What is our primary use case?
The main usage of the Check Point CloudGuard IaaS within our company is for the protection of our cloud assets. It is deployed on Google Cloud Platform with the help of the Firewall, Application Control, and Intrusion Prevention System software blades.
In addition, we rely heavily on the GeoIP module to restrict undesired countries from accessing our services, as for now, you can't achieve it with the GCP firewall.
There are about 30 Google Cloud projects of different sizes ranging from 10 to 250 virtual machines, and they are used for development, staging, production, etc. For every project, there is one dedicated scalable instance group of the Check Point CloudGuard IaaS gateways.
How has it helped my organization?
While using the Check Point CloudGuard IaaS gateways in the cloud environment, we had almost the same experience as with other Check Point firewall solutions.
The components of the infrastructure are integrated with each other quite well. All the common Check Point Next Generation Firewall blades are supported, including Firewall, IPS, Antivirus, VPN, etc. There is not a big difference with the usual on-premises gateway from this perspective. This provided us with a smooth experience while moving our load from on-premises data centers to the Google Cloud environments, and increased the adoption and the speed of the migration process.
What is most valuable?
I find it really useful that CloudGuard supports all the main players on the Public Clouds market including AWS, GCP, and Azure, as well as some exotic ones like Alibaba Cloud, Oracle Cloud, and IBM Cloud. I would say there is about a 95% probability that the platform you are using is supported, and I don't know any other solution for now that can provide the same number. Moreover, it integrates with most of the public cloud management solutions, so you could automate modification of the security policies based on some triggers or changes in your cloud infrastructure.
I also like that different licensing models are supported. For testing/evaluation/PoC projects, you could go with the Pay-as-you-go (PAYG) license without wasting a lot of money in case the solution somehow doesn't suit you. On the other hand, for production, you could use the Bring-your-own-license (BYOL) way, applying the license bought earlier.
What needs improvement?
As with other solutions of this kind, you still have to manage basic cloud firewalls and routes for VPC outside of CloudGuard IaaS. There's no 100% integration.
I hope that Check Point continues to improve its technical documentation regarding the Check Point CloudGuard IaaS gateway and management system. For example, the questions on how to scale the instances in the relevant cloud should be covered, and all the High Availability options and switchover scenarios. Without that, users have to open numerous consulting cases to the support team to get it right.
For how long have I used the solution?
We have been using Check Point CloudGuard IaaS for less than a year.
What do I think about the stability of the solution?
The Check Point CloudGuard IaaS is a stable product, and in fact it runs the same code as the hardware Check Point NGFWs, so no issues were encountered there.
What do I think about the scalability of the solution?
The Check Point CloudGuard IaaS scales well for the Google Cloud Platform with the help of the Instance Groups feature.
How are customer service and technical support?
We have had several support cases opened. Some of the issues were resolved by installing the latest recommended Jumbo Hotfix, whereas some required additional configuration on the OS kernel level.
The longest issue took about one month to be resolved, which we consider too long.
Which solution did I use previously and why did I switch?
We didn't use such solutions before and had to rely on the built-in firewall rules of the Google Cloud Platform infrastructure.
How was the initial setup?
The setup was straightforward, and the configuration was easy and understandable.
What about the implementation team?
Our deployment was completed by our in-house team. We have a Check Point Certified engineer working in the engineering team.
What's my experience with pricing, setup cost, and licensing?
There is flexibility in the different licensing models that are offered.
For testing/evaluation/PoC projects, you could go with the Pay-as-you-go (PAYG) license without wasting a lot of money in case the solution somehow doesn't suit you. On the other hand, for production, you could use the Bring-your-own-license (BYOL) way, applying the license bought earlier.
This is a flexible approach and we like that.
Which other solutions did I evaluate?
No, since we decided to have a unified firewalling solution across all the infrastructure, and we already had the Check Point firewalls in the on-premises data centers.
What other advice do I have?
You should fully understand the way CloudGuard would be integrated into your cloud from a networking perspective, and it differs from platform to platform. For example, for Google Cloud, the instances of CloudGuard must have interfaces in several VPCs as a requirement. Think about the subnetting and routing for your project, then implement a PoC with your networking staff.