We just raised a $30M Series A: Read our story

Check Point IPS OverviewUNIXBusinessApplication

Check Point IPS is the #4 ranked solution in our list of top Intrusion Detection and Prevention Software. It is most often compared to Darktrace: Check Point IPS vs Darktrace

What is Check Point IPS?

Check Point IPS (Intrusion Prevention System) combines industry-leading IPS protection with breakthrough performance at a lower cost than traditional, stand-alone IPS software solutions. IPS delivers complete and proactive intrusion prevention – all with the deployment and management advantages of a unified and extensible Next Generation Firewall solution. Learn more about IPS Software.

Check Point IPS is also known as Check Point Intrusion Prevention System.

Check Point IPS Buyer's Guide

Download the Check Point IPS Buyer's Guide including reviews and more. Updated: October 2021

Check Point IPS Customers

Morton Salt, Medical Advocacy and Outreach, BH Telecom, Lightbeam Health Solutions, X by Orange, Cadence, Nihondentsu, Datastream Connexion, Good Sam, Omnyway, FIASA, Pacific Life, Banco del Pacifico, Control Southern, Xero, Centrify

Check Point IPS Video

Pricing Advice

What users are saying about Check Point IPS pricing:
  • "I think that the price of support is around $40,000 USD or $50,000 USD per year."
  • "The module has a considerable cost but you can save by purchasing a package with several modules instead of making a single purchase."
  • "Enabling IPS does not require any additional license purchase from OEM, as it comes by default with the NGFW bundle."
  • "The pricing for Check Point IPS is competitive and brings good value for the money."

Check Point IPS Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
ITCS user
Network Security Engineer/Architect at a tech services company with 1,001-5,000 employees
Real User
Top 5Leaderboard
Protects us against hundreds of different attack vectors

Pros and Cons

  • "The most valuable feature is that it protects us against hundreds of different attack vectors, like ransomware. The protection is always being triggered. People try to access websites that are categorized as malware, so when the users do a DNS request for the IP of those malware websites, the IPS Blade replaces the real IP of the website that is malware with a bogus IP. The user gets an IP that doesn't exist and when he tries to access, it won't work."
  • "The only thing they could maybe improve is that we notice right away that the performance decreases when we enable the IPS, especially beyond the CPU and memory usage. If you want to enable the IPS and you have a lot of traffic, it can have an impact. The performance could be improved."

What is our primary use case?

We use Check Point IPS to protect our infrastructure against threats. It internalizes different attack buttons. We started by deploying it only on the on-prem firewalls, but now we are also rolling out to the internal firewalls, the ones that segregate environments, the production, and the corporate environment.

How has it helped my organization?

Check Point has improved my organization by stopping almost 100% of the attacks we see. It also protects us from SQL injection and other injections. When people try to attack our websites, I see protection for that. I also see SSH over non-standard ports. 

Some IPs in the United States try to attack our exposed websites. It is very important to protect our hosting infrastructure with our website for these kinds of attacks.

What is most valuable?

The most valuable feature is that it protects us against hundreds of different attack vectors, like ransomware. The protection is always being triggered. People try to access websites that are categorized as malware, so when the users do a DNS request for the IP of those malware websites, the IPS Blade replaces the real IP of the website that is malware with a bogus IP. The user gets an IP that doesn't exist and when he tries to access, it won't work. This is the protection that triggers the most on our infrastructure. For example, if a user tries to access malware.com, the DNS response gets changed by the IPS Blade to an IP that doesn't exist.

What needs improvement?

In my opinion, IPS is one of the better Check Point products because it's very easy to configure. You don't need to go protection by protection to check which ones you want to enable. You can enable the ones that are medium or higher severity and all those protections are immediately enabled. 

When you deploy this on an existing firewall that is already working, it's always better to set it on detection mode before you put it on prevention mode. It's very easy to detect a profile and then check for a month if there are some false positives that you want to filter before you put it on prevention. It's very easy to work with.

The only thing they could maybe improve is that we notice right away that the performance decreases when we enable the IPS, especially beyond the CPU and memory usage. If you want to enable the IPS and you have a lot of traffic, it can have an impact. The performance could be improved.

For how long have I used the solution?

We have been using Check Point IPS for four years. 

What do I think about the stability of the solution?

It's very stable. We never had any issues of it stopping to work. It's been very stable. 

What do I think about the scalability of the solution?

It's very scalable in the way that you can create a profile and a Blade throughout your firewalls. When you create an exception, it will apply to all your firewalls, if you want it to. 

Three network security engineers work with Check Point IPS currently. It's used on all our permitted firewalls and most of the internal firewalls. We aim to deploy it on all our firewalls next year. It's deployed in 10 clusters.

How are customer service and technical support?

At one point, we had an issue where we had some firewall Blade logs that were empty. They didn't have any information and we didn't know why. We had some remote sessions, but we couldn't find the root cause. We gave up on it because we couldn't find a solution. Support could be better.

This issue sometimes happens on a daily basis but we started to ignore it because we had a lot of sessions and we couldn't find the problem. It doesn't impact service. It's just one log in each 1,000 or more.

Which solution did I use previously and why did I switch?

We also use Cisco Firepower. At first, we only had Cisco Firepower and then we started enabling IPS on the Check Point firewalls. At the moment, Check Point IPS is the only one that is in prevention mode. Cisco Firepower is only on detection. I think the biggest difference is that the advantage is that we already had the Check Point firewall. It was only a matter of enabling the new feature, the traffic was already going through it. We didn't need to add another appliance for doing the IPS on the Check Point port. Firepower has different hardware, so we need to do batching and put the traffic going through it. The biggest advantage of Check Point IPS is that it's integrated into a product that has other features. It's just a matter of enabling the Blade on the firewalls that are already receiving the traffic. I think it's the biggest use.

It's better to have everything in the same place. You can configure the firewall rules for allowing traffic and then you can also enable IPS protection on the traffic. It's better in that sense, but on the other hand, it will consume more resources on the firewall which is also doing other stuff. 

Check Point has some advantages and some disadvantages when you compare it with Cisco Firepower. With the protection itself, both of them are very useful. We don't have complaints about Firepower. The idea is to compliment one product with the other. The idea is to have both vendors with different kinds of protections.

How was the initial setup?

My advice would be that if the firewall is already in place, you should also always put it in detection mode to see the report and see if you need to put any kind of exceptions before you put in prevention. You should also make sure that the hardware is capable of running the IPS for the amount of traffic that you want to analyze.

The initial deployment was very easy. You just need to buy the license, enable the Blade, and create a profile. It's easy when you create a profile because you just need to select which kind of protections you want to enable. You can select in terms of severity and performance impact. There are some protections that if you enable them, they have more impact than others. You can, for example, enable only the protections that have a medium or lower impact on the firewall performance and the medium or higher severity on the severity attacks. It's very intuitive and very quick to create the profiles.

The first deployment took three or four hours to add the license but then we waited for a month to create a new profile for the prevention mode. We deployed it ourselves. 

What was our ROI?

Our return on investment is that we feel that our infrastructure is protected. Especially for our web hosting infrastructure, where we have our websites and our portals, which are always under attack.

What's my experience with pricing, setup cost, and licensing?

Compared to Firepower, the pricing for IPS is competitive. It's in line with Firepower and I think it's even a bit cheaper. Pricing is competitive. 

Licensing is per-device. When we renew the firewall content, we buy the IPS license for each firewall where we want to deploy it.

What other advice do I have?

My advice would be to always have it with the latest database because you want to be protected against the latest attack vectors. It's very important to have it doing automatic updates so that when Check Point reviews an update of an attack that is currently happening, you always get it first before you get the effect.

I would rate Check Point IPS a nine out of ten. Not a ten because of the logging issues we've experienced. 

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
KK
IT Department manager at AS Attīstības finanšu institūcija Altum
Real User
Top 20
Easy to set up and use, has good reporting with lots of detail

Pros and Cons

  • "The reports are well written so that you can understand what type of attack has occurred, the originating IP address, and other details."
  • "Occasionally there are glitches and errors like false positives, which would be a nice area of this solution to improve upon."

What is our primary use case?

We are using Check Point IPS for securing our internal networks and our website, as well as all of the traffic that goes through us. The traffic is analyzed by the IPS, which checks for things like malicious files and different attack patterns.

We are using the virtualized version.

How has it helped my organization?

Our old IPS was much more difficult to administer so the adoption of Check Point has helped us in this regard.

What is most valuable?

The most valuable feature is ease of use.

Check Point IPS has quite a decent database of attacks.

The reports are well written so that you can understand what type of attack has occurred, the originating IP address, and other details.

What needs improvement?

It is always possible to improve the speed of an IPS, although there is always a performance penalty when using additional security software.

Occasionally there are glitches and errors like false positives, which would be a nice area of this solution to improve upon.

The pricing could be improved.

For how long have I used the solution?

I have been using Check Point IPS for six or seven years.

What do I think about the stability of the solution?

The stability is quite good. The product itself is quite good and although we had some issues, they were usually hardware related. Since we upgraded to the virtual edition two or three years ago, we have had almost no incidents. 

What do I think about the scalability of the solution?

We do not have a very big scale so I cannot comment on scalability. The performance is enough for us and to test scale, you would need a bigger connection speed. We have a 500 megabit internet connection and it is almost never saturated. We have tested ours and it works well. The only time we hit a bottleneck is when we are transferring large amounts of data or creating many connections, but that is not our typical use case.

We have 205 employees and they are all protected by Check Point IPS. They are all end-users except for our one system administrator. We do not plan on increasing our usage at this point.

How are customer service and technical support?

With Check Point, we have had quite good support. They usually respond within two or three days with some kind of resolution or at least they collect logs and analyze them.

Most of our cases are solved with first-level support, which is local. They are our partner who sells this product and they have their own technical people who know our infrastructure. We generally do not need to escalate our issues to Check Point.

Which solution did I use previously and why did I switch?

Prior to using Check Point IPS, we were using a solution by IBM. It was much more difficult to administer. However, we had already been using the Check Point Firewall product and moving to Check Point IPS was a logical choice. It was easier in terms of administration because it is the same console and we did not need additional servers. In fact, our infrastructure got a little bit smaller and the performance, I would say, is better.

With respect to the performance, having the solutions on the same machine means that the traffic is analyzed once instead of twice. There are fewer hops.

How was the initial setup?

The initial setup was quite straightforward. We had to add the license and enable the policies, which was done within two days. After that, of course, we had some fine-tuning but I wouldn't say that it's a headache. In total, it took about a month before we had the configuration ready and it was in production.

One person was responsible for the deployment and one person is enough to take care of maintenance.

What about the implementation team?

We had some trouble doing all of the troubleshooting and setting up some of our rules, so we had assistance from technical support during this part of the setup. We took care of the main deployment but they guided us when necessary.

What was our ROI?

It is difficult to calculate ROI for an IPS or a firewall because you can actually live without fancy security if you don't have any data to protect.

What's my experience with pricing, setup cost, and licensing?

This is an expensive solution. I am not exactly sure of the pricing because we have a package deal that has the licenses included. I think that the price of support is around $40,000 USD or $50,000 USD per year.

How it works is that we license a pair of virtual CPU cores, as well as the firewall, and then the IPS is included along with the antivirus and additional products.

Which other solutions did I evaluate?

We did evaluate several IPS products by different vendors but they all had trouble integrating with our Check Point Firewall. We made the decision that even if the other products were cheaper to buy, they would need additional integration and custom development, so ultimately it was not worth it.

What other advice do I have?

My advice for anybody who is researching this type of solution is that they need to choose the product carefully. Most importantly, I would look from a performance perspective. Secondly, I would consider it from a pricing perspective because there are cheaper solutions available like Sophos and Fortinet, and they are good at what they do. If there is no firewall in place at all and this is their first project with protecting the enterprise, then it is reasonable to look at all of the vendors and look at what features are needed. The most important part is what your administrators are used to using because if you need to train them then it's additional costs.

The next thing that I would suggest is to make sure that you get a good partner because it is important to have good first-level support.  

The biggest lesson that I have learned from using Check Point IPS is to be quite careful about which features you enable with it, and which protections to use. You need to balance performance with security, finding exactly the right configuration for your environment and requirements.

Overall, I would say that this is a decent product. If the pricing were cheaper then I would say that it was perfect.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about Check Point IPS. Get advice and tips from experienced pros sharing their opinions. Updated: October 2021.
542,608 professionals have used our research since 2012.
VN
System and Network Administrator at Auriga - The banking e-volution
Real User
Top 5Leaderboard
Helpful alerts and reporting, granular rule options, and the update schedule is flexible

Pros and Cons

  • "The Check Point IPS module allows me granularity in creating rules."
  • "Having additional reports available would be helpful."

What is our primary use case?

The Check Point IPS module is applied to both internal and external traffic.

Many times, we only think about protecting ourselves from what comes from the Internet but it is also good to analyze what passes inside between one network and another and what goes out to the Internet.

I'll never forget the first backdoor report. We immediately activated email alerts for the most important reports and it was an email that indicated the compromised server. There were three of us and it took two hours to discover that through the image upload form, there had been an attempt to upload a backdoor. This IPS module had blocked this attempt.

How has it helped my organization?

The Check Point IPS module certainly is of great support in ensuring the security of every organization. You cannot say that users only surf the internet and you do not need this type of protection because the danger does not come only from the internet, but also from within. 

We immediately implemented the module on internal traffic and if there is any server or user that does something that should not be done, it is immediately identified. 

Valid support also comes from applying, before their official publication, the protections inherent to server and application updates. In this way, we are not forced to install updates on the servers as soon as they are published. Rather, we can also schedule updates and incorporate a delay. This protects us from the possible publication of incorrect updates that are withdrawn immediately afterward.

What is most valuable?

The Check Point IPS module allows me granularity in creating rules. I can specify which definition to apply and to which scope or network.

I can create multiple profiles, which is helpful. Profiles are the set of rules and I can choose which one to apply. Having more profiles and more options, we have not always moved in a guaranteed way with respect to internal traffic, and rigorously with respect to external traffic.

From the outside, we block directly without waiting to look at the logs. If anything, then we will allow this traffic. From the inside, we allow traffic by default and maybe we will block it after looking at the logs.

These decisions were also supported by the degree of reliability declared by Check Point itself. If we are talking about a high degree of reliability combined with a dangerous vulnerability then you can immediately block traffic with greater confidence in not having false positives

The logs and related functionality are done very well.

What needs improvement?

To use the Check Point IPS module, you need a dedicated team who must know both the business reality and be sensitive to the dangers coming from the Internet. You can't leave everything to the application to run automatically.

If you leave it on automatic then you run two fundamental risks; the first is the blocking of the firewall due to excessive use of resources, and the second is the sudden halt of your services due to the blocking of a malicious application. By optimizing the resources requested by this module and sending more specific alerts regarding blocks, you can certainly obtain an improvement in performance and usability.

Having additional reports available would be helpful.

For how long have I used the solution?

I have been using Check Point IPS for twenty years.

What do I think about the stability of the solution?

This has always scared me because it is known that activating this module in an inconsiderate way causes malfunctions of the firewall. However, Check Point tells you to apply only the IPS definitions that are useful in your environment and warns with specific pop-ups when you want to activate a definition that requires a lot of resources.

What do I think about the scalability of the solution?

In case of high volumes of traffic, it is possible to balance the same by adding other nodes to the cluster.

How are customer service and technical support?

It was certainly a good experience, a daily challenge to overcome oneself and compete with the world.

Which solution did I use previously and why did I switch?

Prior to this product, we did not use a similar solution.

How was the initial setup?

The initial setup is complex and must be done by a team, necessarily also made up of internal staff, who are highly skilled.

In the beginning, it is good to evaluate the single definitions in order to reduce the false positives and to avoid a waste of firewall resources. Subsequently, the new definitions released must be reviewed daily.

What about the implementation team?

We implemented it with the support of an external team that proved to be up to the task entrusted to it.

What's my experience with pricing, setup cost, and licensing?

The module has a considerable cost but you can save by purchasing a package with several modules instead of making a single purchase.

The implementation has a high initial and management cost.

Which other solutions did I evaluate?

We did not evaluate other options.

What other advice do I have?

In summary, this is a well-made product and I don't feel like I would suggest improvements other than having more reports. I recommend its adoption to those who have the availability of a team, internal or external, that has the ability to manage it and the knowledge of the company.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Oleg P.
Senior Network and Security Engineer at a computer software company with 201-500 employees
Real User
Top 5
New protections can be automatically activated in the "Staging mode", which only detect the possible threat and alerts them

Pros and Cons

  • "The number of the IPS protections is amazing - after the latest update I see more than 11000 in the SmartConsole."
  • "In my opinion, the Check Point software engineers should works on the performance of the blade - when it is activated with the big number of the protections in place, the monitoring shows us the significant increase in the CPU utilization for the gateway appliances - up to 30 percents, even so we are cherry-picking only the profiles that we really needed."

What is our primary use case?

Our company works in developing and delivering online gambling platforms. The Check Point NGFWs are the core security solution we use to protect our DataCenter environment located in Asia (Taiwan). The environment has about ~50 physical servers as virtualization hosts, and we have two HA Clusters consist of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. 

The Clusters serve as the firewalls for both inter-VLAN and external traffic. We have the Intrusion Prevention System (IPS) blade activated on both Check Point HA Clusters as the counter-measure against advanced threats and malware. The IPS blade mostly used for ingress traffic from the Internet to the DMZ VLAN.

How has it helped my organization?

I think that the security of our DataCenter has been increased to a large extent by activating of the Check Point Intrusion Prevention System software blade. Before that, we used the Cisco ACLs and Zone-Based firewall configured on switches and routers, which currently not an efficient solution for protecting from advanced threats. Now we have state-of-the-art, true, and efficient Next-Generation firewall, and the IPS blade is the heart of it. The security profiles activated in the IPS blade check the traffic not just by TCP/UDP port of the connection, but by traffic patterns and the application behaviour. 

What is most valuable?

The number of IPS protections is amazing - after the latest update, I see more than 11000 in the SmartConsole.

All the protections are tagged and categorized by the vendor/type/product, the severity of the threat, confidence level, and performance impact of the activation, which helps in finding and enabling only he profiles that we really need (e.g. we don't have any Microsoft Windows servers in our environment, so decided to disable such protections by default).

The protections are updated based on the schedule - we used the default once-a-day approach.

I also like that the new protections may be automatically activated in the "Staging mode", which only detect the possible threat and alerts them, but doesn't block the actual traffic, thus minimizing the impact of the false positives. 

What needs improvement?

In my opinion, the Check Point software engineers should works on the performance of the blade - when it is activated with the big number of the protections in place, the monitoring shows us the significant increase in the CPU utilization for the gateway appliances - up to 30 percents, even so, we are cherry-picking only the profiles that we really needed.

Due to that fact it is also not so easy to choose the correct hardware appliance when you are planning the infrastructure. It is even more important when you realize that the Check Point hardware is very expensive.

For how long have I used the solution?

We have been using this solution for three years, starting since late 2017.

What do I think about the stability of the solution?

The solution is reliable and stable, we didn't have any software or hardware issue while using it.

What do I think about the scalability of the solution?

The Check Point software blade is activated on the HA Clusters in Active-Standby mode. There's a space to grow with the current setup, but eventually, we may switch to the Active-Active mode and add additional appliances to the clusters.

How are customer service and technical support?

Even so we had a number of the support cases opened with the Check Point team, none of them was connected with the IPS blade. In general, there are professionals in the support team, but some cases took surprisingly long time to be resolved. 

Which solution did I use previously and why did I switch?

Before the Check Point IPS, we relied on the simple stateful firewalls configured on Cisco switches and routers and moved to Check Point to get improved security against the modern threats.

How was the initial setup?

The initial setup was easy, as was the configuration. Now the solution almost doesn't require the time for managing it.

What about the implementation team?

The implementation was done by the Certified Check Point Expert we have in the in-house team - the Check Point solutions are popular, so there are such engineer available on the job market.

What's my experience with pricing, setup cost, and licensing?

The overall cost of the solution is really high. You should properly scale the setup you are planning to purchase. 

The licensing model is simple, but some of the software blades are not included into the default bundles and should be purchased separately - pay attention to that.

Which other solutions did I evaluate?

We didn't evaluate the other solutions.

What other advice do I have?

The correct performance sizing is essential for this kind of software - use the tools provided by the vendor, and consult the sales if you are still not sure.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PRAPHULLA  DESHPANDE
Associate Consult at Atos
Real User
Top 5Leaderboard
Great updates, good out-of-the-box configuration and very good reporting

Pros and Cons

  • "There's an automatic update after every 2 hours which makes sure that the database is up to date and providing zero-day vulnerability protection."
  • "After the R80 release, there are almost all feature sets available under IPS Configuration. However, further to this, adding a direct vulnerability scan based on ports and protocol for every zone (LAN, DMZ, or Outside) will make Check Point very different compared to other vendors on the market."

What is our primary use case?

Intrusion prevention and detection are the most valuable pillars in the security system, which detects and prevents exploits or weaknesses in vulnerable systems or in applications and protect against threats not only based on signatures but also based on anomalies, behavioral analysis, etc.

IPS is already integrated and comes as a security license in Check Point NG Firewalls and NGTX Firewalls.

Every defense system must have a feature set that provides complete security for Network IPS and Check Point has very powerful high throughput - almost at terabyte speed - with the help of a hyper-scale approach.

How has it helped my organization?

Organizations can scan for vulnerabilities know as VAPT, which many prefer as one-step closure for maximum security for the entire network. Check Point IPS plays a leading role in patching those vulnerabilities based on CVE IDS.

Based on updates received from the Check Point Threat Cloud, CVE IDs get updated or we can manually add those signatures.

It helps organizations to get a complete report for vulnerabilities in applications, the host running in the network (which helps to fixed to vulnerabilities based on CVE IDs), and gives reports for the compromised host, C&C host, DNS tunneling attempts, and protects against vulnerability in SNMTP HTTP POP, etc.

What is most valuable?

There's a good out-of-the-box configuration for recommended security based on severity levels, confidence levels, and network impact - also known as an IPS Profile.

For better security, we can edit options based on requirements and we can keep actions as detect-only which gives us alerts but allows traffic to flow without stopping anything.

There's an automatic update after every 2 hours which makes sure that the database is up to date and providing zero-day vulnerability protection.

Check Point IPS provides reports for running vulnerabilities which help enable SOC teams to respond to the highest-priority events first to patch them.

What needs improvement?

After the R80 release, there are almost all feature sets available under IPS Configuration. However, further to this, adding a direct vulnerability scan based on ports and protocol for every zone (LAN, DMZ, or Outside) will make Check Point very different compared to other vendors on the market.

Most customers take an IPS license but they don't take a SmartEvent license and when this happens, they will not be aware of the report parts such as current threats in the network open ports/protocol, vulnerabilities in a system, or detected/prevented attacks. For such cases, Check Point should provide a bundled license with IPS. 

For how long have I used the solution?

I've been using the solution for more than four years.

What do I think about the stability of the solution?

The solution is highly stable for this particular blade.

What do I think about the scalability of the solution?

Scalability can depend on throughput and if we use Maestro Hyperscale, we can distribute load across multiple Check Point Firewalls to get the maximum (in TPS) throughput.

How are customer service and technical support?

Most of the time there is no need to take support for this,  but the CVE closure technical support team helps lot.

Which solution did I use previously and why did I switch?

Customers may have had different NGFW solutions, however, after, they migrated over to Check Point NGFW.

How was the initial setup?

The installation was straightforward in terms of configuration and onboarding.

What about the implementation team?

We are service providers and provide services to customers.

What was our ROI?

Attacks are getting prevented and detected based on severity which helps our organization to get rid of compromising attacks.

What's my experience with pricing, setup cost, and licensing?

Check Point IPS license is a must-have, and users need to make sure the database gets updated on daily basis after every 2 hours as per the defined configuration (which helps to get maximum protection).

The configuration is very simple and effective if you refer to the configuration guide properly.

Which other solutions did I evaluate?

We did not look at any other solution.

What other advice do I have?

The solution is best in class.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Basil Dange
Senior Manager at a financial services firm with 10,001+ employees
Real User
Top 5Leaderboard
Good visibility and reporting, helpful support, but it can lead to performance degradation

Pros and Cons

  • "It protects against specific known exploits but also, with SandBlast integration, it is able to protect against unknown or zero-day attacks at the perimeter level."
  • "There is a performance impact on the NGFW post-enabling the IPS blade/Module, which can even lead to downtime if IPS starts to monitor or block high-volume traffic."

What is our primary use case?

We use this solution to secure the organization against any attack coming into the network via the internet, a third party, or any other connected network. It is used to detect and prevent identified threats at the perimeter level so attacks do not penetrate the network.

With so many access points present on a typical business network, it is essential that we have a way to monitor for signs of potential violations, incidents, and imminent threats.

We also use it to provide flexibility for the SOC admin to identify any suspicious activity and either detect and allow (IDS) or prevent (IPS) the threat. It logs and reports any such incident to the centralized logger so the required action can be taken by the SOC team.

How has it helped my organization?

This IPS device is protecting the organization's assets from any know vulnerability or threats that are coming from the network and vice versa.

It protects against specific known exploits but also, with SandBlast integration, it is able to protect against unknown or zero-day attacks at the perimeter level. An example of this is C&C communication, which is getting trigger by compromised systems.

It's able to detect and prevent any tunneling attempt that is happening via compromised systems, thereby avoiding data leakage.

It provides the capability to enable security policy based on templates, which can be enabled by the organization, depending upon their need. For example, enabling the highest security with the lowest performance impact is a matter of selecting templates accordingly.

What is most valuable?

IPS can be enabled on the same security gateway and does not require any additional hardware purchase or additional network connectivity.

It provides complete visibility and reporting on a single dashboard for the entire NG firewall, including the IPS blade on the Smart Console.

Signatures are constantly updated and it also provides virtual patching protection up to a certain extent. 

It provides a detect-only mode for IPS Security policy that the admin can enable on a required segment for monitoring, giving an opportunity to observe prior to blocking.

What needs improvement?

There is a performance impact on the NGFW post-enabling the IPS blade/Module, which can even lead to downtime if IPS starts to monitor or block high-volume traffic. 

There is no separate, dedicated appliance for IPS.

In the case of the IPS blade enabled on the NG firewall, it does not provide flexibility to monitor specific segments as easily as the IPS policies that are applied on the security gateway. There is lots of configuration and exclusion policy that need to be configured to bypass traffic from IPS Policy. 

IPS gets bypass in case performance goes above certain limit. This is the default setting that is provided.

For how long have I used the solution?

I have been using Check Point IPS for more than six years.

What do I think about the stability of the solution?

This is a stable product.

What do I think about the scalability of the solution?

Most of the organization is deployed on the NGFW and it has scaled accordingly, with most devices in HA mode.

How are customer service and technical support?

Technical support is excellent.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

This is a blade/module that needs to be enabled, selected, and applied across the security gateway.

What about the implementation team?

Our in-house team was responsible for deployment.

What's my experience with pricing, setup cost, and licensing?

Enabling IPS does not require any additional license purchase from OEM, as it comes by default with the NGFW bundle. This blade/module can be enabled based on the requirement and can be pushed to the security gateway.

Which other solutions did I evaluate?

We did not evaluate other options.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Kirtikumar Patel
Network Engineer at LTTS
Real User
Top 5Leaderboard
Helps prevent unwanted and unknown attacks

Pros and Cons

  • "IPS can protect our organization with any old vulnerabilities or if any vulnerability detected minutes ago IPS can protect us as per our configured policy."
  • "I observed on our management that sometimes IPS does not connect to the threat cloud, we have to check and improve it. Otherwise, all of the features are good."

What is our primary use case?

I work in MNC company and we have 6 GEO locations in India and all of our locations are using Check Point as a perimeter firewall. I sit in our HO Office and I am maintaining all the location firewalls with my team, except for 1 location. We regularly monitor the security alerts on our perimeter and based on that we will align our location IT to check and update us. IPS is our core blade for network security, it is provide the details that some suspicious activities happen on our network as per the IPS signature database, and based on that we will work on that.

As our primary use case with IPS blade we are daily receiving non-compliant IKE alert, and we know if we prevented it then what impact will happen, our all site to site tunnel will stop working which is running with noncompliant IKE and we are not forcing our client to update that noncompliant IKE protocol. 

How has it helped my organization?

We have configured the IPS daily report on our Check Point Gateway so we get daily reports with details of IPS related alerts. Based on the report we will check whether it is in prevention or detection mode and based on that we will check with the internal team and work on that. This is a very useful blade to prevent unwanted and unknown attacks. We can also create strict policies in the IPS blade to prevent high and critical severity but in our organization, we follow the same but in some cases, we have created exceptions.

Overall with the IPS blade we can say we are secure with unknown attacks. 

What is most valuable?

The default category (Low, Medium, High, Critical) is the most valuable feature because we don't know what type of attack will happen, but with this category, we can create a policy to prevent any high and critical severity behavior. With this, we can protect our organization from weakness exploit of vulnerable systems.

IPS can protect our organization with any old vulnerabilities or if any vulnerability was detected within a few minutes. IPS can protect us as per our configured policy.

What needs improvement?

I strongly agree that with IPS blade we can protect our organization vulnerabilities. I would like to have the ability to virtually patch our application or vulnerable machine that is talking ourside our network. If it is there then we can protect our application and systems to any unknown attack if our system or application has a weakness or vulnerability. 

I observed on our management that sometimes IPS does not connect to the threat cloud, we have to check and improve it. Otherwise, all of the features are good.  

For how long have I used the solution?

I have been using Check Point IPS for the last four years. 

What do I think about the stability of the solution?

Sometimes it will not connect to the threat cloud.

What do I think about the scalability of the solution?

This is a fully salable blade.

How are customer service and technical support?

Overall okay.

How was the initial setup?

Straightforward.

What about the implementation team?

Vendor team

What was our ROI?

Priceless.

What's my experience with pricing, setup cost, and licensing?

Reg. cost and licensing part out procurement team taking care.

What other advice do I have?

The IPS is a very good blade in Check Point NGFW.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
JC
CTO at a computer software company with 11-50 employees
Real User
Top 5
Easy to configure, helpful notifications, and provides good value for the money

Pros and Cons

  • "I can easily monitor all of our connected devices and I get instant notification of reconnections and new connections, which removes some of the monitoring burden."
  • "It is generally good, but improving the performance would be the one thing I'd take a look at right now."

What is our primary use case?

We make use of Check Point IPS to protect our corporate network against incoming threats of all varieties. We have a very minimal intranet/network and this is installed and configured on our firewall that monitors all incoming/outgoing traffic.

We felt it was necessary to have this in place as part of our security hardening in preparation for a third-party penetration test of our corporate network. Their goal was to access our network undetected and exfiltrate information. They were unsuccessful.

How has it helped my organization?

Once we installed our Check Point firewall and activated and configured the various software blades and services, we successfully locked down our network with a near 100% success rate in preventing security threats.

I can easily monitor all of our connected devices and I get instant notification of reconnections and new connections, which removes some of the monitoring burden.

The biggest improvement is that it protects us against many different potential attacks like ransomware and malware coming from malicious IPs.

What is most valuable?

The most valuable features of Check Point IPS are the protection it provides against the various attack vectors out there with ransomware and other malware. Once we had Check Point IPS up and running, which was really quite easy and straightforward to do, we noticed a surprising number of times that it was getting triggered.

It was a little scary thinking back to how vulnerable we were prior to having Check Point IPS in place and simply relying on our users, albeit not that many, to be safe and responsible.

What needs improvement?

Really, the only thing we noticed once it was running in prevention mode (we started out in detection mode just to get a feel for how it worked and how often protections were getting triggered) was that there was a little bit of a slowdown in performance. It is generally good, but improving the performance would be the one thing I'd take a look at right now.

For how long have I used the solution?

We have been using Check Point IPS for two years.

What do I think about the stability of the solution?

This solution has been extremely stable with no issues.

What do I think about the scalability of the solution?

We're small and haven't had to deal with scaling, but I would think it should scale fine.

Which solution did I use previously and why did I switch?

We did not use another similar solution prior to Check Point.

How was the initial setup?

The initial setup and configuration was easy and straightforward.

What was our ROI?

Our return, in terms of peace of mind that our network is protected, is well worth the cost of implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing for Check Point IPS is competitive and brings good value for the money.

What other advice do I have?

In summary, since we have installed Check Point IPS, we really have not had any major complaints or requests for improvement. It was pretty easy to get up and running and configured to protect our environment.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate