One minor note on question 3: what you're calling policies, Check Point calls rules. In Check Point's terminology:
- Each firewall runs exactly one "Policy Package".
- A Policy Package is a collection of one or more "layers". These can be Access layers, HTTPS Inspection layers, and/or Threat Prevention layers. Each policy package can be applied to one or more firewalls.
- A layer is a collection of one or more rules.
- Access layers cover traditional source-destination-service-action rules.
- HTTPS Inspection rules govern whether the firewall will try to insert itself into TLS negotiations.
- Threat Prevention layers govern how deep inspection features like IPS, antivirus, and so on are applied.
The number of rules in a policy package is not limited, but adding more than about 10,000 slows down the rule management UI. Even very large policy packages don't usually affect the performance of traffic through the gateway; they mostly affect the ability to scroll through the rules and make changes to them in the management client.