Check Point Quantum Force (NGFW) Reviews

I support multiple clients within the UK, the EMEA region, the US, and now in Asia Pacific as well. I specialize in Check Point firewalls. I design and secure their data centers, their on-premises solutions, or their businesses security.

The firewalls are mostly on-premise because most of our clients are financial organizations and they have strict compliance requirements. They feel more secure and have more control when things are on-premise in the data center. However, there are use cases where I have helped them to deploy Check Point solutions in the cloud: AWS, Azure, and in Google as well. But cloud deployments are very much in the early stages for these clients, on a development or testing basis. Most of the production workloads are still on-premise in data centers.

Most of my customers are still using R77.30, and they are on track to upgrade from that to R80, which is the current proposed version by Check Point.

One of our customers has just recently been attacked by malware and internal DoS attacks, and they have a multi-vendor, multi-layer firewall approach. The internal firewalls are Check Point. The great thing about Check Point is that because of its central architecture, you can very quickly pinpoint where the attacks are coming from. It gives you comprehensive reporting when the attacks start and when they've stopped, so you can see the complete, end-to-end picture: where the point of attack is, at what time, and what host. They can track all of that.

However, in parallel, that customer is using other firewalls which have no visibility. One of the main advantages of having Check Point firewall is definitely that it gives you absolute in-depth visibility.

Among the valuable features are antivirus, URL inspection, and anti-malware protection. These are all advanced features.

One of the great advantages of having Check Point as a firewall is that all of these are software blades, so you can buy a license or subscription and enable them and get the security up and running. With other firewalls, it's a completely different agenda, meaning some of them require hardware modules, and some of them have a complex way of adding the licensing, etc. Check Point definitely has a great architecture, where you can just enable the software blades and deploy a secure service. Overall, it provides ease of deployment and ease of use.

The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay. That's one of the main complaints for most of our customers. Or if it is quick, then it's very complex. For example, if they have received a file which is "unknown" or has Zero-day attack malware, sometimes it doesn't get analyzed properly or it's locked into the cloud. So there are various small issues with the product that need possible improvement.

The SandBlast product on its own is a very good concept, and it works absolutely brilliantly. However, when you integrate it with existing firewalls, it just doesn't play very well.

The cloud solution is quite straightforward because it seems the SandBlast solution was designed, initially, for cloud deployments, where you've got multiple clouds or multiple vendors, and you are receiving files from different points. And on the cloud edge, for example in AWS, if you have Check Point sitting there, it works very well if you're running a virtual firewall. However, if it's on-premise and it's a dedicated appliance, then the performance is slightly different and the way it works is very different. So where it needs improvement is where it's an appliance-based solution rather than a software or cloud-based solution.

If I am using SandBlast on a virtual appliance — for example, I've got Check Point virtual appliances in AWS, and Azure as well, for a customer — those virtual appliances work absolutely fine as a service, as does SandBlast as a service. However, if it's an appliance, if it's a dedicated firewall on-premise in a data center and you add SandBlast as a software service, the integration is not that straightforward, so the experience is very different. 

It seems like they were possibly built by different teams, independent of each other.

I've been using Check Point firewalls for about 16 years. I am the main network or security lead and I have four other engineers who report to me. They also do design and deployment.

I work with approximately 40 companies that utilize Check Point.

Check Point firewalls are very stable. One good thing about Check Point is that they do rigorous testing internally before releasing updates, which is something I have not found with any other firewall products. With most of the other firewall products, when they release something, it's like the customer becomes the guinea pig for that particular version, whether a minor or a major update. However, with Check Point, you can see all the white papers and what ways they have tested a minor or major upgrade of the software version, and what the performance was like. What are their known issues and is somebody working on them or not?

So the software releases are very stable and you have visibility into how they operate and what the known issues are, so you know whether you should go ahead with them or not. And in case there is a problem, the support is excellent. You can reach out to Check Point and say, "Look, I've done the software upgrade and I'm experiencing these problems. How can I deal with them?" They are there to help you out.

There are times when we have problems in terms of software or hardware defects. We have sustained downtime, but most of the architecture I design is resilient, so if one device is down, the other one is working fine. Then in the background, I or my support team will deal with Check Point directly, to get a replacement. They're definitely quick to respond and very efficient. 

In the past, we had a lot of problems with licensing, specifically, but Check Point has redone the whole way they do licensing. It's very quick now, and very efficient.

Check Point firewalls are extremely scalable. Recently, I deployed Check Point in an AWS cloud solution for one of my clients, and it's been absolutely excellent in handling growth. They've grown from 10,000 users to a million users. The way Check Point has advertised the product, it is supposed to be highly scalable, which means it grows as your demand grows, and that has been the case. 

Recently we have set up a test case where we are moving over management servers from on-premise to a Check Point-provided Infinity cloud solution. We are still at the testing phase but, overall, it's been a great experience so far.

The teams we deal with within Check Point are extremely knowledgeable. They know how to understand the background of the problem, and they're very good about articulating how we deal with the issue, whether it's a minor software upgrade issue or it's a major failure of the hardware itself. They know where to look for the right stuff. The key point is they're very knowledgeable and very technical. And if somebody doesn't have the technical capability, they will definitely help you out to make sure you get to the bottom of the problem.

In the past, most of the customers I've worked with have used different firewall vendors, such as Cisco, Palo Alto, and Juniper.

I've recently seen deployments where customers have tried to move from Cisco ASA to Cisco Firepower and the deployment has gone horribly wrong because the product has not been tested by Cisco very well and is not a mature product. I've gone in and reviewed their business requirements and technical requirements and, based on that, I've recommended Check Point and done the design and deployment. They've absolutely been happy with the solution, how secure and how capable it is.

We use Check Point across multiple types of customers, such as financials, retail, and various other public and private sector organizations. I review their security architecture, which is firewall specific and, based on that, I have recommended Check Point. In most cases, I've managed to convince them to go ahead with Check Point firewalls as a preferred secure firewall solution.

The main reason is that Check Point is far ahead in the game. They're definitely the market leader. They are visionaries when it comes to security. Another reason is that a lot of firewall architecture starts from the firewall itself, which is the local firewall. It can easily be hacked and manipulated. However, the Check Point architecture, out-of-the-box, is very secure. They have a central Management Server and all of the firewalls are managed through that one central point. So in case somebody breaks into your firewall, the firewall is encrypted; they will delete the database. The architecture is secure by default. The good thing is that other firewall vendors have realized this and they've started to copy the same system that Check Point has used for the past 20 years now.

When working with the Check Point team on deployment, they're really helpful and very talented people. When you speak to other firewall vendors, they just think about the firewall from their point of view. The good thing about Check Point engineers, or technical staff, or even management staff, is that they understand what the requirements of business are and how they can improve or align the proposed solution. Overall, Check Point staff are very knowledgeable, they understand different industries, and they understand the product very well. That's definitely a competitive edge compared to other firewalls.

Once the design is done, for something simple the deployment can take half a day, whereas for a complex deployment in a data center it can take about five days.

Our implementation plan is divided into different phases. Phase One might be the physical cabling of the firewall device itself. Phase Two would be the logical setup, which means defining the interfaces and the virtual setup of the firewall itself. The final phase would be to bring it online in parallel with production, in a non-prod service, and test it to ensure it works as per the design.

A customer I'm working with right now was running with Check Point and they wanted to move to Fortinet firewalls. However, when I worked with them on the design to upgrade the existing Check Point firewalls, what we worked out was that even though the Fortinet might have seemed like a cheaper option, it didn't have the security capabilities that Check Point is offering. On that basis, the customer signed off on a project for upgrading their existing firewalls, on-premise and cloud, from R77.30 to R80.10.

It can be expensive, but it's value for money. What you pay for is what you get. You can go down in price and buy some cheap firewalls, but you're not going to get great support and you're not going to get the level of protection you need. With Check Point you get all of that.

With Juniper, one of the biggest downsides is support. The support portal is slow and I won't say the staff is competent in terms of understanding. They're very disconnected internally. What I mean is that the team working on the software development of the firewall has no interface with the support teams that are handling day-to-day TAC cases. They definitely struggle when it comes to understanding challenges, problems, and incidents with the firewalls.

In the past, Juniper firewalls were good, but recently the security offering has just not been there. They don't have anything like SandBlast from Check Point. They don't have up-to-date Zero-day attacks control. They're still running a very old architecture. They can do things like antivirus and URL proxy, but those are very simple features. They have none of the advanced feature set that Check Point has.

Palo Alto is very competitive with Check Point when it comes to security. However, one of the challenges with Palo Alto is that, overall, the solution can be extremely complex and expensive. That is one thing I've heard from customers again and again. Either they have existing Palo Altos or they plan to go to Palo Alto, but when they do a comparison with Check Point, what they find is that the overall value with Check Point is much greater than with Palo Alto firewalls.

If you're looking to implement Check Point as a security solution, definitely do your homework. Do some research, not just in terms of firewalls, but overall security architecture. Which ones are the leaders in the field? Which ones are there to deliver what they promise? And overall, how does the architecture work? Is it secure or not? And does it come from a team that understands how to support the solution itself? Are they consistent? Look at their track record for the past 10 or 15 years, or are they a new player? If they are, you don't know whether they're going to stay in the game or not. A good thing about Check Point is that its core product is security. They've been doing it day in and day out. You know they're there to stay in the game. You can trust them.

Check Point is a proven solution. A lot of customers and clients already rely on it. And for the Next Generation Firewalls, they're coming up with new features as security threats become known.

If somebody wants a secure and stable environment, Check Point is definitely the leader to go to; definitely the number-one choice. It's not only what it says on the box. In reality, I've worked with hundreds of banks and they're happy with the product because it works; in practice, it works. That's the main thing.

We use it for VSX virtualization and we use it for normal firewall functions as well as NAT. And we use it for VPN. We don't use a mobile client, we just use the VPN for mobile users.

We are able to virtualize about four firewalls on one machine. Before, we needed to have four firewall hardware devices, physical devices, from Cisco. We had four appliances, but now, with Check Point, we just have one. We can manage them, we can integrate them, and we can increase connections using one and the other. It has broken down connection complexities into just a GUI.

Also, previously we had downtime due to memory saturation with our old firewalls. We were using Cisco ASA before. During peak periods, CPU utilization was high. Immediately, when we switched to Check Point, that was the first thing we started monitoring. What is the CPU utilization on the device? We observed that CPU utilization stayed around 30 percent, as compared to 70 percent with the Cisco we had before, although it was an old-generation Cisco. Now, at worst, CPU utilization goes to 35 percent. That gives us confidence in the device. 

In addition, the way Check Point built their solution, there is a Management Server that you do your administration on. You have the main security gateway, so it's like they broke them down into two devices. Previously, on the Cisco, everything was in one box: both the management and the gateway were in one box. With Check Point breaking it into two boxes, if there's a failure point, you know it's either in the management or the security gateway. The management is segmented from the main security gateway. If the security gateway is not functioning properly, we know that we have to isolate the security gateway and find out what the problem is. Or if the management is not coming up or is not sending the rules to the security gateway, we know there's something wrong with it so we isolate it and treat it differently. Just that ability to break them down into different parts, isolating them and isolating problems, is a really nice concept.

And with the security gateway there are two devices, so there's also a failover.

• The most valuable feature for us is the VSX, the virtualization.
• The GUI is also better than what we had previously.
• The third feature is basic IP rules, which are more straightforward.
• And let's not forget the VPN.

The way we use the VPN is usually for partners to connect with. We want a secure connection between our bank and other enterprises so we use the VPN for them. Also, when we want to secure a connection to our staff workstations, when employees want to work from home, we use a VPN. That has been a very crucial feature because of COVID-19. A lot of our people needed to work remotely.

The VPN part was actually one of the most complex parts for us. It was not easy for us to switch from Cisco, because of one particular part of the integration: connecting the Check Point device to an Entrust server. Entrust is a solution that provides two-factor authentication. We got around it by using another server, a solution called RADIUS.

It was very difficult to integrate the VPN. Until now, we still don't know why it didn't work. With our previous environment, Cisco, it worked seamlessly. We could connect an Active Directory server to a two-factor authentication server, and that to the firewall. But when we came onboard with Check Point, the point-of-sale said it's possible for you to use what you have on your old infrastructure. We tried with the same configurations, and we even invited the vendor that provided the stuff for us, but we were not able to go about it. At the end of day they had to use a different two-FA solution. I don't if Check Point has a limitation in connecting with other two-FAs. Maybe it only connects with Microsoft two-FA or Google two-FA or some proprietary two-FA. They could work on this issue to make it easier.

Apart from that, we are coming from something that was not so good to something that is much better.

I have been using the Check Point Next Generation Firewall for 10 months.

The stability of Check Point's firewall, for what we use it for now, is pretty good. Especially, with the licensing of blades and the way they script it down into different managers. You have a part that manages blades, you have the part that manages NAT, and you have the part that manages identity. The VSX is another one on its own. So it is very stable for us.

When we add more load to it, when we go full-blown with what we want to use the device for, that will be a really good test of strength for the device. But for now the stability is top-notch.

They scale well.

All information passes through the firewall. We have about 8,000-plus users, including communicating with third-party or the networks of other enterprises that we do business with.

We've not used technical support. We asked our questions of the vendor that deployed and he was quite free and open in providing solutions. Anytime we call him we can ask. He was like our own local support.

There is also a Check Point community, although we've not really been active there, but you can go and ask questions there too, apart from support.

The initial setup was pretty straightforward.

It took a while about a month, but it was not because of the complexity. It was because we gave them what we already have on the ground. We were on Cisco before and they had to come up with a replica of the configurations for Check Point. When they got back to us we had to make some corrections, and there was some back-and-forth before everything finally stabilized.

Four our day-to-day administrative work, we have about four people involved.

We used a Check Point partner for the installation. I was involved in the deployment, meaning that while they were deploying I was there. They even took us through some training.

We have surely seen ROI compared to the other vendors I mentioned, in terms of costs. And we tested all the firewall features to see if it is doing what it says can do. And so far so good, it's excellent. It's a good return.

Check Point offers good solutions, but it won't kill your budget.

Going into Next-Generation firewalls, you should know what the different blades are for, and when you want to buy a solution, know what you want to use that solution for. If it's for your normal IP rule set, for identity awareness, content awareness, for VPN, or for NAT, know the blades you want. Every solution or every feature of the firewall has license blades. If you want to activate a feature to see how that feature handles the kind of work you give, and it handles it pretty well, you can then move to other features.

We evaluated Palo Alto, Fortinet FortiGate, and Cisco FirePOWER.

Check Point was new to the market so we had to ask questions among other users. "How is this solution? Is it fine?" We got some top users, some top enterprises, that said, "Yes, we've been using it for a while and it's not bad. It's actually great." So we said, "Okay, let's go ahead."

I would recommend going into Check Point solutions. Although Check Point has the option of implementing your firewall on a server, I would advise implementing it on a perimeter device because servers have latency. So deploy it on a dedicated device. Carry out a survey to find out if the device can handle the kind of workload you need to put through it.

Also, make it a redundant solution, apart from the Management Server, which can be just one device. Although I should note that up until now, we have not had anything like that.

I had 3200 appliances deployed in my company where we had two CMSs. We had multiple VSXs on those appliances due to the main firewall that we had on the VLAN. We also had an external firewall on the VLAN, which were used to monitor and allow the traffic within the network. That is how we were using it.

They have a new R81 in place. Currently, they also have R75 deployed in the environment, but they are planning to upgrade to R80.20 because that particular firewall has very high CPU utilization and there is no more support for R75. 

I like that it first checks the SAM database. If there is any suspicious traffic, then you can block that critical traffic in the SAM database instead of creating a rule on the firewall, then pushing that out, which takes time. 

The Anti-Spoofing has the ability to monitor the interfaces. Suppose any spoofed IP addresses are coming from an external interface, it won't allow them. It will drop that traffic. You have two options with the Anti-Spoofing: prevent or detect. If any kind of spoof traffic is coming through the external interface, we can prevent that. 

I like the Check Point SandBlast, which is also the new technology that I like, because it mitigates the zero-day attacks. I haven't worked on SandBlast, but I did have a chance to do the certification two years back, so I have sound knowledge on SandBlast. We can deploy it as a SandBlast appliance or use it along with the Check Point Firewall to forward the traffic to the SandBlast Cloud.

Working on Check Point for me looks simple. For the user or anyone else who is using Check Point, they are more into the GUI stuff. Check Point has its SmartConsole. On the console, you have to log into the MDS or CMS. Then, from there, you have to go onto that particular firewall and put in the changes. If the management console could be integrated onto the GUI itself, that would be one thing that I would recommend.

The ability for the multiple administrators to not do changes was fixed in R80.

I just changed companies six months back. I have been using Check Point for around two and a half years. I was working on the Check Point technologies in my previous company. I did the implementation of Check Point and was also monitoring the Check Point Firewall in my last company during firewall upgrades.

We had two Check Point Firewalls deploy in the HA. There was one particular change that we did regarding the FQDN objects. However, after deploying this new change, which already had multiple FQDN objects, the behavior of the firewall was changed in terms of the live traffic. Because after deploying the critical chain, the users were facing intermittent Skype and Office 365 issues. We checked the performance of the Check Point, which also decreased due to the FQDN objects that were pushed onto the firewall. Therefore, we had to reverse back the change in order to increase the performance, because it was utilizing 80 or 90 percent of it. Once we reversed that particular change, then it was working fine.

These firewalls are stable. The customer is looking forward to upgrading to the latest version of Check Point.

It is scalable.

The entire company network resides behind these particular firewalls. All of the users, if they wanted to go out onto the Internet, have to go through this firewall.

There are around five to eight people who worked for my team. We monitored the firewall. In case of issues, we would then go a call with the customer and troubleshoot that issue.

Sometimes, I faced issues while troubleshooting. In those cases, I did have to contact Check Point's technical support because some of those issues were complex. 

I would give the technical support a four out of five. They would get on the call and try to resolve that issue as soon as possible. 

Initially, I was working on the Cisco ASA Firewall, then I got an opportunity to work on the Check Point Firewall. The main difference is regarding the architecture. Check Point has three-tier architecture, whereas ASA doesn't have that architecture so you have to deploy every rule on the firewall manually. With Check Point, you have a management server and you can have that policy package pushed onto the other firewall, which is one of the key features of Check Point: You don't have to deploy every tool on the firewall manually. We can just push that particular policy package onto the new firewall based on global rules that we have Check Point. 

Every time, I had to deploy all of the rules and basic connectivity, SSH and SNMP management, on the ASA Firewall. Whereas, in Check Point, I can just go onto the global rules and put that policy onto the Check Point Firewall, then it will have all those global rules required in the company.

Check Point also has the Identity Awareness feature, which is using a captive portal. This is something good which I like. 

It was pretty easy and straightforward for me to deploy these firewalls.

It took around the 15 days to do the initial deployment and get the basic connectivity to the Check Point Firewalls. We had to send a field engineer to do the cabling and everything, like the data connectivity. It takes time to do all the network, cabling, etc. Once the basic connectivity is established, then we can move ahead with the implementation of the rules on the firewall. The company had an initial set of rules to follow for the setup.

We initially opened a case regarding the upgrade. Check Point's technical support was there on the call because the upgrade was going from version R77 to R81.10. This was a major update for the entire network, and they were there supporting us in case of any issues.

The customer feels more secure because they have two layers of security and comfortable working with this particular Check Point Firewall because they previously used Check Point R75. 

Pricing is fine. 

We had to get separate licenses for the different blades. It would be nice to have a feature where we can get the multiple licenses all-in-one instead. 

The licensing feature is good for the Check Point. It attaches to the management IP address of the central management server. So, you can remove that particular IP and then use that license on another device on some other firewall, if you want.

Compared to the Cisco ASA Firewall, the Check Point Firewall makes your work easier because you're not deploying the firewall, then pushing the policy, which takes time. Initially, when I was working with the ASA Firewall, we used to implement the firewall, then we used to hand it over to operations for the maintenance. So, I had to manually implement all of these rules, etc. 

When I learned about Check Point and had basic training for it, I got to know the architecture was different for the Check Point Firewall. You can just have a policy package and deploy that policy package on any of the firewalls that you want. It already has that particular set of rules, which makes your life easier while implementing the rules on the firewall, e.g., if there are multiple firewalls on the network that should have the same policy.

Anyone who is new to Check Point Firewalls should have the basic understanding and training so it becomes easy to deploy and implement. You can go onto YouTube and find various training videos regarding Check Point, where you can get a basic understanding of the Check Point Firewall.

I would rate this solution as an eight out of 10.

For the SMB appliances, the use case is tricky because I don't actually like them too much. If you have a very small branch office, you could use one of them, but in that case I would just go for the lowest version of the full GAiA models. But for small locations that are not that important, it is possible to use one of the SMB appliances, the 1400 or 1500 series. 

The full GAiA models, starting with the 3200 and up to the chassis, are the ones we work with the most, and you can use them in almost every environment that you want to secure, from Layer 4  to Layer 7. The only reason to go higher is if they don't perform well enough, and then you go to the chassis which are for really big data centers that need to be secure.

About a year or a year-and-a-half ago, they introduced the Maestro solution, which gives you the flexibility of using the normal gateways in a way that you can extend them really easily, without switching to the chassis. You can just plug more and more gateways into the Maestro solution.

It's difficult to say how these firewalls have improved our clients' companies because a firewall isn't meant to improve things, it's meant to make them more secure. Nine times out of 10, it's going to give you something that the end-users aren't so happy with. But Check Point Next Generation Firewalls improve security and, indirectly, they improve the way users work. They can access practically everything on the internet without being concerned about what's going to happen. They give users more confidence when doing something, without having to worry about the consequences because the gateway is going to help them out where needed, preventing malicious stuff.

The feature I like the most is their central management, the Smart controller which you can use to manage all the firewalls from one location. You can get practically all information — but not all the information, because not everything has been migrated from the previous SmartDashboard version into the SmartConsole. Being able to access almost everything in one location — manage all your gateways and get all your logs — for me, is the best feature to work with. 

As for the security features, that depends a bit on what you're doing with it, and what your goal is. But they're all very good for application URL filtering. Threat Prevention and Threat Extraction are also great, especially the Threat Extraction. It's very nice because your end-user doesn't have to wait for the file that he's downloading to see if it's infected, if it's malware or not. It gives him a plain text version without active content, and he can start working. And if he needs the actual version, it will be available a few minutes later to download, if it isn't infected. That's a great feature. 

Anti-Bot also is also very nice because if a PC from an end-user gets infected, it stops it from communicating with its command and control, and you get notification that there is an infected computer.

It's difficult to distinguish which feature is best, because they're all good. It just depends on what your goals are. As a partner, we are implementing all of them, and which ones we prioritize depends on the client's needs and which is the best for them. For me, they're all very good.

The MTA (Mail Transfer Agent) may not be the greatest, and the full proxy that you can activate instead of just doing application control is also not the greatest, but they don't even recommend using those. They're just available if you want.

But the biggest improvement they could make is having one software to install on all three levels of their products, so that the SMBs, the normal models, and the chassis would all run the same software. Now, while there is central management, everything that has to be configured on the gateway itself works differently on the three kinds of devices. That is a bit hard because you have to update your skills on all three.

A practical example is that I have a client that I run scripts for to get information from 40-plus firewalls. That client is thinking about refreshing and there may be SMB appliances in the roll-out that don't run those scripts. That would make my job a lot harder. So the best improvement would be standard software on all their devices.

I started working with Check Point firewalls in 1999, so it's been about 20 years. In the last year I have worked with all the SMB appliances, through the full GAiA and up to the 64000 series.

There's not much difference between a Check Point 3200 and a 5200 because they're running the same OS. There are just performance differences. So I can't say I've worked on every model, because I don't always check the model when I come to a client. But I've worked on every model that runs different software. I've worked with all three kinds of software that are used by Check Point.

The SMBs have room for improvement in stability. They're not as stable as they could be.

The chassis are great, but they are running behind. Maybe "running behind" is an overstatement, but the roll-out of new features on them is really slow because they want them to be tested and tested and tested. The clients installing these chassis are large banks or very large customers that can't have any downtime whatsoever, so it's normal that they test them more thoroughly. 

For the mainstream models, we do run into bugs on a regular basis, but they're mostly not showstoppers. You can run into a bug, but either there's a possible work-around or it doesn't impact things so much that there are huge problems for the client.

The SMBs are not scalable. New devices come out from time to time that are more performant. The mainstream devices are also not scalable except if you go with the Maestro version, and then you can just plug in an extra firewall and it scales up. With the chassis you just plug in an extra blade and it scales up also. So the Maestro and the chassis are very scalable, but for the other models it comes down to buying new boxes if the current ones aren't sufficient anymore.

Check Point support is a very difficult question because not so long ago I had a major complaint with Check Point about their support. Now, they give us much better support because we have the highest level of partnership. They recognize that the people from our team, in particular, are very skilled, so we don't go to first-level support anymore. The moment we open a ticket, we get tier-three support, and that is good.

But we haven't had this privilege for that long and, in the past, support could be a bit tricky. If we got a tier-one engineer it could be okay for support that wasn't urgent but if we were doing an implementation, especially since we had a lot of experience, they were mostly asking questions about things that we had already checked. Often, we had more knowledge than they did.

For us, it's great that we now immediately get access to tier-three. I just wrote an email to the support manager this morning about an issue we had last night, and I told him the support was great; no complaints anymore. It took a while, but now it's good. I can't complain anymore.

It depends on the partnership you have with Check Point. If you're a lower-level partner, you have to go through the steps and it takes a bit of time. If you're working in a company that has a good partnership and you can negotiate some things, then support is good and you get very good people on the line.

The initial setup of these firewalls is fairly straightforward for me, but they're not the easiest ones to learn and to set up. But I've been working with Check Points for 20 years. So if you're a new user, I wouldn't say it's easy. If you have experience, it's not really that difficult. But the learning curve is higher than some of the competitors.

The time for deployment depends on the features you want to enable on the firewall and the environment you want to put it in. If it's a branch office with a small network, a DMZ and an internet connection, that would take half a day or a day. It also depends though on if it is a completely new installation where you also have to install a Management Server. On average, we count on about one day per gateway and one day for the management, but it depends on the complexity of the environment, of course.

Our implementation strategy differs per client, and it even differs by the engineer who does it because everyone has his own skills and tricks from the past that they're using. But a uniform implementation approach, especially for different clients, is very difficult to do because every firewall is a complex product. You can't do for client A what you're going to do for client B.

If it's an installation we go the standard route, with a high-level design and get it approved by the clients. Then we go for the low-level design and implementation. A standard implementation is a clustered environment with a separate Management Server. We almost never deploy one gateway, so one cluster with a separate Management Server is the most basic level. We usually set up the management on a virtual system, not an appliance, and we try to go for appliances for the gateways, depending a bit on the customer's needs; it could be virtual.

Make sure you get the correct license. For instance, I did an audit for one of our clients recently and I saw that they always were buying the most expensive license and not using the features that were included in it. That's one thing to look at: If you're not going to use some features, don't buy the license related to those and go for a cheaper license. 

Also, negotiate. There's always room for discounts.

You get licensing bundles, so depending on which features you want to activate, your license is going to be more expensive. Some things, like Threat Extraction and Threat Emulation, require subscriptions. They don't come with a standard firewall. 

I'm not a licensing expert, but as far as I know there's the standard firewall, the Next Generation Firewall, and then the Next Generation Threat Prevention license. The price goes up in those bundles.

Another vendor I work with and have the most knowledge about, when compared to Check Point, is Palo Alto. They force you to work a bit more with applications instead of ports, although that's not something Check Point cannot do. 

The central management is different for Palo Alto. You can install it, but it doesn't work the way it works with Check Point. I like both. I like that with the Palo Alto you just go to a web browser and can configure the firewall all the way, but it's also easy to have the SmartConsole from Check Point where you can manage multiple devices. Palo Alto doesn't really have that. They have a central manager where you can get logs and where you can distribute some policies, but it doesn't work the way Check Point's central management does.

Both have their pros and cons. It depends on how you like to work. I like working with both of them. It's a bit different, but in terms of security and features, I don't think they're that different. It's just another way of working.

Make sure you have a good partner doing Check Point work for you because, as a direct client, it's very hard to get the necessary skills in-house, unless you're a very big company. Contact Check Point and ask them which partner they recommend and go that route. Don't try to do it yourself. The firewall is too complex to set up and maintain yourself, without the assistance of people who do it every day.

Learn and get experience with it. Don't be overwhelmed. When you start with it all the features and all the tips and tricks that you need to know to maintain it, it can be overwhelming. Like I said, the learning curve is very steep, and when you start with it, it's going to look like, "Whoa, this is impossible." But stick with it and when you get some experience it's going to be okay. It's a difficult product, but once you get the hang of it, it's one that's really nice to work with. We still run into issues from time to time, but Check Point products are very manageable and fun to work with. Check Point is my favorite vendor. I like working with it a lot.

I would rate Check Point's mainstream solutions at eight or nine out of 10, and the same for the chassis. I would rate the SMBs around a six. I don't really like those too much. Overall, Check Point is an eight, because most people are going for the mainstream solutions and those are very good.

We use several of the blades. We use it for regular access control, but we also use the application control. We use HTTPS inspection and threat prevention. We use the Mobile Access blades as well IPS.

We have a Smart-1 205 as our management server and for the gateway we've got 3200s.

Over time, we've enabled different blades on the firewall. We started off with the access control policy, and since then we enabled the HTTPS inspection and the IPS blade. That's helped reduce our risk landscape as a whole.

The simplicity of the access control is the most valuable feature for us. It gives us the ability to easily identify traffic that is either being allowed or denied to our network. The ease of use is important to us. The more difficult something is to use, the more likely it is that you'll experience some type of service failure. When we do have issues, with the Check Point SmartConsole being as simple as it is to navigate, it makes it easy for us to identify problems and fix them, to minimize our downtime.

I would like there to be a way to run packet captures more easily in the GUI environment. Right now, if we want to read packet captures, we have to do so from the command line.

We have been using Check Point's NGFWs for as long as I've been with the Department of Mental Health, so it's three years that I've personally been using them.

Based on other networking hardware that I've used, I would say the Check Point NGFWs are just as stable, if not more so. We rarely have any issues. In the past, I've experienced networking hardware often needing to be rebooted. That's not something that happens with these devices. They're on 24/7 and we have next to no downtime. I can't think of a time in my three years here that one of the devices has gone down and caused us any downtime.

We've already purchased a new management server from Check Point, and it will be replacing our 205 appliance. They make it easy. These devices inter-operate together, so if we need more resources, for example, on the management end, we're able to buy that server and replace our old one and scale up as needed.

As far as users are concerned, we have 70 locations throughout the State of South Carolina with a total of 400 to 500 devices that can be connected at any point in time.

I would think we have plans to increase our usage. We work in tele-psychiatry, for the State of South Carolina, and telemedicine right now is a hot topic. I see it very likely that our usage could double and triple in the coming years.

We've had an issue with licenses not populating to a new device, but that is the only thing we've ever called them for in relation to replacing or adding in a new device.

They're very helpful. They're easy to get in touch with. It's not like you're sitting there on hold for hours at a time, and they're quick to get back to you. It might be that they're taking packet captures and analyzing them and then getting back to you. It's a quick turnaround. I can't think of any time we've ever had to wait more than 24 hours to get an answer on an issue we've had.

I have set up replacements and it's very straightforward. It's very easy. It's much easier than some of the other network equipment that I've had to deal with. Check Point provides a wizard that walks you through the process and that streamlines the entire process. They also provide instructions on how to go about getting to the wizard and the process that we needed to take to complete that configuration. It was relatively painless.

The replacement was configured in one day and deployed the next, with no issues.

There are five of us in our company who have management access. I'm the network administrator, and I've got four IT technicians who work under me and assist in the firewall configuration and deployment.

I don't believe we've ever had to actually call Check Point to assist with anything. It's pretty straightforward. The wizard does most of the work and we have all the instructions we need. It's pretty much all done in-house.

I definitely feel it's been worth our investment. Check Point is there to help when we need them. Our downtime has been very minimal, and when we do have issues, they're there to help us. They're there to get us back up and running as quickly as possible. It's definitely been worth its weight.

One of the main reasons that we went with Check Point is that they provide a good solution for a firewall but at an affordable price. As a state agency, we can't afford Cisco Firepower. It's just out of our budget to be able to pay for something where licensing and hardware are so expensive. Check Point has really met our needs for a budget-friendly solution.

We pay a yearly support fee in addition to the standard licensing fees with Check Point.

I've worked with Cisco routers and firewalls. I've worked with Ruckus switches and routers, and Aruba access points.

A drawback with these products is their stability. Almost all other networking devices I've seen need to be rebooted over time. If they're left unattended for extended periods of time, we experience some sort of downtime. That is not an issue with our Check Point products.

Do your research and look into cloud solutions. Check Point offers many cloud services, and that's where everything's moving, towards the future. Research the different appliances and solutions that Check Point offers and find out what works best for your particular situation.

The biggest lesson I have learned from using Check Point's firewalls is not to be afraid to call for help. There are times where I may be trying to figure something out myself, when in all reality, all I need to do is call Check Point customer support. They'll explain to me why something is configured a certain way, or if there's a better way that I could go about configuring something, and things of that nature. They have been very helpful and have saved me time, anytime I've called.

I can't think of any additional features their NGFW needs that we don't already have access to. I know there are features such as moving the dashboard toward the cloud, and I think that's beneficial, but it's something they already offer. We just don't take advantage of it right now.

The reason we have the Check Point Next Generation Firewall is that it's our main perimeter firewall in all our branches around the world. It secures the IT infrastructure in all of our environments and our subsidiaries. We also use it to set up tunnels between all our sites.

We have multiple versions from the legacy R77 to the latest R80.40.

In today's world, there are a lot of risks related to infrastructure security, malware and more. The Check Point has multiple blades in the same product, which improve security in IPS, application control, and URL filtering. You don't need to buy multiple, separate products to achieve the best security.

The basic most valuable feature is the firewall itself.

The management platform, dashboard, graphical user interface, are one of the best, if not the best, in the business. It's the most intuitive and it's really user-friendly in day-to-day operations.

The VPN means you can communicate in an encrypted manner between sites. 

The application control and URL filtering are also very beneficial. They enable you to tighten security and decide which applications or websites you want to grant access to. In our company, we don't allow anyone to freely access the internet to surf all websites. Some sites may be sensitive and some of them may be inappropriate. It allows us to control the traffic.

Their management features are the best, from one point of view, but they are too heavy. For example, if you are looking at a configuration file, you can't just browse through it and see all the configurations like you can with other vendors, like Cisco and Fortigate. With those solutions you can just go over the configuration file and read all the objects and the policies, etc. 

Because of the Check Point architecture, the data file itself is huge if you're comparing it to the data files of other vendors. The difference is something like 3 Mb to 1 Gb. It's not so straightforward. 

The data process is also not so simple. You don't just load a text file which has all the configuration. It's a more complex process to restore it from a backup, when it comes to Check Point.

I have been using Check Point's NGFW for approximately 10 years.

One of my issues with Check Point is the stability. There have been too many bugs, over the years, when I compare them with other vendors. Their QA team should do better work before releasing their GA versions.

If you're looking for scalability and you need to add more power and performance and to scale up, they have a new solution, but I haven't used it yet.

In terms of the extent of our use, it's our main firewall. Everything flows through it.

We currently have four direct users and all of them are security engineers. I'm doing most of the deployment and the others are responsible for the day-to-day operations. In the overall company there are more than 10,000 users, and the traffic throughput is around 10 Gb.

They have a very extensive Knowledge Base on their website, which is very helpful. But if you contact their technical support, not all of them have all the skills. If you open a ticket it may take a while to be resolved. It can take more than a month until they finally escalate it several times internally and then, finally, find a solution. But the first tier is not too technical.

The previous solution, Contivity, was before my time in this company and I don't think it even exists anymore. The Contivity was only a firewall and our company wanted more features and benefits. It didn't have next-generation firewall options, like URL filtering, user identity, and IPS. As risks evolved in the data security field, our company needed to adapt.

The complexity of the setup depends on which branch we're setting it up for. If it's a new branch, we can spin up a new firewall in less than an hour or so, do all the configuration, and it's ready for production. But if we're replacing an existing solution, the migration process may take some time and the people involved need more extensive knowledge, compared to spinning up a new firewall.

If it's a complex environment and you're migrating from one solution to another one, or even from an older version to a new version within the Check Point platform, I would recommend not to do it by yourself. In those cases you should use a third-party partner or Check Point Professional Services.

I did most of my deployments by myself, but in our headquarters, where there was an older version of a Check Point version, and they wanted to migrate to a new one, I used a partner. The partner I used was SafeWay, a company in Israel. They have quite extensive knowledge and they are very professional.

It's hard to measure ROI in financial terms, but our productivity has gone up with the new version of the R80 because we don't need to wait for one administrator to log out of the management system for another to be able to log in. Multiple administrators can now work simultaneously on the platform. That productivity increase can be seen as a form of ROI.

Use the basic sizing tool to do the correct sizing so you don't waste too much money, because it's not a very cheap solution when compared to other vendors. There are other vendors that are more affordable.

There are no costs in addition to the standard licensing fees, except maintenance.

We have not evaluated any other options.

My best advice would be, if you are not as skilled, that while you don't really need to use the Check Point Professional Services, you should use a partner that has good knowledge of the device. If it's just a straightforward deployment without all the features, it may look simple but there are too many options. Eventually, you may use 30 percent of them. I don't think you will use 100 percent of all the features that are available.

Overall, I'm a little bit disappointed because of the numerous bugs that there are.

I would rate it at seven out of ten because their management platform and the dashboard. It's the most intuitive and user-friendly in day-to-day operations, as long as you're not dealing with the bugs.

We primarily use the product to block traffic at the application layer, limiting access to YouTube and social media during busy periods while allowing it during lunchtime or office hours.

The product's primary benefits include effective intrusion blocking and improved network management. 

I appreciate the support provided as well. It is highly reliable and has a prompt response time. 

The system's operation could be enhanced. I recommend developing a management console that can more efficiently handle multiple Check Point devices, as we have multiple appliances across different sites. 

We have been using Check Point NGFW since 2016 for approximately eight years.

There are occasional issues, but they are typically resolved with subsequent updates. I rate the stability a six out of ten. 

We have three sites where we use Check Point NGFW. The first site has about 1000 users, the second site has between 800 and 900 users, and the third site has approximately 100 to 200 users.

I rate the product scalability as two out of ten. Improvement is needed as it could be more convergent, particularly for on-premises solutions.

We are currently using Check Point, Palo Alto, and Cisco.

Check Point's advantages include its lower cost than Palo Alto. However, it requires maintenance of many parts, as it is only partially GUI-based. In contrast, Palo Alto is mostly GUI-based, simplifying operations for our IT security team.

The setup process was straightforward. Some aspects in terms of maintenance are easier due to the GUI-based interface.

We took help from a consultant for implementation. 

I recommend Check Point Firewalls. It is a solid product with reliable support and frequent updates.

I rate it an eight.

In our logistics setup, we employ Check Point NGFW across various critical areas. For instance, we use it to secure different database applications within our systems, ensuring robust protection for our operations. Whether it is managing updates, maintaining standby reliability, or enhancing system performance, Check Point NGFW plays a vital role in safeguarding our logistics infrastructure.

Using Check Point in our system has provided several benefits. Firstly, it ensures secure access for authorized users while preventing unauthorized access from public users. Secondly, it enables us to monitor application usage closely, identifying any suspicious activity such as repeated failed login attempts. 

Check Point NGFW provides essential security, featuring no-obligation access for secure connections, strong intrusion prevention, and comprehensive antivirus protection.

One area for improvement in Check Point NGFW is the support process. It can be challenging to open a technical support case through the customer portal, often requiring additional steps to open the case.

I have been working with Check Point NGFW since 2015.

We have not experienced any major stability issues with Check Point NGFW.

Check Point NGFW is fairly scalable.

The technical support is decent. I would rate them as an eight out of ten.

Positive

Setting up a new Check Point NGFW is generally straightforward for us. With our experience and familiarity with the process, we can handle it without encountering any significant issues. We are used to creating simulations and implementing improvements, which facilitates the setup process, even at an intermediary level. We usually require two engineers for the deployment process, along with additional resources like network switches, PCs, and testing equipment.

The pricing for Check Point NGFW tends to be higher compared to other options in the market, especially for high-end models. In comparison with enterprise-grade firewalls like Palo Alto, Check Point is among the more expensive choices.

My recommendation for organizations considering implementing Check Point NGFW is to prioritize selecting high-end models for optimal performance and security. Check Point NGFW offers robust protection for networks and data, allowing businesses to maintain their operations with confidence. Overall, I would rate Check Point NGFW as an eight out of ten.