I have a fair amount of Cisco background including a CCNA Security cert and was a CCNP at one point.  Cisco makes great routing/switching products that I enjoy working with, however the acquisition of Sourcefire and the integration of it into FirePOWER has been a huge train wreck.  Some eye-opening reading from real users of the product:

https://www.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/

I've been working with CheckPoint gear for a little over 4 years now as a customer.  And my company has been a CheckPoint customer for nearly 20 years.

In a large production environment, CheckPoint is the only firewall I've ever used.  Though I've seen demos from the other big guys.

I love working with CheckPoint gear.  It is fun and challenging (sometimes exceedingly challenging).  The product is solid and if you pay for it, support is amazing.

CheckPoint is an enormous platform and it is difficult for 1 person to be an expert in every aspect.

Here's a couple good things to say:  Day-to-day gateway management is a breeze and is enjoyable to work with.  Using the platform for IPSEC VPN is amazing.  It's daunting and overwhelming at first.  But their implementation is brilliant.  Deep troubleshooting can be annoying, but it is getting better.

Here's a bad thing: Licensing - licensing stinks.  It is a royal pain in the behind and my least favorite thing to deal with.

Any vendor you end up dealing with is going to have their strengths and weaknesses.  The trick is finding the one who's strengths play to your objectives and their weaknesses are someone else's problem.  🙂

Here's my advice:

*Form a super-strong relationship with your sales person and your SE.
*Once you get a large presence in the platform, sign up for Diamond Support (or negotiate it in).  You won't regret it.
*GET TRAINING (your sales guy is going to hate me - but negotiate this one in every time you buy something)!  This is an absolute must for a beginner (and even those who have been around a long time) in this environment.  Continuous education with this platform is a must for you to remain successful with it.
*Make sure you have a lab environment.  Playing around in production is a disaster waiting to happen.
*Grab the Max Power troubleshooting books by Tim Hall (he posted just above me).  Great resource to have on hand.

At the end of the day (or, rather, beginning) I look forward to coming into the office knowing that I'll get to play with this platform.  There are some annoyances, sure.  But they are far outweighed by how awesome the platform is.

I'd have to second the opinions voiced here.

I've worked with SonicWalls, Cisco PIX, NetScreen and, most recently with Fortinet as well as a number of other products, notable exception being Palo Alto.

Of all of them, Check Point seem to have the best logical approach to the management, logging and analytics.

Completely agree and cannot emphasize strongly enough a need for training. Bake it into the purchase cost. It will pay 100 folds.

Once you'll get the idea behind the product, its capability to managing the distributed environments is truly awesome.

Of course there will be occasional troubleshooting and deep diving, but of my recent 40 or so designs and implementations with R80++, with the ability to model a lot of it in the virtual labs using evaluation licenses, I had zero unresolved issues even in some very complex (by my standards) environments.

I am relatively new to manage Check Point firewall (only about a year) but things are really easy in R80 +

Our other sales rep tried to sell us Cisco ASA/Firepower and insist on showing us demo. During the demo I asked 10 questions on "how do you do......"; At the end of demo everyone on the team felt the same way: it's easier to do it/manage it in Check Point.

If you are familiar with ASA and want to stick with it (without the firepower license), I'd advise you evaluate whether or not its capability can catch up to current threat landscape.

Hi guys,

I have been working with various firewall manufacturers for many years and I am also certified by some of them Check Point (CCSM), Fortinet (NSE5), Cisco (CCNA Security), Juniper (JNCIA Firewall), Genugate and a little with PaloAlto.

Check Point is much better than other manufacturers in many point:

- Simple and very good central management

- Easier and faster VPN configuration

- Very good clustering

- Easy creation of policy and NAT rules

- Easy central management of all blades: IPS, Anti Bot, Anti Virus, Anti Spam, URL Filtering, Application Control, IA, DLP, ...

- Central logging

And much more.

If you can handle  an ASA, then you can handle a Check Point Firewall perfectly after approx. 1 week.

If there are still questions you have here a very good forum with CheckMates:-)