Check Point Cloud Firewall (formerly CloudGuard Network Security) is a cloud-native application protection platform and a suite of multiple products. We primarily use it for our hybrid multi-cloud environment, primarily around cloud environments. The deployments for different clients were a bit different. For one of the clients, it was just a single cloud vendor, which I believe was AWS, and then multi-organizations with hierarchical architecture.

The intent was to manage hundreds or perhaps thousands of EC2 instances and Kubernetes workloads, EKS (Elastic Kubernetes Service), and a lot of PaaS applications, Infrastructure as a Service, container registries, and ECR. The end result was to understand the overall security posture of the cloud, figure out if there are any deviations, and make sure that there is no zero-day and all the detections are in place. Check Point Cloud Firewall (formerly CloudGuard Network Security) is a typical CNAPP suite that comprises cloud workload protection, runtime security, and code quality checks, not just your typical SonarQube or SAST, but definitely something that can integrate with your VCS.

The advantages of Check Point Cloud Firewall (formerly CloudGuard Network Security) as a service provider include the platformization story that every single major security provider is doing, something similar to what Palo Alto does.

Check Point had lacked this particular capability in their product stack, so they brought in CloudGuard, integrated it, and used many of the Check Point next-gen firewalls capabilities, along with threat intelligence. This typically brings a lot of other security solutions together, gearing it primarily for the cloud and multi-cloud environment.

With regards to capabilities, it helps detect any attacks that typically fall under the zero-day category. I would not focus on signature-based scanning because that is something everyone can do practically. You can build policies to avoid unintended exposure of storage buckets, sensitive data disclosure, and manage misconfigured policies or privileges that are quite extensive, not following the least privilege principle. It also takes care of that.

Check Point has augmented many API security capabilities as well. If you are hosting any APIs using AWS PaaS services, such as API Gateway Lambda, even on-premises, it can fairly detect standard web vulnerabilities, OWASP Top 10, and all of that. I think that is decent as well. We have pretty much got most of them.

Regarding organizational risk, Check Point Cloud Firewall (formerly CloudGuard Network Security) is definitely meant for improved visibility and risk mitigation. If you have got multi-cloud environments, you cannot use cloud-native services efficiently and effectively because you look at two or three different clouds with controls scattered across them. You do not have a centralized pane of glass, and you do not know what happens to a particular traffic flow if it is moving from one cloud to another. This product is not just Check Point that does this; Palo Alto and Wiz also provide similar solutions to an extent. You get an entire view of it, knowing what controls already exist, which helps build additional policies and definitely aids in risk mitigation.

Check Point Cloud Firewall (formerly CloudGuard Network Security) is definitely lagging behind its peers. I am not sure what the reason is. Compared to Palo Alto, they are not there in terms of capabilities and feature set. I do not think there are any obvious misses, but there is mostly lesser adoption in the industry.

Regarding the negatives, sometimes we encounter challenges, especially if a feature may not be working, but that is typical of any vendor. There is no glaring gap; it is a solid product, but based on my experience, the adoption has not been on par with what its peers are doing.

From time to time, we do face challenges with some features, especially if you need to configure a policy where you may need false positive fine-tuning. Sometimes, you have these anomaly detections, which are crucial from a zero-day attack perspective, but they can create a lot of false positives. When you have to tweak, you sometimes need to bring in technical assistance or professional services to achieve what you want. The documentation may not be quite sufficient. There were instances in the past, but I am not sure if they have ramped it up quite significantly recently.

I have been dealing with the product for about three and a half to four years, starting after COVID for sure. It happened sometime back in 2022, which was the first time that we saw and used that as a comparison with Palo Alto and other firewall products, Cisco Secure Firewall. Check Point ramped up a lot of its capabilities, including CNAPP and all the additional detections that it can bring in, threat prevention, and then adding on visibility, deep packet inspection, and things of that nature. So it has been about four to four and a half years now.

Check Point Cloud Firewall (formerly CloudGuard Network Security) was stable; we never had any outages because of it, so definitely stable. We had a couple of instances, but I would not count that against Check Point since that is typical for most vendors. We raised a couple of feature requests that they introduced in later releases, which made us happy. Nothing glaringly bad; it was mostly stable. Because it is more of a CNAPP solution, it will not disrupt significantly, and we had a very conservative configuration, especially regarding preventive controls.

The product is super easy to scale; just talk to PS. If you do it on day zero, then that is really great. Wanting to do it afterward is possible, but you have to plan it well.

The technical support is great. When working with an EMEA client, the majority of the TAC was based out of Israel, and they are fantastic with quick resolutions and turnaround times.

I would rate Check Point's support nine out of ten; they are really good.

I have tried both Check Point Cloud and other providers such as AWS. If I were not under strict regulatory jurisdiction, I would prefer Check Point Cloud itself, as you get better support and they own the infrastructure. Troubleshooting becomes simple, and they seamlessly take care of the pre-provisioning of the underlying infrastructure. However, for a few clients in financial services with strict regulatory requirements, we had to create it on our infrastructure.

The deployment of Check Point Cloud Firewall (formerly CloudGuard Network Security) is very seamless. It learns when you operate in monitoring mode on day zero and day one, understanding the lay of the land, checking what services you have, tweaking them, and applying policy compliance templates like PCI DSS or HIPAA. You can use all those templates to start configuring your policies, so it is pretty robust. Day zero is smooth, just API integration, service principal, and API keys. If you need to integrate with GitHub or other platforms, there are additional integrations, but it serves the purpose by default.

The deployment procedure for Check Point Cloud Firewall (formerly CloudGuard Network Security) is straightforward and takes only a couple of minutes for initial integrations. Fine-tuning takes some time because every environment is different, and you must first understand what the product does and its capabilities before tailoring the configuration. But it is really straightforward, and they have it well documented. If you are using very unusual SaaS applications or non-standard configurations, that might take a bit more time, but that is the same for most others.

You cannot compare ROI from one vendor to another definitively, but if I compare against capabilities that I never had before bringing in Check Point Cloud Firewall (formerly CloudGuard Network Security), then there is quite a decent ROI. The product itself is cheap; whatever capabilities that you get are significant. Low cost significantly brings a decent ROI. Additionally, because you have a centralized pane of glass to manage the entire infrastructure, the cloud security piece reduces the workforce needed for management, which definitely contributes to ROI.

Check Point Cloud Firewall (formerly CloudGuard Network Security) is comparatively conservative in terms of pricing; it is not a very expensive product. If you are a Check Point shop with multiple products throughout your infrastructure and have a good relationship with a decent reseller, then I think their pricing is much more conservative compared to Palo Alto and a couple of other vendors.

If you look at adoption, if you have got ten clients, then seven or eight of them go with Palo Alto, and the remainder get scattered between Cisco and Check Point.

If you are a Check Point shop, then it integrates really well. The basic integrations that you have with identity and access management and SIEM solutions or SOAR platforms work well. All decent vendors have playbooks that center around Check Point, so I think those are decent and not a challenge. There are a lot of out-of-the-box integrations available, and if you want to build custom integrations, you can work with the TAC or professional services and get that done. If you are a Check Point shop in its entirety, if you have got CloudGuard, Harmony, and the old Check Point UTMs or next-gen firewalls, all of them stitch seamlessly together.

Check Point Cloud Firewall (formerly CloudGuard Network Security) is available through the AWS marketplace, and if you have got a committed spend, you can use that toward purchasing via the marketplace. While I have not used it personally, it was communicated as an option available by our resellers.

I would rate Check Point Cloud Firewall (formerly CloudGuard Network Security) somewhere around seven or eight overall. The adoption is a bit low, which makes me curious about the roadmap; if you have a great market share, you typically see a very decent number of feature releases coming out all the time. Considering stability, ROI, and other factors, I think seven is a fair rating.