Next-generation firewalls (NGFWs) from Check Point and Palo Alto Networks appear on eSecurity Planet’s list of the top NGFW vendors. While both solutions have their fans, there are substantial differences between the two. What follows is a look at the core functionality of each solution as well as some critical strengths and weaknesses.
The Bottom Line
Check Point’s and Palo Alto’s NGFW solutions are highly rated by users and analysts alike, and Cyber Ratings gave both companies’ firewalls its highest rating. Not surprisingly, both are priced higher than more value-conscious solutions. Check Point’s wide range of security offerings makes it a good fit for a company seeking a broad, integrated approach for complex and hybrid environments, while Palo Alto’s solution fits best when features, management and performance are the most important factors.
Both are aimed at enterprises that have above average demands, and for those use cases, they deliver.
Check Point Product Highlights
Check Point’s NGFWs leverage an application library of thousands of web applications to identify, allow, block, or limit usage of applications and the features within them, enabling safe internet use while protecting against threats and malware. The company’s SmartLog analyzer provides real-time visibility into billions of log records over multiple time periods and domains.
Recently, Check Point expanded its NGFW product lines with the introduction of new high-end platforms, and launched the Check Point Infinity Security Architecture, which is designed to protect a company’s entire IT infrastructure. Software features include autonomous threat prevention, simplified configuration, and TLS 1.3 support with detection of fake Server Name Indication (SNI).
It provides several firewall lines: Quantum Security Gateway hardware appliances such as the Maestro Hyperscale product line and Lightspeed Firewall products, CloudGuard virtual appliances and cloud security products, the Harmony firewall as a service (FWaaS) line, and recent container-based firewalls.
Gartner says Check Point’s offering is a particularly good match for companies seeking an integrated and consolidated approach to security, thanks to its wide range of network, mobile, and endpoint security products. User complaints tend to focus on price, the speed of technical support, and firmware releases that can take a considerable amount of time to become stable.
Check Point was graded as a Leader in the latest Gartner Magic Quadrant (MQ) for next generation firewalls. However, it scored a little below Palo Alto. Gartner noted that it offers “a comprehensive security portfolio,” and that the company is a good candidate for organizations with a mix of on-premises and infrastructure-as-a-service (IaaS) security needs.
Palo Alto Product Highlights
Palo Alto Networks’ NGFWs monitor applications, threats, and content and tie them to the user regardless of location or device type. The company’s NGFWs are available in purpose-built hardware appliances ranging from the PA-200 to the high-end PA-7000 Series, with threat prevention throughput of 100Gbps, and as virtual appliances supporting a wide range of cloud environments.
Its next-generation firewalls run on its PAN-OS. The NGFWs classify all traffic, including encrypted traffic, based on application, application function, user, and content. They combine policy enforcement and cyberthreat prevention via the company’s Content-ID and WildFire sandboxing features.
Content-ID limits unauthorized data transfer and blocks threats. WildFire identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs) through static and dynamic analysis in a virtual environment. It automatically disseminates updated protections globally in near-real time.
The Application Command Center includes visibility of sanctioned and unsanctioned software-as-a-service (SaaS) applications. Combined with automated event aggregation and filtering and drill-down options, this makes it easier to understand application flows and related risks.
There are also virtual and containerized firewalls available as well as FWaaS. In addition, the company offers endpoint security, cloud security, and security management products.
Palo Alto recently released version 10.1 of its PAN-OS operating system, with new features for decryption, IoT security, data loss prevention (DLP) and more. Palo Alto claims that its firewalls are the first to utilize deep learning, continuing the company’s impressive history of innovations.
Gartner placed Palo Alto in the Leaders quadrant and gave it the highest ratings in its latest next-generation firewall Magic Quadrant (MQ). It was also named a Leader in a Forrester Wave for Enterprise Firewalls.
Gartner says Palo Alto Networks boasts high customer satisfaction and is a solid contender for all enterprises, particularly when features and management quality are more important than price.
While users praise Palo Alto’s robust security, some say managing that ability can be too complex for a generalist.
NGFW Product Ratings
Here is eSecurity Planet’s take on the key features of each solution.
Both Check Point and Palo Alto are top performers, with AAA ratings in 2021 Cyber Ratings tests.
Gartner believes Check Point is a good fit for high-security use cases. The company is particularly strong in threat inspection, content disarm and reconstruction (CDR), shared threat intelligence, and identity-based segmentation. Its firewalls also come with SandBlast Zero Day protection. However, Check Point relies on a partnership to deliver advanced SD-WAN features.
Palo Alto too is for high-security use cases and those seeking a wide range of security services and innovation – and are willing to pay extra to get them.
In 2021 testing, the Palo Alto PA-5220 topped the Check Point Quantum 16000 with 5,124 Mbps performance compared to 4,292 Mbps for Check Point. Based on Check Point’s new Infinity Architecture, though, the company claims the new Quantum Security Gateway line up of 15 models can deliver up to 1.5Tbps (terabits per second) of threat prevention performance and scale on demand. The high-end Palo Alto PA-7080 can reach 600 Gbps, so both companies offer plenty of performance for those who need it.
Value and Pricing
Both companies’ NGFWs are more expensive than most. If you’re looking at Palo Alto and Check Point, price is likely not your top criteria. These firewalls are not cheap, yet users rate them well in terms of value. In Cyber Ratings testing, Palo Alto scored higher in TCO/Mbps because of its higher throughput, so performance factors into the equation too.
Check Point’s pricing is based on the cost of the server and security gateways required, starting under $2,000 for the Quantum 1500 gateways, while the high-end 28600 starts at $200,000 and up.
Palo Alto Networks offers a wide range of NGFW options. At the low end, the PA-220R (ruggedized) starts at about $3,280, while for the high-end PA-7080, pricing starts around $170,000 and can rise considerably from there.
Implementation and management
Users of both systems say their setup process requires a little more knowledge and advanced planning than most. Once up and running, many Check Point users single out the solution’s management interface as a key strength.
Palo Alto users praise the rich management features of the company’s firewalls, but some say they require some expertise to get the most from them.
Check Point offers on-premises (Quantum Security Management) and cloud-hosted (Infinity portal) centralized management and monitoring products. Additionally, its Maestro Orchestrator allows IT to scale up from a single gateway to the converged capacity of up to 52 gateways and reach a threat prevention speed of up to 1.5Tbps. Overall, users report relatively easy implementation.
Palo Alto, though, can pose some complexity in implementation and management. Yet, users praise the product’s rich features. Management features, application visibility, sandboxing, and small branch office options are among its greatest strengths. To keep things simple, branch offices can install low-end PA-220R devices, which are much simpler to operate locally yet can also be managed centrally.
Check Point faced some customer complaints in the past about responsiveness. It has responded by investing heavily in its distributed support workforce. This has led to an improvement in its overall customer satisfaction.
Palo Alto, too, has faced customer frustration about technical support, with some users reporting that they’ve had to pay for a higher tier for better support. However, its customers can be so loyal that many renew without a competitive evaluation.
Cloud and container features
Both are strong contenders for cloud needs, offering virtual appliances and a wide range of cloud functionality. Check Point is behind Palo Alto on container firewalls, as it was later to the market.
Gartner Peer Insights users give Check Point an average rating of 4.5 out of 5, with Palo Alto Networks slightly ahead at 4.6 out of 5. This is a change from two years ago when Check Point held the lead.
Check Point NGFW reviewers said the solution “is really fast,” has a “great management interface” and “a great log server,” and offers different sizes of appliances for different purposes. Still, some reviewers said the system “is way too complex” and “requires hiring experienced staff” and that the “cost is still high, and licensing is still complex.”
Palo Alto Networks reviewers said “the product itself is rock solid” and “support is fantastic.” Another reviewer added that “While the cost may be higher than some, it really does the job we ask of it.” Still, some reviewers warned that “it has a decent learning curve” and “can be faulted for overly complicating some simple setup tasks.”
Check Point’s products are available as hardware appliances, as software only, as containers, and as cloud services. The company also offers managed services.
Palo Alto’s NGFWs are available as hardware appliances (PA Series), containers, FWaaS, as well as the VM Series for use in a virtualized or cloud environment.
See our full list of the Top NGFW Vendors