Check Point NGFW Reviews

The primary use of Check Point NGFW is as a firewall that gives us the control of allowing in non-threatening traffic in and blocking malicious traffic. It is also a valuable tool that allows us to interconnect our remote sites via IPSEC VPN. 

This, alongside all of the basic blades such as Application Control, allows us to be granular when choosing what applications we allow within our organization and additionally filters based on categories combined with identity awareness. This allows us to be as granular as we would like with specific users/departments within our organization.

Check Point NGFW was one of the top contenders when we were looking to implement a new firewall strategy. 

We have had some issues with VPN tunnels specific to AWS, which were eventually resolved after a lengthy case however, other than that, the features offered are all great, and the firewall has done its job to my expectation. 

It is, however, difficult at times to read the actual documentation for the blades/appliance as it would appear that sometimes the terminology is incorrect or skewed, which leads to a longer implementation time.

As with any firewall, IPSEC VPN is the critical functionality. Not every organization has the budget to implement MPLS or SD-WAN, which makes IPSEC the go-to for site-to-site connectivity. 

Another critical blade/feature is the application control blade in combination with URL filtering. These two security features, tied together with identity awareness, are a game changer and allows an admin to be as granular as possible when blocking specific applications or allowing a specific application to a specific user/department within the organization

Being on R80.40, I am sure a bunch of features have already been implemented that I am not currently taking advantage of. However, one feature I have yet to see implemented is authenticated email support for alerts generated via the GW or SMS. As a security product, it is mind-blowing that this is not a thing today, and it only relies on SMTP un-authenticated to send emails to administrators. However, I'm not sure if that really applies to the firewall itself or if it is more so a topic of discussion for the SMS.

I've used the solution for five years.

We switched from SonicWall back in the day due to the feature sets available at the time.

We also evaluated Palo Alto.

We have deployed this software to provide comprehensive security beyond the Next Generation Firewall (NGFW). 

This software provides advanced analytics on any security measures that can have a great impact on our applications. 

It blocks malware attacks that can destroy data and leak confidential information to unauthorized parties. Check Point NGFW has helped the company to set up security policies that enhance the effective transfer of files and secure browsing strategies. There is improved prevention of external threats to data and increased production across the networking infrastructure.

Check Point NGFW has helped the company in the prevention of cyber attacks that could affect operations and slow down production. 

The intelligence reports from the real-time insights have helped members to avoid risks and plan efficiently for the future. 

Security threats that we used to experience before we deployed this product have been reduced, and the networking channels are ever safe. 

Sharing documents under secure infrastructure has increased the confidence of employees and enhanced faster implementation of tasks and projects.

The software provision of uncompromising security models across all the company applications has stimulated increased production. 

It has given the IT team full control and setup authority to scale down and deploy security to the most demanding platforms. 

The solution is safeguarding our financial databases and always has prevented fraud while giving employees peace of mind. 

The software has enabled us to come up with a unified dashboard that can monitor all accounting operations and investigate when there are security loopholes that can lead to data mismanagement.

The current features have a full set of security models that can protect any organization's information from ransomware attacks. 

When installed on Windows, the system with low storage space slows down. It is not compatible with all mobile devices and this may be unfair to some users. The next release can be more compatible with Windows and mobile devices for increased efficiency. 

I have experienced the best environment while working with this platform. All the data across the transactional records is ever secure under Check Point NGFW and I am proud of that great step ahead.

I've used the solution for nine months.

This platform is stable in the prevention of ransomware attacks.

I have been impressed by the performance of this software since we deployed it.

The customer support team has been always been responsive and interactive with our members.

Positive

I have not used a similar solution.

The setup was straightforward.

The deployment was done through the vendor team.

The current ROI is 35%.

The setup cost is good and the solution is affordable.

I evaluated other options. However, the company settled on Check Point NGFW due to its performance.

This is a great solution for many organizations that require stable data security.

I have a relatively small infrastructure, with a VMware Vsphere running all my servers on virtual machines. My network consists of approximately 30 workstations. The Check Point NGFW helps detect attacks against enterprise applications. 

It can enforce application functionality specific controls, monitor application data and content, and monitor HTTP, HTTPS, SMTP and other application protocols for better protection. I can audit applications running on my network, monitor their content and data, identify hosts on which applications are running, and identify users of the applications.

I have been using the Check Point NGFW as a primary firewall with all policies and rules configured on it. It helps as an Intrusion Detection System. This has improved my network performance as it illuminates suspicious activities before they reach the network. 

The network monitoring tool allows me to know who and what is hogging all the bandwidth and therefore apply it to remediate action and hence improve network performance. The Check Point NGFW helps me with QOS, during these times of work from home and virtual meetings, I can easily allocate required bandwidth to MS Teams, Zoom, and WebEx.

The most valuable features are the application and user control. This allows me to allow applications that encourage productivity and limit those that hinder productivity. The Network Address Translation (NAT) will always be a valuable feature as it allows me to turn my private cloud to the public at the click of a button and have secure control over the accessible servers/applications. sandboxing is also a valuable feature that allows the NGFW to act as an anti-malware, this would be largely helpful to prevent or minimize ransomware attacks.

Although very efficient, the product could be developed in a way that does not take a lot more system resources. It would be very useful if the Check Point NGFW was able to learn the environment and its user's real-time activities and automatically send only logs of interest to the security admin to actually force the security admin to review these logs since the logs are useless if not reviewed. Implementation and setup should be made as easy as possible. At times a misconfigured NGFW because of its complexity will be more of a vulnerability than protection.

I've used the solution for four years.

The stability is very good.

The scalability is very good.

Technical support is always on point.

Positive

We did use a different product. The previous solution was actually more complex to set up and had a high price.

The individual setup was complex. However, with the support of an expert on the solution, it became straightforward.

We used a vendor team. Their level of expertise was acceptable.

The ROI is on the positive side.

I'd advise users to find a local vendor of the solution they are looking into and compare all middleman pricing.

We also looked at Cisco Firepower.

The device is being used for perimeter security devices across multiple clients across sites. Check Point has not only improved our organization - it also has given us holistic perimeter and endpoint security protection throughout the enterprise.  

Our sites across the globe have Check Point perimeter protection.

Pros include:

• Internal Network Protection from outside network
• VPN connectivity for secure data transmission across multiple vendors
• File download antivirus security
• URL Filtering
• Application filtering
• Malicious domains blocking

The solution has helped out organization stay safe with its depth application filter, URL filtering, and SSL inspection. It's mitigated a significant amount of risk for corporate users as well as to host services at our terminal that need access from the internet. By far, it's the best security solution one can adopt for their organization. 

It's:

• Reduced attacks on DMZ servers
• Blocked access of malicious destinations hit by internal users
• Complete visibility about what is going and what is coming via internet
• Check Point is the industry’s unified cybersecurity architecture that protects businesses against sophisticated 5th generation cyber-attacks.
• Having multiple checkpoint products under the same roof provides consolidated security.
• Ultimately saving cost by having better centralized solution

The solution has a lot of valuable aspects, including:

• IPS & IDS
• Sandbox (Threat Emulation & Extraction)
• Ease of management
• Reports for analysis
• Better technical support
• Stateful inspection
• Application-aware boxes
• Threat detection capabilities
• Hyperscaling

Data loss prevention, compliance, threat emulation, and other blades overall make this a robustly unified platform for the implementation and management of security controls.

Since it is Layer 7, we are able to get down to the application level and block certain applications from even running.

Since it has an IPS in place, we are able to see possible attacks that have been prevented by the firewall.

The perimeter antivirus can be improved. It's not as good as other leaders.

Additional features that could be good to have/improved include:

• Modular capabilities 
• Integration with VMware and NSX products per client requirement
• 3rd Party support product is very limited 

The solution can integrate with other vendors to form IPsec connectivity with redundancy - which is only possible now between the CP to CP FW only.

The licensing part is a bit tricky. The product can simplify this further for ease of use.

They need to work on log size optimization.

Antivirus signatures should be updated in real-time.

We've used the solution for the last eight years.

The stability is very good.

The scalability is very good.

Technical support has been great.

Positive

We did not use a different solution previously.

The initial setup is straightforward. 

We had a vendor assist us.

We haven't used other products.

We also looked at FortiGate and Palo Alto.

Check Point is currently our perimeter firewall at various locations. We use their failover clustering with high availability option, which performs flawlessly. Upgrades are easy to perform and have always worked reliably for us. Technical support is always available to assist with these operations, which makes the process less stressful to the admins. 

We are also using their ISP Redundancy feature, which works as advertised - perfectly! It's easy to implement, especially with the awesome documentation from our engineer. We also use their Remote Access VPN offering and have really seen its value this past year, due to COVID-19. The VPN has been 100% rock solid, especially during the most critical times in our history.

As mentioned in the primary use case question, ISP Redundancy and VPN are the two primary use cases. When the pandemic hit, a sudden shift to a remote workforce was a major requirement for us, and we needed a reliable and stable firewall. Implementing ISP Redundancy helped ensure that, as well as having a tried and tested VPN solution. Upgrades have occurred during this time and manually planned failovers as well; every upgrade and test went smoothly and without issue. The last thing we could afford is an outage.

They offer very scalable solutions to extend compute resources if needed so initial sizing isn't too much of an issue as you can easily add more resources if needed. Reliability is a major factor in any hardware or software solution, and Check Point uses leading-edge hardware, and their software upgrade process is flexible for various deployment requirements. 

Policy configuration has been consistent over the years, so there is not much of a learning curve as upgrades are released. 

Their threat analysis reporting from their management console is very comprehensive and easy to use. Their web-based dashboard is well designed and offers many out-of-the-box reporting, and provides admins extensive customizations.

The pricing is on the high end, specifically with the software licensing, although they are flexible on some levels, and offer hardware buyback options when upgrading. 

The software licensing model is too complicated with all the various tiers of SKUs (i.e. per software blade). They need to simplify this for easier purchasing and renewing. 

Customer support is not always as responsive with solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.

We have been using Check Point firewalls for 20+ years. We originally used the Nokia hardware platform, which was not technically NGFW at the time, however, the OS and its configuration have maintained some similarities over the years. It keeps getting better every release.

Lately, stability is 100% reliable. Earlier generation firewalls were a bit unreliable, however, as Check Point acquired third-party hardware. For example, their Nokia acquired security appliances had a firmware that worked, until they started to modify the firmware (IPSO 6.0 was solid, but problems started with our upgrade to R75), then it became less stable; frequent crashes, settings not saving, high availability issues, frequent reboots required.  Eventually, we upgraded to their NGFW offerings.  Their newer hardware, and firmware R77.x was released, and we have been stable ever since.  Upgrades to R80.x have been flawless, HA works as expected, and we have had zero performance issues.

They are very scalable. If you need more computing resources, adding more hardware is easily done.

Customer support is not always as responsive to finding solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.

Positive

We have always used Check Point.

Setup was very straightforward and easy. We did have the assistance of our Check Point engineer, which is just awesome.

We implemented through Check Point directly.

I do not measure ROI financially, although personally speaking, we have definitely gotten back every dollar we've spent by having reliable and secure infrastructure.

The setup cost is not a challenge at all. Check Point engineers work directly with you throughout the whole process. The pricing is high, for the hardware and software, although discounts are negotiable. The software blade licensing is broken down into many flavors, depending on your needs. It is very a la carte and provides various product offerings, including endpoint management, VPN, disk encryption, etc.

We did review a few competitors during a possible migration plan. The proof of concept did not yield better results, so we stayed with Check Point. We reviewed Cisco, Palo Alto, and SonicWall.

If you don't need/use their a la carte software blades (FDE, Ransomware, etc.) you can always add on later. They are very accommodating with trial licensing to test in a proof of concept way. If you already have other third-party products that perform those functions, you can bundle Check Point's and save a bit of money consolidating them.

We needed to replace our external firewall solution as we were having issues with the HTTPS inspection on our previous solution and the level of support being provided was terrible, leaving us with an issue that could not be fixed for over six months. 

We had already deployed a new internal firewall solution but needed something that would protect that from external factors. We also needed a new solution to replace our client VPN solution. The Check Point solution gave us that as one whole solution instead of having to manage multiple services.

Our policy is to deny all outbound traffic unless we allow it, which can generate a lot of work to build a rule base that allows everything we need to get out. 

This solution has made managing connections out to the web much better due to the categorisation and app control that is available. Being able to say certain apps and services are allowed out, instead of finding all the relevant IPs, has massively reduced the workload. The ability to manage the Client VPN and relevant rules for that in the same location has also improved the way we work. Having links into AD for group membership recognition and having rules based around this has been very useful in improving the way remote users can access the network.

Logging has been excellent. Being able to see all logs from all the various firewalls at different sites in one window has made fault finding much easier. We can see how the traffic is moving through the sites and on which firewall. 

It has also been easy to see machines that may have had infections as we can report easily on devices trying to talk out to sites and services that are known to be dangerous. We have these set up as an HA pair on our main site and we have a lot of audio and video services that go out over the web. 

The failover from one device to the other has been seamless and we find that we do not lose ongoing SIP calls or Teams chats. 

The functionality of the S2S VPN service has been temperamental for us at times and is not always simple to manage or check the state of. 

We find the GUI to be wrong and the CLI doesn't always show all of the connections. 

From a general usability point of view, if you have not used Check Point before, the learning curve is steep. Perhaps managing and configuring the devices could be streamlined for people with less experience so that they can pick it up quicker. There needs to be extra wizards for the out-of-the-box builds.

I've used the solution for six months.

On the firewall side and content filtering side of the solution, it has been faultless. There has been no real downtime to note and the access to the web via relevant rules has always worked as expected.

We have a fairly small setup in the grand scheme of things, however, from what we have seen, the ability to add in new firewalls or increase the hardware spec seems very good and it would be easy to transition from older to newer hardware when the time comes.

Due to the support model we signed up for, we don't deal directly with Check Point support. We deal with the vendor first and they will deal with any 1st/2nd and even most 3rd priority issues. They would then go to Check Point if they need more assistance on our behalf. The level of support and responsiveness of their support has been excellent. We're always getting at least a response within a few hours, even on a P3/P4 issue.

Positive

We did have another solution, but due to an issue with the HTTPS inspection that the manufacturer was not able to properly rectify or fix for 6 months, we lost faith in their ability to provide adequate support going forward for any issues we might come across. 

The setup was complex due to the nature of the Check Point firewalls and us having to make some config setup in one portal and others on the CLI. We also had to arrange the rule base via the management console. There could be 3 different places you need to make various changes. We also used private microwave links as redundancy for VPN connections and that had caused significant issues in getting set up as the link selection did not cooperate at first.

We implemented via a vendor and I have to say their level of expertise was brilliant. Every question we threw at them, they were able to provide an answer to. 

It was not the cheapest solution to go for, but the amount of admin time that has been saved by the use of Check Point firewalls has definitely given us a great return, giving us more time to work on other aspects of our network. Also, being able to consolidate 2 solutions (Firewall and Client VPN) into one solution has saved more money and admin time. 

We found that Check Point was very flexible with its pricing. We were looking at a spec of hardware in other solutions. We found that Check Point did not have a direct competitor, but to help with the bid, they managed to reduce the costs of their higher-spec hardware to make it competitive with the other solutions we were looking at. It's not our fault they did not produce the hardware of a similar spec. It's up to them to try and provide a solution that would make it a competitive solution. 

We looked at several other solutions in including Palo Alto at the top of the market and Sophos XG further down.

I would say as good as the solution is, if you are looking to get the most out of it, you should look to get a company or consultant who knows the Check Point solution inside out to assist with the setup. We found a partner who specialized in Check Point and we would not have been able to get it to the stage we have without them.

I have been designing, deploying, implementing, and operating Check Point's Security solutions including NGFWs and EndPoint security as well as Remote Access VPNs, Intrusion Prevention systems, URL filtering, user identity, UTMs, et cetera, for around 12 years. 

I have also used VSX and MDS/MDLS solutions. In my organisation I am using over 150 virtual and physical appliances and also MDS for virtualized/contanerized central configuration management and also central log management MDLS/MLM. We are using this not just for NGFW but also for other Perimeter security solutions.

This solution has helped keep the security posture of my organization in the best possible shape. Check Point's solutions stay a cut above its competitors to make sure your IT infra Cyber is safe from both known as well as zero-day attacks and malware. 

From an operations point of view, Check Point solutions are the best in terms of providing central configuration management and also central log correlation and management. Additionally, Check Point's virtualization solutions around VSX are super-efficient and very stable.

I found Check Point's software ability to provide for all the perimeter security solutions including next-generation firewalls, intrusion prevention systems, identity and access management, and URL filtering. They are all excellent. Check Point's Central configuration management, central log correlation, and management solution are a cut above the other vendors and are the best in the industry. Check Point's virtualization solutions are also very efficient and can be scaled. They are highly stable solutions (MDS/Domain Managers & MDLS).

To be very very honest, I do not see any major gap or improvement area for any of Check Point Cybersecurity solutions, whether it's your enterprise be cloud-based only, on-prem (Private cloud or Legacy infrastructure), or hybrid infrastructure. Check Point's solutions are highly cost-efficient, have low OPEX costs, are very stable, are safe and secure, and helps maintain the enterprise's security posture. 

Check Point's security solutions are a cut above the other vendors, not just today but for the last 30 years. Without having to mention any gaps, Check Point's development team works hard to stay ahead of technology in the cybersecurity space.

I feel the only thing that I see as a possible improvement in Check Point software is the lack of ability to create "static discard routes" which makes it difficult for NAT ranges to be advertised via BGP to neighbors. Although Check Point has an alternative of creating a dummy interface to introduce "directly connected" routes for NAT ranges so that they could then be advertised up/downstream, having the ability to do so using "static discards" would be a great thing to have.

I've worked with the solution for a little over 12 years.

The product is very stable.

The solution is highly scalable.

The sales, pre-sales, professional services, and tech support are all very nice.

Yes, and we switched because Check Point proved to be more reliable.

The initial setup is absolutely straightforward.

We implemented it through an in-house team.

Every dollar spent is worth it.

Yes, we looked at Cisco, Juniper, and Palo Alto.

Not at the moment.

In our organization, we are using distributed device management. Here, management and distributed devices are separate deployments. Therefore, our management is very easy in our organization for traffic management. Here, tier architectures are used. That smart console, smart getaway, and management are different devices. Each device is connected to the other. 

Threat prevention is used as well. Basically, threat prevention is used for preventative management traffic entering into our internal organization. The hash value is used whether traffic is legitimate or not for distributed traffic. 

We are using Check Point for URL filtering. 

In our organization, we are using policy configurations where various policies are configured for internal to outside organization communication, and our DM's are there too. Various zones are created in our organization. 

For each particular zone, if I want to communicate with the external zone, then I need to create a policy for internal to external. Various rules can be created, particularly for organization communication outside the organization. It will be configured in our organization and four gateways are there allowing for our four different locations to communicate. 

In our HR deployment, hiring deployment, there is a new and legacy mode that we are currently using.

The distributed deployment is very helpful. This way, the burden on each device is less and management is very easy and CPU process utilization will be not high on a particular device - it'll be distributed on each device. Management is very easy.

We like that it is a next-generation firewall where hackers would need to inspect down to a seventh layer, an application layer, and that offers us better protection. 

The initial setup was straightforward.

The solution can scale.

We would like to see constant improvement in anti-malware functionality and anti-threat protection.

Various functions affect our organization's traffic performance.

They need more focus on the stability of IP security.

The organization has used the solution for five years, however, I only joined the company two years ago. 

It provides very good stability for traffic management and network flow. We monitor various locks that will be there for internal and external traffic. I'd like, however, more stability of IP security, more of that is needed. Sometimes there is an issue in IP security clarity.

The scale is currently very good. In our organization around 3000 or more employees use it. There is two IT personnel that will configure 30 Check Points, 13,500 gateways will be there and it will handle around 3000 plus employees. 

We will increase usage. Currently, one new branch will be open. They are also migrating from Fortinet to Check Point's firewall. The previous they did 40 deployments here, however, currently they're migrating to the Check Point next-generation firewall.

Tech support is very good. After logging the call, if there is an issue discovered, they are very supportive. They are helpful and responsive. We've very happy with them.

Positive

We used to use Fortinet, however, it did not go deep enough and check down to layer seven.

The initial setup was straightforward. That said, I wasn't part of the initial setup, as it was set up before I came to work with the organization.

I'm comfortable with the licensing. The pricing, for what you get, is pretty reasonable. 

I'm an end-user of the product. I don't have a specific business relationship with the company.

I'd rate the solution at a ten out of ten.