My use case is mainly for new products that come up in the marketing field, products that are fast and need quick assimilation.

We connected protections, mainly of the WAF for products that do not need too much scam validation or more complex functions. The aim was to provide a quick response to marketing campaigns, customer transportation, and things that need very fast implementation.

Check Point CloudGuard WAF has helped our organization in time-to-market manners; the time to market is very short. Unlike other products we tested, which were a bit more complex, they would take a day's process. Check Point CloudGuard WAF only takes a few minutes of assimilation and then goes live.

Its ability to protect our applications against threats without relying on signatures is one of the benefits I liked about this product. It does not depend on signatures. It looks at the anomaly in behavior. This is what we call a modern application. It saves us the headache of these updates and also the fact that the zero day usually has no signature.

The ability to preemptively block zero day attacks and detect hidden anomalies is exactly its advantage. The zero day does not wait for a signature but looks at behavior. This is how a modern app should be. If you wait for the unknown, your application will be affected, but with this solution, even if you don't know where the attack could come from, the product protects it because of the behavior. That's the advantage.

The assimilation time is short, about a few minutes only, so it is very simple for us and shortens the time of our functions. I'd say it has lowered 30% of our time.

In a product like this, there are not many false positive cases, at least not in our type of implementations, which are not complex. When you do not hear about any false positives, it is a sign that the solution is doing its job.

This product is very simple, it does not require complexity in its implementation. Its ability to deploy our materials quickly is what we appreciate the most.

I would like it to be able to analyze more complex functions, although I did not examine the case study of more complex implementations. Things like forum fields, etc seem to need a little more focused protection of the fields scheme validation. I would say that the more automation this product has, the easier it will be to work with it.

I have been using Check Point CloudGuard WAF for six months.

There were never any server issues, they're very stable.

I am not really sure about its scalability since our framework is very limited at the moment. I am guessing that after we try to deepen our use cases, we may scale then.

Check Point is known for providing really good service. If a ticket is opened, it is addressed and not neglected. The emphasis is on the Israeli team, which knows how to achieve escalations and provide a response. We were never left without an answer.

Positive

We have had several protections from other WAF products that we have tested. Their implementations were longer, more complex, and sometimes, because of the speed we would implement it after it went live because of the times. The time to market was short, and we didn't have time to achieve the desired time window.

Today, with Check Point CloudGuard WAF, there is no way we'll go live without protection.

We used and evaluated Radware and Reblaze. They were very expensive and also dependent on third-party services. With Check Point CloudGuard WAF, everything was done easily in-house.

I'm in charge of the regulations, the SECOPS team is the one involved in the deployment. I'm more of a policy guide, and from what I've noticed, the experience was good.

We always have a business partner who accompanies us in projects of this type. We have always had a good experience with them, the're very professional.

The biggest ROI is that the time to market is good; I am not holding back the business. I do not look that much at attack prevention because that's something that every product usually does. The ROI is the time to assimilate and the short time to market. Those are its benefits.

I am less knowledgeable with prices because I only define the requirements and look at the execution. I know that its price is relatively expensive compared to other products but it gives benefits that are worth it.

My advice would be to use this solution since it's cloud-based and the deployment is quick and easy.

Overall, the platform is great. I would consolidate it from the usual infrastructures, though. Every platform requires someone to focus on it, so it would be good if an integrator would be more involved in this specific solution.

I am currently evaluating a hybrid solution for our infrastructure since some of our services are hosted on-premises while others are processed through the cloud. We have multiple websites, applications, and some non-web-based applications that we need to protect.

The solution's ability to handle multiple websites and applications without needing more expensive hardware is a key advantage. 

The communication between the on-premises device and the cloud for analysis and feedback is a valuable feature. It also supports legacy applications and improves security access. Upon implementation and evaluation with third-party penetration testing, it meets rigorous security standards required for dealing with financial institutions and provides necessary protection between our central office and peripheries through VPN access. 

The solution allows for proactive support and parts replacement.

The learning curve was a challenge due to initially incorrect configurations. It took approximately a month and a half to understand how the solution works because of inadequate documentation. The provider could improve by providing better guidance and support during the configuration process.

I am happy with their support. They were responsive even before we committed to buying their solution. The support rating is about seven and a half to eight out of ten.

Positive

We looked at FortiGate and some open-source solutions, however, they either did not fully meet our requirements or required a dedicated person for administration, making them cost-prohibitive.

We collaborated with our vendor, A1, which also offers parts replacement and support as part of the package.

The base solution costs approximately 30,000 euros, with an additional 2,000 euros per year for licenses and support.

The price is fair for the features offered. For us, it is cost-effective compared to hiring a dedicated person for administration.

Prior to choosing the current solution, we considered FortiGate and other open-source solutions.

I would rate the solution eight out of ten. 

Currently, I am working in a DNB environment. Since we have on-premises to Azure traffic, we utilize the Azure subnet. From the Azure subnet, we have different tags and servers hosted over the Azure side. When our internal traffic moves from the DNB to the Azure site, we use the CloudGuard firewall. Multiple tags are created in that firewall, each containing multiple servers. Users connect through the Azure site, utilizing an ExpressRoute link from on-premises to Azure. The CloudGuard firewall at our premises helps secure traffic to the Azure site.

The CloudGuard firewall's multiple features like web access filter, HTTPS inspection, and authentication are very useful in our environment. It provides secure and flexible connectivity between the user and the Azure subnet.

The most valuable features are its ease of use and multiple functionalities. In CloudGuard, we create tags with servers, which makes connections secure and flexible. Features like web access filters, HTTPS inspection, and authentication are very important for our environment.

The user interface, SmartConsole, sometimes malfunctions and requires a restart. This part of the interface needs improvement.

I rate the stability as seven or eight out of ten. We sometimes experience lagging, crashing, and downtime.

The scalability of CloudGuard is very good. I would rate it as nine.

Whenever we observe any issues at the firewall level or require assistance, we contact tech support. We open cases, especially during upgrades, and they provide standby support. I would rate their support as eight out of ten.

Positive

When I joined the project, most of the deployment had started, so I was not aware of previous solutions used by the company. Personally, I have worked with Check Point on-premises firewalls but not on the Azure site before joining this company.

Some deployments were already in progress when I joined, and I participated in about half of the deployment process. It was easy with third-party vendor assistance, if required.

The deployment was handled in-house with occasional vendor support related to specific components such as blades.

Pricing is a bit high, but it is justified considering the features and support provided by Check Point.

I recommend CloudGuard for its extensive security features. It not only provides security but also detects threats and inspects traffic thoroughly. It is especially useful for securing connections between users and Azure subnets.

I'd rate the solution eight out of ten.

We were focused on mitigating malicious activity at the application level. We were searching for technology to help manage frequent traffic issues, which is why we decided to implement a WAF. Our main use case was to also address the security of APIs. Since we were using many APIs in our environment, we wanted a solution that could manage restrictions and throttling for these APIs effectively.

The WAF allowed us to define objectives like throttling to control API usage. Additionally, we utilized the WAF to handle OWASP Top Ten vulnerabilities by creating rules to inspect incoming traffic from the internet to our internal infrastructure. Suspicious activities would be flagged and alerted as necessary. These features were key to our decision to implement the WAF in our last organization.

Check Point CloudGuard WAF provides a range of built-in features. It includes default policies based on the OWASP Top Ten vulnerabilities, which help detect and mitigate common threats. However, for vulnerabilities beyond the OWASP Top Ten, the WAF also offers the flexibility to create custom rules.

You can create and implement custom rules if you need to address other common vulnerabilities in the external environment. There are various options for implementing these custom rules, including using Terraform. For organizations that prefer to use only default policies, those are also effective at handling traffic and identifying application-specific vulnerabilities.

WAF solutions offer a wide range of features, and many cloud vendors integrate WAF capabilities directly into their platforms. For instance, Azure CloudGuard includes built-in WAF features fully integrated with the Azure environment.

Within this platform, you can easily define API restrictions, set web application vulnerability policies, and manage security headers like content security policies and HSTS policies. This integration streamlines the process of configuring and managing these security features, making it more efficient than using separate tools for each task.

When I was working with the WAF platform, there were limitations, particularly concerning compliance and reporting. Managing multiple tools for different functions like WAF, firewall, CDN solutions, and antivirus—could be cumbersome for organizations. They often prefer a more centralized platform to manage various features efficiently.

While having separate tools can enhance visibility and support a defense-in-depth strategy, the WAF platform's reporting capabilities could have been improved. 

Security headers, such as content security policies and HSTS policies, protect applications from web vulnerabilities like cross-site scripting attacks and cookie theft. These parameters can be defined at the CloudFront level or within a WAF.

WAFs operate in two main modes. Initially, they may be set to detection mode, monitoring activity without blocking traffic. This is useful for assessing the impact and tuning the rules. Once your implementation and team are ready, you can switch to the blocking mode, where the WAF actively blocks suspicious traffic. It’s important to carefully configure this mode to avoid blocking legitimate traffic, which can cause disruptions.

Additionally, you might see cost savings if you don’t use an API management platform and instead rely on WAF to manage API-related features. However, the decision depends on your specific architecture and implementation needs.

Overall, I rate the solution an eight out of ten.