Check Point CloudGuard Network Security Room for Improvement

Cyber Security Manager at H2O Power

The biggest room for improvement is that, for a long time now, they've moved everything over to R80 but they still maintain some of the stuff in the old dashboard. They need to "buy in" and move everything to the modern dashboard so that you don't have to go to one place and to another place, at times, to configure the environment. It's time they just finish what they started and put everything in the new, modern dashboard. I thought they would have done that by now. It has been years. It's always a little disappointing when you get a new version and you see that it's still using the old dashboard for some of the configuration and some of the stuff that you look at.

They just need to make sure they get all their tools into this one place. It would make it a lot easier for the managers.

View full review »
KW
Advisory Information Security Analyst at a financial services firm with 501-1,000 employees

The room for improvement wouldn't necessarily be with CloudGuard as much as it would be with the services supported by Check Point. A lot of the documentation that Check Point has in place is largely because of the nature of the cloud. However, it is frequently outdated and riddled with bad links. It has been kind of hard to rely on the documentation. You end up having to work with support engineers on it. Something is either not there or wrong. Some of it is good, but frequently it's a rabbit hole of trying to figure out the good information from the bad.

We use the solution’s native support for AWS Transit Gateway and are integrating it with the Auto Scaling piece now, which is a big portion of it. One of the issues with using the AWS Transit Gateway functionality is that setting up the ingress firewall can be more of a logging type function, as opposed to doing pure, classic firewall functionality. This is with the design that we are using with the Auto Scaling. However, AWS announced about two weeks ago that they have a new feature coming out that will effectively enable us to start blocking on the Check Point side, and with our previous deployment before, we weren't able to do that. While the Check Point side is fine, the functionality that AWS allowed us to use was more of the issue. But now that changes are occurring on the AWS side, those will enable us to get the full use out of the things that we have.

View full review »
CISO and Senior Director Technical Operations at a insurance company with 201-500 employees

It's meeting our needs at this time. If I could make it better, it would be by making it more standalone. That would be beneficial to us. I say that because our current platform for virtualization is VMware. The issue isn't any fault of Check Point, it's more how the virtualization platform partners allow for that partnership and integration. There has to be close ties and partnerships between the vendors to ensure interoperability and sup-portability. There is only so far that Check Point, or any security vendor technology can go without the partnership and enablement of the virtualization platform vendor as it relies on "Service Insertion" to maintain optimal performance. 

We are frequently in contact with Check Point's Diamond Support, Product Development Managers as well as their sales team, as we look to keep apprised of where the product ius and should be going. Most of our requests have been around our physical assets, the physical UTM devices — Check Point Maestro, as an example — as well as their endpoint systems. There has not been anything at this time where we've said, "We wish CloudGuard did X differently." CloudGuard, in my opinion, having recently talked with them, is continously improving and is incorporating some of their recently acquired capabilities, such as Dome9 cloud compliance. Those are areas I have been evaluating and looking to add to my environment. My preference would be that it be included in my CloudGuard subscription licensing, and not an add-on; But that's the only thing that I could say that would be beneficial to us as an enhancement to the system.

View full review »
Learn what your peers think about Check Point CloudGuard Network Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2021.
513,091 professionals have used our research since 2012.
IT Security Manager at a sports company with 10,001+ employees

Clustering has not been perfect from the very beginning. There weren't too many options for redundancy. It was improved in later versions, but that's something which should be available from the very beginning, because the cloud itself offers you a very redundant model with different availability zones, different regions, etc. But the Check Point product was a little bit behind in the past. 

The convergence time between cluster members is still not perfect. It's far away from what we get in traditional appliances. If a company wants to move mission-critical applications for an environment to the cloud, it somehow has to accept that it could have downtime of up to 40 seconds, until cluster members switch virtual IP addresses between themselves and start accepting the traffic. That is a little bit too high in my opinion. It's not fully Check Point's fault, because it's a hybrid mechanism with AWS. The blame is 50/50.

View full review »
Senior System Administrator at a tech services company with 501-1,000 employees

We did not use the AWS Transit Gateway, and that's one of the things that we're currently using. I believe we will be working with Check Point again, in the near future, to implement it, once they start having proper support for a single customer with multiple accounts. When we were using them, we had to install Check Point on each and every single account.

I believe they're working on a solution for that. I know they're utilizing Transit Gateway for it, and that is exactly what we're using right now. I'm excited for them to have that ready, and for us to put it in our system.

In general, cloud infrastructure or a cloud-based environment, is very fast when it comes to technology. Things get developed right away. Check Point just needs to adapt to those changes quicker.

View full review »
JM
Network Security Engineer/Architect at a tech services company with 1,001-5,000 employees

CloudGuard functions just like any other firewall. It functions very well. The only thing that could maybe be improved would be to integrate some tools that are not integrated with the SmartConsole, like the SmartView Monitor that we need to open on a different application to access.

View full review »
Assistant Manager IT Projects at Mustafa Sultan

The knowledge base that is available is limited and it is on a closed network where only a customer or certified engineer will know about it. A beginner who wants to learn about the product actually has to enroll in training or get certified and have a valid license or certification to access information. That is something I find strange as most users would like to know about it. The new users would like to be able to see those areas and what type of concerns or any configuration issues they may have before deciding to work with the product. To me, that is a simple open-mindedness. In terms of the availability of the system and functionality of the product, there's no concern. But the problem is that efficient VSX (Virtual System Extension) deployment is complicated. Most of our customers are afraid to deploy any configuration changes because they are afraid something will happen.

It's not the same situation as with other products. I guess the reason behind it is the kind of architecture which they are using. There are more possibilities to crash than other products. That is the feedback I normally get from end-users, but even so, for us, I would say it's one of the best product.

View full review »
OO
DBA Team Lead with 51-200 employees

In terms of what could be improved, we have no support with the current Check Point environment. It ended maybe three or four years ago. Because it's an appliance you have to have support. That's a problem for us because I cannot update it at the moment. We have to have another support. We have to subscribe to another support so I can update it. I think it's a good amount of money and our boss does not want to pay that kind of money for firewall solutions. It's not a hardware solution, which by the way, if it would be up to me, I would migrate it to a hardware FortiGate system because all our customers at the moment are migrating their environments to FortiGate hardware solutions. They say it's a really good improvement from their previous firewall solution because it's easy to manage and they're very happy with it.

But as I said before, my boss does not want to pay a lot of money for a firewall solution since we don't have much data to protect and the data is not very important. It's not a big use for us. So we will just probably try pfSense or OPNsense. I can patch it to an up-to-date version, like the 2021 patch. We have the open source solution because my boss does not want to pay for it. It's my approach to migrate the firewall, actually. If it was up to me, I'd probably migrate it to a FortiGate system.

I'm not very experienced with Check Point. But what I would like to see is a step-by-step initial installation of the firewall. That would be really helpful. Like in Oracle appliances, when you start it asks you, what's your current IP address? An initial setup should be a step by step and intuitive process. You click on "begin," it asks you some simple questions. You fill in the blanks - your current IP address, what you want to do, if you want to set up a site to site VPN, for example, that kind of thing. That would be the smartest thing to have.

View full review »
Senior Network/Security Engineer at Skywind Group

As with other solutions of this kind, you still have to manage basic cloud firewalls and routes for VPC outside of CloudGuard IaaS. There's no 100% integration.

I hope that Check Point continues to improve its technical documentation regarding the Check Point CloudGuard IaaS gateway and management system. For example, the questions on how to scale the instances in the relevant cloud should be covered, and all the High Availability options and switchover scenarios. Without that, users have to open numerous consulting cases to the support team to get it right.

View full review »
Senior Network/Security Engineer at Skywind Group

As an administrator, I can say that among all of the Check Point products I have been working with so far, the Virtual Systems solution is one of the most difficult. You need to understand a lot of the underlying concepts to configure it, like the virtual switches and routers it uses underneath. That leads to additional time needed for the initial configuration if you don't have previous experience.

In addition, there is a list of limitations connected specifically with the virtual systems, like the inability to work with the VTI interfaces in a VPN blade, or an unsupported DLP software blade.

View full review »
AV
Team Lead Manager at a tech vendor with 51-200 employees

This application can be more integrated with web application firewalls. Better integrations would provide more granularity, which would be helpful for focusing on the application itself and preventing attacks.

It would be good to include the cross-domain search. If you have multiple firewalls that are managed on the same platform and you want to check who is using some particular objects or where a specific ID is being used, it should provide an option for this kind of search instead of having to check one by one on each firewall.

View full review »
US
Network Security Engineer at a government

If you compare the GUI with the Palo Alto and Cisco, they're very easy. Check Point, due to its design, is a little bit complex. They should make the GUI easy to use so that anyone can understand it, like Fortinet's GUI. Many companies end up using Fortinet because the GUI is very easy, and there's no need for training. They just deploy the box and do the configuration.

Also, we have to inform customers that with Check Point there's no need to purchase any routing device. Check Point can do that routing as well as the Firewall and the IPS. The marketing should be stronger, to show that customers only need one box to handle all the features. It will be cost-effective and enhance the performance and value, but because of their poor marketing, customers don't realize this.

In the future, a color string would be powerful. Sandboxing should also be offered. Many people want the Trend Sandbox but not on the cloud. In the Middle East, there is a policy for Sandboxing that states it should be on Trend as per the government law. They have Sandboxing solutions on the cloud, but they have to bring the solution onto Trend also. Palo Alto has Wildfire, Cisco has Talos, and Forcepoint has one available as well.

In the future, routing protocols should be more supported like OSPF and BGP. There needs to be integration with the SDN. I don't know if SDN is there or not in Check Point, but SDN is one of the major requirements nowadays.

View full review »
Senior Manager at a financial services firm with 10,001+ employees

System hardening could be improved, as password complexity is not enforced by default on root / command-line passwords.

The documentation provided by Check Point can be rough and needs to have a lot more detail incorporated in order to help the implementor and administrator.

The HA failover time is not as fast as expected and due to this, the convergence time between cluster members is still not perfect. Consequently, there may be an issue in migrating the mission-critical business applications. 

Micro-Segmentation functionality for EAST-WEST traffic is not native and requires integration with a third-party OEM.

View full review »
RT
Senior System Engineer at Gas South

I think they have pretty much mastered what can be done. There are some nuances like when you fail over from one cluster member to the other, the external IP address takes about two minutes to fail over. During this time there is an outage of service. On digging into this further I found that this is more on the cloud fabric and provider side than the actual Checkpoint CloudGuard side. The Cloud provider is taking that long to actually detach the Virtual IP Address (VIP) from one machine and fail it over to the other

View full review »
Senior Security Analyst at Atos

I would like this product to provide functionality like a web application firewall, where we can fully monitor all traffic passing both to and from the cloud.

The latency should be minimized by having multiple entry points all across the world. Nearby requests will have lower latency access to cloud applications.

It would be useful to have AD integration with an on-premises server.

The API integration is complex, which is an area that should be improved.

Onboarding this product takes some expertise because it is complex compared to other services that Check Point provides.

View full review »
AK
Head of Cyber Security Department at NGT Group

The stability of the solution could be improved, but this is the problem of all the solutions in the market. This isn't just a problem specific to Check Point.

View full review »
AG
Team Leader - Security at a tech services company with 10,001+ employees

Easier optimization techniques can definitely help with better performance of the OS, as using the vanilla software doesn't actually showcase the real capability of the software.

While there is a lot of documentation available on Support Center to understand how the solution works, it can become quite confusing. Some free training videos by Check Point would really help the engineers who don't have full access due to restrictions/unseen reasons.

A step-by-step guide for leading CSPs would really help.

Auto Scaling should be given as an option during a first-time installation, as it would be really beneficial and some users might not be aware of it.

View full review »
OP
Electronic Engineer at a tech vendor with 11-50 employees

The capability and the response, in terms of the time of response of the transactions, is very important for my customers. It's something they need to continuously work on to make it better.

The memory and hard disk capability could be strengthened.

The product should integrate next-generation firewall features such as anti-spam and anti-spoofing.

View full review »
RM
CEO at a tech services company with 51-200 employees

We're looking forward to the next Check Point with the solution and CloudGuard and everything on the same single cloud. Right now, that's not yet the case.

We're expecting more new features in the next release, however, I'm not sure precisely what is being added.

Check Point support, beyond CloudGuard, does need some improvement.

View full review »
MW
CTO at a healthcare company with 10,001+ employees

We would like to be able to scale out such that we can increase performance within a cluster with more active nodes.

Our biggest complaint concerns the high resource usage for IDS/IPS, as we cannot turn on all of the features even with a recent hardware upgrade.

A great enhancement for this solution would be an active-active or multi-active scalability.

As we need to fulfill higher bandwidth demands due to increased cloud usage and research-driven data exchange, we might need to look for other vendors with more competitive pricing.

View full review »
Director at InfoGuardian

The management console can be simplified because at the moment, it is a bit of a challenge to use.

I would like to see support for software-defined wirings in the next release of this solution.

View full review »
MK
Dy General Manager at a real estate/law firm with 501-1,000 employees

The solution lacks the capability to scale effectively.

View full review »
LA
Network, Systems and Security Engineer at SOLTEL Group

Throughput is impacted drastically once the security modules are enabled on the firewall.

As it is a software-based firewall, there is no dedicated throughput available for each module.

In case the device is inaccessible due to some issue such as CPU or memory, there is no separate port or hardware partition provided for troubleshooting purposes.

Throughput on the virtual firewall is an issue in case the organization wants to migrate a workload to the cloud, and it becomes a bottleneck.

View full review »
NN
Consultant at a government with 10,001+ employees

Reporting needs improvement. It's difficult to utilize properly. Currently, I'm in a situation whereby a client of ours is looking for reporting on their organizational unit. Check Point has failed to do that. We've been trying to do it for the past month and we haven't been able to. We've also gotten techs from Check Point to call us to help and we just can't get the solution to do what we need it to do.

Sometimes, if you aren't familiar with the solution, it can be a bit complex, but it does become easier to use with time. However, every time they launch a new version, it becomes more complex and you need to take time to get familiar with all the changes. For every version that they upgrade, you need to upskill yourself. 

View full review »
Senior Security Architect at a computer software company with 10,001+ employees

There is definitely some improvement required. We currently use a deployment template provided by AWS each time. If I want to clean up the IaaS I have to use the IaaS template which should not be necessary. Secondly, because it's zero touch, I cannot write up any rules in the firewall. I understand these features might have been built particularly for zero-touch but from the perspective of a network and firewall engineer, some independence to configure something on the firewall would be appreciated. 

An additional feature that could improve the solution would be to enable both automatic and manual control that would allow the engineer complete control over the firewall.

View full review »
JM
Network Consultant Engineer at a tech services company with 11-50 employees

I would like to see an improvement on the zero-day threat detection. It is also not very user-friendly, so it would be great if it could be less complicated and easier to operate. The dashboard needs to be easier to use.

Also, if the solution could be cheaper, it would really help, because it is very expensive. 

I would like to see sand boxing added to the new version.

View full review »
FN
IT Professional at a government with 10,001+ employees

The clustering and HE from the scaling availability could be improved.

The documentation could be much better as well.

View full review »
OM
Business Manager at a tech services company with 11-50 employees

Check Point Virtual Systems is a complete solution, but pricing can be better.

View full review »
MS
Information security officer at a tech services company with 1-10 employees

The initial setup is complex and could be made simpler.

The console could use some improvement.

View full review »
Learn what your peers think about Check Point CloudGuard Network Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2021.
513,091 professionals have used our research since 2012.