Check Point NGFW Reviews

We use the solution for our data center firewall on-premises. We have deployed a VSX Cluster that currently holds three virtual firewalls. We have several site-to-site VPNs established with our partners and hundreds of policies applied. 

We had a custom configuration in our previous policy for which we were passing traffic from one VPN tunnel to another transparently. With Check Point we had to create a new virtual firewall in order to keep it working, so from one firewall we ended up with two rerouting traffic from one firewall to another and changing NAT in order to keep this solution running. 

Finally, we created another (third) virtual firewall and configured it to be only a remote access SSL VPN firewall and to be used as a backup if our primary in our HQ fails while the other two firewalls handle production traffic. 

We selected this solution in order to replace the Cisco ASA we used to have. 

The features the CP firewall has combined with a very attractive price led us to this decision. The migration was smooth and all the features we needed have been configured easily and worked as expected. Additionally, the SmartConsole and the Log Event viewer made our every day to day tasks easier. 

Also, we were provided with a trial license for the compliance blade and the IPS which are truly amazing. I believe that the compliance blade will be used soon by our company in order to assist with the ISO certificate we are trying to get. 

Since we have already deployed an AWAF on our premises we didn't use the IPS but the features presented definitely would increase the security level. 

Although we use it as our data center firewall, it would be ideal for our HQ Office with all the security features it provides.

I appreciate the Smart Console for its ease of use and clarity in managing configurations. It's user-friendly and free of software bugs. Smart Console simplifies the management of current policies and objects, making it effortless to track an object's usage or identify unused objects, thus ensuring a tidy configuration. 

Additionally, the hit count feature proves highly valuable, enabling policy prioritization based on usage frequency and facilitating verification of traffic alignment with newly created policies. Furthermore, implementing 2FA for SSL VPN users was a straightforward process, notably without the need for additional costs, unlike the FortiTokens required for our primary SSL VPN.

Additionally, the quick and seamless option to revert to a previous configuration revision is highly valuable. The logs tab serves as a helpful tool for troubleshooting. 

It's worth noting that we've experienced no CPU or memory issues, and the system is highly responsive.

The only downside is that we are not able to have redundant VPN tunnels with our cloud environments. We tried many guides suggested by the CheckMates community and have not been able to easily capture packets in a PCAP file as we used to do with the ASDM Packet Capture Wizard.

Finally, in the past year, we faced severe downtime that lasted many days due to a misconfiguration. Support wasn't able to detect it. We are allowed to add an automatic NAT in an object and install it in all three virtual firewalls that we have. I cannot imagine a real case that needs this option. This option should be totally removed. 

The destination MAC address for this object was flapping between the three virtual MAC addresses of the FW leading to a packet loss in our service up to 30%. Our manager found the root cause at the end.

I've used the solution for three to four years.

In the past four years that we have had Check Point, we haven't faced any stability issues. It is a stable solution.

Our cluster is oversized for our needs so we haven't reached any system limits in order to face an issue or at least observe its behavior. Our solution covers our current needs and can easily handle any additional load.

Technical support is average. From my last experience, it was my manager who found the root cause of the downtime. 

Positive

As noted earlier, our transition to this solution marked a shift from our previous Cisco ASA Cluster setup. Check Point's prominent position in the network industry and the compelling price point offered made it too appealing to overlook.

The initial setup and the configuration migration were done by an integrator who specializes in such migrations. It was complex enough yet very well-planned and organized.

The implementation was done by a very qualified vendor team.

Since I am in the engineering department, I can't evaluate the actual income or costs of handling our production traffic with this solution.

I'm not sure what was evaluated. It depends on the company's unique existing infrastructure and needs.

We evaluated offers for Cisco, Fortinet, and Palo Alto solutions.

We use Check Point Next Generation Firewall both as a perimeter firewall and as an internal firewall. 

For customers, we recommend using the open platform, which is the software installed on your own server. We usually find that you get a lot more performance out of the software that way. Also, a lot of energy companies use it as well.

Check Point Next Generation Firewall helps us with routing failover, setting up a web dashboard for better management of the platform, and ensuring the stability and availability of our firewalls with its backup features.

The price point is good. You get a lot more features for the cost. How it's bundled and packaged is very simple to order. All the features are bundled with the product, and it's just a matter of checking a box to turn it on or off. 

Performance is usually better on OpenServers, where we provide the server on the Check Point platform.

The operating system and platform could be more tightly integrated. Some features are better done on the OS side of the platform. Integrating all features into one dashboard should avoid switching between the new and old dashboards.

Check Point Next Generation Firewall is quite stable. For features like backup and data, I would rate it highly.

Check Point Next Generation Firewall offers excellent scalability. With OpenServer, it's just a matter of purchasing licenses that enable more CPUs to be used. We can increase the RAM on the box and allow for more network traffic and customers onto our platform.

The support is great. I usually get it online and it meets our needs effectively.

Positive

Setup is easy. I would give it an eight out of ten.

The pricing is fair and more competitive than many competitors. On a scale of one to ten, with ten being the most expensive, I would rate it around a three in its category.

Cisco does not support SSL inspection, and its detection capabilities are limited. I would say Check Point is comparable with Palo Alto in terms of features and detection capabilities.

I would recommend Check Point Next Generation Firewall because of its detection capabilities, which ensure protection by identifying malicious files and suspicious activities. The price point is also lower compared to Palo Alto for the same features.

I'd rate the solution nine out of ten.

We use it for safeguarding our office network on a routine basis. These firewalls protect against external threats, manage VPN access for remote users, and address various security scenarios. Our primary focus involves malware prevention, intrusion detection, and ensuring robust security measures to shield our office network from potential cyber threats originating from the internet. It serves as a traditional yet effective security system, providing comprehensive protection against hackers and potential risks associated with internet usage.

It provides a comprehensive and scalable security solution. With features like nanosecurity, cloud integration, and multi-domain management, they address the diverse security needs of businesses, from small enterprises to large corporations. It excels in malware prevention, utilizing features like fan black pattern and vulnerability-driven detection, ensuring comprehensive security against evolving threats.  It boasts an Infinity architecture, offering a multitude of features tailored to enterprise needs. The integration with AWS and Google Cloud, safeguarding cloud servers and networks. The Multi-Domain Management feature enables centralized control across on-premises and cloud environments, streamlining security management.

There is room for enhancement in the support system in India. Given the burgeoning market and the growing reliance on security solutions, focusing on strengthening support and implementation infrastructure would be beneficial. This could involve increased training programs to equip professionals with the necessary skills to understand and effectively implement Check Point technologies. Its scalability capabilities should be improved.

It's an exceptionally stable tool. I would rate it nine out of ten.

Scaling up is quite restricted, and the scalability needs improvement. It should be a multi-tiered and robust solution. Currently, there is a gap in the ability to seamlessly scale within the same series. I would rate it seven out of ten.

Technical support in India is lacking, and there's a clear need for improvement. There's a high reliance on third-party support, which needs to be addressed. The current rating would be around five on a scale of one to ten.

Neutral

The implementation process is generally straightforward and basic, taking around one to one and a half hours. However, if there's a need for the creation of numerous VLANs and policies, it might extend over several days.

It comes with a significant price. The cost of the six thousand six hundred models was approximately thirty-eight lakhs. Although the cost may be higher, the reliability and functionality it offers are well worth the investment. I would rate it ten out of ten.

I consider it a top leader in security, and I highly recommend it. Overall, I would rate it eight out of ten.

Our company undertook a network transformation and instead of implementing a separate IPS solution, we've opted for the NGFW of Check Point. We've leveraged the different security blades available in the Check Point NGFW. Besides the IPS blade, we've also leveraged the anti-malware threat intelligence blades for our gateways, especially for the perimeter. 

We've also enabled the IPS blade for our remote offices as part of the additional security layer for our smaller international offices and used both the IPS and anti-malware for our bigger offices. 

We've managed to reduce the CAPEX cost of the network transformation when we leveraged the versatility of the Check Point NGFW solution. 

Instead of purchasing separate solutions for the IPS, anti-malware, and threat intelligence, the security blades of the Check Point NGFW were just enabled. 

The software subscription cost is already included in the annual software and hardware maintenance cost which made the solution more cost-effective than having separate solutions wherein we need to maintain a separate subscription for each. 

Besides the basic firewall feature of the Check Point NGFW, we find the IPS and anti-malware security blades to be most valuable for our current implementation.

The IPS and anti-malware solutions have successfully identified and blocked potential threats from our perimeter. 

Though we are also using threat intelligence, we see more validation of the successful use of the IPS an anti-malware. 

The successful performance of the security blades has shown the value of the investment along with the comparable success of leveraging the NGFW over a separate specialized security solution. 

Overall, we are satisfied with the performance of the NGFW both from the functional and operational perspective. The solution has been proven effective in detecting and blocking potential and intentional threats to the company's internal network without impacting the performance of the appliance. 

What can be improved though is the capability of providing an executive summary report that can highlight the performance and operational effectiveness of the implemented security solution. The current reporting capability needs to be parsed and edited to be appreciated by leadership.

We've been using Check Point NGFW for more than 4 four years.

Check Point NGFW has been very stable and very rarely do we encounter any performance issues due to hardware or software issues. 

The solution is very scalable and easy to manage.

Customer service and support are very responsive, and we get quick and fairly consistent turnaround times for the resolution. 

Positive

We previously used Cisco Firepower, however, we were not satisfied with its performance both functional and operational. 

The initial setup was straightforward since the deployment is just the typical high-availability active standby implementation. 

We implement through a vendor team. The vendor team is very competent and has consistently displayed their expertise in the technology. 

Unfortunately, our team does not have visibility on the ROI.

If the implementation would require multiple gateways, consider leveraging the Infinity Total Protection. 

We no longer evaluated other options. 

We use Check Point Quantum Network Gateways for all our on-site firewalls. It protects the network edge, network core, data center, and our AWS direct connect. 

We are a payment facilitator and security is one of our core requirements. 

We have implemented VSX which enabled us to reduce the hardware footprint. 

We have implemented 6700NGFW, 6600NGFW, and 6400NGFW in different network segments. We have enabled basic firewall, ClusterXL, and IPS licensing. 

Due to the nature of the traffic, we do not use Application Control or URL Filtering.

With our previous firewall solution, we had no automated compliance tools. Now, with the Check Point Quantum Network Gateways, we have the ability to automate compliance reports for both GDPR and PCI3.2, and by using VSX (Virtual System Extension) we have reduced our data center footprint. This will lead us to become a more sustainable organization. 

We have found the central management (Smart Console) to be very helpful in managing all the firewalls and keeping the software/hotfix versions up to date.

By implementing VSX (Virtual System Extension), we were able to reduce our hardware footprint, reducing both direct and indirect costs. This also enables us to quickly scale up or down to meet business needs.

We have also found that the Intrusion Prevention System implemented on Check Point Quantum Network Gateways is robust, efficient, and very easy to implement. Being able to add it later as a software feature is a real boon. The customization options enabled us to zero in on our specific use case.

Due to our unique environment, we have to implement BGP on our firewalls, and the way that BGP is implemented on Check Point Quantum Network Gateways is not intuitive and requires additional custom configuration. This caused a significant delay in our migration. The way that NAT is implemented was also not intuitive and required additional custom configuration.

We have also run into an interface expansion limitation, and thus it would be helpful if products lower in the stack would offer more interface expansion options.

The solution has been in use for one year.

During the first year of operation, we have seen 100% up-time.

Due to the VSX implementation, I would conclude that it is highly scalable.

Customer service and support from the vendor have been excellent. They have assisted in communicating issues back to Check Point and the subsequent response from Check Point has been very good.

Positive

We used Cisco ASA 5500 series firewalls, but these have reached the end of life and needed to be replaced.

The initial setup and migration was complex and we had a vendor team assisting.

The expertise of the vendor team is excellent; I'd rate their services nine out of ten.

It is important to carefully consider your needs. Additional features can be activated easily - for additional licensing costs. However, opting for extended licensing can provide cost savings through discounts.

In looking at replacing the existing firewalls we considered Cisco, Palo Alto, and Check Point. 

Check Point Quantum Network Gateways offered us a more favorable price point without compromising on functionality.

The solution is used for edge and interior firewalls. We use large-scale Check Points for our edge and have them set up in an active/passive cluster. For our internal firewalls at the remote sites, we use a virtual firewall for the OT DMZ, and then behind this virtual firewall, we have a physical appliance for the actual OT network. This allows us to fully secure the critical network yet still allow access via jump hosts or other remote management that we have approved. It also gives us excellent control over any north/south traffic.

Check Points is probably not the easiest or cheapest solution to use, however, we have never had any issues with their security and the technical issues we have had with them are few and far between. 

Most support calls for us are centered around how to best deploy a feature or why something is being blocked by a certain blade. This is one of the main reasons we continue to use them as they provide proven security for my company and the built-in blades generally always provide a benefit for us.

The central management and logging are frankly one of the top selling points. 

The actual management is perhaps a little confusing for a newcomer to Check Point - however, does not take very long to learn the basic ins and outs of. 

The logging capability of Check Point is excellent and very rarely have we wanted more. The logging is very fast and easy to use, and this makes finding items across all 80+ firewalls very easy. 

It is also easy to export all logs to our MSP since it is from a central point. The other built-in features are also helpful as it eliminates the need for some extra security appliances.

Lately, Check Point seems to be pushing new products too early. We have evaluated a few we thought may be useful to us yet were just not ready for enterprise use. Every company goes through this so hopefully, they will slow down and get the products up to speed and working better before trying to bring them to market. 

The current products that have been around for more than a few years generally do not suffer from this issue, however, their documentation does lag severely when a command changes or says the way to configure it changes. Support generally is up to date, but the KB articles are not always this way.

I've used the solution for 18 years at my current company, and another four at my previous company.

The stability is excellent.

Scalability is excellent, especially the newer products.

The technical support is mostly good. Their Tier 2 and higher engineers are excellent. Like any call center, however, their Tier 1 can be hit or miss. We use a third party for front line support so mostly never encounter anything less than Tier 3 since the only issues that get directed to actual Check Point support are already vetted out.

Positive

We used SonicWall. We switched due to wanting a more enterprise-quality product and previous experience.

The setup is complex, however, we knew this from the start so it was not unexpected.

We set up the solution mostly in-house. However, we were experienced with Check Point installs.

I have no visibility on ROI.

If new to Check Point, get pro services to help deploy it - especially if it is an advanced config. This will save huge amounts of time and grief. Once you have experience, pro services are generally not needed unless, again, you have no experience in that area.

We did not evaluate other options. 

It offers a range of models to enhance network security and it can be customized to secure endpoint client machines or user devices by deploying features like malware detection, antivirus, and mail security blades. Its integration with a web application firewall provides added protection.

Check Point's architecture is three-fold, comprising the firewall, management server, and dashboard. The dashboard provides a comprehensive view of the network and security status, enabling identification and isolation of problematic devices, performing tasks like patch updates, and monitoring logs. It provides configured automated alerts via email or notifications on mobile devices, ensuring you're informed of any threats, even during non-business hours. Another vital function is the ability to offer VPN services. This enables end users and mobile or remote workers to securely access the network from anywhere globally.

There is a strong demand for security services that can be effortlessly integrated which would ensure that security measures can seamlessly adapt to the cloud infrastructure.

I have been working with it for eight years.

It is a highly reliable tool. I would rate its stability capabilities nine out of ten.

Check Point NGFW is a highly scalable solution that can be tailored to the unique needs and infrastructure of each customer. For instance, if a customer needs to secure multiple zones, they can opt for multiple firewalls. They can consolidate their network onto a single firewall by creating virtual interfaces based on VLANs. The firewall's capability to handle network traffic becomes a crucial consideration, especially when dealing with larger user bases and higher traffic volumes. In such cases, deploying multiple firewalls in a high-availability configuration becomes essential.

The initial setup was easy. I would rate it nine out of ten.

I have hands-on experience working in various environments, including on-premises, private clouds, hybrid setups that combine both private and public clouds (e.g., AWS, Google Cloud, Oracle Cloud), and purely public cloud deployments. While the technical interfaces and options may differ slightly between these environments, the core concepts, such as Security Event and Management (SEM), remain consistent. For instance, the Virtual Private Cloud (VPC) configurations in Google Cloud are similar to those in AWS. Network components like instances and Access Control Lists (ACLs) share common principles across platforms. The key to successfully implementing it lies in understanding the specific needs of each client's business and aligning our solutions accordingly. We can leverage technology and services to meet their requirements effectively. It's worth emphasizing that the adaptability of our approach is central to achieving our clients' objectives. When starting a project, we typically initiate a POC and conduct thorough pre-checks to assess the network's specific needs. In cases where clients want to transition from legacy firewalls like Cisco ASA or Palo Alto to modern Next-Generation Firewalls like Check Point Firewall, we carefully examine their existing configurations. This allows us to manipulate and adapt the configurations to suit Check Point's requirements. The timeline for these processes can vary. For entirely new environments, which involve documentation, design, and diagram creation, it may take anywhere from 15 days to one month at most.

The pricing falls in the middle, meaning it's neither cheap nor expensive. I would rate it five out of ten.

Before opting for this solution, it is crucial to assess the customer's existing environment, including the number of users, traffic patterns, applications in use, and bandwidth utilization. It is an excellent choice and I would encourage others to consider using it for their security needs. I would rate it nine out of ten.

We use Check Point Next-Generation Firewall as a perimeter firewall. This means that all incoming and outgoing traffic from our premises is routed through the Check Point firewall. Within our configuration, we have activated several security features and licenses, including the firewall itself, site-to-site VPN functionality, application and URL filtering, Identity Awareness, threat simulation, and anti-bot protection. Additionally, we possess the license for the NGpX version, which includes extraction capabilities.

With our previous firewall solution from a different vendor, we were limited to basic firewall functionality without features like IPS and content filtering. With the implementation of Check Point firewall, we got a comprehensive set of features that enables us to gain clear visibility into how our applications behave and which areas we have control over. It allows us to monitor and manage application usage effectively while allowing us to filter and enforce rules in accordance with our organization's security policies.

The most invaluable features we have are content filtering and application control. These features operate seamlessly, thanks to the integration of Identity Awareness. Through Identity Awareness, we established a connection with our internal LDAP server, which enables us to exercise complete control over user access. We can precisely determine who has access rights and who is granted permission, regardless of their connection point.

We implemented our firewall in a clustered configuration with two gateways. We faced some limitations with the Security Management Server (SMS) application. The SMS functionality is restricted as it only supports specific deployment modes on virtualization environments like Microsoft Hyper-V and VMware ESX and Open Server mode. Our organization utilizes a different virtualization setup, and we couldn't obtain assurance from the vendor that they would provide support if we deviated from their recommended deployment methods. That is why we had to deploy the SMS on a separate server, which introduced additional complexity. Improvement regarding the expansion of the SMS's compatibility to include various virtualization environments would be beneficial. Also, when attempting to enable SSL offloading mode, we faced functionality issues. This feature should be enhanced to ensure seamless SSL offloading, without negatively impacting the core functionalities such as HTTPS and content filtering.

I have been working with it for more than three years.

Its stability capabilities are impressive. We have not encountered any issues. I would rate it nine out of ten.

The scalability is relatively good, especially when considering its database capabilities. Our physical gateway hardware can comfortably handle up to nine units. When it comes to the monitoring appliance, such as the Check Point SMS (Security Management Server), it requires substantial resources. Due to limitations with supported virtual environments, we encountered challenges in expanding its capacity. I would rate its scalability 6 out of 10 since there is room for improvement in this area.

We chose the Pro Support option, which has allowed us to automate many of the Security as a Service (SaaS) functions. This means that whenever there's an error in the gateways' flow, an SR (Service Request) is automatically generated and promptly communicated. The support provided has been exceptionally efficient, with quick and responsive assistance. I would rate it nine out of ten.

Positive

We previously used the Cisco ASA 5525X version, but we found that its management and performance capabilities were distinct. Cisco retired some of its features, and the replacement version offered came at a higher cost for the features it provided. Consequently, we decided to transition to Check Point, which offered us a more favorable price point without compromising on functionality.

The initial setup was easy. I would rate it eight out of ten.

The deployment process took approximately a week and a half, and about half of the challenges we faced were related to the physical connectivity issues on our end. Despite those hurdles, the deployment timeline remained relatively swift. One critical aspect for anyone planning to deploy this solution is to thoroughly understand where it fits within the network architecture and how it should be physically connected. This is especially important when implementing clustering, as the physical connectivity can become intricate. It's essential to consider high availability and compatibility with other devices it will connect to, such as core switches or perimeter routers. Ensuring that these devices support the desired failover and reliability modes is key to avoiding complications. The duration of the deployment also depends on the expertise of the person responsible for it. In our case, we opted for professional services, which included on-site configuration support. If the person handling the deployment is familiar with the surrounding devices and network environment, one individual may suffice. If there are connections to devices from different vendors, and the configuring expert lacks expertise in those areas, I would advise involving additional personnel with the relevant expertise to ensure a smooth deployment process.

It may be considered relatively expensive, but the investment is justified when compared to other competitors. Check Point's functionality and capabilities are notably strong. The cost of licensing can vary based on the prevailing exchange rates. In our case, we paid for the renewal in our local currency, but on average, it amounts to approximately $32,000 USD annually. I would rate it eight out of ten.

It is highly commendable for its stability and performance. When deciding on the appropriate licensing option, it's important to carefully consider your needs. Opting for two-year or five-year licenses can provide cost savings through discounts. After it is deployed, those with experience using other next-generation firewalls will find it relatively straightforward to manage. It doesn't require significant additional effort, and users with a basic understanding of next-generation firewall features can navigate through the management and rule settings easily. I would rate it eight out of ten.