I do not think much needs to be improved in Check Point IPS currently, as I prefer it the way it is. If I had to pick one thing that could be better or something I would see added in the future, I cannot recall any specific features, but if there is anything in the roadmap, I would definitely use that particular feature.
One area that could be improved in Check Point IPS is the user interface for managing IPS policies, which can be a bit complex for new users, along with the need for faster signature updates for emerging threats and more seamless integration with third-party tools. A simpler policy setup and faster updates would enhance the experience.
Security Engineer at a tech vendor with 51-200 employees
Real User
Top 5
Aug 22, 2025
For the product itself, there is nothing that I wish worked better or was easier, but it can become complex to manage all the rules if the infrastructure is very big. I do not want to add more about the needed improvements.
Check Point IPS could be improved with more automation and focus on removing false positives. At least 60% of all the alarms generated by the IPS are false positives or something that's not important to look at, and this generates a significant workload for my team. That is my main concern about the needed improvements.
Senior Network Engineer at a healthcare company with 10,001+ employees
Real User
Top 5
Jul 27, 2025
An area of improvement for Check Point IPS would be simplified configuration and performance optimization. The initial setup and tuning can be complex, and more guided wizards or templates would help streamline deployment.
I believe Check Point IPS can be improved by making it more proactive and predictive and fine-tuning the false positives. When I say more proactive and predictive, I believe they can improve on the algorithms to better identify and predict attacks, and they can also add its binaries to reduce false positives.
Improvements could include more attractive dashboards, visual analytics, and automated attack path correlation in SmartEvent to enhance situational awareness and attack identification.
Improvement suggestions include more attractive dashboards, enhanced visual analytics, and automated attack path correlation in SmartEvent to improve situational awareness.
Telecommunication Team Leader at a financial services firm with 201-500 employees
Real User
Top 20
Nov 20, 2024
Currently, the solution is good for my needs, so I don't have any particular improvements to recommend. However, a reduction in price would always be welcome.
It's hard to specify areas for improvement without a deeper investigation. However, usually, IPS does its job. Some challenges might exist with integration depending on the environment.
Student at a university with 5,001-10,000 employees
Real User
Top 5
Sep 6, 2024
From the product perspective, there have been instances where the signature download caused issues. However, it happened only once, and some QA is needed on signatures. Overall, the product is robust.
To overcome the tool's shortcomings, the signature-based protection that the product offers needs to be more effective and regularly updated. Some of the configurations and management should be easy in the product. Signature tuning should be more user-friendly in the tool because, as per my experience, signature tuning is tough in Check Point IPS.
Security Operations Manager at Network International
Real User
Top 5
Apr 26, 2024
The area with certain shortcomings where improvements are required consist of support availability. The tool's complete operating system architecture is being designed in such a way that it looks a little complicated compared to the tool offered by its competitors. The tool's complete operating system architecture needs to be simplified for the users, especially from an administrative and troubleshooting perspective, so that it can be used quickly or with speed whenever there is a crisis. If the aforementioned areas are considered, the product will be much stronger. The tool's support is a major issue because it has not been quick in certain areas compared to the ones offered by Check Point's competitors. The product's scalability has certain shortcomings where improvements are required. The product should be able to handle and compete with competitors and their services as well as updates, which are much faster than Check Point.
ICT Security Consultant at National Treasury of the Republic of South Africa
Consultant
Dec 21, 2023
Enhancements are necessary for the proficiency of notifications in the event of a Social Security incident, whether through email or alternative channels such as SMS.
Netwroking and Security Operations at a consultancy with 11-50 employees
Real User
Oct 13, 2023
The support could be improved. We need quality information on the new products and solutions. We are implementing new solutions for Check Point, but these solutions are not thoroughly tested, which might lead to problems. If we had a lot of information and knowledge about the solution, it would be easier for us to implement it.
Based on what I hear from my full-time firewall administrators, the upgrade process or the maintenance of the devices for each firmware upgrade requires one to break the cluster and run a specific moment at a time, a single node concept. I hear from my admin that the firmware upgrade process is quite cumbersome. Our company has made Check Point very well aware of the cumbersome firmware upgrade process, including the other customers as well. The aforementioned details can be considered for improvement. The price of the product needs to be improved since it is an expensive solution. All the components of Check Point IPS are expensive, while licenses of the product exceed all its other expenses. If you have a data center without infrastructure, you will suffer from losses on a monthly and yearly basis due to DDoS attacks, which we know about since we have the data for ourselves. It is up to each customer to determine how long he can lose his data center, and then you count if it is possible to lose it for that amount of time, and if you don't, then pay the price for the firewall.
There is room for improvement in the pricing model, and it can be more competitive. Moreover, another area of improvement is in the maintenance of the solution because it requires a lot of people to maintain the solution. Some tasks can be automated, and I would like to see a feature where we can automate the tasks.
Sometimes Check Point documentation is not always updated, which is why when some implementations change, it generates confusion about details. In addition to extending some implementations, it would be good for Check Point to keep its documentation public and updated. This product, as a blade, does not include the license with the Check Point gateway. Some errors are generated in the implementation of the Smart Cloud in the Infinity Check Point Portal. When that happens, cases of withdrawal must be carried out without embargo for a long time in response.
I would like to have the possibility of adding features to this IPS solution in the future. It allows us to reach and integrate with other solutions that we have in the same portfolio of this security provider. It has the possibility of achieving and integrating the detection and analysis of this equipment against the integration and analysis that is done in the final devices, generating a correlation and installation of agent propagation from an internal security center.
Check Point must take into account several improvements for the next updates of the tool. They should improve the cost so that it is more accessible and more companies can acquire it. Optimizing the resources requested and sending more specific alerts regarding blockages would be useful. They need to improve integration with SIEM. VMs should not be used as information bridges. The documentation should be accessible. They need to improve the knowledge database and ensure everything is unified. They need to improve technical support and customer service.
The service that we want to see in the future is a capacity to segment the IPS services by equipment. We'd like to see the integration of the communication of the services in the next-generation firewall and the other solutions that it has, such as Harmony. It would be great if they could start creating interoperability with both technologies. Integrating these solutions with the lighthouses could generate more complex and complete interoperability. That said, we'd want the solutions to be acquired and administered as one solution.
What I want as a new feature is to be able to bring these solutions to public clouds. However, today, we can do this. We are taking our datacenters, these next-generation places. These technologies evolve at an unparalleled pace. This solution will soon be in mobile services, and it is here that the new equipment management lines will be managed in the future. We want the solution to continue to move towards cloud-based and portability focused for telecommuting users.
When exceptions need to be done for certain profiles, it is easy to get them done, however, implementation on some general ones may cause some extra work as the IPS is not easy to overwrite. There are updates that have been scheduled that have been delayed more than expected, which impacts the performance of the firewall when the traffic is high. This can cause false positives and release alerts for harmless traffic, which results in a deviation of the attention from the security administrator when it's not relevant.
Cloud Support at a tech company with 1-10 employees
User
Top 5
Jul 29, 2022
Generally, a point that should be improved at the manufacturer level is the help it provides with its support staff. It is somewhat slow in its resolution of problems, even if the problem is with one of its new tools. It would be good to update the public documentation of Check Point so that we can generate improvements and best practices based on the documentation. However, sometimes it is not so easy to implement.
I am pleased with it as it seems to be in order. I don't have much to say, however, there were a few things I noticed about the behavior of the Check Point IPS. First, sometimes I have issues with scheduled IPS updates. The impact on performance when opening the IPS blade is challenging while the firewall is operating under severe demand is the second, which is pretty common. I only note it here. There is no standalone IPS appliance available. Only the IPS blade needs to be enabled on the security gateway that Check Point provides.
Out of the box, the number of built-in reporting and dashboards related to the IPS logs and events has room for improvement. The dashboard reports can be easier to generate and customize. It would also be nice if the system would allow some form of alerting when specific signatures have been triggered X number of times within Y amount of time. This would allow us to be better notified when there is a security attack going on, without too much of false-positive alerts. Another would-be-nice request is to have more details information about how the signatures would detect the specific security vulnerability. This allows us to make a judgment about how useful a particular signature is in our specific environment.
The Check Point tools or features are quite complete and secure; they are at the forefront in addition to having thousands of reports worldwide where they are highlighted. However, they are also among the most expensive. For many, it is worth the cost for their functionalities, and for some companies they prefer to sacrifice a little to obtain a more licensing cost. In general, the case system is a bit slow. Sometimes it is difficult to resolve quickly. It's not really a problem that stands out, however.
Information Technology Operations Manager at a computer software company with 51-200 employees
User
Jan 31, 2022
Support is the biggest area for improvement. Check Point is responsive, however, their support agents seem to be very siloed in their ability and/or product knowledge. It takes time and escalation to get through most tickets as they are passed from one group to another and then back again. We are able to navigate our support issues with the aid of our account team, so I want to underscore that support is indeed responsive. However, the processes support techs have to follow seem to be the root cause of the support response issues.
Sometimes protections are 'aggregated' into a single threat name when you look at the logs. I would prefer to see all protections named individually (for example, right now, 'web enforcement' is a category that contains several signatures). I also wish there was an option to run reports of the individual signature 'usage'; it's not easy to generate views based on the number of 'hits' a signature has generated. (it is possible, however, there could be an easier option). For example, if you have a signature activated, for instance, a MS issue then patch your environment, it's 'hard' to identify if the individual signature has been 'hit'.
Firewall Engineer at a logistics company with 1,001-5,000 employees
User
Sep 30, 2021
You can't turn off IPS completely as there are some signatures that are set even without activated IPS. If you know that, you can act accordingly. But sometimes you have to do a general exception instead of a granular one. There are always some false positives with non-RFC traffic. This is good for security, however, it will cause some effort in day-to-day business as there will have to be exceptions for certain applications. Threat Prevention policies are not very easily manageable as there are several profiles/policies/etc. Therefore, there are several ways to add exceptions and check the configuration.
After the R80 release, there are almost all feature sets available under IPS Configuration. However, further to this, adding a direct vulnerability scan based on ports and protocol for every zone (LAN, DMZ, or Outside) will make Check Point very different compared to other vendors on the market. Most customers take an IPS license but they don't take a SmartEvent license and when this happens, they will not be aware of the report parts such as current threats in the network open ports/protocol, vulnerabilities in a system, or detected/prevented attacks. For such cases, Check Point should provide a bundled license with IPS.
System and Network Administrator at Auriga - The banking e-volution
Real User
May 8, 2021
To use the Check Point IPS module, you need a dedicated team who must know both the business reality and be sensitive to the dangers coming from the Internet. You can't leave everything to the application to run automatically. If you leave it on automatic then you run two fundamental risks; the first is the blocking of the firewall due to excessive use of resources, and the second is the sudden halt of your services due to the blocking of a malicious application. By optimizing the resources requested by this module and sending more specific alerts regarding blocks, you can certainly obtain an improvement in performance and usability. Having additional reports available would be helpful.
CTO at a computer software company with 11-50 employees
Real User
May 6, 2021
Really, the only thing we noticed once it was running in prevention mode (we started out in detection mode just to get a feel for how it worked and how often protections were getting triggered) was that there was a little bit of a slowdown in performance. It is generally good, but improving the performance would be the one thing I'd take a look at right now.
There is a performance impact on the NGFW post-enabling the IPS blade/Module, which can even lead to downtime if IPS starts to monitor or block high-volume traffic. There is no separate, dedicated appliance for IPS. In the case of the IPS blade enabled on the NG firewall, it does not provide flexibility to monitor specific segments as easily as the IPS policies that are applied on the security gateway. There is lots of configuration and exclusion policy that need to be configured to bypass traffic from IPS Policy. IPS gets bypass in case performance goes above certain limit. This is the default setting that is provided.
There are several technological points that could use improvement. We have a lot of false positives and the list of IPs are not up to date in terms of their location. For example, we recently blocked traffic from both North and South Korea because we have no relationship with these countries. The problem is that the list of IPs is not up to date, and we had a problem where regular traffic was blocked but malicious traffic was not. The proxy should be improved. The documentation should be easier to read. When you want to block according to the signature, you have to do them one by one. You cannot create a group.
In my opinion, IPS is one of the better Check Point products because it's very easy to configure. You don't need to go protection by protection to check which ones you want to enable. You can enable the ones that are medium or higher severity and all those protections are immediately enabled. When you deploy this on an existing firewall that is already working, it's always better to set it on detection mode before you put it on prevention mode. It's very easy to detect a profile and then check for a month if there are some false positives that you want to filter before you put it on prevention. It's very easy to work with. The only thing they could maybe improve is that we notice right away that the performance decreases when we enable the IPS, especially beyond the CPU and memory usage. If you want to enable the IPS and you have a lot of traffic, it can have an impact. The performance could be improved.
I strongly agree that with IPS blade we can protect our organization vulnerabilities. I would like to have the ability to virtually patch our application or vulnerable machine that is talking ourside our network. If it is there then we can protect our application and systems to any unknown attack if our system or application has a weakness or vulnerability. I observed on our management that sometimes IPS does not connect to the threat cloud, we have to check and improve it. Otherwise, all of the features are good.
Senior Network and Security Engineer at a computer software company with 201-500 employees
Real User
Jul 23, 2020
In my opinion, the Check Point software engineers should works on the performance of the blade - when it is activated with the big number of the protections in place, the monitoring shows us the significant increase in the CPU utilization for the gateway appliances - up to 30 percents, even so, we are cherry-picking only the profiles that we really needed. Due to that fact it is also not so easy to choose the correct hardware appliance when you are planning the infrastructure. It is even more important when you realize that the Check Point hardware is very expensive.
Head of IT Department at AS Attīstības finanšu institūcija Altum
Real User
Top 5
Mar 4, 2020
It is always possible to improve the speed of an IPS, although there is always a performance penalty when using additional security software. Occasionally there are glitches and errors like false positives, which would be a nice area of this solution to improve upon. The pricing could be improved.
The detection needs improvement. We fear that it doesn't detect everything that we want to see. The solution needs enhanced reporting. The reporting on Cisco Stealthwatch and Darktrace is much bigger. The visibility that they grant for the filtering capabilities over large infrastructures are far superior.
Check Point IPS is an intrusion prevention system that aims to detect and prevent attempts to exploit weaknesses in vulnerable systems or applications. The solution provides complete, integrated, next-generation firewall intrusion prevention capabilities at multi-gigabit speeds with a low false positive rate and high security. It helps organizations secure their enterprise network, and protect servers and critical data against known and unknown automated malware, blended threats, and other...
I do not think much needs to be improved in Check Point IPS currently, as I prefer it the way it is. If I had to pick one thing that could be better or something I would see added in the future, I cannot recall any specific features, but if there is anything in the roadmap, I would definitely use that particular feature.
One area that could be improved in Check Point IPS is the user interface for managing IPS policies, which can be a bit complex for new users, along with the need for faster signature updates for emerging threats and more seamless integration with third-party tools. A simpler policy setup and faster updates would enhance the experience.
For the product itself, there is nothing that I wish worked better or was easier, but it can become complex to manage all the rules if the infrastructure is very big. I do not want to add more about the needed improvements.
Check Point IPS could be improved with more automation and focus on removing false positives. At least 60% of all the alarms generated by the IPS are false positives or something that's not important to look at, and this generates a significant workload for my team. That is my main concern about the needed improvements.
An area of improvement for Check Point IPS would be simplified configuration and performance optimization. The initial setup and tuning can be complex, and more guided wizards or templates would help streamline deployment.
Check Point IPS could be improved as the deployment is complex.
I believe Check Point IPS can be improved by making it more proactive and predictive and fine-tuning the false positives. When I say more proactive and predictive, I believe they can improve on the algorithms to better identify and predict attacks, and they can also add its binaries to reduce false positives.
Improvements could include more attractive dashboards, visual analytics, and automated attack path correlation in SmartEvent to enhance situational awareness and attack identification.
Improvement suggestions include more attractive dashboards, enhanced visual analytics, and automated attack path correlation in SmartEvent to improve situational awareness.
Currently, the solution is good for my needs, so I don't have any particular improvements to recommend. However, a reduction in price would always be welcome.
It's hard to specify areas for improvement without a deeper investigation. However, usually, IPS does its job. Some challenges might exist with integration depending on the environment.
From the product perspective, there have been instances where the signature download caused issues. However, it happened only once, and some QA is needed on signatures. Overall, the product is robust.
To overcome the tool's shortcomings, the signature-based protection that the product offers needs to be more effective and regularly updated. Some of the configurations and management should be easy in the product. Signature tuning should be more user-friendly in the tool because, as per my experience, signature tuning is tough in Check Point IPS.
The area with certain shortcomings where improvements are required consist of support availability. The tool's complete operating system architecture is being designed in such a way that it looks a little complicated compared to the tool offered by its competitors. The tool's complete operating system architecture needs to be simplified for the users, especially from an administrative and troubleshooting perspective, so that it can be used quickly or with speed whenever there is a crisis. If the aforementioned areas are considered, the product will be much stronger. The tool's support is a major issue because it has not been quick in certain areas compared to the ones offered by Check Point's competitors. The product's scalability has certain shortcomings where improvements are required. The product should be able to handle and compete with competitors and their services as well as updates, which are much faster than Check Point.
The tool's pricing could be better.
Enhancements are necessary for the proficiency of notifications in the event of a Social Security incident, whether through email or alternative channels such as SMS.
The support could be improved. We need quality information on the new products and solutions. We are implementing new solutions for Check Point, but these solutions are not thoroughly tested, which might lead to problems. If we had a lot of information and knowledge about the solution, it would be easier for us to implement it.
Based on what I hear from my full-time firewall administrators, the upgrade process or the maintenance of the devices for each firmware upgrade requires one to break the cluster and run a specific moment at a time, a single node concept. I hear from my admin that the firmware upgrade process is quite cumbersome. Our company has made Check Point very well aware of the cumbersome firmware upgrade process, including the other customers as well. The aforementioned details can be considered for improvement. The price of the product needs to be improved since it is an expensive solution. All the components of Check Point IPS are expensive, while licenses of the product exceed all its other expenses. If you have a data center without infrastructure, you will suffer from losses on a monthly and yearly basis due to DDoS attacks, which we know about since we have the data for ourselves. It is up to each customer to determine how long he can lose his data center, and then you count if it is possible to lose it for that amount of time, and if you don't, then pay the price for the firewall.
I would like the product to provide us with intelligence to understand what we really have in our environment.
There is room for improvement in the pricing model, and it can be more competitive. Moreover, another area of improvement is in the maintenance of the solution because it requires a lot of people to maintain the solution. Some tasks can be automated, and I would like to see a feature where we can automate the tasks.
Sometimes Check Point documentation is not always updated, which is why when some implementations change, it generates confusion about details. In addition to extending some implementations, it would be good for Check Point to keep its documentation public and updated. This product, as a blade, does not include the license with the Check Point gateway. Some errors are generated in the implementation of the Smart Cloud in the Infinity Check Point Portal. When that happens, cases of withdrawal must be carried out without embargo for a long time in response.
I would like to have the possibility of adding features to this IPS solution in the future. It allows us to reach and integrate with other solutions that we have in the same portfolio of this security provider. It has the possibility of achieving and integrating the detection and analysis of this equipment against the integration and analysis that is done in the final devices, generating a correlation and installation of agent propagation from an internal security center.
Check Point must take into account several improvements for the next updates of the tool. They should improve the cost so that it is more accessible and more companies can acquire it. Optimizing the resources requested and sending more specific alerts regarding blockages would be useful. They need to improve integration with SIEM. VMs should not be used as information bridges. The documentation should be accessible. They need to improve the knowledge database and ensure everything is unified. They need to improve technical support and customer service.
Most complaints for Check Point relate to licensing fees. You need to be prepared to pay extra for implementing this product.
The service that we want to see in the future is a capacity to segment the IPS services by equipment. We'd like to see the integration of the communication of the services in the next-generation firewall and the other solutions that it has, such as Harmony. It would be great if they could start creating interoperability with both technologies. Integrating these solutions with the lighthouses could generate more complex and complete interoperability. That said, we'd want the solutions to be acquired and administered as one solution.
What I want as a new feature is to be able to bring these solutions to public clouds. However, today, we can do this. We are taking our datacenters, these next-generation places. These technologies evolve at an unparalleled pace. This solution will soon be in mobile services, and it is here that the new equipment management lines will be managed in the future. We want the solution to continue to move towards cloud-based and portability focused for telecommuting users.
When exceptions need to be done for certain profiles, it is easy to get them done, however, implementation on some general ones may cause some extra work as the IPS is not easy to overwrite. There are updates that have been scheduled that have been delayed more than expected, which impacts the performance of the firewall when the traffic is high. This can cause false positives and release alerts for harmless traffic, which results in a deviation of the attention from the security administrator when it's not relevant.
Generally, a point that should be improved at the manufacturer level is the help it provides with its support staff. It is somewhat slow in its resolution of problems, even if the problem is with one of its new tools. It would be good to update the public documentation of Check Point so that we can generate improvements and best practices based on the documentation. However, sometimes it is not so easy to implement.
I am pleased with it as it seems to be in order. I don't have much to say, however, there were a few things I noticed about the behavior of the Check Point IPS. First, sometimes I have issues with scheduled IPS updates. The impact on performance when opening the IPS blade is challenging while the firewall is operating under severe demand is the second, which is pretty common. I only note it here. There is no standalone IPS appliance available. Only the IPS blade needs to be enabled on the security gateway that Check Point provides.
Out of the box, the number of built-in reporting and dashboards related to the IPS logs and events has room for improvement. The dashboard reports can be easier to generate and customize. It would also be nice if the system would allow some form of alerting when specific signatures have been triggered X number of times within Y amount of time. This would allow us to be better notified when there is a security attack going on, without too much of false-positive alerts. Another would-be-nice request is to have more details information about how the signatures would detect the specific security vulnerability. This allows us to make a judgment about how useful a particular signature is in our specific environment.
The Check Point tools or features are quite complete and secure; they are at the forefront in addition to having thousands of reports worldwide where they are highlighted. However, they are also among the most expensive. For many, it is worth the cost for their functionalities, and for some companies they prefer to sacrifice a little to obtain a more licensing cost. In general, the case system is a bit slow. Sometimes it is difficult to resolve quickly. It's not really a problem that stands out, however.
Support is the biggest area for improvement. Check Point is responsive, however, their support agents seem to be very siloed in their ability and/or product knowledge. It takes time and escalation to get through most tickets as they are passed from one group to another and then back again. We are able to navigate our support issues with the aid of our account team, so I want to underscore that support is indeed responsive. However, the processes support techs have to follow seem to be the root cause of the support response issues.
Sometimes protections are 'aggregated' into a single threat name when you look at the logs. I would prefer to see all protections named individually (for example, right now, 'web enforcement' is a category that contains several signatures). I also wish there was an option to run reports of the individual signature 'usage'; it's not easy to generate views based on the number of 'hits' a signature has generated. (it is possible, however, there could be an easier option). For example, if you have a signature activated, for instance, a MS issue then patch your environment, it's 'hard' to identify if the individual signature has been 'hit'.
You can't turn off IPS completely as there are some signatures that are set even without activated IPS. If you know that, you can act accordingly. But sometimes you have to do a general exception instead of a granular one. There are always some false positives with non-RFC traffic. This is good for security, however, it will cause some effort in day-to-day business as there will have to be exceptions for certain applications. Threat Prevention policies are not very easily manageable as there are several profiles/policies/etc. Therefore, there are several ways to add exceptions and check the configuration.
After the R80 release, there are almost all feature sets available under IPS Configuration. However, further to this, adding a direct vulnerability scan based on ports and protocol for every zone (LAN, DMZ, or Outside) will make Check Point very different compared to other vendors on the market. Most customers take an IPS license but they don't take a SmartEvent license and when this happens, they will not be aware of the report parts such as current threats in the network open ports/protocol, vulnerabilities in a system, or detected/prevented attacks. For such cases, Check Point should provide a bundled license with IPS.
To use the Check Point IPS module, you need a dedicated team who must know both the business reality and be sensitive to the dangers coming from the Internet. You can't leave everything to the application to run automatically. If you leave it on automatic then you run two fundamental risks; the first is the blocking of the firewall due to excessive use of resources, and the second is the sudden halt of your services due to the blocking of a malicious application. By optimizing the resources requested by this module and sending more specific alerts regarding blocks, you can certainly obtain an improvement in performance and usability. Having additional reports available would be helpful.
Really, the only thing we noticed once it was running in prevention mode (we started out in detection mode just to get a feel for how it worked and how often protections were getting triggered) was that there was a little bit of a slowdown in performance. It is generally good, but improving the performance would be the one thing I'd take a look at right now.
There is a performance impact on the NGFW post-enabling the IPS blade/Module, which can even lead to downtime if IPS starts to monitor or block high-volume traffic. There is no separate, dedicated appliance for IPS. In the case of the IPS blade enabled on the NG firewall, it does not provide flexibility to monitor specific segments as easily as the IPS policies that are applied on the security gateway. There is lots of configuration and exclusion policy that need to be configured to bypass traffic from IPS Policy. IPS gets bypass in case performance goes above certain limit. This is the default setting that is provided.
There are several technological points that could use improvement. We have a lot of false positives and the list of IPs are not up to date in terms of their location. For example, we recently blocked traffic from both North and South Korea because we have no relationship with these countries. The problem is that the list of IPs is not up to date, and we had a problem where regular traffic was blocked but malicious traffic was not. The proxy should be improved. The documentation should be easier to read. When you want to block according to the signature, you have to do them one by one. You cannot create a group.
In my opinion, IPS is one of the better Check Point products because it's very easy to configure. You don't need to go protection by protection to check which ones you want to enable. You can enable the ones that are medium or higher severity and all those protections are immediately enabled. When you deploy this on an existing firewall that is already working, it's always better to set it on detection mode before you put it on prevention mode. It's very easy to detect a profile and then check for a month if there are some false positives that you want to filter before you put it on prevention. It's very easy to work with. The only thing they could maybe improve is that we notice right away that the performance decreases when we enable the IPS, especially beyond the CPU and memory usage. If you want to enable the IPS and you have a lot of traffic, it can have an impact. The performance could be improved.
I strongly agree that with IPS blade we can protect our organization vulnerabilities. I would like to have the ability to virtually patch our application or vulnerable machine that is talking ourside our network. If it is there then we can protect our application and systems to any unknown attack if our system or application has a weakness or vulnerability. I observed on our management that sometimes IPS does not connect to the threat cloud, we have to check and improve it. Otherwise, all of the features are good.
In my opinion, the Check Point software engineers should works on the performance of the blade - when it is activated with the big number of the protections in place, the monitoring shows us the significant increase in the CPU utilization for the gateway appliances - up to 30 percents, even so, we are cherry-picking only the profiles that we really needed. Due to that fact it is also not so easy to choose the correct hardware appliance when you are planning the infrastructure. It is even more important when you realize that the Check Point hardware is very expensive.
It is always possible to improve the speed of an IPS, although there is always a performance penalty when using additional security software. Occasionally there are glitches and errors like false positives, which would be a nice area of this solution to improve upon. The pricing could be improved.
The detection needs improvement. We fear that it doesn't detect everything that we want to see. The solution needs enhanced reporting. The reporting on Cisco Stealthwatch and Darktrace is much bigger. The visibility that they grant for the filtering capabilities over large infrastructures are far superior.