What is our primary use case?
Our company works in the area of developing and delivering online gambling platforms. The Check Point Next-Generation Firewalls are the core security solution we use for the protection of our DataCenter environment located in Asia (Taiwan). The environment has about 50 physical servers as virtualization hosts, and we have two HA Clusters consisting of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. The Application Control software blade is one of the numerous blades activated on the NGFWs and serves to improve security through application detection, categorization, and filtration.
How has it helped my organization?
The overall security of the environment has been greatly improved by the Check Point NGFWs. Before implementing the Check Point solutions, we relied on the Cisco ACLs and Zone-Based firewalls configured on the switches and routers, which are in fact simple stateful firewalls, and currently do not appear to be an efficient solution for protecting against advanced threats. The Check Point Application Control blade significantly increased the security level from the standpoint of application visibility and filtration. The blade was easy to enable and configure, and we don't see any performance penalty after activating it.
What is most valuable?
1. The built-in database of the applications, software and the protocols is just amazing - there are more than 8 thousand available just after the blade application. In comparison, the Cisco Network-Based Application Recognition (NBAR) available on the routers provides like 200 applications.
2. The applications are categorized into groups based on their purpose, like messengers, databases, games, etc., and such group objects may be directly used in the Security Policies for the NGFWs.
3. It is really simple to add new custom application definitions and groups if you need to (we use this option for our own developed software on non-standard ports).
4. The visibility is just great. For any security event of the Application Control blade there is a relevant log entry with all the application details (but don't forget to enable logging for the security rule in the Policy).
What needs improvement?
I think that the pricing for the Check Point products should be reconsidered - we found it to be quite expensive to purchase and to maintain (the licenses and the support services need to be prolonged regularly) - or some additional bundles of the software blades should be created with significant discounts, in addition to the current Next Generation Threat Prevention & SandBlast (NGTX) and Next Generation Threat Prevention (NGTP) offers.
We also had several support cases opened for software issues, but none of them were connected with the Application Control blade.
For how long have I used the solution?
We have been using the Check Point Application Control for about three years, starting in late 2017.
What do I think about the stability of the solution?
The Application Control software blade is stable.
What do I think about the scalability of the solution?
The Application Control software blade scales well with the gateways we use, since it doesn't affect the overall performance much after activation.
How are customer service and technical support?
We have had several support cases opened, but none of them were connected with the Application Control software blade. Some of the issues were resolved by installing the latest recommended JumboHotfix, some required additional configuration at the OS kernel level. The longest issue took about one month to be resolved, which we consider too long.
Which solution did I use previously and why did I switch?
We used the ACLs and Zone-Based firewalls with NBAR on the Cisco switches and routers, and found that this approach doesn't provide sufficient security protection against modern advanced threats.
How was the initial setup?
The setup was straightforward. The configuration was easy and understandable - we relied heavily on the built-in objects and groups.
What about the implementation team?
In-house team - we have a Check Point Certified engineer working in the engineering team.
What's my experience with pricing, setup cost, and licensing?
Choosing the correct set of licenses is essential - without the additional software blade licenses purchased, the Check Point gateways are just stateful firewalls.
Which other solutions did I evaluate?
We didn't evaluate other vendors or solutions.
Which deployment model are you using for this solution?