Check Point NGFW Room for Improvement

Pushkin Sawhney
Principle Network and Security Consultant at a comms service provider with 10,001+ employees

The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay. That's one of the main complaints for most of our customers. Or if it is quick, then it's very complex. For example, if they have received a file which is "unknown" or has Zero-day attack malware, sometimes it doesn't get analyzed properly or it's locked into the cloud. So there are various small issues with the product that need possible improvement.

The SandBlast product on its own is a very good concept, and it works absolutely brilliantly. However, when you integrate it with existing firewalls, it just doesn't play very well.

The cloud solution is quite straightforward because it seems the SandBlast solution was designed, initially, for cloud deployments, where you've got multiple clouds or multiple vendors, and you are receiving files from different points. And on the cloud edge, for example in AWS, if you have Check Point sitting there, it works very well if you're running a virtual firewall. However, if it's on-premise and it's a dedicated appliance, then the performance is slightly different and the way it works is very different. So where it needs improvement is where it's an appliance-based solution rather than a software or cloud-based solution.

If I am using SandBlast on a virtual appliance — for example, I've got Check Point virtual appliances in AWS, and Azure as well, for a customer — those virtual appliances work absolutely fine as a service, as does SandBlast as a service. However, if it's an appliance, if it's a dedicated firewall on-premise in a data center and you add SandBlast as a software service, the integration is not that straightforward, so the experience is very different. 

It seems like they were possibly built by different teams, independent of each other.

View full review »
Steve Vandegaer
Senior Engineer Security at a computer software company with 201-500 employees

The MTA (Mail Transfer Agent) may not be the greatest, and the full proxy that you can activate instead of just doing application control is also not the greatest, but they don't even recommend using those. They're just available if you want.

But the biggest improvement they could make is having one software to install on all three levels of their products, so that the SMBs, the normal models, and the chassis would all run the same software. Now, while there is central management, everything that has to be configured on the gateway itself works differently on the three kinds of devices. That is a bit hard because you have to update your skills on all three.

A practical example is that I have a client that I run scripts for to get information from 40-plus firewalls. That client is thinking about refreshing and there may be SMB appliances in the roll-out that don't run those scripts. That would make my job a lot harder. So the best improvement would be standard software on all their devices.

View full review »
Senior IT Manager at a mining and metals company with 501-1,000 employees

Because there's quite a bit of flexibility in Check Point, improved best practices would be helpful. There might be six ways to do something and we're looking for one recommended way, one best practice, or maybe even a couple of best practices. A lot of times we're trying to figure out what we should do and how we should handle a particular problem or scenario. Having a better roadmap would help us as we navigate the options.

The VPN setup could be simplified. We had to engage professional services for that. That's not a problem, but compared to other products we've used, it was a little more complex.

View full review »
Learn what your peers think about Check Point NGFW. Get advice and tips from experienced pros sharing their opinions. Updated: June 2021.
509,820 professionals have used our research since 2012.
Network and Security Specialist at a tech services company with 51-200 employees

The naming in the inline layers and ordered layers needs improvement. It makes things very complicated. I've seen quite a lot of people saying that. For audit policies, it is okay since it's very simple to see. However, this area is for very large organizations, which have too many policies, and they need to share all these policies. For small to medium-sized businesses, they don't need it. Even if somebody has 500 rules, if they try to use it, it can be very confusing.

In R77.30, the only thing which I hated was having to go into each day's log file and search for that day. However, in R.80, we have a unified platform, so you can just filter out with the date, then it will give you the log for that date and time. 

I would like Check Point to have certification similar to what Cisco offers. Check Point's certification doesn't cover a lot of things. For example, Check Point Certified Security Expert (CCSE) should be actually included with the Check Point Security Administration (CCSA), as a lot of people just go for the CCSA and get stuck when it comes to a lot of things on Check Point. 

Biggest lesson learnt: Never assume. We had issues when we enabled DHCP server on one of the firewalls. We tried to exclude some IP addresses so the rest would be allocated, but that didn't work. We had to start from the beginning to include the rest of the IP addresses.

View full review »
Ifeanyi Onyiaodike
Network security engineer at Fidelity Bank

The VPN part was actually one of the most complex parts for us. It was not easy for us to switch from Cisco, because of one particular part of the integration: connecting the Check Point device to an Entrust server. Entrust is a solution that provides two-factor authentication. We got around it by using another server, a solution called RADIUS.

It was very difficult to integrate the VPN. Until now, we still don't know why it didn't work. With our previous environment, Cisco, it worked seamlessly. We could connect an Active Directory server to a two-factor authentication server, and that to the firewall. But when we came onboard with Check Point, the point-of-sale said it's possible for you to use what you have on your old infrastructure. We tried with the same configurations, and we even invited the vendor that provided the stuff for us, but we were not able to go about it. At the end of day they had to use a different two-FA solution. I don't if Check Point has a limitation in connecting with other two-FAs. Maybe it only connects with Microsoft two-FA or Google two-FA or some proprietary two-FA. They could work on this issue to make it easier.

Apart from that, we are coming from something that was not so good to something that is much better.

View full review »
Technical Support Engineer at AlgoSec

Working on Check Point for me looks simple. For the user or anyone else who is using Check Point, they are more into the GUI stuff. Check Point has its SmartConsole. On the console, you have to log into the MDS or CMS. Then, from there, you have to go onto that particular firewall and put in the changes. If the management console could be integrated onto the GUI itself, that would be one thing that I would recommend.

The ability for the multiple administrators to not do changes was fixed in R80.

View full review »
Network Security Engineer/Architect at a tech services company with 1,001-5,000 employees

Upgrades and debugging of the operating system, as well as the backups and restores of configuration, need improvement. 

Debugging is very complex when compared to Fortinet, for example. That's the worst thing about Check Point. The deployment of the solution is harder than it is with the competitors. But after you've deployed it, the operation is easy.

View full review »
Matt Millen
Network & Systems Administrator I at DMH

I would like there to be a way to run packet captures more easily in the GUI environment. Right now, if we want to read packet captures, we have to do so from the command line.

View full review »
Kamal Khurrana
Network Associate at a wireless company with 1,001-5,000 employees

The level and availability of training should be improved. I have seen people that are not well trained on the Check Point firewall and the reason is simply that the quality of available training is poor compared to that of other firewalls on the market.

The command-line interface (CLI) should be more user-friendly.

View full review »
Security team leader at a aerospace/defense firm with 10,001+ employees

Their management features are the best, from one point of view, but they are too heavy. For example, if you are looking at a configuration file, you can't just browse through it and see all the configurations like you can with other vendors, like Cisco and Fortigate. With those solutions you can just go over the configuration file and read all the objects and the policies, etc. 

Because of the Check Point architecture, the data file itself is huge if you're comparing it to the data files of other vendors. The difference is something like 3 Mb to 1 Gb. It's not so straightforward. 

The data process is also not so simple. You don't just load a text file which has all the configuration. It's a more complex process to restore it from a backup, when it comes to Check Point.

View full review »
Security and Platforms Engineer at a educational organization with 201-500 employees

The stability needs improvement for its version releases. They have a feature called Inline Layer as part of the R80.10 release. In the last version, it still had bugs and is not working very well. I would like the developers to release a version that is more stable, because if you start to use the latest release and try to use this newest feature, I'm not 100 percent sure that it will work very well. After six months of development, it might start working better. However, at the beginning, it's not a good choice to implement in your company with your first attempt. But one or two releases later, it might be better. 

If you only have one vendor and they are downgraded or no longer a leader in their industry, then you need to change the entire solution, making it more expensive. For example, Check Point's components are not interchangeable with other vendors.

View full review »
IT Infrastructure & Cyber Security Manager at a retailer with 501-1,000 employees

We just upgraded to the latest software version of Check Point so we have a lot of new stuff to learn. The older version had a little bit of a problem with identity awareness and with HTTPS inspection with the visibility of the logs, and the implementing of rules. But as far as I can see now, with the new version, most of the problems were fixed.

In terms of new features, maybe it would help if we could start to manage all the stuff in the cloud and not in the on-prem servers. The management side could also be faster when you install policies. But other than that, I'm satisfied.

View full review »
Mahendra Pal
Network Security Engineer at a tech services company with 10,001+ employees

There are two major areas that need to be improved.

The study material for Check Point needs to be improved, as well as the cost for certification. One of my friends recently completed the certification and it was costlier than other firewall security certificates.

The reports are generally good but there is not much control. We would like to have more filters. Essentially, we want more granular reporting.

View full review »
System Engineer at a insurance company with 1,001-5,000 employees

The Threat Emulation definitely needs improvement. A couple of years ago, we did a comparison with other companies, e.g., Lastline, offering threat emulation and threat detection functionalities, and Check Point was lacking. 

View full review »
Basil Dange
Senior Manager at a financial services firm with 10,001+ employees

This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access.

For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.

Source: User machine
Destination: any
Action: allow (for allowing the user's machine access)

This has to be done along with the below policy:

Source: User machine
Destination: Other Zone created on Firewall
Action: block 

The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall.

The firewall throughput or performance reduces drastically after enabling each module/blade.

It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.

View full review »
Oswaldo Gimeno
Network Engineer at Getronics

We can virtualize the physical firewall in a virtual environment. However, the virtual environment is not stable at all. We have some customers who are using the virtual environment feature, and sometimes it crashes. We have many tickets open and the response is not as good as expected. We have to wait months for a resolution.

If you use all the features available on the firewall, it's not working. If you keep it simple, then it works. When you try to do cool things, you start to have some problems because that kind of integration is not fully developed.

View full review »
Dheeraj Dexit
Sr. Network Engineer at a tech services company with 1,001-5,000 employees

While the logs are very good and easy to understand, when you want to download these customized logs, they don't have as many features compared to competitive firewalls. 

Check Point has a very good Antivirus feature. However, compared to the competition in the market, it is lacking somewhere. In my last organization, I worked with Palo Alto Networks as well. I found that while they both have an antivirus feature, the Palo Alto antivirus feature is much better. Check Point should improve this feature. It is a good feature, but compared to Palo Alto, it lacks.

View full review »
Rachit Malhotra
Senior Network Engineer at a tech services company with 1,001-5,000 employees

The training for Check Point Firewall should increase, including the number of Training Centers. For most new people in our organization, we have to provide them training from our end, as they are not trained in Check Point Firewalls. So, we have to do the training, from our point of view, to make our engineers able to use Check Point Firewalls. However, with other firewalls, they are already trained, so we are not require to provide them training. This could be improved by the Check Point Community.

View full review »
Sunil Redekar
Security Engineer at Hitachi Systems

We are facing some problems with the management on our Check Point Management Server. There are some issues with R80.20, so Check Point suggested to upgrade. However, we are in lockdown, so we will upgrade after the lockdown. We are coordinating this issue with the Check Point guys. After upgrading, I think these issues will get resolved.

For R80.10 and above, if you want to install a hotfix, then you can't install it through the GUI. I don't know why. In the earlier days, I was able to do the installation of hotfixes through the GUI. Now, Check Point said that you have to install hotfixes through the CLI. If that issue could be resolved, then it would be great because the GUI is more handy than the CLI.

View full review »
Network Administrator at Secretaría de Finanzas de Aguascalientes

Using the tool is somewhat complex when teaching new staff, although after practice it is quite easy to get used to this technology.

One of the improvements that could be included is to have a help menu to obtain advice or help for the different options that are presented in the application.

The equipment is complex, so you need guidance from specialized people or those who constantly work with Check Point. Better forums and information manuals could be provided so that users from different institutions can have more access to the information.

View full review »
Charanjit Bhatia
AGM Cyber Security CoE at Bata Group

I would like to see the provision of an industry-wide and global benchmark scorecard on leading standards such as ISO 27001, SOX 404, etc., so as to provide assurance to the board, and confidence with the IT team, on where we are and how much to improve and strive for the best.

Although Check Point provides annual updates to the Gaia platform, integration with other OEMs is difficult. This integration would be helpful in providing a full security picture across the organization. I am looking forward to the go-ahead of R81 with MITRE framework adoption in the future.

View full review »
Ifeanyi Onyiaodike
Network security engineer at Fidelity Bank

The end-user VPN could be improved. It could benefit from some modification. 

The VPN timeout feature needs to be improved. When we try to connect to the VPN, it times out before we can even enter our user name and password. If you can't prove you are who you say you are within seven to ten seconds, it just kicks you out.

View full review »
Manjit Aggarwal
Sr. Network Engineer at a tech services company with 1,001-5,000 employees

The only thing which I think should be improved is that training should be increased. In my position I also interview potential employees and I haven't found many people in the market, nowadays, who are familiar with the Check Point firewall. They are more familiar with Palo Alto and Cisco ASA and they are more comfortable with them. Check Point is one of the good firewalls and training should be increased by the company so that more people are familiar with it and with their switches.

View full review »
Sr. Security Engineer at a financial services firm with 10,001+ employees

The main thing for a normal operations guy who is creating tools and firewalls, it is quite difficult to manage. It requires an expert level of knowledge in Check Point products to manage these scalable platform appliances and the virtual firewall that comes with it. We have to educate our guys and give them training on a regular basis to work on these products. Otherwise, it's fine.

View full review »
Shivani Jethy
Network Security Administrator at a computer software company with 201-500 employees

Check Point has notably fewer tutorials on Google. If I'm facing any kind of issue and I Google it, less stuff is available. 

Apart from that, the antivirus is less effective than its competitors' antivirus. The antivirus is good, but in other firewalls, such as Palo Alto, it's quite effective. Check Point should provide more output. Sometimes it provides comprehensive information and sometimes it doesn't.

View full review »
Amit Kuhar
Network Security Consultant at Atos Syntel

In a VPN setup, we have Internet connection via Check Point. The connectivity is not turnkey like competing devices. We have not yet terminated our site-to-site VPN because things are fluctuating right now and Check Point needs to be upgraded. Also, their troubleshooting needs to be improved for this. 

View full review »
Sathish Babu
Solutions Consultant at a computer software company with 10,001+ employees

It would be great if the access management, the user management features, were improved in terms of the number of users that can be connected, and how users can access the various resources with the help of firewall authentication.

Also, one of the challenges I hear about from customers or engineers who work with and operate Check Point firewalls is not about the technical capabilities of the product but about understanding the product. There should be whitepapers available on the Check Point portal so that people can understand them more easily.

View full review »
Nikhil Dhawan
Associate Consultant at a tech services company with 10,001+ employees

The company should increase the learning platform free of charge. For example, Palo Alto and Cisco ASA have very good platforms that are completely free. Almost everyone in this field has good product knowledge. Therefore, I would like more training and expertise to be available for Check Point NGFWs.

I would like the graphic user interface to be easier to use. For example, the NAT policy should be easier to use. Check Point's NAT policy is somewhat confused compared to other competitors.

View full review »
Rakesh Gupta
Solutions Lead at a tech services company with 1,001-5,000 employees

When I was creating the VPN on it and the client side through the portal, that feature was very annoying. I could not use it. It was much more usable after downloading it to the laptop. That was very good compared to using it directly from the browser.

View full review »
Rohit Gambhir
Sr. Network Engineer at a consultancy with 51-200 employees

Check Point's study materials should be provided by the company directly and be of very good quality. This is not provided right now and something that the company can improve. 

A disadvantage about Check Point is people in the market are not too familiar about its usage and people lack training on it.

View full review »
Rahul Gombhir
Network Security Engineer at a tech services company with 10,001+ employees

The antivirus feature is a little bit weak and should be improved. The updates are not as regular when compared to other firewalls, such as Palo Alto.

The training materials and certification process should be improved. For example, the certificates are more expensive and there's no good training available on the internet right now.

View full review »
Vighnesh Rege
Lead Solution Advisor at a consultancy with 10,001+ employees

Permissions from the client regarding troubleshooting and how well we can packet capture have not been smooth.

Check Point should quickly update and expand its application database to have what Palo Alto has. 

There have been some issues with third-party integrations.

View full review »
Cybersecurity Engineer at Insurance Company

Several of the security modules including IPS, URL Filtering, and Anti-Virus, are based on HTTPS inspection, losing relevant security capabilities if you don't implement it in your network. 

This means that to being able to take advantage of the full security stack, you're going to have to inspect traffic, break the tunnel, and manage different SSL certificates.

Although this is not a limitation of the product itself but the technology, where other vendors are impacted the same way, it is useful to take this into consideration as you can adjust the capacity of the systems adequately.

View full review »
Firewall Administrator at a tech services company with 1,001-5,000 employees

The frequency of the antivirus updates which we get for Check Point firewalls should increase. They should be of good quality compared to the competitive firewalls on the market. They should give us stable antivirus signatures. That is an area in which they can improve.

View full review »
Anthony Hassiotis

I would like to have an improved secure workspace solution for remote access. I hear that the Apache Guacamole solution has been integrated into R81. 

The site-to-site VPN options are numerous, but they can get confusing. Interoperability with other vendors is not the strongest when it comes to setting up VPNs. It's totally different from any other VPN vendors I have come across. 

Improvements are needed in policy backups and reverting to the previous policy. This used to be better in R77.30. 

Policy installation tends to take a long time when the rule base increases in size, which can become frustrating. 

View full review »
Senior Security Analyst at Atos

Check Point fulfills our requirements but it is important that they stay on top of competitors by addressing certain points.

There are issues with stability while upgrading devices with hotfixes. For example, many times, a device will stop giving responses after an upgrade (observed in 80.10 release).

The rule database needs to be improved because when we apply rules for the destination, based on service and application and URL filtering Layer, the parallel lookup fails.

View full review »
Oleg P.
Senior Network and Security Engineer at a computer software company with 201-500 employees

The pricing for the Check Point products should be reconsidered - we found it to be quite expensive to purchase and to maintain (the licenses and the support services need to be prolonged regularly). 

We also had several support cases opened for software issues (e.g. unstable BGP sessions over VPN tunnels), which, in our opinion, took too long to resolve - up to one month.

Also, even so, the new SmartConsole is declared to be unified starting from version R80.10, there are still some features that have to be configured in the old SmartDashboard (e.g. Mobile Access policy and Antivirus), or on the Gaia OS level (all the routing features).

View full review »
Sr. Network Engineer at a insurance company with 5,001-10,000 employees

The antivirus Check Point offers could be better when compared to competitors' firewalls. Updates should be more frequent. With other firewalls, updates are very frequent, but with Check Point updates are not so frequent. That needs to be improved.

Also, the certification as well as learning about this Check Point is much costlier when compared to the other firewalls. I have recently done certifications in various firewalls and Check Point's certification was more costly.

View full review »
Rajan Arora
AVP - IT Security at a tech services company with 51-200 employees

There is a scope of improvement in detecting zero-day threats using the SandBlast technology, by introducing emulation of Linux-based operating systems. We have also observed issues while using the products with SSL decryption.

There is room for improvement in application-based filtering, as with other firewalls available in the market today. Check Point has improved its application filtering capabilities in the recent past and their latest version, R80, is more capable but still, creating an application-based filter policy is a little cumbersome. 

View full review »
IP LAN and Integrity Specialist at Chevron

There are issues with stability in some specific versions.

The VPN is a little difficult to configure, and sometimes you need help from Check Point professional services.

There are some performance problems with the IPS when the FW is in a high load, but in general, it is working better than in previous versions.

The routing is configured on the gateway, so, you need to remember for migration purposes.

The virtual infrastructure of the central management requires a huge amount of resources to work properly and manage all the logs without problems.

View full review »
User at Johnson Controls, Inc.

The one thing I have been continually asking for is a more robust certification process including self-paced study material similar to Cisco's Security certification track. Not everyone can afford the time and money to attend the official in-person classes offered by Check Point. Even if someone was not interested in fully pursuing a certification, offering certification guides is often a method that IT professionals follow in order to learn about a specific topic and keep for reference.

An area that I sometimes find lacking is the information provided by the system when performing troubleshooting issues such as site-to-site VPN tunnels. The logs provide general information regarding what is happening but often, it leaves you wanting additional details. This also ties back into the lack of training and knowledge required to utilize the more advanced features of the command line.

View full review »
Deputy Manager (Systems) at State Bank of India

Management: Check Point should move away from its current architecture wherein it mandatorily requires a management server to manage the gateways. They should develop A feature in the gateway itself so that no management server is needed for policy and gateway management. They should leave it to the user whether they want to procure a dedicated management server or run the show with the gateway itself. It will also reduce the operation cost.

They should also optimize the packet mode feature like Cisco’s firewall packet tracer wherein it tells administrators which policy or rule is processing the intended traffic.

View full review »
Network Engineer at a legal firm with 1,001-5,000 employees

With the version we're on, it's a bit time-consuming if you have multiple IP addresses to add. But in the later versions, which we're moving to, it makes it a lot easier to add IP addresses with dynamic objects, as they call it.

In the next release, I would like to have the ability to automatically add rules from the tracking log. I've used that in other firewall software whereby you can trace the logs, and from the log, you can add a new rule automatically. That would be a nice feature.

View full review »
Arun Jethy
Sr. Network Engineer at a tech services company with 51-200 employees

I would like the user interface to be more user-friendly. I want the UI to be easier to use than Check Point's competitors. 

View full review »
Network Security Consultant at a energy/utilities company with 5,001-10,000 employees

It would help if they were easier to deploy, without needing more technical people. It would be nice if we could just give basic information, how to connect, and that would be all, while the rest of the setup could be done remotely.

View full review »
Swapnil Talegaonkar
Technology consultant at a tech services company with 501-1,000 employees

Check Point needs to improve their 3 tier architecture. Firstly, gateways cannot be managed without the Management server, which sometimes creates a problem. There is no way to extract policies or other configurations from gateways in case a management server goes down. That is something other companies provide.

Another major issue is the Smart console application is very heavy and cannot install anything other than the Windows operating system. Every time I open Smart console it becomes unresponsive for some time.

Lastly, the stability of R80 is an issue. Regularly we get some issues or bugs that are resolved by custom or new hotfixes. Sometimes it is a tedious task as this has a production impact.  

View full review »
IT Specialist at a tech services company with 10,001+ employees

The Antivirus feature is something that could be improved. We don't get much from the Antivirus update in comparison to their competitor's firewalls. It needs to be more advanced because Check Point is nowadays sent all over the world. Therefore, the Antivirus feature should be of very good quality and cover all virus checks. I would also like the Antivirus updates to be more frequent.

View full review »
Security Analyst at HOST

I hope for product simplification. It would be better to use one security console, instead of many of them (for licensing and monitoring). The solution is hard for newcomers and takes much time to deep in. Also, I want a historical graph for throughput and system resources usage. Maybe it will be great to make easy step-by-step installation and configuration cookbooks as Fortinet did, and integrate the documentation within the solution. In most cases, the solution works great and I recommend it for our customers.

View full review »
Swapnil Talegaonkar
Technology consultant at a tech services company with 501-1,000 employees

Check Point has both GUI (Graphical Interface) & smart dashboard, but it will be better if it sticks to either one of them. 

A threat prevention policy needs to be created in a different tab but instead, if those policies could be related to access policy then it will be easier to apply the threat prevention to our relevant traffic.

One of the most complicated aspects is the VPN Configuration, which should be simplified in future releases. The monitor tab should have a VPN tab, where we can see the current tunnel status.

View full review »
Pammi Jethy
Security Administrator at R Systems

The antivirus is not as effective as it could be because updates are not that frequent.

Another area for improvement is that certifications are quite expensive with Check Point.

View full review »
CTO at a computer software company with 11-50 employees

When first looking into the Check Point offerings, it was fairly confusing trying to determine the differences between the different offerings. Specifically, SMBs versus other models, and which one would work best within my environment for my use case. I think we ended up in a good spot after speaking with a reseller in the area, but it would have been nice to be able to get there independently.

The WatchTower app that can be used to access the SMB appliance remotely is a nice touch, but it doesn't allow for many actions to be taken and therefore is relegated to mostly notifications. At that point, it requires me to gain local access to go further. It would be nice to add more features to the WatchTower app to be able to perform certain administrative functions without the need for local access. 

View full review »
Manager at Kotak Mahindra Bank

The one area that I would like to see a change in is policy installation. Right now, with a larger user database and a high number of rules, it takes a bit of time for policy installation. There is definitely some improvement in the R80 version; however, I believe that it should not take more than one minute to refresh the database. Also, there is a significant spike in gateway resource utilization during policy installation. 

The additional blades have an impact on resource utilization, hence scope of improvement is needed here too.

View full review »
Ümit Güler
Consultant at KoçSistem

Check Point should include additional management choices; for example, Check Point does not offer full management support via browser.

You should use Check Point Smart Console for management, although it is an EXE and is supported only on the MS Windows platform. If you are using Linux or Mac, you cannot manage Check Point. Instead, you need to use a virtual PC with the Windows OS installed, running inside Linux or Mac. Check Point states that this is a decision made for security reasons, but that certain management features can be done through the browser, although not fully.

View full review »
Security Engineer at Gosoft (Thailand)

They have few predefined reports and it would be nice to increase them since the logs are excellent.

They should be quicker to release fixes for known vulnerabilities, including those related to Microsoft products.

If you make a mistake when creating rules, it is time-consuming to fix them. However, there is no problem with traffic processing. 

Sometimes you are forced to interact on several different levels. On the one hand, you put the rules in, and on the other, you put in the route. 

View full review »
Security and Network Engineer at a tech services company with 501-1,000 employees

One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, but with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules, why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.

View full review »
IT cloud network engineer
Junior Network Specialist - Cloud Operations Engineer at a computer software company with 5,001-10,000 employees

The NAT services part needs improvement. It's not sophisticated. It needs functions like range assignment for NATing. The way you assign a list of IPs for NATing is too simple. It just allows you to use pools.

There could also be improvement to the automation. They should provide a tool for creating and maintaining rules.

View full review »
IT-Infrastruktur at Synthesa Chemie Ges.m.b.H

The Performance on a policy install takes too long for my taste. This might be because, at each policy install, the management pushes the whole policy on the affected gateways.

Without any training, it is very hard to administrate the whole Check Point NGFW.

In our case, the main Check Point gateways are in a cluster configuration. Sadly, the management always shows the standby box as failed. This may be because it is set to STANDBY and not ACTIVE. It would be better to show the standby box as good.

View full review »
Kirtikumar Patel
Network Engineer at LTTS

The unknown category has been a pain point. We cannot understand this category and the Check Point engineers are also stuck with it. If we enable HTTPS inspection then without this category my URL will stop working. This has a huge impact on my business. We are still running without HTTPS inspection even in a monitoring mode.

Our SAM rule is also not working to block the IP address which we don't allow in our organization so we have to create a traditional rule base block which is a time-consuming job for me and my team.

View full review »
Network, Systems and Security Engineer at SOLTEL Group

Check Point products have many places that need to be improved, but they are constantly upgrading.

View full review »
Dmitry Zakharenko
Security product manager at RRC

Their technical support can be better. In addition, when we need to use it in a government environment, we face a lot of legal issues related to different types of certifications. It would be better to improve it for these issues.

Check Point doesn't have a SOAR system. They work with Siemplify, but it is an integration with another vendor. It would be great if Check Point has an integrated SOAR system.

View full review »
Sadiq Abdulwahab
Network Administrator at Nigerian Security Printing & Minting Plc

We're looking at the endpoint because there are some smaller issues with internet connectivity within our country.

Although they have it now, we don't have a license for it, and I think mobile device security should be a standard feature. I cannot control someone bringing their device to my network and what they do.

View full review »
Network Security Engineer at Türkiye İş Bankası

The SmartUpdate interface is a little bit crowded if your company has a lot of software items.

As an administrator, one should know how to troubleshoot by issuing related CLI commands before or after upgrading gateways, or the management server, in case of a problem.

Hardware problems on Check Point devices, such as those related to NIC or disk problems, may occur at times. In cases such as this, the support team is available and does what is needed, including the RMA process if necessary.

View full review »
Security Solution Architect

This solution requires management software that is sold separately; it's actually a different appliance altogether. For smaller customers or smaller environments, this becomes an added entity in the environment. Not to mention, they'll also have to invest a lot in the necessary management stations. If that came built-in, it would really benefit smaller businesses. 

The performance when you enable decryption could be improved. That's a CPU-intensive task. Many customers struggle if they try to implement decryption — it can really hamper the performance. It's probably something to do with the appliance or the hardware design. This needs to be examined further.

View full review »
Pardeep Sharma
Network security engineer at a tech services company with 1,001-5,000 employees

The web filtering and CLI commands need to be improved. 

The CLI command is very difficult to deploy. 

If you are an engineer and considering configuring through the command line, you can't. The command line is very difficult to use, which is one of the biggest drawbacks of this solution.

The initial setup could be simplified.

Technical support is another big drawback and needs to be improved.

In the next release, there should be improvements made to the sandboxing functionality.

View full review »
Senior Security Analyst at Atos

Sometimes the stability related application, URL filtering, and troubleshooting issues take longer than expected. I observed some feature set that is very easy to add from the deployment team but Check Point needs a longer procedure so customers relating those features with Check Point firewall and Palo Alto.

Heavy load causes a higher CPU peek which causes us to need to reboot the device. Malicious activity database corrupts the directory or path and restoring it take a lot of time .

We receive performance but sometimes there are stability-caused issues. 

View full review »
Senior Technical Consultant at Ivalue Infosolution

There is always room for improvement and CP Dev team is on right path.

View full review »
Yamini Kapoor
Network Security Engineer at R Systems

The area where Check Point can improve is the antivirus, as it only provides a small number of updates for it. Updates should be more frequent.

In addition, the certification process is quite expensive. It should be a little cheaper so that everyone can be trained and certified and have better knowledge of Check Point's products.

View full review »
Sreegith Sreedharan Nair
Senior Network Engineer at LTI - Larsen & Toubro Infotech

Configurations can be complex in some situations and need experienced engineers for managing the solution.

Integration with a third-party authentication mechanism is tricky and needs to be planned well.

SmartView monitor can be enhanced to display granular details of gateways with a single click. Also, having the ability to generate alerts from the Smart Monitor would be a nice feature.

View full review »
Manager for Operations, Security and Management at REN - Rede Energeticas Nacionais, S.A.

The speed of technical support is very slow and is something that should be improved.

View full review »
Gerry Moore
Head Of Technical Operations at Boylesports

One of the biggest disappointments is the GUI. I felt it was a little bit more clunky than some competitors. The screens don't flow as easily as they should. Improving user experience will further elevate this product.

The way the management console operates is not user-friendly, either. It needs to become less intrusive. The user experience is not as high as it should be due to the problems with the user interface. The newer products in the range seem to address my concerns, which I have had for even the older products.

View full review »
Viplav Patil
Senior Manager, Information Technology at a financial services firm with 10,001+ employees
  • Offline Sandblast solution, which should send malicious sources to other security solutions.
  • TAC Support level to be enhanced 
  • More details to be included while VPN troubleshooting, using GUI representation 
  • Integrate all blades to use a single policy rather than multiple.
View full review »
ICT-System-Specialist at a insurance company with 5,001-10,000 employees

The Check Point support needs a lot of improvement. We spend a lot of time troubleshooting issues ourselves, create good ticket descriptions, and try to explain in detail what has already been tested. Even so, it takes at least three ticket-updates before support really understands the issue. If you manage to reach the third-level support, you are still forced to be really critical of what kind of suggestions Check Point support is offering you. Running debugs on a test environment is quite different than running them in a heavily used production environment.

View full review »
Pedro Justo
Project Manager at SANDETEL

The number of physical network ports on the device should be increased to allow for greater capacity.

Another point of improvement would be to continue improving the integration line with our current NAC solution in order to exchange more attributes and increase the granularity of the implemented policies.

View full review »
IT Security Manager at a sports company with 10,001+ employees

I would like to see an improvement of built-in monitoring capabilities such as throughput. Practically visualization of CPview outputs into beautiful pink GUI will do it. 

The monitoring of scalable solutions is quite tricky, but it could be relevant for all vendors who possess the same technology.

IPS fine-tuning may require some time to understand the interrelation between IPS protections, core Protections and other IPS profile elements. But in general, Check Point is on the way of great simplification of TP management

View full review »
Sales Engineer at Unistar

Compliance and centralized management can be improved.

View full review »
Security Engineer at Tenece Professional Services

This product has room for improvement in technical support for Africa. There are some problems with African countries. We also need to provide excellent services. 

The additional feature I would most like to see included in the next release of this solution is removal management.

View full review »
Deputy Manager - Cyber Security at a transportation company with 5,001-10,000 employees

We would like to see the following improvements:

  1. Multiple ISP redundancy.
  2. CPU utilization.
  3. VPN traffic.
  4. HA concept, where if we apply the policy in the primary appliance that should be applied to HA appliance automatically.
  5. The number of bugs has to be reduced.
  6. The number of false positives should be reduced. 
  7. Threat emulation has to be improved.
  8. Reporting has to be improved.
View full review »
Network Security Engineer at a consumer goods company with 201-500 employees

This firewall is difficult to manage and use when you first begin using it. However, once you are used to it, the interface is comfortable and easy to use.

The Smart Control feature is hard to install.

In the future, I would like to see more features in the unified security management platform.

View full review »
Network Manager at a retailer with 10,001+ employees

All the advanced features of automation, especially the first installation of tunnels, need improvement. Also, in terms of configuration, in terms of tuning, and fine-tuning the system, I think they do make it a bit hard for users. Right now, we need to teach admins, the network and security admins about system fine-tuning in terms of load balancing between CPUs, assignment of processes. I don't think a network admin or a system admin should deal with it in terms of when we are speaking about the firewall or networking device. It should be automatic.

View full review »
IT Operation Manager at a transportation company with 1,001-5,000 employees

The user interface for management could be improved.

In the future, I would like to see support for SD-WAN capabilities.

View full review »
Network Security Assurance Specialist at Visa Inc.

Debugging could be improved when compared to the competition.

I think the product release lifecycle should be improved.                                                       

View full review »
Project Manager at Junta de Andalucia

There should be better integration with our current NAC solution to increase the granularity of policies that we implement.

View full review »
Learn what your peers think about Check Point NGFW. Get advice and tips from experienced pros sharing their opinions. Updated: June 2021.
509,820 professionals have used our research since 2012.