Check Point NGFW Review

Enabled us to virtualize multiple firewalls on one machine


What is our primary use case?

We use it for VSX virtualization and we use it for normal firewall functions as well as NAT. And we use it for VPN. We don't use a mobile client, we just use the VPN for mobile users.

How has it helped my organization?

We are able to virtualize about four firewalls on one machine. Before, we needed to have four firewall hardware devices, physical devices, from Cisco. We had four appliances, but now, with Check Point, we just have one. We can manage them, we can integrate them, and we can increase connections using one and the other. It has broken down connection complexities into just a GUI.

Also, previously we had downtime due to memory saturation with our old firewalls. We were using Cisco ASA before. During peak periods, CPU utilization was high. Immediately, when we switched to Check Point, that was the first thing we started monitoring. What is the CPU utilization on the device? We observed that CPU utilization stayed around 30 percent, as compared to 70 percent with the Cisco we had before, although it was an old-generation Cisco. Now, at worst, CPU utilization goes to 35 percent. That gives us confidence in the device. 

In addition, the way Check Point built their solution, there is a Management Server that you do your administration on. You have the main security gateway, so it's like they broke them down into two devices. Previously, on the Cisco, everything was in one box: both the management and the gateway were in one box. With Check Point breaking it into two boxes, if there's a failure point, you know it's either in the management or the security gateway. The management is segmented from the main security gateway. If the security gateway is not functioning properly, we know that we have to isolate the security gateway and find out what the problem is. Or if the management is not coming up or is not sending the rules to the security gateway, we know there's something wrong with it so we isolate it and treat it differently. Just that ability to break them down into different parts, isolating them and isolating problems, is a really nice concept.

And with the security gateway there are two devices, so there's also a failover.

What is most valuable?

  • The most valuable feature for us is the VSX, the virtualization.
  • The GUI is also better than what we had previously.
  • The third feature is basic IP rules, which are more straightforward.
  • And let's not forget the VPN.

The way we use the VPN is usually for partners to connect with. We want a secure connection between our bank and other enterprises so we use the VPN for them. Also, when we want to secure a connection to our staff workstations, when employees want to work from home, we use a VPN. That has been a very crucial feature because of COVID-19. A lot of our people needed to work remotely.

What needs improvement?

The VPN part was actually one of the most complex parts for us. It was not easy for us to switch from Cisco, because of one particular part of the integration: connecting the Check Point device to an Entrust server. Entrust is a solution that provides two-factor authentication. We got around it by using another server, a solution called RADIUS.

It was very difficult to integrate the VPN. Until now, we still don't know why it didn't work. With our previous environment, Cisco, it worked seamlessly. We could connect an Active Directory server to a two-factor authentication server, and that to the firewall. But when we came onboard with Check Point, the point-of-sale said it's possible for you to use what you have on your old infrastructure. We tried with the same configurations, and we even invited the vendor that provided the stuff for us, but we were not able to go about it. At the end of day they had to use a different two-FA solution. I don't if Check Point has a limitation in connecting with other two-FAs. Maybe it only connects with Microsoft two-FA or Google two-FA or some proprietary two-FA. They could work on this issue to make it easier.

Apart from that, we are coming from something that was not so good to something that is much better.

For how long have I used the solution?

I have been using the Check Point Next Generation Firewall for 10 months.

What do I think about the stability of the solution?

The stability of Check Point's firewall, for what we use it for now, is pretty good. Especially, with the licensing of blades and the way they script it down into different managers. You have a part that manages blades, you have the part that manages NAT, and you have the part that manages identity. The VSX is another one on its own. So it is very stable for us.

When we add more load to it, when we go full-blown with what we want to use the device for, that will be a really good test of strength for the device. But for now the stability is top-notch.

What do I think about the scalability of the solution?

They scale well.

All information passes through the firewall. We have about 8,000-plus users, including communicating with third-party or the networks of other enterprises that we do business with.

How are customer service and technical support?

We've not used technical support. We asked our questions of the vendor that deployed and he was quite free and open in providing solutions. Anytime we call him we can ask. He was like our own local support.

There is also a Check Point community, although we've not really been active there, but you can go and ask questions there too, apart from support.

How was the initial setup?

The initial setup was pretty straightforward.

It took a while about a month, but it was not because of the complexity. It was because we gave them what we already have on the ground. We were on Cisco before and they had to come up with a replica of the configurations for Check Point. When they got back to us we had to make some corrections, and there was some back-and-forth before everything finally stabilized.

Four our day-to-day administrative work, we have about four people involved.

What about the implementation team?

We used a Check Point partner for the installation. I was involved in the deployment, meaning that while they were deploying I was there. They even took us through some training.

What was our ROI?

We have surely seen ROI compared to the other vendors I mentioned, in terms of costs. And we tested all the firewall features to see if it is doing what it says can do. And so far so good, it's excellent. It's a good return.

What's my experience with pricing, setup cost, and licensing?

Check Point offers good solutions, but it won't kill your budget.

Going into Next-Generation firewalls, you should know what the different blades are for, and when you want to buy a solution, know what you want to use that solution for. If it's for your normal IP rule set, for identity awareness, content awareness, for VPN, or for NAT, know the blades you want. Every solution or every feature of the firewall has license blades. If you want to activate a feature to see how that feature handles the kind of work you give, and it handles it pretty well, you can then move to other features.

Which other solutions did I evaluate?

We evaluated Palo Alto, Fortinet FortiGate, and Cisco FirePOWER.

Check Point was new to the market so we had to ask questions among other users. "How is this solution? Is it fine?" We got some top users, some top enterprises, that said, "Yes, we've been using it for a while and it's not bad. It's actually great." So we said, "Okay, let's go ahead."

What other advice do I have?

I would recommend going into Check Point solutions. Although Check Point has the option of implementing your firewall on a server, I would advise implementing it on a perimeter device because servers have latency. So deploy it on a dedicated device. Carry out a survey to find out if the device can handle the kind of workload you need to put through it.

Also, make it a redundant solution, apart from the Management Server, which can be just one device. Although I should note that up until now, we have not had anything like that.

Which version of this solution are you currently using?

R80.30
**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More Check Point NGFW reviews from users
Learn what your peers think about Check Point NGFW. Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
534,299 professionals have used our research since 2012.
Add a Comment
ITCS user
Guest