The architecture proposed is based on Microsoft’s Cloud Adoption Framework enterprise-scale landing zone architecture. Enterprise-scale is an architectural approach and a reference implementation that enables effective construction and operationalization of landing zones on Azure at scale.

We're using CloudGuard solution in a NorthBound - SouthBound design to protect and filter both incoming and outgoing traffic.

Also, we are using a VMSS solution deployed in Azure, with a minimum of two instances

The design is based on a "Hub & Spoke" model in which the environment is set up as a system of connections arranged as a kind of bicycle wheel where the spokes are connected to a central point in the hub, and all traffic to and from the spokes passes through this hub.

The NorthBound/SouthBound design solution allows traffic to be scanned and filtered both when entering (NB) and exiting (SB) the organization.

This design is also extremely suitable for segmenting a network. Network segmentation is usually done to reduce the attack surface of the network and limit the ability of a malicious threat to spread freely across the network.

Also, CloudGuard came with a new benefit in terms of scalability, with the VMSS solution capable of auto-scale in or out, depending on the resource demand.

The most valuable aspects of the solution include:

• Easy to administer and also to deploy, thanks to automated setup with pre-configured templates. On top of that, security comes first.
• The proactive threat detection results in huge risk reduction.
• It has a user-friendly interface; it's best in the market for policy management and log monitoring.
• There are multiple options to deploy (clustering, standalone, VMSS and single management solution, SMS or MDS, and even better: Infinity Portal).
• It has a really strong user community, which seems to compensate for the very poor vendor support.
• The capability to auto-scale in or out, depending on the resource demand is great.

Vendor support might be the weakest point of the CloudGuard solution. You really struggle to find a CloudGuard specialist, even for simple tasks. As mentioned before, you can find better answers to the user community (which is actually a downside of the product).

There are lots of limitations and discrepancies across different Cloud provider deployments.

Documentation might become too complex or too spread out, especially for newcomers.

As in the past, with traditional Check Point firewalls, it sometimes seems to be moving too fast with software releases and upgrade cycles, which are difficult to keep up with.

I have been using Check Point for more than ten years - and CloudGuard for almost a year.

Check Point CloudGuard Network Security helps to ensure the security and protection of IT systems. We have many API integrations and want to ensure its protection. 

The product gives analytic reports. 

Check Point CloudGuard Network Security should give productive reports as per business requirements. It needs to improve support since the time-limit extended beyond a day. It should include more seamless API integrations. 

I have been using the product for four years. 

The product's stability is good. 

Check Point CloudGuard Network Security is very much scalable. My company has 1000 users. 

Check Point CloudGuard Network Security's deployment is easy and takes one day to complete. You need four resources to handle it. 

The product's licensing costs are yearly. 

I rate the product an eight out of ten. 

We use it to protect Internet access from our AWS environment.

Before we implemented CloudGuard, we had no filtering on what was accessed on the internet from our AWS environment. 

Now, we can filter which websites users can access and block categories that are a risk. For example, we can block social media and gambling sites. This has helped to decrease the risk of access to malicious content on the internet.

It allows us to filter what the servers on AWS can access on the Internet and allows us to filter in terms of IPS, antivirus, and so on, for the contents that are accessed on the Internet.

The complexity to deploy should be decreased. 

I have been using this solution for about five years. 

It is a stable solution. It has been pretty stable for us. We haven't faced any problems since it rolled out. 

I would rate the stability a nine out of ten.

I would rate the scalability a nine out of ten. We have around 200 end users using this solution in our company. 

The customer service and support from the vendor take a lot of time. 

The first line of support is not very good. They usually start with junior engineers when you open a case, which can be time-consuming.

Neutral

I would rate my experience with the initial setup an eight out of ten, where one is easy and ten is difficult to setup. 

For the deployment, we work with the vendor. So, the deployment took two weeks.

We need to provision the firewall, deploy the manager, and understand where the firewall needs to connect, which AWS area, and so on.

We just needed more than two people for the deployment. We worked with the security network security architect and called them engineers.

With ten being very expensive, I would rate the pricing an eight out of ten. 

It is expensive.

It's worth it in the sense that it can protect your network, and it's very scalable.

Overall, I would rate the solution an eight out of ten.

We use Check Point firewalls and SMS servers in on-prem DC and in multi-cloud environments extensively. These are used to protect the perimeter, DMZ, and internal network to protect and inspect network traffic.

The firewalls are best of breed and provide extensive rich features and a diverse range of protection against DDoS, malware, ransomware, and zero-day attacks. Also, it is used for terminating client and mobile VPN tunnels, URL filtering, IDP, DLP, etc. 

The environment is Internal and a multi-tenant hosted for external clients which is a complex setup.

The new Check Point firewalls are best-of-breed and provide next-gen firewall features with AI and ML capabilities. This helps to reduce the operational support overhead and protects against new emerging threats.

Previously we used Juniper, Cisco, and other firewall platforms which have very limited capabilities and offer no inspection or threat-prevention features at all. 

Check Point has changed this dynamic completely and offers a complete security solution to protect all digital assets which is immensely helpful.

Identity awareness, URL filtering, IDS, DLP, Content Filtering, VPN, and Application Control are all excellent. They provide features to inspect internet traffic, data protection compliance, and DDoS attack detection and protection.

The Check Point firewall product that we picked up has an excellent feature set and all the required licenses, it's a nicely engineered firewall technology and has a great support team to escalate.

Features like threat prevention and protection are good to have to protect against zero-day attacks, malware, and ransomware.

Software bugs and OS releases can be very fast to keep up with. Check Point has a history of moving fast with software release and upgrade cycles which are difficult to keep up with at times.

New features should have a single-pane-of-glass view for on-prem DC and cloud environments. 

Licensing costs are very high compared to other vendors. Check Point needs to be competitive to keep the cost down for the customers and partners. 

The previous Check Point OS model had to support multiple OSs which was difficult and cumbersome (i.e. SPLAT, IPSO, GAIA).

I've used the solution for ten years.

We did use a different solution and wanted to have better security capability and visibility.

The solution is expensive but feature-rich.

We looked at other options and checked if the firewalls had all the security and compliance features required by the organization.

The solution is a core operating system, and we use it for threat intelligence.

CloudGuard has a better catch rate with respect to any attack which is happening. We once faced an attack in a customer's environment on one of our data centers, and Check Point Firewall blocked that attack. The solution's performance is on the higher side.

The feature most valuable to me is the NDTX blade that Check Point provides, and I like how the solution is not vulnerable. We haven't had any vulnerabilities in Check Point in the last six months, which is a plus point because the OS Check Point provides is hardened enough that it's not vulnerable to the newer issues, so the network security solution is given in a proper way. These features are an advantage for our customers.

The solution is easy to use once deployed if the administrators have a basic understanding of firewalling. Administrators just have to check the traffic passing through the solution, which will log the traffic properly. And if anything gets dropped, the solution will showcase that to you. The management server Check Point uses is a gold standard.

Check Point CloudGuard is not a feature-centric product because Check Point concentrates on security. For example, if a customer asks for reporting, it might not be available, like a bandwidth report. At most, the reports are given with respect to security, not infrastructure.

I've used CloudGuard for the last three years.

We have more than 50 customers.

Customer support needs to think about what the customer is talking about. They need to improve on that.

CloudGuard is not a plug-and-play product and requires proper technical knowledge to deploy it. You need the help of a proper professional to deploy it. Deployment hardly takes four hours, but that's only if you know what you're doing. You need to plan the deployment with respect to AWS. You have to know what exactly the customers have deployed in AWS or Azure, or any cloud solution, and based on the review, you need to do their architecture before you can start the deployment. The first step, then, is to understand the customer's data because everything is on a template when it comes to the cloud. You should understand which template you need to use on any cloud. It is impossible to deploy if you're not aware of the customer's environment and how the cloud infrastructure is made. After selecting the proper template, you have to do the implementation. The implementation will go smoothly if you understand the customer's requirements and infrastructure.

I would not say Check Point is very expensive, but when customers compare it with Sophos or any other products, the price is on the higher side.

In terms of features, FortiGate has more features in terms of routing.

Our customers use Check Point solutions both on-premise and on the cloud.

Check Point's research and development happening in terms of threat intelligence is better than its competitors, and Check Point's vulnerabilities are fewer. Check Point CloudGuard Network Security has proper security in place with respect to the vulnerabilities. They do not have any vulnerabilities right now. And the research and development happening on Check Point is on the higher side. Most zero-day attacks are protected against. Customers should go for Check Point because of these two points.

If a customer wants FortiGate instead, it's all about whether they can map the budget with Check Point or any other security solution. I cannot compare Check Point and FortiGate, though, because each has its own market.

I rate Check Point CloudGuard Network Security a nine out of ten.