What is our primary use case?
In my previous company, one of the clients was a big chocolate company. They had this payment card infrastructure (PCI), where they needed to have auditors from PCI check the firewalls to see if everything was okay. So, they had web-based authentication.
I'm working with the 5800, 5600, and 5200 models. I work with the UTMs as well. These are physical appliances as well as open servers.
How has it helped my organization?
It helped clients get through big audits for PCI, which has been very cost-effective for them. In one hour, they make 30,000 to 40,000 pounds worth of sales. A PCI audit has actually threatened them, "If you don't do it by this date, you will have to stop taking payments." Even if the audit is delayed about an one hour or so, they'll have thousands of pounds worth of losses. The previous company may have spent a lot of money on Check Point, but they save a lot as well. So, they were quite happy with that.
What is most valuable?
The most valuable feature is definitely the logs. The way you can search the logs and have the granularity from the filter. It's just very nice.
I love the interface of R.80.30. The R.80 interface is very nicely thought out with everything in one place, which makes Check Point easier to use. When I started in 2014, I was just confused with how many interfaces I had to go on to find things. While there are quite a few interfaces still in the older smart dashboard versions, most things are consolidated now.
What needs improvement?
The naming in the inline layers and ordered layers needs improvement. It makes things very complicated. I've seen quite a lot of people saying that. For audit policies, it is okay since it's very simple to see. However, this area is for very large organizations, which have too many policies, and they need to share all these policies. For small to medium-sized businesses, they don't need it. Even if somebody has 500 rules, if they try to use it, it can be very confusing.
In R77.30, the only thing which I hated was having to go into each day's log file and search for that day. However, in R.80, we have a unified platform, so you can just filter out with the date, then it will give you the log for that date and time.
I would like Check Point to have certification similar to what Cisco offers. Check Point's certification doesn't cover a lot of things. For example, Check Point Certified Security Expert (CCSE) should be actually included with the Check Point Security Administration (CCSA), as a lot of people just go for the CCSA and get stuck when it comes to a lot of things on Check Point.
Biggest lesson learnt: Never assume. We had issues when we enabled DHCP server on one of the firewalls. We tried to exclude some IP addresses so the rest would be allocated, but that didn't work. We had to start from the beginning to include the rest of the IP addresses.
For how long have I used the solution?
What do I think about the stability of the solution?
It is very stable.
The headache with these firewalls is when they failover. The client will ask us why. We have a separate service desk and Tier 2 guys who monitor these firewalls. But, in these cases, they can't tell why, because you have to deep dive. The reason was unclear on R77.30, so I had to find it in the logs. However, in R.80, it's quite clear. We will just use a cphaprob stat to tell us the failover reason for the last time.
Sometimes, it is very difficult to find something in Check Point Firewalls when you are stuck. Therefore, you need to know exactly what you are doing.
What do I think about the scalability of the solution?
They do scale well as long as a company is not scaling rapidly. This is the reason we have a CPSizeMe tool. With normal growth, they will easily go for five to 10 years. Normal growth means setting up a few offices, not doing big mergers.
We have about four to five Check Point users out of 20 network engineers.
In my new job, we have 80 clients in user center.
How are customer service and technical support?
I would rate the support as a three out of 10. It seems like they are all Tier 2 guys. If there is a problem, you search everything and read all the articles, then you contact their support center who forward you to the same articles. It is very difficult to work with their support guys, unless you work with the guys in Israel.
From my last job, I had a web UI issue on one of my firewalls. It's been a year now, and it's not been resolved. Although it's been to the Israel as well, It's still been delayed. We couldn't live with the issue, so we decided we would buy a new open server, as the previous open server was quite old, then we did a fresh install of R.30 on it.
if you buy the appliances or licenses through partners, they will try to resolve your issue or talk in a way that makes sense.
Which solution did I use previously and why did I switch?
My previous company used to have Junipers that used to send all the credentials via HTTP. Because all Juniper SRXs didn't do that, since they were quite old (version 570), they had to buy new firewalls. I tried to do it, but I couldn't do it on the Junipers, especially since they were out of support and nobody would help me from Juniper.
I told my previous company, "Check Point would be the best solution for them. In the long run, while you might have a lot of issues with auditors, we will actually be able to combat this using Check Point firewalls if you get the proper licensing." Then, we did web bots on Check Points.
About five years later, an auditor said that we needed to do a RADIUS Authentication, not a clear text password nor the Check Point local password. So, we implemented that as well. This was a bit tricky because they didn't want the local guys to have RADIUS Authentication, but anybody coming from the outside would have to go through RADIUS. This was a bit tricky with Check Point because I had to involve Check Point support in the process as well, but we were able to do it. This was one of the client use cases.
How was the initial setup?
The initial setup was straightforward. I told one of my colleagues in my last job, "Just follow the prompts and you should be able to install it. It is a very simple, basic thing. Just do it as a gateway, then that's it. You are done".
Before, on R77.30, there were cluster IDs and people needed to know what they were doing. In the R80 cluster, the cluster ID is gone, so it is very straightforward and you don't have to be an expert to install it.
A new installation on the VMs (about a week ago) took me around 20 minutes or less. This was a lot faster than I imagined, and I've created quite a lot of resources to their management and Gateway as well.
What was our ROI?
If the firewalls go down, then the employees' car payments would stop. This would be a disaster.
What's my experience with pricing, setup cost, and licensing?
There are three types of licensing: Threat Prevention, NGTP, and Next Generation Threat Extraction. Before, it used to be you would just enable the license of whatever blade you wanted to buy. Nowadays, Threat Prevention would be sufficient for most clients, so I would think people would go for the NGTP, license which includes all the blades.
Which other solutions did I evaluate?
All sorts of councils in London use the solution. In my new job, there are quite a lot of councils and schools as well. They need to know the web traffic from their users, e.g., what they are searching and looking for and where they are going. Therefore, its application and URL filtering comes in quite handy. I've seen the application and URL filtering on Palo Alto, and it is a pain to get those details from it and create a report for users. Whereas, the user report is very easy to get with Check Point.
I have not seen another firewall offer the same level of logs that Check Point offers. I have worked on ASA and Juniper SRX. While they are a bit similar, they are not exactly what Check Point has to offer.
What other advice do I have?
This is not day-to-day firewall work, where maybe a node can do it. If you get into a trouble, you can't actually involve Check Point support all the time, especially when you won't get a response. You need to employ people who are certified. Check Point has a lot to sink in, and it's not an easy thing. You might just expose your environment, even after spending a lot of money.
It is future-proof. I would rate this solution as a nine out of 10.