Editor’s note: Next-generation firewalls (NGFWs) are becoming an essential tool for organizations taking steps...
to fortify their network security. Our easy-to-digest reviews look at what you can expect from NGFWs. To help you understand what you should look for when assessing a next-gen firewall, click HERE for our NGFW buying overview.
Check Point Software Technologies, long a leader in the traditional firewall space, now offers a variety of next-generation firewall (NGFW) products and features. We reviewed the standalone Check Point 12610 NGFW appliance, which offers a variety of capabilities in a 2U chassis that has a number of flexible network card expansion and configuration options.
Notable Features: Check Point was easily the most user-friendly NGFW platform we tested. The interface is incredibly powerful and easy to navigate, and long-term Check Point customers will feel immediately at home configuring and managing the 12610 appliance.
Check Point utilizes its software blade architecture within the 12610 appliance. This means you can choose which specific feature sets you want to license. For this review, we chose the following:
- IPsec VPN
- Advanced networking and clustering
- Identity awareness
- Mobile access
- Intrusion prevention system (IPS)
- Application control
- URL filtering
- Email security
Check Point was easily the most user-friendly NGFW platform we tested.
The basic firewalling and VPN configuration options are powerful and easy to configure, although the Check Point-specific supernetting options can be clumsy and cumbersome at times. The advanced networking and clustering feature was also relatively simple. The key features for NGFW functionality were identity awareness, IPS and application control.
The identity awareness functions in Check Point's 12610 next-gen firewall are easier to get set up and working than they are in most other NGFW vendors' products. They allow for simple rules and policies based on user activities and identities. For example, creating rules allowing certain users to access particular sites (while explicitly blocking others) was simple and performed well. In some cases, however, blocking only parts of sites like Facebook and LinkedIn to users and groups did not work properly and would function only if the entire site was blocked. Integrating with Active Directory was relatively painless, but other directory sources were not tested.
NGFW buying advice and reviews
How to buy: Assessing next-gen firewalls
Fortinet FortiGate 3950B review
Palo Alto PA-5060 product review
Application control rules were somewhat less robust and capable than Palo Alto's, but they were easier to manage and integrate into the overall rule sets. The logging and alerting for application control rules were also the best of any vendor tested. Check Point's intrusion prevention rules were not as powerful as those in a standalone IPS, but they caught all major signature-based attacks sent through the device during testing. Turning on IPS rules caused a slight performance drop on the appliance, however.
Additional capabilities. The 12610 NGFW appliance can also integrate URL filtering, antivirus, and email security features (antimalware and antispam), acting as more of a content filtering gateway. Some of these attributes can be associated with NGFW application control and identity awareness rules, too.
The 12610 appliances can handle Secure Sockets Layer (SSL) and other encrypted traffic, with better performance than most. In testing, performance was only slightly affected when SSL inspection was enabled, although we noted some small performance drops when numerous application control rules were used in conjunction with SSL inspection.
The last word. The Check Point 12610 NGFW platform is a capable next-gen firewall system. Its extensive capabilities and flexible configuration, with very high performance and accurate application identification, make this a successful NGFW system altogether. In some cases, the Check Point appliance was challenging, however, with "all or nothing" blocking for applications like Facebook and failure to properly block certain applications like Skype. In addition, Check Point licensing is well known for being difficult to properly manage, and upgrades to its appliances are more difficult than they should be. Overall, the devices are very good, with solid features and management. Check Point is a good fit for customers of all sizes, usually trending toward midsize and larger organizations and core data center deployment scenarios.
How to buy: Assessing next-gen firewalls