Please share with the community what you think needs improvement with Check Point NGFW.
What are its weaknesses? What would you like to see changed in a future version?
There need to be some options for configuring firewall policy based on zone. As it allows creating a flat policy, an explicit deny policy needs to be created in case some policy needs to be dropped.
Say you have 4 zones (LAN/DMZ1/DMZ2/INTERNET).
Now you want 1 machine to have full access only to the Internet.
You have to create the policies below:
Allow LAN MACHINE TO INTERNET
DENY LAN MACHINE TO DMZ1
DENY LAN MACHINE TO DMZ2
The SmartUpdate interface is a little bit crowded if your company has a lot of software items. As an administrator, one should know how to troubleshoot by issuing related CLI commands before or after upgrading gateways, or the management server, in case of a problem. Hardware problems on Check Point devices, such as those related to NIC or disk problems, may occur at times. In cases such as this, the support team is available and does what is needed, including the RMA process if necessary.
The Check Point support needs a lot of improvement. We spend a lot of time troubleshooting issues ourselves, create good ticket descriptions, and try to explain in detail what has already been tested. Even so, it takes at least three ticket-updates before support really understands the issue. If you manage to reach the third-level support, you are still forced to be really critical of what kind of suggestions Check Point support is offering you. Running debugs on a test environment is quite different than running them in a heavily used production environment.
One of the biggest disappointments is the GUI. I felt it was a little bit more clunky than some competitors. The screens don't flow as easily as they should. Improving user experience will further elevate this product. The way the management console operates is not user-friendly, either. It needs to become less intrusive. The user experience is not as high as it should be due to the problems with the user interface. The newer products in the range seem to address my concerns, which I have had for even the older products.
One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, but with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules, why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.
We would like to see the following improvements:
* Multiple ISP redundancy.
* CPU utilization.
* VPN traffic.
* HA concept, where if we apply the policy in the primary appliance that should be applied to HA appliance automatically.
* The number of bugs has to be reduced.
* The number of false positives should be reduced.
* Threat emulation has to be improved.
* Reporting has to be improved.
All the advanced features of automation, especially the first installation of tunnels, need improvement. Also, in terms of configuration, in terms of tuning, and fine-tuning the system, I think they do make it a bit hard for users. Right now, we need to teach admins, the network and security admins about system fine-tuning in terms of load balancing between CPUs, assignment of processes. I don't think a network admin or a system admin should deal with it in terms of when we are speaking about the firewall or networking device. It should be automatic.
This product has room for improvement in technical support for Africa. There are some problems with African countries. We also need to provide excellent services. The additional feature I would most like to see included in the next release of this solution is removal management.
We're looking at the endpoint because there are some smaller issues with internet connectivity within our country. Although they have it now, we don't have a license for it, and I think mobile device security should be a standard feature. I cannot control someone bringing their device to my network and what they do.
Their support is completely useless. They need to improve that and the stability. The main reason we are moving on from Check Point is because of their stability and their support. There are way too many bugs. You just can't get things to work properly. They don't need to bring any more features. They need to focus on stability. They should stop trying to be funky and stop trying to develop new things to catch people's attention. Just focus on what they already have and make it work. It would be a good product. Just make sure it works.
I would like for them to develop the ability to manage a cloud firewall with the same console. That would be very helpful. Another thing I would like to see improved is that when I start policies in Check Point's console, it takes a few minutes. It could be better and faster.
The presentation of the reports needs to be more user-friendly.
We looked very closely at ArcSight's solution because it's a multi-vendor solution. With ArcSight we could have Check Point, we could have RSA, we could have any brand and integrate several brands, from a security point of view. With Check Point, you cannot do so; you can integrate with Check Point products. Check Point forces the customer to buy only one vendor's solution, but the trends of the market are not to work with only one vendor. If Check Point could work with other vendor solutions, that would be an improvement. It would also help if they had solutions for the SMB market. Check Point is only useful for customers that have a big IT budget. If they don't have the IT budget, the customer has to buy a solution from another vendor.
Check Point Smart Dashboard does not support my Apple MacBook Air. It only supports Windows versions. Check Point does not support captive portal in IPv6. We had a big issue. Not solved yet by Check Point experts.