Hi https://community.checkpoint.com/people/376e8997-fad8-487d-a901-7c9d82a892ff 

Pro Check Point:

- easy and faster VPN configuration

- faster policy creation

- more security blades

- open server

- Linux as OS -> scripting

- higher security level

- multi domain management

...

Regards

Heiko

Facts vs. Hype

A lot of ASA management functions rely on the use of Java runtime of particular versions, specifically those that are considered insecure.

Additionally, look at this Cisco resource:

Security Advisories and Alerts 

and enter "ASA" to see the list of vulnerabilities that this line of products were a subject to.

Then, on the same site, select a "Non-Cisco Product" and look up "Check Point".

The results are pretty conclusive.

The number of Cisco advisories in the last few years with hardcoded credentials has been pretty alarming. 

We previously had a Cisco ASA protecting our Guest Network. Managing that thing was nightmare. It was always refreshing coming back to our corporate CheckPoint firewall interface. The ASA management interface is just so convoluted and more complicated than it needs to be. Not to mention its a Java application.  Many basic functions such as NAT and object management are so much more streamlined in CheckPoint. It's hard to describe without you actually having to use one over the other. 

Viewing logs is another nightmare on an ASA. It takes more work than it does on CheckPoint. This means you spend far less time debugging. 

I did some price matching last year, and the Cisco FirePower Product was 2-3 times more expensive for our application.

Also, there have been a spate of vulnerabilities affecting all of Cisco's product in recent history. Palo Alto too has its share of issues in this arena.  I can't remember the last time I had to put an emergency patch onto Check Point devices to harden it against something in the wild.

My personal feeling is that Cisco's Firewall offerings are overpriced due to people that are willing to pony up the cash to have all of their services be Cisco based. But their Firewalls end up seeming very much like a lot of modules slapped together that don't integrate well. They keep acquiring companies and then instead of integrating their software into the main product you end up needing something like an IPS module that runs a full operating system just for that feature. 

CheckPoint's product is more stable and modular to allow the OS to add and remove parts without necessarily needing hardware to do so. 

Also fixing issues in CheckPoint is nicer when you are able to login to a full Linux OS to run regular Linux commands and check log files like you could on any Linux server instead of memorizing hundreds of proprietary Cisco commands for every function.

For a very very simple answer, you can't beat Checkpoint logging.  One line one answer, you don't have to sift through syslog rolling off your screen or buy another product to see if your connection is working or not.  Checkpoints logging solution is top of the line.

For years I have been a firewall admin and worked on both Cisco ASA and Check Point one feature that has always stood out for me is the centralized management with Check Point.  So, say I am managing fifty firewalls and I need to roll out 1 rule, the same rule to all of them.  On Check Point management I can make the rule once then copy and paste it to all the other firewall policies.  On a Cisco ASA firewall I need to login to each one and create the rule.  That's a lot of time.  I did work for a large company with ASAs and I would have these make rules that needed to be put 50 firewalls and every time I would think this would be so much easier and faster if they was a Check Point environment.  

Better at what? This is an absolutely meaningless question and a waste of time to answer, unless you are specific on what exact parameters and use-case you are talking about. 

I had the priviledge of using Cisco (ASA, FirePower etc) and CheckPoint. For Network Security my own assessment is Check Point is miles ahead. That holistic integration of services(blades) and its rich-reporting capability also stands-out. Cisco is good also but Check Point is a step ahead.

agent in AD server and all login and logout event will come to cisco firepower management , in this case user will get single sign authentication when FMC is reachable . suppose for some reason when FMC will goes down or not reachable in that case all user affected which will not be authenticated without FMC.  ----------- Other side checkpoint is more reliable because in  Checkpoint when Mangement connectivity goes down and unreachable it will not impact on production - only one thing that we can not do changes but network is running good without fluctuation .-------------------->> so in this comparison Checkpoint is good  ---For mitigate this limitation in cisco we can make high-availabity for FMC so it will always reachable.

2. In cisco Local user we can not create - we shoule compulsary use authentication method like Radius or LDAP without this method there is no option available to make user locally.
--- Checkpoint have this feature means in checkpoint we can make local user

3.In Cisco when we have multiple objects for service and network etc, so in this case we should create manually - only when we will do migration from asa that will we get in migration tool directly but when we are migrating  to cisco firepoer from another OEM we should do manually .
-- In checkpoint newer version R80 provide this feature when we have bulk object we can create through CLI

4.Checkpoint SSL VPN provide OTP integration --- Cisco Firepower don't have option to configure OTP integration with SSL VPN -- they have only option for RSA which is published in new release.

5. IN Checkpoint we can assign IPS and Threat prevation profile  to all traffic directly from that blade - in cisco we have to assign IPS and Malware policy to each and every policy . so if we have around 4000 policy so we have to do manual process for all policy.