Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Mohit_Yadav
Contributor

Cisco or Check Point

Which is better cisco or checkpoint & why? I am not able to get clear answer to this over the net. Can anybody explain in simple language. From features, pricing and any number of point of view?

22 Replies
PhoneBoy
Admin
Admin

Cisco focuses on a lot more than just security.

With Check Point, that's all we do.

_Val_
Admin
Admin

In other words. 

If if you need networking, to Cisco. If security is what you are looking for, go Check Point 

Mohit_Yadav
Contributor

But, cisco provides security also with ASA. What makes Checkpoint better than Cisco ASA?

Like Pro & Cons for both of them?

0 Kudos
PhoneBoy
Admin
Admin

For a general answer: WHY CHECK POINT – THE FOUR POINTS 

If you can provide a bit more details about your specific use case, we can give you more specific answers.

HeikoAnkenbrand
Champion Champion
Champion

Hi https://community.checkpoint.com/people/376e8997-fad8-487d-a901-7c9d82a892ff 

Pro Check Point:

- easy and faster VPN configuration

- faster policy creation

- more security blades

- open server

- Linux as OS -> scripting

- higher security level

- multi domain management

...

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
Danny
Champion Champion
Champion

Petr_Hantak
Advisor
Advisor

Unfortunatelly every vendor has his own version Smiley Sad

0 Kudos
Vladimir
Champion
Champion

A lot of ASA management functions rely on the use of Java runtime of particular versions, specifically those that are considered insecure.

Additionally, look at this Cisco resource:

Security Advisories and Alerts 

and enter "ASA" to see the list of vulnerabilities that this line of products were a subject to.

Then, on the same site, select a "Non-Cisco Product" and look up "Check Point".

The results are pretty conclusive.

Timothy_Hall
Champion
Champion

And the SourceFire-acquired FirePOWER product integration with Cisco ASA has its own issues, see this very eye-opening reddit thread from actual users of the product:

https://www.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/ 

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Josh_B
Contributor

And this one from last month. Many, many people are unhappy with FirePOWER

https://www.reddit.com/r/networking/comments/9vynr9/cisco_firepower_rant_ii/  

Timothy_Hall
Champion
Champion

Hadn't seen this most recent one, thanks!

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Josh_B
Contributor

The number of Cisco advisories in the last few years with hardcoded credentials has been pretty alarming. 

0 Kudos
Ryan_St__Germai
Advisor

We previously had a Cisco ASA protecting our Guest Network. Managing that thing was nightmare. It was always refreshing coming back to our corporate CheckPoint firewall interface. The ASA management interface is just so convoluted and more complicated than it needs to be. Not to mention its a Java application.  Many basic functions such as NAT and object management are so much more streamlined in CheckPoint. It's hard to describe without you actually having to use one over the other. 

Viewing logs is another nightmare on an ASA. It takes more work than it does on CheckPoint. This means you spend far less time debugging. 

Jason_Dance
Collaborator

I did some price matching last year, and the Cisco FirePower Product was 2-3 times more expensive for our application.

Also, there have been a spate of vulnerabilities affecting all of Cisco's product in recent history. Palo Alto too has its share of issues in this arena.  I can't remember the last time I had to put an emergency patch onto Check Point devices to harden it against something in the wild.

0 Kudos
Vladimir
Champion
Champion

I believe last time we've had to apply the emergency patch, it was for the heartbleed vulnerability.

0 Kudos
Aidan_Luby
Collaborator

My personal feeling is that Cisco's Firewall offerings are overpriced due to people that are willing to pony up the cash to have all of their services be Cisco based. But their Firewalls end up seeming very much like a lot of modules slapped together that don't integrate well. They keep acquiring companies and then instead of integrating their software into the main product you end up needing something like an IPS module that runs a full operating system just for that feature. 

CheckPoint's product is more stable and modular to allow the OS to add and remove parts without necessarily needing hardware to do so. 

Also fixing issues in CheckPoint is nicer when you are able to login to a full Linux OS to run regular Linux commands and check log files like you could on any Linux server instead of memorizing hundreds of proprietary Cisco commands for every function.

0 Kudos
Duane_Edman
Explorer

For a very very simple answer, you can't beat Checkpoint logging.  One line one answer, you don't have to sift through syslog rolling off your screen or buy another product to see if your connection is working or not.  Checkpoints logging solution is top of the line.

Leslie_Parece
Explorer

For years I have been a firewall admin and worked on both Cisco ASA and Check Point one feature that has always stood out for me is the centralized management with Check Point.  So, say I am managing fifty firewalls and I need to roll out 1 rule, the same rule to all of them.  On Check Point management I can make the rule once then copy and paste it to all the other firewall policies.  On a Cisco ASA firewall I need to login to each one and create the rule.  That's a lot of time.  I did work for a large company with ASAs and I would have these make rules that needed to be put 50 firewalls and every time I would think this would be so much easier and faster if they was a Check Point environment.  

Rob_Ballard
Explorer

I've managed Check Point firewalls for lots of years with no exposure to any other vendor until roughly 5 years ago, when it was decided, by management, that we needed to try Cisco ASA.   Since we've implemented ASA, I've now been exposed to just how good the Check Point solution is.   To Leslie's point, Check Point's central management is the most noticeable difference.   If I have the same policy across a large number of firewalls, it's one policy push to all.    However, with Cisco, it's copy/paste/paste/paste/paste/etc., with occasional random paste errors.

In the 5 years since we've had both in place, I've seen far more vulnerabilities reported on ASA's than Check Point's as well.

Logging is also a major difference.   Check Point offers it natively.  With Cisco, you have to use a SIEM solution of some kind.

0 Kudos
Andrew_Gabriel
Explorer

Better at what? This is an absolutely meaningless question and a waste of time to answer, unless you are specific on what exact parameters and use-case you are talking about. 

Douglas_Chenjer
Contributor

I had the priviledge of using Cisco (ASA, FirePower etc) and CheckPoint. For Network Security my own assessment is Check Point is miles ahead. That holistic integration of services(blades) and its rich-reporting capability also stands-out. Cisco is good also but Check Point is a step ahead.

0 Kudos
Harmesh_Yadav
Collaborator

agent in AD server and all login and logout event will come to cisco firepower management , in this case user will get single sign authentication when FMC is reachable . suppose for some reason when FMC will goes down or not reachable in that case all user affected which will not be authenticated without FMC.  ----------- Other side checkpoint is more reliable because in  Checkpoint when Mangement connectivity goes down and unreachable it will not impact on production - only one thing that we can not do changes but network is running good without fluctuation .-------------------->> so in this comparison Checkpoint is good  ---For mitigate this limitation in cisco we can make high-availabity for FMC so it will always reachable.


2. In cisco Local user we can not create - we shoule compulsary use authentication method like Radius or LDAP without this method there is no option available to make user locally.
--- Checkpoint have this feature means in checkpoint we can make local user

3.In Cisco when we have multiple objects for service and network etc, so in this case we should create manually - only when we will do migration from asa that will we get in migration tool directly but when we are migrating  to cisco firepoer from another OEM we should do manually .
-- In checkpoint newer version R80 provide this feature when we have bulk object we can create through CLI

4.Checkpoint SSL VPN provide OTP integration --- Cisco Firepower don't have option to configure OTP integration with SSL VPN -- they have only option for RSA which is published in new release.

5. IN Checkpoint we can assign IPS and Threat prevation profile  to all traffic directly from that blade - in cisco we have to assign IPS and Malware policy to each and every policy . so if we have around 4000 policy so we have to do manual process for all policy.

Harmesh Yadav
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events