Check Point CloudGuard Network Security Reviews

Our primary use case for this solution is a firewall.

The most valuable Check Point CloudGuard feature is the firewall. I also value the user authentication, IPS, and application control features.

The clustering and HE from the scaling availability could be improved.

The documentation could be much better as well.

I have been using this solution for about a year. 

I would rate stability as average, too. It's not the best, but it's also not the worst. 

I would rate the scalability potential of this solution as average.

Check Point CloudGuard technical support is good.

I have not previously used any solutions. 

Deployment was easy. It took about half a day to do all configure everything how we needed it. 

The first time we deployed it was through a Check Point pre-sales specialist. After that, we deployed on our own. 

If we end up needing to scale, we would have to buy a new license. 

The solution is very easy to use.

The product is quite flexible.

The installation process doesn't take very long.

We've found the stability to be quite good overall.

You can scale the solution if you need to.

Technical support is helpful and responsive.

The user interface is okay, depending on who is using it.

We haven't had any issues with integrations. It seems to handle them quite well.

We're looking forward to the next Check Point with the solution and CloudGuard and everything on the same single cloud. Right now, that's not yet the case.

We're expecting more new features in the next release, however, I'm not sure precisely what is being added.

Check Point support, beyond CloudGuard, does need some improvement.

I've been using the solution for 18 to 24 months at this point. It's been a year or two.

The product is very stable so far. We haven't had any issues. It doesn't crash or freeze. There aren't bugs or glitches. The performance is reliable.

The product can scale quite well. If a company needs to expand it, it can do so. It's not an issue.

We have 5,000 users on the solution in one particular case. They're on one account. It's kind-of a lot.

The CloudGuard technical support has been good so far. We have no complaints. We're quite satisfied with the level of service we receive.

From a firewall perspective, yes, we use some other solution, however, CloudGuard is basically filling a gap in the cloud area. Before them, of course, we didn't use any other thing. We were using something else that wasn't really related and when we moved to Check Point was when we first adopted CloudGuard.

The initial setup is pretty straightforward. It's not overly complex. 

The deployment is fast. We managed it in about 24 hours or so.

We had 12 people that assisted in the deployment process.

We have to pay a licensing fee, however, we haven't really done any comparison shopping, and therefore I can't speak to if it is affordable or expensive.

Mostly, we are satisfied with the cost. We have some discount agreements and that's enough.

The solution always updates automatically, and therefore we are always using the latest.

We do plan to continue to use the product as we've mostly been quite satisfied with it.

I'd recommend the solution to other organizations.

Overall, I would rate the solution at a nine out of ten.

We primarily use the solution as a firewall. It is for the perimeter protection of our products. We use it as a UTM kind of environment.

The solution has good features.

It has good antivirus protection.

The solution has been quite stable.

The installation was straightforward and pretty easy to execute.

The solution lacks the capability to scale effectively.

We had been using the solution for five years. However, we are currently migrating off of it.

We found the solution to be stable when we were using it. It doesn't crash or freeze. It's not buggy and it doesn't have glitches.

The solution isn't scalable. In fact, it cannot be upgraded at all. This is the main reason why we are switching over to a different firewall under a different brand.

We have many users at the perimeter currently. 

The technical support on offer was very good. We were largely satisfied with the level of service provided. We found them to be helpful and responsive when we had issues.

We are currently moving from Check Point to Fortinet. We haven't yet started to use Fortinet, however. It's a work in progress.

The solution is pretty easy to set up. It's not complex. It's rather straightforward. It shouldn't give a company any trouble.

You need two to three people to manage the deployment process. You don't need a big team.

We handled the implementation ourselves using in-house personnel. We didn't need the outside assistance of integrators or consultants.

We're just a customer and an end-user. We aren't a vendor, consultant, or integrator.

I'm not sure if I would recommend the solution to other organizations. It would likely be 50/50. It really depends on the company's requirements. For us, for example, we needed to scale, and that ended up not being possible and so we have to move away from it.

Overall, I would rate the solution six out of ten. Although it has some good aspects, for us, the lack of scalability was impossible to overcome.

We integrate this solution, and we also provide the maintenance of the device. We are using this solution for those sites that are kind of medium in size and require a more complex solution but don't have too much space for big equipment.

It is useful for us for checking services, instead of protocols, because we have some services that are very smart and can change ports. It is also useful for verifying the logs. SmartLog is very practical, and it is easy to identify stuff and make corrections.

The Capsule solution and application filters are the most valuable. 

It is pretty straightforward to implement, and it also has good stability and scalability. Their technical support is also really good.

This application can be more integrated with web application firewalls. Better integrations would provide more granularity, which would be helpful for focusing on the application itself and preventing attacks.

It would be good to include the cross-domain search. If you have multiple firewalls that are managed on the same platform and you want to check who is using some particular objects or where a specific ID is being used, it should provide an option for this kind of search instead of having to check one by one on each firewall.

I have been using this solution for more or less ten years.

It is pretty stable.

With the virtual assistant, its scalability is very good.

Their technical support is really good.

The initial setup is pretty easy. Where it is not that simple is the integration of different blades and the customization of rules, which are really dependent on the policies of a company. When we are dealing with a small company, it is easy, but when we are dealing with global corporations that have previously-defined policies and the integration with the profiles, it is a little bit more tricky and complex.

The deployment takes a couple of days, but when the deployment is more complex and requires assessments, it could take one or two weeks.

We are an integrator. The number of people that are required for the deployment and maintenance of this product depends on the organization. The deployment could be done by one or two people, but for the maintenance of the device, big companies require more people because they are establishing new connections with third parties and so on, which means that it requires many changes.

It is not expensive, but it is a little bit above the middle range. There are other solutions that are a little more expensive than this, but they also have some interesting features.

Our clients also evaluate Palo Alto and Cisco. Palo Alto, Check Point, and Cisco are the top solutions at the moment. In terms of performance, all three are pretty much the same, but it is much easier to check logs on the firewall in Check Point than Cisco or Palo Alto. Check Point is also quicker and more intuitive. Its view is also better than others.

I would recommend this solution. It is pretty straightforward to implement. It is easy, and it doesn't require too much time to make a clean implementation. I am not really sure about using it in a really small company. It depends on the budget.

I would rate Check Point Virtual Systems a nine out of ten.

We mainly used CloudGuard for IPS and IDS in our AWS environment, and we also used it for additional logging to see what was going in and out of our network in AWS. We have very limited visibility, especially when it comes to logging, and AWS does not support IPS and IDS as of now.

The way they implemented their auto-provisioning, where you just change a port or a security setting on AWS and it applies it automatically to all your firewalls, is good. You don't have to go into both of your firewalls, if you have redundancy like we did. You just need to change it on one of them in AWS, and that change applies to both of the firewalls. That saved us a lot of time. Usually, on physical firewalls, if you have to do that, you're going to have to either do command line, or if you don't want to do command line you have to do console and do multiple changes everywhere, from firewall rules to access rules. With Check Point, all you have to do is one change in the AWS console, and it will apply it within your firewall. Without that we would have had to do that in AWS, then go into the SmartConsole for Check Point.

I'm the only one who does security for both our on-prem and our cloud environments. Having Check Point there, I didn't really have to do much. It gave me peace of mind that it would do its job. I did check on it on a daily basis, just to make sure everything was okay and that there was no unwanted traffic during the day or during the night before. I didn't see anything unusual and if I did see something, it was one of those one-offs because another team was doing testing or something like that.

The IPS, IDS and logging were some of the features that I found useful. Also, the automation using AWS CloudFormation, the way we deployed it to our system, was very simple.

The comprehensiveness of CloudGuard's threat prevention security, looking at the logs, was really good. It would tell me if there was any unwanted traffic on our system, it would keep track of that. We checked it to make sure that everything was okay. It gave me the information that I needed to keep our network safe.

It's also pretty user-friendly. I've used multiple firewalls, both physical and virtual, and to me, Check Point is on top when it comes to ease of use and understanding the firewall installation. It's very very simple. And the way they implemented CloudFormation and the auto provisioning, is hands-down one of the best.

We did not use the AWS Transit Gateway, and that's one of the things that we're currently using. I believe we will be working with Check Point again, in the near future, to implement it, once they start having proper support for a single customer with multiple accounts. When we were using them, we had to install Check Point on each and every single account.

I believe they're working on a solution for that. I know they're utilizing Transit Gateway for it, and that is exactly what we're using right now. I'm excited for them to have that ready, and for us to put it in our system.

In general, cloud infrastructure or a cloud-based environment, is very fast when it comes to technology. Things get developed right away. Check Point just needs to adapt to those changes quicker.

We used Check Point CloudGuard IaaS for over two years. We stopped using it about six to eight months ago. Our environment basically expanded to such a large scale that it wasn't feasible for us to use CloudGuard in our multiple-account production environment.

We are definitely planning on redeploying CloudGuard at some point because we always need IPS and IDS and better logging. AWS only has two or three companies that do IPS/IDS. We definitely need those kinds of protection and Check Point, in my opinion, is one of the best so I still want to put it in place. But their solution doesn't really match our requirements. That's the only reason we moved away from Check Point.

Its stability was really good.

They do implement Auto Scaling and that was one of the requirements that I asked them about. One of their southbound firewalls did not have Auto Scaling at that time, so that's why I requested it.

The scalability is very good; again, very user-friendly. I wouldn't even say "user-friendly" because, as long as you deploy it properly, you can kill an EC2 and it will spin up another one right away, within about a minute and a half. And it will be ready for production right away.

Our production environment never decreased, it only increased. Our presence in AWS quadrupled over the time that we used CloudGuard. I'm managing about 32 accounts that, obviously, need protection. Once they implement that particular solution, we'll be very happy to have them integrated within our environment.

The number of users of CloudGuard, because we had deployed it in our production environment, was as many customers as we had. All traffic went through CloudGuard.

I never dealt with tech support. I dealt more with our account manager. We never had issues with Check Point, so I never had a chance to talk to their support.

We were using native AWS protection.

The initial deployment wasn't too complicated because they had CloudFormation. The only thing that I had issues with was having to integrate that within our company's requirements. Our needs kept changing because we were new to AWS. But that was not an issue with Check Point. And once the requirements within the company had been solidified, we deployed the solution to four or five environments in our AWS and it was fine throughout. We even did their second version of CloudGuard, and again, it was easy.

It's pretty straightforward. It's literally just a matter of selecting the right version of Check Point, your VPC, your management, your password, and that's pretty much it. It's pretty simple.

With the way AWS does things, our deployment took about half a day. And that was mainly because there were dependencies on CloudFormation, where it would wait for a task to finish, and AWS depends on the region that you're in. If you pick a very busy region, then it takes longer than usual. So half a day is giving it padding, in terms of time.

Once it was up and running, it required just me for maintenance.

I was the only one from our organization involved with the deployment.

In the initial installation, the first time, I was working with a Check Point engineer, because we were new to AWS and the Check Point integration with AWS. We came from Azure. We needed somebody just to make sure that we were doing the right thing. But after that, we never needed Check Point support. They would check in on us, just to make sure everything was good.

The engineer was really good. He was there to walk us through and to make sure we understood every piece of the deployment. After that, I put together some documentation based on our needs. From then on, future deployment was fairly simple.

The ROI is in the number of people managing it. Technically, you don't need to manage it. If you have an on-prem, you constantly need to manage the firewall. You need to make sure everything is okay, when it comes to hardware, software, and managing the actual firewall. With CloudGuard on the cloud, we eliminated two of the three. We didn't need to care about the hardware or about the software upgrades. If we did need to upgrade, it was just with respect to CloudFormation. We didn't need to do any firmware. The only thing we needed to do was manage an interface, which is what you're going to do anyway. 

You only need just one person to do it. When it comes to return on investment, you don't need to hire a full team to manage your whole network. If you have a firewall team, with Check Point CloudGuard, you don't need it anymore. It's just a single person because, if a Check Point goes down, it gets spun up right away. You don't need to call anybody or order hardware or anything like that.

Pricing of CloudGuard is pretty fair when you have a single account. It's comparable with other cloud providers. But for our use case, it got really pricey when we had to deploy multiple CloudGuards on multiple accounts in different regions, because you can't have CloudGuard protecting multiple regions. That's the big thing.

Before picking Check Point, I checked Cisco, Fortinet, and Palo Alto. At that moment, when we were doing a PoC, Check Point was ahead of them when it comes to implementation, deployment, and ease of use.

Deployment was the big thing for us because we knew that we were going to be deploying this multiple times. We wanted redundancy, and ease of use and deployment. Check Point nailed those top-three requirements, so it was the clear choice for us. The others didn't have the robust capabilities of Check Point or CloudGuard, to do the things that we wanted. Those included ease of deployment using CloudFormation, scalability using Auto Scaling and the auto-provisioning within CloudGuard.

My advice: Get it. It's a great product. It's a great solution.

In terms of CloudGuard's block rate, malware prevention rate, and exploit resistance rate, we didn't really do much testing when it comes to those types of scenarios. But I've used Check Point as a physical firewall before, and it was great. It detected threats and gave me an alert as soon as it detected them. It was really good.

My experience with the solution has mainly been implementing it with an auto-scaling on behalf of my clients. My job was to migrate an on-prem firewall to AWS cloud. I'm a senior security architect. 

I think one of the valuable features is the auto-scaling, which is based on traffic and  automatically spins one more firewall and adds it to the management server. The zero touch is also a valuable feature. After re-tagging the next internal load balancer within Check Point, it automatically writes up a mac rule and an access rule. As long as you're adding a server into the internal load balancer, you won't need to touch anything. In a Check Point firewall, the mac rules and access rules are automatically written up. Zero touch means there is no need to insert rules again when you're adding servers internally. 

There is definitely some improvement required. We currently use a deployment template provided by AWS each time. If I want to clean up the IaaS I have to use the IaaS template which should not be necessary. Secondly, because it's zero touch, I cannot write up any rules in the firewall. I understand these features might have been built particularly for zero-touch but from the perspective of a network and firewall engineer, some independence to configure something on the firewall would be appreciated. 

An additional feature that could improve the solution would be to enable both automatic and manual control that would allow the engineer complete control over the firewall.

The solution is generally stable although it crashed one time while I was implementing. 

The solution is absolutely scalable. 

The technical support is excellent.

My advice to anyone wanting to implement this solution would be to religiously follow the guidelines. 

I would rate this solution an eight out of 10. 

We use this solution as our perimeter firewall. 

The most valuable feature for us is the cluster support. We have been using this for a long time, so it is not a feature from the latest version.

We would like to be able to scale out such that we can increase performance within a cluster with more active nodes.

Our biggest complaint concerns the high resource usage for IDS/IPS, as we cannot turn on all of the features even with a recent hardware upgrade.

A great enhancement for this solution would be an active-active or multi-active scalability.

As we need to fulfill higher bandwidth demands due to increased cloud usage and research-driven data exchange, we might need to look for other vendors with more competitive pricing.

This is a stable solution.

Six months ago, we updated our version to the most recent one.

The scalability of this solution is limited, which is why we have started looking for alternatives. Currently, we have about twenty-thousand users.

Technical support for this solution is good. They have a quick response and the solution was available within a short period.

We did not use another solution prior to this one.

This initial setup of this solution is complex.

The preparation for deployment took two days, and the deployment itself took about two hours.

We have three staff who are responsible for maintaining the firewall, although there are more tasks that they handle, in addition to it.

We enlisted the help of a service provider to assist us with the implementation. 

The price of this solution could be improved. We pay approximately ‎€150,000 ($166,000 USD) per year. We receive four days of support every year from our service provider before we have to contact Check Point. 

We did not evaluate other options before choosing this solution, although we are currently considering alternative solutions from Forcepoint and Fortinet.

My advice for anybody who is considering this solution is to start by identifying high-bandwidth use cases. If you have any, and you have a high-security requirement, then I suggest considering other options.

This is a secure and reliable solution for us, although we are a bit disappointed with the limited scalability and resource consumption.  

I would rate this solution an eight out of ten.

As per the solution's blade design, there are many options. For example, you have to buy a UTM blade and an advanced malware blade, etc. If the blade license is there, we can configure from the firewall GUI. 

The net policy and routing are also great features.

If you compare the GUI with the Palo Alto and Cisco, they're very easy. Check Point, due to its design, is a little bit complex. They should make the GUI easy to use so that anyone can understand it, like Fortinet's GUI. Many companies end up using Fortinet because the GUI is very easy, and there's no need for training. They just deploy the box and do the configuration.

Also, we have to inform customers that with Check Point there's no need to purchase any routing device. Check Point can do that routing as well as the Firewall and the IPS. The marketing should be stronger, to show that customers only need one box to handle all the features. It will be cost-effective and enhance the performance and value, but because of their poor marketing, customers don't realize this.

In the future, a color string would be powerful. Sandboxing should also be offered. Many people want the Trend Sandbox but not on the cloud. In the Middle East, there is a policy for Sandboxing that states it should be on Trend as per the government law. They have Sandboxing solutions on the cloud, but they have to bring the solution onto Trend also. Palo Alto has Wildfire, Cisco has Talos, and Forcepoint has one available as well.

In the future, routing protocols should be more supported like OSPF and BGP. There needs to be integration with the SDN. I don't know if SDN is there or not in Check Point, but SDN is one of the major requirements nowadays.

The solution is very stable.

We just deployed the solution, so scalability I cannot speak to right now. But, as per Gartner and NSS Lab, they're allegedly very good. I don't think there will be an issue with scalability.

I am currently also working on Cisco ASA, Fortinet, and Palo Alto.

I'm an Operation Engineer; I handle the deployments myself. 

Compared to Cisco Firepower Threat Defense, the solution is cheap. However, not as cheap as Fortinet or Palo Alto. If clients have smaller budgets, we would have to advise one of those instead.

There are two deployment model modes in Check Point. One is a gateway level and one is a no gateway all-in-one box solution. With the gateway level, only hardware will be there, all operating systems are stored in a VMware and if there are any issues in the hardware, you just replace the box; all of your policies will be saved into VMware.

The all-in-one box you have the GUI policies and also the gateway so it's secure. If there is an issue in the box - like failure or downtime - all of the networks will be affected.

I would rate the solution eight out of ten. We haven't been using it too long, so we haven't had a chance to look at all aspects of the solution. I would recommend Check Point to customers because it is an affordable option.