Check Point Next Generation Firewall Review
I faced stability issues, both reboots and tunnels needing to be bounced, frequently


Primary Use Case

We leverage it as a next gen firewall, it does all of our IPS, URL filtering. We use it for our remote users, for VPN access. We use it to build VPN tunnels out to remote sites. It handles quite a bit.

Improvements to My Organization

It allows us to be a little bit more diverse in our hiring. We can hire people out in remote areas, that otherwise we wouldn't be able to because they'd have to come into the office without it.

Valuable Features

The VPN side of it. Obviously without the VPN, we'd have tons of end users that wouldn't be able to connect to our environment.

Room for Improvement

Stability issues. I built out this firewall in a cluster, and I had stability issues day one. Needs to be rebooted frequently. Tunnels need to be bounced frequently. Their hardware compatibility guide, when I built out the servers to host them on, was not accurate. And there are compatibility issues and stability issues.

Use of Solution

One to three years.

Stability Issues

We would lose our remote sites, they would just dump. Say we had our site in California, all of a sudden we're not connected to them anymore. Or we have site in AWS, then we can't connect there anymore. So I'd have to go in and reset the IPSec VPN tunnels, in order to regain connectivity, more frequently than I should have to. Obviously that can happen from time to time, but it was pretty frequent with Check Point, to the point where we're going to rip it out the next two weeks, and install Cisco everything.

Scalability Issues

As far as scalability goes, I don't feel we really had to push it. We're not a huge company. It was literally always resolved with a license upgrade. If there were too many users connected, we would just upgrade a license and then have more users connected concurrently. So scalability, not an issue. But we sized it pretty appropriately when we installed.

Customer Service and Technical Support

We had third-party tech support through our contract, and it was okay. I pretty much ended up having to figure everything out if there was a problem. As far as Check Point goes, I haven't really dealt directly with their tech support.

Previous Solutions

When I started at the company, this solution had been in place, and it was failing, the cluster was failing. So I was tasked with rebuilding the entire solution, to make it a little bit more stable. I bought two brand new servers, and spun up a cluster for Check Point. And it improved a little bit, but for what we paid for that solution, it was not really worth it. Because of stability. 

We have migrated some stuff over to Cisco ASA Firewalls. And those seems to be more stable. A lot easier to use, more stable, faster to get going.

Initial Setup

I thought it was pretty straightforward, myself. The issue that I ran into, on their website, when you go to install a solution they have something called the hardware compatibility list. That assures you that if you install their product, you also have the right servers to do it, you have the right NICs card, etc. So I actually bought brand new servers with brand new NIC cards that matched all the specs for the hardware compatibility list. I started getting everything setup, and it turns out the hardware compatibility list was wrong. It was wrought with issues. And I ended up having to pull some old NIC cards to throw in the servers to even get the thing to work.

So they don't have accurate documentation, I guess you could chalk it up to that. Or they didn't test it very thoroughly before they put it on the website. So that caused us a lot of heartache. This was a business-impacting setup. I had to do late-night maintenance windows, so when things don't work, it affects us at a pretty big level.

Pricing, License Cost and Setup

I don't think the product's pricing is a good value. I feel it's very overpriced. 

I feel a lot of the features for a next gen firewall are there. But I feel it's overpriced, because of the stability issues. As far as support goes, I really can't speak to direct Check Point support, but the third-party was pretty terrible. 

I feel you'd get a lot more out of it with Cisco. With Cisco you'd pay about the same. I feel the licensing is a lot more straightforward. It's easier to understand. 

That's another thing about Check Point, I think their licensing model is very confusing. As far as the licensing goes, it's pretty complex. If anybody was to purchase the Check Point product, definitely make sure they have an account rep come on site, and explain it line by line, what each thing is. It's not straightforward. It's very convoluted. There's no way you could just figure it out by looking at it.

Other Solutions Considered

We're halfway there right now, with the Cisco Firewalls we're switching to. They're very capable, they work like you'd expect, simple licensing, simple upgrades. It's been a breeze with those so far. 

Other Advice

I would say avoid it. There are definitely better solutions out there. For the amount of headache that you get with this product, it's not like you're saving yourself any money. It's just as much, if not more, than other solutions.

When it works, it works well. But, like I said, I've never really had a stretch of time where it just worked really well for everyone. It's been a constant pain point for our organization.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

1 Comment

Dan HuangUser

I know how you feel, we have about 500 of CP FWs. Endless issues and endless pain. Their support is the worse ever, might as well fix the issue or apply work around yourself.
We have many nick names for CheckPoint, such as CheckBug, CheckFail, ChockPoint, CheckLeak and so on... Our pain is almost over, because our 5 years license is coming to an end!

Like (0)28 June 18
Guest
Why do you like it?

Sign Up with Email