Check Point NGFW Reviews

Check Point NGFW is a critical component of our security infrastructure. It provides comprehensive next-generation firewall (NGFW) security for our perimeter and DMZs, protecting us from a wide range of cyber threats, including malware, viruses, ransomware, phishing attacks, and zero-day threats.

Check Point NGFW uses a variety of advanced technologies to protect our network, including intrusion prevention, application control, and threat intelligence. It is also able to detect and block sophisticated cyberattacks that traditional firewalls cannot.

Check Point NGFW has helped us to significantly reduce our risk of cyberattacks by providing comprehensive protection against a wide range of threats, including malware, viruses, ransomware, phishing attacks, and zero-day threats. 

It has also improved our network performance and reliability by optimizing traffic flow and reducing latency. 

We are confident that Check Point NGFW will continue to protect our network from the latest cyber threats due to its advanced security features and its team of experts who are constantly monitoring and updating the product.

As a security professional with over ten years of experience, I've seen firsthand the devastating impact that cyberattacks can have on organizations of all sizes. That's why I'm so passionate about using the best possible security solutions to protect my clients.

One of my favorite security solutions is Check Point NGFW. It provides comprehensive protection against a wide range of cyber threats, including malware, viruses, ransomware, phishing attacks, and zero-day threats. It is also designed to deliver high performance even in the most demanding environments, and it can be scaled to meet the needs of organizations of all sizes.

I've also found Check Point NGFW to be very easy to use and manage, even for users with limited IT expertise. This is important to me because I want to make sure that my clients can focus on their business without having to worry about complex security solutions.

Overall, I highly recommend Check Point NGFW to any organization that is looking for a comprehensive and effective security solution.

There are a few areas where Check Point NGFW could be improved. First, it can be expensive, especially for small businesses. Second, it can be complex to configure and manage, especially for users with limited IT expertise. Finally, its licensing model can be complex and confusing.

Despite these areas for improvement, I still highly recommend Check Point NGFW to any organization that is looking for a comprehensive and effective security solution. I am confident that Check Point will continue to improve its products in the future, and I am excited to see what new features and capabilities they come up with next.  

One thing I would like to see in the next release is an AI-powered threat detection and prevention system that can automatically identify and block new and emerging threats.

We've been a Check Point customer for over 21 years, and we've always felt that they are a trusted partner in our cybersecurity efforts.

Overall, I'm very impressed with the stability of Check Point NGFW. It's a powerful security solution that can meet the needs of organizations of all sizes.

One of the things that I appreciate most about Check Point NGFW is its flexibility. It can be deployed in a variety of ways, including physical appliances, virtual machines, and cloud-based instances. This makes it easy to scale your security infrastructure up or down as needed.

I've always been impressed with the responsiveness and expertise of Checkpoint's customer service and support team.

Positive

We have never used a different solution. We have been using Check Point NGFW since we first launched our network 21 years ago, and we have been very satisfied with its performance and reliability.

The complexity of the initial setup of Check Point NGFW depends on the size and complexity of your network, as well as the features and capabilities that you need.  

If you have a large enterprise with a complex network or need to configure all of the features and capabilities of Check Point NGFW, I would highly recommend that you engage Check Point Professional Services to help you with the setup process.

We have always used Check Point Professional Services to assist with our implementation.  They are very knowledgeable and can save you a lot of time and frustration.

To maximize the ROI of Check Point NGFW, it is important to choose the right deployment model, use Check Point's security services, and keep the software up to date.

There are a few areas where Check Point NGFW could be improved. First, it can be expensive, especially for small businesses. Second, it can be complex to configure and manage, especially for users with limited IT expertise. Finally, its licensing model can be complex and confusing.

Despite these areas for improvement, I still highly recommend Check Point NGFW to any organization that is looking for a comprehensive and effective security solution. I am confident that Check Point will continue to improve its products in the future, and I am excited to see what new features and capabilities they come up with next.

We evaluated Cisco ASA Firewall before choosing Check Point NGFW.

A few months ago, one of my clients was targeted by a sophisticated ransomware attack. Check Point NGFW was able to detect and block the attack before it could cause any damage. My client was very grateful for Check Point NGFW's protection, and I was relieved that I was able to help them avoid a costly and disruptive attack.

What can you do about threats that get past simple packet inspection by a regular firewall? You could have a layer 3 firewall inspect the protocol and block known threats from certain URLs, however, what if it comes from a URL that has not been reported and is a socially engineered exploit designed to hijack your data? This is where a Layer 7 firewall will be able to inspect the application, known as payload inspection.

While this is possible to do with a Layer 3 firewall, it can be difficult due to the number of protocol messages in Layer 7. You would need to create a signature for each application you wanted to protect; however, network signatures tend to block legitimate data and increase your MTTR (mean time to resolve an issue).

Plus, having these signatures makes it hard to manage and keep up with by the IT staff. Relying on the power of AI and the cloud in order to leverage the Layer 7 firewall is key. The advantage of Layer 7 is its protocol awareness, which allows it to differentiate between different network traffic (application knowledge) and not just packets or flows that identify ports and IPs (Layer 3).

Let's say most of the traffic nowadays goes through HTTP, your web browser.

When you browse the web, what do you suspect happens? Your browser sends HTTP requests to servers around the world, and in return, you receive a response. Big data packets originate from business applications as well, such as file transfer protocols (FTP) or web services such as MapReduce or Twitters API. Oftentimes, a breach happens through these protocols, whereby a Layer 3 firewall could potentially let the threat in (such as SQL injection by default) without explicitly denying these requests.

The solution's best features include:

• A packet-filtering firewall that examines packets in isolation and does not know the packet's context.
• A stateful inspection firewall that examines network traffic to determine whether one packet is related to another packet.
• A proxy firewall (aka application-level gateway) that inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
• A Next-Generation Firewall (NGFW) that uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.

One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.

I've used the solution for four years.

We did not previously use a different solution.

The costs involved depend on your needs and budget.

We did not evaluate other options.

We use five NGFWs for four of our sites, with our primary site having an active/backup HA pair. All sites are running anti-virus/malware/bots as well as HTTPS Inspection, IPS/IDS, threat emulation, application filtering, and identity awareness. These are our first line of defense at the perimeter of our network and we have seen a decrease in the number of detections on our endpoints. We've also implemented these firewalls to handle our external VPN connections from remote clients. We've had a few small hiccups, however, there was nothing Check Point support wasn't able to resolve.

This solution has improved our organization by allowing us to use one management point where everyone can see the current state, future changes, and logging for our perimeter. We've been able to streamline our staff to use one primary and two backup users for support. Previously, we did not have a good way to allow Remote Users to VPN directly to our network. Once we implemented and worked with Check Point, they showed us what their solution was capable of and worked with us to allow 300 remote workers to connect to our network and share policies. 

We've found threat emulation, application control (with identity awareness), and HTTPS inspection to be the most valuable aspects. It allows managers the flexibility to grant access to high-risk sites based on groups/roles and yet still be protected with threat emulation and HTTPS inspection. We've seen the rate of detection on our endpoints plummet. 

I've found that, over the last 4 years, they have constantly improved the user interface (SmartConsole) as they have moved away from four Control panels for different functions and are constantly adding new features with no impact on our availability during upgrades.

The improvement could come from better monitoring of traffic data in and out of the firewall. I'd also like to see more built-in automation in regards to activity against the firewall to trigger an automatic response for a period of time.

There is currently no way to allow a user to have access for X period of time. I also find that keeping up with the IPS additions to be a three-stage process which includes having to go to email to see new updates, reviewing those updates on the firewall, and then making necessary changes. I would like to see these new IPS updates shown as a notification when I log in (as an alert) so I can review and modify from one pane.

I have been using this solution for four years, however, they've been installed for six years at our company.

In the four years I have worked on the five firewalls we have not had any downtime caused by stability issues. We've had more issues with our ISP/people hitting the ISP equipment, for example there have been three accidents at the near by intersection that has damage the network cabinet or digging has cut the line.

We haven't had any issues where the Firewall has had a memory leak, rebooted, corrupted or had a NIC fail. 

Our team didn't account for a vast increase in workload as new features were added to our firewall (HTTPS inspection, threat emulation, etc.) and therefore we bought the lowest tier for what we thought we would need. We've found that this is a little too strenuous on our gateway and are working on purchasing more powerful firewalls based on the recommendation of our local Check Point engineer.  

I've always been able to get in contact with Check Point at the right level within their SLA. Everyone has been helpful with tickets requiring escalation.

Positive

I have not been here while a different solution has been used. We do use a separate brand of firewall internally to prevent an exploit against Check Point, allowing someone to penetrate the perimeter and the internal firewall containers.

I was not involved with the initial setup. That said, I have brought up three new sites, and adding a new firewall to our infrastructure has gone off without a hitch.

We handled the implementation in-house.

Check Point Firewalls are more expensive from what I have seen compared to the competition and the yearly licensing does periodically increase. We've seen an increase of 8% over one year (new features were wrapped into the license). 

I was not involved with the evaluation process; I was told that Cisco Firewalls and SonicWall were evaluated at that time.

You're paying a premium price, for what is a premium product and support. I have opened several tickets with their support team and have had excellent service each time.  

Several enterprises, from financial institutions to hospitals, use this product mainly as edge solution. In most cases, the setup was based on a redundant configuration. Other cases which have been rolled out are based on smaller devices in office locations and larger devices in the central datacenter of the customer. As an MSSP we trust the reliability of the solutions, since we cannot risk having our reputation being harmed. Our team is perfectly able to manage the devices on a day by day basis using the central management solution.

The tension of being well protected from the outside world has decreased due to the sturdiness and reliability of the solution. 

Results are predictable and managing everything is easy with the right tooling. The management solutions are easy to use and make it possible for our administrators to manage numerous amounts of devices in one console. 

Software updates/upgrades contain valuable additions and it is clear that Check Point has the right focus on the requirements of what should be added as functionality.

Trustworthiness and stability are the key aspects when looking at these products. 

The up to date-ness of the threat intelligence and the underlying network of devices adding value to it is good. 

With many of their own investigators adding their findings to the threat database, Check Point has become a leader in having their product in the higher ranks of the spectrum of efficiency. 

The different hardware models focus on a wide spectrum of the market, so any company can choose a model that makes sense for them from the range.

The world is changing rapidly, and even though Check Point is delivering security solutions on many levels such as endpoints, cloud, and on-premise. 

A more centric solution would be preferable. They should take all existing products and make them a part of a suite that is easily manageable from one platform. This would leverage the use of the different products since no administrator wants many interfaces to manage the complete environment. 

Pricing needs to be lowered from start, this would be more effective than lowering it during negotiations.

We've used the solution for more than 10 years products and have been delivering the solution to our customers.

The product is very stable.

The solution is less scalable when using hardware-based solutions. Especially the smaller models have limited possibilities to expand on port / performance level. Both issues can be resolved using the Maestro solution, but that is limited to specific models.

Technical support is very good and easily accessible.

Positive

We previously used Cisco and Fortinet. Check Point is a long-lasting vendor that we use, based on trust.

The initial setup is pretty straightforward, especially when working with preset best practice profiles.

We handled it on our own. 

In the end, the ROI is good once a company knows the protection level on offer.

Pricing and licensing are not the best within the market. That said when you get to know the products they offer you will be happy to pay a bit more.

We also looked at Palo Alto previously.

The primary use is to protect the organization from any kind of attack. It is able to isolate, secure, and control every device on the network at all times. Solutions should have the ability to block infected devices from accessing corporate data and assets.

It provides access to the Internet for corporate resources in a secure manner. Our resources are used to host applications and services that are accessible to end-users over the Internet.

It is used to provide required/limited access for third parties who want to connect to our corporate network. Access is granted based on application type and should be independent of port or protocol.

It provides next-generation protection including IPS/Web Filtering/SSL decryption and more. 

It offers centralized policy management capabilities for all firewalls.

This solution was able to provide access to our internet-based resources using our application/FQDN.

The license offers different modules for NGTP and SNBT. It provides multiple functionality or blades, which can be enabled on the firewall depending upon organizational requirements.

Other than stateful packet filtering with the NGTP license, it provides blades such as IPS/URL/VPN/Application Control/content awareness/Anti-Bot/Anti-Virus/Anti-Spam. With SNBT, it provides additional security using the SandBlast Threat Emulation and SandBlast Threat Extraction for Zero-day attacks in real-time.

Any file, before it reaches an endpoint, is executed in a virtual environment for analysis. Based on the verdict and configured policy, a decision will be made as to whether it should be delivered to the endpoint or not.

It provides the flexibility to use any module with the NGTP and SNBT license. Depending upon the requirements, the blades/module can be enabled on the firewall security gateway and it can be deployed easily.

In case SSL decryption or IPS need to be enabled on any security gateway, it is simple to do. We can go ahead and enable the module/blade and then create a policy, deploy it, and it will start to work.

It has a default five-user license for Mobile/SSL VPN, so the organization can check the solution any time or can even provide access to critical users on an as-needed basis, without getting the OEM involved, all on the same box.

For smaller organizations with the correct sizing of the appliance, they can use the full security solution on a single box. It will provide financial benefits along with reducing the cost of purchasing additional solutions or appliances. 

For example:

• URL Filtering Module: It can replace the proxy solution for on-premises users with integration of application control and the Identity module. Active Directory access can be provided based on the User ID and the website or application.
• SSL VPN or SSL decryptor, and more. 
  
• Core assignment for each interface, which can be done using the CLI. If the administrator determines that a particular interface requires more compute, he can manually assign additional cores accordingly. This is done by enabling hyperthreading on the firewall. 
• The policy can be copied from any security gateway and pasted onto another one.

This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access.

For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.

Source: User machine
Destination: any
Port: HTTPS
Action: allow (for allowing the user's machine access)

This has to be done along with the below policy:

Source: User machine
Destination: Other Zone created on Firewall
Port: HTTPS
Action: block 

The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall.

The firewall throughput or performance reduces drastically after enabling each module/blade.

It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.

I have been using the Check Point NGFW for more than eight years.

This solution is very much stable and does not require frequent changes in architecture. The patch frequency is limited and it does not require frequent maintenance windows in terms of downtime.

This firewall is very much scalable. The introduction of Maestro has changed the concept of hyperscaling.  

The technical support is excellent. The center is located in major cities in India along with the Check Point presales team.

We did not use another solution prior to this one. We have been using Check Point for a long time.

During the initial setup, support is excellent. It is a well-known OEM and they have people ready to resolve any issue that should arise.

Our in-house team deployed it with support from the OEM.

Cost-wise, it cheaper than industry leaders such as Palo Alto. The licensing is straightforward; there are only three types of licenses that include NGFW, NGTP, and SNBT, so the organization can choose its license according to their requirements.

We have evaluated solutions by Juniper, Cisco, and Palo Alto.

Before implementing the security gateway, you need to be sure about the license and modules that you are going to enable. This includes determining the proper size, as it can affect throughput drastically after enabling each module. This is especially true for SSL decryption.

The architecture needs to be studied before finalizing, as the configuration is done remotely using the centralized smart console. All of the security gateways need to be connected to the management server for any policy configuration, and they should be available at all times.

We use Check Point firewalls to secure our internal network from the outside world and to provide a good, comfortable, and secure environment for our employees.

We have various models from the R80 series, such as the R80.10 and the R80.30.

Before, we were using firewalls from Palo Alto. The benefit of the Check Point firewall is that it has more security features. It has antivirus signatures and additional features for which we should require additional hardware devices in the firewall. It also gives us a central management system, which was not present in the Cisco ASA.

Check Point's Next Generation Firewall has many good features. It has a central management system, and that means we do not have to go to each and every firewall to configure it. We can manage them with the central device. 

There are also additional features, compared to a Layer 4 or Layer 3 firewall, such as AV signatures and devices, which are very helpful for securing the company's network.

The only thing which I think should be improved is that training should be increased. In my position I also interview potential employees and I haven't found many people in the market, nowadays, who are familiar with the Check Point firewall. They are more familiar with Palo Alto and Cisco ASA and they are more comfortable with them. Check Point is one of the good firewalls and training should be increased by the company so that more people are familiar with it and with their switches.

I have been using Check Point's firewalls for the last three-and-a-half years.

The stability is very good. The updates we get for the antivirus and the URL filtering sites are also very nice and happen very often. That is a good thing because there are various new attacks coming out but we get their updates on time. 

In terms of the scalability, it is very easy to extend the utilization of Check Point firewalls. We did so in the past. We extended our environment in our organization and it was very easy to extend it.

We have around 4,000 to 5,000 people who are using the Check Point firewalls directly or indirectly. They are passing their traffic through it. Expansion of our usage completely depends on the organization. If they want to do so they will tell us and, if that happens, we will definitely go for Check Point firewalls.

We have used Check Point TAC to resolve our issues. We have had good support. They have good engineers there.

We were using Palo Alto and Cisco before and we replaced them with Check Points.

We used Palo Alto in a  few of our sites, but we found Palo Alto was more expensive and its updates and services were also more expensive compared to the Check Point firewall.

Cisco is a very basic firewall in the market, and it has a limited set of features, compared to Palo Alto and Check Point. Palo Alto has rich features, but it is one of the more expensive firewalls in the market. The Check Point firewall is not too expensive, but it is also a third-generation firewall.

The drawback of the Check Point firewall is the lack of training materials. That should be increased.

We have a team of seven to eight people who have all installed and configured environments so the initial setup, for us, was a very straightforward process. And these are the people who handle maintenance of the firewall and manage it, during different shifts. They are all network engineers.

It took us between nine and 12 months to do the implementation. We have Check Point hardware so we followed the recommended, three-level architecture, in which there is a SmartConsole, the hardware security gateway firewall, and the central management device.

The pricing is good. It is less than Palo Alto's firewalls. Check Point has the same features as Palo Alto, but the licensing and cost of these firewalls are not too expensive. It is one of the best firewalls in the market in this range.

Check Point firewalls have many features. Before configuring it in an environment, you should know each and every feature of the firewall. You should also follow the three-level hierarchy which is recommended by Check Point.

There are a few add-on features for Check Point firewalls. I only learned that by using the firewalls. I'm very happy with the way Check Point is progressing. They continue to work on their firewalls even after making their name. That is something we should follow in our lives as well: Once we have made our name, we should not stop there. We should further build the reputation of the company and product.

We are very happy with the Check Point firewalls. The only thing missing, as I mentioned earlier, is that training should be increased for the firewall by the organization. Otherwise, we are very happy with investment in this solution.

*Perimeter Firewalls - to protect regional hubs and local offices from public space and provide L3-L7 filtering

*Internal Segmentation Firewalls - to secure company's internal network from movement of malicious actors and reduce traffic flows only to authorised ones

*Public and Private Cloud - to secure hybrid environment either onprem or in the cloud while achieving micro segmentation per host

*Cloud Compliance - to get a visibility into cloud environment and and related vulnerabilities 

*Data Center

*SaaS

Check Point is able to satisfy almost any security tool for enterprise clients. This allows us to deploy complex changes from a single management interface, get better visibility, and significantly reduce operational complexity.

I have to emphasize the value of Diamond support here where most senior engineers can provide great support with any challenges. Thinking out of the box, sense of responsibility, professionalism and much more - such an attitude helps to provide resolution to any crisis in the shortest term

With the new capabilities embedded into R80.XX flavor it is possible to achieve great flexibility while defining your security policy. It is possible to utilize a variety of objects to define static or dynamic criteria for inspection and reduce general rule base size and complexity, while not giving up on security

The security research team is doing a great job staying on top of ongoing threats and releasing fixes for ongoing attacks within days or sometimes hours.

Check Point always actively listens to its customers trying to identify emerging needs and satisfy them pro-actively

I would like to see an improvement of built-in monitoring capabilities such as throughput. Practically visualization of CPview outputs into beautiful pink GUI will do it. 

The monitoring of scalable solutions is quite tricky, but it could be relevant for all vendors who possess the same technology.

IPS fine-tuning may require some time to understand the interrelation between IPS protections, core Protections and other IPS profile elements. But in general, Check Point is on the way of great simplification of TP management

Check Point products are being in use for the last 6 years.

I've been dealing with the Check Point environment for over eight years, ever since SPLAT, the R75 versions, and mainly with a multi-domain management (former Provider1) set-up. I also use the Smart Management Server, with a standalone/distributed deployment.

I'm currently engaged in the design, implementation, and maintenance of a large-scale Check Point firewall environment (~100 GWs).

Presently, the customer is using Check Point for perimeter security, IPS, threat prevention, encrypted traffic, as well as access to the internet, and multi-domain server architecture.

The Check Point solution has improved the way the customer organization functions.

People are working within the organization all over the world, across NALA, APAC, and EMEA regions. Having Check Point as a security vendor made it easy to assure people they could access the resources everywhere, from offices, homes, and across the globe, especially during the pandemic, safely.

One of the last implemented projects was replacing an obsolete Client Auth solution with Identity Awareness, including integration to AVD.

The solution plays an important role in preventing security incidents from happening and preventing malicious attempts to infiltrate into the organization while quickly adapting and reacting to any attempts. For example, it protected us against Log4J vulnerability a few months ago.

It is easy to administrate and maintain.

The product is very granular in the Logs & Monitor section and also intuitive to use.

It offers good control and visibility over users' identities and actions.

It provides central policy management, which is easy to manage and maintain.

The product offers great performance tuning features like SecureXL, CoreXL, HyperThreading, and Multi-Queue.

The study material and training need to be improved and become more accessible to security engineers working with Check Point.

Needs serious skills for advanced troubleshooting. The configuration might get a little bit too complex for regular engineers, compared with easy administration.

We've encountered a few limitations when trying to accomplish simple tasks required by customers. For example, changing a domain name inside an MDS environment or missing a function in the database which removes the domain object completely from the database.

There are plenty of bugs that are not documented, or with too generic error messages.

I've used the solution for eight years.