Check Point Application Control Reviews

Our company works in the area of developing and delivering online gambling platforms. The Check Point Next-Generation Firewalls are the core security solution we use for the protection of our DataCenter environment located in Asia (Taiwan). The environment has about ~50 physical servers as virtualization hosts, and we have two HA Clusters consist of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. The Application Control software blade is one of the numerous blades activated on the NGFWs and serves for the security improvement in the application detection, categorization, and filtration.

The overall security of the environment has been greatly improved by the Check Point NGFWs. Before implementing the Check Point solutions, we relied on the Cisco ACLs and Zone-Based firewalls configured on the switches and routers, which in fact a simple stateful firewall, and currently appear to be not an efficient solution for protecting from the advanced threats. The Check Point Application control-blade significantly increased the security level from the standpoint of application visibility and filtration. The blade was easy to enable and configure, and we don't see any performance penalty after the activation of it. 

1. The built-in database of the applications, software and the protocols is just amazing - there are more than 8 thousands available just after the blade application. In comparison, the Cisco Network-Based Application Recognition (NBAR) available on the routers provides like 200 applications.

2. The application are categorized into group based on the purpose, like messengers, databases, games etc., and such group objects may be directly use in the Security Policies for the NGFWs.

3. It it really simple to add new custom application definitions and groups if you need so (we use such an option for our own developed software on non-standard ports).

4. The visibility is just great. For any security event of the Application Control blade there is a relevant log entry with all the application details (but don't forget to enable logging for the security rule in the Policy).

I think that the pricing for the Check Point products should be reconsidered - we found it to be quite expensive to purchase and to maintain (the licenses and the support services need to be prolonged regularly), or create some additional bundles of the software blades with significant discounts in addition to the current Next Generation Threat Prevention & SandBlast (NGTX) and Next Generation Threat Prevention (NGTP) offers.

We also had several support cases opened for software issues, but none of them were connected with the Application Control blade.

We have been using the Check Point Application Control for about three years, starting in late 2017.

The Application Control software blade is stable.

The Application Control software blade scales well with the gateways we use, since it doesn't affect the overall performance much after activation.

We have had several support cases opened, but none of them were connected with the Application Control software blade. Some of the issue were resolved by installing the latest recommended JumoHotfix, some required additional configuration on OS kernel level. The longest issue took about one month to be resolved, which we consider too long.

We used the ACLs and Zone-Based firewalls with NBAR on the Cisco switches, routers, and found that this approach doesn't provide sufficient security protection against the modern advanced threats.

The setup was straightforward. The configuration was easy and understandable - we relied heavily on the built-in objects and groups.

In-house team - we have a Check Point Certified engineer working in the engineering team.

Choosing the correct set of the licenses is essential - without the additional software blade licenses purchased the Check Point gateways are just stateful firewall.

We didn't evaluate other vendors or solutions.

On-premises

It is one of the main solutions that we have applied in our offices for the administrative control of access to specific services social networks within the corporation, viewing of videos or services that in some way distract the worker from their activities. It's also facilitated us with the ability to separate the databases by a gateway which makes the administration and the permissions granted to the end-users much easier.

One of the ways it's helped us improve was in the administration and the permissions for specific services. This was very useful to us when making a database per gateway and configuring them through layers to have better visualization, control, and administration of the rules, which allows new administrators to have a better scope and understanding of the organization. This has undoubtedly been the newest thing for us as gateways administrators.

One of the aspects of the solution that has given us more value is the integration of a domain controller with the firewall through the dashboard which allows that through inline layers, LDAP.

The visualization of users, the administration, and the permissions that we can grant to users makes our configuration a more dynamic environment since, as organizational units of an active directory, we can grant permissions to users to specific applications allowed through the URL filtering or application control within the dashboard.

With Check Point we are more protected, however, one of the issues is the cost. They are expensive products due to the fact that we have to buy blades for each solution that we want to integrate into our corporate. Without a doubt, it is worth it, however, it is an important point that could be considered. 

Likewise, nowadays a 2MFA solution could be integrated to Check Point since nowadays remote connections made with remote workers are required to protect the extension from the office to your home through a VPN connection.

I've used the solution for about three years.

The Check Point solution is very stable, however, the installation of JHF at least once a month is somewhat annoying since that could be interpreted as not being a stable solution.

In terms of scalability, my impressions have always been good since there is a lot of scalability in this service. For example, you can integrate several solutions to a centralized administration.

They have an excellent support team. They are fast and it is easy to escalate any situation.

Positive

We did not previously use a different solution.

The setup was straightforward.

We handle the implementation in-house.

We've seen a 40% ROI.

Despite the somewhat high cost, based on the blades, it is a reliable solution.

We didn't evaluate other solutions.

Private Cloud

Other

We have main and branch offices as well as on-premise and cloud data centers. Using Application Control we control the necessary applications instead of creating one or several rules for one application. 

With the AppWiki from Check Point, we can even show users that don't have a log in what applications there are and even see the risks involved at a single glance.

If you use Microsoft services, there are a lot of different applications that the firewall can differentiate and this shows also in the logs.

Using Application Control instead of normal rules and ports helps with ever-changing product versions. In the past, each version could add/remove certain ports which have to be added or removed by the administrators. With automatically updated applications, you don't have to do that continuously.

Enabling Application Control is unbelievably easy as once it is enabled you can use all relevant applications within the rule base.

Seeing applications within the logs also makes troubleshooting easier as you can see if the firewall recognizes the relevant application.

Check Point Application Control offers a wide selection of applications, and even within those, you can configure uploads, downloads, et cetera, on a very granular level. That way, users can use a single application for viewing data but are unable to upload potentially unwanted files. Basic functionality can be provided without decreasing security. In addition, using Check Point Logs we can also see what is allowed/blocked and can act accordingly.

Using APCL within the normal rule base also makes administration easier.

If you want to use Application Control over your whole environment you have to license it for all gateways. Otherwise, you can only work with a subset of it. Therefore, pricing can be quite an issue.

We saw that sometimes APCL stops working and can cause an impact on the rest of the rule base. Therefore, it's advisable to check that the gateway can always update itself with the newest applications.

Sometimes applications are not recognized. This may be due to HTTPS Inspection settings. It's also advisable to fully inspect traffic.

I've used the solution for over two years.

Application and URL filtering is the perfect combination to block unwanted application and web browsing traffic based on the defined policy.

Customers who don't have a dedicated proxy can utilize Check Point's Next Generation Firewall as an Application Control.

It allows users to define policies based on source IP, user role, or group, which can easily identify traffic flow with SAML. You can allow or block traffic coming or going out to the internet for specific applications or websites.

Most organizations take advantage of application control, which provides the most efficient and accurate results to block or allow application traffic.

No organization requires entire access for an application running as that would cause more risk, which is not desirable. If we want to allow certain required applications, with Check Point, application control is possible.

For customers that have database servers and public-facing servers and want to provide access to specific services, Check Point is perfect.

With application control and URL filtering, it becomes possible to block/allow applications and sub-applications the maximum flexibility to allow for policy-based access roles. The solution offers user notifications for blocked access, time-defined policies, and bulk categorization of malicious applications.

With Check Point Application Control, it is possible to mitigate unwanted application traffic even it detects items, and allows traffic for specific ports which can be required to run the specific application successfully while blocking traffic from all remaining ports.

We get a Smart Event Report which clearly shows us how many applications are running under the Check Point Gateway and which applications require more security rules while revealing vulnerabilities.

Customization rules for custom applications help to define rules.

The application layer is the most usable feature Check Point provides to categorize and distribute the different sets of rules which work in a top-down lookup approach. This allows users to define policies separately within that particulate layer.

By default, an implicitly cleanup rule exists.

The product offers easy-to-install policies and makes it simple to troubleshoot application-related traffic.

The solution is integrated with an app wiki to provide a large application database.

Smart Event generates reports which are very useful in order to identify non-required applications running into the environment.

The working principle of Check Point Application Control is far different from all other vendors in the market. It basically works in parallel with security rules. Every time packet must go from policy lookup into security rules. It sometimes leads to a troubleshooting phase for which we can create application traffic.

SD-WAN functionality can be added.

Direct API integration for customized application features can be added.

Load balancer functionality for application traffic might be a better option.

There is no completely stable solution. Even if you consider a competitor solution, you will face some issues from time to time.

The scalability is based on the device throughput.

There is dedicated TAC support for the specific blade in Check Point, which provides for a better resolution.

We did a direct migration from Sophos/Cisco FTD to Check Point. This has been done for many customers and usually leads to changing application control.

The initial setup is straightforward in terms of the policy configuration and licensing.

We are the vendor. We can assist in implementations.

The setup is very straightforward and the licensing works based on a subscription model.

We did look at dedicated proxy servers.

On-premises

Before using this solution, I needed to have other network components that would allow me to block or restrict access to unauthorized sites, which generated a very high cost in terms of licensing and maintenance. Now, I can control authorized and unauthorized access to my end-users, and I can control bandwidth and assign a defined bandwidth to guarantee the operation of my company. 

With this solution, I was able to establish and guarantee the security of my end-users using the categories and definitions within the solution. I'm able to easily identify high-risk sites, as well as sites not allowed for explicit content.

In the beginning, I did not have control of the content that my users had access to, which put the integrity of my company at risk. With this solution, I was able to create explicit policies that would adhere to the rules that we established for access to applications. 

Previously, I had 2 appliances from another brand to control the traffic of applications and to control bandwidth. It is a very simple product to administer with amazing potential endowed within a large database of applications and is constantly updated.

The automatic updates of new applications and signatures guarantee protection at all times without the need to apply a change manually. This has been largely beneficial to my organization and only on a couple of occasions have I had a problem with legacy applications being applied to a filter incorrectly. We've solved this by documenting them in the Check Point portal to ensure they are not listed as a malicious application or IP. There is a large database of applications that have been incorporated together with the traffic control tool assigning a defined bandwidth for certain applications.

It's important that there is the option to validate the policies before applying them since it is very annoying and causes a waste of time to apply a new policy or rule and afterward receive an error that the policy has failed. 

It is important that, if you are being notified of the modifications in the automatic policies that were updated, it's clear in terms of the content that is included as well as the applications that have been modified for being malicious or not. 

Without a doubt, these would be contributions that would greatly benefit the solution's operation within my company.

I've worked with the solution for 5 years.

In some equipment, the scaling is very good, however, it depends on the equipment that is purchased and if there is correct sizing.

Yes, I made the change because I tried a demo and it seemed like a great product.

It is a very safe and stable product.

The licensing is very good. We always rely on an authorized dealer to ensure proper operation and sizing.

Yes, I evaluated Cisco, Palo Alto, and Fortinet.

Not at this time. 

On-premises

The Check Point Application Control blade provides application security and identity control for our organization. It gives us very easy to create policies based on users and groups. We use Critical Risk and Anonymizers, P2P file sharing, Spyware, and Remote admin categories. We use Application Control in two ways, separate rule base and with access policy as well. My all over experience is good.  

With Check Point Application Control we can say we improved our legacy and have made them more secure. Now we are able to allow specific applications on respective service and we are allowed those respective services only. 

With Application Control we have visibility into who is accessing which application but our pain area is still with HTTPS inspection. 

Overall, Application Control is a very good blade and it is very helpful in our complex environment. We can restrict our site to site rule as well.

The Check Point Application control database contains each and every application and category and each of the applications and categories describe the additional category and also a risk level. The database updates regularly. It gives us the updated and latest lists of applications that are widely used. We can filter a search based on risk level, risk level 5 to see all applications with that risk level. We can also see the description of the risk level with the lag line. 

Most of the business applications stopped working, we don't know why and we have already escalated to the top level but we still haven't gotten any corrective action on this. They always take logs but after that, there is no resolution. They need to improve this, this will help us a lot. We have not blocked anything on a rule base we have enabled HTTPS on a monitoring mode but still, we are facing issues, and if we add an unknown category on that respective rule only then does it start working.

I have been using Check Point for four years. 

Stability is good. 

Support is genuinely not good on Application Control.

The initial setup was straightforward.

We initially implemented it with a vendor. 

We have seen ROI.

They have to improve more on the Application Control blade.

On-premises

The main use case is blocking unwanted applications. For example, I want to block Facebook chat while still being able to view posts. I also use granular level control for categories on YouTube, like blocking adult content. This application control is used to block or allow certain traffic based on my organization's needs.

Both granular application control and real-time threat prevention are very useful. In my organization, I initially block everything and then allow only what is required. This approach ensures that only necessary applications like Facebook, YouTube, WhatsApp, Teams, and Microsoft Office 365 are allowed. This method provides precise control over application access.

Check Point Application Control can be improved by offering more granular levels of control. For example, in WhatsApp, there should be deep-level control to manage attachments and ensure that links do not open if they're not allowed by the environment.

I've been using the application control feature for the past two years as part of my operational tasks. This includes setting policies, giving access to specific applications, blocking unwanted applications, and providing granular access at the application level.

On-premises

This software monitors the performance of applications across the company. It provides comprehensive security for all the tools contributing to the company's growth. 

Check Point Application Control has created reliable data management policies that guide employees on how to interact effectively with applications. The software assigns each sector the most suitable working tools to easily implement projects and tasks. 

We were able to customize it and make efficient configurations with data models.

This platform has fully secured our applications with very powerful firewall security upgrades. 

It has taught employees how to protect their work tools from external security threats. The system has a secure database that keeps information on applications in a secure environment. 

It interconnects easily any network platform that faces challenges restoring normalcy. It updates applications for compliance. It unlocks hidden security barriers that affect workflows.

All the features collaborate in the management of application security. Granular control monitors the models that create a given application. 

It tracks down the performance of all the given tools in the system to ensure there is reliable performance. 

Application groupings simplify the work of monitoring operations and checking the security situation of the entire production chain. Next-Generation Firewalls identify any malware attacks that could harm data and slow down operations. 

The Network Security monitoring system has enhanced the safety of the company's cloud-based servers.

The learning curve for new users is challenging since the integrated data models are complicated. 

The system slows down when the company has a lot of applications. 

New versions that are upgraded rarely come with new market updates. 

The cost and deployment capacity is based on the size of the company. The overall performance is excellent when the system administrators from the company work closely with the vendor-customer support team. 

It has enhanced a secure work environment and enabled employees to focus on more productive tasks.

I've used the solution for 12 months.

It is stable and highly productive.

It is highly scalable with perfect performance.

The customer support staff is dedicated to their work, and I will always cherish their great support.

Positive

I have no experience with a similar solution.

We did not experience complications during the setup process.

It was implemented through the vendor, and they provided the required support and guidelines.

The ROI has been positive with increased performance.

The cost is good and flexible for any organization.

We settled on this product the first time.

I highly recommend this software for comprehensive application security enhancement.

On-premises

The Check Point Application Control solution is used by us on two firewall clusters. It is used both on the inside and on the outside.

Analyzing internal traffic helps us to understand which applications are used within our network. It does more than simply allowing or blocking traffic. It provides a report on how much these applications consume on the network and where they are used.

On the foreign side, we only allow applications considered safe and we always use the report to identify external attacks or improper use from the inside out.

Check Point Application Control application I would define it as oxygen: you notice it when it is missing and I say this because we now think it is natural to have this module incorporated in a firewall.

In the beginning, without this module, we were in the dark about everything. We were forced to open internal or external traffic by trusting (sorry for the nonsense) who was doing the traffic: unthinkable today!

Now we know who does what and can give specific permissions based on the user or the group to which the user belongs. The same user can have maximum permits on the professional side but be protected himself from ending up on sites that are improper for his work activity, such as porn sites.

The most important feature, in my opinion, regarding Check Point Application Control is the granularity and the great variety of applications and sub-applications recognized.

Consider that I can make multiple rules for the same user or group of users by detailing what it can do perfectly. The applications are not trivially listed but well-specified. To give an example: the Facebook application is not simple but its features are listed so that I can allow the use of Facebook but not the uploading of a file.

It is hard to say what has to be improved in Check Point Application Control.

Occasionally, we have to identify an application that is not registered. I would like to have a periodic update of the applications, perhaps based on a predefined calendar.

We would like to have the ability to submit new applications for registration, as well as request the recategorization of URLs.

We have been using Check Point Application Control for twenty years.

I have not found any particular malfunctions so I can say that it is well implemented.

Through a firewall cluster, I can increase the power and reliability of the system, and avoid buying a superior model.

Customer service is very competent.

We did not use another similar solution prior to this one.

The initial setup was straightforward.

Setup is made easy by using logs. As a first rule, I put the blocking of applications that come to mind, then a rule of allowed applications specifying all applications. By looking at the logs, I will be able to refine the rule by populating that of blocked applications and creating one of the allowed applications.

For maximum security (but maximum limitation), I can put at the end a rule that blocks everything but will block both applications not previously specified and those not recognized. This rule requires having a team that looks at the logs a lot, otherwise, it is better to put it on permission and analyze it periodically.

We implemented it through a team that lived up to the solution.

The blade has its cost but you can take advantage of the license package to pay less for it.

We did not evaluate other options.

It does not require excessive resources but if you intend to use it massively, do not underestimate the size of the firewall.

On-premises

We use Check Point in our internal network, as well as on the perimeter & we have used the Application control-blade on the internal firewall. All of our user traffic will be terminated at the internal firewall, hence we have done primary filtering of traffic on the internal firewall only.

Basically, on the internal firewall, we are blocking all social networking sites, remote meeting applications, adult content, & torrent applications. This restriction helps us to save our bandwidth as well to ensure that users follow & maintain work ethics at the office premises.

Application control blades help us in two ways. The first is to allow specific applications, where earlier we have to find out all of the URLs needed for each application & then allow them one by one. Now, we now just find the application. The second way is to restrict the user from browsing unwanted websites.

Together, these improved security & help to maintain discipline & focus at work.

The application control-blade also helps us by providing visibility. We have an overview of application traffic & depending upon the content, we can decide to allow or deny the application.

Check Point has its own application database where more than 7,300 applications are known. I am able to see them using the smart console, along with details for each one. Each and every application has an accompanying category, some knowledge about the application, the protocol it uses, & the risk factor associate with it.

Implementing application control is very simple & it is designed in such a way that we can introduce it with access policy. Also, to reduce complexity, we can create an altogether different layer.

This product logs & monitors event traffic for each application, giving us better visibility. Updating the application database is very easy; we just have to schedule the update & the device will automatically fetch it on a regular schedule, such as every two hours.

We expect applications to be updated regularly.

I have been using Check Point Application Control for more than three years.

This is one of the stable modules in Check Point.

Scalability for application control in the Check Point gateways is good & does not take need much processing power.  

Check Point TAC is always helpful, although particularly for application control, we have not yet raised any tickets. For the help that they have given us with other products, I appreciate the effort from the support team, as they always help us when we ask. 

Prior to this, we used FortiGate but the Check Point database is far better.

The initial setup is very simple.

We completed the implementation in-house.

I think application control has become a basic feature and it should be enabled automatically, without having to purchase a separate license for it. Alternatively, it should be available at a minimal cost.

We have not evaluated any other options.

The only thing we expect from a Check Point is to regularly update their database with the new applications. Other than this, specific to the application control-blade, I have not seen any issues or problems.

On-premises

Other