Check Point CloudGuard Network Security Reviews

I use the product to secure the Azure environment. 

The tool's most valuable features are firewalls and IPS. 

There is room for improvement, especially concerning the integration with the management center. It would be beneficial if tasks that currently require scripts could be performed directly from the GUI. 

I have been using the product for a year. 

The product is stable. 

We faced issues with scalability. 

The solution's support is good but can be improved. 

Neutral

The product is too expensive. 

We have moved our security level from on-prem to the cloud. The security posture is consistent. We can use the same storage system, monitoring system, and objects both on-prem and in the cloud. 

I am quite confident with CloudGuard Network Security. The primary reason for choosing the product over other cloud firewall vendors was to maintain the same solution as on-premises. Additionally, it offered a good level of security functionalities. 

I rate the overall product an eight out of ten. You should define your requirements before choosing the product. 

My clients were different small businesses, and they were migrating to the cloud. We've been using it as a general cloud security tool. 

The interface in terms of being able to have access for myself and the client so that we can easily observe and watch what is going on, has really improved the organization. 

We have seen time to value with this solution. We will continue to use more Check Point solutions in the future.

The versatility is the solution's most valuable feature. 

There are some usability issues we'd like to see improved. 

We're going to be switching to XDR and would like integration with XDR. 

I've used the solution for only about a year. 

The solution is good. I'd rate the stability a nine out of ten. 

I'd rate the scalability a nine out of ten. 

The support is good. 

Positive

We did not previously use a different solution. 

I'm involved with the integration and was involved in the setup of specific areas.

The initial setup was alright. I wasn't the architect of the whole thing. In my area, the implementation seemed to be pretty straightforward.

We did not use an integrator, reseller, or consultant for the deployment. 

We do not yet have enough of a baseline to calculate ROI. 

The pricing is fair. It's the client who is paying for it, not me directly. However, they seem satisfied. 

We previously evaluated a few other options. 

The usability is moderate. 

The product has helped us free up some time. It's a complicated situation, however. 

I'd rate the solution an eight out of ten. 

We use a hybrid environment, so we have an on-premise data center and branch offices as well as resources in the cloud. On-premise is secured with different Check Point Gateways while for our security in the cloud we use Check Point Cloud Guard.

Depending on the traffic, we use different Cloud Guard firewalls. External traffic is handled by using a scale-set that can adapt on the fly to increase/decrease the number of firewall instances.

Internal traffic is handled by a normal Cloud Guard HA cluster with a certain amount of cores.

We used the Cloud Guard technology quite early on and used Check Point's Blueprint for our Cloud Datacenter design. By being able to use real firewalls instead of the cloud's own IP tables/inferior IPS we're able to maintain security across the whole environment (on-premise and cloud).

With the possibility to administer the cloud firewalls within the same management as on-premise firewalls, we can use the same objects/networks instead of having two sets of object databases or scripting something to have both of them synched.

Having the whole environment be under the same management is definitely is a plus.

Using a scale set to increase/decrease the amount of firewalls in the cloud helps with saving costs in the long run, as they will only increase if traffic increases and therefore saving us on licensing costs. For a normal Cloud Guard you pay for each core, so using the SS you don't have to fully size and pay for the maximum amount of traffic.

It's possible to sync the Check Point Management with the cloud portal, therefore allowing automated rules to be set in place whenever creating a new VM.

In the first phase, Cloud Guard Firewalls didn't allow minor and major upgrades. Fortunately, now you can install normal hotfixes and minor upgrades (JHF) on the Cloud firewalls. For major upgrades, it's still necessary to destroy the VMs and re-create them again. Doing that would mean new public IPs as well. We created a script for that. I still hope that major upgrades will be possible in the near future too, otherwise, you still have to script a lot for basic maintenance, instead of using tools like CDT.

The product is very scalable due to using the scale-set.

The main usage of the Check Point CloudGuard IaaS within our company is for the protection of our cloud assets. It is deployed on Google Cloud Platform with the help of the Firewall, Application Control, and Intrusion Prevention System software blades. 

In addition, we rely heavily on the GeoIP module to restrict undesired countries from accessing our services, as for now, you can't achieve it with the GCP firewall.

There are about 30 Google Cloud projects of different sizes ranging from 10 to 250 virtual machines, and they are used for development, staging, production, etc. For every project, there is one dedicated scalable instance group of the Check Point CloudGuard IaaS gateways.

While using the Check Point CloudGuard IaaS gateways in the cloud environment, we had almost the same experience as with other Check Point firewall solutions.

The components of the infrastructure are integrated with each other quite well. All the common Check Point Next Generation Firewall blades are supported including Firewall, IPS, Antivirus, VPN, etc. There is not a big difference with the usual on-premises gateway from this perspective. This provided us a smooth experience while moving our load from on-premises data centers to the Google Cloud environments, and increased the adoption and the speed of the migration process.

I find it really useful that CloudGuard supports all the main players on the Public Clouds market including AWS, GCP, and Azure, as well as some exotic ones like Alibaba Cloud, Oracle Cloud, and IBM Cloud. I would say there is about a 95% probability that the platform you are using is supported, and I don't know any other solution for now that can provide the same number. Moreover, it integrates with most of the public cloud management solutions, so you could automate modification of the security policies based on some triggers or changes in your cloud infrastructure.

I also like that different licensing models are supported. For testing/evaluation/PoC projects, you could go with the Pay-as-you-go (PAYG) license without wasting a lot of money in case the solution somehow doesn't suit you. On the other hand, for production, you could use the Bring-your-own-license (BYOL) way, applying the license bought earlier.

As with other solutions of this kind, you still have to manage basic cloud firewalls and routes for VPC outside of CloudGuard IaaS. There's no 100% integration.

I hope that Check Point continues to improve its technical documentation regarding the Check Point CloudGuard IaaS gateway and management system. For example, the questions on how to scale the instances in the relevant cloud should be covered, and all the High Availability options and switchover scenarios. Without that, users have to open numerous consulting cases to the support team to get it right.

We have been using Check Point CloudGuard IaaS for less than a year.

The Check Point CloudGuard IaaS is stable product, and in fact it runs the same code as the hardware Check Point NGFWs, so no issues were encountered there.

The Check Point CloudGuard IaaS scales well for the Google Cloud Platform with the help of the Instance Groups feature.

We have had several support cases opened. Some of the issues were resolved by installing the latest recommended JumoHotfix, whereas some required additional configuration on the OS kernel level.

The longest issue took about one month to be resolved, which we consider too long.

We didn't use such solutions before and had to rely on the built-in firewall rules of the Google Cloud Platform infrastructure.

The setup was straightforward, and the configuration was easy and understandable.

Our deployment was completed by our in-house team. We have a Check Point Certified engineer working in the engineering team.

There is flexibility in the different licensing models that are offered.

For testing/evaluation/PoC projects, you could go with the Pay-as-you-go (PAYG) license without wasting a lot of money in case the solution somehow doesn't suit you. On the other hand, for production, you could use the Bring-your-own-license (BYOL) way, applying the license bought earlier.

This is a flexible approach and we like that.

No, since we decided to have a unified firewalling solution across all the infrastructure, and we already had the Check Point firewalls in the on-premises data centers.

You should fully understand the way CloudGuard would be integrated into your cloud from a networking perspective, and it differs from platform to platform. For example, for Google Cloud, the instances of Cloud Guard must have interfaces in several VPCs as a requirement. Think about the subnetting and routing for your project, then implement a PoC with your networking staff.

We use it to protect Internet access from our AWS environment.

Before we implemented CloudGuard, we had no filtering on what was accessed on the internet from our AWS environment. 

Now, we can filter which websites users can access and block categories that are a risk. For example, we can block social media and gambling sites. This has helped to decrease the risk of access to malicious content on the internet.

It allows us to filter what the servers on AWS can access on the Internet and allows us to filter in terms of IPS, antivirus, and so on, for the contents that are accessed on the Internet.

The complexity to deploy should be decreased. 

I have been using this solution for about five years. 

It is a stable solution. It has been pretty stable for us. We haven't faced any problems since it rolled out. 

I would rate the stability a nine out of ten.

I would rate the scalability a nine out of ten. We have around 200 end users using this solution in our company. 

The customer service and support from the vendor take a lot of time. 

The first line of support is not very good. They usually start with junior engineers when you open a case, which can be time-consuming.

Neutral

I would rate my experience with the initial setup an eight out of ten, where one is easy and ten is difficult to setup. 

For the deployment, we work with the vendor. So, the deployment took two weeks.

We need to provision the firewall, deploy the manager, and understand where the firewall needs to connect, which AWS area, and so on.

We just needed more than two people for the deployment. We worked with the security network security architect and called them engineers.

With ten being very expensive, I would rate the pricing an eight out of ten. 

It is expensive.

It's worth it in the sense that it can protect your network, and it's very scalable.

Overall, I would rate the solution an eight out of ten.

We had a big problem with how to protect our host services, which are directly accessed via the cloud. We wanted to protect our organization tenant and workload from any next-generation attack. For this protection, we implemented the Check Point solution named CloudGuard Network.

This NGFW is provided by Check Point and has all of the capabilities that are required to protect against next-generation attacks at the perimeter level.

The modules or security features that we use are provided as part of the base license. These include VPN, IPS, Application Control, and Content Awareness. Together, these are strong and help to protect the organization.

This solution effectively protects us against any next-generation attack.

The most valuable feature is the centralized dashboard, which is used for managing all of the Check Point Security Gateways.

Whether it is hosted on-premises or on the cloud with the NGTX license, it provides additional security capabilities such as SandBlast, which is able to extract and emulate file execution in a virtual sandbox. It will identify activity and actions, and the system can be configured accordingly.

It provides hyperscaling capabilities for both on-premises and cloud-based security gateways. An on-premises security gateway can be configured for hyperscaling using the Maestro 140 or Maestro 170. In the cloud, on AWS it can be hyper-scaled using the AWS gateway load balancer.

It's able to protect against advanced threats and prevent zero-day attacks using both SandBlast and IPS signatures.

Throughput is impacted drastically once the security modules are enabled on the firewall.

As it is a software-based firewall, there is no dedicated throughput available for each module.

In case the device is inaccessible due to some issue such as CPU or memory, there is no separate port or hardware partition provided for troubleshooting purposes.

Throughput on the virtual firewall is an issue in case the organization wants to migrate a workload to the cloud, and it becomes a bottleneck.

We have been using the Check Point CloudGuard Network for between two and five years.

The combination of NGFW + URL Filtering + Antivirus + Anti Bot, with 8 vCore D4 v2, is able to provide a throughput of 4Gbps.

On Azure, the combination of NGFW + URL Filtering + Anit Virus + Anit Bot, with 8vCore c5n 2xlarge, is able to provide a throughput of 4.7Gbps. It is similar to AWS.

We utilize CloudGuard Network Security for internet surfing and handle inter-sector traffic between VPCs. Specifically, we have over 200 accounts in AWS, each with its own VPC. The solution interconnects all the regions. 

The tool's most valuable feature is its scalability. You will only have to pay less for scaling up. Its notable benefit is deployment complexity. Regional deployment is simpler compared to on-premise setup. 

When upgrading the firewall, the old VPC containing the firewalls needs to be destroyed. After that, a new firewall is redeployed in the setup. Additionally, there's a need to separate the routing, and the routing from the old VPC has to be recreated in the new one.

I have been using the product for two years. 

We had issues with stability. We have an open ticket at the support regarding this. 

CloudGuard Network Security is scalable. 

The tool's support is good. 

Positive

CloudGuard Network Security is not too cheap. 

I don't see any difference in user experience between on-prem and the cloud setup. We have an MDS environment where we can manage the whole country. The tool enables us to manage policies on the same platform for branches and regions in the country. I rate the product an eight out of ten. 

We are integrators and implemented this product for a customer to monitor traffic and secure a network on cloud. This is a threat prevention solution and I'm the enterprise security lead. Our company is based in the Philippines and we are customers of Check Point. 

Deploying this solution has made it easier for our security analysts to monitor the network on cloud. Based on compliance, we can easily give evidence to different auditors or regulators on how to protect our cloud infrastructure. 

Advanced check prevention is a great feature that provides threat intelligence at speed. We can easily identify malicious activity and check for any vulnerabilities. The solution has great functionality and we can see the movement of data. If there's any malicious activity, we can easily stitch or make a story out of that data. I think when it comes to functionality, it's a good monitoring tool. 

The cost is a little high, it doesn't suit every budget. I'd like to see the ability to integrate with other security solutions which is not currently possible. If you need to integrate, you have to buy a Check Point product as well so you're paying for features. 

The solution is stable. 

The solution is scalable and I think they might increase their scope on different virtual, private clouds or private subnets. Monitoring involves anywhere from three to five people. 

When it comes to Check Point support, we just file a ticket on the portal. They respond based on the severity of the problem. They've been very responsive on inquiries and issues that we encountered although we haven't had any major issues.

The initial setup was pretty straightforward. It's like running our VM on cloud, just speeding it up. When it comes to implementation strategy, we need to list all the assets or the traffic VLANs or network segmentation we want to monitor. From there, we assess how many nodes CloudGuard Network Security needs to monitor all those VLANs. It then takes two to three weeks to implement, given the likelihood of some challenges along the way. Deployment is carried out using a mix of Check Point engineers and in-house IT people. 

In terms of security solutions and return on investment, it's really about the total assets you're protecting.

If you're managing a large cloud infrastructure this is an expensive solution. Check Point has different bundles when it comes to CloudGuard and it's a modular system.

Before purchasing it's important to assess the size of your cloud infrastructure. You need to have a concrete plan for which virtual or private network or clouds you have to scope and to do that before deciding which solution you want and what functionality you need. 

I rate this solution eight out of 10 since there has been some improvement with regard to integrations.