Check Point CloudGuard WAF Reviews

The main use case of Check Point CloudGuard WAF is for application protection.

Check Point CloudGuard WAF provides protection from OWASP threats, and secures web applications from common vulnerabilities, such as SQL injection, cross-site scripting, cross-site request forgery, and remote file inclusions.

The best feature of Check Point CloudGuard WAF is advanced threat prevention integrated with Check Point threat cloud intelligence, which provides real-time protection against web application attacks including zero-day threats, automatically receiving updates from the threat cloud and analyzing millions of indicators of compromise daily.

Cloud intelligence means that Check Point CloudGuard continuously collects threat data from global resources such as firewalls and sandboxes, analyzing billions of IPs, URLs, and behaviors using machine learning, distributing updates, security signatures, and threat profiles to CloudGuard WAF in real-time, automatically applying updated protection without manual interventions.

We have been using Check Point CloudGuard WAF for the last two years, and this is a very useful product.

I monitor the volume of the type of traffic our web applications receive and understand the types and threats targeting our environment.

Check Point CloudGuard WAF effectively detects or blocks malicious SQL queries in real-time, protecting our web application from exploitation. To block SQL injection in Check Point CloudGuard WAF, I access the CloudGuard WAF console, log into the Check Point CloudGuard WAF management console using administrative credentials, then navigate to the security policies or application security section of the console, where the firewall rules of the protection are configured. In the web security policy setting, I verify that the SQL injection protection is enabled, which is typically a predefined feature within the WAF rule set activated to detect and block SQL injection attacks. Check Point CloudGuard WAF comes with predefined SQL injection attack signatures based on known patterns and payloads commonly used in SQL injection attacks, and I ensure the SQL injection signature set is enabled so that CloudGuard can detect and block common SQL injection techniques.

I find no issues in software testing details with our predefined feature-rich template, providing automated security incident handling with real-time visibility and control across multi-cloud environments.

My main use case for Check Point CloudGuard WAF is protecting the public-facing web applications in my company because I need to show different webs to different clients, and I need to protect these web apps.

In addition to protecting public-facing web apps and APIs, I also use Check Point CloudGuard WAF for different purposes, such as providing protection to non-production environments, ensuring that vulnerabilities are caught early during deployment and testing, which helps identify misconfiguration or insecure code before it reaches production.

Check Point CloudGuard WAF has positively impacted my organization by significantly improving both security and operational efficiency, with a noticeable reduction in web-based threats, especially automated attacks and vulnerability exploits, thanks to its real-time prevention and reputation filter that has streamlined my workflow through automatic policy updates and integration smoothly with my CI/CD pipelines, allowing my DevOps teams to deploy security without delays.

AI-based threat detection and contextual machine learning to block known and zero-day attacks, according to Check Point, have led to a notable decrease in successful web-based attacks.

The best features that Check Point CloudGuard WAF offers in my experience include advanced threat detection with blocking OWASP Top 10 threats such as SQL injection, XSS, and CSRF with high accuracy, along with granular access controls such as geo-blocking and IP reputation filter.

The reputation filter has helped me significantly. For example, I was once notified of a spike in traffic targeting one of my login portals, which at first glance looked like normal user activity, but the reputation filter flagged the source IPs as part of a known botnet associated with credential stuffing attacks, leading to those IPs being blocked before they could even reach the authentication layer.

Check Point CloudGuard WAF is a strong solution, but there are a few areas where it could be improved, particularly the user interface for managing custom rules and exceptions, which could be more intuitive and streamlined to reduce the learning curve for new users, especially when deploying for the first time.

I think the documentation could be better. People need more intuitive documentation and easier steps for the first deployment.

I have been using Check Point CloudGuard WAF for around three years.

Check Point CloudGuard WAF is stable in my experience with no downtime or reliability issues.

Check Point CloudGuard WAF is very scalable and has handled growth or increased traffic well.

The customer support for Check Point CloudGuard WAF is great. I have had great response time, and it has been very helpful for me.

Positive

I did not previously use a different solution.

The experience with pricing, setup cost, and licensing for Check Point CloudGuard WAF is straightforward, with the service being available as a fully managed service, and the pricing depending on traffic volume, number of protected applications, and cloud provider. I do not have a problem with this area.

I have seen a return on investment, having more time in the department, which is the relevant metric of time saved.

The experience with pricing, setup cost, and licensing for Check Point CloudGuard WAF is straightforward, with the service being available as a fully managed service, and the pricing depending on traffic volume, number of protected applications, and cloud provider. I do not have a problem with this area.

Before choosing Check Point CloudGuard WAF, I compared it with Azure WAF, but I had to select Check Point CloudGuard WAF.

I compare Check Point CloudGuard WAF with Azure WAF, noting that I need to centralize the security products, preferring different tools in Check Point Infinity Portal since they are from the same company.

If you are considering using Check Point CloudGuard WAF, my top advice is to take full advantage of its automatic learning and threat intelligence features right from the start. Begin with the detect learning mode to observe traffic patterns and fine-tune policies before switching to full prevention, which helps reduce false positives and ensure a smoother deployment.

I do not utilize Check Point CloudGuard WAF alongside any other Check Point products.

Check Point CloudGuard WAF helps me block specific web-based attacks such as SQL injections or cross-site scripting with threat prevention.

Check Point CloudGuard WAF has helped me reduce my false positive rate to approximately fourteen percent, thanks to its adaptive threat prevention and machine learning capabilities.

The breach reduction capabilities of Check Point CloudGuard WAF are impressive, especially in how it proactively blocks zero-day threats and bot-driven attacks before they reach critical systems. For example, it stopped a credential stuffing attempt on my login portal using the reputation filter and input validation. I would rate this review a nine.

Protecting our websites or our customers' websites is our top priority. We transitioned to Check Point WAF from on-premises WAF to safeguard our external perimeter. Essentially, I am focused on protecting our external infrastructure and web services.

It helps me sleep at night, providing peace of mind. It saves time, money, troubleshooting, and maintenance and reduces the need to hire people to manage the technology because it is so easy to use.

The WAF is the best feature. The application firewall's ability to block and recognize all attacks in real-time, such as DDoS, is invaluable. Identifying attacks and integrating with the rest of the ecosystem are features I am very fond of.

It's a pretty robust product.

CloudGuard protects against threats without relying on signatures. This is one of the best features. As an engineer, I don't have to review signatures one by one by one. 90% of the other players use signatures. So you have to review the attack, the signature, and how to mitigate it, etcetera. Removing the signatures from the equation removes a lot of time required for an engineer to review signatures, apply signatures, verify that these are applied to the infrastructure, etcetera. So removing that from the equation and protecting the infrastructure at all times is very cost-effective. 

Signature-based also causes a lot of false positives. So having no signature also helps remove a lot of the false positives. 

I cannot think of any needed features.

Pricing is high, although possibly justified by the service received. Reducing prices would be welcome. 

Integration with more technologies or Check Point products, or on-prem products, could improve robustness. Many organizations are moving to the cloud. Some cannot fully transition and require solutions similar to on-prem devices. 

I have used the solution for the past two years.

Support is the same with on-premise devices, and it is very good. Since it is cloud-based, I do not need them as much. 

Positive

I have used CloudGuard, Imperva Cloud WAF, and Barracuda Cloud WAF. I have experience with all of the major players.

I have seen what we were used to before and how much time we spent. We used to manage on-prem devices for other partners that could run from other vendors. When you migrate to the cloud, it feels like saving 90% of your time.

If the price could come down, I would be very happy with the product.

I will not disclose which vendor is the best. In specific cases, some vendors perform well, while others are competitive at the high end. Check Point is one vendor that I really appreciate, and I will not mention the other, however the competition is very close.

I would rate the solution nine out of ten. Nobody is perfect. 

My main use case for Check Point CloudGuard WAF is to protect web applications and APIs from OWASP Top 10, and it has helped to secure cloud workload and prevent unauthorized access to data leaks.

I use Check Point CloudGuard WAF to block SQL injection and cross-site scripting attacks, and we protect the API by enforcing strict access, automatically applying a security policy to new applications before deploying in the cloud.

The best features Check Point CloudGuard WAF offers in my experience include automated policy upgrade with threat coverage intelligence, flexible deployment, and zero-day protection, which stand out to me the most.

The automated policy creation and threat intelligence have helped my team by reducing manual configuration and saving time, and the threat intelligence updates ensure immediate protection against new threats, simplifying daily operations and improving response speed.

Check Point CloudGuard WAF has positively impacted my organization by strengthening overall application security and data security, and it reduces manual workload for the security team while improving compliance in securing cloud workloads.

It has improved compliance and manual workflows through automated updates and reports, making it easier to meet compliance, with faster audits and readily available security evidence in reports, and it reduces time spent on manual rule creation and log reviews by automating policy enforcement.

Check Point CloudGuard WAF could be improved by simplifying the initial setup for a faster deployment, making the dashboard and reporting more customizable, and offering a more accessible pricing model.

I have been using Check Point CloudGuard WAF for the past one year.

Check Point CloudGuard WAF is definitely stable in my experience.

It has a user-friendly interface that makes monitoring and management easier with smooth integration with other Check Point and third-party security tools, and it provides a clear dashboard for visibility into attack and traffic patterns.

I would rate customer support as eight out of ten.

I chose this rating because sometimes the response will be delayed more than expected.

Customer support is good, but sometimes it takes longer than expected.

Positive

I have seen a return on investment from using Check Point CloudGuard WAF, considering both time and money.

My experience with pricing, setup cost, and licensing was good.

The experience with pricing, setup cost, and licensing is straightforward without any challenges.

My advice for others looking into using Check Point CloudGuard WAF is to plan deployment with clear policies to maximize protection from the start and take advantage of automated updates and threat intelligence to reduce manual work, ensuring proper integration with your cloud environment.

We have been looking for a solution to protect most of our web applications, especially because we have a couple of them available on the Internet. 

We are not looking at just the web application but also APIs because as a Telco company, we have a mobile money service and some other services that are API-based. We needed a solution that does not only look at our web applications but also our APIs. When I found out about CloudGuard WAF, it was a perfect match. It could not only protect our web application, but we were also able to protect our APIs. We have a couple of APIs on the Internet.

CloudGuard WAF has been great. We had no visibility when it came to our web application because, back then, we only had the next-generation firewall. We were able to protect some network-level attacks, but we had no visibility into what was happening at the application level. What we see now is unbelievable. We are talking about 800,000 attacks that we could not prevent before or were not even aware of, whereas now, we get them every day, and it is CloudGuard WAF that protects us against most of them.

CloudGuard WAF has reduced our false positive rate. That was one of the advantages of the solution itself. False positives are one of the main issues that we have with most security solutions, especially because each application has its own way of working. If the solution is not being able to learn how your applications work, there are going to be a lot of serious issues. With CloudGuard WAF, we did not have much of this issue. We never had an issue where something stopped working because of CloudGuard WAF. Whatever was prevented was actually malicious, so we have a very low rate of false positives. 

CloudGuard WAF is a very straightforward solution. I do not have to worry about signatures. Most of the solutions that are out there are mainly based on signatures, and I have to do a lot of maintenance to get the signature updates, and sometimes, due to a lack of resources, I am not able to do so. With CloudGuard WAF, I have peace of mind, because most of the features are AI-based, and there is not much configuration that needs to be done on my side. Once set, I only go to CloudGuard WAF to check. I do not have to worry about signatures or updates. Everything is done perfectly, and I have a sense of peace because I know our applications are safe. 

It is very important for us that CloudGuard WAF protects our applications against threats without relying on signatures. That is definitely one of the key features I need.

We are satisfied with the product because it does what we need it to do, but one thing that I would like to see improved in the product is the protection of our mobile applications. When I migrate the traffic from our mobile application to CloudGuard, we are not getting what we expected. We would like to be able to also look at our mobile applications.

I have been using Check Point CloudGuard WAF for three years.

It is very stable. We run some of the agents on our data centers and never had any issues. We are happy with the solution.

It is completely scalable.

Technical support is very nice. I have encountered a couple of issues related to the solution. They were not actual issues but things that needed clarification, and support was always there. They gave me the right reference to solve the issues that I faced. I do not have any complaints about the support and customer service aspects.

I would rate them an eight out of ten. They have very short working hours. Especially on the weekends, when you call them, the team is not working because they are a very small team. They need to increase the number of people for 24/7 support.

Positive

We were using Check Point's next-generation firewall. We are heavily Check Point customers.

When it comes to monitoring the solution, I do not have to worry that much about the solution itself. We have the peace of mind that the solution is doing what is expected from us. We do not have to worry much about the solution itself.

It is doing what it is supposed to do, and I do not need people to look at it 24/7. Most of the operations happen in the background, so I do not spend much time on it.

As Infiniti customers, the pricing is manageable, as we have allowances dedicated to each Check Point product. The price is not as high compared to other options I have dealt with in the past. 

Regarding the reduction of the overall total cost of ownership, I am not deeply involved with cost management. However, feedback from a senior manager indicates that we have made a positive decision.

When we were choosing the solution, we had a couple of vendors. After assessing the advantages of each solution, we found Check Point CloudGuard WAF to be the perfect match for my needs.

First of all, there are no signatures. We do not have to rely on signature updates. That was the main reason. Also, it does not only focus on our web application; it also focuses on our APIs. We have got a couple of them.

We, as a company, focus on consolidation. Instead of having siloed solutions separately where people have to look at different solutions, we focus on consolidation. Being able to have another solution that is consolidated and integrated with the other ones we had was a perfect match for us.

I would rate Check Point CloudGuard WAF a nine out of ten.

I am using not only Fortinet, but I am also dealing with other vendors as well, such as Check Point. I am working with email security by Check Point. I have a little bit of experience with Check Point CloudGuard WAF, as we ran a proof of concept here.

The efficiency improvements provided by Check Point CloudGuard WAF are something I can describe. It was fairly easy to set up Check Point CloudGuard WAF if you are looking at the basic configuration. It was pretty acceptable with setting up rules, and so forth. If you were looking for advanced configurations, then you had to go for a different setup, and that made it a little bit complicated.

In terms of efficiency, Check Point CloudGuard WAF is very straightforward to set up rules because you really do not need to do much customization, as it is the case with all Cloud WAFs.

I have been familiar with Check Point CloudGuard WAF for about six months.

Check Point could improve or add more flexibility when it comes to migrating to different sites. Multi-tenancy is an area where Check Point has room for improvement.

From what I saw, the customer support by Check Point was pretty good, but they were trying to sell it to us, so I would rate it eight out of ten.

Positive

I have experience with FortiWeb, although we just stopped using them. We used to have FortiWeb for the last few years, but now we have actually stopped using them.

The price of Check Point CloudGuard WAF is not expensive, as it was the cheapest solution we found. There is good competition for Check Point CloudGuard WAF at the moment, with big players in the market.

If we selected Check Point CloudGuard WAF, which we did not, it would certainly be much cheaper. I would recommend Check Point CloudGuard WAF to others at a rating of seven out of ten. I would recommend it if you have a simple setup, then it is cheaper and it does the job. My overall review rating for Check Point CloudGuard WAF is seven out of ten.

Due to the nature of our business, we have heavily invested in backend API development, providing services exclusively through this interface. Similar to how banks and medical industries utilize data from centralized sources, our APIs cannot be exposed directly to the Internet. To safeguard these critical APIs, a robust security solution is essential. 

Check Point CloudGuard WAF fulfills this need by intercepting all incoming internet traffic, categorizing requests as legitimate or malicious, including attack details, and blocking suspicious activity at the initial stage. Only verified, non-malicious requests are permitted to interact with our APIs.

When we activate the WAF, our security signatures and all the latest threat intelligence are immediately updated. Our protection is automatically refreshed every few hours to address emerging threats. For example, if a zero-day attack originates in Europe, Check Point CloudGuard can detect it within minutes and distribute a new signature globally. This ensures that when the attack reaches Australia, it is already blocked by our up-to-date WAF.

Although the WAF still produces false positives because of the signatures, we can apply a rule to exclude them easily.

Automated threat intelligence is crucial because a ransomware attack can compromise a network in minutes. Imagine an attack occurring at 3 AM when staff is unavailable; the damage may already be done when someone investigates. Ransomware can infiltrate and complete its task within just a few sessions. Once inside, attackers can lay dormant for months, covertly sending data using internal IP addresses. These addresses are often whitelisted, making it difficult to detect whether the outbound traffic is authorized or malicious. Automated threat intelligence can rapidly detect and respond to attacks, unlike manual processes that take 15 to 20 minutes, often too late to prevent significant damage like a completed ransomware attack. Systems like OCSP, utilizing best practices from multiple vendors such as Azure, Microsoft, CheckPoint, Palo Alto, and CloudStrike, provide an open platform for sharing and updating threat signatures. This enables organizations to tailor their security measures based on specific application needs and behaviors, effectively mitigating risks without unnecessary restrictions.

Cloud-based WAF solutions, such as Check Point's, offer significant advantages compared to traditional on-premises WAFs like Cisco or Palo Alto. On-premises WAFs require substantial upfront costs for hardware, expensive licenses, and frequent, costly upgrades as technology evolves. Cloud-based alternatives eliminate these expenses by providing the latest features and capabilities without hardware or software management. This flexibility and cost-efficiency make cloud WAFs appealing to many organizations. However, cloud solutions can be more expensive for high-throughput applications like Instagram or Facebook due to data transfer costs. At the same time,  on-premises options might be more economical in these cases. Ultimately, the best choice depends on specific network size, criticality, and application requirements.

Machine learning is a valuable tool for this assessment because it allows for a two-phase approach: secure and non-secure. In the first secure phase, pre-built signatures are used, eliminating the need for a live tracker as the necessary data is readily available. This approach efficiently blocks threats without progressing to the slower, resource-intensive second phase. Unlike competitors who process every request, this method conserves CPU power and prevents application slowdowns.

Check Point CloudGuard WAF's code could be improved. While the GUI allows configuration for application-related features, specific definitions cannot be modified through the code. Ideally, we would prefer consistent configuration across all products to simplify deployment, but in this case, the ISE is incompatible with the two or three different models we've identified. Therefore, we must rely solely on the GUI for configuration.

I have used Check Point CloudGuard WAF for four months.

It was stable in the four months we ran Check Point CloudGuard WAF.

I would rate the stability nine out of ten.

I would rate the scalability nine out of ten. We only reached 80 percent of our CPU capacity.

The technical support is good. We didn't use them much, demonstrating the product's quality.

Positive

At that stage, our primary goal was to select a suitable WAF to replace our existing F5 WAF. While the F5 WAF performed well, we sought to eliminate it due to excessive licensing costs. Given the high expense of our entire WAF solution, we explored alternatives, including Azure WAF, Check Point WAF, and Palo Alto WAF. Although we initially considered Cisco WAF, it was quickly discarded as outdated. After a two-week evaluation, we narrowed our options to Azure, Check Point, and Palo Alto WAFs.

The deployment is straightforward and similar to any standard firewall installation. While the process took four days due to design finalization, deploying directly from code can be completed in less than thirty minutes.

Two people were involved in the deployment, one working on the design and the other on the ISE.

Check Point CloudGuard WAF is expensive compared to Azure WAF. I would rate the cost of Check Point CloudGuard WAF as eight out of ten, with ten being the most costly.

We evaluated Cisco WAF, but it is outdated and no longer competitive. Since we utilize Azure Cloud, we opted for Azure WAF due to our preference for cloud-based solutions. Azure WAF has performed well and is seamlessly integrated behind the scenes. We also evaluated Palo Alto, but configuration challenges through ISE led us to discontinue its use seven months ago. Check Point CloudGuard WAF was abandoned for similar reasons. Azure WAF's integration with ISE, including built-in Bicep modules for CLI configuration and deployment, is a significant advantage. Currently, we manage approximately 35 IP addresses and require two distinct stages for WAF settings and module deployment. Consistent signature stem definition across different environments is essential. ISE was crucial in our decision-making process, ultimately replacing Check Point due to the latter's lack of ISE integration, a critical requirement. While Check Point offered several strengths, the absence of ISE was a deal-breaker. Overall, Azure WAF has met our expectations.

I would rate Check Point CloudGuard WAF eight out of ten.

We have six environments in multiple locations and eight products that use 20 APIs.

We have a team of four working with the WAF.

I would recommend Check Point CloudGuard WAF if it fully meets the organization's needs, the cost is reasonable, and they desire AI and ML integration in the future. However, since we do not require AI or ML and prioritize ISE for our management approach, this solution did not align with our requirements.

My main use case for Check Point CloudGuard WAF is defending from SQL injection or DDoS attacks, and a quick specific example would be that it protects our applications and data from these threats.

I don't have anything else to add about my main use case, as there are no stories or examples where it helped my team.

The best features Check Point CloudGuard WAF offers are that it's very easy to use, the automated management is very nice, and the introduction of new AI is very efficient, which I find valuable.

With the introduction of AI in general, Check Point CloudGuard WAF provides very high accuracy on the data, allowing me to avoid a lot of false positives and saving me time in determining if what I'm seeing is a possible attack.

Check Point CloudGuard WAF has positively impacted my organization by reducing incidents because I don't have false positives.

Check Point CloudGuard WAF can be improved; initially, the setup is very complicated, and there's not a lot of documentation available, plus it didn't have something for anti-bot, but other than that, it is fine.

The documentation issue means that I can't find it online very easily, and while I can always ask support, it's a bit limited. As for anti-bot, I refer to a feature that I can find a better option for on Cloudflare.

I don't have anything more to add about the needed improvements or anything regarding the onboarding.

I have been using Check Point CloudGuard WAF for one year.

Check Point CloudGuard WAF is very stable, and I haven't had any issues with downtime or reliability, plus it handles growth easily in my environment.

The customer support is rated eight. I have had to contact them, and my experience was satisfactory.

I did not previously use a different solution before Check Point CloudGuard WAF, so there's no prior comparison.

I don't have metrics, but I see a return on investment in overall efficiency, as it has saved my team time and reduced incidents.

I don't know about the pricing, setup cost, or licensing for Check Point CloudGuard WAF, as I don't manage costs.

Before choosing Check Point CloudGuard WAF, I did not evaluate other options, as I went straight with it.

Check Point CloudGuard WAF works very well with all the clouds, such as Azure and AWS, and I shouldn't have any problems adding this feature to my environment.

Regarding the reduction in incidents, I don't have any percentages, but I know I can save a lot of time because I understand that if something is signaled, I need to check it, as it's very not probable that it is a false threat.

My advice for others looking into using Check Point CloudGuard WAF is that, similar to other Check Point services, it can be intimidating at the start, but you will manage after some time.

I rate Check Point CloudGuard WAF eight out of ten.