Deputy Manager at a retailer with 501-1,000 employees
Real User
Top 5
Dec 2, 2025
I feel that Check Point SandBlast Network could be improved with slight delays in cleaning the file delivery. Additionally, I think it requires proper tuning to avoid unnecessary notifications.
The KB knowledge of Check Point SandBlast Network can be updated, and there are some feature configurations in the knowledge base that can be improved. The knowledge base of Check Point SandBlast Network contains some confusing context, which might be confusing while configuring and designing.
Everything looks perfect with Check Point SandBlast Network. However, sometimes when we enable a feature in our security gateway, the CPU of the device goes high, so that can be improved.
It has some performance overhead, as sandboxing takes time and real-time delivery depends on threat extraction, requiring high performance. This represents a limitation. Additionally, some sophisticated malware may attempt to detect sandboxing. While Check Point uses multiple techniques to minimize this, there are still some limitations. Users need proper training before using this solution. I rated it 9 out of 10 because of the performance overhead and because evasive techniques can detect whether sandboxing is deployed in our organization. Check Point needs to minimize this detection possibility to zero.
Security Engineer at a tech vendor with 51-200 employees
Real User
Top 5
Aug 22, 2025
Check Point SandBlast Network could be improved as sometimes the cost can be limiting even if the feature is very nice, and the UI can be optimized. The customer support for Check Point SandBlast Network could be improved as they are sometimes late with their responses.
Learn what your peers think about Check Point SandBlast Network. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
Principal Cybersecurity Architect at a tech vendor with 10,001+ employees
Real User
Top 10
Apr 28, 2025
Check Point SandBlast Network ( /products/check-point-sandblast-network-reviews ) can be improved by adding more integration capabilities, such as integration with third-party firewalls, third-party EDR solutions, and SIEM ( /categories/security-information-and-event-management-siem ).
Head of IT Department at AS Attīstības finanšu institūcija Altum
Real User
Top 5
Aug 9, 2024
The cost is a little bit high-end, and you need to get precise performance metrics in order to get the correct size. Improvements are required in both areas of the tool.
Check Point offers three types of support: Gold, Platinum, and Diamond. The level of support you receive should be based on the criticality of the issue, not solely on your client's support tier. While there are established support levels, I have experienced instances where the support provided was not categorized as Gold, Platinum, or Diamond but rather a standard support level. In such cases, the response times were slower, and getting support personnel on the call was more difficult.
The configuration could be optimized. The usability could improve. They need to make the guides more specific with images, as it is very complicated to guess where each option is located. The management of alerts could improve them a bit - especially in event management. In terms of performance, at some point, I have come to feel that it drops during certain hours. Some additional features that can be added may be the use of Artificial Intelligence (AI) and Machine Learning (ML).
We have found a need for the application to be a bit more elastic, bringing it to SAS services and not IAS. We need to understand where to find edge analytics in Edge. Right now, it's a bit sparse and not available for some of the products that we have in the services suite. I'd like to see it integrate with more third-party services so that we would have the ability to be an edge service and have high emulation in functionality.
The Check Point SandBlast Network, like any technological tool, must apply some changes. The tool has a high cost and is not accessible to all types of markets. They must also change the type of integration with the cloud in the part of the SIEM that is not necessary to use. In the administrative part, they must improve the database of the guides since they are not all in one place and often are not updated. They must also improve the technical support they provide. Sometimes the response time is not ideal.
Perimeter Security Administrator at a security firm with 51-200 employees
Real User
Top 20
Nov 14, 2022
We do take advantage of the year we get for free from Check Point. In the future, this solution can be added under licensing for consumption per user. Today, we have it as part of a solution or a package. However, we'd like there to be a way where we can have the solution's features available to us in a cheaper way in the future.
We would like to see this solution reach mobile devices more efficiently, through apps or more specific products. For the moment, the solution adapts efficiently to corporate environments as technological demands evolve. It is for this same reason that I hope that these innovations will be integrated into SandBlast and in other Check Point products, as it is one of the best that I have tried. It offers us a competitive advantage and efficient security.
There is a limit on the number of files that can be scanned in real-time, which could lead to us being found with our guard down on a high-traffic day. We knew that from the beginning, so there is more than one device integrated. Not all file types are scanned, so we had to limit the type of files that could be shared. We've detected slower performance in older equipment, sometimes forcing the replacement of it since we can't proactively downgrade the security standards on an endpoint for better performance, knowing this causes a threat to the organization.
When you have to scan emails that come with attachments, it takes a long time to examine them, which causes other emails not to be scanned, which can cause some danger to our organization. Another problem is that some PC with minimum characteristics makes them slow, causing slowness in computers where we have to invest in PCs to increase their performance or change them Another point to improve is the support since they do not give an effective and fast solution to the clients when they have problems with any tool or feature.
We use the infinity portal of Check Point to manage our services through smart cloud to manage our gateway and our SandBlast blade, however, sometimes the service has performance problems which generates some delays in administration. It would be very good for Check Point to improve its support. They can improve a lot in providing more effective and faster solutions and sessions with customers to validate the problems that are usually generated. For the rest, Check Point does not have so many problems to improve.
Deputy Manager of IT Security Infrastructure at Türkiye İş Bankası
User
Oct 5, 2021
EDR and EPM solutions like Carbon Black or CyberArk have integrations with the cloud version of Sandblast, however, there must be on-premise Sandblast options also (due to the fact that there are regulations for cloud usage restrictions in some countries). Also, some of the military standards might force you to not send a whole file to the cloud for examination. The thread extraction part has very good capabilities to remove all executables from a document, and, if the user wants to download the original file, it gives link for it. This page needs more customization options or files could be stored on third-party device and could be shared by a third-party product.
The file types that can be scanned are limited, which means that if the file type is not listed or enabled for the sandbox, they are bypassed and it can lead to a security issue. The maximum number of files that can be scanned by the higher sandbox appliance (TE200X) on-premises is 5K per hour. Hence, a bigger organization needs to have multiple devices along with integration between them. Enabling a module on the same NGFW firewall impacts performance, which adds delay/latency. Encrypted and password-protected files are not getting detected, and are bypassed. Exceptions are for files that have a dictionary-based password. Currently, this solution is supported only for Windows and Linux for Threat Emulation/Extraction.
CTO at a computer software company with 11-50 employees
Real User
May 5, 2021
We have noticed a slight performance hit when the Threat Emulation and Extraction features were enabled, but the protection trade-off is worth it for us. If the performance could be improved in the next release, that would be beneficial. We have had a few instances where the firewall has seemed to stop checking for updates and gets behind on the updates, forcing us to go in and manually check for and install updates. Maybe there is something going on here that could be improved even though it is not specific to the SandBlast feature.
Technology consultant at a tech services company with 501-1,000 employees
Real User
Mar 25, 2021
In Check Point SandBlast, improvement has to be made with respect to the GUI. The problem we face is due to log queue files, which were being delivered with a delay. All details should be provided on the smart dashboard and made easier to use. For example, it should display what file it is currently emulating, how many files are currently in the queue, and how much time each file is taking. There should be an option to flush the queue in case of any issues. Similarly, we should be able to remove particular files from the queue on demand. Also, policy creation can be more simplified or we can say more specific to particular traffic.
In our setup we don't use any SandBlast Physical or Virtual Threat Emulation Appliances, so all the sandboxing is performed on the hardware Check Point NGFWs. The Threat Emulation software blade significantly affects the performance of the NGFWs, we have a significant increase in the CPU and memory consumption. In addition, some of the end-users complain that it takes too long to transfer the files to the servers in the data center since the Threat Emulation adds delays to the transfer used for the emulation. I hope these issues will be fixed in the next release.
I would like if it could emulate bigger files and somehow improve this usability. I don't know if this would be possible. However, if it was able to scan or emulate bigger files, then it would be safer for a company using it.
I think Check Point provides standard time which ideally most other vendors take to identify behaviors of a file by sending them into a sandbox environment for inspection. Apart from policy creation and the number of supported files which is also the same as other vendors in the industry so probably as per me, there is no need to improved other things except if they want to make something different than making sure on-prem devices support almost all type of file inspection so even customers who don't have Check Point firewalls can buy Check Point on-prem device for sandbox technology.
Technology consultant at a tech services company with 501-1,000 employees
Real User
Jul 29, 2020
Firstly, performance in our case daily many emails were queued for scanning & among that 30% emails were getting skipped means delivered without scanning. Some times queue was so large that we need to flush or dump emails. Many Important controls are only available in CLI & very very complicated. All tecli command features should available on GUI so that it will become easy for normal users to monitor & control queue. Threat Emulation device HA Configuration is also CLI based. Monitoring Queues and related operations are very complex as it needs to check on CLI.
Check Point’s evasion-resistant technology maximizes zero-day protection without compromising business productivity. For the first time, businesses can reduce the risk of unknown attacks by implementing a prevent-first approach. Learn More about Check Point Sandblast
I feel that Check Point SandBlast Network could be improved with slight delays in cleaning the file delivery. Additionally, I think it requires proper tuning to avoid unnecessary notifications.
The KB knowledge of Check Point SandBlast Network can be updated, and there are some feature configurations in the knowledge base that can be improved. The knowledge base of Check Point SandBlast Network contains some confusing context, which might be confusing while configuring and designing.
If any file is more than 15 GB, the inspection takes some time, so that can be reduced to make real-time protection much faster.
Everything looks perfect with Check Point SandBlast Network. However, sometimes when we enable a feature in our security gateway, the CPU of the device goes high, so that can be improved.
It has some performance overhead, as sandboxing takes time and real-time delivery depends on threat extraction, requiring high performance. This represents a limitation. Additionally, some sophisticated malware may attempt to detect sandboxing. While Check Point uses multiple techniques to minimize this, there are still some limitations. Users need proper training before using this solution. I rated it 9 out of 10 because of the performance overhead and because evasive techniques can detect whether sandboxing is deployed in our organization. Check Point needs to minimize this detection possibility to zero.
Check Point SandBlast Network could be improved as sometimes the cost can be limiting even if the feature is very nice, and the UI can be optimized. The customer support for Check Point SandBlast Network could be improved as they are sometimes late with their responses.
Check Point SandBlast Network ( /products/check-point-sandblast-network-reviews ) can be improved by adding more integration capabilities, such as integration with third-party firewalls, third-party EDR solutions, and SIEM ( /categories/security-information-and-event-management-siem ).
The cost is a little bit high-end, and you need to get precise performance metrics in order to get the correct size. Improvements are required in both areas of the tool.
Check Point offers three types of support: Gold, Platinum, and Diamond. The level of support you receive should be based on the criticality of the issue, not solely on your client's support tier. While there are established support levels, I have experienced instances where the support provided was not categorized as Gold, Platinum, or Diamond but rather a standard support level. In such cases, the response times were slower, and getting support personnel on the call was more difficult.
The configuration could be optimized. The usability could improve. They need to make the guides more specific with images, as it is very complicated to guess where each option is located. The management of alerts could improve them a bit - especially in event management. In terms of performance, at some point, I have come to feel that it drops during certain hours. Some additional features that can be added may be the use of Artificial Intelligence (AI) and Machine Learning (ML).
There should be some improvement in the solution's stability and scalability.
We have found a need for the application to be a bit more elastic, bringing it to SAS services and not IAS. We need to understand where to find edge analytics in Edge. Right now, it's a bit sparse and not available for some of the products that we have in the services suite. I'd like to see it integrate with more third-party services so that we would have the ability to be an edge service and have high emulation in functionality.
The Check Point SandBlast Network, like any technological tool, must apply some changes. The tool has a high cost and is not accessible to all types of markets. They must also change the type of integration with the cloud in the part of the SIEM that is not necessary to use. In the administrative part, they must improve the database of the guides since they are not all in one place and often are not updated. They must also improve the technical support they provide. Sometimes the response time is not ideal.
We do take advantage of the year we get for free from Check Point. In the future, this solution can be added under licensing for consumption per user. Today, we have it as part of a solution or a package. However, we'd like there to be a way where we can have the solution's features available to us in a cheaper way in the future.
We would like to see this solution reach mobile devices more efficiently, through apps or more specific products. For the moment, the solution adapts efficiently to corporate environments as technological demands evolve. It is for this same reason that I hope that these innovations will be integrated into SandBlast and in other Check Point products, as it is one of the best that I have tried. It offers us a competitive advantage and efficient security.
There is a limit on the number of files that can be scanned in real-time, which could lead to us being found with our guard down on a high-traffic day. We knew that from the beginning, so there is more than one device integrated. Not all file types are scanned, so we had to limit the type of files that could be shared. We've detected slower performance in older equipment, sometimes forcing the replacement of it since we can't proactively downgrade the security standards on an endpoint for better performance, knowing this causes a threat to the organization.
Check Point SandBlast Network can improve the integration with third-party vendors, such as EDR or CRM products. For example, IBM Curator.
When you have to scan emails that come with attachments, it takes a long time to examine them, which causes other emails not to be scanned, which can cause some danger to our organization. Another problem is that some PC with minimum characteristics makes them slow, causing slowness in computers where we have to invest in PCs to increase their performance or change them Another point to improve is the support since they do not give an effective and fast solution to the clients when they have problems with any tool or feature.
We use the infinity portal of Check Point to manage our services through smart cloud to manage our gateway and our SandBlast blade, however, sometimes the service has performance problems which generates some delays in administration. It would be very good for Check Point to improve its support. They can improve a lot in providing more effective and faster solutions and sessions with customers to validate the problems that are usually generated. For the rest, Check Point does not have so many problems to improve.
EDR and EPM solutions like Carbon Black or CyberArk have integrations with the cloud version of Sandblast, however, there must be on-premise Sandblast options also (due to the fact that there are regulations for cloud usage restrictions in some countries). Also, some of the military standards might force you to not send a whole file to the cloud for examination. The thread extraction part has very good capabilities to remove all executables from a document, and, if the user wants to download the original file, it gives link for it. This page needs more customization options or files could be stored on third-party device and could be shared by a third-party product.
The file types that can be scanned are limited, which means that if the file type is not listed or enabled for the sandbox, they are bypassed and it can lead to a security issue. The maximum number of files that can be scanned by the higher sandbox appliance (TE200X) on-premises is 5K per hour. Hence, a bigger organization needs to have multiple devices along with integration between them. Enabling a module on the same NGFW firewall impacts performance, which adds delay/latency. Encrypted and password-protected files are not getting detected, and are bypassed. Exceptions are for files that have a dictionary-based password. Currently, this solution is supported only for Windows and Linux for Threat Emulation/Extraction.
We have noticed a slight performance hit when the Threat Emulation and Extraction features were enabled, but the protection trade-off is worth it for us. If the performance could be improved in the next release, that would be beneficial. We have had a few instances where the firewall has seemed to stop checking for updates and gets behind on the updates, forcing us to go in and manually check for and install updates. Maybe there is something going on here that could be improved even though it is not specific to the SandBlast feature.
In Check Point SandBlast, improvement has to be made with respect to the GUI. The problem we face is due to log queue files, which were being delivered with a delay. All details should be provided on the smart dashboard and made easier to use. For example, it should display what file it is currently emulating, how many files are currently in the queue, and how much time each file is taking. There should be an option to flush the queue in case of any issues. Similarly, we should be able to remove particular files from the queue on demand. Also, policy creation can be more simplified or we can say more specific to particular traffic.
In our setup we don't use any SandBlast Physical or Virtual Threat Emulation Appliances, so all the sandboxing is performed on the hardware Check Point NGFWs. The Threat Emulation software blade significantly affects the performance of the NGFWs, we have a significant increase in the CPU and memory consumption. In addition, some of the end-users complain that it takes too long to transfer the files to the servers in the data center since the Threat Emulation adds delays to the transfer used for the emulation. I hope these issues will be fixed in the next release.
I would like if it could emulate bigger files and somehow improve this usability. I don't know if this would be possible. However, if it was able to scan or emulate bigger files, then it would be safer for a company using it.
I think Check Point provides standard time which ideally most other vendors take to identify behaviors of a file by sending them into a sandbox environment for inspection. Apart from policy creation and the number of supported files which is also the same as other vendors in the industry so probably as per me, there is no need to improved other things except if they want to make something different than making sure on-prem devices support almost all type of file inspection so even customers who don't have Check Point firewalls can buy Check Point on-prem device for sandbox technology.
Firstly, performance in our case daily many emails were queued for scanning & among that 30% emails were getting skipped means delivered without scanning. Some times queue was so large that we need to flush or dump emails. Many Important controls are only available in CLI & very very complicated. All tecli command features should available on GUI so that it will become easy for normal users to monitor & control queue. Threat Emulation device HA Configuration is also CLI based. Monitoring Queues and related operations are very complex as it needs to check on CLI.