Check Point CloudGuard Network Security Reviews

For the Azure platform, especially Azure endpoint protections and other network aspects, we utilize CloudGuard Network Security to secure the egress connection. This includes configuring and maintaining express route connectivity between on-premises and Azure.

The Identity Awareness blade and dynamic tagging in Azure are valuable because they make access management automatic. Instead of manually setting up access for each new resource, it happens automatically based on the same access policy. This dynamic setup is scalable. 

The tool is cloud-based and scalable. As our resources scale up or down, the system automatically adapts. This reduces the need for manual work, allowing us to manage the entire cloud infrastructure with a smaller workforce. It helps with automation. 

Regarding CloudGuard Network Security's integration with various resources like application gateways and application-based security groups, there's room for exploring dynamic access in those areas. A significant concern is the upgrade process. Unlike an in-place upgrade, upgrading the tool in Azure requires deploying a new resource, which can be hectic and less reliable. We have to spend something new to have the tool's latest version. 

I have been using the product for four years. 

Stability is generally good, and I don't have many complaints due to its scalability. When there are hardware issues, it automatically sets up a new, healthy instance. Overall, it contributes to a stable environment for us.

The solution's scalability is excellent, but we do encounter some restrictions with the API on the cloud platform. This occasionally causes issues with the frequent pulling up of new resources.

Our deployment model involves VM scale sets. We have set up instances across three environments: production, staging, and development. This structure allows for easy testing in the development environment before moving on to the production environment. We utilize Check Point's professional services to integrate, deploy, and build a cloud platform for CloudGuard Network Security.

We have seen a return on investment from CloudGuard Network Security. As more workloads shift from on-premises to the product, the costs associated with on-premises infrastructure decrease. Additionally, its dynamic and scalable nature in Azure allows us to maintain control. 

The solution's licensing is based on the number of users of the VMs. We follow a pay-as-you-go model. Its pricing is competitive. 

CloudGuard Network Security can manage security for both our hybrid cloud and on-premises systems. Currently, we have separate solutions for on-premises and the cloud. We also use Smart-1 Cloud from the Infinity portal. We haven't integrated the tool with both Azure and on-prem environments. 

I have about an eight out of ten confidence level in our cloud network security with the product. It is because of Azurre's robust and dynamic nature. It is easy to incorporate anything new that comes up. We can integrate any new steps in Azure concerning the blades, CloudGuard Network Security, and Check Point. 

Cloud-native firewalls lack functionalities such as IPS, which are exclusive to products like Check Point or other vendor-specific solutions. This is why we opted for CloudGuard Network Security as an additional layer, complementing the limitations of Azure's native or any cloud-native firewalls.

We are already using Check Point for our on-prem environment. The cloud solution was easy to integrate with our existing infrastructure. 

I rate the overall product a six out of ten. Due to certain limitations in the integration between Azure and CloudGuard Network Security, I currently rate the experience as a six. However, I'm hopeful that Check Point is working on its new release. 

Our need was to be able to provide centralized security governance and control of our "Microsoft Azure" public cloud environment as well as wanting all of the new security checkpoint capabilities that are included in this solution.

With checkpoint Cloud Guard Network security we have been able to provide our infrastructure with many improvements and good practices in network architecture, automatic deployments and alerts to ensure that our infrastructure is without vulnerabilities and with all the best practices.

Checkpoint CloudGuard Network security is a network enhancement capability of our public cloud, which has given us recommendations, implementations in new subscriptions to avoid many of the most modern vulnerabilities in an infrastructure.

In addition to the fact that this solution brings us closer to having a better security score, which helps us a lot in complying with information regulations based on security.

It also provides a fairly complete and easy to use dashboard environment that has helped us a lot with the administration of the security department.

We really liked almost everything about checkpoint CloudGuard network security, for example the ease of managing this service through the checkpoint infinity portal is a great relief, it is accessible from anywhere, MFA can be enabled to provide security in the administrative identity to avoid problems of loss of credentials.

In addition, this tool is complemented by the other checkpoint cloud security features, making it a very robust tool.

Also its reports, its recommendations and its automatic applications for architectures with the best practices provide the help that is required to improve an existing subscription or to start one with all the best practices.

Points of improvement for checkpoint cloudguard network security would be partly the cost, which is currently quite expensive.

The documentation to be able to implement the multicloud or link it with Azure is difficult to do or it is not always as indicated, for this you must ask support or the partner for help.

The support for all the checkpoint functions is not the best, since it provides too slow a response to inconveniences, or the support service hours are not the same as in Latin America, which generates latency in the contact between the client and support.

This is an excellent Check Point cloud tool, we have been using it since the beginning of 2022. It is a really good tool for cloud environments.

We evaluated using the Microsoft Defender for Cloud tool for a while, however we needed to centralize our security environment and not have portals for different sites.

My recommendation is to try to always look for the best practices of implementation and administration of the product.

In addition to correctly validating the costs before purchasing.

Of course, we always make evaluations of existing tools, we verify Microsoft Defender for Cloud, we also carry out research with Fortinet solutions, however we wanted Checkpoint for all the improvements, virtues and prestige.

This is an expensive but recommended tool, it is very good for cloud environments.

We use it for security in public cloud implementations, specifically in AWS and Azure. 

For my customer's organization, it's important because they can work with the same kind of solution. They don't need many different solutions in many different use cases. And then they have better management of the solution in general.

CloudGuard Network Security provides unified security management across hybrid clouds as well as on-prem. It's very important because when I have unified security, I have better control of the situation. 

If there's an attack or something like that, we can react faster. It's easier for everyone in the organization to work with the Infinity platform.  

The integration in the Infinity portal. It's very important for someone to consider the solution if you need to work through a purchase partner. Because they can manage the entire solution consistently with the on-premise Quantum solution and the cloud solution in Azure or AWS without that integration, it's valuable.  

It needs to cover additional kinds of infrastructure, like containers and serverless options. It's somewhat limited in that area.

I have been using it for six months. 

It is a stable product. I haven't heard any problems or complaints from my customers. 

It's quite scalable because we scale by compute units. It's very easy for us to make a new deployment.

We used to replace cloud-native solutions from Azure directly or AWS. We don't implement those originally.

It's important for us because we have had a lot of traditional customers. Then, it's a good way to extend this security to the new deployments in public clouds. It's very important for us. 

Additionally, the customer is going to find another choice in the market.

The deployment is easy.  

The price is fair for most of the customers. We don't find the price excessive. It's okay. We can sell it. It's not really hard.

So, the pricing is good. 

I would recommend using it. 

Overall, I would rate the solution a nine out of ten. It is very good. Because it's very well integrated with the traditional platform, especially the Infinity portal part. The unified security concept is very sound for that.

However, there is always room for improvement, we always have to extend the capabilities to other use cases.

I use CloudGuard Network Security to enhance our cloud exchange points' security. Our customers can seamlessly connect across multiple clouds within the region, and CloudGuard provides next-generation firewall services to ensure their data and applications are protected.

CloudGuard Network Security has significantly improved our organization by helping us tap into the Check Point customer market.

The VPN features in CloudGuard Network Security have been the most valuable for us. It allows us to scale securely within our infrastructure, providing both strong security and VPN capabilities.

In the next release, including VRF support would be highly beneficial. Many customers have been requesting this feature, as it is currently lacking in Check Point's offerings, which can make architectural designs more cumbersome compared to competitors.

I have been working with CloudGuard Network Security for two and a half years.

As for scalability, it could be even better with VRF support, as it would allow for more efficient scaling without the need to deploy separate firewalls for different workloads.

CloudGuard Network Security has been quite stable.

I would rate technical support for CloudGuard as an eight out of ten.To make it a ten, I would expect more proactive assistance and smoother transitions between support levels.

Positive

When comparing CloudGuard Network Security to other solutions like Fortinet and Palo Alto Firewalls, they are similar in terms of identifying security threats. They all offer robust features such as antivirus, deep packet inspection, and IPS. Some of our customers have transitioned from Palo Alto to Check Point. While I don't have specific reasons, it could be related to factors like pricing.

We deployed it across multiple locations, utilizing AWS for SMS management. The environment was designed to ensure security and privacy, with all deployments being private despite being in the public cloud. Our implementation strategy was flexible, depending on the customer's needs, focusing on workload security first and then gradually migrating workloads. The initial deployment was straightforward.

One significant difference between CloudGuard Network Security and other solutions is the lack of VRF support. This means that when dealing with customers who have multiple segments and exchange points, deploying new firewalls becomes necessary. Competitors' solutions typically include VRF support, making scaling much easier and eliminating the need for additional firewall purchases.

We chose CloudGuard over other vendors because it allows us to provide unified security across multiple cloud providers like AWS, Azure, and Google Cloud. Unlike native cloud firewalls, CloudGuard offers scalability and the ability to expand across different platforms, meeting our customers' needs for consistent security across diverse cloud environments.

We implemented CloudGuard Network Security to meet our customers' demands for enhanced security features and centralized management. They specifically requested Check Point CloudGuard for its robust capabilities, including SMS and MDS for global management.

Using CloudGuard Duo Security has provided us with the ability to manage globally through MDS, which has been a valuable capability. It is convenient to have multiple pockets of global management from UniFi OS.

We realized the benefits of CloudGuard Duo Security quickly after deployment. Understanding the architecture, especially the MDS setup for higher-level organization control, allowed us to establish multiple pockets of management efficiently.

Unified security management allows us to streamline our security operations significantly. With centralized management through SMS and MDS, we can efficiently oversee not only the firewalls within our cloud exchange points but also on-premises devices, enabling a cohesive and unified security architecture across all environments.

I'm very confident in CloudGuard Network Security because it helps us secure our global network. With CloudGuard, we can set up rules to protect against risks from on-premises traffic and ensure security through various measures like single sign-on integration and VPN restrictions.

CloudGuard Network Security is a great product that fulfills firewall needs effectively and provides detailed insights. However, in multi-segment environments requiring multiple VRFs, it can be cumbersome and costly due to the need for separate firewalls.

The best lesson I have learned from using CloudGuard Network Security is to carefully consider the scalability requirements of each environment. While Check Point offers robust features, the lack of VRF support can lead to increased costs and complexity, especially in multi-segment setups where separate firewalls are needed for each segment.

Overall, I would rate CloudGuard Network Security as an eight out of ten.

We use the product to protect Azure workloads. 

The solution's most valuable feature is scalability. We can increase the number of CPUs, memory, and firewalls throughout easily. Using CloudGuard Network Security for managing cloud firewall rules is considered easier than using the normal security groups provided by Azure or AWS.

The solution needs to support more hypervisors. 

I have been using the product for two years. 

The solution's stability is good. 

The tool's scalability is good. 

Sometimes Check Point's technical support takes a long time when you need assistance with developing or fixing issues.

Positive

CloudGuard Network Security's deployment is straightforward. 

It took around a year to see the benefits of using CloudGuard Network Security. If you have CloudGuard Network Security managed by the same management server used for on-premises, you can control all policies in one management tool. I am confident in using the product. 

We are a Check Point partner, hence we trust the product and the company. I rate the overall product a nine out of ten. 

Check Point CloudGuard Network Security helps to ensure the security and protection of IT systems. We have many API integrations and want to ensure its protection. 

The product gives analytic reports. 

Check Point CloudGuard Network Security should give productive reports as per business requirements. It needs to improve support since the time-limit extended beyond a day. It should include more seamless API integrations. 

I have been using the product for four years. 

The product's stability is good. 

Check Point CloudGuard Network Security is very much scalable. My company has 1000 users. 

Check Point CloudGuard Network Security's deployment is easy and takes one day to complete. You need four resources to handle it. 

The product's licensing costs are yearly. 

I rate the product an eight out of ten. 

It is building the network infrastructure for our cloud environment around it. Primarily, the functionality that we are using it for is the firewall piece in the cloud.

We have three different things going on right now. I think Dome9 is considered a part of the whole CloudGuard thing. We have AWS and Azure environments behind just straight up Check Point Firewalls. We are in the midst of deploying a new network in AWS that fully leverages the whole IaaS that they offer. Primarily, it's the firewall main piece. However, we are transitioning into using the scale-up, scale-down gateways, which are mostly the network security piece of it.

The granularity and visibility that we are able to get into logging and data going into our AWS environment is significantly more than we could get purely out of the native AWS tools. That is big for alerting and incident response.

The Auto Scaling functionality is the most valuable feature. Our cloud environments are growing to the point where we need to be able to expand and contract to the size of the environment at will. They pull you to the cloud. With the static environment that we currently have stood up, it works well. However, it would be more efficient having the Auto Scaling even bigger. We are in the middle of that now, but I can already tell you that will be the most impressive thing that we're doing.

CloudGuard's block rate, malware prevention rate, and exploit resistance rate are tremendous. CloudGuard is functionally equivalent to what we are doing on-prem. It's easy to manage CloudGuard from on-prem and offers the same protection that we're able to give the rest of our environments, which is a big plus for us.

The comprehensiveness of the CloudGuard’s threat prevention security is great, especially once they integrate Dome9 in the whole thing. That really ties the whole thing together, so you can tie your entire cloud environment together into one central location, which is nice. Previously, we had three or four different tools that we were trying to leverage to do the same stuff that we are able to do with CloudGuard.

I might be a little skewed because I have been working with Check Point for so long that a lot of the same logic and language that the rest of Check Point uses becomes intuitive, but I haven't had any issues. Anything we need to get done, we are able to do it relatively easily.

The room for improvement wouldn't necessarily be with CloudGuard as much as it would be with the services supported by Check Point. A lot of the documentation that Check Point has in place is largely because of the nature of the cloud. However, it is frequently outdated and riddled with bad links. It has been kind of hard to rely on the documentation. You end up having to work with support engineers on it. Something is either not there or wrong. Some of it is good, but frequently it's a rabbit hole of trying to figure out the good information from the bad.

We use the solution’s native support for AWS Transit Gateway and are integrating it with the Auto Scaling piece now, which is a big portion of it. One of the issues with using the AWS Transit Gateway functionality is that setting up the ingress firewall can be more of a logging type function, as opposed to doing pure, classic firewall functionality. This is with the design that we are using with the Auto Scaling. However, AWS announced about two weeks ago that they have a new feature coming out that will effectively enable us to start blocking on the Check Point side, and with our previous deployment before, we weren't able to do that. While the Check Point side is fine, the functionality that AWS allowed us to use was more of the issue. But now that changes are occurring on the AWS side, those will enable us to get the full use out of the things that we have.

We have been using it since before it was even called CloudGuard, which has probably been five years now.

The stability is great. There are no real issues with it. Even when half of AWS went down last week at some point, our stuff stayed up. Check Point is actually fine, it's more of just whether or not AWS is going to stay alive.

The scalability is great. That is the big thing. We went from our existing not-that-scalable network to a full scale-up, scale-down. I feel like it's inherently scalable because of that. It gives you as much power or as little power as you need.

Currently, there are about 150 users in our organization. When the new deployment is done, there will be about 700 users. Right now, it is primarily software development. These are the people who are in there now spinning up and down servers, building out environments, etc. It's just going to be that on a larger scale once the new deployments are out there. We need to have the guardrails in place with CloudGuard and Dome9 to ensure that they don't wreck the company, but it's mainly software development and the various roles inside of that, like architecture. There are a hundred different teams in the company that do dev, so they each have their little functions that they would have to do in there.

Right now, the solution is lightly used, given the fact that most of our development is taking place on-prem. However, we are eventually moving everything to the cloud. By virtue of that fact, it will be heavily used for the next two to three years.

Support has been great. They will get you through any issue.

The documentation has been rough. Being able to do it yourself can be hit or miss given the constraints of the documentation.

We deployed our AWS environment in tandem with our CloudGuard deployment. There were individual pieces of AWS that we were using that we've replaced with CloudGuard, but those pieces were more on the Dome9 side than anything, like flow log exports, that we were able to consolidate back into Dome9 and CloudGuard.

The initial setup is generally complex. I have been doing cloud and Check Point stuff for a while. Therefore, when we deployed this stuff, I had a good understanding of how to negotiate both of them. That being said, I can see how a user who doesn't have this level of experience may see it as being difficult. I just have a lot of experience with this stuff and was able to get it stood up relatively easily. But, if you're not in the weeds with Check Point and AWS, then I can definitely see it being complex to set up, especially given the issues with documentation, etc.

The first deployment without Auto Scaling was probably about a month. It was kind of in tandem with building out the cloud environment. Our latest deployment was about two months, but it has been a significantly more complex design that we were doing, so it was sort of expected. It was not a full-time thing that we're doing. We were working on it a little at a time. If a team already had their AWS environment fully designed and operational, then they could have it up in a week. A lot of our challenges have been just tied to the organization and changing what it wanted out of the deployment, which has been more an internal issue for us.

Initially, our implementation strategy was a multicloud deployment. Then, it switched to a single cloud. After that, it shifted to the number of environments that we had to get stood up. So, it has been a bit all over the place internally. We know we have to do it, it was just a question of how many networks did we need to stand up, how many environments, etc. From a managerial leadership perspective, it was just telling us what they want.

Largely because we are a large Check Point shop who used on-prem going into it, most things are identical between the cloud and on-prem deployments. So, the things that we were able to do on-prem, we were then able to easily extend those out to the cloud.

We use Check Point’s Unified Security Management to manage CloudGuard in multiple public clouds and existing on-premises appliances. We had it in place before we had CloudGuard. Therefore, it was an easy transition to integrate that stuff. It wasn't that we had something else in place, then we brought in CloudGuard. We had the Smart Management Suite already set up on the internal end, and we were able to integrate that pretty easily.

99 percent of the time, we are doing the deployment ourselves. Here and there, we will have a one-off, but we do the deployment ourselves.

There are three of us who were involved in the deployment, which are the same people who are doing the maintenance.

The ROI is significant. We definitely would need more people on this team to manage this stuff if we were not using Check Point. The cost of having more security engineers and cloud engineers, in particular, is expensive. It prevents us from having to blow money on people who are just staring at the cloud all day.

The use of Check Point’s Unified Security Management to manage CloudGuard in multiple public clouds and existing on-premises appliances has freed up our security engineers to perform more important tasks. If we were tied down using four or five different tools, that would be a nightmare for us because we are just a small team. There are about three of us managing the cloud environments right now. If not for this solution, we would easily double or triple our team size. The number of different tools needed to manage (without CloudGuard) would be too much for just three of us.

The pricing and licensing have been good. We just had to do a license increase for our portion of it. We had that done within a couple of days. Given the fact that it's purely a software-based license, it ends up being even quicker than doing it for an on-prem firewall.

The only other thing that might come up is if we ever decided to do any managed services type of thing or bring in consultants. Outside of that, their cost is what it is upfront. This is outside of whatever you will end up paying AWS to run the servers. It is all pretty straightforward.

We kind of always knew it was going to be Check Point because of our extensive on-prem deployment. It just seemed easier for us to just stay with them instead of having multiple firewall providers. The only other real option for us at the time was just going with native AWS firewalls, but we would rather keep that managed ourselves with Check Point.

The only thing that we ever looked at or compared CloudGuard to is just native AWS tools and whether it makes more sense to use them than CloudGuard. By and large, we just kind of stuck with CloudGuard for the most part. There are definitely more menus that you can navigate over than AWS. Check Point's tools are good and powerful, but given what our deployment looks like, that just complicates things.

Favorable results of its security effectiveness score from third-party lab tests were very important to us. We didn't evaluate too many other options. Just knowing that it wasn't a piece of garbage was a good indicator upfront that it was worth sticking with Check Point down the road. If you are given more things that you have to look at, then there are more possible threats capable of penetrating an environment. So, if you're able to centralize things as much as possible, then you're on the right foot to catch any issues.

With the integrated nature of the Check Point suite, you can have everything under a single pane of glass, which is huge. You can do a lot of the things that you can do with Check Point if you had four or five different other vendors, but being able to do it all in one place is convenient and cost-effective.

In our decision to go with this solution, it was absolutely important that Check Point has been a leader for many years in industry reviews of network firewalls.

We should have done the Auto Scaling stuff upfront instead of going static. The biggest lesson was that the tools in place let you embrace the good parts of the cloud, which is flexibility and cost savings. The thing that we kind of learned is we just treated it upfront like it was another on-prem device, but you miss out on the whole point of having infrastructure as a service if you're not going to leverage it to its fullest capabilities.

Remember that you are doing this in the cloud, so treat it like a cloud device. Don't suddenly try to extend your on-prem network without leveraging the whole capabilities that CloudGuard gives you to scale your network in and out as needed.

CloudGuard's false positive rate is acceptable and low. You have pretty granular control over everything that you are doing. Even if you're running into false positives, you can easily tweak them and work with CloudGuard to eliminate them.

I would rate it a nine (out of 10). It does everything that we wanted it to. It kind of grows with AWS, where new AWS functionality is now enabling new CloudGuard functionality by virtue of a couple of changes that they have been making. They sort of work hand in hand. The only reason that stops it from being a 10 (out of 10) is just the limitations of AWS end up being the limitations CloudGuard as well. You take the good and the bad of the cloud.

Most security solutions traditionally have been protecting physical assets within an environment, or reliance on an inline hardware appliance. CloudGuard takes the security controls that were previously packaged with physical appliances in mind and extends them to the virtual infrastructure.

It's an add-on capability to an existing virtual infrastructure, such as an AWS, Azure, or even on-premise solutions. It adds a security layer on top of your existing infrastructure with zero latency.

We're hosting it ourselves on our hypervisors, as well as starting to do so in some of our private cloud instances. It's solely managed by us with a pair of consolidated management servers.

This virtual platform is unique in the way that it augments our existing physical controls through a centralized management system. When many organizations, like ours, went from physical servers to virtual servers and desktops, there was a blind spot there. We no longer had visibility into what was happening within our environment, and that extended to the cloud as well where it's difficult, if not impossible, to introduce hardware — firewalls and other security protection. This solution takes what is still required around intrusion detection/prevention, anti-malware, and other threat protection capabilities and extends it to all of our virtual assets, regardless of where they live, in a private or public cloud.

CloudGuard has closed a significant gap that we had in our environment. We were searching for the right solution for many years, to gain visibility into, and protection of, all of our virtual asset servers, desktops, and workloads. There have been other products throughout the years that provided a similar type of technology, but had we purchased and move forward with those, we would have seen a degradation of performance within our environment, as traffic would have to be what's considered "hair-pinning" and going in and out of the virtual environment to another either virtual or physical appliance. We intentionally delayed our purchase of this kind of solution because we were not satisfied with that architecture. We weren't willing sacrifice performance degradation on our network. That's really the big benefit of the CloudGuard, it is able to live within the same virtual instances as the other virtual assets and workloads.

What's most valuable to me is that it's a contiguous solution that aligns well with the components that we've relied on and trusted from a traditional hardware, firewall, and unified threat management system. My engineers and analysts don't have to learn another platform. We have already entrusted our security controls to Check Point for perimeter and physical security, and now we can do so at the virtual layer as well, which is key to us. It really augments their current stack of capabilities. It all aligns well under their umbrella of their Infinity architecture, which we have adopted.

It's meeting our needs at this time. If I could make it better, it would be by making it more standalone. That would be beneficial to us. I say that because our current platform for virtualization is VMware. The issue isn't any fault of Check Point, it's more how the virtualization platform partners allow for that partnership and integration. There has to be close ties and partnerships between the vendors to ensure interoperability and sup-portability. There is only so far that Check Point, or any security vendor technology can go without the partnership and enablement of the virtualization platform vendor as it relies on "Service Insertion" to maintain optimal performance. 

We are frequently in contact with Check Point's Diamond Support, Product Development Managers as well as their sales team, as we look to keep apprised of where the product ius and should be going. Most of our requests have been around our physical assets, the physical UTM devices — Check Point Maestro, as an example — as well as their endpoint systems. There has not been anything at this time where we've said, "We wish CloudGuard did X differently." CloudGuard, in my opinion, having recently talked with them, is continously improving and is incorporating some of their recently acquired capabilities, such as Dome9 cloud compliance. Those are areas I have been evaluating and looking to add to my environment. My preference would be that it be included in my CloudGuard subscription licensing, and not an add-on; But that's the only thing that I could say that would be beneficial to us as an enhancement to the system.

We've been using Check Point CloudGuard IaaS for about three years.

The stability has been great. There has been no concern at all. We have not had any known downtime or issues to speak of.

Scalability was well thought out and designed. I've spoken about this at several Check Point CPX events. Throughout the instances that we have, if a single Check Point CloudGuard instance is overloaded due to event load, it will intelligently redirect that workload to another service on a different host, so that it's not delaying the interrogation of the traffic.

It's being used throughout our environment. We will increase usage only when we augment our cloud offerings.

Users, in this case, are the IT security and networking folks that support it and rely on these controls being effective. They analyze the output of the event interrogation. Right now, I have three resources supporting CloudGuard. I don't have dedicated staff for maintaining the solution. They're shared resources who work on other network and security devices. From an operational standpoint, it's a fraction of an FTE that is required.

Check Point's technical support for this solution, overall, is very good. Check Point has architected this solution well enough that it has similar, if not the same, code base as the physical devices. It doesn't appear to be a big lift and can leverage the same support engineers for CloudGuard as we would have for our physical devices.

We never found a solution we were satisfied with, and which would not affect our overall operational performance.

I was not personally involved in the initial deployment, as I'm the CISO of the organization, but I was closely engaged with my engineers. The CloudGuard portion of our installation and setup was extremely simple, in comparison to the integrated component on the virtualization side of things. Check Point made it extremely easy to deploy and configure, especially because it's done from our consolidated management devices that we're already familiar from our physical unified threat management devices.

The delays in deployment were mostly due to the virtualization side of things. If it was just CloudGuard alone, we probably could have had that done in about six to eight weeks. But there were several starts and stops due to the accompanying VMware component, which has really extended, I hate to say it, over 12 months.

In terms of our implementation strategy, the intent is that every host in our environment that serves up virtual assets and workloads would have an instance of CloudGuard installed on it. And then all respective HTTP/HTTPS traffic would be routed through Check Point for visibility and interrogation, so that if any of its threat controls determined that an asset was rogue or infected due to some malicious insider or outsider, it would automatically quarantine that device. We have tested that and it worked successfully.

We installed it with the help of Check Point-badged engineers. To be honest, we had to ask for a new lead engineer. And once that occurred, the project implementation went very smoothly.

ROI is a very difficult metric in the security space. We've been fortunate that we haven't had an event in which we would say that because of CloudGuard our MTTD and MTTR was low and we quickly identified and stopped a malicious adversary.

However, we are now more confident in our security controls and visibility. CloudGuard plays a significant role in our SOAR (Security Orchestration Automation and Response) initiative. We can now automate the isolation of an infected machine with the help of CloudGuard.  This in itself is the best ROI as it doesn't require manual intervention to detect and respond.

The pricing and licensing of this is much more digestible than that of its hardware equivalent. I've found, in times past, especially on the hardware side of things, that the licensing support and maintenance could be very daunting to understand. If that has scared folks away in the past, CloudGuard is much simpler. 

Licensing is simply by the number of hosts that you are looking to protect within your environment. It makes it much easier to ensure that you are covering your environment.

If you are not already a Check Point customer for the UTM and the SmartEvent, there likely would be an additional cost, beyond the standard CloudGuard licensing, if you wanted the reporting. It's a unique instance where we already had an established infrastructure of Check Point devices on our network, and then we added CloudGuard to it. Had we started with CloudGuard, and only had virtual assets to protect, it is possible that there would be additional cost. I would urge folks to look into what it would cost to add the reporting capabilities and log event management.

We looked at offerings from Cisco (ACI), Illumio and Gigamon. This was about three-and-a-half years ago.

The main differentiator, and the reason we selected Check Point, is how it integrated with our virtualization platforms. It lived there natively. It had the least amount of overhead to interrogate the traffic within our environment. It also aligned well with our consolidated reporting and management solutions that we have come to rely on from our Check Point physical UTM devices.

Intently know and understand the integration points within your environment. It is a great security solution, but understand how integrated it is with, and what level of partnership there is between, Check Point and the virtualization platform that you're looking to add it on top of.

The biggest lesson I have learned is that the Check Point CloudGuard features, although good, are only as good as the accompanying virtual platform and its level of integration. I have to be honest: Overall, this is the ideal solution for us and our organization, but it is slightly more complex. There are newer competitive products that take a different stance, that are agent-based. We did not want — and this is another key distinction — a solution that wasn't agent-based in which we had to deploy a piece of software on each and every virtual endpoint. Having this done at the hypervisor level definitely was the right strategy for us. However, the lesson learned, with this type of solution, is that it is very important to understand the nuances of your virtualization platform and what is required on that side to enable the Check Point CloudGuard.

You're relying heavily on the partnership and the capabilities of that virtualization platform. Going in, understand the degree of that partnership and the respective road maps of each, because the CloudGuard solution is only as good as the capabilities it has with the virtualization platform. That's especially true for large enterprises that want to constantly move workloads around and have their rule set follow in an event where they're having to ensure that systems are always alive and always protected.