What is our primary use case?
We've used Check Point VPN to move from an on-premise Cisco VPN product to a VPN built on the cloud. We decided to use Check Point as it was fully integrated with Microsoft Azure and present on the Azure Marketplace. We deployed this solution on different subscriptions and used the MEP function to reduce users' latency on the VPN. The implementation has not been very easy, and the implementation of MEP has taken months. There were a lot of hotfixes to install, and the CLI configuration on the files had to be done. The configuration, in fact, can't be implemented using a GUI.
How has it helped my organization?
The solution has allowed us to remove the on-premise VPN solution and to remove firewalls from the data center. The solution implemented on the cloud allows us to easily scale in cases of increased users, such as during the pandemic, when all users had been moved to smart working and to a VPN. In fact, in February of 2020, when we closed all of our offices and gave all users the possibility to work from home, we had license and CPU problems on-prem. The Check Point solution offered us an unlimited number of users and that made the solution very scalable.
What is most valuable?
I found the MEP feature the most valuable. This has improved users' latency, allowing the users to connect to the nearest Azure Check Point VM.
The Multiple Entry Point (MEP) is a feature that provides a high availability and load sharing solution for VPN connections. A security gateway on which the VPN module is installed provides a single point of entry to the internal network. It is the security gateway that makes the internal network "available" to remote machines. If a security gateway should become unavailable, the internal network is no longer available as well. An MEP environment has two or more security gateways to both protect and enable access to the same VPN domain, providing peer security gateways with uninterrupted access.
What needs improvement?
The main problem with Check Point is that some configuration can be done with the SmartConsole GUI; however, other settings require connecting to the firewall via the CLI over SSH, and you will therefore need to modify the local file on the firewall with vi.
With ASA, it is so easy to reserve some static IPs based on users; however, in Check Point, it is really difficult to do so. In addition, you can't reserve as static some IP that you are assigned dynamically to a local pool.
You have no ability to reserve a total number of licenses. The VPN user licenses are assigned per gateway, and if you enable the MEP function, it is not so easy to size the gateway licenses.
The configurations that you do to modify local files are not reflected in the GUI via SmartConsole.
For how long have I used the solution?
We have been using this solution since 2020.
What do I think about the stability of the solution?
The solution isn't really stable. Maybe the last versions of R80.40 and R81 were more stable; however, the upgrade (if you have another old version) is really difficult and you have to rebuild the solution (if you are on Azure cloud).
What do I think about the scalability of the solution?
The solution is really scalable. You have to know, however, that if you want to scale the solution you will have to configure and rebuild an SMS server with high CPU/memory resources.
How are customer service and technical support?
Unluckily, the experience with support, especially in India, is really poor. It's best if you open a case using the Israeli team as that one is better.
Which solution did I use previously and why did I switch?
Yes, we were using Cisco ASA on-premises. We switched because we were moving our data center infrastructure onto the cloud.
How was the initial setup?
At first, the implementation was not easy to set up. We found many bugs and we had to install different hotfixes and upgrade the version more than one time.
What about the implementation team?
We implemented the solution via a hybrid approach. Check Point professional service is really good; however, our third-party implementation team was not very good.
What was our ROI?
At the moment, we have not reached the ROI point.
What's my experience with pricing, setup cost, and licensing?
I'd advise users to pay attention to the sizing of the solution. There is not an intermediate number of licenses. It's very easy to go to unlimited user licenses.
Which other solutions did I evaluate?
We have gone with the Check Point solution due to its cheap price. Other options we considered were Palo Alto with Global Protect, Zscaler with ZPA, and Cisco Firepower implemented on Cloud.
What other advice do I have?
I suggest that if you want to implement this Check Point solution you should have good knowledge of the system as well as a system integrator or direct contacts in Check Point. In case of any issue, the support is poor and it's not easy to solve issues using technical support.