We primarily use Check Point CloudGuard WAF for web application security. It protects applications from various threats and vulnerabilities like SQL injections, cross-site scripting issues, and cross-site request forgery. We ensure proper security policies and logs are maintained.

CloudGuard WAF helps by providing advanced protection for web applications and APIs, defending against the OWASP top ten scenarios, and offering comprehensive AI-driven behavior analysis. This assistance in data protection is vital for financial domains such as banks.

One of the best features of CloudGuard WAF is its user-friendly GUI dashboard. It's easy for beginners in security to understand and set policies. The solution's easy access and AI-driven behavior analysis for real-time threat detection are also highly valuable.

Support could be improved, particularly in terms of availability. Although they provide 24/7 support, there are sometimes delays in delivering solutions. Advanced bot protection has recently been improved, which has helped a lot.

I have been using the solution for over four to five years, working as a project manager and handling implementation projects. We are primarily focused on Check Point CloudGuard implementations.

I would rate the stability of the solution as a nine out of ten. The solution is quite stable.

In terms of scalability, I would rate it a nine out of ten. The solution is highly scalable.

Customer service is satisfactory yet requires some improvement. I would rate support as an eight out of ten, as there is room for enhancement.

Positive

I have experience with other WAF vendors such as Imperva and Imperva WAF, which are leading products in India and have a significant presence in the US and UK.

The initial setup is generally straightforward, yet it can vary depending on the client's platform and whether deployment occurs on-site or remotely.

We have a team of around 25 engineers; 50% handle project implementation, while the other 50% provide post-deployment support.

Return on investment is seen when data is properly organized, and the ability to show reports to top management ensures that their expectations are met.

Pricing is average—not too expensive, yet not cheap either. CloudGuard offers bundled packages, which may reduce costs compared to paying for individual features as opposed to other providers.

I have evaluated solutions like Empower and EmpowerVac, which are leading WAF products in India and other countries.

I would definitely recommend Check Point CloudGuard WAF to other users due to its availability, scalability, and support. These aspects contribute significantly to receiving new contracts and maintaining client referrals.

I'd rate the solution nine out of ten.

Currently, I am working in a DNB environment. Since we have on-premises to Azure traffic, we utilize the Azure subnet. From the Azure subnet, we have different tags and servers hosted over the Azure side. When our internal traffic moves from the DNB to the Azure site, we use the CloudGuard firewall. Multiple tags are created in that firewall, each containing multiple servers. Users connect through the Azure site, utilizing an ExpressRoute link from on-premises to Azure. The CloudGuard firewall at our premises helps secure traffic to the Azure site.

The CloudGuard firewall's multiple features like web access filter, HTTPS inspection, and authentication are very useful in our environment. It provides secure and flexible connectivity between the user and the Azure subnet.

The most valuable features are its ease of use and multiple functionalities. In CloudGuard, we create tags with servers, which makes connections secure and flexible. Features like web access filters, HTTPS inspection, and authentication are very important for our environment.

The user interface, SmartConsole, sometimes malfunctions and requires a restart. This part of the interface needs improvement.

I rate the stability as seven or eight out of ten. We sometimes experience lagging, crashing, and downtime.

The scalability of CloudGuard is very good. I would rate it as nine.

Whenever we observe any issues at the firewall level or require assistance, we contact tech support. We open cases, especially during upgrades, and they provide standby support. I would rate their support as eight out of ten.

Positive

When I joined the project, most of the deployment had started, so I was not aware of previous solutions used by the company. Personally, I have worked with Check Point on-premises firewalls but not on the Azure site before joining this company.

Some deployments were already in progress when I joined, and I participated in about half of the deployment process. It was easy with third-party vendor assistance, if required.

The deployment was handled in-house with occasional vendor support related to specific components such as blades.

Pricing is a bit high, but it is justified considering the features and support provided by Check Point.

I recommend CloudGuard for its extensive security features. It not only provides security but also detects threats and inspects traffic thoroughly. It is especially useful for securing connections between users and Azure subnets.

I'd rate the solution eight out of ten.

We were focused on mitigating malicious activity at the application level. We were searching for technology to help manage frequent traffic issues, which is why we decided to implement a WAF. Our main use case was to also address the security of APIs. Since we were using many APIs in our environment, we wanted a solution that could manage restrictions and throttling for these APIs effectively.

The WAF allowed us to define objectives like throttling to control API usage. Additionally, we utilized the WAF to handle OWASP Top Ten vulnerabilities by creating rules to inspect incoming traffic from the internet to our internal infrastructure. Suspicious activities would be flagged and alerted as necessary. These features were key to our decision to implement the WAF in our last organization.

Check Point CloudGuard WAF provides a range of built-in features. It includes default policies based on the OWASP Top Ten vulnerabilities, which help detect and mitigate common threats. However, for vulnerabilities beyond the OWASP Top Ten, the WAF also offers the flexibility to create custom rules.

You can create and implement custom rules if you need to address other common vulnerabilities in the external environment. There are various options for implementing these custom rules, including using Terraform. For organizations that prefer to use only default policies, those are also effective at handling traffic and identifying application-specific vulnerabilities.

WAF solutions offer a wide range of features, and many cloud vendors integrate WAF capabilities directly into their platforms. For instance, Azure CloudGuard includes built-in WAF features fully integrated with the Azure environment.

Within this platform, you can easily define API restrictions, set web application vulnerability policies, and manage security headers like content security policies and HSTS policies. This integration streamlines the process of configuring and managing these security features, making it more efficient than using separate tools for each task.

When I was working with the WAF platform, there were limitations, particularly concerning compliance and reporting. Managing multiple tools for different functions like WAF, firewall, CDN solutions, and antivirus—could be cumbersome for organizations. They often prefer a more centralized platform to manage various features efficiently.

While having separate tools can enhance visibility and support a defense-in-depth strategy, the WAF platform's reporting capabilities could have been improved. 

Security headers, such as content security policies and HSTS policies, protect applications from web vulnerabilities like cross-site scripting attacks and cookie theft. These parameters can be defined at the CloudFront level or within a WAF.

WAFs operate in two main modes. Initially, they may be set to detection mode, monitoring activity without blocking traffic. This is useful for assessing the impact and tuning the rules. Once your implementation and team are ready, you can switch to the blocking mode, where the WAF actively blocks suspicious traffic. It’s important to carefully configure this mode to avoid blocking legitimate traffic, which can cause disruptions.

Additionally, you might see cost savings if you don’t use an API management platform and instead rely on WAF to manage API-related features. However, the decision depends on your specific architecture and implementation needs.

Overall, I rate the solution an eight out of ten.

Due to the nature of our business, we have heavily invested in backend API development, providing services exclusively through this interface. Similar to how banks and medical industries utilize data from centralized sources, our APIs cannot be exposed directly to the Internet. To safeguard these critical APIs, a robust security solution is essential. 

Check Point CloudGuard WAF fulfills this need by intercepting all incoming internet traffic, categorizing requests as legitimate or malicious, including attack details, and blocking suspicious activity at the initial stage. Only verified, non-malicious requests are permitted to interact with our APIs.

When we activate the WAF, our security signatures and all the latest threat intelligence are immediately updated. Our protection is automatically refreshed every few hours to address emerging threats. For example, if a zero-day attack originates in Europe, Check Point CloudGuard can detect it within minutes and distribute a new signature globally. This ensures that when the attack reaches Australia, it is already blocked by our up-to-date WAF.

Although the WAF still produces false positives because of the signatures, we can apply a rule to exclude them easily.

Automated threat intelligence is crucial because a ransomware attack can compromise a network in minutes. Imagine an attack occurring at 3 AM when staff is unavailable; the damage may already be done when someone investigates. Ransomware can infiltrate and complete its task within just a few sessions. Once inside, attackers can lay dormant for months, covertly sending data using internal IP addresses. These addresses are often whitelisted, making it difficult to detect whether the outbound traffic is authorized or malicious. Automated threat intelligence can rapidly detect and respond to attacks, unlike manual processes that take 15 to 20 minutes, often too late to prevent significant damage like a completed ransomware attack. Systems like OCSP, utilizing best practices from multiple vendors such as Azure, Microsoft, CheckPoint, Palo Alto, and CloudStrike, provide an open platform for sharing and updating threat signatures. This enables organizations to tailor their security measures based on specific application needs and behaviors, effectively mitigating risks without unnecessary restrictions.

Cloud-based WAF solutions, such as Check Point's, offer significant advantages compared to traditional on-premises WAFs like Cisco or Palo Alto. On-premises WAFs require substantial upfront costs for hardware, expensive licenses, and frequent, costly upgrades as technology evolves. Cloud-based alternatives eliminate these expenses by providing the latest features and capabilities without hardware or software management. This flexibility and cost-efficiency make cloud WAFs appealing to many organizations. However, cloud solutions can be more expensive for high-throughput applications like Instagram or Facebook due to data transfer costs. At the same time,  on-premises options might be more economical in these cases. Ultimately, the best choice depends on specific network size, criticality, and application requirements.

Machine learning is a valuable tool for this assessment because it allows for a two-phase approach: secure and non-secure. In the first secure phase, pre-built signatures are used, eliminating the need for a live tracker as the necessary data is readily available. This approach efficiently blocks threats without progressing to the slower, resource-intensive second phase. Unlike competitors who process every request, this method conserves CPU power and prevents application slowdowns.

Check Point CloudGuard WAF's code could be improved. While the GUI allows configuration for application-related features, specific definitions cannot be modified through the code. Ideally, we would prefer consistent configuration across all products to simplify deployment, but in this case, the ISE is incompatible with the two or three different models we've identified. Therefore, we must rely solely on the GUI for configuration.

I have used Check Point CloudGuard WAF for four months.

It was stable in the four months we ran Check Point CloudGuard WAF.

I would rate the stability nine out of ten.

I would rate the scalability nine out of ten. We only reached 80 percent of our CPU capacity.

The technical support is good. We didn't use them much, demonstrating the product's quality.

Positive

At that stage, our primary goal was to select a suitable WAF to replace our existing F5 WAF. While the F5 WAF performed well, we sought to eliminate it due to excessive licensing costs. Given the high expense of our entire WAF solution, we explored alternatives, including Azure WAF, Check Point WAF, and Palo Alto WAF. Although we initially considered Cisco WAF, it was quickly discarded as outdated. After a two-week evaluation, we narrowed our options to Azure, Check Point, and Palo Alto WAFs.

The deployment is straightforward and similar to any standard firewall installation. While the process took four days due to design finalization, deploying directly from code can be completed in less than thirty minutes.

Two people were involved in the deployment, one working on the design and the other on the ISE.

Check Point CloudGuard WAF is expensive compared to Azure WAF. I would rate the cost of Check Point CloudGuard WAF as eight out of ten, with ten being the most costly.

We evaluated Cisco WAF, but it is outdated and no longer competitive. Since we utilize Azure Cloud, we opted for Azure WAF due to our preference for cloud-based solutions. Azure WAF has performed well and is seamlessly integrated behind the scenes. We also evaluated Palo Alto, but configuration challenges through ISE led us to discontinue its use seven months ago. Check Point CloudGuard WAF was abandoned for similar reasons. Azure WAF's integration with ISE, including built-in Bicep modules for CLI configuration and deployment, is a significant advantage. Currently, we manage approximately 35 IP addresses and require two distinct stages for WAF settings and module deployment. Consistent signature stem definition across different environments is essential. ISE was crucial in our decision-making process, ultimately replacing Check Point due to the latter's lack of ISE integration, a critical requirement. While Check Point offered several strengths, the absence of ISE was a deal-breaker. Overall, Azure WAF has met our expectations.

I would rate Check Point CloudGuard WAF eight out of ten.

We have six environments in multiple locations and eight products that use 20 APIs.

We have a team of four working with the WAF.

I would recommend Check Point CloudGuard WAF if it fully meets the organization's needs, the cost is reasonable, and they desire AI and ML integration in the future. However, since we do not require AI or ML and prioritize ISE for our management approach, this solution did not align with our requirements.

We did a PoC with Check Point CloudGuard WAF for a month. We had acquired it for a month for testing purposes to see how it would help us with our setup.

It was placed at the starting point of our network infrastructure wherein all the traffic was monitored. We created security policies on Check Point CloudGuard WAF. Whenever an IP used to come to us, it would basically go through a set of policies, and then Check Point CloudGuard WAF would search for malware and other things in the traffic.

During the PoC, we did not face any issues related to false positives. I am in the network security team, and we have a security operations team as well. The security operations team has an SIEM tool. Whenever an alert got updated in the SIEM tool, they used to pass it on to us. We could easily find the logs for a particular alert generated on Check Point CloudGuard WAF. It was always correct. We did not observe any false positives with them.

Check Point CloudGuard WAF protects your applications against threats without relying on signatures. It works fine without signatures, but it cannot detect all the malicious traffic that might enter the setup.

Check Point has its own threat intelligence database. It is global. All the malicious samples are added to that. Whenever there was a new CVE, Check Point CloudGuard WAF used to block them. That was a good feature of Check Point CloudGuard WAF.

We had scheduled a time for the database update, so every day at 3 pm, the CVE database used to get updated.

It was costlier than other solutions. We brought it into our setup for PoC purposes. It was there for one month. We liked all the features, but compared to its competitors, such as Fortinet and Palo Alto, it was a little bit costly. However, considering the cost, it was good and efficient. Other than the price, I did not see any room for improvement.

I used Check Point CloudGuard WAF for a month. It was in the month of January 2024.

We never faced any issues with Check Point CloudGuard WAF. However, in the case of Check Point Firewall, we experienced crashing issues with the SmartConsole application.

I have not contacted Check Point support for Check Point CloudGuard WAF. It was with us only during the PoC. During the one-month period, we did not face any issues, but for other products, we generally raise a TAC case with the Check Point team. We have a Check Point Firewall in our setup, and whenever we face issues with it, we raise a case with Check Point TAC. Technical support of Check Point is good. They respond on time. They analyze the logs properly and give a proper workaround.

I was not involved in its deployment. We have a company named Softcell in India. They are the first point of contact, and Check Point is the second point of contact in our setup. Whenever we have to implement any new Check Point devices in our setup, we raise a service request with the Softcell team, and they provide an engineer for the implementation. However, I was a part of the deployment team of the Check Point Firewall 16000 series, and we did not face any issues.

I work for an Indian banking client. In India, companies are on a budget. The company liked Check Point very much, but it was a little bit costly compared to FortiWeb. However, it had more features compared to FortiWeb. 

Check Point CloudGuard WAF was quite good compared to FortiWeb. We have FortiWeb now due to budget constraints, but feature-wise, Check Point CloudGuard WAF was quite durable and reliable.

I am not very aware of how Check Point CloudGuard WAF works at preemptively blocking Zero Day attacks and detecting hidden anomalies. If it is updated in the global database, Check Point CloudGuard WAF could prevent Zero Day attacks from getting triggered.

Overall, I would rate Check Point CloudGuard WAF a nine out of ten.

We have multiple cloud tenants, such as AWS and Azure, and we wanted to make sure we are secure.

By implementing CloudGuard WAF, we wanted to avoid using the built-in WAF. We wanted to avoid using the WAFs built into our Azure or AWS products. We wanted to make sure that we were using something proven and secure.

It is extremely important to us that CloudGuard WAF protects our applications against threats without relying on signatures. We are a financial institution, and we want to make sure that we do not have any type of traffic that infiltrates our cloud environment. We have 90,000 members around the world.

CloudGuard WAF is very good in terms of false positives. I do not see a lot of static noise, which we used to see with other apps that were in place. It is fantastic.

CloudGuard WAF has been fantastic for preemptively blocking Zero Day attacks and detecting hidden anomalies. I would rate it a ten out of ten for that. As soon as we see a Zero Day, we get the alerts right away, and we are able to do the patching. This guarantees the use of our services. It is immediate and in real-time.

CloudGuard WAF has reduced the total cost of ownership for our web application firewall. It has reduced the overhead of not having people manually look at or review the alerts. It has been more automated.

It is mainly for egress and ingress, just making sure that we are keeping the proper traffic. The integration with Azure ExpressRoute was also key for us.

We have not had any incidents. We could realize its benefits immediately. We watched and monitored the traffic, and it was amazing to see the results.

In terms of features, I do not have any negatives. Their integration is extremely quick. It is better than others I have been involved with in the past. Their pricing model, however, can be better. 

I have been using CloudGuard WAF for two years.

We have had zero issues. Being a financial organization, just like others, our big issue is having any kind of downtime. Any downtime affects our members, and if our members are affected, they will withdraw the money. It has been fantastic. We have had zero events.

There are no real ends. We are a smaller environment compared to what they are used to working with. I have no concerns with being able to scale with them.

It is being used across cross-functional teams for different applications that are involved. We have 335 employees, and at least 300 employees touch this environment at any given time.

We definitely have plans to increase its usage. There are some plans in-house to expand the cloud environment.

They are fantastic. We never had an issue. Whenever we need something, we get a response. 

We also have a managed service provider. We have engineers from the Teneo group, and they are always great if we need any help. 

Positive

We were using the built-in WAF, but that was before my time, and I knew better. 

We did not go with our cloud vendor's web application firewall because it is against the best practices. From everything I have read and studied, I would rather go with something that is proven. There are a lot more vulnerabilities that have been exploited with native WAFs.

It is a public cloud. We have AWS and Azure.

I was involved in the initial deployment only from a high level. I was able to support the team to grab the necessary resources. Outside of that, it was just more of approvals.

Its deployment was straightforward. The deployment was outlined very well. We use one of the resellers and managed service providers for Check Point called Teneo. They explained everything. They told us exactly how it was going to go. They had their folks in place, and it was just very straightforward. It was very easy.

We had the help of Teneo. They were brilliant, and then I was able to help the team with the right pieces to get it accomplished.

We recently did an integration with Azure ExpressRoute. We are bringing it in so that we have a safer way for the egress and ingress with our vendors. I wanted to make sure that we involved the infrastructure team. We had a cloud architect and our cybersecurity team involved. We also ran it through our change advisory board and the architectural review board. We wanted to cover all bases to make sure that all aspects are covered.

We have definitely seen an ROI. There has been a consolidation with not just the cloud stack, but Check Point in general. It has been nice to eliminate products. We have already eliminated close to $250,000 annually in different tools by consolidation.

This is where I have a different opinion. If the pricing for the Infinity platform covers everything, it would be more straightforward. I had a hard time selling it to our CEO as a former CFO because of the differentials. There are different deltas year to year over a five-year period. It is very difficult to explain. It would be easier to digest for our executives if there was a flatter scale.

We did not evaluate other solutions only because we have Check Point in-house, and I was able to talk to our rep. We were able to get a nice solution from them, so we did not have to evaluate any other solution.

To those evaluating CloudGuard WAF, I would advise that for integration, make sure they have a trusted partner that is going to help them with the integration plan or they have the in-house skills to develop that plan. 

I would rate CloudGuard WAF a ten out of ten.

With CloudGuard WAF, I can deploy a cloud-based network protection solution that secures my applications, endpoints, and data.

The features I have found most valuable are the comprehensive threat prevention capabilities, automated policy management, and seamless integration with cloud environments.

For the next release, I would suggest considering features like enhanced threat intelligence integration.

I have been using Check Point CloudGuard WAF for about two years.

The stability of the product has been good so far.

Check Point's technical support is helpful and knowledgeable overall, but there can be delays in response, especially regarding licensing issues.

The main reasons I chose this vendor for web application security were their ability to consolidate management facilities, their comprehensive features, and their flexibility in addressing different security needs.

We have seen ROI from using CloudGuard WAF.

I believe that the pricing or licensing of CloudGuard WAF could be more competitive.

Implementing CloudGuard WAF allowed me to address the challenges of securing my applications and data in a rapidly evolving cloud environment.

Using CloudGuard WAF has brought significant benefits, including improved threat protection, streamlined policy management, and enhanced usability. I noticed these advantages shortly after the first deployment.

It is extremely important to me that CloudGuard optimizes security to protect my applications without solely relying on signatures.

To access the false positive rate, I typically review assessment reports available on platforms like AWS or Azure. By evaluating how effectively the solution preemptively blocks zero-day attacks and minimizes false positives, I can reduce the total cost of ownership for my web application security.

The solution's privacy features, user-friendly web console, virtual deployment options, and physical appliance capabilities have all contributed to reducing my total cost of ownership.

Overall, I would rate CloudGuard WAF as an eight out of ten.

Our primary use cases include enhancing security for web applications and APIs, optimizing resource utilization to reduce costs, and maximizing efficiency in log management for better insights and savings.

CloudGuard WAF has improved our organization by simplifying security management and enhancing our ability to monitor and analyze logs effectively.

The most valuable feature we have found in Check Point CloudGuard WAF is its rich logging capabilities.

In terms of improvement, I feel like I need more clarity in understanding pricing for DDoS protection.

I have been working with CloudGuard WAF for a month.

CloudGuard WAF impressed us with its stability; it is a powerful tool providing great visibility.

CloudGuard WAF's scalability is excellent, especially as a SaaS, offering significant improvements over on-premises environments and providing consolidated scalability.

The technical support is amazing.

We previously used Cloudflare. Now, we are testing WAF to enhance our log insights.

The initial deployment was straightforward. We transitioned from an on-premises solution to a SaaS model, which was simpler and more useful. Our implementation strategy involved redirecting the site to the new solution and creating policies to ensure smooth operation.

We haven't seen ROI metrics yet, but we expect long-term benefits, especially in budget management and risk reduction.

Before choosing CloudGuard, we evaluated options like Azure and AWS. The main differences lie in policy customization, market size, and preset features. Each has its pros and cons, but CloudGuard stood out for its robust policy options and wide market presence.

By implementing Check Point CloudGuard WAF we aimed to address challenges related to enhancing security for web applications while leveraging powerful logging capabilities.

We check false positives in CloudGuard WAF using logs and the interface, and we have had very few issues, which helps our business.

Using preset policies, the solution preemptively blocks zero-day attacks and detects hidden anomalies without requiring full data.

The solution has cut our web application firewall costs because it is adaptable to our environment.

My advice to new users would be to focus on the benefits of software as a service and ensure clarity in understanding pricing, particularly for DDoS protection.

Overall, I would rate Check Point CloudGuard WAF as a ten out of ten.