Check Point IPS Reviews

IPS is part of our Check Point Firewall Solution and a key function in securing our infrastructure. It is good to have an instance already on the gateway that protects specific services from attacks.

Very often, patch installations and downtimes cannot be implemented immediately in the case of critical security vulnerabilities.

IPS helps to secure short-term security vulnerabilities with its regular signature updates. The variety of products being covered is always impressive.

IPS is a key instance to secure services behind our Gateway.

Online attacks and malware have been evolving, using sophisticated and even evasive attack methods. Check Point addresses the changing threat landscape while meeting several key operational requirements for Intrusion Prevention Systems. Check Point IPS protections include checks for protocol and behavioral anomalies which means they detect vulnerabilities in well-known protocols such as HTTP, SMTP, POP, and IMAP before an exploit is found.

If you have any doubt if an update might interfere with any of your services, you can just mark it as "detect only" and observe how it behaves.

IPS easily allows follow-up flags on recently updated patterns. If, in rare cases, a false positive does occur, it is quickly detected and an exception can be easily created.

Basically, it is easy to use and offers a wide variety of protections through all kinds of software, services, appliances, and IoT-Devices. Updates are available regularly and can be easily downloaded and deployed through all the infrastructure. Rollback is easy to perform if ever something happens. It is a must-have on each gateway.

Usually, new signatures for known vulnerabilities come very quickly. In some cases, I would have liked the updates to be faster.

I am not aware of a preview channel or some repository to have a preview on upcoming signatures, however, this would be nice to have.

There is not too much else I am missing on Check Point Intrusion Prevention.

We've used the solution for years now.

We have no concerns at all when it comes to stability. 

We've never reached a performance limit.

Technical support is responsive and helpful.

I've worked with Check Point for years now.

The setup process is straightforward. I'd recommend others join a CCSA training to cover the required knowledge.

We implemented through our vendor and they were very experienced.

I've worked with other vendors before - however, of those that I've used, I found they didn't offer the whole package under one admin console.

We have a hybrid infrastructure with an on-premise data center, cloud data center, and multiple branch offices. All of these firewalls are managed via Check Point Multi Domain Management as well as Smart Event to see security events across our environment.

IPS is set primarily to prevent and only some signatures are set to detect (only after some false positives) so we still see them and get notifications via the Smart Event reports.

IPS is updated automatically and pushed to all gateways every two hours. 

Check Point's IPS simply works and is continuously kept up-to-date on all gateways. Via the management, it's possible to let the gateway update the IPS signatures itself, instead of letting the management update itself and then push the updates to the gateways.

If there's a new data center or branch office and everything is still in the test phase, it's possible to set the IPS policy to detect only so you can gather data and create a baseline without completely disabling IPS. That way, you can still see log entries.

Automatic updates can be done either via management or the Gateway itself, without any user interaction. The gateway is up-to-date with the newest signatures.

If you're unsure which profile to use, Check Point has some pre-defined profiles according to its best practices. Each one adds a different load to the relevant gateway, so you have to first check the current load and then decide on the right profile.

IPS signatures can be set quite granularly depending on your environment. You can filter on performance impact, severity, and confidence which makes sizing and adapting easier.

You can't turn off IPS completely as there are some signatures that are set even without activated IPS. If you know that, you can act accordingly. But sometimes you have to do a general exception instead of a granular one.

There are always some false positives with non-RFC traffic. This is good for security, however, it will cause some effort in day-to-day business as there will have to be exceptions for certain applications.

Threat Prevention policies are not very easily manageable as there are several profiles/policies/etc. Therefore, there are several ways to add exceptions and check the configuration.

I've used the solution for over ten years.

The solution is very stable.

The scalability is quite good, depending on which IPS profile you're using.

The solution is easy to set up.

Intrusion prevention and detection are the most valuable pillars in the security system, which detects and prevents exploits or weaknesses in vulnerable systems or in applications and protect against threats not only based on signatures but also based on anomalies, behavioral analysis, etc.

IPS is already integrated and comes as a security license in Check Point NG Firewalls and NGTX Firewalls.

Every defense system must have a feature set that provides complete security for Network IPS and Check Point has very powerful high throughput - almost at terabyte speed - with the help of a hyper-scale approach.

Organizations can scan for vulnerabilities know as VAPT, which many prefer as one-step closure for maximum security for the entire network. Check Point IPS plays a leading role in patching those vulnerabilities based on CVE IDS.

Based on updates received from the Check Point Threat Cloud, CVE IDs get updated or we can manually add those signatures.

It helps organizations to get a complete report for vulnerabilities in applications, the host running in the network (which helps to fixed to vulnerabilities based on CVE IDs), and gives reports for the compromised host, C&C host, DNS tunneling attempts, and protects against vulnerability in SNMTP HTTP POP, etc.

There's a good out-of-the-box configuration for recommended security based on severity levels, confidence levels, and network impact - also known as an IPS Profile.

For better security, we can edit options based on requirements and we can keep actions as detect-only which gives us alerts but allows traffic to flow without stopping anything.

There's an automatic update after every 2 hours which makes sure that the database is up to date and providing zero-day vulnerability protection.

Check Point IPS provides reports for running vulnerabilities which help enable SOC teams to respond to the highest-priority events first to patch them.

After the R80 release, there are almost all feature sets available under IPS Configuration. However, further to this, adding a direct vulnerability scan based on ports and protocol for every zone (LAN, DMZ, or Outside) will make Check Point very different compared to other vendors on the market.

Most customers take an IPS license but they don't take a SmartEvent license and when this happens, they will not be aware of the report parts such as current threats in the network open ports/protocol, vulnerabilities in a system, or detected/prevented attacks. For such cases, Check Point should provide a bundled license with IPS. 

I've been using the solution for more than four years.

The solution is highly stable for this particular blade.

Scalability can depend on throughput and if we use Maestro Hyperscale, we can distribute load across multiple Check Point Firewalls to get the maximum (in TPS) throughput.

Most of the time there is no need to take support for this,  but the CVE closure technical support team helps lot.

Customers may have had different NGFW solutions, however, after, they migrated over to Check Point NGFW.

The installation was straightforward in terms of configuration and onboarding.

We are service providers and provide services to customers.

Attacks are getting prevented and detected based on severity which helps our organization to get rid of compromising attacks.

Check Point IPS license is a must-have, and users need to make sure the database gets updated on daily basis after every 2 hours as per the defined configuration (which helps to get maximum protection).

The configuration is very simple and effective if you refer to the configuration guide properly.

We did not look at any other solution.

The solution is best in class.

The Check Point IPS module is applied to both internal and external traffic.

Many times, we only think about protecting ourselves from what comes from the Internet but it is also good to analyze what passes inside between one network and another and what goes out to the Internet.

I'll never forget the first backdoor report. We immediately activated email alerts for the most important reports and it was an email that indicated the compromised server. There were three of us and it took two hours to discover that through the image upload form, there had been an attempt to upload a backdoor. This IPS module had blocked this attempt.

The Check Point IPS module certainly is of great support in ensuring the security of every organization. You cannot say that users only surf the internet and you do not need this type of protection because the danger does not come only from the internet, but also from within. 

We immediately implemented the module on internal traffic and if there is any server or user that does something that should not be done, it is immediately identified. 

Valid support also comes from applying, before their official publication, the protections inherent to server and application updates. In this way, we are not forced to install updates on the servers as soon as they are published. Rather, we can also schedule updates and incorporate a delay. This protects us from the possible publication of incorrect updates that are withdrawn immediately afterward.

The Check Point IPS module allows me granularity in creating rules. I can specify which definition to apply and to which scope or network.

I can create multiple profiles, which is helpful. Profiles are the set of rules and I can choose which one to apply. Having more profiles and more options, we have not always moved in a guaranteed way with respect to internal traffic, and rigorously with respect to external traffic.

From the outside, we block directly without waiting to look at the logs. If anything, then we will allow this traffic. From the inside, we allow traffic by default and maybe we will block it after looking at the logs.

These decisions were also supported by the degree of reliability declared by Check Point itself. If we are talking about a high degree of reliability combined with a dangerous vulnerability then you can immediately block traffic with greater confidence in not having false positives

The logs and related functionality are done very well.

To use the Check Point IPS module, you need a dedicated team who must know both the business reality and be sensitive to the dangers coming from the Internet. You can't leave everything to the application to run automatically.

If you leave it on automatic then you run two fundamental risks; the first is the blocking of the firewall due to excessive use of resources, and the second is the sudden halt of your services due to the blocking of a malicious application. By optimizing the resources requested by this module and sending more specific alerts regarding blocks, you can certainly obtain an improvement in performance and usability.

Having additional reports available would be helpful.

I have been using Check Point IPS for twenty years.

This has always scared me because it is known that activating this module in an inconsiderate way causes malfunctions of the firewall. However, Check Point tells you to apply only the IPS definitions that are useful in your environment and warns with specific pop-ups when you want to activate a definition that requires a lot of resources.

In case of high volumes of traffic, it is possible to balance the same by adding other nodes to the cluster.

It was certainly a good experience, a daily challenge to overcome oneself and compete with the world.

Prior to this product, we did not use a similar solution.

The initial setup is complex and must be done by a team, necessarily also made up of internal staff, who are highly skilled.

In the beginning, it is good to evaluate the single definitions in order to reduce the false positives and to avoid a waste of firewall resources. Subsequently, the new definitions released must be reviewed daily.

We implemented it with the support of an external team that proved to be up to the task entrusted to it.

The module has a considerable cost but you can save by purchasing a package with several modules instead of making a single purchase.

The implementation has a high initial and management cost.

We did not evaluate other options.

In summary, this is a well-made product and I don't feel like I would suggest improvements other than having more reports. I recommend its adoption to those who have the availability of a team, internal or external, that has the ability to manage it and the knowledge of the company.

We make use of Check Point IPS to protect our corporate network against incoming threats of all varieties. We have a very minimal intranet/network and this is installed and configured on our firewall that monitors all incoming/outgoing traffic.

We felt it was necessary to have this in place as part of our security hardening in preparation for a third-party penetration test of our corporate network. Their goal was to access our network undetected and exfiltrate information. They were unsuccessful.

Once we installed our Check Point firewall and activated and configured the various software blades and services, we successfully locked down our network with a near 100% success rate in preventing security threats.

I can easily monitor all of our connected devices and I get instant notification of reconnections and new connections, which removes some of the monitoring burden.

The biggest improvement is that it protects us against many different potential attacks like ransomware and malware coming from malicious IPs.

The most valuable features of Check Point IPS are the protection it provides against the various attack vectors out there with ransomware and other malware. Once we had Check Point IPS up and running, which was really quite easy and straightforward to do, we noticed a surprising number of times that it was getting triggered.

It was a little scary thinking back to how vulnerable we were prior to having Check Point IPS in place and simply relying on our users, albeit not that many, to be safe and responsible.

Really, the only thing we noticed once it was running in prevention mode (we started out in detection mode just to get a feel for how it worked and how often protections were getting triggered) was that there was a little bit of a slowdown in performance. It is generally good, but improving the performance would be the one thing I'd take a look at right now.

We have been using Check Point IPS for two years.

This solution has been extremely stable with no issues.

We're small and haven't had to deal with scaling, but I would think it should scale fine.

We did not use another similar solution prior to Check Point.

The initial setup and configuration was easy and straightforward.

Our return, in terms of peace of mind that our network is protected, is well worth the cost of implementation.

The pricing for Check Point IPS is competitive and brings good value for the money.

In summary, since we have installed Check Point IPS, we really have not had any major complaints or requests for improvement. It was pretty easy to get up and running and configured to protect our environment.

I work in MNC company and we have 6 GEO locations in India and all of our locations are using Check Point as a perimeter firewall. I sit in our HO Office and I am maintaining all the location firewalls with my team, except for 1 location. We regularly monitor the security alerts on our perimeter and based on that we will align our location IT to check and update us. IPS is our core blade for network security, it is provide the details that some suspicious activities happen on our network as per the IPS signature database, and based on that we will work on that.

As our primary use case with IPS blade we are daily receiving non-compliant IKE alert, and we know if we prevented it then what impact will happen, our all site to site tunnel will stop working which is running with noncompliant IKE and we are not forcing our client to update that noncompliant IKE protocol. 

We have configured the IPS daily report on our Check Point Gateway so we get daily reports with details of IPS related alerts. Based on the report we will check whether it is in prevention or detection mode and based on that we will check with the internal team and work on that. This is a very useful blade to prevent unwanted and unknown attacks. We can also create strict policies in the IPS blade to prevent high and critical severity but in our organization, we follow the same but in some cases, we have created exceptions.

Overall with the IPS blade we can say we are secure with unknown attacks. 

The default category (Low, Medium, High, Critical) is the most valuable feature because we don't know what type of attack will happen, but with this category, we can create a policy to prevent any high and critical severity behavior. With this, we can protect our organization from weakness exploit of vulnerable systems.

IPS can protect our organization with any old vulnerabilities or if any vulnerability was detected within a few minutes. IPS can protect us as per our configured policy.

I strongly agree that with IPS blade we can protect our organization vulnerabilities. I would like to have the ability to virtually patch our application or vulnerable machine that is talking ourside our network. If it is there then we can protect our application and systems to any unknown attack if our system or application has a weakness or vulnerability. 

I observed on our management that sometimes IPS does not connect to the threat cloud, we have to check and improve it. Otherwise, all of the features are good.  

I have been using Check Point IPS for the last four years. 

Sometimes it will not connect to the threat cloud.

This is a fully salable blade.

Overall okay.

Straightforward.

Vendor team

Priceless.

Reg. cost and licensing part out procurement team taking care.

The IPS is a very good blade in Check Point NGFW.

Our company works in developing and delivering online gambling platforms. The Check Point NGFWs are the core security solution we use to protect our DataCenter environment located in Asia (Taiwan). The environment has about ~50 physical servers as virtualization hosts, and we have two HA Clusters consist of 2x5400 hardware appliances, managed by an OpenServer Security Management Server on a Virtual Machine (KVM), all running on R80.10 with the latest JumboHotfix. 

The Clusters serve as the firewalls for both inter-VLAN and external traffic. We have the Intrusion Prevention System (IPS) blade activated on both Check Point HA Clusters as the counter-measure against advanced threats and malware. The IPS blade mostly used for ingress traffic from the Internet to the DMZ VLAN.

I think that the security of our DataCenter has been increased to a large extent by activating of the Check Point Intrusion Prevention System software blade. Before that, we used the Cisco ACLs and Zone-Based firewall configured on switches and routers, which currently not an efficient solution for protecting from advanced threats. Now we have state-of-the-art, true, and efficient Next-Generation firewall, and the IPS blade is the heart of it. The security profiles activated in the IPS blade check the traffic not just by TCP/UDP port of the connection, but by traffic patterns and the application behaviour. 

The number of IPS protections is amazing - after the latest update, I see more than 11000 in the SmartConsole.

All the protections are tagged and categorized by the vendor/type/product, the severity of the threat, confidence level, and performance impact of the activation, which helps in finding and enabling only he profiles that we really need (e.g. we don't have any Microsoft Windows servers in our environment, so decided to disable such protections by default).

The protections are updated based on the schedule - we used the default once-a-day approach.

I also like that the new protections may be automatically activated in the "Staging mode", which only detect the possible threat and alerts them, but doesn't block the actual traffic, thus minimizing the impact of the false positives. 

In my opinion, the Check Point software engineers should works on the performance of the blade - when it is activated with the big number of the protections in place, the monitoring shows us the significant increase in the CPU utilization for the gateway appliances - up to 30 percents, even so, we are cherry-picking only the profiles that we really needed.

Due to that fact it is also not so easy to choose the correct hardware appliance when you are planning the infrastructure. It is even more important when you realize that the Check Point hardware is very expensive.

We have been using this solution for three years, starting since late 2017.

The solution is reliable and stable, we didn't have any software or hardware issue while using it.

The Check Point software blade is activated on the HA Clusters in Active-Standby mode. There's a space to grow with the current setup, but eventually, we may switch to the Active-Active mode and add additional appliances to the clusters.

Even so we had a number of the support cases opened with the Check Point team, none of them was connected with the IPS blade. In general, there are professionals in the support team, but some cases took surprisingly long time to be resolved. 

Before the Check Point IPS, we relied on the simple stateful firewalls configured on Cisco switches and routers and moved to Check Point to get improved security against the modern threats.

The initial setup was easy, as was the configuration. Now the solution almost doesn't require the time for managing it.

The implementation was done by the Certified Check Point Expert we have in the in-house team - the Check Point solutions are popular, so there are such engineer available on the job market.

The overall cost of the solution is really high. You should properly scale the setup you are planning to purchase. 

The licensing model is simple, but some of the software blades are not included into the default bundles and should be purchased separately - pay attention to that.

We didn't evaluate the other solutions.

The correct performance sizing is essential for this kind of software - use the tools provided by the vendor, and consult the sales if you are still not sure.

We use the solution as a firewall to monitor and prevent intrusion into our system.

The notifications are the most valuable feature of the solution.

The solution is expensive and the cost has room for improvement.

The installation documentation has room for improvement. We can use more detailed information because sometimes it is difficult to understand.

I have been using the solution for two years.

The solution is stable.

The solution is highly scalable.

We have 100 people using the solution in our organization.

I have had issues with the technical support not contacting me back.

Neutral

The initial setup is straightforward. The configuration is completed with a few clicks. After the configuration, we can access the portal and start using the firewall. 

We used a vendor for the implementation.

I give the solution a nine out of ten.

The maintenance is easy.

Check Point IPS has zero-day detection and next-generation servers which make it a good solution and I recommend it.