The main area for improvement in Check Point Quantum Force (NGFW) is the management interface performance, which can feel a bit slow at peak time. I would also appreciate smoother upgrades and more streamlined reporting. One thing that would help in improving Check Point Quantum Force (NGFW) is having more flexible dashboards that I can tailor without relying on templates.
Server Security Analyst and Solution at Digitaltrack Solutions Pvt Ltd
Real User
Top 5
Nov 7, 2025
I do not see anything lacking in Check Point Quantum Force (NGFW) for improvement, but I feel the CLI can be improved because it is somewhat complex for new users since it is totally Linux-based commands. If a proper knowledge base is available, it will be very helpful for the engineer to troubleshoot anything.
The initial setup of Check Point Quantum Force (NGFW) is complex and could be improved. The knowledge base documentation could be updated to provide better guidance.
Updated: December 2025.
network and security engineer at Max international
Real User
Top 5
Oct 24, 2025
Check Point Quantum Force (NGFW) can improve its perspective on VPN, as the VPN configuration is tedious compared to other firewalls, and the failover of site-to-site VPN is not robust compared to other competitors. In R82, it has provided enhanced link selection for VPN failover, but it is not working smoothly.
Technical Specialist at VDA Infosolutions Pvt. Ltd.
Real User
Top 5
Oct 24, 2025
Check Point Quantum Force (NGFW) can be complex for beginner engineers, as sometimes the SmartConsole interface or blade architecture can be complex for them to handle and configure in the initial setup. It can be improved in the initial configuration of a next-generation firewall setup.
We notice a performance impact if we enable all the security blades simultaneously, as the firewall CPU utilization goes high, so that is something that can be improved. The CPU utilization of the device goes high after enabling all the security blades, causing minor performance issues.
Check Point Quantum Force (NGFW) could be improved by making its pricing more reliable since sometimes it feels the price is a little bit high. There are no needed improvements for Check Point Quantum Force (NGFW) right now since everything looks perfect for the security features and the gateway.
Assistant Manager at a computer software company with 201-500 employees
Real User
Top 5
Aug 22, 2025
While the Smart Console is powerful, I find that it can feel heavy and slow with a large rules base, where a simple policy change sometimes takes longer than expected, impacting agility in a fast-moving environment. The licensing and advanced feature add-ons, like SandBlast, require separate licenses, adding complexity to budgeting and license adoption. Additionally, these challenges can lead to slower response times for urgent changes due to extra coordination for licensing procurement and time spent.
Check Point Quantum Force (NGFW) could be improved by streamlining the licensing process a bit. The challenges with the licensing process come from its complexity.
The issues with Check Point Quantum Force (NGFW) are mainly related to reliability. It depends significantly on the hotfix version of the gateway. You could end up with a version that's stable or unstable, or for example, stable for one scenario, but then in certain specific scenarios, it becomes unstable and creates an issue. This requires contacting support, discussing with R&D, and verifying if there is a new version or custom fix to install.
I find that the licenses are a bit expensive compared to other vendors, and while the price is justified, at times, renewing them becomes a bit painful, so if it could become a bit more budget-friendly, that would work for me. That licensing issue would be the main area regarding needed improvements.
Technical Support Executive at Softcell Technologies Limited
Real User
Top 5
Jun 14, 2025
To improve Check Point NGFW, I would suggest that AI features, such as Auto AI autopilot, would be greatly appreciated because they can automate most of the tedious tasks that take a lot of time. Having features such as AI can make the process easier. A specific task I'd like to automate with AI in Check Point NGFW is adding multiple users, users and address group configuration of address groups and addresses, along with exporting firewall addresses in a certain format. That kind of feature should be there, or if we try to export the data from the Check Point firewall, we get only group address group names without seeing whatever members of the address are included. Check Point should provide the feature of exporting group data with address groups, so when I export address books, only the group name is visible in the Excel file. Instead, it should show the actual members of the groups getting exported. That kind of feature would be appreciated.
Pre-Sales Engineer (Network & Security) at a tech services company with 201-500 employees
Real User
Top 20
May 22, 2025
When using Azure Boards, it's feature-rich, which can be overwhelming at first; there's a learning curve to understanding all the different functionalities and customizing the workflows to fit our processes. The pricing of Azure DevOps can be complex; it's not always easy to figure out exactly how much you're going to end up spending, and occasionally the UI can be slow, but that's not a frequent problem.
Senior Security Analyst at SecurView Systems Pvt Ltd
Real User
Top 5
May 19, 2025
Check Point NGFW deployment in our organization showed that the initial setup and policy design can be complex, especially for teams unfamiliar with Check Point's architecture. Licensing can be confusing and expensive, so segregating it into a simple format would be helpful. Software updates and hot fixes require compatibility checks to avoid disrupting the production environment.
Technical Support Executive at a computer software company with 501-1,000 employees
Real User
Top 5
May 12, 2025
Performance under load: In high-traffic environments, we've observed occasional performance bottlenecks. Licensing flexibility: The licensing model can be rigid and expensive, particularly for small to mid-sized organisations.
Ot Security Network Specialist at a pharma/biotech company with 10,001+ employees
Real User
Top 20
May 4, 2025
Check Point NGFW could improve by continuing innovation and enhancing integration with popular SIEMs. More granularity and control for threat prevention, especially on the OT side, would be beneficial.
The product could benefit from improvements in simplifying policy management and minimizing false positives in threat prevention. Future releases would be enhanced by the addition of advanced reporting dashboards and deeper integration with third-party security solutions. AI-driven features would be highly valuable—particularly those that enable bulk operations and efficient handling of large numbers of objects or object groups. These capabilities would significantly reduce manual effort and save time for operational teams. Additionally, the inclusion of an AI-powered co-pilot mode to assist with configuration optimization and support prompt-based configuration would be greatly appreciated.
The primary area for improvement would be the configuration process. While Check Point NGFW is not inherently difficult to configure, it might be intimidating for newcomers. Other products, like FortiGate, are perceived as more intuitive because they are easier to configure from the start. This has led to a perception that may affect market share.
Check Point NGFW should concentrate more on the SMB market, as solutions in this space are not as strong in security. In terms of SD-WAN technology, Check Point's offerings are not as mature as competitors. There are some issues during initial setup, particularly with establishing connectivity with the Infinity Portal.
Senior Client Executive at a tech vendor with 10,001+ employees
MSP
Top 20
Oct 24, 2024
A lot of the other players have a more robust best-of-suite offering versus the best-of-breed offering. Check Point's capabilities are limited from a firewall perspective. Other players are acquiring companies and offering add-ons like CASB or VPN-type capabilities.
Check Point NGFW should improve its user interface to make it more user-friendly and intuitive. Additionally, the issue with link selection on VPNs needs to be addressed.
President of the Advisory Board at a computer software company with 201-500 employees
Reseller
Top 20
Oct 3, 2024
Technically, there is no need for improvement. That said, they need to be more aggressive and protect more of the channels on the commercial side. Additionally, the user interface could be more user-friendly.
Student at a university with 5,001-10,000 employees
Real User
Top 5
Sep 6, 2024
Significant improvements have been made in the product. I started working with the R65 code and then upgraded to R74.40. When they transitioned from R77.30 to R80.x, they made major back-end modifications, switching from a flat file system to Solaris and Postgres. This was a big step that neither customers nor their support staff were fully prepared for. Now, they're adding more features due to the increased flexibility of the new back-end. The main improvement I'd suggest is better preparation when introducing new features. Before releasing, they must train their support staff to troubleshoot these new features. The transition from R77.30 to R80.x was problematic due to a lack of preparation by Check Point, customers, and support.
Head of IT Department at AS Attīstības finanšu institūcija Altum
Real User
Top 5
Aug 9, 2024
The product's support is an area of concern where improvements are required. Sometimes, there are bugs in the software, and the speed at which the product resolves those bugs could be improved. The system is quite complex, and you need to be an expert to get the most benefits, making it an area where the tool could be improved. It would be nice if Check Point could update its own agents, for example, VPN clients or identity clients. I think the product has a very large number of features. The product's price is an area of concern, making it an area where I would like to see some improvements.
IT SecOps Manager at a tech services company with 11-50 employees
Real User
Top 20
Jul 29, 2024
The system's operation could be enhanced. I recommend developing a management console that can more efficiently handle multiple Check Point devices, as we have multiple appliances across different sites.
They just need to improve the technical support and professional services in India. We have received many complaints about them from clients and also face the same issue ourselves.
Sometimes, the firewall doesn't pick up on certain things. If an attacker is clever and uses a low-profile indicator, the firewall might flag an anomaly but not give enough information to decide if it's worth investigating. The threat intelligence component also has challenges. It doesn't always tie alerts to active campaigns or threat actor groups. We often have to do extra work and use other products to figure these out.
Systems Engineer at a tech services company with 11-50 employees
Real User
Top 5
Jul 22, 2024
What I like about Meraki is the whole cloud-managed feature, where it can configure gateways in the cloud and preconfigure it as well. So I don't need to have access to the device or create a configuration in the cloud. And as soon as the firewall comes online connected to the internet, then it downloads its configuration from the cloud. I think Check Point does also have such a solution, but I'm not aware that it's as easy as Cisco Meraki. Sometimes it would be nice if they would have the same possibilities.
During my initial level implementation of Check Point NGFW, I faced issues troubleshooting. The problem was with its command line. Check Point runs on Linux and its command line is Linux-based. However, at the time, I was not familiar with Linux commands, and I invested lots of time in finding the Linux command and understanding the meaning, then went for troubleshooting. It would be very helpful if the OEM provided all the Linux commands in a way that we could easily understand and follow the steps to configure or troubleshoot the issue using the command line.
Senior Network Security Engineer at ITCG SOlutions Pvt Ltd
Real User
Top 5
Jun 18, 2024
We faced many challenges. For example, an issue with the managed view that Check Point has. When clicking on a rule, we are supposed to have a full view of that rule and its log portion. This should show what's passing through the rule, what's coming to the rule, and all of that on a single pane of glass. Currently, the log isn't showing when we click on a particular rule. This might be an issue with an upgrade or something. Because of this, we can't implement anything on the live system; we only have a maintenance window every weekend, and it's hard to troubleshoot within an hour. Another problem is that when we created around two lakhs of Check Point objects on the firewall, it became very slow.
Director at a tech vendor with 5,001-10,000 employees
Reseller
Top 10
Jun 5, 2024
If you check each and every point from this part, you will find some flow in an area, or you will discover another flow in another area. It's unfortunate, and not a usual situation and it is not just for NGFW but for any other tool, making it a disadvantage where improvements are required. For the next release, I would prefer the tool to be more flexible in terms of general deployments because some additional companies must be deployed as a basic one. For those who have been working with their solutions for a relatively short amount of time, it would be better for the tool to offer an adequate knowledge base, not just very superficial information, or maybe not too much in that spot, something like average stuff. The tool should be more flexible in terms of deployment, and a more adequate knowledge base should be available. About the UI, it is hard to comment because it has been more or less the same for many years. Professionals have already been using the tool's interface for many years. From a contemporary angle, the tool's interface looks a bit outdated from a UI point of view. The UI has been more or less static in terms of changes for the last couple of years. People can get to the UI and work with it in a couple of months, but compared to any other solutions on the market, which are more flexible and more rapidly evolving, I would say that UI should be considered for improvement.
They should improve integration with third-party security tools and software for a more unified security ecosystem. Enhancing compatibility with various network environments and cloud platforms can be valuable. They should offer more comprehensive support options, including extended hours and more accessible resources. They should provide more extensive training materials and documentation to help users maximize the appliance's capabilities. They should integrate user awareness and training modules within the appliance to educate employees on security best practices.
The upgrade process of Check Point could be simplified to match other products. For some of the MSSP partners, Check Point should personally go and give demos to them. This way, the MSSP can show their clients what Check Point is capable of and what kind of new technologies and features Check Point is coming up with. Adding automation for upgrades and hotfix installation would be a beneficial new feature for administrators from an operations standpoint. Additionally, Check Point should pay more attention to endpoint security; they are currently lacking in that area compared to other competitors.
Network Security Engineer at DMS Electronics (Pvt) Ltd
Real User
Top 10
May 9, 2024
The setup is a little complex compared to its competitors. That's what makes it stand out. Other than that, it could always be done by another product, but they have a lot of IoT products. This is definitely something like a Check Point Quantum device.
The user interface needs to improve and should be user-friendly. The customer of this solution also needs to undergo training to use the solution dashboards, unlike products like Palo Alto. In the next release, Check Point can try to add the DDoS or web application firewall within the overall firewall. If Check Point is able to implement the aforementioned integration within the firewall module, then people don't need to buy each firewall separately. The comprehensive firewall addition will increase the sales volume of any next generation firewall because TCO (Total Cost of Ownership) will be low.
Director of Enterprise Solution at KMD Company Limited
Real User
Top 5
Feb 7, 2024
One area for improvement in Check Point NGFW is the support process. It can be challenging to open a technical support case through the customer portal, often requiring additional steps to open the case.
Check Point could enhance its capabilities further by focusing on global threat intelligence, particularly in addressing zero-day attacks and other unknown threats. If I were to suggest improvements for this firewall, it would involve enhancing its core features. Currently, there are many additional licenses available for purchase, such as DDoS protection, URL filtering, and global threat intelligence. These additional licenses increase the overall cost significantly, as they are add-ons to the base model. It would be beneficial if Check Point included more licenses bundled with the base model, reducing the need for additional subscription charges for essential functionalities.
A lot of things need to be improved in Check Point NGFW. One, their support team isn't very efficient and useful. The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess. Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. And visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, MAC addresses, and sometimes usernames. More granular detail is crucial for security. So support efficiency, visibility, and adding competitive capabilities are key areas for improvement.
There need to be some options for configuring firewall policy based on zone. As it allows creating a flat policy, an explicit deny policy needs to be created in case some policy needs to be dropped.
For example:
You have 4 zones (LAN/DMZ1/DMZ2/INTERNET).
Now you want 1 machine to have full access only to the Internet
Security and Network Engineer at a tech services company with 501-1,000 employees
Real User
Feb 6, 2020
One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, but with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules, why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.
The SmartUpdate interface is a little bit crowded if your company has a lot of software items. As an administrator, one should know how to troubleshoot by issuing related CLI commands before or after upgrading gateways, or the management server, in case of a problem. Hardware problems on Check Point devices, such as those related to NIC or disk problems, may occur at times. In cases such as this, the support team is available and does what is needed, including the RMA process if necessary.
ICT-System-Specialist at an insurance company with 5,001-10,000 employees
Real User
Feb 10, 2020
The Check Point support needs a lot of improvement. We spend a lot of time troubleshooting issues ourselves, create good ticket descriptions, and try to explain in detail what has already been tested. Even so, it takes at least three ticket-updates before support really understands the issue. If you manage to reach the third-level support, you are still forced to be really critical of what kind of suggestions Check Point support is offering you. Running debugs on a test environment is quite different than running them in a heavily used production environment.
One of the biggest disappointments is the GUI. I felt it was a little bit more clunky than some competitors. The screens don't flow as easily as they should. Improving user experience will further elevate this product. The way the management console operates is not user-friendly, either. It needs to become less intrusive. The user experience is not as high as it should be due to the problems with the user interface. The newer products in the range seem to address my concerns, which I have had for even the older products.
Deputy Manager - Cyber Security at a transportation company with 5,001-10,000 employees
Real User
Jan 14, 2020
We would like to see the following improvements:
* Multiple ISP redundancy.
* CPU utilization.
* VPN traffic.
* HA concept, where if we apply the policy in the primary appliance that should be applied to HA appliance automatically.
* The number of bugs has to be reduced.
* The number of false positives should be reduced.
* Threat emulation has to be improved.
* Reporting has to be improved.
Network Manager at a retailer with 10,001+ employees
Real User
Jul 7, 2019
All the advanced features of automation, especially the first installation of tunnels, need improvement. Also, in terms of configuration, in terms of tuning, and fine-tuning the system, I think they do make it a bit hard for users. Right now, we need to teach admins, the network and security admins about system fine-tuning in terms of load balancing between CPUs, assignment of processes. I don't think a network admin or a system admin should deal with it in terms of when we are speaking about the firewall or networking device. It should be automatic.
Due to our unique environment, we have to implement BGP on our firewalls, and the way that BGP is implemented on Check Point Quantum Network Gateways is not intuitive and requires additional custom configuration. This caused a significant delay in our migration. The way that NAT is implemented was also not intuitive and required additional custom configuration. We have also run into an interface expansion limitation, and thus it would be helpful if products lower in the stack would offer more interface expansion options.
The firewall can be improved to make it more user-friendly. The firewall is somewhat not user-friendly as it has many sections and makes it complicated for a layman to understand where to put the policies and rules. The firewall also doesn't save the policies immediately after you save them, which means you need to do one more extra step in order for the new rules or policies to take effect. During my first time handling it, I did not understand why the rules and policies I put in didn't work until I found out that you need to click the install button until it takes effect.
Network security architect at a energy/utilities company with 10,001+ employees
Real User
Top 10
Oct 11, 2023
Check Point could improve the time for delivering requested features from customers. It could be delivered much faster. Also, communication and status reporting for such requests have a lot of room for improvement. After the request, we do not get any information on the status or progress until it is implemented. Looking at the trend in the market which aims for vendor consolidation, the strategy to deliver one vendor SASE could be beneficial for Check Point and its customers.
Technical Consultant at PT. Nusantara Compnet Integrator
Real User
Top 20
Oct 11, 2023
The distributor support capability is quite lacking as the problem/incident is rarely solved on the distributor level and instead escalated to the principal. This makes the troubleshooting process too long and the people involved are too many. Socialization of new licensing or new features can be improved also. Principals and distributors need to work together closely to inform their customers so that we can stay updated about the latest trends and/or threats/bugs that might happen in our Check Point gear.
Junior Cyber Security Analyst | CCSE | CCSA | CC at Security4IT
Real User
Oct 11, 2023
It could be easier to manage the licenses on blades and contracts. If you have a large environment it will take too much time for your team to verify if all the licenses and contracts are correct and work well. Although it is possible to manage licenses using SmartUpdate and SmartConsole, if there are issues, you can only fix them using an expert shell. Simplifying the process would help simplify the daily tasks of administrators.
Flat Earth Networking, Inc. at Cyber Security Engineer
User
Oct 11, 2023
The only thing holding it back is the price. It's too expensive for mid-market companies. There are other platforms that have emerged that have a similar feature set, however, are more difficult to deploy. This is really only a problem for the engineers as the customer doesn't care how many hours the engineer has to put in to make it work in their environment. If the Check Point product came in at a lower price point it would make it easier for the customer to see the value in cost, thus making it easier for us to sell.
Lately, Check Point seems to be pushing new products too early. We have evaluated a few we thought may be useful to us yet were just not ready for enterprise use. Every company goes through this so hopefully, they will slow down and get the products up to speed and working better before trying to bring them to market. The current products that have been around for more than a few years generally do not suffer from this issue, however, their documentation does lag severely when a command changes or says the way to configure it changes. Support generally is up to date, but the KB articles are not always this way.
Network and Security Administrator at CNR-ISTP - Consorzio RFX in Padua at Politecnico di Milano
Real User
Oct 11, 2023
Maybe the VPN clients could be improved, however, only from a cosmetic point of view. They use a very old GUI and should help remote assistance in case of problems to make it more accessible in terms of getting log/debug information. On this, I suggest an approach like ZOOM US, where the application life cycle is clearly defined and users are warned over time. We're in the process of moving to a cloud hybrid solution based on MS Azure, and on that field, quite common nowadays, it seems that more has to be done, moving from on-premise historical deployment. IoT should be considered in future development.
There is a strong demand for security services that can be effortlessly integrated which would ensure that security measures can seamlessly adapt to the cloud infrastructure.
Director, IT Infrastructure Management Department at Enat Bank S.C.
Real User
Top 20
Sep 21, 2023
We implemented our firewall in a clustered configuration with two gateways. We faced some limitations with the Security Management Server (SMS) application. The SMS functionality is restricted as it only supports specific deployment modes on virtualization environments like Microsoft Hyper-V and VMware ESX and Open Server mode. Our organization utilizes a different virtualization setup, and we couldn't obtain assurance from the vendor that they would provide support if we deviated from their recommended deployment methods. That is why we had to deploy the SMS on a separate server, which introduced additional complexity. Improvement regarding the expansion of the SMS's compatibility to include various virtualization environments would be beneficial. Also, when attempting to enable SSL offloading mode, we faced functionality issues. This feature should be enhanced to ensure seamless SSL offloading, without negatively impacting the core functionalities such as HTTPS and content filtering.
They could improve by lowering prices. The source package is a bit more expensive than its competitors. We've had some downtime issues. It could be more generalized and user-friendly in terms of its support portal for raising tickets. Ads management should all just be on a single click. Overall Check Point NGFW is highly scalable and provides end-to-end resolution and a wide range of customized productive services with a huge community and team behind it.
The best improvements to be considered are:
* Improvements in the time and attention given to solutions for generated cases.
* Licensing that is more comfortable and affordable. Currently, some prices are very expensive.
* In terms of language in the application, they could better facilitate the handling of others.
Application Developer at Capegemini Consulting India Private Limited
Real User
Top 20
Feb 15, 2023
Check Point NGFW Firewall requires frequent updates to build more user-friendly dashboards. They need to begin the implementation of more active VPN support. A few services of Check Point NGFW require immediate improvements, like the customer support portal and the ads management on the platform. These services need to be improved to help ensure mass adoption of Check Point NGFW. Check Point NGFW protects from all types of internal and external attacks, and it is easy to use.
Information Technology Specialist at Tech Mahindra
Real User
Top 20
Jan 26, 2023
Check Point Next Generation Firewall requires frequent updates. They need to build a more user-friendly dashboard and have the implementation of more active VPN support. Apart from this, Check Point Next Generation Firewall customer support service needs to be improved. They need to offer quicker resolution and maintenance during downtime. Check Point Next Generation Firewall protects from all types of internal and external attacks and is a must-have software for professionals and organizations.
One of the problems that must be corrected is the latency that the GUI presents when entering. When the CLI is used, it does not show us all the connections. For beginners of Check Point, the learning curve is quite steep. They should give more material or courses to companies that purchase this product so that they become familiar from the first time they use it. They should also feed more information to the knowledge base and make it more orderly since it is difficult to find didactic material. They must improve the technical support.
The current features have a full set of security models that can protect any organization's information from ransomware attacks. When installed on Windows, the system with low storage space slows down. It is not compatible with all mobile devices and this may be unfair to some users. The next release can be more compatible with Windows and mobile devices for increased efficiency. I have experienced the best environment while working with this platform. All the data across the transactional records is ever secure under Check Point NGFW and I am proud of that great step ahead.
Innovation is one of the most important things they must adhere to. I have liked seeing how innovation evolves and how security teams protect themselves proactively while always being efficient. Hopefully, in the future, these will be much more plug-and-play and orchestrated from a single administration console. Today, I am learning a lot about the cloud. I know that this is one of the solutions that can be placed in any cloud, so we will soon see if it will continue with the virtualization of Web3 equipment.
Senior Network Security Engineer at a consultancy with 10,001+ employees
Vendor
Top 20
Oct 3, 2022
The study material and training need to be improved and become more accessible to security engineers working with Check Point. There needs to be advanced troubleshooting. The configuration might get a little bit too complex for regular engineers, compared with easy administration. We've encountered a few limitations when trying to accomplish simple tasks required by customers. For example, changing a domain name inside an MDS environment or missing a function in the database which removes the domain object completely from the database. There are plenty of bugs that are not documented, or with too generic error messages.
We have been using CheckPoint NGFW for quite some time now, and the only thing that could be improved is the upgrade procedure and the frequency of the hotfixes we get. We have this deployed in multiple sites globally and managed via the central management server. The upgrade is something we would like to be improved in the future as the frequency of hotfixes is too much, and by the time we finish the one round, we already have the new version released and are required to upgrade. We would like to see some improvement in this area.
The Next Generation Firewall (NGFW) Configuration Guides in XL cluster are very complex and other guides should be reviewed to validate configuration references. They should be updated for new versions. Something worth mentioning is the need for Spanish support and better representation for teams in the Latin American area. There is a growing demand for these IT services and new technologies. Its guides are identical to the existing ones. It would be more pleasing that these guides be updated and improve their design. Give it a try, and it will help you more in these times when users are more remote than local.
This is something that doesn't directly affect us. However, I know VMware is not supported by the platform. Also, it seems that plenty of features you may not know even exist unless you do some extensive, deep digging as they're not coming up in the initial configuration, so you have to go through the documentation to realize their existence. Support is really good, so you may rely on them to learn more about these coded features I'm talking about, also to make the proper calibration for the rules/policies you're applying as they may not turn the results expected from the first config.
Information Technology Security Specialist at AKBANK TAS
User
Jul 24, 2022
There are parts that are still on the SmartDashboard screen and that condemn you to use it, which should be removed and moved to the SmartConsole interface, which is the main screen. In addition, when you want to open the gateway by double-clicking on the interface, sometimes it can cause silly problems such as freezing. To fix these problems, Check Point needs to get rid of the SmartDashboard screen completely. Also, there is a need for performance improvements in the interface so that when the data and rulesets are large, there is a need for performance improvements in the next versions.
Cybersecurity Operations Engineer at a tech services company with 201-500 employees
Real User
Top 20
May 23, 2022
The routing rules and some more network settings should be listed on the Check Point Smart Console instead of GAIA Web GUI. It might be a little bit confusing when an administrator remembers the location of the settings. Also, it is hard to manage the settings by always jumping from GAIA Web-based graphical user interface to Java based Smart Console dashboard. Also, Check Point Next Generation Firewall has a very detailed and well-organized CP view on the console on both CLISH and expert (/bin/bash) shells; which gives an administrator a real-time monitoring option on the console.
It would be best if the security management server console access is simpler for ease of management. System administrators find it really difficult for the management settings to incorporate easily. Most administrators nowadays are looking into something that offers easy access to a management console or GUI. I could not think of other areas for improvement. This is the firewall that I liked the most among other vendors in the market. It's by far the best firewall in the security industry.
Junior Security Engineer at PT Kereta Api Indonesia (Persero)
Real User
May 3, 2022
The network automation and security automation could be better. We need integration with more third-party security solutions. We need two-factor authentication solutions for the virtual private network solution. We need a firewall or NGAV/EDR with lightweight resources that is still powerful for blocking and preventing attacks and malicious activity. We need enhancement for our perimeter for our security zone, especially for network access control with portal authentication.
Engineer Security Management at BT - British Telecom
MSP
Apr 30, 2022
Pricing for the gateways is too high as compared to the other vendors. Whenever any issue comes up, Check Point support asks to keep the gateway on the latest hotfix and OS, which is difficult to roll out on all the gateways present in the customer environment.
As a small business, IT expenditures are always a tough call and hard sell. With every business connected to the internet these days, firewalls and threat prevention are very important for any business of any size. Check Point's small business devices are a great fit for most any business. However, including some sort of menu or grouping for VOIP would help the small business area that has limited support. Check Point support is very knowledgeable and can also help in this area as they've helped our business evolve as well.
Senior Solution Architect at a comms service provider with 51-200 employees
Real User
Mar 15, 2022
Check Point NGFW could improve by introducing machine learning and more modeling dividing the way they manage the ports. However, they have evolved over the last year.
Check Point should improve services related to the cloud-based solution. Due to these challenging times, most organizations seek to move to cloud-based implementation to minimize the cost and for easy deployment, access, and remote support. The Next-Generation Firewall should also be focused on zero-day threats as attacks have improved the past few years. They need to ensure that all connections and nodes are being protected. Sandblast technology is also a good tool as it offers enterprise solutions on malware detection and prevention.
For the migration for Smart-1, I wish the security policy could allow for a migration per gateway. There needs to be more storage space for reporting. The storage is always full if the reporting feature is on. We need HA for Smart-1. The traffic tracking (logs view) needs to be more accurate. Some traffic is often not in the logs view. We'd like to have a more user-friendly menu for importing VPN users. There needs to be more compatibility with SIEM. It would be great if we could join domains with more than one Active Directory server (active-active). There needs to be an easy menu for export backup configuration (the current menu always has an error). The signature information needs more detail. We need to know current update versions and on running versions.
IT Security Administrator at a tech services company with 51-200 employees
Real User
Jan 20, 2022
Sometimes there are security bugs, which is frustrating. Right now, we have a problem with DLP and this problem has become very big. Check Point, our firewall, is not handling data properly. There seems to be some sort of security bug.
It's nearly impossible to add an exception for threat prevention services - like antivirus and anti-bot. You will be stuck with Indicators of Compromise marked as detect only, caching issues, and random effects. There is no clear way to report incorrect classification to support and a business is neither happy nor forgiving when they cannot receive mail from a crucial business partner. The KB articles should also be improved as all the global KB articles do not provide all the activity steps related to every issue.
Sometimes the KB article does not include all the steps. There is a chance for improvement in the content of global KB articles. It's nearly impossible to add an exception for threat prevention services - such as antivirus and anti-bot. You will be stuck with Indicators of compromise marked as detecting only, caching issues, and random effects. There is no clear way to report incorrect classification to support. Sometimes we need to find a resolution by ourselves as the solution's knowledge base is not enough.
We are also working on load balancers. We don't have the option to work more with load balancers, we would like to see what else can come out of this in terms of security. Technical support and scalability both require improvement.
Senior Infrastructure Technical Analyst at https://www.linkedin.com/in/robchaykoski/
User
Nov 22, 2021
I would like to see better Data Leakage protection options and easier-to-understand deployment models for this. I have been working with DLP for a while now and find that other vendors seem to be doing better at this. That said, having to deploy another solution adds other costs. Some error messages could be better and more specific. The days of generic error messages should be over by now to allow faster, better insights into fixes for any traffic-related problems. Some of the sizings of firewalls for deployment seem not exact and require some tweaking based on real-world traffic and connectivity types (for example, PPPoE).
While not being cheap, their pricing models are competitive. In the pricing structure, however, they need improvement. I would love to see an SSL offloading feature that is not there right now. I am following many forums related to Check Point and it seems like they are going to launch it very soon. SSL Offloading will be very helpful for NBFC and for financial institutes. The Check Point NGFW OS is a historically grown OS. It has been on the market for a long time and has many releases. It is a very complex system. All features are done in software - no extra hardware chips are installed.
Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release. The only downside to Check Point is, due to the vast expanse of configurable options, it does become easily overwhelming - especially if you're coming from a small business solution like Draytek. Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software.
Snr Information Security Analyst at The Toronto Star
User
Nov 19, 2021
Support for customers really needs to improve. Check Point also needs to create a study license that will enable the customer to install a firewall (maybe with reduced connectivity) for a bit longer so that one can simulate scenarios without having to re-install it every 15 days. We had a lot of problems with the VPN blade on the solution. We sometimes have trouble with the performance of the solution. Maybe some performance tuning options could be added in a future release. Check Point needs to create a certification program that involves practical applications.
Product-wise, I have no real complaints. Potential improvements could be made around simplifying VPN functionality and configuration. The main area that the organization can improve is around the lack of local, in-state technical support. Competitor vendors have a strong presence in the Adelaide Market, however, Check Point has always been limited with its commitment to staffing local technical resources. If this focus is made, I could see Check Point returning to the strength that it once had in the Adelaide market.
The anti-spam needs improvement. A weakness with the Check Point solutions is the anti-spam, as they have a partnership with some solutions for anti-spam. They should have their own solution. We have email provided through Office 365 and they have their own way to fight spam and, due to this, we haven't bothered looking into anti-spam options. That said, Check Point is the most adapted to our necessities. I consider the price of this solution high. It is very good, however, the prices are high - it's like buying a car.
In earlier versions, it was a bit hard to do migrations of Multi-Domain Servers/CMAs, nowadays, with +R80.30 it has gotten much easier. I cannot really think of many things to improve. One thing that could be useful is to have a website to analyze CP Infos. This way, it would be much faster to debug problems or check configurations. Another thing not very annoying but enough to comment on is when preparing a bootable USB with the ISOMorphic (Check Point's bootable USB tool), it gives the option to attach a Hotfix. However, this usually causes corrupted ISO installations. One thing to improve is the VSX gateway. It is quite complex to work with VSX and they are quite easy to break if you aren't familiar with them.
Senior IT Security Manager at a manufacturing company with 201-500 employees
User
Nov 18, 2021
Some features, like the VPN, antispam, data loss prevention, etc., are managed in an external console. In the future, I'd like all features in the same console, in one place, where we can see and configure all features. I'd like a web console so that all firewalls can be managed from a web browser and we don't need to be installed on dedicated consoles and applications. I use the web console to manage the Gaia software in the firewall and it would be nice to also have policy management inside the web browser.
One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.
The SmartEvent blade has a huge number of security events/logs. We are trying to find correlation with the help of the SmartEvent blade, however, it may impact the performance of our Check Point management server. It requires additional licenses for Check Point management servers. It should be inbuilt within the management server. With the increase of volume of traffic, the required resource/hardware to properly run goes up. Therefore, the hardware engineering to architecture flow has to be more efficient.
I think the price of this product could be improved - other solutions are cheaper in comparison. In the next release, I would like to be able to perform sandboxing to check email attachments and information sent through the cloud for viruses.
Check Point would do well to add new features such as UEBA (User and Entity Behavior Analytics). They should also improve on the effectiveness of their antivirus. It should be more effective than competitors.
CP NGFW can't create redundant IPsec tunnel with other OEM firewalls.
Log size is too high. I believe there is scope for improvement there.
Difficult to migrate a configuration from other OEM firewalls.
And I feel the licensing is over complex - can be simplified.
Changes in the future version: Simplified Licensing, Zone-based policy prep options, more flexibility around IPSEC, Connectivity with other OEM firewalls.
The appliances are quite intuitive and easy to be used. The hotfixes are useful and often released with notifications sent to the client. There have been a few requests/issues about the Identity Awareness feature. The connection to AD, which was a request from the user, required the TAC team's support.
IT System Operations Manager at Hamamatsu Photonics KK
Real User
Oct 13, 2021
The pricing is on the high end, specifically with the software licensing, although they are flexible on some levels, and offer hardware buyback options when upgrading. The software licensing model is too complicated with all the various tiers of SKUs (i.e. per software blade). They need to simplify this for easier purchasing and renewing. Customer support is not always as responsive with solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.
Overall, this is a great system, and I'm struggling to come up with things that I think should be improved. I have had some issues in the past with the desktop client being slow to come up for logging in, and then slow to respond to screen changes, however, overall, it really hasn't been too bad. For additional features in the next release, I would like to see more change functions available in the new Web GUI version. This is still a new offering from the company, therefore, I can only assume it will get better as customers make suggestions/requests.
The functionality of the S2S VPN service has been temperamental for us at times and is not always simple to manage or check the state of. We find the GUI to be wrong and the CLI doesn't always show all of the connections. From a general usability point of view, if you have not used Check Point before, the learning curve is steep. Perhaps managing and configuring the devices could be streamlined for people with less experience so that they can pick it up quicker. There needs to be extra wizards for the out-of-the-box builds.
One area which is still lacking is the site-to-site VPN solution. This is still an area that could be improved, although the features have gotten much broader and I really have seen an improvement over the last 10 years of working with the product. The separation from encryption domains between the tunnels came recently as a new feature to the product. This really helps a lot. Yet, we are still seeing a lack of compatibility with other devices, even though this is the case with many vendors. Especially with IKEv2, we are struggling with many vendors to set up perfectly running tunnels.
Voice and data infrastructure specialist at a tech services company with 1,001-5,000 employees
User
Oct 5, 2021
One of the challenges we have had with Check Point during the COVID pandemic is that, for some reason, all our home office workers who connect to a particular FW are randomly disconnected, and then it does not allow them to connect again. One of the ways that we have solved this is by restarting the FW. However, answering the question, when we open a ticket with Check Point, it has not been able to solve that failure, and on several occasions they ask us to approve that failure when it no longer exists, which doesn't make sense, because they always connect and get the logs from the server and never find anything, and the only thing they suggest is that we install the JHF or do an upgrade, which doesn't make sense either since we are on the R80.40 version. On some occasions we thought it was the hardware or the internet, but we have created reports with the internet and chassis providers (Dell), since it is a virtual platform, but they have not found anything. We currently have 7 Check Point firewalls in a centralized way, and of all of them only one has presented this problem on several occasions. I think that if Check Point would work more on those reports or do something more than just ask for the logs and then say that they did not find anything, they would be more complete and they would not have more competition from the product.
The predefined reports are limited and should provide more information. Check Point should provide a greater number of defined reports and produce reports for each division of the organization. Also, historical statistics cannot be obtained from the central console, the data or logs must be exported to another machine and processed from there to obtain this historical information. The number of available physical ports could be increased and Check Point could add support for higher speeds.
In some features, it is not easy to use the Check Point firewall. The IPSEC VPN setup is not easy to configure. In some cases, if the VPN is not established, it is very hard to troubleshoot the configuration. It does not address the problem well. The upgrading process takes too much time.
Network Security Administrator at a financial services firm with 10,001+ employees
Real User
Sep 22, 2021
The product can be improved with fewer hotfixes, and if more generally available jumbo hotfixes were used. We don't often hit bugs. It's perfectly normal for an NGFW device as other vendors are always fixing bugs too. However, when we hit a bug, the support team recommends some hotfix, and if we upgrade to that, we have to uninstall it before we apply some newer jumbo hotfix. If those fixes were included in a fast manner in the jumbo hotfix (as jumbo hotfixes are tested thoroughly for general availability), it would be ideal.
If you have a long ruleset, you may experience performance issues on the GUI, and installing rule changes on gateways can take a comparatively long time. If you use Check Point firewalls for a long time, it is inevitable to have long rulesets over the years. The need for using different GUI applications for different versions can be confusing. A backward compatibility feature for smart console versions could be useful - especially if you are an enterprise customer, you probably need to use different versions at the same time.
It takes a while to install the rules so that if you make a mistake you can only fix it after a few minutes. There's no problem with traffic processing. Sometimes you are forced to interact on several levels: on the one hand, you put in the rules, and on the other, you put in the route. The predefined reports are few and it would be nice to increase them since the logs are excellent. In my work experience, I have been able to use multiple firewall platforms. There are only two valid ones for me and one of them is definitely Check Point. The others charge less but there is a reason for that. It is a good idea to think carefully before rather than after you suffer from a serious attack.
While the solution is good, we wish to have something that is a bit better, as the threats have evolved over time. We have been using Check Point for more than eight years and are interested in a better solution. We entered a review site which ranks top security firewalls and saw that Palo Alto is ranked number one, followed by Fortinet, with Check Point in the lead. We noticed that Palo Alto was much more expensive than Fortinet, but wished to know which key features differentiated the two. Though we did not take issue with the price of Check Point NGFW, we felt that it was providing us with inadequate support here in Uganda. This is why we decided to switch solutions. I should note that I do not have a technical background and am responsible for procurement. The value we were getting for our money was an issue. I work for a bank for which security is very important, but we were not being assured of the appropriate support. The licensing fees we were paying did not equate with adequate local support. We had already had a bad experience with Check Point, so we did not bother with a quote from it and, instead, got one from several local companies that can support either Palo Alto or Fortinet.
IT Security Manager at a retailer with 10,001+ employees
Real User
Aug 10, 2021
The solution could improve by keeping more up-to-date with technology. For example, if Amazon releases something in the security field, Check Point should have integration or adoption of this feature a bit faster than it is today. Sometimes we can hear a lot of the marketing information about an attractive feature, which we would like to have, but the feature will be released in two years. This timeframe should decrease.
Works at a financial services firm with 10,001+ employees
User
Jul 14, 2021
To be very, very honest, I do not see any major gap or improvement area for any of Check Point Cybersecurity solutions, whether your enterprise is cloud-based only, on-prem (Private cloud or Legacy infrastructure), or hybrid infrastructure. Check Point's solutions are highly cost-efficient, have low OPEX costs, are very stable, are safe and secure, and help maintain the enterprise's security posture. Check Point's security solutions are a cut above the other vendors, not just today but for the last 30 years. Without having to mention any gaps, Check Point's development team works hard to stay ahead of technology in the cybersecurity space. I feel the only thing that I see as a possible improvement in Check Point software is the lack of ability to create "static discard routes" which makes it difficult for NAT ranges to be advertised via BGP to neighbors. Although Check Point has an alternative of creating a dummy interface to introduce "directly connected" routes for NAT ranges so that they could then be advertised up/downstream, having the ability to do so using "static discards" would be a great thing to have.
IT Manager at a comms service provider with 51-200 employees
Real User
Jun 25, 2021
I do prefer to manage everything from only one point of entry/one application. Some things can only be configured from the smart console and others from the smart dashboard. This is the only handicap in this solution. It would be ideal to manage everything from one central place. Instead of using a Windows application to manage the equipment, it would be better to use a web app to configure the solution from a browser. I know that it's not as powerful (you can't do everything from there), but then we could manage the solution and troubleshoot from any device. It's faster to see the event logs on a webpage than it is to see them in the smart console.
Manager - Datacenter IT at a manufacturing company with 10,001+ employees
Real User
Jun 15, 2021
Check Point solutions have always been more complex to deploy than their competitors. There may be multiple scenarios where we may need to engage support, however, the customer support is very good. There are certain features that are only possible from the command line (e.g. packet captures) and it would be good to integrate everything into the GUI to reduce the learning curve for newer engineers. Finally, it can be a costlier solution - especially for the smaller firewalls as compared to the competition. It would be beneficial to have more training options or documentation as well.
The end-user VPN could be improved. It could benefit from some modification. The VPN timeout feature needs to be improved. When we try to connect to the VPN, it times out before we can even enter our user name and password. If you can't prove you are who you say you are within seven to ten seconds, it just kicks you out.
Security Solution Architect at a computer software company with 11-50 employees
Real User
May 26, 2021
This solution requires management software that is sold separately; it's actually a different appliance altogether. For smaller customers or smaller environments, this becomes an added entity in the environment. Not to mention, they'll also have to invest a lot in the necessary management stations. If that came built-in, it would really benefit smaller businesses. The performance when you enable decryption could be improved. That's a CPU-intensive task. Many customers struggle if they try to implement decryption — it can really hamper the performance. It's probably something to do with the appliance or the hardware design. This needs to be examined further.
Their technical support can be better. In addition, when we need to use it in a government environment, we face a lot of legal issues related to different types of certifications. It would be better to improve it for these issues. Check Point doesn't have a SOAR system. They work with Siemplify, but it is an integration with another vendor. It would be great if Check Point has an integrated SOAR system.
They have few predefined reports and it would be nice to increase them since the logs are excellent. They should be quicker to release fixes for known vulnerabilities, including those related to Microsoft products. If you make a mistake when creating rules, it is time-consuming to fix them. However, there is no problem with traffic processing. Sometimes you are forced to interact on several different levels. On the one hand, you put the rules in, and on the other, you put in the route.
Network Security Engineer at a consumer goods company with 201-500 employees
Real User
May 17, 2021
This firewall is difficult to manage and use when you first begin using it. However, once you are used to it, the interface is comfortable and easy to use. The Smart Control feature is hard to install. In the future, I would like to see more features in the unified security management platform.
Network security engineer at a tech services company with 1,001-5,000 employees
Real User
May 14, 2021
The web filtering and CLI commands need to be improved. The CLI command is very difficult to deploy. If you are an engineer and considering configuring through the command line, you can't. The command line is very difficult to use, which is one of the biggest drawbacks of this solution. The initial setup could be simplified. Technical support is another big drawback and needs to be improved. In the next release, there should be improvements made to the sandboxing functionality.
AVP - IT Security at a tech services company with 51-200 employees
Real User
May 10, 2021
There is a scope of improvement in detecting zero-day threats using the SandBlast technology, by introducing emulation of Linux-based operating systems. We have also observed issues while using the products with SSL decryption. There is room for improvement in application-based filtering, as with other firewalls available in the market today. Check Point has improved its application filtering capabilities in the recent past and their latest version, R80, is more capable but still, creating an application-based filter policy is a little cumbersome.
I would like to see the provision of an industry-wide and global benchmark scorecard on leading standards such as ISO 27001, SOX 404, etc., so as to provide assurance to the board, and confidence with the IT team, on where we are and how much to improve and strive for the best. Although Check Point provides annual updates to the Gaia platform, integration with other OEMs is difficult. This integration would be helpful in providing a full security picture across the organization. I am looking forward to the go-ahead of R81 with MITRE framework adoption in the future.
IT Security & Networks Administrator at a financial services firm with 1,001-5,000 employees
Real User
Top 10
May 7, 2021
I would like to have an improved secure workspace solution for remote access. I hear that the Apache Guacamole solution has been integrated into R81. The site-to-site VPN options are numerous, but they can get confusing. Interoperability with other vendors is not the strongest when it comes to setting up VPNs. It's totally different from any other VPN vendors I have come across. Improvements are needed in policy backups and reverting to the previous policy. This used to be better in R77.30. Policy installation tends to take a long time when the rule base increases in size, which can become frustrating.
Check Point should include additional management choices; for example, Check Point does not offer full management support via browser. You should use Check Point Smart Console for management, although it is an EXE and is supported only on the MS Windows platform. If you are using Linux or Mac, you cannot manage Check Point. Instead, you need to use a virtual PC with the Windows OS installed, running inside Linux or Mac. Check Point states that this is a decision made for security reasons, but that certain management features can be done through the browser, although not fully.
CTO at a computer software company with 11-50 employees
Real User
May 5, 2021
When first looking into the Check Point offerings, it was fairly confusing trying to determine the differences between the different offerings. Specifically, SMBs versus other models, and which one would work best within my environment for my use case. I think we ended up in a good spot after speaking with a reseller in the area, but it would have been nice to be able to get there independently. The WatchTower app that can be used to access the SMB appliance remotely is a nice touch, but it doesn't allow for many actions to be taken and therefore is relegated to mostly notifications. At that point, it requires me to gain local access to go further. It would be nice to add more features to the WatchTower app to be able to perform certain administrative functions without the need for local access.
The one thing I have been continually asking for is a more robust certification process including self-paced study material similar to Cisco's Security certification track. Not everyone can afford the time and money to attend the official in-person classes offered by Check Point. Even if someone was not interested in fully pursuing a certification, offering certification guides is often a method that IT professionals follow in order to learn about a specific topic and keep for reference. An area that I sometimes find lacking is the information provided by the system when performing troubleshooting issues such as site-to-site VPN tunnels. The logs provide general information regarding what is happening but often, it leaves you wanting additional details. This also ties back into the lack of training and knowledge required to utilize the more advanced features of the command line.
The one area that I would like to see a change in is policy installation. Right now, with a larger user database and a high number of rules, it takes a bit of time for policy installation. There is definitely some improvement in the R80 version; however, I believe that it should not take more than one minute to refresh the database. Also, there is a significant spike in gateway resource utilization during policy installation. The additional blades have an impact on resource utilization, hence there is scope for improvement here too.
This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access. For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.
Source: User machine; Destination: any; Port: HTTPS; Action: allow (for allowing the user's machine access)
This has to be done along with the below policy:
Source: User machine; Destination: Other Zone created on Firewall; Port: HTTPS; Action: block
The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall.
The firewall throughput or performance reduces drastically after enabling each module/blade. It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.
Geography and History Teacher at a comms service provider with 10,001+ employees
Real User
Top 10
Mar 26, 2021
The number of physical network ports on the device should be increased to allow for greater capacity. Another point of improvement would be to continue improving the integration line with our current NAC solution in order to exchange more attributes and increase the granularity of the implemented policies.
Using the tool is somewhat complex when teaching new staff, although after practice it is quite easy to get used to this technology. One of the improvements that could be included is to have a help menu to obtain advice or help for the different options that are presented in the application. The equipment is complex, so you need guidance from specialized people or those who constantly work with Check Point. Better forums and information manuals could be provided so that users from different institutions can have more access to the information.
Senior Network Engineer at LTI - Larsen & Toubro Infotech
Real User
Mar 18, 2021
Configurations can be complex in some situations and need experienced engineers for managing the solution. Integration with a third-party authentication mechanism is tricky and needs to be planned well. SmartView monitor can be enhanced to display granular details of gateways with a single click. Also, having the ability to generate alerts from the Smart Monitor would be a nice feature.
Several of the security modules, including IPS, URL Filtering, and Anti-Virus, are based on HTTPS inspection, losing relevant security capabilities if you don't implement it in your network. This means that to be able to take advantage of the full security stack, you're going to have to inspect traffic, break the tunnel, and manage different SSL certificates. Although this is not a limitation of the product itself but the technology, where other vendors are impacted the same way, it is useful to take this into consideration as you can adjust the capacity of the systems adequately.
Technology consultant at a tech services company with 501-1,000 employees
Real User
Mar 15, 2021
Check Point has both GUI (Graphical Interface) & smart dashboard, but it will be better if it sticks to either one of them. A threat prevention policy needs to be created in a different tab but instead, if those policies could be related to access policy then it will be easier to apply the threat prevention to our relevant traffic. One of the most complicated aspects is the VPN Configuration, which should be simplified in future releases. The monitor tab should have a VPN tab, where we can see the current tunnel status.
Network Security Engineer at a tech services company with 10,001+ employees
Real User
Mar 4, 2021
There are two major areas that need to be improved. The study material for Check Point needs to be improved, as well as the cost for certification. One of my friends recently completed the certification and it was costlier than other firewall security certificates. The reports are generally good but there is not much control. We would like to have more filters. Essentially, we want more granular reporting.
Network Security Engineer at a tech services company with 10,001+ employees
Real User
Mar 2, 2021
The antivirus feature is a little bit weak and should be improved. The updates are not as regular when compared to other firewalls, such as Palo Alto. The training materials and certification process should be improved. For example, the certificates are more expensive and there's no good training available on the internet right now.
There are issues with stability in some specific versions. The VPN is a little difficult to configure, and sometimes you need help from Check Point professional services. There are some performance problems with the IPS when the FW is in a high load, but in general, it is working better than in previous versions. The routing is configured on the gateway, so, you need to remember for migration purposes. The virtual infrastructure of the central management requires a huge amount of resources to work properly and manage all the logs without problems.
Check Point Quantum Force NGFW provides centralized management with scalable security for network perimeters. As a reliable firewall, it ensures advanced threat prevention and offers seamless integration, making it suitable for various network environments. Offering comprehensive security, Check Point Quantum Force NGFW helps control ingress and egress traffic, secures data center firewalls, and integrates seamlessly with cloud and on-premises setups. Users appreciate its application control,...
I don't want to add more about the needed improvements apart from what I have mentioned.
Check Point Quantum Force (NGFW) could be improved in terms of licensing and product box and deployment complexity.
Documentation for Check Point Quantum Force (NGFW) can be improved, especially the KB, knowledge base, for some parts of the configuration.
Check Point Quantum Force (NGFW) could be improved by making its pricing more reliable since sometimes it feels the price is a little bit high. There are no needed improvements for Check Point Quantum Force (NGFW) right now since everything looks perfect for the security features and the gateway.
While the Smart Console is powerful, I find that it can feel heavy and slow with a large rules base, where a simple policy change sometimes takes longer than expected, impacting agility in a fast-moving environment. The licensing and advanced feature add-ons, like SandBlast, require separate licenses, adding complexity to budgeting and license adoption. Additionally, these challenges can lead to slower response times for urgent changes due to extra coordination for licensing procurement and time spent.
Check Point Quantum Force (NGFW) could be improved by streamlining the licensing process a bit. The challenges with the licensing process come from its complexity.
The issues with Check Point Quantum Force (NGFW) are mainly related to reliability. It depends significantly on the hotfix version of the gateway. You could end up with a version that's stable or unstable, or for example, stable for one scenario, but then in certain specific scenarios, it becomes unstable and creates an issue. This requires contacting support, discussing with R&D, and verifying if there is a new version or custom fix to install.
At the moment, I haven't any ideas on how Check Point Quantum Force (NGFW) can be improved.
I find that the licenses are a bit expensive compared to other vendors, and while the price is justified, at times, renewing them becomes a bit painful, so if it could become a bit more budget-friendly, that would work for me. That licensing issue would be the main area regarding needed improvements.
To improve Check Point NGFW, I would suggest that AI features, such as Auto AI autopilot, would be greatly appreciated because they can automate most of the tedious tasks that take a lot of time. Having features such as AI can make the process easier. A specific task I'd like to automate with AI in Check Point NGFW is adding multiple users, users and address group configuration of address groups and addresses, along with exporting firewall addresses in a certain format. That kind of feature should be there, or if we try to export the data from the Check Point firewall, we get only group address group names without seeing whatever members of the address are included. Check Point should provide the feature of exporting group data with address groups, so when I export address books, only the group name is visible in the Excel file. Instead, it should show the actual members of the groups getting exported. That kind of feature would be appreciated.
When using Azure Boards, it's feature-rich, which can be overwhelming at first; there's a learning curve to understanding all the different functionalities and customizing the workflows to fit our processes. The pricing of Azure DevOps can be complex; it's not always easy to figure out exactly how much you're going to end up spending, and occasionally the UI can be slow, but that's not a frequent problem.
Monitoring graphs for Check Point NGFW can be made better, and that is something I wish worked better.
Check Point NGFW deployment in our organization showed that the initial setup and policy design can be complex, especially for teams unfamiliar with Check Point's architecture. Licensing can be confusing and expensive, so segregating it into a simple format would be helpful. Software updates and hot fixes require compatibility checks to avoid disrupting the production environment.
Performance under load: In high-traffic environments, we've observed occasional performance bottlenecks. Licensing flexibility: The licensing model can be rigid and expensive, particularly for small to mid-sized organisations.
Check Point NGFW could improve by continuing innovation and enhancing integration with popular SIEMs. More granularity and control for threat prevention, especially on the OT side, would be beneficial.
The product could benefit from improvements in simplifying policy management and minimizing false positives in threat prevention. Future releases would be enhanced by the addition of advanced reporting dashboards and deeper integration with third-party security solutions. AI-driven features would be highly valuable—particularly those that enable bulk operations and efficient handling of large numbers of objects or object groups. These capabilities would significantly reduce manual effort and save time for operational teams. Additionally, the inclusion of an AI-powered co-pilot mode to assist with configuration optimization and support prompt-based configuration would be greatly appreciated.
The initial setup was a little complex, but Nutanix support helped us through the process. Also, licensing can be a bit complicated.
Pricing is high, but it's worth it. That's the main one.
The primary area for improvement would be the configuration process. While Check Point NGFW is not inherently difficult to configure, it might be intimidating for newcomers. Other products, like FortiGate, are perceived as more intuitive because they are easier to configure from the start. This has led to a perception that may affect market share.
Check Point NGFW should concentrate more on the SMB market, as solutions in this space are not as strong in security. In terms of SD-WAN technology, Check Point's offerings are not as mature as competitors. There are some issues during initial setup, particularly with establishing connectivity with the Infinity Portal.
A lot of the other players have a more robust best-of-suite offering versus the best-of-breed offering. Check Point's capabilities are limited from a firewall perspective. Other players are acquiring companies and offering add-ons like CASB or VPN-type capabilities.
Check Point NGFW should improve its user interface to make it more user-friendly and intuitive. Additionally, the issue with link selection on VPNs needs to be addressed.
Technically, there is no need for improvement. That said, they need to be more aggressive and protect more of the channels on the commercial side. Additionally, the user interface could be more user-friendly.
Significant improvements have been made in the product. I started working with the R65 code and then upgraded to R74.40. When they transitioned from R77.30 to R80.x, they made major back-end modifications, switching from a flat file system to Solaris and Postgres. This was a big step that neither customers nor their support staff were fully prepared for. Now, they're adding more features due to the increased flexibility of the new back-end. The main improvement I'd suggest is better preparation when introducing new features. Before releasing, they must train their support staff to troubleshoot these new features. The transition from R77.30 to R80.x was problematic due to a lack of preparation by Check Point, customers, and support.
Service support can be improved.
The product's support is an area of concern where improvements are required. Sometimes, there are bugs in the software, and the speed at which the product resolves those bugs could be improved. The system is quite complex, and you need to be an expert to get the most benefits, making it an area where the tool could be improved. It would be nice if Check Point could update its own agents, for example, VPN clients or identity clients. I think the product has a very large number of features. The product's price is an area of concern, making it an area where I would like to see some improvements.
The system's operation could be enhanced. I recommend developing a management console that can more efficiently handle multiple Check Point devices, as we have multiple appliances across different sites.
They just need to improve the technical support and professional services in India. We have received many complaints about them from clients and also face the same issue ourselves.
Sometimes, the firewall doesn't pick up on certain things. If an attacker is clever and uses a low-profile indicator, the firewall might flag an anomaly but not give enough information to decide if it's worth investigating. The threat intelligence component also has challenges. It doesn't always tie alerts to active campaigns or threat actor groups. We often have to do extra work and use other products to figure these out.
What I like about Meraki is the whole cloud-managed feature, where it can configure gateways in the cloud and preconfigure it as well. So I don't need to have access to the device or create a configuration in the cloud. And as soon as the firewall comes online connected to the internet, then it downloads its configuration from the cloud. I think Check Point does also have such a solution, but I'm not aware that it's as easy as Cisco Meraki. Sometimes it would be nice if they would have the same possibilities.
During my initial level implementation of Check Point NGFW, I faced issues troubleshooting. The problem was with its command line. Check Point runs on Linux and its command line is Linux-based. However, at the time, I was not familiar with Linux commands, and I invested lots of time in finding the Linux command and understanding the meaning, then went for troubleshooting. It would be very helpful if the OEM provided all the Linux commands in a way that we could easily understand and follow the steps to configure or troubleshoot the issue using the command line.
We faced many challenges. For example, an issue with the managed view that Check Point has. When clicking on a rule, we are supposed to have a full view of that rule and its log portion. This should show what's passing through the rule, what's coming to the rule, and all of that on a single pane of glass. Currently, the log isn't showing when we click on a particular rule. This might be an issue with an upgrade or something. Because of this, we can't implement anything on the live system; we only have a maintenance window every weekend, and it's hard to troubleshoot within an hour. Another problem is that when we created around two lakhs of Check Point objects on the firewall, it became very slow.
The pricing and UI need to be improved. The enterprise is quite expensive. There are small boxes that are competitive enough.
If you check each and every point from this part, you will find some flaw in an area, or you will discover another flaw in another area. It's unfortunate, and not a usual situation and it is not just for NGFW but for any other tool, making it a disadvantage where improvements are required. For the next release, I would prefer the tool to be more flexible in terms of general deployments because some additional companies must be deployed as a basic one. For those who have been working with their solutions for a relatively short amount of time, it would be better for the tool to offer an adequate knowledge base, not just very superficial information, or maybe not too much in that spot, something like average stuff. The tool should be more flexible in terms of deployment, and a more adequate knowledge base should be available. About the UI, it is hard to comment because it has been more or less the same for many years. Professionals have already been using the tool's interface for many years. From a contemporary angle, the tool's interface looks a bit outdated from a UI point of view. The UI has been more or less static in terms of changes for the last couple of years. People can get to the UI and work with it in a couple of months, but compared to any other solutions on the market, which are more flexible and more rapidly evolving, I would say that UI should be considered for improvement.
They should improve integration with third-party security tools and software for a more unified security ecosystem. Enhancing compatibility with various network environments and cloud platforms can be valuable. They should offer more comprehensive support options, including extended hours and more accessible resources. They should provide more extensive training materials and documentation to help users maximize the appliance's capabilities. They should integrate user awareness and training modules within the appliance to educate employees on security best practices.
The upgrade process of Check Point could be simplified to match other products. For some of the MSSP partners, Check Point should personally go and give demos to them. This way, the MSSP can show their clients what Check Point is capable of and what kind of new technologies and features Check Point is coming up with. Adding automation for upgrades and hotfix installation would be a beneficial new feature for administrators from an operations standpoint. Additionally, Check Point should pay more attention to endpoint security; they are currently lacking in that area compared to other competitors.
The setup is a little complex compared to its competitors. That's what makes it stand out. Other than that, it could always be done by another product, but they have a lot of IoT products. This is definitely something like a Check Point Quantum device.
The user interface needs to improve and should be user-friendly. The customer of this solution also needs to undergo training to use the solution dashboards, unlike products like Palo Alto. In the next release, Check Point can try to add the DDoS or web application firewall within the overall firewall. If Check Point is able to implement the aforementioned integration within the firewall module, then people don't need to buy each firewall separately. The comprehensive firewall addition will increase the sales volume of any next generation firewall because TCO (Total Cost of Ownership) will be low.
One area for improvement in Check Point NGFW is the support process. It can be challenging to open a technical support case through the customer portal, often requiring additional steps to open the case.
Check Point could enhance its capabilities further by focusing on global threat intelligence, particularly in addressing zero-day attacks and other unknown threats. If I were to suggest improvements for this firewall, it would involve enhancing its core features. Currently, there are many additional licenses available for purchase, such as DDoS protection, URL filtering, and global threat intelligence. These additional licenses increase the overall cost significantly, as they are add-ons to the base model. It would be beneficial if Check Point included more licenses bundled with the base model, reducing the need for additional subscription charges for essential functionalities.
The cost of add-on features is too high.
A lot of things need to be improved in Check Point NGFW. One, their support team isn't very efficient and useful. The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess. Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. And visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, MAC addresses, and sometimes usernames. More granular detail is crucial for security. So support efficiency, visibility, and adding competitive capabilities are key areas for improvement.
The product's technical support services need improvement.
There need to be some options for configuring firewall policy based on zone. It allows creating a flat policy, and an explicit deny policy needs to be created in case some policy needs to be dropped.
For example:
You have 4 zones (LAN/DMZ1/DMZ2/INTERNET).
Now you want 1 machine to have full access only to the Internet.
You have to create the policy below:
Allow LAN MACHINE TO INTERNET
DENY LAN MACHINE TO DMZ1
DENY LAN MACHINE TO DMZ2
One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, but with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules, why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.
The SmartUpdate interface is a little bit crowded if your company has a lot of software items. As an administrator, one should know how to troubleshoot by issuing related CLI commands before or after upgrading gateways, or the management server, in case of a problem. Hardware problems on Check Point devices, such as those related to NIC or disk problems, may occur at times. In cases such as this, the support team is available and does what is needed, including the RMA process if necessary.
The Check Point support needs a lot of improvement. We spend a lot of time troubleshooting issues ourselves, create good ticket descriptions, and try to explain in detail what has already been tested. Even so, it takes at least three ticket-updates before support really understands the issue. If you manage to reach the third-level support, you are still forced to be really critical of what kind of suggestions Check Point support is offering you. Running debugs on a test environment is quite different than running them in a heavily used production environment.
One of the biggest disappointments is the GUI. I felt it was a little bit more clunky than some competitors. The screens don't flow as easily as they should. Improving user experience will further elevate this product. The way the management console operates is not user-friendly, either. It needs to become less intrusive. The user experience is not as high as it should be due to the problems with the user interface. The newer products in the range seem to address my concerns, which I have had for even the older products.
We would like to see the following improvements:
* Multiple ISP redundancy.
* CPU utilization.
* VPN traffic.
* HA concept, where if we apply the policy in the primary appliance that should be applied to HA appliance automatically.
* The number of bugs has to be reduced.
* The number of false positives should be reduced.
* Threat emulation has to be improved.
* Reporting has to be improved.
All the advanced features of automation, especially the first installation of tunnels, need improvement. Also, in terms of configuration, in terms of tuning, and fine-tuning the system, I think they do make it a bit hard for users. Right now, we need to teach admins, the network and security admins about system fine-tuning in terms of load balancing between CPUs, assignment of processes. I don't think a network admin or a system admin should deal with it in terms of when we are speaking about the firewall or networking device. It should be automatic.
Check Point NGFW needs to run marketing events. They have also to set up a support center in India.
The tool must improve its support. The support provided by partners gets expensive.
Due to our unique environment, we have to implement BGP on our firewalls, and the way that BGP is implemented on Check Point Quantum Network Gateways is not intuitive and requires additional custom configuration. This caused a significant delay in our migration. The way that NAT is implemented was also not intuitive and required additional custom configuration. We have also run into an interface expansion limitation, and thus it would be helpful if products lower in the stack would offer more interface expansion options.
The firewall can be improved to make it more user-friendly. The firewall is somewhat not user-friendly as it has many sections and makes it complicated for a layman to understand where to put the policies and rules. The firewall also doesn't save the policies immediately after you save them, which means you need to do one more extra step in order for the new rules or policies to take effect. During my first time handling it, I did not understand why the rules and policies I put in didn't work until I found out that you need to click the install button until it takes effect.
It will be good if the product is rack-mounted. The product must be updated to protect users from the latest firewall threats.
Check Point could improve the time for delivering requested features from customers. It could be delivered much faster. Also, communication and status reporting for such requests have a lot of room for improvement. After the request, we do not get any information on the status or progress until it is implemented. Looking at the trend in the market which aims for vendor consolidation, the strategy to deliver one vendor SASE could be beneficial for Check Point and its customers.
The distributor support capability is quite lacking as the problem/incident is rarely solved on the distributor level and instead escalated to the principal. This makes the troubleshooting process too long and the people involved are too many. Socialization of new licensing or new features can be improved also. Principals and distributors need to work together closely to inform their customers so that we can stay updated about the latest trends and or threats/bugs that might happen in our Check Point gear.
It could be easier to manage the licenses on blades and contracts. If you have a large environment, it will take too much time for your team to verify if all the licenses and contracts are correct and work well. Although it is possible to manage licenses using SmartUpdate and SmartConsole, if there are issues, you can only fix them using an expert shell. Simplifying the process would help simplify the daily tasks of administrators.
The only thing holding it back is the price. It's too expensive for mid-market companies. There are other platforms that have emerged that have a similar feature set, however, are more difficult to deploy. This is really only a problem for the engineers as the customer doesn't care how many hours the engineer has to put in to make it work in their environment. If the Check Point product came in at a lower price point it would make it easier for the customer to see the value in cost, thus making it easier for us to sell.
Lately, Check Point seems to be pushing new products too early. We have evaluated a few we thought may be useful to us yet were just not ready for enterprise use. Every company goes through this so hopefully, they will slow down and get the products up to speed and working better before trying to bring them to market. The current products that have been around for more than a few years generally do not suffer from this issue, however, their documentation does lag severely when a command changes or, say, the way to configure it changes. Support generally is up to date, but the KB articles are not always this way.
Maybe the VPN clients could be improved, however, only from a cosmetic point of view. They use a very old GUI and should help remote assistance in case of problems to make it more accessible in terms of getting log/debug information. On this, I suggest an approach like ZOOM US, where the application life cycle is clearly defined, and users are warned over time. We're in the process of moving to a cloud hybrid solution based on MS Azure, and on that field, quite common nowadays, it seems that more has to be done, moving from on-premise historical deployment. IoT should be considered in future development.
The tool’s architecture could be improved a bit. It should provide Single-Pass Parallel Processing. Check Point’s interface is quite segregated.
There is a strong demand for security services that can be effortlessly integrated which would ensure that security measures can seamlessly adapt to the cloud infrastructure.
We implemented our firewall in a clustered configuration with two gateways. We faced some limitations with the Security Management Server (SMS) application. The SMS functionality is restricted as it only supports specific deployment modes on virtualization environments like Microsoft Hyper-V and VMware ESX and Open Server mode. Our organization utilizes a different virtualization setup, and we couldn't obtain assurance from the vendor that they would provide support if we deviated from their recommended deployment methods. That is why we had to deploy the SMS on a separate server, which introduced additional complexity. Improvement regarding the expansion of the SMS's compatibility to include various virtualization environments would be beneficial. Also, when attempting to enable SSL offloading mode, we faced functionality issues. This feature should be enhanced to ensure seamless SSL offloading, without negatively impacting the core functionalities such as HTTPS and content filtering.
The support team should be faster.
It's expensive.
They could improve by lowering prices. The source package is a bit more expensive than its competitors. We've had some downtime issues. It could be more generalized and user-friendly in terms of its support portal for raising tickets. Ads management should all just be on a single click. Overall Check Point NGFW is highly scalable and provides end-to-end resolution and a wide range of customized productive services with a huge community and team behind it.
The best improvements to be considered are:
* Improvements in the time and attention given to solutions for generated cases.
* Licensing that is more comfortable and affordable. Currently, some prices are very expensive.
* In terms of language in the application, they could better facilitate the handling of others.
Check Point NGFW Firewall requires frequent updates to build more user-friendly dashboards. They need to begin the implementation of more active VPN support. A few services of Check Point NGFW require immediate improvements, like the customer support portal and the ads management on the platform. These services need to be improved to help ensure mass adoption of Check Point NGFW. Check Point NGFW protects from all types of internal and external attacks, and it is easy to use.
Check Point Next Generation Firewall requires frequent updates. They need to build a more user-friendly dashboard and have the implementation of more active VPN support. Apart from this, Check Point Next Generation Firewall customer support service needs to be improved. They need to offer quicker resolution and maintenance during downtime. Check Point Next Generation Firewall protects from all types of internal and external attacks and is a must-have software for professionals and organizations.
One of the problems that must be corrected is the latency that the GUI presents when entering. When the CLI is used, it does not show us all the connections. For beginners of Check Point, the learning curve is quite steep. They should give more material or courses to companies that purchase this product so that they become familiar from the first time they use it. They should also feed more information to the knowledge base and make it more orderly since it is difficult to find didactic material. They must improve the technical support.
The current features have a full set of security models that can protect any organization's information from ransomware attacks. When installed on Windows, the system with low storage space slows down. It is not compatible with all mobile devices and this may be unfair to some users. The next release can be more compatible with Windows and mobile devices for increased efficiency. I have experienced the best environment while working with this platform. All the data across the transactional records is ever secure under Check Point NGFW and I am proud of that great step ahead.
Innovation is one of the most important things they must adhere to. I have liked seeing how innovation evolves and how security teams protect themselves proactively while always being efficient. Hopefully, in the future, these will be much more plug-and-play and orchestrated from a single administration console. Today, I am learning a lot about the cloud. I know that this is one of the solutions that can be placed in any cloud, so we will soon see if it will continue with the virtualization of Web3 equipment.
The study material and training need to be improved and become more accessible to security engineers working with Check Point. There needs to be advanced troubleshooting. The configuration might get a little bit too complex for regular engineers, compared with easy administration. We've encountered a few limitations when trying to accomplish simple tasks required by customers. For example, changing a domain name inside an MDS environment or missing a function in the database which removes the domain object completely from the database. There are plenty of bugs that are not documented, or with too generic error messages.
We have been using CheckPoint NGFW for quite some time now, and the only thing that could be improved is the upgrade procedure and the frequency of the hotfixes we get. We have this deployed in multiple sites globally and managed via the central management server. The upgrade is something we would like to be improved in the future as the frequency of hotfixes is too much, and by the time we finish the one round, we already have the new version released and are required to upgrade. We would like to see some improvement in this area.
The Next Generation Firewall (NGFW) Configuration Guides in XL cluster are very complex and other guides should be reviewed to validate configuration references. They should be updated for new versions. Something worth mentioning is the need for Spanish support and better representation for teams in the Latin American area. There is a growing demand for these IT services and new technologies. Its guides are identical to the existing ones. It would be more pleasing that these guides be updated and improve their design. Give it a try, and it will help you more in these times when users are more remote than local.
This is something that doesn't directly affect us. However, I know VMware is not supported by the platform. Also, it seems that plenty of features you may not know even exist unless you do some extensive, deep digging as they're not coming up in the initial configuration, so you have to go through the documentation to realize their existence. Support is really good, so you may rely on them to learn more about these coded features I'm talking about, also to make the proper calibration for the rules/policies you're applying as they may not turn the results expected from the first config.
There are parts that are still on the SmartDashboard screen and that condemn you to use it, which should be removed and moved to the SmartConsole interface, which is the main screen. In addition, when you want to open the gateway by double-clicking on the interface, sometimes it can cause silly problems such as freezing. To fix these problems, Check Point needs to get rid of the SmartDashboard screen completely. Also, there is a need for performance improvements in the interface so that when the data and rulesets are large, there is a need for performance improvements in the next versions.
The routing rules and some more network settings should be listed on the Check Point Smart Console instead of GAIA Web GUI. It might be a little bit confusing when an administrator remembers the location of the settings. Also, it is hard to manage the settings by always jumping from GAIA Web-based graphical user interface to Java based Smart Console dashboard. Also, Check Point Next Generation Firewall has a very detailed and well-organized CP view on the console on both CLISH and expert (/bin/bash) shells, which gives an administrator a real-time monitoring option on the console.
It would be best if the security management server console access is simpler for ease of management. System administrators find it really difficult for the management settings to incorporate easily. Most administrators nowadays are looking into something that offers easy access to a management console or GUI. I could not think of other areas for improvement. This is the firewall that I liked the most among other vendors in the market. It's by far the best firewall in the security industry.
The network automation and security automation could be better. We need integration with more third-party security solutions. We need two-factor authentication solutions for the virtual private network solution. We need a firewall or NGAV/EDR with lightweight resources that is still powerful for blocking and preventing attacks and malicious activity. We need enhancement for our perimeter for our security zone, especially for network access control with portal authentication.
Pricing for the gateways is too high as compared to the other vendors. Whenever any issue comes up, Check Point support asks to keep the gateway on the latest hotfix and OS, which is difficult to roll out on all the gateways present in the customer environment.
As a small business, IT expenditures are always a tough call and hard sell. With every business connected to the internet these days, firewalls and threat prevention are very important for any business of any size. Check Point's small business devices are a great fit for most any business. However, including some sort of menu or grouping for VOIP would help the small business area that has limited support. Check Point support is very knowledgeable and can also help in this area as they've helped our business evolve as well.
Check Point NGFW could improve by introducing machine learning and more modeling dividing the way they manage the ports. However, they have evolved over the last year.
I would like to see Check Point add more cloud management features and better integration with LAN software-defined networking.
Check Point should improve services related to the cloud-based solution. Due to these challenging times, most organizations seek to move to cloud-based implementation to minimize the cost and for easy deployment, access, and remote support. The Next-Generation Firewall should also be focused on zero-day threats as attacks have improved the past few years. They need to ensure that all connections and nodes are being protected. Sandblast technology is also a good tool as it offers enterprise solutions on malware detection and prevention.
For the migration for Smart-1, I wish the security policy could allow for a migration per gateway. There needs to be more storage space for reporting. The storage is always full if the reporting feature is on. We need HA for Smart-1. The traffic trekking (logs view) needs to be more accurate. Some traffic is often not in the logs view. We'd like to have a more user-friendly menu for importing VPN users. There needs to be more compatibility with SIEM. It would be great if we could join domains with more than one Active Directory server (active-active). There needs to be an easy menu for export backup configuration (the current menu always has an error). The signature information needs more detail. We need to know current update versions and on running versions.
Sometimes there are security bugs, which is frustrating. Right now, we have a problem with DLP and this problem has become very big. Check Point, our firewall, is not handling data properly. There seems to be some sort of security bug.
It's nearly impossible to add an exception for threat prevention services - like antivirus and anti-bot. You will be stuck with Indicators of Compromise marked as detect only, caching issues, and random effects. There is no clear way to report incorrect classification to support and a business is neither happy nor forgiving when they cannot receive mail from a crucial business partner. The KB articles should also be improved as all the global KB articles do not provide all the activity steps related to every issue.
Sometimes the KB article does not include all the steps. There is a chance for improvement in the content of global KB articles. It's nearly impossible to add an exception for threat prevention services - such as antivirus and anti-bot. You will be stuck with Indicators of compromise marked as detecting only, caching issues, and random effects. There is no clear way to report incorrect classification to support. Sometimes we need to find a resolution by ourselves as the solution's knowledge base is not enough.
We are also working on load balancers. We don't have the option to work more with load balancers, we would like to see what else can come out of this in terms of security. Technical support and scalability both require improvement.
I would like to see better Data Leakage protection options and easier-to-understand deployment models for this. I have been working with DLP for a while now and find that other vendors seem to be doing better at this. That said, having to deploy another solution adds other costs. Some error messages could be better and more specific. The days of generic error messages should be over by now to allow faster, better insights into fixes for any traffic-related problems. Some of the sizings of firewalls for deployment seem not exact and require some tweaking based on real-world traffic and connectivity types (for example, PPPoE).
While not being cheap, their pricing models are competitive. In the pricing structure, however, they need improvement. I would love to see an SSL offloading feature that is not there right now. I am following many forums related to Check Point and it seems like they are going to launch it very soon. SSL Offloading will be very helpful for NBFC and for financial institutes. The Check Point NGFW OS is a historically grown OS. It has been on the market for a long time and has many releases. It is a very complex system. All features are done in software - no extra hardware chips are installed.
Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release. The only downside to Check Point is, due to the vast expanse of configurable options, it does become easily overwhelming - especially if you're coming from a small business solution like Draytek. Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software.
Support for customers really needs to improve. Check Point also needs to create a study license that will enable the customer to install a firewall (maybe with reduced connectivity) for a bit longer so that one can simulate scenarios without having to re-install it every 15 days. We had a lot of problems with the VPN blade on the solution. We sometimes have trouble with the performance of the solution. Maybe some performance tuning options could be added in a future release. Check Point needs to create a certification program that involves practical applications.
Product-wise, I have no real complaints. Potential improvements could be made around simplifying VPN functionality and configuration. The main area that the organization can improve is around the lack of local, in-state technical support. Competitor vendors have a strong presence in the Adelaide Market, however, Check Point has always been limited with its commitment to staffing local technical resources. If this focus is made, I could see Check Point returning to the strength that it once had in the Adelaide market.
The anti-spam needs improvement. A weakness with the Check Point solutions is the anti-spam, as they have a partnership with some solutions for anti-spam. They should have their own solution. We have email provided through Office 365 and they have their own way to fight spam and, due to this, we haven't bothered looking into anti-spam options. That said, Check Point is the most adapted to our necessities. I consider the price of this solution high. It is very good, however, the prices are high - it's like buying a car.
In earlier versions, it was a bit hard to do migrations of Multi-Domain Servers/CMAs, nowadays, with +R80.30 it has gotten much easier. I cannot really think of many things to improve. One thing that could be useful is to have a website to analyze CP Infos. This way, it would be much faster to debug problems or check configurations. Another thing not very annoying but enough to comment on is when preparing a bootable USB with the ISOMorphic (Check Point's bootable USB tool), it gives the option to attach a Hotfix. However, this usually causes corrupted ISO installations. One thing to improve is the VSX gateway. It is quite complex to work with VSX and they are quite easy to break if you aren't familiar with them.
Some features, like the VPN, antispam, data loss prevention, etc., are managed in an external console. In the future, I'd like all features in the same console, in one place, where we can see and configure all features. I'd like a web console so that all firewalls can be managed from a web browser and we don't need to be installed on dedicated consoles and applications. I use the web console to manage the Gaia software in the firewall and it would be nice to also have policy management inside the web browser.
One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.
The SmartEvent blade has a huge number of security events/logs. We are trying to find correlation with the help of the SmartEvent blade, however, it may impact the performance of our Check Point management server. It requires additional licenses for Check Point management servers. It should be inbuilt within the management server. With the increase of volume of traffic, the required resource/hardware to properly run goes up. Therefore, the hardware engineering to architecture flow has to be more efficient.
I think the price of this product could be improved - other solutions are cheaper in comparison. In the next release, I would like to be able to perform sandboxing to check email attachments and information sent through the cloud for viruses.
Check Point would do well to add new features such as UEBA (User and Entity Behavior Analytics). They should also improve on the effectiveness of their antivirus. It should be more effective than competitors.
Weaknesses:
CP NGFW can't create redundant IPsec tunnel with other OEM firewalls.
Log size is too high; I believe there is scope for improvement there.
Difficult to migrate a configuration from other OEM firewalls.
And I feel the licensing is over complex - can be simplified.
Changes in the future version: Simplified Licensing, Zone-based policy prep options, more flexibility around IPSEC, Connectivity with other OEM firewalls.
Fix the weaknesses :)
The appliances are quite intuitive and easy to be used. The hotfixes are useful and often released with notifications sent to the client. There have been a few requests/issues about the Identity Awareness feature. The connection to AD, which was a request from the user, required the TAC team's support.
The pricing is on the high end, specifically with the software licensing, although they are flexible on some levels, and offer hardware buyback options when upgrading. The software licensing model is too complicated with all the various tiers of SKUs (i.e. per software blade). They need to simplify this for easier purchasing and renewing. Customer support is not always as responsive with solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.
Overall, this is a great system, and I'm struggling to come up with things that I think should be improved. I have had some issues in the past with the desktop client being slow to come up for logging in, and then slow to respond to screen changes, however, overall, it really hasn't been too bad. For additional features in the next release, I would like to see more change functions available in the new Web GUI version. This is still a new offering from the company, therefore, I can only assume it will get better as customers make suggestions/requests.
The functionality of the S2S VPN service has been temperamental for us at times and is not always simple to manage or check the state of. We find the GUI to be wrong and the CLI doesn't always show all of the connections. From a general usability point of view, if you have not used Check Point before, the learning curve is steep. Perhaps managing and configuring the devices could be streamlined for people with less experience so that they can pick it up quicker. There needs to be extra wizards for the out-of-the-box builds.
One area which is still lacking is the site-to-site VPN solution. This is still an area that could be improved, although the features have gotten much broader and I really have seen an improvement over the last 10 years of working with the product. The separation from encryption domains between the tunnels came recently as a new feature to the product. This really helps a lot. Yet, we are still seeing a lack of compatibility with other devices, even though this is the case with many vendors. Especially with IKEv2, we are struggling with many vendors to set up perfectly running tunnels.
One of the challenges we have had with Check Point during the COVID pandemic is that, for some reason, all our home office workers that connect to a particular FW get disconnected randomly, and then it does not allow them to connect again. One of the ways that we have solved this is by restarting the FW. However, and answering the question, when we open a ticket with Check Point, it has not been able to solve that failure, and on several occasions they ask us to approve that failure when it no longer exists, which doesn't make sense, because they always connect and get the logs from the server and never find anything, and the only thing they suggest is that we install the JHF or do an upgrade, which doesn't make sense either since we are on the R80.40 version. On some occasions we thought it was the hardware or the internet, but we have created reports with the internet and chassis providers (Dell), as it is a virtual platform, but they have not found anything. We currently have 7 Check Point firewalls in a centralized way, and of all of them only one has presented this problem on several occasions. I think that if Check Point would work more on those reports or do something more than just ask for the logs and then say that they did not find anything, they would be more complete and they would not have more competition from the product.
The predefined reports are limited and should provide more information. Check Point should provide a greater number of defined reports and produce reports for each division of the organization. Also, historical statistics cannot be obtained from the central console, the data or logs must be exported to another machine and processed from there to obtain this historical information. The number of available physical ports could be increased and Check Point could add support for higher speeds.
In some features, it is not easy to use the Check Point firewall. The IPSEC VPN setup is not easy to configure. In some cases, if the VPN is not established, it is very hard to troubleshoot the configuration. It does not address the problem well. The upgrading process takes too much time.
The product can be improved with fewer hotfixes, and if more generally available jumbo hotfixes were used. We don't often hit bugs. It's perfectly normal for an NGFW device as other vendors are always fixing bugs too. However, when we hit a bug, the support team recommends some hotfix, and if we upgrade to that, we have to uninstall it before we apply some newer jumbo hotfix. If those fixes were included in a fast manner in the jumbo hotfix (as jumbo hotfixes are tested thoroughly for general availability), it would be ideal.
If you have a long ruleset, you may experience performance issues on the GUI, and installing rule changes on gateways can take a comparatively long time. If you use Check Point firewalls for a long time, it is inevitable to have long rulesets over the years. The need for using different GUI applications for different versions can be confusing. A backward compatibility feature for smart console versions could be useful - especially if you are an enterprise customer, you probably need to use different versions at the same time.
It takes a while to install the rules so that if you make a mistake you can only fix it after a few minutes. There's no problem with traffic processing. Sometimes you are forced to interact on several levels: on the one hand, you put in the rules, and on the other, you put in the route. The predefined reports are few and it would be nice to increase them since the logs are excellent. In my work experience, I have been able to use multiple firewall platforms. There are only two valid ones for me and one of them is definitely Check Point. The others charge less but there is a reason for that. It is a good idea to think carefully before rather than after you suffer from a serious attack.
While the solution is good, we wish to have something that is a bit better, as the threats have evolved over time. We have been using Check Point for more than eight years and are interested in a better solution. We entered a review site which ranks top security firewalls and saw that Palo Alto is ranked number one, followed by Fortinet, with Check Point in the lead. We noticed that Palo Alto was much more expensive than Fortinet, but wished to know which key features differentiated the two. Though we did not take issue with the price of Check Point NGFW, we felt that it was providing us with inadequate support here in Uganda. This is why we decided to switch solutions. I should note that I do not have a technical background and am responsible for procurement. The value we were getting for our money was an issue. I work for a bank for which security is very important, but we were not being assured of the appropriate support. The licensing fees we were paying did not equate with adequate local support. We had already had a bad experience with Check Point, so we did not bother with a quote from it and, instead, got one from several local companies that can support either Palo Alto or Fortinet.
The solution could improve by keeping more up-to-date with technology. For example, if Amazon releases something in the security field, Check Point should have integration or adoption of this feature a bit faster than it is today. Sometimes we can hear a lot of the marketing information about an attractive feature, which we would like to have, but the feature will be released in two years. This timeframe should decrease.
To be very very honest, I do not see any major gap or improvement area for any of Check Point Cybersecurity solutions, whether your enterprise is cloud-based only, on-prem (Private cloud or Legacy infrastructure), or hybrid infrastructure. Check Point's solutions are highly cost-efficient, have low OPEX costs, are very stable, are safe and secure, and help maintain the enterprise's security posture. Check Point's security solutions are a cut above the other vendors, not just today but for the last 30 years. Without having to mention any gaps, Check Point's development team works hard to stay ahead of technology in the cybersecurity space. I feel the only thing that I see as a possible improvement in Check Point software is the lack of ability to create "static discard routes" which makes it difficult for NAT ranges to be advertised via BGP to neighbors. Although Check Point has an alternative of creating a dummy interface to introduce "directly connected" routes for NAT ranges so that they could then be advertised up/downstream, having the ability to do so using "static discards" would be a great thing to have.
I do prefer to manage everything from only one point of entry/one application. Some things can only be configured from the smart console and others from the smart dashboard. This is the only handicap in this solution. It would be ideal to manage everything from one central place. Instead of using a Windows application to manage the equipment, it would be better to use a web app to configure the solution from a browser. I know that it's not as powerful (you can't do everything from there), but then we could manage the solution and troubleshoot from any device. It's faster to see the event logs on a webpage than it is to see them in the smart console.
Check Point solutions have always been more complex to deploy than their competitors. There may be multiple scenarios where we may need to engage support, however, the customer support is very good. There are certain features that are only possible from the command line (e.g. packet captures) and it would be good to integrate everything into the GUI to reduce the learning curve for newer engineers. Finally, it can be a costlier solution - especially for the smaller firewalls as compared to the competition. It would be beneficial to have more training options or documentation as well.
The end-user VPN could be improved. It could benefit from some modification. The VPN timeout feature needs to be improved. When we try to connect to the VPN, it times out before we can even enter our user name and password. If you can't prove you are who you say you are within seven to ten seconds, it just kicks you out.
This solution requires management software that is sold separately; it's actually a different appliance altogether. For smaller customers or smaller environments, this becomes an added entity in the environment. Not to mention, they'll also have to invest a lot in the necessary management stations. If that came built-in, it would really benefit smaller businesses. The performance when you enable decryption could be improved. That's a CPU-intensive task. Many customers struggle if they try to implement decryption — it can really hamper the performance. It's probably something to do with the appliance or the hardware design. This needs to be examined further.
Their technical support can be better. In addition, when we need to use it in a government environment, we face a lot of legal issues related to different types of certifications. It would be better to improve it for these issues. Check Point doesn't have a SOAR system. They work with Siemplify, but it is an integration with another vendor. It would be great if Check Point had an integrated SOAR system.
They have few predefined reports and it would be nice to increase them since the logs are excellent. They should be quicker to release fixes for known vulnerabilities, including those related to Microsoft products. If you make a mistake when creating rules, it is time-consuming to fix them. However, there is no problem with traffic processing. Sometimes you are forced to interact on several different levels. On the one hand, you put the rules in, and on the other, you put in the route.
This firewall is difficult to manage and use when you first begin using it. However, once you are used to it, the interface is comfortable and easy to use. The Smart Control feature is hard to install. In the future, I would like to see more features in the unified security management platform.
The web filtering and CLI commands need to be improved. The CLI command is very difficult to deploy. If you are an engineer and considering configuring through the command line, you can't. The command line is very difficult to use, which is one of the biggest drawbacks of this solution. The initial setup could be simplified. Technical support is another big drawback and needs to be improved. In the next release, there should be improvements made to the sandboxing functionality.
There is scope for improvement in detecting zero-day threats using the SandBlast technology, by introducing emulation of Linux-based operating systems. We have also observed issues while using the products with SSL decryption. There is room for improvement in application-based filtering, as with other firewalls available in the market today. Check Point has improved its application filtering capabilities in the recent past and their latest version, R80, is more capable, but creating an application-based filter policy is still a little cumbersome.
I would like to see the provision of an industry-wide and global benchmark scorecard on leading standards such as ISO 27001, SOX 404, etc., so as to provide assurance to the board, and confidence with the IT team, on where we are and how much to improve and strive for the best. Although Check Point provides annual updates to the Gaia platform, integration with other OEMs is difficult. This integration would be helpful in providing a full security picture across the organization. I am looking forward to the go-ahead of R81 with MITRE framework adoption in the future.
I would like to have an improved secure workspace solution for remote access. I hear that the Apache Guacamole solution has been integrated into R81. The site-to-site VPN options are numerous, but they can get confusing. Interoperability with other vendors is not the strongest when it comes to setting up VPNs. It's totally different from any other VPN vendors I have come across. Improvements are needed in policy backups and reverting to the previous policy. This used to be better in R77.30. Policy installation tends to take a long time when the rule base increases in size, which can become frustrating.
Check Point should include additional management choices; for example, Check Point does not offer full management support via browser. You should use Check Point Smart Console for management, although it is an EXE and is supported only on the MS Windows platform. If you are using Linux or Mac, you cannot manage Check Point. Instead, you need to use a virtual PC with the Windows OS installed, running inside Linux or Mac. Check Point states that this is a decision made for security reasons, but that certain management features can be done through the browser, although not fully.
When first looking into the Check Point offerings, it was fairly confusing trying to determine the differences between the different offerings. Specifically, SMBs versus other models, and which one would work best within my environment for my use case. I think we ended up in a good spot after speaking with a reseller in the area, but it would have been nice to be able to get there independently. The WatchTower app that can be used to access the SMB appliance remotely is a nice touch, but it doesn't allow for many actions to be taken and therefore is relegated to mostly notifications. At that point, it requires me to gain local access to go further. It would be nice to add more features to the WatchTower app to be able to perform certain administrative functions without the need for local access.
The one thing I have been continually asking for is a more robust certification process including self-paced study material similar to Cisco's Security certification track. Not everyone can afford the time and money to attend the official in-person classes offered by Check Point. Even if someone was not interested in fully pursuing a certification, offering certification guides is often a method that IT professionals follow in order to learn about a specific topic and keep for reference. An area that I sometimes find lacking is the information provided by the system when performing troubleshooting issues such as site-to-site VPN tunnels. The logs provide general information regarding what is happening but often, it leaves you wanting additional details. This also ties back into the lack of training and knowledge required to utilize the more advanced features of the command line.
The one area that I would like to see a change in is policy installation. Right now, with a larger user database and a high number of rules, it takes a bit of time for policy installation. There is definitely some improvement in the R80 version; however, I believe that it should not take more than one minute to refresh the database. Also, there is a significant spike in gateway resource utilization during policy installation. The additional blades have an impact on resource utilization, hence there is scope for improvement here too.
This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access. For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.
Source: User machine, Destination: any, Port: HTTPS, Action: allow (for allowing the user's machine access)
This has to be done along with the below policy:
Source: User machine, Destination: Other Zone created on Firewall, Port: HTTPS, Action: block
The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall. The firewall throughput or performance reduces drastically after enabling each module/blade. It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.
There should be better integration with our current NAC solution to increase the granularity of policies that we implement.
The number of physical network ports on the device should be increased to allow for greater capacity. Another point of improvement would be to continue improving the integration line with our current NAC solution in order to exchange more attributes and increase the granularity of the implemented policies.
Check Point products have many places that need to be improved, but they are constantly upgrading.
Using the tool is somewhat complex when teaching new staff, although after practice it is quite easy to get used to this technology. One of the improvements that could be included is to have a help menu to obtain advice or help for the different options that are presented in the application. The equipment is complex, so you need guidance from specialized people or those who constantly work with Check Point. Better forums and information manuals could be provided so that users from different institutions can have more access to the information.
Configurations can be complex in some situations and need experienced engineers for managing the solution. Integration with a third-party authentication mechanism is tricky and needs to be planned well. SmartView monitor can be enhanced to display granular details of gateways with a single click. Also, having the ability to generate alerts from the Smart Monitor would be a nice feature.
Several of the security modules, including IPS, URL Filtering, and Anti-Virus, are based on HTTPS inspection, losing relevant security capabilities if you don't implement it in your network. This means that to be able to take advantage of the full security stack, you're going to have to inspect traffic, break the tunnel, and manage different SSL certificates. Although this is not a limitation of the product itself but of the technology, where other vendors are impacted the same way, it is useful to take this into consideration so that you can adjust the capacity of the systems adequately.
Check Point has both GUI (Graphical Interface) & smart dashboard, but it will be better if it sticks to either one of them. A threat prevention policy needs to be created in a different tab but instead, if those policies could be related to access policy then it will be easier to apply the threat prevention to our relevant traffic. One of the most complicated aspects is the VPN Configuration, which should be simplified in future releases. The monitor tab should have a VPN tab, where we can see the current tunnel status.
There are two major areas that need to be improved. The study material for Check Point needs to be improved, as well as the cost for certification. One of my friends recently completed the certification and it was costlier than other firewall security certificates. The reports are generally good but there is not much control. We would like to have more filters. Essentially, we want more granular reporting.
The antivirus feature is a little bit weak and should be improved. The updates are not as regular when compared to other firewalls, such as Palo Alto. The training materials and certification process should be improved. For example, the certificates are more expensive and there's no good training available on the internet right now.
There are issues with stability in some specific versions. The VPN is a little difficult to configure, and sometimes you need help from Check Point professional services. There are some performance problems with the IPS when the FW is under high load, but in general, it is working better than in previous versions. The routing is configured on the gateway, so you need to remember that for migration purposes. The virtual infrastructure of the central management requires a huge amount of resources to work properly and manage all the logs without problems.