Check Point Remote Access VPN Reviews

The Mobile Access VPN is used to provide users with remote access to company resources.

Users can access the system at any time from corporate laptops as well as home PCs.

It is also possible to connect from Android and IOS mobile devices.

We also use the functionality of the secure Capsule Workspace container to securely provide access to corporate Web resources and mailing services from mobile devices.

It is also possible to provide restricted access to partners via SSL VPN using the Check Point Mobile Web Portal fine-tuning.

This solution allows users to connect from any location. The system is very flexible. We can easily control access and view statistics on the usage of this functionality.

We are also happy with the overall stability of the operation, the easy configuration on the gateway side, and the ease of deploying clients to endstations.

The user device verification functionality allows us to prevent connections if a device does not comply with corporate security policies until the device has met all requirements.

When working with different groups of users, we can easily set up both standard authentication by username and password and use two-factor authentication such as SMS + username and password or certificate + username and password. This definitely increases security and allows you to control access.

It is also possible to use third-party tools to customize HTML5 access. For example, the connection is made without the need to install any client on the user side.

Access is browser-based only and requires no additional client installation.

We would like to implement HTML5 (clientless access) in the product without installing any additional software.

It would also be desirable to be able to segregate the different authentication methods by domain user group.

Unfortunately at the moment, the division is only between domain and non-domain users.

What we also miss is control over the workstations for non-domain PCs that the client is installed on.

It would be nice if we could block such connections based on, for example, the machine name or connection ID.

We have been using this solution since 2007 and started with the R65 version.

We've used Check Point VPN to move from an on-premise VPN Cisco product to a VPN built on the cloud. We decided to use Check Point as it was fully integrated with Microsoft Azure and present on the Azure marketplace. We deployed this solution on different subscriptions and used the MEP function to reduce users' latency on the VPN. The implementation has not been very easy, and the implementation of MEP has taken months. There were a lot of hotfixes to install, and the CLI configuration on the files had to be done. The configuration, in fact, can't be implemented using a GUI.

The solution has allowed us to remove the on-premise VPN solution and to remove firewalls from the data center. The solution implemented on the cloud allows us to easily scale in cases of increased users - such as during the pandemic, where all users had been moved to Smart working and to a VPN. In fact, in February of 2020, when we closed all of our offices and gave all users the possibility to work from home, we had licenses and CPU problems on-prem. The Check Point solution offered us an unlimited number of users and that made the solution very scalable.

I found the MEP feature the most valuable. This has improved users' latency allowing the users to connect to the nearest Azure Check Point VM. 

The Multiple Entry Point (MEP) is a feature that provides high availability and load sharing solution for VPN connections. A security gateway on which the VPN module is installed provides a single point of entry to the internal network. It is the security gateway that makes the internal network "available" to remote machines. If a security gateway should become unavailable, the internal network is no longer available as well. An MEP environment has two or more security gateways to both protect and enable access to the same VPN domain, providing peer security gateways with uninterrupted access.

The main problem with Check Point is that some configuration can be done with the smart console in GUI, however, some others need to connect to the firewall via the CLI on SSH and therefore you will need to modify the local file on the firewall with VI. 

ASA is so easy to reserve some static IPs based on users, however, in Check Point, it is really difficult to do so. In addition, you can't reserve as static some IP that you are assigned dynamically to a local pool. 

You have no ability to reserve a total number of licenses. The VPN user licenses are assigned per gateway, and if you enable the MEP function is not so easy to size the gateway licenses. 

The configurations that you do to modify local files are not reflected in the GUI via the smart console. 

We have been using this solution since 2020.

The solution isn't really stable. Maybe the last versions of R80.40 and R81 were more stable, however, the upgrade (if you have another old version) is really difficult and you have to rebuild the solution (if you are on Azure cloud).

The solution is really scalable. You have to know that if you want to scale the solution you will have to configure and rebuild an SMS server with high CPU/memory resources, however.

Unluckily the experience with support, especially in India, is really poor. It's best if you open a case using the Israeli team as that one is better.

Yes, we were using CIsco ASA on-premises. We switched because we were moving our data center infrastructure onto the cloud.

At first, the implementation was not easy to set up. We found many bugs and we had to install different hotfixes and upgrade the version more than one time.

We implemented the solution via a hybrid approach. Check Point professional service is really good, however, our third-party implementation team was not very good.

At the moment, we have not reached the ROI point.

I'd advise users to pay attention to the sizing of the solution. There is not an intermediate number of licenses. It's very easy to go to unlimited users licenses.

We have gone with the Check Point solution due to its cheap price. Other options we considered were Palo Alto with Global Protect, Zscaler with ZPA, and Cisco Firepower implemented on Cloud.

I suggest that if you want to implement this Check Point solution you should have good knowledge of the system as well as a system integrator or direct contacts in Check Point. In case of any issue, the support is poor and it's not easy to solve issues using technical support. 

We use Check Point Remote Access VPN to connect to the back-office applications.

Check Point Remote Access VPN could be more user-friendly.

I have been using Check Point Remote Access VPN for approximately two years.

Check Point Remote Access VPN is a stable solution.

We have approximately 2,000 users using this solution. We have plans to increase the usage of the solution.

My internal team does some technical support for our employees. I have not contacted the support from Check Point Remote Access VPN.

I have used Microsoft Defender Endpoint previously. I found it to be much more user-friendly than Check Point Remote Access VPN.

The installation of Check Point Remote Access VPN is straightforward. The time it takes for the client installation is two minutes. It is a standard installation.

I did the implementation myself. We have our IT department that is supporting and doing the maintenance of the solution.

There is a license required for this solution.

I rate Check Point Remote Access VPN a seven out of ten.

Remote Access VPN is one of those essential items for every organization in order to maintain seamless and highly secured connectivity between the end-user and the organization's local area network to access resources - including Jump server Databases, et cetera.

No matter from which device or from which location users are accessing an organization's local resources, with the help of the Check Point VPN client they can make sure they have connected securely.

Check Point offers a best-in-class encryption algorithm to ensure confidentiality and maintain integrity between the end-user and the Gateway. 

In disaster situations like Covid-19, most users were working from home or in remote locations. In such cases, Check Point Remote Access VPN provides feasibility to everyone to work from home and access an organization's resources remotely.

With a client-less configuration known as SSL VPN users can directly access resources via a browser-like database, share folders, et cetera.

To maintain the authorization of the connected user, Check Point provides multi-factor authentication for an RA VPN client to make sure legitimate users have access to resources.

• Secure connectivity: Guaranteed authentication, confidentiality, and data integrity for every connection and user.
• Straightforward Configuration: Easy to enable blades and define policies.
• Authentication: SAML authentication makes sure the user is legitimate.
• Compliance check: It scans the endpoint machine to detect suspicious/malicious content before connecting to an office network.
• MEP: Multi entry points to make sure there's availability to the LAN network even if the primary gateway goes down.
• A single client can work as sandblast agent.

Check Point RA VPN requires companies to take separate licenses initially so that only 5 connected users licenses are given as subscriptions. Most other competitors, like Palo Alto, provide 1000 connected user licenses for free.

Some configurations, like idle timeout (the requirement came from multiple users), are not possible to configure directly from the Check Point management server. We have to make changes in the local directory of the respective devices.

I've used the solution for more than three years.

The solution is highly stable.

Check Point has an Unlimited License Package for the RA VPN and therefore we can scale it easily.

Customer service has a dedicated team that handles RA VPN cases which ultimately leads to an early resolution.

Migration has taken place such as from Cisco to Check Point and Sophos to Check Point. During that phase, the customer needed to change the VPN client as well.

Browser-based functionality is one of the best things that Check Point provides.

The initial setup is straightforward during the initial configuration.

The setup is very straightforward but subscription-based. It isn't cost-effective.

We did look at Cisco Anyconnect and Palo Alto Global Protect.

We use a Check Point Endpoint Remote Access VPN client along with Check Point SSL VPN, which allows users to connect to our firewall who don't have the client, e.g., if they have a MacBook, then we don't have a client for them. We allow them to connect to the firewall over the browser. That had a bunch of problems, but they have resolved those this year. 

The use case is to allow people to connect to our firewall on-premise. We also have Check Point firewalls in the cloud, which people can connect to as well. Then they can access resources either in our on-premise environment that they need to access, such as, their computers, the Intranet, Salesforce, or our production applications. Also, in AWS, they can access other types of applications, like WorkSpaces, or our production applications there, which allows them to work. It lets them have access to their email, because they're not able to access their email unless they are VPN'd in, etc. 

We keep everything locked down to the VPN. If that's not working, then our company will not be able to work. It was very finicky last year, and it's working now. It has been perfect this year.

We don't use the Endpoint Remote Access VPN client for too much. We use its local firewall, which is valuable, but we don't really use SandBlast. I know you can add the SandBlast module along with all these other modules. We literally just use it so our users can connect on-prem.

Before we used the Check Point Endpoint Remote Access VPN solution, we were using a difficult VPN solution. It made us install a certificate on the user's laptop. That was very difficult to maintain for the IT department. When we gave out a new laptop, we would have to go and manually put the certificate on a laptop so they could then connect back to the on-prem. Where now, Check Point allows us to use an RSA token and PIN. It integrates with RSA, which is another solution that we use. RSA is a random generated key done every minute and another factor of authentication. With Check Point having that feature, it helped us a lot when we initially set it up.

The most valuable part would be allowing users to have a seamless connection to the Check Point firewall, which is what we use for controlling access to our on-premise area. Otherwise, we would have to get some other type of VPN solution that I don't know how well would work with the Check Point firewalls. Keeping it in the same ecosystem is good.

Currently, we're using Check Point Endpoint Remote Access VPN R70.30.03. That's the latest version of R70.30. We haven't upgraded to R80 yet, but all of our firewalls are R80. We've been through many iterations of the Endpoint VPN client. I remember awhile ago, it was very difficult to deploy and not have problems, but they've come a long way. Now, it's a lot better. 

I have worked so much on this in the past with Check Point that they actually had their vice president of product development call me. I remember one of the things that I told him need room for improvement, which I still haven't seen: When you want to deploy a new Check Point agent, it is really a pain in the butt. For example, Windows 10 now has updates almost every couple of months. It changes the versioning and things under the hood. These are things that I don't understand, because I'm not a Windows person. However, I know that the Check Point client is installed on the Windows machine, and if the Check Point client's not kept up-to-date, then it's functionality breaks. It has to be up-to-date with the Windows versions. Check Point has to update the client more often. Now, the problem is that the Check Point client is not easy to update on remote computers and it's not easy to deploy a new client. 

They need to improve deploying a new Endpoint Remote Access VPN client and updating existing Endpoint Remote Access VPN clients. Especially if you want to deploy a new one, it's not an easy process. Their software doesn't really support creating a new Endpoint Remote Access VPN client. There is a lot of manual activity. They need to automate it better. You have to create a generic client, download it to a computer, and install it to the computer. Then, you have to find a file deep inside the directory that it creates. It's like a text file, then you take that text file out and edit the settings in it. For example, I have to tell it to connect to a site which contains our firewalls or else it's like a phone with no phone numbers and I have to put in the phone numbers. This should be done when I download the client the first time from their GUI, but it is not. Instead, I have to install a generic blank version on a computer, find a text file, and edit the text file with the sites of firewalls that the users have to connect to specific to my company. I have to make other setting changes in that version, save it, reboot the computer, find the file again, take that file out of the computer, upload it to GUI, and deploy a new version. Then, I install it after I uninstalled the old one. Of course, all the uninstalls require reboots. So, I am rebooting it like five times now. After that, I have to install it and check the settings. Half the time they don't save the way you want them to save. It is very tedious and terrible. 

Even learning that process was a nightmare, because it's not like they have a nice article that explains it to you. They don't. I was bumping my head up against the wall with support for almost six or seven months trying to figure that out. Half of them didn't even know how to do it. That was miserable. But now that I'm an expert on it, I can probably do it within a half a day to three days depending on if it gives me problems or not. That's still miserable, and it should be as easy as: I upload the new version of the client, put in the information that I want it to have on the settings, click download, and install, then it works. It should be that easy. There's really no reason why it's not, except for they didn't improve that process nor have they developed that area. It makes me think that their interest isn't in VPN solutions, even though it should be because it's something that they offer. Otherwise, their support is great.

About seven or eight years.

Since it was fixed in November, it's been 100 percent solid and stable. It's been solid as far as Endpoint Remote Access VPN is concerned. I would say their SSL VPN isn't always solid, but I don't think it's necessarily their fault. I think it's because companies, like Apple and Google, change their browsers and operating systems. This messes up Check Point's ability to allow the connection as far as Java updates or other types of security features that they enable. They also don't let you run the application without administrative rights or in sandbox. I have seen a lot of things break because of other companies' involvement in their products. 

As far as the connection is concerned, recently it's been stable. If you had asked me that a couple years ago, it was miserable. It was like the bane of my existence. Now, it's working great. 

I manage the solution, though technically it's my team. They don't work on it if they don't have to. If they have to, then they ask me questions.

It is pretty scalable as far as adding more users. I don't see that as being an issue. All we have to do is buy more licenses and it's easy to add the license headcount, then more users can be added just as simply.

We have 200 to 250 users in our company.

We will definitely be increasing to have more users since our company was just purchased by a very large company. This will make us grow.

Their Endpoint Remote Access VPN support team tries to fix whatever problems that are there and incorporate those issues into the next Endpoint Remote Access VPN client that they release for everyone, which is great. I know that last year specifically, I worked with the Endpoint Remote Access VPN support for nine months. We were having disconnects. Some users would get disconnected from their VPN five times in a day. Throughout nine months of working with them, providing logs, providing TCP dumps from the firewall, and all the information they needed, they were able to give us a new client where our users didn't have any more disconnects. They did something where they made it more resilient. So, if there's a problem, the client has more time to talk back to the endpoint or firewall. That is huge since this entire year our whole company has been working from home. 

Last year, we had a few people working from home every week, or maybe a tenth of the company works from home permanently. However, if we hadn't fix that issue by November of last year, then having everyone work from home and getting disconnected five times a day would have been an utter nightmare. It probably would (100 percent) been the end of Check Point at our company, because I know our CIO already doesn't really like Check Point. We keep it around because my team believes in it. But if no one could work, because no one could VPN, that definitely would have been the end of Check Point.

This wasn't something they could just fix or something that I could fix or configure. It literally took nine months of troubleshooting and ongoing fixing with their development team in Israel, where they were making new code for the input client, which we got. It worked and we're still running that client today. That was huge. If I had to say something really good, it would be that their support helped us and fixed that issue.

We did use something else previously. I want to say it was some kind of a VNC Viewer things with a certificate. It's very basic and crappy. 

We switched because we need more features, like the RSA token involvement. We also like that we were using another Check Point solution and could integrate with that.

The initial setup wasn't too complex. I think their documentation is pretty good for the initial setup. It took a little while, but it wasn't difficult. We did the deployment successfully in probably two months on our own, without them doing anything, by just reading the documentation and having other stuff going on too. We didn't just focus on this deployment.

I just wished the upgrade process was easy and the configuration initial process was easier. In the past six months, they did a fix, where if I push out a new install to users, it doesn't reboot their computer. Now, it will install their client and not reboot.

They need to keep up with Windows updates faster. There have been a couple of times where Windows is updated and they didn't have a new version ready for when Windows was ready, which means the clients that are running on the newer version of Windows won't be able to VPN. If they can keep up to speed with that, then it would be good.

I've done this twice already because I know that we didn't upgrade it. I built out two new servers for it. I have a primary and a policy server. We have a primary endpoint server. Then, we have a secondary, which is called a policy server. This is operational because our clients will connect round robin to one, then the other. It's just that one of them has more precedence over the other as far as enforcing policy. We have those in two different environments, and they're virtual. All the standard things that go along with setting up a virtual environment.

We had to create the policy on the new endpoint server, which isn't too complicated. It includes a list of ports that we needed for our users to be able to use certain applications, like their chat and VoIP, because it has a local firewall. That took some time, like a week building that policy out and testing it. It's really about making sure that it can connect to the endpoint server through the main firewall. Then, it gets its policy from the endpoint server that it downloads and enforces on the local firewall, allowing for the connection to the main firewall. I wouldn't say it was too complicated as far as deployment strategy goes.

We have seen ROI. It allows everyone to work from home. If no one could work from home, then we wouldn't have a company, especially now during COVID-19. It's mission-critical, especially since it's currently being used. If there is a problem with it, we would really be screwed. We would be hard-pressed because we would have to figure out what solution we're going to go with, how to deploy it, how long it would take to deploy it, and how we'd even get it on people's computers if we couldn't VPN to them. It would be near impossible to just change to a new VPN solution right now. Without physical access to the machines, it makes things much more difficult.

My understanding is that the pricing and licensing are very competitive, and it's not one of their more expensive products. We buy licenses for the solution and have licenses for the endpoint servers.

I believe we did evaluate other option, but I know that we were leaning strongly towards Check Point.

My advice would be to have patience. Make sure you get a Tier 3 support person. Setting up the servers and everything is easy, but deploying the Endpoint VPN client is not easy. They need to have someone walk them through the process of creating the Trac file that contains the settings for the client. That is hard.

There is the endpoint server, which is on-prem, and easy to set up like any other appliance that any network engineer or systems administrator should know how to do. That is easy. But if you want to deploy the client, which most people want to deploy the client, and have any type of configured settings on it, then know that it is not just a generic client. That's the hard part. My advice would be to reach out to support and have them help you with it.

I remember not knowing how to deploy the Trac file and struggling immensely. I was unable to deploy the client and get people working, which is my job and what I'm supposed to do. Learning how to do that, being familiar with the process, and actually doing what I'm expected to do at work, which is let people be connected to the firewall, that was my biggest lesson.

I would rate it a seven and a half out of 10.

A lot of our clients are complimentary companies, like the electrical company. They need Check Point Remote Access VPN, or even another similar solution. I tell them that I already have the VPN solution in our company.

In terms of improving the service, I think they could add more features, like the security to block off the doors, or create another hatch, something like this. They could make the features safer, add malware to make my mail and the Kryon system safer and to protect data at an earlier stage.

I have been using Check Point for about one year.

I have not heard any complaints from the clients regarding its stability. I think it's stable for them.

Not all of our clients who use Check Point VPN are in Thailand. Some government agencies, like the Electric City Company, are in Thailand. They use it formally. Their IT and telecom departments, those who require a secure network, are using it.

I have not contacted customer support yet because I take care of any issues from here. That's why I don't have their programming disk because I take care of it myself, including the configuration and the DSL in Check Point.

We still use other products.

The initial setup is not complex. Plus, we've got the Kryon system. So these systems make it easier for the user. We have known this product for a while, that's why it's not a problem to configure the system.

I don't have any advice yet.

On a scale of one to ten, I'd give Check Point Remote Access VPN a seven.

The differentiator for this solution is the management interface that we find very good and provides a single view for all endpoints. The solution offers SmartLog that allows quick searches. The compliance modules are also very interesting.

I cannot see the full effect of the antibot solution because it relies on having access to the DNS queries, which might not go through the Check Point firewall when you're using it for perimeter networks. In this case Check Point will not identify the actual source of the DNS queries associated with antibot activity. This may be related to the customer architecture, however, and not due to product limitation. I don't know if it can be improved on the Check Point side or not.

The solution should allow for the automatic identification of destinations. 

We have a URL qualification on the on-premises deployment model; this should also be the case on the cloud. The automatic classification should be done by the cloud team instead of having to specify or subscribe to a RSS for the information, we should be able to have an object that represents such cloud services. It's possible that Check Point already allows for this, but if they don't they should.

We've been using the solution for about 20 years.

The solution is very stable.

The stability depends on the setup. If the solution resides on a specific appliance, it is not scalable. It has a fixed capacity. However, if you move it onto different environments, cloud environments, it will become scalable. Right now, we have about 4,000 users in the current network and about 500 remote access users.

Technical support is reasonable. It depends on the level of support you are willing to pay for, however. You can choose to have a company working for you with intermediate support with Check Point, or you can choose to have direct advanced support.

The initial setup has a moderate amount of complexity. It's acceptable. However, the graphical display of the user chart of network usage, and the ability to zero in on the current graphics could be improved.

We currently only use the on-premises deployment model, although we may extend into the cloud in the future. We're aware of the cloud's capabilities, but we're not using it because we don't have a large infrastructure expression there.

In terms of advice, I'd suggest that others implementing the solution make sure training happens on their teams. Most products can have lots of features, but if you do not have proper knowledge, you will not be able to make use of those features.

I'm very satisfied with this solution; I'd rate it eight out of ten.

The solution is used for the mobile license or the troubleshooting of the VPN client.

The most valuable feature of the solution is its facility to use the command of the customers in the enterprise. The clients of the customers have a facility to access the enterprise network.

Check Point Remote Access VPN's enterprise support could be improved. The principal support is the problem with the operating systems. The customers have a problem with not being able to publish the application.

The solution’s stability is very good.

Check Point Remote Access VPN has good scalability. Microsoft's operating system has a problem with the solution's new version.

The solution's technical support is good. However, I face issues communicating with them as my English is not good.

Positive

The solution’s initial setup is somewhere in the middle, from easy to difficult.

Generally, Check Point Remote Access VPN is a very good solution.

Overall, I rate Check Point Remote Access VPN a nine out of ten.