2019-08-04T07:38:00Z

What advice do you have for others considering Check Point CloudGuard Network Security?

5

If you were talking to someone whose organization is considering Check Point CloudGuard Network Security, what would you say?

How would you rate it and why? Any other tips or advice?

ITCS user
Guest
2525 Answers

author avatar
Top 5Real User

The combination of NGFW + URL Filtering + Antivirus + Anti Bot, with 8 vCore D4 v2, is able to provide a throughput of 4Gbps. On Azure, the combination of NGFW + URL Filtering + Anit Virus + Anit Bot, with 8vCore c5n 2xlarge, is able to provide a throughput of 4.7Gbps. It is similar to AWS.

2021-05-12T10:55:00Z
author avatar
Top 10Real User

If we end up needing to scale, we would have to buy a new license.

2021-04-01T09:56:17Z
author avatar
Top 10Real User

In summary, this is a good product and I have not found any problems when using it. I can recommend it to others. I would rate this solution a nine out of ten.

2021-03-15T16:32:48Z
author avatar
Top 10Real User

The solution always updates automatically, and therefore we are always using the latest. We do plan to continue to use the product as we've mostly been quite satisfied with it. I'd recommend the solution to other organizations. Overall, I would rate the solution at a nine out of ten.

2021-03-15T06:59:06Z
author avatar
Top 10Real User

In the past, my clients were all using Check Point Systems. When I reviewed it at that time, back 10 years ago, Check Point was number one, as far as I remember, meaning FortiGate wasn't a major solution in Turkey. Nobody was talking about FortiGate then. Now FortiGate, is a major player in the firewall industry in Turkey. Most of our clients are migrating to FortiGate because they say it's cheaper than Check Point. So when I see the Check Point's GUI, it's really complicated. My recommendation would be for Check Point customers to first learn about Check Point's GUI, which is pretty advanced, for me at least. But when I talk to my friends who are managing IT, they are migrating to FortiGate. They say, FortiGate is very easy to manage and I should really think about it now. When I was first introduced to Check Point it was really advanced. I didn't understand when I first looked into it. I just wanted a solution. pfSense has the same problem. By the way, according to your report, some customers said that pfSense needs improvement on the management and the GUI and aspects like that, so maybe I'll need another review of OPNsense versus Check Point and FortiGate etc... We didn't have any problems at all. Just in one case, actually. We have a rule that pops up from nowhere which we didn't create. When we restart our Virtual System firewall, it creates a rule which messes up all our internet connection. So if I were to give a number from one to 10, I would probably say Check Point is a nine out of 10. Other than that, we haven't had any problems. Check Point is pretty reliable. I think it's our company's problem that we couldn't patch it after it froze. Maybe an up to date, patched version doesn't have this problem. Overall, it's really working for us. I don't have any problems other than it's just outdated.

2021-03-08T07:36:00Z
author avatar
Top 5Reseller

We're solutions providers. We're partners with Check Point. We offer integrations and support. This is one of the products we offer to our clients. We're using the latest version of the solution. The platform is R80.40. It's deployed on VMware's virtual environment. I'd recommend the solution to other organizations. The likelihood of running into issues is low. I'd rate the solution at a nine out of ten. We've largely been satisfied with the product.

2021-03-04T23:18:38Z
author avatar
Top 5LeaderboardReal User

We're just a customer and an end-user. We aren't a vendor, consultant, or integrator. I'm not sure if I would recommend the solution to other organizations. It would likely be 50/50. It really depends on the company's requirements. For us, for example, we needed to scale, and that ended up not being possible and so we have to move away from it. Overall, I would rate the solution six out of ten. Although it has some good aspects, for us, the lack of scalability was impossible to overcome.

2021-02-06T10:27:16Z
author avatar
Top 10Real User

I would recommend Check Point as it's an effective tool, and implementation is very easy. On a scale from one to ten, I would give Check Point Virtual Systems a nine.

2021-01-30T04:24:31Z
author avatar
Top 5Real User

I would recommend this solution. It is pretty straightforward to implement. It is easy, and it doesn't require too much time to make a clean implementation. I am not really sure about using it in a really small company. It depends on the budget. I would rate Check Point Virtual Systems a nine out of ten.

2021-01-16T09:07:51Z
author avatar
Top 5LeaderboardReal User

We should have done the Auto Scaling stuff upfront instead of going static. The biggest lesson was that the tools in place let you embrace the good parts of the cloud, which is flexibility and cost savings. The thing that we kind of learned is we just treated it upfront like it was another on-prem device, but you miss out on the whole point of having infrastructure as a service if you're not going to leverage it to its fullest capabilities. Remember that you are doing this in the cloud, so treat it like a cloud device. Don't suddenly try to extend your on-prem network without leveraging the whole capabilities that CloudGuard gives you to scale your network in and out as needed. CloudGuard's false positive rate is acceptable and low. You have pretty granular control over everything that you are doing. Even if you're running into false positives, you can easily tweak them and work with CloudGuard to eliminate them. I would rate it a nine (out of 10). It does everything that we wanted it to. It kind of grows with AWS, where new AWS functionality is now enabling new CloudGuard functionality by virtue of a couple of changes that they have been making. They sort of work hand in hand. The only reason that stops it from being a 10 (out of 10) is just the limitations of AWS end up being the limitations CloudGuard as well. You take the good and the bad of the cloud.

2020-12-06T06:40:00Z
author avatar
Top 5Real User

My advice: Get it. It's a great product. It's a great solution. In terms of CloudGuard's block rate, malware prevention rate, and exploit resistance rate, we didn't really do much testing when it comes to those types of scenarios. But I've used Check Point as a physical firewall before, and it was great. It detected threats and gave me an alert as soon as it detected them. It was really good.

2020-12-02T06:24:00Z
author avatar
Top 5LeaderboardReal User

If you are already a Check Point customer, this is the perfect solution. If you are not used to Check Point products, you should also analyze other solutions and compare them before you buy. The biggest lesson I have learned is that with this product, you can secure the Cloud environment the same way that you secure the on-prem, which helps a lot with people that are new to the Cloud security environment. I would rate Check Point CloudGuard IaaS a ten out of ten.

2020-09-23T06:10:00Z
author avatar
Top 5LeaderboardReal User

The biggest lesson I have learned from using this solution is that network security is moving away from traditional deployments and companies have to adapt themselves to stay competitive. We are fully managing the service. As soon as a new version is released on the Check Point site, they make sure to release it for CloudGuard as well. But so far, we have stayed with our original version. We haven't done any upgrades. The integration process between CloudGuard and AWS Transit Gateway is not straightforward, because we're not talking about traditional networking. There are a lot of different aspects that we are still not used to keeping in mind. For example, routing is completely reworked in AWS. It's just a matter of time to get used to it. Once you get used to it, everything becomes relatively easy. In terms of our workflow when using the integration between CloudGuard and AWS Transit Gateway, we needed to review our operational documentation and prepare additional guides for our operations team on how to do it. We needed to up-skill our team members, and we needed to utilize new technologies or new features, like BGP over VPN, to make communication secure in the cloud. The solution provides security for numerous corporate applications and is under the responsibility of the operations team which consists of about 15 people. For deployment and maintenance of the solution we have one security operations engineer, one network operations engineer, one AWS operations engineer, and one SDWAN engineer.

2020-09-15T11:13:00Z
author avatar
Top 20Real User

Sometimes you've got to pay for what you actually want. We realized that it's an expensive solution, there's no denying that. But we're happy with what we have gotten out of it. Sometimes you just have to fork over the cash out of your budget and work with it. Work hard with it, because you can't just spend money and expect it to work. But with the time that you put into it, you can get something really good out of it for your company. Really do your analysis, which is something anybody should really know if they're going to spend a lot of money like this. They offer up trials. Try it out and see if it actually works for you. One of the biggest reasons it was successful for us was because we already used it in our environment and we used it pretty extensively. We had a variety of different systems in there, but we used the Check Point more. So we were more familiar with it coming into it and that's why we leaned more towards it. We figured, it will be expensive but it will probably have the lowest learning curve for us to get where we want to be. Another company may already use, say, Palo Alto extensively and be very familiar with it. If their decision is that they want their team to be really well versed in what's going on, rather than have to break it all down and study all over again and retrain everybody, maybe their choice will be to stick with their Palo Alto solution rather than flipping over to Check Point. If you're going to change vendors entirely, you're going to have a steep learning curve and that's going to mean it will take time, where you might not be able to fulfill a request, because you have to learn how to do it. I haven't really measured rates like the block rate or malware prevention rate yet. The CloudGuard stuff is the same software running under there that I have run for years. It's just in a cloud environment and it's been extremely effective. It doesn't really paint a picture of how much actually gets through, so I don't know the rates, but I do know that I don't have a lot of problems with things getting through that I didn't know about or didn't want to get through. I don't think there are really any false positives with this solution. Sometimes an investigation that leads me down a path and I follow it so far that I can't quite figure it out, but I attribute that to not having enough visibility into other areas of the environment to actually see what's going on, so I can't paint the whole picture and can't then solve the problem. But I don't have a problem with false positives leading me down a path towards something that just had no relevance at all. The ease of use is good if you have a strong technical background. The intuitiveness of getting in there has a learning curve to it because there's a lot going on there, but with something that takes care of this many things in your environment, it's hard not to make it complex. They've done a pretty good job of trying to make it as uncomplicated as possible, but no matter what, you're going to have a learning curve to be able to use it effectively. The Unified Security Management has made threat hunting a lot easier because we have it all in one view, but managing the environment has become a little bit more complex because we have one ruleset to cross the environment. So we really need to know what we're doing there. We've had to adapt a little bit towards that. Instead of having little rulesets all over the environment, we have one massive ruleset. We have to be a little bit more careful about what we're allowing because it can affect more than just the site you want to change. For example, if you want to change a device in New York, you have to be very careful that you don't affect a device in Boston as well, because it's all in this one unified policy. Overall, Check Point has been a nine-plus out of 10 for me. I'm really happy with it. It's a very expensive solution, but everything has gone really well. There are bumps along the way, like with anything. I don't fault them for that. We've worked with it and we've worked around those problems and have come up with solutions that work for everybody. So everybody's happy in the end.

2020-09-07T05:57:00Z
author avatar
Top 5LeaderboardReal User

You should fully understand the way CloudGuard would be integrated into your cloud from a networking perspective, and it differs from platform to platform. For example, for Google Cloud, the instances of Cloud Guard must have interfaces in several VPCs as a requirement. Think about the subnetting and routing for your project, then implement a PoC with your networking staff.

2020-08-23T20:22:00Z
author avatar
Top 20Real User

My advice to anyone wanting to implement this solution would be to religiously follow the guidelines. I would rate this solution an eight out of 10.

2020-06-14T08:03:11Z
author avatar
Top 20Real User

Intently know and understand the integration points within your environment. It is a great security solution, but understand how integrated it is with, and what level of partnership there is between, Check Point and the virtualization platform that you're looking to add it on top of. The biggest lesson I have learned is that the Check Point CloudGuard features, although good, are only as good as the accompanying virtual platform and its level of integration. I have to be honest: Overall, this is the ideal solution for us and our organization, but it is slightly more complex. There are newer competitive products that take a different stance, that are agent-based. We did not want — and this is another key distinction — a solution that wasn't agent-based in which we had to deploy a piece of software on each and every virtual endpoint. Having this done at the hypervisor level definitely was the right strategy for us. However, the lesson learned, with this type of solution, is that it is very important to understand the nuances of your virtualization platform and what is required on that side to enable the Check Point CloudGuard. You're relying heavily on the partnership and the capabilities of that virtualization platform. Going in, understand the degree of that partnership and the respective road maps of each, because the CloudGuard solution is only as good as the capabilities it has with the virtualization platform. That's especially true for large enterprises that want to constantly move workloads around and have their rule set follow in an event where they're having to ensure that systems are always alive and always protected.

2020-06-10T08:05:00Z
author avatar
Top 20Real User

My advice for anybody who is considering this solution is to start by identifying high-bandwidth use cases. If you have any, and you have a high-security requirement, then I suggest considering other options. This is a secure and reliable solution for us, although we are a bit disappointed with the limited scalability and resource consumption. I would rate this solution an eight out of ten.

2019-09-12T09:01:00Z
author avatar
Real User

There are two deployment model modes in Check Point. One is a gateway level and one is a no gateway all-in-one box solution. With the gateway level, only hardware will be there, all operating systems are stored in a VMware and if there are any issues in the hardware, you just replace the box; all of your policies will be saved into VMware. The all-in-one box you have the GUI policies and also the gateway so it's secure. If there is an issue in the box - like failure or downtime - all of the networks will be affected. I would rate the solution eight out of ten. We haven't been using it too long, so we haven't had a chance to look at all aspects of the solution. I would recommend Check Point to customers because it is an affordable option.

2019-09-11T10:12:00Z
author avatar
Top 20Real User

The web application firewall is commonly used in most firewalls now. If they can add that as a feature, it would be a very strong scenario. When we use Check Point on a perimeter or a DMZ zone, the first thing that clients ask is if there is wireless protection. Check Point has IPS (Intrusion Prevention System) but it does not have wireless protection. So if production is using the cloud if they can integrate mobile app protection, mobile shielding, there's more value for Check Point, but if they include that, Check Point could be the very best firewall option. On a scale from one to ten, when one is the worst and ten is the best, I would rate Check Point as an eight. It needs to do better in pricing and with broader features for mobile. One thing that I learned from multiple installations of Check Point is that you have to train the customer before implementing. Unless the customer is already a highly skilled security engineer so that they know what they can get out of the product, they will not be as satisfied. Otherwise, just before the deployment, we have them go for training so they understand the product and what it can do. They will be happier and they won't choose to go with another product in the future. Even with my engineers who understand many other products, I trained them properly before I send them out for deployments. Check Point is not a product that if you don't know you can just install without knowing anything about it. You have to know the architecture first. You have to know each and every option than work on the product. Then it will be far better and say no to certain features which are not important to use. On the other hand, knowing it is available is fantastic and becomes an option in the right situations.

2019-09-02T05:33:00Z
author avatar
Consultant

For those who want to implement the solution, they should make sure they have a very strong networking background. I would rate the solution eight out of ten.

2019-08-28T09:52:00Z
author avatar
Real User

The solution is the on-premises deployment model which we use in our server environment. We are an integration company, and although we deal with other solutions, we mainly focus on Check Point. The solution is a great mix of user experience, flexibility, security features, and cost. After five years, I believe the total cost ownership will be much cheaper than any competitor. The advice I would give to others interested in implementing is that this solution does have security problems. Not Check Point, per se, but in the network environment. The security recommendation from the Check Point and from us is to use the VSX in the internal network. It should not protect your border because there are some issues around bugs, etc. It could cause vulnerabilities if it's used this way. I would rate this solution eight out of ten.

2019-08-26T06:42:00Z
author avatar
Consultant

I will recommend this program to others and my rating is seven out of ten. I do recommend that users should always use the checkpoints and backup as often as they can.

2019-08-25T05:17:00Z
author avatar
Real User

The biggest lesson that I have learned from this solution is to never assume that something is simple, because there's always a hidden snag that we run into. I would rate this solution a nine out of ten.

2019-08-08T07:02:00Z
author avatar
Real User

I would rate it a nine out of ten and I would recommend this solution. Their support team should be faster because sometimes when we need support their responses are late.

2019-08-04T07:38:00Z
Learn what your peers think about Check Point CloudGuard Network Security. Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
535,919 professionals have used our research since 2012.