Our primary use case for Check Point NGFW is as our internal firewall within the datacenter to route traffic within it as well establishing our rulebase for part of our datacenter.
We have also implemented some other nodes as ICAP servers only. They have been a great replacement even though the installation was not the easiest.
They are the last line of defense (or first depending on how you look at it) within our perimeter and are therefore a critical part of our system within the company.
Check Point NGFW have been a real rock in terms of reliability (except for Identity Awareness) and we have not had any issues in terms of CPU or memory usage as our model might have been overkill with how well it is able to process traffic and how easy and unimpactful it is when adding new blades to manage this traffic
One ability that Check Point has is that it is the first to provide us with the ability to use identities instead of using the traditional IP-based format, which allows way more flexibility in what we can do with the rule base.
Identity Awareness has been an absolute gamechanger in how we've been able to create rules within the company. It allows us to give access to certain resources in very specific ways that were not possible before.
The SmartConsole is a very powerful interface compared to many other competiting products, which allows us to seamlessly go from watching logs, to modifying the rule base and easily find what objects are used where or even check which logs are linked to a specific rule
Logs are very well parsed when sent to Splunk.
Identity Awareness has been a massive source of problems for our deployment and the ability to debug it has been lacking.
The VPN setup is definitely way harder than it should be. The wizard or anything surrounding it doesn't allow for a quick setup without having to read documentation or actually getting a project with an external company
Our gateways have not felt like a day older than when we first got them, on the other hand, our physical management server Smart-1 has been definitely showing its age as it is sometimes quite long to do anything on SmartConsole when it decides to act up.
I have been using Check Point since joining my current workplace - about 4 years ago.
In 4 years, we've only really had one big incident with availability that was due to a faulty network card, which was changed quickly once diagnosed.
Since we chose a model larger than our needs, we aren't looking for a scalable solution.
Customer service and support have been a bit hit or miss and it takes a while for escalation to happen, however, once it does happen, you get proper support right away.
Neutral
I was not present within the company when it was decided to switch from one solution to another, and actually our previous solution was Check Point as well - and it was just reaching its end of support.
I did not participate in the setup.
We used a vendor team along with our in-house team.
I would need to compare it with other solutions used in our environment, which I haven't done.
I'd advise users to only choose blades when they are absolutely necessary - unless getting a good deal with a package.
As mentioned, we switched from Check Point to Check Point.
For the Identity Awareness setup, try to follow Check Point guidelines from the start as it is really capricious and hard to debug.
Check Point firewalls are/were deployed in various parts of our network to achieve perimeter defense and internal network segmentation.
In addition to the firewall functionality, each appliance also leveraged Check Point's IPS blades. The perimeter Check Point appliances were also responsible for terminating any and all site-to-site VPN connections with third parties.
All traffic from remote locations, remote VPN users, and egress traffic to the internet is filtered through the Check Point equipment at some point in our network.
Check Point has not improved our organization. We have observed a sharp decline in the quality of both products and support.
Over the last several years, there has not been a single week where we have not had an outstanding issue open with Check Point support's advanced tier teams.
Initially, we had incredibly impactful issues regarding their scalable platform hardware (which is being discontinued in favor of Maestro) to the point we were forced to rip them out due to them being completely unreliable.
Check Point support has also seen a significant drop in quality, despite my organization even being a Diamond Support customer with Check Point. We fully believe it would be a wiser investment of time to call Geek Squad rather than Check Point.
The only area that Check Point still seems to excel in is their logging. Reviewing logs on Check Point is a snappy and intuitive process that allows the end-user to filter down traffic to specifically what they're looking for very easily and even with little knowledge of Check Point.
The ability to create filters on the fly in the GUI with simple clicks to various areas of the log is fantastic and allows one to find exactly what they're looking for with very little effort. Note that this is probably the only thing Check Point still has going for it.
Check Point's support, at all levels, needs a complete overhaul. The Check Point support staff aren't even shy about telling you how understaffed, underpaid, and underappreciated they are. Any engineer with a hint of talent is pulled from general support to higher tiers, and then, once they reach a level of competency above that of your average acorn, they leave for better-paying jobs elsewhere.
My organization witnessed this first hand fighting through the lower tiers of support and working frequently with the scalable platform team. When we switched to Diamond Support we saw no significant improvement in support save for shorter hold times.
I have personally used Check Point solutions for nearly ten years. My organization has used Check Point for 15+ years.
The solution is absolutely unstable. My organization follows vendor best practices exactly and has every deployment vetted by multiple levels within the vendor. Despite this, Check Point hardware has repeatedly proved unreliable at best, sometimes resulting in total outages for our company.
My current organization has used Check Point for the relevant past and is only recently completely switching vendors to Palo Alto.
All current Check Point hardware is destined for the recycle bin. There is a pretty low ROI.
Most firewall vendors, Check Point included, make the selection of hardware easy enough based on projected usage. Likewise setup on many vendors in greenfield environments is simple enough and should not require professional services.
I was not involved with the initial deployment of Check Point in our environment as it was before my time. However, each subsequent deployment I have been involved in with Check Point was used based on the existing relationship. Once the issues became too impactful and we realized we had no hope of seeing any improvements we began efforts to rip out the existing Check Point equipment.
Do not let Check Point's past success lure you into their current state of bottom of the barrel.
Currently, I'm working as a Lead Security Architect in the healthcare industry. We have two data centers, multiple branch offices, multiple cloud subscriptions, and over 200 employees. Our operation is mission-critical and requires it to be up and running 24/7. We need to protect multiple applications that are developed in-house, sensitive data including PHI, Financial, intellectual property, et cetera.
Check Point NGFW and its security modules have been our security solution for the past six years to protect all of our assets, including our cloud subscriptions.
Check Point Next Generation Firewalls are key components in protecting our assets and information. Their security modules are very easy to use and understand. Also, it's one of the most user-friendly interfaces I’ve had the opportunity to use and I’ve had the chance to work with more than four firewall solutions.
Their reporting and logs modules are amazing. It provides a level of detail and visibility that we haven't had before. It’s useful to understand what is happening on our network and has been very successful in blocking attacks and providing options for executive summaries.
Being able to manage all the security gateways for our multiple sites in a single management console and share policies has been very beneficial.
The Remote Access VPN has been crucial to us, especially during this pandemic. We had to be on lockdown for a couple of months and being able to deploy a remote workforce with Check Point VPN was a crucial part of our business continuity strategy.
The logs and reporting are very easy to use and manage. Also, the IPS and IDS are critical components to keeping our network secure. They are very easy to configure and there are multiple templates that can be used out of the box that provides maximum protection to our network.
The support offers the best services I have experienced. It's better than any other IT vendor.
Check Point Firewalls haven't failed me during the past six years that I have been using them.
If I had to mention anything that I would like to see some improvement on, it’s on the internet load balancing options. Internet load balancing provides either active/passive or active/active load balancing, however, I would like to see more options that provide SD-WAN capabilities while also allowing for more than two links. I know this can be performed with other network devices, however, adding the option as part of the NGFW would be awesome.
I have been using Check Point for 6 years now.
I've never had a single issue on any of my security gateways.
I haven't had the opportunity to scale, however, I have seen many demos of maestro architecture, and it looks awesome.
As I mentioned before, Check Point support is one of the best services from any IT vendor I have experienced. They answer very quickly and also provide solutions most of the time within the first call.
I have used multiple solutions in the past. We migrated from Cisco ASA to Check Point six years ago and have never looked back. Our old ASA required additional hardware components for additional security services.
The product is very easy to set up.
The implementation was performed by a vendor team in combination with our in-house security team.
My peace of mind is the ROI.
Check Point is not the cheapest firewall solution, but you get what you pay for. It's super reliable and their service is great.
I had the opportunity to review Palo Alto and Fortinet.
I'd advise other users to give it a try.
We use it as a firewall solution with built-in VPN capabilities, anti-virus, and malware detection. It has good blocking abilities and is easy to set up and maintain.
They allow VOIP traffic to pass through the firewall as well to onsite PBXes. The firewalls themselves are for SMB environments, with between five and 25 users at different sites and in different states.
Employees regularly work from home, so a VPN solution is a necessity to allow for remote file shares and or/remote desktop through a encrypted VPN tunnel.
With the added ability to have multiple VPN methods to connect, the solution has worked well for remote workers who are either utilizing the Check Point VPN client or the SSL VPN web client.
The throughput with full threat detection is adequate for the Internet circuit installed at most of the client locations and is in fact better than the previous firewall solution.
The support has been great whenever Check Point has been contacted. They help resolve an issue or explain how to perform some necessary action.
For the most part, the NGFW is easy to understand and set up and there are, of course, advanced options if a non-standard problem arises.
The reporting feature has been helpful to get a quick understanding of network traffic and threats identified. Even if a false positive is identified, it's been helpful to perform more of a deep dive into what triggered the detection and to certify that there is a problem or that there isn't a problem.
Anti-virus and anti-malware on the NGFW device have been pretty solid and have caught many threats before they entered the network.
The event logs are relatively informative and can provide information on why traffic was accepted or rejected.
Geo-blocking would be very useful. There are too many attempts to infiltrate by non-country users. I can block access by IP address or IP network, however, a country-level blocking would be more useful and much quicker to implement.
It would also be nice to have a smaller home user device that could automatically contact the main firewall and establish a VPN connection. This would be great for remote users to secure their work PC at home.
On the front page of the appliance, it lists current threats identified. It would be helpful if clicking on the threat took you to the exact logs instead of showing all host logs as you still have to scroll through the host logs to find the information you are looking for.
I have been using Check Point since 2016. It's been a little over five years.
We've had very few issues; the builds themselves haven't had any issues.
The solution is very scalable; Check Point has a variety of NGSW devices that can scale with the user base.
Support is excellent, quick to respond, and quick to provide a resolution to any problem.
Positive
We used Watchguard. We switched due to the threat protection and we felt that Check Point did a better job of providing protection.
The initial setup is straightforward and plug and play for a basic configuration to get you started. You can then begin building the NAT and policy rules, which are easy enough to do.
We implemented the solution in-house.
The malware blocking capabilities more than paid for the cost of the device and license.
I'd advise users to size their appliance correctly before purchasing it.
We did not evaluate other options.
Our company works in developing and delivering online gambling platforms. The Check Point NGFWs are the core security solution we use to protect our DataCenter environment located in Asia (Taiwan). The environment has about ~50 physical servers as virtualization hosts, and we have two HA Clusters consist of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. The Clusters serve as firewalls for both inter-VLAN and external traffic.
The overall security of the environment has been greatly improved by the Check Point NGFWs. Before implementing this solution we have to rely on the Cisco ACLs and Zone-Based firewall that we had configured on switches and routers, which in fact a simple stateful firewall, and currently not an efficient for protecting from advanced threats. The Check Point NGFWs brought up the security level with the help of the advanced software blades - we use Application Control, URL Filtering, IPS, Anti-Bot, and Antivirus. The setup was simple, and the performance is great - we have significant resources to expand the environment in the future without disabling any blades and thus maintaining the security on the same, high level.
1. Advanced logging capabilities - our support team on duty constantly monitors the security logs in the SmartConsole, and notifies the security team in case of major alerts.
2. Advanced networking and routing features - we use Proxy ARP to announced virtual IPs to ISP and bing domain names to it; BGP for dynamic routing over IPSec VPN tunnels to other environments, and Policy-Based Routing for connecting to two ISPs.
3. The new Policy Layers feature for building up the Access Control policy - the rules are now more understandable and efficient.
The pricing for the Check Point products should be reconsidered - we found it to be quite expensive to purchase and to maintain (the licenses and the support services need to be prolonged regularly).
We also had several support cases opened for software issues (e.g. unstable BGP sessions over VPN tunnels), which, in our opinion, took too long to resolve - up to one month.
Also, even so, the new SmartConsole is declared to be unified starting from version R80.10, there are still some features that have to be configured in the old SmartDashboard (e.g. Mobile Access policy and Antivirus), or on the Gaia OS level (all the routing features).
We have been using the Check Point Next-Generation Firewalls for about 3 years, starting from late 2017.
In general, the solution is stable, but we still have had some support cases opened and have to install the JumboHotfixes on a regular basis to fix the minor bugs. Please note that the current version of the software we use - R80.10 - is not the latest one (R80.40).
The solution is scalable - we use the Active-Standby Clusters, but could switch to Active-Active and add additional Gateway nodes if needed.
We have had several support cases opened. Some of the were resolved by installing the latest recommended JumoHotfix, some required additional configuration on OS kernel level (e.g. TCP MSS clamping). The longest issue took about one month to be resolved, which we consider too long.
We relied on the ACLs and Zone-Based firewalls of the Cisco switches and firewalls, which doesn't provide sufficient security protection against the modern advanced threats.
The equipment has been delivered on time, without delays. The setup was straightforward. The configuration was easy and understandable.
In-house team - we have a Check Point Certified engineer.
Use the Check Point Performance Sizing Utility to measure and estimate the hardware needed to purchase for your environment.
The primary use case for these firewalls is to protect our perimeter from unwanted traffic in and out of our network as well as to control the flow of data to comply with our company security policies.
It also plays an integral part in restricting or granting access at a granular level for certain users or vendors allowing us to monitor and protect end-customer data as well as protecting our users and network from malware, bots, ransomware and other bad actors that could disrupt our business operations.
Check Point NGFW products have improved the operation of our organization by allowing us to secure our perimeter from attacks, probes, malware, DDoS, bots and general bad actors. It also allows us to secure outbound traffic from our users.
It allows us to fine tune how we allow users to access resources both in our DMZ and externally. This helps us to secure customer and user data in order to prevent privacy issues, prevent loss of operations or downtime which we cannot accept.
Being able to use the products in redundant pairs has also allowed us to provide a more stable network.
There are several useful features that we utilize that are now valuable assets in terms of protecting the network. These would include user identification (ID Collector), IPS, antibot, antivirus, application, and URL filtering as well as the standard firewall security rules. They all work together to provide layers of security to protect both inbound and outbound traffic in order to minimize loss of private data as well as to ensure our network is free of bad actors attempting to use malware or ransomware against us.
Check Point could improve its products by working on stability. Overall, it is a stable platform, however, at times we have issues with 'quirks' and bugs that cause issues for our end users and typically are not straightforward to fix.
Another issue that presents itself is upgrading. Small hot fixes are not problematic. That said, updating to a new version of the OS has been an absolute nightmare and caused significant downtime and a number of issues - not to mention wasted engineering time. Simplify the upgrade process and they may regain confidence in this area!
I'd like to see more use of applications and URLs in security policies moving forwards.
I've worked with the solution for seven years across two different companies.
The stability is good, yet it could use some improvement.
The scalability is very good.
It has always been slow and difficult to use technical support. It depends on a case-by-case basis, however, you have to chase and manage the case yourself or it will go nowhere. This likely comes down to a lack of experienced agents.
Neutral
We previously used Cisco ASA. We switched due to the fact that Cisco's product was very hard to manage and lacked any real intelligence.
The initial setup is complex. A very large and multifaceted environment will always be complex to configure.
We used vendor support and account teams and in-house technical engineering.
It's expensive, however, compared to the cost of not protecting the network properly, it's worth the cost.
We looked at Palo Alto, Fortinet, and Cisco.
Carefully consider the vendor before making a leap. It's very difficult and costly to change vendors at a later date.
We use Check Point's firewall to provide network security to our organization as well as to other, third-party vendors.
The Check Point firewall is providing advanced-level security. Compared to before, our company is more secure now. It is not only securing the users working within the LAN environment, but also to the end-users or remote users in the company.
The most valuable features are its
The central management makes it easier, and is a time-saver, when implementing changes. We can do all the changes within Check Point and not use any third-party device.
The antivirus Check Point offers could be better when compared to competitors' firewalls. Updates should be more frequent. With other firewalls, updates are very frequent, but with Check Point updates are not so frequent. That needs to be improved.
Also, the certification as well as learning about this Check Point is much costlier when compared to the other firewalls. I have recently done certifications in various firewalls and Check Point's certification was more costly.
I have been using Check Point's NGFW for the last six years.
The Check Point firewall is very stable. It is one of the oldest firewalls in the market. It has all the advanced features, according to the security features we have. It's quite a stable firewall.
It is very good and scalable. We have recently expanded the usage of Check Point and it was not a very tough process to scale this firewall.
Right now it's protecting around 3,000-plus employees.
It has been a very good experience every time we call Check Point. We usually get them on a phone call and they are very informative people. They always provide us the solution.
We had another solution. We switched because Check Point gave us more advanced features and there was market demand for network security.
The initial setup was a little complex. The training from Check Point should be increased. It was a little complex, but with the help of their TAC and the help of other engineers, we installed it.
The deployment has taken about eight months. We have deployed it in a three-way architecture. We have installed a security gateway, an SMS (security management system) and we have installed the console.
We have a team of four people, all network engineers, for deployment and maintenance of the solution. We take care of all the firewalls for the organization, including Check Point's.
We had help from a Check Point integrator. It was a good experience. They were very helpful.
We are happy with our investment in Check Point's firewall. Per our standards, and for our environment, it is a very good firewall. It is protecting us well.
Pricing is a little high compared to competitive firewalls, but it is easy to go through the licensing steps.
We evaluated other options, including Cisco ASA. The difference was that Check Point provides advanced features, such as threat prevention and antivirus. Apart from those, it also provides us with IPS. Also, for Cisco ASA, we had to take extra services to install it, so we went for Check Point.
Make sure you get good training on Check Point's firewall, and it would be good if you have working experience on the device.
Using Check Point, I have learned that we need to serve our remote users as well, and Check Point is a firewall which is capable of doing that.
We use this product for providing perimeter security, as well as advanced threat protection capabilities to critical infrastructure. The solution is expected to deliver high-performance throughput for voluminous traffic continuously.
We are using these gateways for multiple functionalities such as:
All of our solutions are expected to run in high availability and have good resiliency.
Check Point NGFW is the first perimeter security solution used in our environment and it is able to deliver the expected results. Specifically, it supports high-performance throughput for voluminous traffic.
The vendor has proven capability of identifying known threats, which can be seen while managing the firewall. The OEM has identified a roadmap in line with the emerging threat landscape and evolves the product to counter these threats.
The central management console has helped with segregation, where planned interventions with management consoles do not have any impact on production or critical business traffic.
Next-Generation Threat Prevention capabilities provide security in a high-traffic load, ensuring detection and prevention of known threats by AME, AV, and Sandblast technologies.
We are also using the system to create VPN gateways for our multiple partners and we haven't faced any issues with them.
Check Point gateways are a stable product that can run without any issues until a major upgrade or vulnerability mitigation is required.
The support has been reasonable and they were able to minimize the impact during critical incidents.
There is a scope of improvement in detecting zero-day threats using the SandBlast technology, by introducing emulation of Linux-based operating systems. We have also observed issues while using the products with SSL decryption.
There is room for improvement in application-based filtering, as with other firewalls available in the market today. Check Point has improved its application filtering capabilities in the recent past and their latest version, R80, is more capable but still, creating an application-based filter policy is a little cumbersome.
We have been using the Check Point NGFW for the past four years.
This solution is very much stable and does not require frequent changes in architecture. The patch frequency is limited, which reduces the downtime requirements.
This NGFW is very much scalable; however, I am not sure about other components such as PTC, etc.
Technical support is a mixed experience. Most of the time, issues are handled well in a timely manner but some issues have lingered for a very long time, causing multiple iterations.
We did not use another similar solution prior to this one.
As we use a lot of components from Check Point, the setup was a little complex in terms of deployment and traffic handling.
We had assistance from the vendor's professional services team to ensure smooth deployment. It was a green field project so the deployment was easy. The team deployed on implementation had expertise with the solution.
The ROI for security is the confidence that the solution is able to deliver the expected outcome. This includes stability, Threat Prevention capabilities, Granular policies, etc.
Licensing is pretty straightforward and is based on the blades available, such as NGFW, NGTP, and NGTX. Generally speaking, the pricing is in line with other players in the industry.
We evaluated products by Fortinet and Palo Alto.
In summary, this is a good solution that is stable, and I recommend it.
