPs also have prebuilt security profiles making deployments of IPS fast and efficient, and exceptions to the rule base are easy.

3. The use of a remote access VPN is used to connect to partner sites.

4. Check Point offers virtualized systems, making it easy to scale. Instead of buying new equipment, we have set up virtual systems for the DC and user networks.

1. Intrusion prevention. Preventing and detecting well know vulnerabilities to our publicly accessible systems is easy. Inbuilt predefined security profiles can be deployed out of the box.

2. Virtualized security. Virtualized products are used to provide more scalability and ease of administration to the network.

3. Identity awareness. Granular policies on the firewall are based on identities.

4. Site-to-site VPN. We can make connections with partners securely.

5. Reporting. Prebuilt reports that are already in a well-presented manner could be presented to management.

6. Access Policy and NAT rules base.

1. Complexity in upgrades. Currently, upgrades are quite cumbersome. I would prefer the click of a button and process upgrades.

2. Pricing. The pricing is quite high as compared to other industry firewalls (such as Cisco or Fortinet).

3. Documentation. They have to improve on providing more documentation and examples for certain features online. In other sections, it feels shallow and we could use more information and examples.

4. Complexity in system tweaks. There are some knobs that need to be tweaked at the configuration files on the CLI which can be considered complex.

5. Check Point Virtual Security. The features take a bit more time to be released as compared to physical gateways.

I've used the solution from 2017 until now.

A word of caution, especially on new software: you might hit a couple of bugs. Therefore, the general recommendation is to wait for a few takes before upgrading to a major version.

With older versions it's stable.

The solution offers high-performance devices ranging from small to big data centers.

Virtual Security offers up to 13 connected gateways helping with managed security.

First-line support is hit or miss, and at times getting an engineer to assist on the call can take hours.

Opening tickets on the Check Point platform is ok with the first response depending on the workload of the engineers.

This is one place Check Point needs to improve.

Positive

Previously we were using Cisco ASA 5585. However, the performance was not reliable, and scaling would have been an issue.

We opted to go with Check Point, which could handle high performance and scaling was easier. Check Point also offered IPS features which were easier. Check Point also had better reporting and management tools.

The initial setup was a bit complex since we were deploying virtual systems.

The interface configurations, access policy, VPNs, and NAT setup were easy. The complexity was in understanding how Check Point handles virtualized security instead of physical security gateways.

The initial implementation was with the help of a vendor with good knowledge of the product.

It's used to protect the organization from security threats and provide connectivity to our applications which is the main platform for business. That's the ROI we've noted.

The pricing and licensing for Check Point are high.

Due to experience with Check Point, we did not evaluate other options (like Fortigate or Palo Alto).

Generally, Check Point is a good product with a lot of security features that I would recommend to any organization.

The primary use case of many organizations is to protect their environments from outside cyber threats across multiple layers of infrastructure. For example:

1. At a perimeter level, it protects the network at the parameter; many organizations use this firewall.

2. It provides scalability and seamless traffic flow in a network. 

3. It has all-in-one next-generation features, so many organizations save money using this firewall.

Check Point NGFW helps in many ways, including:

1. Using the application filter feature, I can block all the unwanted applications which are not used in the organization. Due to this, less bandwidth is used in the network. This leads to a cost cut in the ISP bill. 

2. With the help of URL filtering, I can block very easily. If this is not blocked, users may surf malicious websites or download malicious files.                             

3. Evaluation licensing helps us to conduct POCs and explain all features to customers. 

I love the application filter, as the user cannot access any applications that are not relevant to them. This reduces the likelihood that someone may access an application that contains a malicious link or file that the user may download, which in turn reduces ransomware attacks and DDoS attacks.

They just need to improve the technical support and professional services in India. We have received many complaints about them from clients and also face the same issue ourselves. 

For the past one and half years I have been using Check Point Firewall for security.

We have a good impression of stability. 

The performance is very good; there is no issue with performance.

I've only deployed Check Point Firewalls and have used other older Check Point devices that reached EoL.

The initial set up is simple. Users just need to run the wizard to set up, and they are done.

I deployed the solution for many customers in the banking sector.

Costing and licensing are high as compared to other OEMs.

I mostly work on Check Point; others which I have evaluated include Cisco and Fortigate.

Check Point is mainly used for internal communication. Our clients have multiple platforms, and customers use it for internal communications and protection, from the DMZ to the LAN to the DMZ, and also for MPLS connectivity with multiple branches. 

As I've seen, the customers also use it as a gateway for publishing their website. This is only for the perimeter, however.

It is very easy to identify the logs. It is also very well managed because of the threat cloud architecture. 

Another thing is that whenever we make changes on the firewall, we first need to publish them and then install the policies. This allows us to double-check the policies before they are implemented, which is helpful.

We faced many challenges. For example, an issue with the managed view that Check Point has. When clicking on a rule, we are supposed to have a full view of that rule and its log portion. This should show what's passing through the rule, what's coming to the rule, and all of that on a single pane of glass. Currently, the log isn't showing when we click on a particular rule. This might be an issue with an upgrade or something. Because of this, we can't implement anything on the live system; we only have a maintenance window every weekend, and it's hard to troubleshoot within an hour.

Another problem is that when we created around two lakhs of Check Point objects on the firewall, it became very slow.

I have been using it for two months. 

It is not slow. But, we implemented two lakhs of objects on the firewall, and that caused the slowness. It can happen with all firewalls, not only Check Point.

Currently, I work with enterprise customers.

It was good. No issues with that.

Positive

I can recommend Check Point, Fortinet, and even SonicWall. 

I come from a system integrator background, we first understand the customer's requirements before suggesting a firewall. Sometimes we aggressively push SonicWall because the user's requirements are more aligned with SonicWall. That's how we propose solutions.

It is very easy to install, not that complicated.

The complexity and time depend on the customer's requirements.

No maintenance: In the past two months, we haven't faced anything that required replacements on the firewall.

Pricing is good. The price is very reasonable for enterprise customers.

It offers average pricing. Previously, I worked as a system integrator, and we faced some cross-product environments where Check Point was quite costly compared to the product we were working with.

Overall, I would rate it an eight out of ten. 

Mostly enterprise customers use it for their system security as their main firewall. For example, some customers have multiple backup connections, including fiber connections, for redundancy. 

They use Check Point as the main firewall, and others use it for email scanning and file scanning to detect any vulnerabilities.

The firewall scanning, like antivirus scanning and malware scanning, are very good. Blocking the user is also very easy. If you want to block a user, we can just do it within the solution.

The reporting is quite easy and good, and you can see traffic in real-time. But compared to Sophos, Sophos is still better. There are still areas in Check Point that need to be improved.

It's actually quite good, but the only problem we faced was during COVID when people wanted to work from home. 

We had to use third-party software to give users access because the Check Point option didn't work as expected. So we used Check Point in the front, but we used third-party software for the virtualization of the applications and everything.

When using redundant connections, sometimes there are issues like one connection going down and switching to another connection. Also, breaking rules can be complicated. 

For example, if you want to make a rule for a specific connection, like assigning some users to one ISP and other users to another ISP, you have to use another device, like a third-party firewall intervention and routing, to get the desired results. Other than that, it's good performance-wise.

I've been working with Check Point for the past six or seven years. We always work with the latest version.

It's very stable. No issues there.

It's scalable.

Our clients have raised questions to technical support. They all have accounts, so we give them the login details. They send an email to support and get a support request. But normally, we try to handle everything on our own. 

If there's something we can't handle, like a firmware-level issue, only then do we get support from Check Point.

It depends on the client requirements also. Some government agencies need Check Point, and some clients need others like Cisco or Sophos. After Cisco, a lot of clients have changed to Sophos. So, we provide solutions depending on the client's requirements.

The initial setup is straightforward, just like any other normal firewall. 

• Deployment strategy: 

The deployment process depends on the client. For example, if it's an existing customer with an existing firewall, we first see what their current requirements are from the existing firewall, what they need to implement but cannot, or what challenges they are having. 

Then we compare the features of the existing firewall and Check Point firewall, and we tell them what the rules will be, like incoming and outbound rules. We try to see what is the fastest way, without any downtime, how we can point or configure the checkpoint. 

Then, after that, we do the testing, because almost all of the offices need that. So, normally, once we set it up, we give them one month for testing. Normally, for a better line or something, we just use a certain IT department or a sub-department for testing. After that, if it's okay, we hand it over.

In a nutshell:

Requirement Analysis →  Feature Comparison  → Rule Definition → Testing and Validation → Phased Rollout → Client Acceptance

• Deployment time: 

Normally, for a site, more or less, less than one month. It depends on the number of users. If there are a very large number of users, like 600,000, then it will take around one month or more.

• Deployment resources: 

Normally, we have two technicians working. One is from the Philippines, trained in Sophos and Check Point. We don't need many more staff for the implementation.

• Maintenance: 

It's very easy. Only the licensing. Every year, we have to pay, but sometimes clients talk about the cost. Also, very recently, there was a ransomware issue. The only issue is, for example, if it's ransomware, and it doesn't get detected by Check Point and gets infected from another source, we have to prove that it's not from the outside but from the inside. Because there are a lot of case scenarios like this, those are the things mostly.

• Integration capabilities: 

Integration is a little bit challenging. It's much easier for integration with other applications and domains. When integrating with a domain, there are still some small issues. For example, when applying a group from the domain controller, we sometimes need to test a firewall and do some reporting. There are small issues like that for the integration of LDAP. Other than that, it's good. It can pull up the users and groups, but there are some minor issues when we apply them.

It's effective and good.

Compared to Sophos and others, Check Point pricing is good for the current market.

In terms of features, Check Point and other firewalls are almost the same. There are no special or advanced features.

I can recommend it to other people. Overall, I would rate it a seven out of ten. 

We are a large University with more than 1000 employees across seven faculties and growing. Student population is more than 15,000 in-house and 30,000 external. The University of Kelaniya Sri Lanka primarily uses the Check Point 4800 device to protect users and servers. The product also enables the VPN with advanced security policies inside our network. This gives us a better security posture. Valuable features include a good VPN, IPsec, and SSL. We use Check Point 4800 as a perimeter firewall and our internet bandwidth expanded to 1Gbps.

We use it mainly for security and content control. Earlier, we could not block BitTorrent and other high bandwidth downloads from our firewall. After introducing this NGFW, we have improved our security posture, and now, have peace of mind. 

The most valuable feature is the IPsec VPN. The application and content filtering is perfect for our university. This device gives us alerts and reports on a daily and weekly basis. It gives us the opportunity to know what is going on. The Smart Dashboard and other user interfaces are very easy to use and can be handled without any significant IT skills. It allows for easy policy management.

The Check Point Capsule VPN is a great feature. It connects to our university in a few seconds.

It's easy to handle and manage. No need for significant IT skills to manage this solution.

Check Point Smart Dashboard does not support my Apple MacBook Air. It only supports Windows versions. Checkpoint does not support captive portal in IPv6. We had a big issue. Not solved yet by Checkpoint experts.

Check Point is a stable product.

No issues with scalability. 

We used Cisco ASA 5510 as our perimeter firewall before purchasing this NGFW. It only had firewall features. We switched because we were looking for a strong gateway level security with attributes like antivirus, anti-spam, IPS, web content filtering, application control, and secure wireless access points.

The initial setup was straightforward.

A vendor team implemented this. They gave us in-house training for our staff. They are experts in Check Point and taught us well.

It has a great ROI. 

Pricing is negotiable and competitive.

We selected the following brands and models by going through different reviews:

• SonicWall 9200
• Sophos XG 750
• Fortinet FortiGate 1500D
  
• Check Point 15400

We requested that the vendors do a PoC. Check Point, SonicWall, Sophos and Fortinet agreed to run one. Finally, we chose Check Point.

We are in the higher education sector in Sri Lanka. We produce graduates to our country and other countries.

It's just enterprise firewalls, firewall clusters for redundancy to secure the company network from the internet, and as well as a data center firewall, for example, if you want to split up subnets to control traffic between them.

The management is very handy and intuitive, and it has a lot of features. I think it's one of the products in this market which has the most possibilities.

I saw some other firewall vendors or firewall solutions from other vendors. And maybe I like it because I'm very familiar with Check Point and the management of the Check Point gateways. So, probably, I'm just not aware of how other solutions work and how to use them. 

We also see or have a lot of customers with Palo Alto. That's also a solution we see a lot, but we have been a Check Point partner for more than seven or eight years since the beginning of our company. We have done a lot of research on firewall solutions. 

In our opinion, it's one of the best because the management is very handy. So it's easy to implement every possible configuration, and you have a good oversight of your rule set. 

If I compare it with Cisco Meraki, for example, if the rules grow, then it's very hard to get oversight or to have oversight over the whole rule set. So then it becomes hard to manage.

With Check Point, it's easy because even when you have 200 or more rules, it's still very user-friendly, and you can still quickly manage your whole rule set.

What I like about Meraki is the whole cloud-managed feature, where it can configure gateways in the cloud and preconfigure it as well. So I don't need to have access to the device or create a configuration in the cloud. 

And as soon as the firewall comes online connected to the internet, then it downloads its configuration from the cloud. I think Check Point does also have such a solution, but I'm not aware that it's as easy as Cisco Meraki. Sometimes it would be nice if they would have the same possibilities.

I have been using it for about five years now. 

I have not yet faced any challenges with performance or stability. Sometimes when we implement core firewalls, there are applications that have longer session timeouts than the Check Point firewalls in the default settings. 

Windows has a default session timeout for about two hours, I think, and Check Point's is one hour. So, it's not a performance issue, but the application will not run as well as before the security gateway analyzes and blocks traffic. So, it depends.

Scalability  is a very good point of Check Point's solution. They can scale very well and very large.

The technical support is also very well and specific. It's very useful to have technical support from Check Point.

Positive

I have experience with Nutanix Flow. It's also possible to enable training in Nutanix Flow where you can redirect the traffic to Check Point gateways. I think that's a very useful feature if you need layer seven traffic analysis and blocks. But I don't have any customers, or we don't have any customers, who use chaining. We also don't have any customers who use a micro-segmentation solution from Check Point. So, I'm not aware if they have a comparable solution like Flow.

For the initial setup, you need a good knowledge of the operating system, Gaia OS. It needs some knowledge to get started, but if you've done it once, then it's easygoing.

Normally, we check the customer's requirements. Then we start to deploy the gateway and start with a basic rule set so the customer is able to refine it for their needs. If we are in charge of creating a complete rule set, we will bring all the requirements into a concept and then create a rule set in a more suitable way.

Some customers have very basic requirements. If it's just to deploy the gateways, then it's very easy and quick. You just need maybe a few days and a maintenance window outside of business hours. But there are also customers who have a lot more requirements, like scanning or analyzing the traffic for subnets inside of the network. 

For example, a core firewall can be very time-consuming. You need to do a lot more research and concepts or write concepts on how to achieve that. That can take a few months.

For maintenance, you need to know what you do. It can be difficult if you don't know what you want to achieve. If you are not aware of network security, then probably it's not that easy, and you may run into configuration errors or mistakes. It's easy to manage, but you have to know what you do.

Check Point is not the cheapest vendor in the market, but it has everything you need compared to other solutions. So that's probably the main reason for the cost or the prices. I think it's probably on the same level as Palo Alto.

I would recommend Check Point to other users who are looking into implementing it.

I would advise others to compare or write down their requirements and have a look to see if Check Point is able to fulfill all the requirements.

Overall, I would rate it a nine out of ten.

The customer purchased Check Point 6200 Firewalls to replace their aging Cisco ASA firewalls on the perimeter of their sites. The Cisco Firewalls must be replaced due to insufficient capacity.

It is envisioned that the initial migration will be a direct replica of the ASA configuration, with the client expanding the solution post-migration, with Check Point NGFW features.

This project consisted of the following deliverables:
• Rule base is migrated like for like, in which ASA Firewall zone-based rules will be converted to Check Point Parent/Child layered rules.
• Firewall zones to be imported and reviewed post migration by client.
• NAT rules will be migrated “as-is”.
• Geo-location rules from FTD will be honored and mapped into Check Point.
• Client-based blacklisting will be migrated into the solution, using external feeds via URL.
• A single IPS profile consisting of a clone of the vendor's “out-of-box” balanced profile (optimized).
• 1X site-to-site VPN.
• Integration into Client’s Cisco ISE solution for RADIUS-based admin authentication.
• NGFW licensing and blades to be installed on firewall devices, to allow features to be enabled in the future and expand the solution.

The Client wishes for the ASA firewalls to be replaced with a Check Point systems solution, which consists of 6200 Plus Appliances. 

The initial requirement was to migrate the configuration in an “as-is” state, with the necessary licensing purchased and installed to enable expansion of the solution with next-generation feature sets in the future.

The solution was able to meet and exceed the client's requirements thereby improving the client's environment.

The management server is software-based.

Firewalls and licensing include:
• FW
• IPS

The solution provides a single pane of glass management of rules/logging.

The solution supports IPsec tunnels FOR 1X IPsec VPNs.

The solution integrates with the client’s Cisco ISE RADIUS solution for administrative access.

The compute power of the appliance is great. The Check Point appliances are considered NGFW devices and can process both the ASA and FTD requirements on a single instance, removing the requirement for an expansion SSD module and/or additional hardware.

We'd like an option that can convert other vendors' NGFW configurations to supported Check Point NGFW config for ease of migration.

Check Point configuration options can be very enormous and overwhelming.
Check Point comes with a very lean learning curve even though they offer a robust knowledge base. 

A lot of configuration cannot be accomplished via the web interface or the smart dashboard software and must be done manually via the command line interface.

I'd like to see some built-in automation for the firewall alerts/events to trigger an automated response or recovery.

I've used the solution for three years.

The solution is stable with frequent version and management updates.

The solution is highly scalable and expandable.

The solution offers great customer support.

Positive

We used a different solution and needed more processing power and functionality which this had compared to industry competitors.

The setup was straightforward yet third-party device migration contained a lot of manual configuration conversions.

I implemented this myself.

Pricing can be relatively more expensive when compared to industry peers, however, the functionality makes up for the price difference.

We also evaluated:

• Cisco NGFW
• Fortigate NGFW
• Palo Alto NGFW

This is a great overall solution.