Check Point NGFW Room for Improvement
Principal Network and Security Consultant at a comms service provider with 10,001+ employees
The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay. That's one of the main complaints for most of our customers. Or if it is quick, then it's very complex. For example, if they have received a file which is "unknown" or has Zero-day attack malware, sometimes it doesn't get analyzed properly or it's locked into the cloud. So there are various small issues with the product that need possible improvement.
The SandBlast product on its own is a very good concept, and it works absolutely brilliantly. However, when you integrate it with existing firewalls, it just doesn't play very well.
The cloud solution is quite straightforward because it seems the SandBlast solution was designed, initially, for cloud deployments, where you've got multiple clouds or multiple vendors, and you are receiving files from different points. And on the cloud edge, for example in AWS, if you have Check Point sitting there, it works very well if you're running a virtual firewall. However, if it's on-premise and it's a dedicated appliance, then the performance is slightly different and the way it works is very different. So where it needs improvement is where it's an appliance-based solution rather than a software or cloud-based solution.
If I am using SandBlast on a virtual appliance — for example, I've got Check Point virtual appliances in AWS, and Azure as well, for a customer — those virtual appliances work absolutely fine as a service, as does SandBlast as a service. However, if it's an appliance, if it's a dedicated firewall on-premise in a data center and you add SandBlast as a software service, the integration is not that straightforward, so the experience is very different.
It seems like they were possibly built by different teams, independent of each other.
The MTA (Mail Transfer Agent) may not be the greatest, and the full proxy that you can activate instead of just doing application control is also not the greatest, but they don't even recommend using those. They're just available if you want.
But the biggest improvement they could make is having one software to install on all three levels of their products, so that the SMBs, the normal models, and the chassis would all run the same software. Now, while there is central management, everything that has to be configured on the gateway itself works differently on the three kinds of devices. That is a bit hard because you have to update your skills on all three.
A practical example is that I have a client that I run scripts for to get information from 40-plus firewalls. That client is thinking about refreshing and there may be SMB appliances in the roll-out that don't run those scripts. That would make my job a lot harder. So the best improvement would be standard software on all their devices.View full review »
Senior IT Manager at a mining and metals company with 501-1,000 employees
Because there's quite a bit of flexibility in Check Point, improved best practices would be helpful. There might be six ways to do something and we're looking for one recommended way, one best practice, or maybe even a couple of best practices. A lot of times we're trying to figure out what we should do and how we should handle a particular problem or scenario. Having a better roadmap would help us as we navigate the options.
The VPN setup could be simplified. We had to engage professional services for that. That's not a problem, but compared to other products we've used, it was a little more complex.
Network and Security Specialist at a tech services company with 51-200 employees
The naming in the inline layers and ordered layers needs improvement. It makes things very complicated. I've seen quite a lot of people saying that. For audit policies, it is okay since it's very simple to see. However, this area is for very large organizations, which have too many policies, and they need to share all these policies. For small to medium-sized businesses, they don't need it. Even if somebody has 500 rules, if they try to use it, it can be very confusing.
In R77.30, the only thing which I hated was having to go into each day's log file and search for that day. However, in R.80, we have a unified platform, so you can just filter out with the date, then it will give you the log for that date and time.
I would like Check Point to have certification similar to what Cisco offers. Check Point's certification doesn't cover a lot of things. For example, Check Point Certified Security Expert (CCSE) should be actually included with the Check Point Security Administration (CCSA), as a lot of people just go for the CCSA and get stuck when it comes to a lot of things on Check Point.
Biggest lesson learnt: Never assume. We had issues when we enabled DHCP server on one of the firewalls. We tried to exclude some IP addresses so the rest would be allocated, but that didn't work. We had to start from the beginning to include the rest of the IP addresses.View full review »
The VPN part was actually one of the most complex parts for us. It was not easy for us to switch from Cisco, because of one particular part of the integration: connecting the Check Point device to an Entrust server. Entrust is a solution that provides two-factor authentication. We got around it by using another server, a solution called RADIUS.
It was very difficult to integrate the VPN. Until now, we still don't know why it didn't work. With our previous environment, Cisco, it worked seamlessly. We could connect an Active Directory server to a two-factor authentication server, and that to the firewall. But when we came onboard with Check Point, the point-of-sale said it's possible for you to use what you have on your old infrastructure. We tried with the same configurations, and we even invited the vendor that provided the stuff for us, but we were not able to go about it. At the end of day they had to use a different two-FA solution. I don't if Check Point has a limitation in connecting with other two-FAs. Maybe it only connects with Microsoft two-FA or Google two-FA or some proprietary two-FA. They could work on this issue to make it easier.
Apart from that, we are coming from something that was not so good to something that is much better.View full review »
Working on Check Point for me looks simple. For the user or anyone else who is using Check Point, they are more into the GUI stuff. Check Point has its SmartConsole. On the console, you have to log into the MDS or CMS. Then, from there, you have to go onto that particular firewall and put in the changes. If the management console could be integrated onto the GUI itself, that would be one thing that I would recommend.
The ability for the multiple administrators to not do changes was fixed in R80.View full review »
Network Security Engineer/Architect at a tech services company with 1,001-5,000 employees
Upgrades and debugging of the operating system, as well as the backups and restores of configuration, need improvement.
Debugging is very complex when compared to Fortinet, for example. That's the worst thing about Check Point. The deployment of the solution is harder than it is with the competitors. But after you've deployed it, the operation is easy.View full review »
I would like there to be a way to run packet captures more easily in the GUI environment. Right now, if we want to read packet captures, we have to do so from the command line.
Network Associate at a wireless company with 1,001-5,000 employees
The level and availability of training should be improved. I have seen people that are not well trained on the Check Point firewall and the reason is simply that the quality of available training is poor compared to that of other firewalls on the market.
The command-line interface (CLI) should be more user-friendly.View full review »
Security Expert at a aerospace/defense firm with 10,001+ employees
Their management features are the best, from one point of view, but they are too heavy. For example, if you are looking at a configuration file, you can't just browse through it and see all the configurations like you can with other vendors, like Cisco and Fortigate. With those solutions you can just go over the configuration file and read all the objects and the policies, etc.
Because of the Check Point architecture, the data file itself is huge if you're comparing it to the data files of other vendors. The difference is something like 3 Mb to 1 Gb. It's not so straightforward.
The data process is also not so simple. You don't just load a text file which has all the configuration. It's a more complex process to restore it from a backup, when it comes to Check Point.View full review »
Security Engineer at a tech services company with 1,001-5,000 employees
The stability needs improvement for its version releases. They have a feature called Inline Layer as part of the R80.10 release. In the last version, it still had bugs and is not working very well. I would like the developers to release a version that is more stable, because if you start to use the latest release and try to use this newest feature, I'm not 100 percent sure that it will work very well. After six months of development, it might start working better. However, at the beginning, it's not a good choice to implement in your company with your first attempt. But one or two releases later, it might be better.
If you only have one vendor and they are downgraded or no longer a leader in their industry, then you need to change the entire solution, making it more expensive. For example, Check Point's components are not interchangeable with other vendors.
IT Infrastructure & Cyber Security Manager at a retailer with 501-1,000 employees
We just upgraded to the latest software version of Check Point so we have a lot of new stuff to learn. The older version had a little bit of a problem with identity awareness and with HTTPS inspection with the visibility of the logs, and the implementing of rules. But as far as I can see now, with the new version, most of the problems were fixed.
In terms of new features, maybe it would help if we could start to manage all the stuff in the cloud and not in the on-prem servers. The management side could also be faster when you install policies. But other than that, I'm satisfied.View full review »
The functionality of the S2S VPN service has been temperamental for us at times and is not always simple to manage or check the state of.
We find the GUI to be wrong and the CLI doesn't always show all of the connections.
From a general usability point of view, if you have not used Check Point before, the learning curve is steep. Perhaps managing and configuring the devices could be streamlined for people with less experience so that they can pick it up quicker. There needs to be extra wizards for the out-of-the-box builds.View full review »
Network Security Engineer at a tech services company with 10,001+ employees
There are two major areas that need to be improved.
The study material for Check Point needs to be improved, as well as the cost for certification. One of my friends recently completed the certification and it was costlier than other firewall security certificates.
The reports are generally good but there is not much control. We would like to have more filters. Essentially, we want more granular reporting.View full review »
System Architekt at a financial services firm with 1-10 employees
The Threat Emulation definitely needs improvement. A couple of years ago, we did a comparison with other companies, e.g., Lastline, offering threat emulation and threat detection functionalities, and Check Point was lacking.View full review »
This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access.
For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.
Source: User machine
Action: allow (for allowing the user's machine access)
This has to be done along with the below policy:
Source: User machine
Destination: Other Zone created on Firewall
The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall.
The firewall throughput or performance reduces drastically after enabling each module/blade.
It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.View full review »
We can virtualize the physical firewall in a virtual environment. However, the virtual environment is not stable at all. We have some customers who are using the virtual environment feature, and sometimes it crashes. We have many tickets open and the response is not as good as expected. We have to wait months for a resolution.
If you use all the features available on the firewall, it's not working. If you keep it simple, then it works. When you try to do cool things, you start to have some problems because that kind of integration is not fully developed.View full review »
Sr. Network Engineer at a tech services company with 1,001-5,000 employees
While the logs are very good and easy to understand, when you want to download these customized logs, they don't have as many features compared to competitive firewalls.
Check Point has a very good Antivirus feature. However, compared to the competition in the market, it is lacking somewhere. In my last organization, I worked with Palo Alto Networks as well. I found that while they both have an antivirus feature, the Palo Alto antivirus feature is much better. Check Point should improve this feature. It is a good feature, but compared to Palo Alto, it lacks.View full review »
Senior Network Engineer at a tech services company with 1,001-5,000 employees
The training for Check Point Firewall should increase, including the number of Training Centers. For most new people in our organization, we have to provide them training from our end, as they are not trained in Check Point Firewalls. So, we have to do the training, from our point of view, to make our engineers able to use Check Point Firewalls. However, with other firewalls, they are already trained, so we are not require to provide them training. This could be improved by the Check Point Community.View full review »
IT System Operations Manager at Hamamatsu Photonics KK
The pricing is on the high end, specifically with the software licensing, although they are flexible on some levels, and offer hardware buyback options when upgrading.
The software licensing model is too complicated with all the various tiers of SKUs (i.e. per software blade). They need to simplify this for easier purchasing and renewing.
Customer support is not always as responsive with solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.View full review »
The routing rules and some more network settings should be listed on the Check Point Smart Console instead of GAIA Web GUI. It might be a little bit confusing when an administrator remembers the location of the settings. Also, it is hard to manage the settings by always jumping from GAIA Web-based graphical user interface to Java based Smart Console dashboard. Also, Check Point Next Generation Firewall has a very detailed and well-organized CP view on the console on both CLISH and expert (/bin/bash) shells; which gives an administrator a real-time monitoring option on the console.View full review »
We are facing some problems with the management on our Check Point Management Server. There are some issues with R80.20, so Check Point suggested to upgrade. However, we are in lockdown, so we will upgrade after the lockdown. We are coordinating this issue with the Check Point guys. After upgrading, I think these issues will get resolved.
For R80.10 and above, if you want to install a hotfix, then you can't install it through the GUI. I don't know why. In the earlier days, I was able to do the installation of hotfixes through the GUI. Now, Check Point said that you have to install hotfixes through the CLI. If that issue could be resolved, then it would be great because the GUI is more handy than the CLI.View full review »
TitleNetwork Manager at Destinology
Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release.
The only downside to Check Point, is, due to the vast expanse of configurable options, it does become easily overwhelming - especially if your coming from a small business solution like Draytek.
Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software.View full review »
Using the tool is somewhat complex when teaching new staff, although after practice it is quite easy to get used to this technology.
One of the improvements that could be included is to have a help menu to obtain advice or help for the different options that are presented in the application.
The equipment is complex, so you need guidance from specialized people or those who constantly work with Check Point. Better forums and information manuals could be provided so that users from different institutions can have more access to the information.View full review »
I would like to see the provision of an industry-wide and global benchmark scorecard on leading standards such as ISO 27001, SOX 404, etc., so as to provide assurance to the board, and confidence with the IT team, on where we are and how much to improve and strive for the best.
Although Check Point provides annual updates to the Gaia platform, integration with other OEMs is difficult. This integration would be helpful in providing a full security picture across the organization. I am looking forward to the go-ahead of R81 with MITRE framework adoption in the future.View full review »
The end-user VPN could be improved. It could benefit from some modification.
The VPN timeout feature needs to be improved. When we try to connect to the VPN, it times out before we can even enter our user name and password. If you can't prove you are who you say you are within seven to ten seconds, it just kicks you out.View full review »
IT Manager at a comms service provider with 51-200 employees
I do prefer to manage everything from only one point of entry/one application. Some things can only be configured from the smart console and others from the smart dashboard. This is the only handicap in this solution. It would be ideal to manage everything from one central place.
Instead of using a windows application to manage the equipment, it would be better to use a web app to configure the solution from a browser. I know that it's not as powerful (you can't do everything from there), but then we could manage the solution and troubleshoot from any device.
It's faster to see the event logs on a webpage than it is to see them in the smart console.View full review »
Sr. Network Engineer at a tech services company with 1,001-5,000 employees
The only thing which I think should be improved is that training should be increased. In my position I also interview potential employees and I haven't found many people in the market, nowadays, who are familiar with the Check Point firewall. They are more familiar with Palo Alto and Cisco ASA and they are more comfortable with them. Check Point is one of the good firewalls and training should be increased by the company so that more people are familiar with it and with their switches.View full review »
Network Security Administrator at a computer software company with 201-500 employees
Check Point has notably fewer tutorials on Google. If I'm facing any kind of issue and I Google it, less stuff is available.
Apart from that, the antivirus is less effective than its competitors' antivirus. The antivirus is good, but in other firewalls, such as Palo Alto, it's quite effective. Check Point should provide more output. Sometimes it provides comprehensive information and sometimes it doesn't.View full review »
Senior System Administrator at Seminole Electric Cooperative, Inc.
The improvement could come from better monitoring of traffic data in and out of the firewall. I'd also like to see more built-in automation in regards to activity against the firewall to trigger an automatic response for a period of time.
There is currently no way to allow a user to have access for X period of time. I also find that keeping up with the IPS additions to be a three-stage process which includes having to go to email to see new updates, reviewing those updates on the firewall, and then making necessary changes. I would like to see these new IPS updates shown as a notification when I log in (as an alert) so I can review and modify from one pane.View full review »
IT Manager at a transportation company with 501-1,000 employees
I would like there to be a way to run packets that capture more easily in the GUI environment. Right now, if we want to read packet captures, we have to do so from the command line.
The biggest improvement they could make is having one software to install on all three levels of their products, so that the SMBs, the normal models, and the chassis would all run the same software. Now, while there is central management, everything that has to be configured on the gateway itself works differently on the three kinds of devices.View full review »
Consultant at firstname.lastname@example.org Systemhaus
Although there is a lot of automation and pattern that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions, however, it can still be made a little bit better.
For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).
The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.
Since attackers also use these clouds, there is a problem in getting your security definitions to work.
Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.
There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.View full review »
Overall, this is a great system, and I'm struggling to come up with things that I think should be improved.
I have had some issues in the past with the desktop client being slow to come up for logging in, and then slow to respond to screen changes, however, overall, it really hasn't been too bad.
For additional features in the next release, I would like to see more change functions available in the new Web GUI version. This is still a new offering from the company, therefore, I can only assume it will get better as customers make suggestions/requests.View full review »
Integration engineer at S21sec
In earlier versions, it was a bit hard to do migrations of Multi-Domain Servers/CMAs, nowadays, with +R80.30 it has gotten much easier. I cannot really think of many things to improve.
One thing that could be useful is to have a website to analyze CP Infos. This way, it would be much faster to debug problems or check configurations.
Another thing not very annoying but enough to comment on is when preparing a bootable UBS with the ISOMorphic (Check Point's bootable USB tool), it gives the option to attach a Hotfix. However, this usually causes corrupted ISO installations.
One thing to improve is the VSX gateway. It is quite complex to work with VSX and they are quite easy to break if you aren't familiar with them.View full review »
It would be great if the access management, the user management features, were improved in terms of the number of users that can be connected, and how users can access the various resources with the help of firewall authentication.
Also, one of the challenges I hear about from customers or engineers who work with and operate Check Point firewalls is not about the technical capabilities of the product but about understanding the product. There should be whitepapers available on the Check Point portal so that people can understand them more easily.View full review »
Several of the security modules including IPS, URL Filtering, and Anti-Virus, are based on HTTPS inspection, losing relevant security capabilities if you don't implement it in your network.
This means that to being able to take advantage of the full security stack, you're going to have to inspect traffic, break the tunnel, and manage different SSL certificates.
Although this is not a limitation of the product itself but the technology, where other vendors are impacted the same way, it is useful to take this into consideration as you can adjust the capacity of the systems adequately.View full review »
The company should increase the learning platform free of charge. For example, Palo Alto and Cisco ASA have very good platforms that are completely free. Almost everyone in this field has good product knowledge. Therefore, I would like more training and expertise to be available for Check Point NGFWs.
I would like the graphic user interface to be easier to use. For example, the NAT policy should be easier to use. Check Point's NAT policy is somewhat confused compared to other competitors.View full review »
Solutions Lead at a tech services company with 1,001-5,000 employees
When I was creating the VPN on it and the client side through the portal, that feature was very annoying. I could not use it. It was much more usable after downloading it to the laptop. That was very good compared to using it directly from the browser.View full review »
Check Point's study materials should be provided by the company directly and be of very good quality. This is not provided right now and something that the company can improve.
A disadvantage about Check Point is people in the market are not too familiar about its usage and people lack training on it.View full review »
Network Security Engineer at a tech services company with 10,001+ employees
The antivirus feature is a little bit weak and should be improved. The updates are not as regular when compared to other firewalls, such as Palo Alto.
The training materials and certification process should be improved. For example, the certificates are more expensive and there's no good training available on the internet right now.View full review »
Permissions from the client regarding troubleshooting and how well we can packet capture have not been smooth.
Check Point should quickly update and expand its application database to have what Palo Alto has.
There have been some issues with third-party integrations.View full review »
As such, the tool provides what is expected in its security functionality. However, some points must be improved, such as the latency in the GUI entry. It takes a while to register and allow access to the administrative panel.
Another point where customer service should be improved, both in the administrative and technical fields. Support cases have been generated several times, and it takes time for the case to be resolved. In addition to that, the solutions need to attend to us. It takes a long time to coordinate a call since they do not handle a comprehensive schedule.View full review »
Senior Linux Administrator at Cartrack
It takes a while to install the rules so that if you make a mistake you can only fix it after a few minutes. There's no problem with traffic processing.
Sometimes you are forced to interact on several levels: on the one hand, you put in the rules, and on the other, you put in the route. The predefined reports are few and it would be nice to increase them since the logs are excellent.
In my work experience, I have been able to use multiple firewall platforms. There are only two valid ones for me and one of them is definitely Check Point. The others charge less but there is a reason for that. It is a good idea to think carefully before rather than after you suffer from a serious attack.View full review »
Senior Infrastructure Technical Lead at a financial services firm with 10,001+ employees
It is common for any network device to compromise on stability when more and more features are packed into it. It may work for small organizations when they want a single device to do everything for security. However, it is a big issue for us as a large financial institution when even a small outage costs dearly. Check Point, being our perimeter firewall, has failed quite a few times mainly when handling BGP. I would like less CPU-intensive features to be introduced to replace the existing heavy-duty processes. They may already have a lot of features, so the enhancement of existing features could focus on robustness rather than introducing new features.View full review »
Firewall Administrator at a tech services company with 1,001-5,000 employees
The frequency of the antivirus updates which we get for Check Point firewalls should increase. They should be of good quality compared to the competitive firewalls on the market. They should give us stable antivirus signatures. That is an area in which they can improve.View full review »
Network and Security Engineer at BIMBA & LOLA, S.L.
We try to not depend of the SMS application and leave it as a web application. Sometimes it takes a long time to authenticate and open correctly. It's a windows application, so you need a machine to install the application on.
If you have the standard support level, sometimes they take a long time to understand or even give you a solution or good workaround to a problematic situation. We had a problem in the past with a VPN blade that lead some devices to flap the VPN up and down. That case lasted 6 months as we were jumping between Check Point's internal departments in order to find a solution on our problem.View full review »
President at NGA Consulting, Inc.
I really want to see geo-blocking as a feature of NGFW. Way too many hacking attempts from other countries are coming from where we don't travel. In addition, would like to see the VPN use MFA easily, just as another layer of protection.
Another area of improvement would be a click to block when there are attempted hacks. While the infected device blocking is a good start, you should block traffic from the originator of the traffic; it would be great to be able to do that with any traffic.
Also, it would be helpful to set thresholds on attempts and then autoblock that traffic for X amount of time, or permanently.View full review »
I would like to have an improved secure workspace solution for remote access. I hear that the Apache Guacamole solution has been integrated into R81.
The site-to-site VPN options are numerous, but they can get confusing. Interoperability with other vendors is not the strongest when it comes to setting up VPNs. It's totally different from any other VPN vendors I have come across.
Improvements are needed in policy backups and reverting to the previous policy. This used to be better in R77.30.
Policy installation tends to take a long time when the rule base increases in size, which can become frustrating.View full review »
Check Point fulfills our requirements but it is important that they stay on top of competitors by addressing certain points.
There are issues with stability while upgrading devices with hotfixes. For example, many times, a device will stop giving responses after an upgrade (observed in 80.10 release).
The rule database needs to be improved because when we apply rules for the destination, based on service and application and URL filtering Layer, the parallel lookup fails.View full review »
IT Security Engineer at PricewaterhouseCoopers
Identity Awareness has been a massive source of problems for our deployment and the ability to debug it has been lacking.
The VPN setup is definitely way harder than it should be. The wizard or anything surrounding it doesn't allow for a quick setup without having to read documentation or actually getting a project with an external company
Our gateways have not felt like a day older than when we first got them, on the other hand, our physical management server Smart-1 has been definitely showing its age as it is sometimes quite long to do anything on SmartConsole when it decides to act up.View full review »
Systems Architect at PHARMPIX CORP
Check Point Firewalls haven't failed me during the past six years that I have been using them.
If I had to mention anything that I would like to see some improvement on, it’s on the internet load balancing options. Internet load balancing provides either active/passive or active/active load balancing, however, I would like to see more options that provide SD-WAN capabilities while also allowing for more than two links. I know this can be performed with other network devices, however, adding the option as part of the NGFW would be awesome.View full review »
Senior Network Engineer at Arvest Bank Group
Check Point's support, at all levels, needs a complete overhaul. The Check Point support staff aren't even shy about telling you how understaffed, underpaid, and underappreciated they are. Any engineer with a hint of talent is pulled from general support to higher tiers, and then, once they reach a level of competency above that of your average acorn, they leave for better-paying jobs elsewhere.
My organization witnessed this first hand fighting through the lower tiers of support and working frequently with the scalable platform team. When we switched to Diamond Support we saw no significant improvement in support save for shorter hold times.View full review »
President at NGA Consulting, Inc.
Geo-blocking would be very useful. There are too many attempts to infiltrate by non-country users. I can block access by IP address or IP network, however, a country-level blocking would be more useful and much quicker to implement.
It would also be nice to have a smaller home user device that could automatically contact the main firewall and establish a VPN connection. This would be great for remote users to secure their work PC at home.
On the front page of the appliance, it lists current threats identified. It would be helpful if clicking on the threat took you to the exact logs instead of showing all host logs as you still have to scroll through the host logs to find the information you are looking for.View full review »
Network Engineer II at Baptist Health
Check Point could improve its products by working on stability. Overall, it is a stable platform, however, at times we have issues with 'quirks' and bugs that cause issues for our end users and typically are not straightforward to fix.
Another issue that presents itself is upgrading. Small hot fixes are not problematic. That said, updating to a new version of the OS has been an absolute nightmare and caused significant downtime and a number of issues - not to mention wasted engineering time. Simplify the upgrade process and they may regain confidence in this area!
I'd like to see more use of applications and URLs in security policies moving forwards.View full review »
Sr. Network Engineer at a insurance company with 5,001-10,000 employees
The antivirus Check Point offers could be better when compared to competitors' firewalls. Updates should be more frequent. With other firewalls, updates are very frequent, but with Check Point updates are not so frequent. That needs to be improved.
Also, the certification as well as learning about this Check Point is much costlier when compared to the other firewalls. I have recently done certifications in various firewalls and Check Point's certification was more costly.View full review »
There is a scope of improvement in detecting zero-day threats using the SandBlast technology, by introducing emulation of Linux-based operating systems. We have also observed issues while using the products with SSL decryption.
There is room for improvement in application-based filtering, as with other firewalls available in the market today. Check Point has improved its application filtering capabilities in the recent past and their latest version, R80, is more capable but still, creating an application-based filter policy is a little cumbersome.View full review »
Senior Information Security Specialist at a tech vendor with 10,001+ employees
Unfortunately, the API is not fully complete and also it is not an API which I would refer to as a RESTful API as there are different endpoints for the same entity. For me, a restful API would use one endpoint to handle, for example, host objects and use different HTTP methods to distinguish between different operations.
I would expect to use the PATCH method to update an object and the PUT method to create one. Currently, there are separate endpoints for these operations and all of them use the POST method. The most important issue with the API is, that there are some endpoints we are missing (for example for managing VPN users).View full review »
System Administrator at Grant Thornton
There are some GUI features in Check Point's SmartConsole that are still from the old versions and are in separate/duplicated interfaces; it would be most useful if it is integrated and not on different menus.
We would like to have a better search engine on the checkpoint.com site. Right now, it is difficult to find, for example, a newer version of the Check Point VPN Mobile client. The search engine shows most visited sites and the newer version won't be the most recently viewed site page. As it is right now, you have to find the general VPN page form, and from there you have to look at what version of the product you need and then go to the page of the latest version.View full review »
There are issues with stability in some specific versions.
The VPN is a little difficult to configure, and sometimes you need help from Check Point professional services.
There are some performance problems with the IPS when the FW is in a high load, but in general, it is working better than in previous versions.
The routing is configured on the gateway, so, you need to remember for migration purposes.
The virtual infrastructure of the central management requires a huge amount of resources to work properly and manage all the logs without problems.View full review »
Technology Architect at BearingPoint
One area which is still lacking is the site-to-site VPN solution. This is still an area that could be improved, although the features have gotten much broader and I really have seen an improvement over the last 10 years of working with the product. The separation from encryption domains between the tunnels came recently as a new feature to the product. This really helps a lot. Yet, we are still seeing a lack of compatibility with other devices, even though this is the case with many vendors. Especially with IKEv2, we are struggling with many vendors to set up perfectly running tunnels.View full review »
Ingeniero de Infraestructura at E-Global S.A.
It could be easier to access the installation of the Hostfix for VSX solutions. The CLI commands help us understand how virtual firewalls behave in terms of processor, memory, and other aspects. More graphic visualizations of CPUSE commands would be a welcome improvement, and Check Point could expand scripts to run within the solution for multiple tasks.View full review »
The API support is good. However, Check Point needs to focus on more prepared scripts for some tiresome actions. Other vendors provide this, including Palo Alto). We are in a big organization now, and we need good tools to maintain stability and get rid of the objects and rules that we don't use.
If you are working within a big organization, you may have some CPU and memory utilization problems. Most of the time, we are encountering these kinds of problems, and due to that, we can't use other features and blades other than the firewall or threat prevention.
I find Check Point's log experience a little tiresome as it does not provide information with limited blades enabled. We'd like to see information around session time, sent and received bytes, etc. Even if you manage to get some data, you may find it not very reliable.View full review »
The one thing I have been continually asking for is a more robust certification process including self-paced study material similar to Cisco's Security certification track. Not everyone can afford the time and money to attend the official in-person classes offered by Check Point. Even if someone was not interested in fully pursuing a certification, offering certification guides is often a method that IT professionals follow in order to learn about a specific topic and keep for reference.
An area that I sometimes find lacking is the information provided by the system when performing troubleshooting issues such as site-to-site VPN tunnels. The logs provide general information regarding what is happening but often, it leaves you wanting additional details. This also ties back into the lack of training and knowledge required to utilize the more advanced features of the command line.View full review »
Senior Infrastructure Service Specialist at a financial services firm with 10,001+ employees
Although the GUI is simple to use and fairly comprehensive, more support via CLI would be beneficial for bulk operations. Repetitive tasks can surely be explored via API, however, oftentimes, tasks that are not worth automating can take longer than expected via GUI, while it could be easily tackled via CLI.
There should be better and more comprehensive reporting. This would also bring a lot of value to the platform by enhancing its capability of bringing transparency to the network.View full review »
It would be best if the security management server console access is simpler for ease of management. System administrators find it really difficult for the management settings to incorporate easily. Most administrators nowadays are looking into something that offers easy access to a management console or GUI.
I could not think of other areas for improvement. This is the firewall that I liked the most among other vendors in the market. It's by far the best firewall in the security industry.View full review »
Some features, like the VPN, antispam, data loss prevention, etc., are managed in an external console. In the future, I'd like all features in the same console, in one place, where we can see and configure all features. I'd like a web console so that all firewalls can be managed from a web browser and we don't need to be installed on dedicated consoles and applications.
I use the web console to mange the Gaia software in the firewall and it would be nice to have also policy management inside the web browser.View full review »
We would like to see constant improvement in anti-malware functionality and anti-threat protection.
Various functions affect our organization's traffic performance.
They need more focus on the stability of IP security.View full review »
TitleManager - Datacenter IT at a manufacturing company with 10,001+ employees
Check Point solutions have always been more complex to deploy than their competitors. There may be multiple scenarios where we may need to engage support, however, the customer support is very good. There are certain features that are only possible from the command line (e.g. packet captures) and it would be good to integrate everything into the GUI to reduce the learning curve for newer engineers. Finally, it can be a costlier solution - especially for the smaller firewalls as compared to the competition. It would be beneficial to have more training options or documentation as well.View full review »
Sr. Network Engineer at a tech services company with 51-200 employees
I would like the user interface to be more user-friendly. I want the UI to be easier to use than Check Point's competitors.View full review »
The exterior of the physical device can be improved with the use of a display and not just simple lights.
All the physical devices located in the rack are similar, Just a box with some small lights that does not provide too much information.
For. me as a final user I will be happy if I can get a display that can show the error code when is a failure and not a simple red led (This is the common practice).
I just want more information when I'm on front the device. i know always can walk to my desk and check the GUI with the documentation and the information required.
View full review »
Logical Security Deputy Manager - IT at a financial services firm with 1,001-5,000 employees
As a firewall, Check Point is a great solution and in my experience, there is little that I could indicate how to improve.
That said, a point where it could improve is in the redundancy of the ISP. It should allow more than two internet providers in its configuration of "ISP Redundancy". This redundancy could be managed from variables such as the automatic calculation of the load level between internet lines or load distribution between internet lines in periods of pre-established hours, etc. All could be handled from the same graphical interface.View full review »
It would help if they were easier to deploy, without needing more technical people. It would be nice if we could just give basic information, how to connect, and that would be all, while the rest of the setup could be done remotely.View full review »
Innovation Consultant at KPN
The world is changing rapidly, and even though Check Point is delivering security solutions on many levels such as endpoints, cloud, and on-premise.
A more centric solution would be preferable. They should take all existing products and make them a part of a suite that is easily manageable from one platform. This would leverage the use of the different products since no administrator wants many interfaces to manage the complete environment.
Pricing needs to be lowered from start, this would be more effective than lowering it during negotiations.View full review »
User at a financial services firm with 10,001+ employees
To be very very honest, I do not see any major gap or improvement area for any of Check Point Cybersecurity solutions, whether it's your enterprise be cloud-based only, on-prem (Private cloud or Legacy infrastructure), or hybrid infrastructure. Check Point's solutions are highly cost-efficient, have low OPEX costs, are very stable, are safe and secure, and helps maintain the enterprise's security posture.
Check Point's security solutions are a cut above the other vendors, not just today but for the last 30 years. Without having to mention any gaps, Check Point's development team works hard to stay ahead of technology in the cybersecurity space.
I feel the only thing that I see as a possible improvement in Check Point software is the lack of ability to create "static discard routes" which makes it difficult for NAT ranges to be advertised via BGP to neighbors. Although Check Point has an alternative of creating a dummy interface to introduce "directly connected" routes for NAT ranges so that they could then be advertised up/downstream, having the ability to do so using "static discards" would be a great thing to have.View full review »
Service Manager at a construction company with 10,001+ employees
The management of memory in the hardware needs to improve. They have had a lot of issues with memory leakage.View full review »
System Administrator at System Administrator
Unfortunately, as is the case with many big companies, new features seem to always be more important than fixing the last little bugs that affect only a minor customer base.
The command line, for instance, is still needed regularly if you want to dive deeper into debugging certain issues.
While it certainly has improved over the years, it still doesn't feel like a polished product. Some features (e.g. super netting VPN connections) need to be enabled by editing a configuration file, which is sometimes lost upon upgrading to a new version. I'd really like to see more easily manageable debugging solutions.View full review »
In terms of what could be improved, we have a cluster with two nodes and usually we have some problems when process gets really high and it has to choose which services it keeps going. I would like to have a better solution here, like if instead of just one we could use both at the same time. It would be good if it could work together. Then when one has a failure or something like that, the other one is there to transfer, to take all the services and keep working. They have an integration between the nodes but I would like to use both of them working together. In the solution they could both be active, instead of active and passive. I would like them to add backup features to Check Point Firewall.
Many companies are going to the cloud. In future releases, it would be nice to have a cloud integration so we could work in a hybrid form for some years, like some services in the cloud and others on-premises. So it would be nice to have some features in this sense.View full review »
The product could provide an easier user interface and management, by combining all functions (network and policy configuration) into one single application rather than splitting it into different applications.
Users will also really appreciate it if Check Point provides a free management and logfile analysis module. In the existing setup, a user must pay an extra subscription fee to have access to the firewall management module. It makes the user without a subscription unable to fully gain insight from the firewall log file so they are unable to fully utilize the deviceView full review »
Systems Engineer at HarborTech Mobility
Configuration using the command line is not that simple and user-friendly.
There is no email security.
It's a bit confusing to configure at first. An example is having to set up separate source and destination NAT rather than a simple static mapping. Some configurations require accessing multiple different sections rather than being consolidated in one area. License subscriptions are a bit confusing as well for additional features.
The CLI is not very useful.
There's no option to import bulk address objects.
The firewall default rule 0 blocks rule matches to allowed traffic, even though allow rule is written.
Networking engineer at Hewlett Packard Enterprise
The SmartEvent blade has a huge number of security events/logs. We are trying to find correlation with the help of the SmartEvent blade, however, it may impact the performance of our Check Point management server. It requires additional licenses for Check Point management servers. It should be inbuilt within the management server.
With the increase of volume of traffic, the required resource/hardware to properly run goes up. Therefore, the hardware engineering to architecture flow has to be more efficient.
Senior Systems Engineer at Upper Occoquan Service Authority
The only thing that we've seen is instances where console and administrative interfaces get locked up or freeze, and we have to get the machine rebooted.View full review »
IT Specialist at a tech services company with 10,001+ employees
The Antivirus feature is something that could be improved. We don't get much from the Antivirus update in comparison to their competitor's firewalls. It needs to be more advanced because Check Point is nowadays sent all over the world. Therefore, the Antivirus feature should be of very good quality and cover all virus checks. I would also like the Antivirus updates to be more frequent.
IT Security Administrator at a tech services company with 51-200 employees
Sometimes there are security bugs, which is frustrating.
Right now, we have a problem with DLP and this problem has become very big. Check Point, our firewall, is not handling data properly. There seems to be some sort of security bug.View full review »
Senior Network Security Engineer at a tech services company with 1,001-5,000 employees
It took so many weeks to migrate our old firewall to Check Point after we did internal and external assessments on earlier setups and enabled multiple security features.
We had difficulty configuring the NAT. For example, instead of following A-B-C, we need to do A-C-B
Initially, we faced a few challenges with firmware. Later this was addressed with jumbo hotfixes.
We tried to create a single management software to manage the policies, view the logs, have a mobile access VPN, and do reporting.
Please concentrate on local services enablement for faster resolutions.View full review »
Technology at Partswerx
As a small business, IT expenditures are always a tough call and hard sell. With every business connected to the internet these days, firewalls and threat prevention are very important for any business of any size. Check Point's small business devices are a great fit for most any business. However, including some sort of menu or grouping for VOIP would help the small business area that has limited support. Check Point support is very knowledgeable and can also help in this area as they've helped our business evolve as well.View full review »
Although very efficient, the product could be developed in a way that does not take a lot more system resources. It would be very useful if the Check Point NGFW was able to learn the environment and its user's real-time activities and automatically send only logs of interest to the security admin to actually force the security admin to review these logs since the logs are useless if not reviewed. Implementation and setup should be made as easy as possible. At times a misconfigured NGFW because of its complexity will be more of a vulnerability than protection.View full review »
Check Point has both GUI (Graphical Interface) & smart dashboard, but it will be better if it sticks to either one of them.
A threat prevention policy needs to be created in a different tab but instead, if those policies could be related to access policy then it will be easier to apply the threat prevention to our relevant traffic.
One of the most complicated aspects is the VPN Configuration, which should be simplified in future releases. The monitor tab should have a VPN tab, where we can see the current tunnel status.View full review »
Snr Information Security Analyst at The Toronto Star
Support for customers really needs to improve.
Check Point also needs to create a study license that will enable the customer to install a firewall (maybe with reduced connectivity) for a bit longer so that one can simulate scenarios without having to re-install it every 15 days.
We had a lot of problems with the VPN blade on the solution. We sometimes have trouble with the performance of the solution. Maybe some performance tuning options could be added in a future release.
Check Point needs to create a certification program that involves practical applications.View full review »
Security Administrator at R Systems
The antivirus is not as effective as it could be because updates are not that frequent.
Another area for improvement is that certifications are quite expensive with Check Point.View full review »
The appliances are quite intuitive and easy to be used. The hotfixes are useful and often released with notifications sent to the client.
There have been a few requests/issues about the Identity Awareness feature. The connection to AD, which was a request from the user, required the TAC team's support.
Solutions Architect, Cyber Security & Networking team at Expert Systems Ltd
Under the same capacity requirements, Cheak Point is a bit higher than Fortinet yet much cheaper than Palo Alto. Although using Quantum Maestro to enhance scalability expansion is very helpful to cut down the total cost, it is still an issue for most of the company. Check Point is not a cheap solution and it's always painful to see exactly how much we need to spend on this.
The upgrade process is not as easy as may be expected. If there is something that goes wrong, it causes the internet service to go down for the whole campus network. I am not happy with that situation since the upgrade process is a very common process. The outcome is not acceptable.View full review »
Senior Consultant at Integrity360
Error logs can be more specific. Sometimes the error shows only a general error and the solution could be hard to find or difficult to apply.
Documentation can be improved. It has been improved, however, when you search for errors, in relation to documentation and how to solve it, sometimes it is not that simple to find the right solution. Troubleshooting errors could be sometimes difficult and some tools are only available for the Check Point support team.
The price is also a factor to take into account. Other competitors offer low prices in relation to Check Point and the executive team may opt for the cheapest vendor (if you have to compare to another good one yet note a cheaper price).View full review »
CTO at a computer software company with 11-50 employees
When first looking into the Check Point offerings, it was fairly confusing trying to determine the differences between the different offerings. Specifically, SMBs versus other models, and which one would work best within my environment for my use case. I think we ended up in a good spot after speaking with a reseller in the area, but it would have been nice to be able to get there independently.
The WatchTower app that can be used to access the SMB appliance remotely is a nice touch, but it doesn't allow for many actions to be taken and therefore is relegated to mostly notifications. At that point, it requires me to gain local access to go further. It would be nice to add more features to the WatchTower app to be able to perform certain administrative functions without the need for local access.View full review »
Principal Associate at Eurofins
The smart consoles could be improved. Many times we have seen that smart console lags or has issues during the change. It also closes sometimes. Otherwise, the overall experience was great until now.
As we are still exploring more features, we need more time to provide more reviews in the future. I would like to explore more with Check Point and would like to provide improvement review as we go into using the MDMS. It will be in our organization here by year-end.View full review »
The one area that I would like to see a change in is policy installation. Right now, with a larger user database and a high number of rules, it takes a bit of time for policy installation. There is definitely some improvement in the R80 version; however, I believe that it should not take more than one minute to refresh the database. Also, there is a significant spike in gateway resource utilization during policy installation.
The additional blades have an impact on resource utilization, hence scope of improvement is needed here too.View full review »
System Engineer at Infosys
While not being cheap, their pricing models are competitive. In the pricing structure, however, they need improvement.
I would love to see an SSL offloading feature that is not there right now. I am following many forums related to Check Point and it seems like they are going to launch it very soon. SSL Offloading will be very helpful for NBFC and for financial institutes.'
The Check Point NGFW OS is a historically grown OS. It has been on the market for a long time and has many releases. It is a very complex system. All features are done in software - no extra hardware chips are installed.View full review »
Network Security Engineer at Fujairah Port
Check Point updates and upgrades are in a timely manner. There is nothing more that I need in terms of improvement.
Additionally, they have an excellent support team working around the clock. Check Point engineers have excellent knowledge and have provided us with the resolution in a timely manner.
I have been using Check Point technology since 2011 and recently I have deployed the new NGFW. It's the upgraded version and we have it in a cluster along with the management box.
Check Point should include additional management choices; for example, Check Point does not offer full management support via browser.
You should use Check Point Smart Console for management, although it is an EXE and is supported only on the MS Windows platform. If you are using Linux or Mac, you cannot manage Check Point. Instead, you need to use a virtual PC with the Windows OS installed, running inside Linux or Mac. Check Point states that this is a decision made for security reasons, but that certain management features can be done through the browser, although not fully.View full review »
They have few predefined reports and it would be nice to increase them since the logs are excellent.
They should be quicker to release fixes for known vulnerabilities, including those related to Microsoft products.
If you make a mistake when creating rules, it is time-consuming to fix them. However, there is no problem with traffic processing.
Sometimes you are forced to interact on several different levels. On the one hand, you put the rules in, and on the other, you put in the route.View full review »
Security Engineer at Netpoleons
One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.View full review »
Cyber Security Consultant at Capgemini
Sometimes the KB article does not include all the steps. There is a chance for improvement in the content of global KB articles. It's nearly impossible to add an exception for threat prevention services - such as antivirus and anti-bot. You will be stuck with Indicators of compromise marked as detecting only, caching issues, and random effects. There is no clear way to report incorrect classification to support.
Sometimes we need to find a resolution by ourselves as the solution's knowledge base is not enough.View full review »
Senior infrastructure technical lead at Westpac Bank
To combine CLI routing and GUI application in a way that both interact together would be ideal.
The pricing could be better. In general, the Check Point solutions are not cheap, however, you could try to negotiate on the overall contract, especially if you are purchasing a lot of hardware.
In the CLI, while viewing configs, there is no easy way to snapshot configs.View full review »
Senior Solutions Architect at Maersk
The perimeter antivirus can be improved. It's not as good as other leaders.
Additional features that could be good to have/improved include:
- Modular capabilities
- Integration with VMware and NSX products per client requirement
- 3rd Party support product is very limited
The solution can integrate with other vendors to form IPsec connectivity with redundancy - which is only possible now between the CP to CP FW only.
The licensing part is a bit tricky. The product can simplify this further for ease of use.
They need to work on log size optimization.
Antivirus signatures should be updated in real-time.View full review »
From a stability standpoint, sometimes when upgrading to a new version, there are some stability issues. The device occasionally may stop responding.
It would be beneficial if they offered better load balancing.
They could make the licensing a bit easier to deal with, especially for enterprise-level options.View full review »
The NAT services part needs improvement. It's not sophisticated. It needs functions like range assignment for NATing. The way you assign a list of IPs for NATing is too simple. It just allows you to use pools.
There could also be improvement to the automation. They should provide a tool for creating and maintaining rules.View full review »
Of the areas of improvement that I want to see in this product, without a doubt, one is the technical support. In this time of globalization, with so many cyberattacks and risks, the Check Point support staff take a long time to attend to incidents due to the high demand.
Another change that I would like to see is the ability to be able to test the policies before launching a change. It is somewhat annoying to apply a change and then notice that, after a while, the message appears that the installation of policies has failed, either due to some duplicate rule, some duplicate port, duplicate service or IP, et cetera.View full review »
Network at financial sector
For the migration for Smart-1, I wish the security policy could allow for a migration per gateway.
There needs to be more storage space for reporting. The storage is always full if the reporting feature is on.
We need HA for Smart-1.
The traffic trekking (logs view) needs to be more accurate. Some traffic is often not in the logs view.
We'd like to have more user friendly menu for import vpn users.
There needs to be more compatibility with SIEM.
It would be great if we could join domains with more than one Active Directory server (active-active).
There needs to be an easy menu for export backup configuration (the current menu always has an error).
The signature information needs more detail. We need to know current update versions and on running versions.
The product could always be even more stable and secure, as it would improve protection.
As we aren't using the very latest iteration, it's hard to say which features are lacking, as some might have been added in the latest releases we haven't yet migrated over to.
The pricing could always be more competitive.
Technical support needs to be more helpful.View full review »
Project Manager at a financial services firm with 10,001+ employees
The product or services can be improved from the cost and the pricing perspective. There are a lot of other competitors in the market providing similar solutions with more low-cost options. There is no doubt that the great three-tier architecture of Check Point is great, however, when the cost is considered, it proves to be a bit expensive as compared to other products in the market. Also, the licensing and maintenance costs are quite high. Maintaining these solutions proves to be a bit costly to organizations from a day-to-day perspective.View full review »
L A D
Cloud Support - Security Admin at a tech company with 1-10 employees
The tool is somewhat more expensive than its competitors. It could equalize the costs a little to be able to be more competitive.
On the other hand, Check Point documentation does not always help easy implementation for new users or amateurs in the security field.
Finally, the support must be improved. They need to improve times and schedules and solve both in local applications and in the cloud. Sometimes a solution is extended in the newest tools. Sometimes it is better to investigate one on your own than to wait for a Check Point solution.View full review »
The Performance on a policy install takes too long for my taste. This might be because, at each policy install, the management pushes the whole policy on the affected gateways.
Without any training, it is very hard to administrate the whole Check Point NGFW.
In our case, the main Check Point gateways are in a cluster configuration. Sadly, the management always shows the standby box as failed. This may be because it is set to STANDBY and not ACTIVE. It would be better to show the standby box as good.View full review »
Senior Infrastructure Technical Analyst at https://www.linkedin.com/in/robchaykoski/
I would like to see better Data Leakage protection options and easier-to-understand deployment models for this. I have been working with DLP for a while now and find that other vendors seem to be doing better at this. That said, having to deploy another solution adds other costs.
Some error messages could be better and more specific. The days of generic error messages should be over by now to allow faster, better insights into fixes for any traffic-related problems.
Some of the sizings of firewalls for deployment seem not exact and require some tweaking based on real-world traffic and connectivity types (for example, PPPoE).View full review »
The predefined reports are limited and should provide more information. Check Point should provide a greater number of defined reports and produce reports for each division of the organization. Also, historical statistics cannot be obtained from the central console, the data or logs must be exported to another machine and processed from there to obtain this historical information. The number of available physical ports could be increased and Check Point could add support for higher speeds.View full review »
It is possible to improve not so much the product but the support provided by Check Point. They need to improve the SLA. There are other companies that have improved their service before and during the pandemic, I would like Check Point to improve this performance as well.
Another problem is understanding the licensing. It is not always achieved without the help of a Check Point partner to help clarify details. It can cause problems in the acquisition of a security product. Either it is missing some features or it exceeds the scope of the project.View full review »
Check Point should add additional management choices. For example, Check Point doesn't fully have management support via browser. You need to use Check Point's SmartConsole for management. SmartConsole is .exe and it is supported only on the MS Windows platform. If you are using Linux or a Mac you can not manage Check Point. You should be able to use a virtual PC whose OS is Windows inside the Linux or MAC. Check Point states that this is a decision made for security reasons, however, certain management features can be done through the browser, yet not fully.View full review »
I would like to see more integration with other infrastructures. We are considering Cisco because it is more integrated, and the network limits of the solution are better.
Recently, we experience a problem with the hardware because it was too old, it was blocked. The hardware failed, but the software did not. With older hardware, it is a problem because our network is growing every year. The solution is not at maximum performance.
It does not have the performance that we require. The network is not the same as it was 12 years ago. There are several logs.
We are looking for a cheaper product that is more integrated than our Cisco Network appliance.
It may also need to support other types of architecture.
The only reasons we are looking at other solutions are price and integration.View full review »
Senior Technical Specialist at NTT Security
Almost all organizations are using cloud computing, and the vast majority are using a hybrid cloud deployment. Private and public cloud deployments have different security requirements, and it is necessary for an organization to be able to enforce consistent security policies across cloud-based environments hosted by multiple vendors.
The firewall should be easily deployable and scalable in any major cloud environment and enable an organization’s security team to manage all of its security settings from a single console.View full review »
Firewall Engineer at a logistics company with 1,001-5,000 employees
The policy installation length is still too long. It was promised that the time would be severely reduced in newer versions, but it is still too long. R81 promises at least parallel policy installations, which help in larger environments.
Check Point's advantage (to be able to configure everything) is also a disadvantage. The environment is quite complex. Troubleshooting is not always easy as there are a lot of possible debugs that can be taken, and the support will not always send the right or necessary debugs. Some debugs also can cause a heavy load, so you have to keep an eye on what you troubleshoot.View full review »
Check Point doesn't warn us when rules are about to expire. It was also inconvenient that we had to change hardware when we upgraded. It would be nice if they made the new version compatible with current hardware or if it only required a minor upgrade.
I would also like it if Check Point cut the number of steps needed to upgrade from R77 to R81. They should also make it possible to convert access control policies from the firewall to the management server and to downgrade from a higher version to a lower one.View full review »
IT Consultant/Engineer at a computer software company with 11-50 employees
You need to merge all the old consoles into one new one and make the interface more convenient for the novice administrator. Until now, the initial settings as well as subsequent changes to the "iron" part of the firewall, namely its interfaces, routing, or DCCP settings, you must use the web interface through a browser. This is inconvenient. Of course, you can use the command-line for these purposes, however, this also complicates the configuration process for the administrator and requires a well-known habit.View full review »
Jr. ISO at BancNet, Inc.
Check Point should improve services related to the cloud-based solution. Due to these challenging times, most organizations seek to move to cloud-based implementation to minimize the cost and for easy deployment, access, and remote support.
The Next-Generation Firewall should also be focused on zero-day threats as attacks have improved the past few years. They need to ensure that all connections and nodes are being protected.
Sandblast technology is also a good tool as it offers enterprise solutions on malware detection and prevention.View full review »
Network, Systems and Security Engineer at SOLTEL Group
Check Point products have many places that need to be improved, but they are constantly upgrading.
Service Manager Datacenter LAN
Administration of the routing and system settings should be moved to the central dashboard. It's not good to go to all GAIA Interfaces to change settings there.
The client for the central tools is very big - maybe using web access in future releases, similar to other vendors should be possible.
The firmware for the Check Point Firewalls is very big. It takes a long time when we are using small lines for data transfers. Other vendors have updates lower than 100MB. For Check Point often we need a minimum of 2GB.View full review »
Network administrator at IHSS
The anti-spam needs improvement.
A weakness with the Check Point solutions is the anti-spam, as they have a partnership with some solutions for anti-spam. They should have their own solution. We have email provided through Office 365 and they have their own way to fight spam and, due to this, we haven't bothered looking into anti-spam options. That said, Check Point is the most adapted to our necessities.
I consider the price of this solution high. It is very good, however, the prices are high - it's like buying a car.View full review »
Security product manager at RRC
Their technical support can be better. In addition, when we need to use it in a government environment, we face a lot of legal issues related to different types of certifications. It would be better to improve it for these issues.
Check Point doesn't have a SOAR system. They work with Siemplify, but it is an integration with another vendor. It would be great if Check Point has an integrated SOAR system.View full review »
Check Point could do better to include acceleration technologies like SD-WAN in an integrated or embedded way to provide these new features that Check Point never had and is of great importance in the market.
Its competitors have this SD-WAN technology, if it were not for the fact that Check Point has been more stable historically, this value would weigh negatively for Check Point when choosing a solution.
If Check Point includes this feature, they will be able to cover those architectures where traffic between sites must be protected and accelerated.View full review »
System administrator at BINDER GmbH
Sometimes, the firewall has its peculiarities which you have to know especially when you want to set up a Site2Site VPN with a third-party vendor - specifically if you want to set up IKEv2.
The debugging of VPN tunnels is very stressful. Sometimes you don't know what the firewall negotiates with the other site, so you have to use the command-line for the VPN debugging. However, if you use both sites, the setup is very easy.
The speed could be better when installing policy changes. In the beginning, we didn't have all features active. Now, it is all active and it takes some time to install. This is sometimes annoying if you forget a small change.
Pricing for the gateways is too high as compared to the other vendors.
Whenever there is any issue comes checkpoint support ask to keep the gateway on the latest hotfix and OS which is difficult to roll out on all the gateways present in the customer environment.
Cyber Security Consultant at Capgemini
It's nearly impossible to add an exception for threat prevention services - like antivirus and anti-bot. You will be stuck with Indicators of Compromise marked as detect only, caching issues, and random effects.
There is no clear way to report incorrect classification to support and a business is neither happy nor forgiving when they cannot receive mail from a crucial business partner.
The KBs article should also be improved as all the global KB articles do not provide all the activity steps related to every issue.View full review »
Security Solution Architect
This solution requires management software that is sold separately; it's actually a different appliance altogether. For smaller customers or smaller environments, this becomes an added entity in the environment. Not to mention, they'll also have to invest a lot in the necessary management stations. If that came built-in, it would really benefit smaller businesses.
The performance when you enable decryption could be improved. That's a CPU-intensive task. Many customers struggle if they try to implement decryption — it can really hamper the performance. It's probably something to do with the appliance or the hardware design. This needs to be examined further.
Senior Solution Architect at a comms service provider with 51-200 employees
Check Point NGFW could improve by introducing machine learning and more modeling dividing the way they manage the ports. However, they have evolved over the last year.
Security Manager at FPT
It could be more stable and scalable. Check Point price and support could be better.View full review »
The interface can be more user-friendly in terms of the design and location of critical and commonly used icons.
They could add a web user Interface.
The web filtering and CLI commands need to be improved.
The CLI command is very difficult to deploy.
If you are an engineer and considering configuring through the command line, you can't. The command line is very difficult to use, which is one of the biggest drawbacks of this solution.
The initial setup could be simplified.
Technical support is another big drawback and needs to be improved.
In the next release, there should be improvements made to the sandboxing functionality.View full review »
ANDRES FELIPE GONZALEZ LUGO
PROFESIONAL GESTIÓN TIC at GOBERNACIÓN DEL TOLIMA
At the product and service level, I consider that it is within all the expectations that every organization has and each version includes functionalities that you may not have imagined, however, I do believe that they could improve in two aspects:
1. Administration Console. We need to be able to transfer the administration console to a web environment that does not require the installation of a client. On some occasions it is possible, due to specific needs, to have to do it from another computer or from a cell phone.
2. Protection of Web Applications. In our particular case, we have different web applications developed by the same organization, however, that requires a specialized protection element such as a WAF. Having this service or feature within the same solution would be very valuable.View full review »
Information Technology Security Specialist at AKBANK TAS
There are parts that are still on the SmartDashboard screen and that condemn you to use it, which should be removed and moved to the SamartConsole interface, which is the main screen.
In addition, when you want to open the gateway by double-clicking on the interface, sometimes it can cause silly problems such as freezing. To fix these problems, Check Point needs to get rid of the SmartDashboard screen completely. Also, there is a need for performance improvements in the interface so that when the data and rulesets are large, there is a need for performance improvements in the next versions.View full review »
In terms of what could be improved, I'd like granularity where you can have all the levels of policies that are defined.
In additional feature that could be added to this solution in the future is micro-segmentation, like Palo Alto has on the firewall itself.
Network Security Engineer at R Systems
The area where Check Point can improve is the antivirus, as it only provides a small number of updates for it. Updates should be more frequent.
In addition, the certification process is quite expensive. It should be a little cheaper so that everyone can be trained and certified and have better knowledge of Check Point's products.View full review »
Configurations can be complex in some situations and need experienced engineers for managing the solution.
Integration with a third-party authentication mechanism is tricky and needs to be planned well.
SmartView monitor can be enhanced to display granular details of gateways with a single click. Also, having the ability to generate alerts from the Smart Monitor would be a nice feature.
Senior Security Specialist at Tech Mahindra Limited
The URL objects take significant time in processing compared to other products like Cisco FTD; it would be better if they could improve it.
We have seen that whenever we configured URL objects, the CPU percentage went higher. Therefore, we started using IKP-based objects, however, in today's cloud world where every application is in the cloud and they change IPs on a random basis, whenever each new IP change happens, it's too risky to allow the whole cloud subnet (like Google or Azure). They need to therefore fix URL processing times.View full review »
Network Security Administrator at a financial services firm with 10,001+ employees
The product can be improved with fewer hotfixes, and if more generally available jumbo hotfixes were used.
We don't often hit bugs. It's perfectly normal for an NGFW device as other vendors are always fixing bugs too. However, when we hit a bug, the support team recommends some hotfix, and if we upgrade to that, we have to uninstall it before we apply some newer jumbo hotfix. If those fixes were included in a fast manner in the jumbo hotfix (as jumbo hotfixes are tested thoroughly for general availability), it would be ideal.
Director at TechPlayr
We are also working on load balancers. We don't have the option to work more with load balancers, we would like to see what else can come out of this in terms of security.
Technical support and scalability both require improvement.View full review »
IT Manager at a tech services company with 5,001-10,000 employees
Sometimes debugging is a hassle. We've had issues with VPN debugging in the past. In the more recent versions, later than R80.10, this seems not to be an issue anymore.
This year we tried to debug performance issues of the gateways, which was cumbersome. When we finally found the performance bottleneck, it was a licensing issue.
Check Point uses CPU-based licensing for OpenServer, and buying more licenses helped. However, this is the reason we're upgrading to Check Point appliances next year, as OpenServer becomes pricier every year, and Check Point pushes their customers to use their appliances.View full review »
Network Engineer at Fujairah Port
The list of site-to-site VPN configuration options is long. They can become confusing and communication with other vendors when deploying VPNs is not the strongest. It's totally different from any other VPN vendor I've encountered.
It lists the current threats identified on the appliance's front page. It would be easier to find information by clicking on the threat and clicking the exact logs, rather than all host logs.
The smart console is heavy. It would be better if it was like the web-based consoles that Palo Alto and Fortigate FW offer.View full review »
Solutions Architect Infrastructure and Security at a retailer with 1,001-5,000 employees
It should be user-friendly from an implementation point of view. Its setup is a little bit difficult.View full review »
This is something that doesn't directly affect us. However, I know VMware is not supported by the platform.
Also, it seems that plenty of features you may not know even exist unless you do some extensive, deep digging as they're not coming up in the initial configuration, so you have to go through the documentation to realize their existence.
Support is really good, so you may rely on them to learn more about these coded features I'm talking about, also to make the proper calibration for the rules/policies you're applying as they may not turn the results expected from the first config.View full review »
The network automation and security automation could be better. We need integration with more third-party security solutions.
We need two-factor authentication solutions for the virtual private network solution. We need a firewall or NGAV/EDR with lightweight resources that is still powerful for blocking and preventing attacks and malicious activity.
We need enhancement for our perimeter for our security zone, especially for network access control with portal authentication.View full review »
Head of Technology at African Alliance Plc.
Project Manager at SANDETEL
The number of physical network ports on the device should be increased to allow for greater capacity.
Another point of improvement would be to continue improving the integration line with our current NAC solution in order to exchange more attributes and increase the granularity of the implemented policies.
IT Security Officer at a tech services company with 1,001-5,000 employees
The SmartConsole to manage Checkpoint Next Generation Firewalls takes a long time to load and gets stuck sometimes. It could be due to a lot of rules and policies defined on the firewalls. However, SmartConsole software needs to be improved by having some more functions to make an admin's life easier.
Log queries are slow and take time to load.
Query functions need to be improved and should be quick to give the required information.
There should be filters having drop-down options to use and select during log analysis.View full review »
Chester at Iocane
Product-wise, I have no real complaints.
Potential improvements could be made around simplifying VPN functionality and configuration.
The main area that the organization can improve is around the lack of local, in-state technical support. Competitor vendors have a strong presence in the Adelaide Market, however, Check Point has always been limited with its commitment to staffing local technical resources. If this focus is made, I could see Check Point returning to the strength that it once had in the Adelaide market.View full review »
System Analyst at a comms service provider with 51-200 employees
The UI could use some improvement. It's not as clean or seamless as it could be.
It's my understanding that the initial setup is a bit complex. There's a bit of a learning curve if you're trying to set it up for the first time and you aren't familiar with the product.
Older versions were a bit unstable.View full review »
Engineer at a manufacturing company with 10,001+ employees
Check Point, of course, has flaws. As a Check Point Engineer, you must also be a Junior Linux Engineer as many things are happening on the command line in daily operation and almost all the time during troubleshooting. This makes learning Check Point a little bit harder than other firewall brands. The licensing was always a pain and is still a pain to deal with.
For the next release, we would like to have better ruleset cleanup tools that are already included. It would make security management tools obsolete.View full review »
The only thing I would like to improve is the updates. Sometimes when they bring on new upgrades, they affect something else. That happens sometimes. For example, something that was working well might have a new issue after an update. It's understandable as they do have like to add innovations. When you are innovative, you face some risks.
They have already announced that they will be adding SD-WAN as a new feature.View full review »
Senior Cyber Security Consultant at Yapi Kredi
If you have a long ruleset, you may experience performance issues on the GUI, and installing rule changes on gateways can take a comparatively long time.
If you use Check Point firewalls for a long time, it is inevitable to have long rulesets over the years. The need for using different GUI applications for different versions can be confusing. A backward compatibility feature for smart console versions could be useful - especially if you are an enterprise customer, you probably need to use different versions at the same time.View full review »
IT Security Manager at a retailer with 10,001+ employees
The solution could improve by keeping more up-to-date with technology. For example, if Amazon releases something in the security field, Check Point should have integration or adoption of this feature a bit faster than it is today. Sometimes we can hear a lot of the marketing information about an attractive feature, which we would like to have, but the feature will be released in two years. This timeframe should decrease.View full review »
Analista de suporte at NTSec
The Check Point could use more time to upgrade the VPN configurations console. At the moment it is not easy to configure some VPN S2S in Check Point. You need to keep opening several groups, objects, and options to configure one simple VPN.View full review »
This firewall is difficult to manage and use when you first begin using it. However, once you are used to it, the interface is comfortable and easy to use.
The Smart Control feature is hard to install.
In the future, I would like to see more features in the unified security management platform.View full review »
System Security Engineer at Ziraat Teknoloji
In some features, it is not easy to use the Check Point firewall.
The IPSEC VPN setup is not easy to configure. In some cases, if the VPN is not established, it is very hard to troubleshoot the configuration. It does not address the problem well.
The upgrading process takes too much time.View full review »
While the solution is good, we wish to have something that is a bit better, as the threats have evolved over time. We have been using Check Point for more than than eight years and are interested in a better solution. We entered a review site which ranks top security firewalls and saw that Palo Alto is ranked number one, followed by Fortinet, with Check Point in the lead. We noticed that Palo Alto was much more expensive than Fortinet, but wished to know which key features differentiated the two.
Though we did not take issue with the price of Check Point NGFW, we felt that it was providing us with inadequate support here in Uganda. This is why we decided to switch solutions. I should note that I do not have a technical background and am responsible for procurement.
The value we were getting for our money was an issue. I work for a bank for which security is very important, but we were not being assured of the appropriate support. The licensing fees we were paying did not equate with adequate local support. We had already had a bad experience with Check Point, so we did not bother with a quote from it and, instead, got one from several local companies that can support either Palo Alto or Fortinet.View full review »
Co-Founder at a tech services company with 51-200 employees
The reporting needs to be improved. I still don't have access to the reporting service.View full review »
Executive at a computer software company with 11-50 employees
The complexity could be fixed. It's a bit complex to set up, for example. They could make it a streamlined and easier process.
In a future release, it would be nice if they added web administration capabilities.View full review »
The interface could be better. There is much equipment that is involved in the monitoring of many clients in a single interface.
With other platforms, such as WatchGuard, it is very simple to manage four, five or six of these. We are talking about a lot of clients. The platforms for doing monitoring should be addressed.View full review »
Technical support could be improved. It's hit or miss in terms of the level of service and getting the answers you need.View full review »
Executivo de NegÃ³cios de TiC at a comms service provider with 10,001+ employees
The price is middling. It's much more expensive than Fortinet, although not so expensive when compared with Palo Alto.View full review »
Engineer at CENACE
I think the price of this product could be improved - other solutions are cheaper in comparison. In the next release, I would like to be able to perform sandboxing to check email attachments and information sent through the cloud for viruses.View full review »
We need east/west Check Point firewalls in order to do micro-segmentation. A good solution for us is a solution that can be installed on différent systems (Linux, Windows K8S, bare metal, etc.) and can have centralized management.
Troubleshooting is also a big feature that will be necessary in this use case.View full review »
Co-founder & CTO at a tech services company with 11-50 employees
I think third-party integration could be improved. We have also faced some performance-related challenges and there is some work to do in that area too.
Chief Information Security Officer and Founder at a insurance company with 201-500 employees
I'd like to see more integration with other solutions.View full review »
General Manager with 51-200 employees
The whole solution has room for improvement.View full review »
Sales Specialist-Network Solutions at a tech vendor with 51-200 employees
My customers complain that the interface isn't user-friendly.View full review »
Senior Cluster Manager at Bajaj Finserv
Tech support should be improved. There are times when the technical team fails to understand things at the ground-level.
The dashboard can stand improvement.
The solution is overly expensive.
The initial setup is a bit complex.View full review »
Technical Architect at a computer software company with 10,001+ employees
I would like to see Check Point add more cloud management features and better integration with LAN software-defined networking.View full review »
Business Development Manager - Security at a computer software company with 201-500 employees
Check Point is a bit difficult to use and manage so it would be nice to see some improvement in those areas.View full review »
There should be better integration with our current NAC solution to increase the granularity of policies that we implement.View full review »