Next-generation firewalls (NGFWs) from Check Point and Palo Alto Networks appear on eSecurity Planet’s list of top NGFW vendors – and while both solutions have their fans, there are substantial differences between the two. What follows is a look at the core functionality of each solution, as well as some critical strengths and weaknesses.
The Bottom Line
Check Point’s and Palo Alto’s NGFW solutions are highly rated by users and analysts, although both are priced higher than more value-conscious solutions. Check Point’s wide range of security offerings makes it a good fit for a company seeking a broad, integrated approach for complex and hybrid environments, while Palo Alto’s solution fits best when features, management and performance are the most important factors.
NSS Labs’ most recent analysis gave both vendors high marks for security and performance, but suggested that Check Point’s solution may be more expensive to operate, rating its total cost of ownership per protected Mbps at $13, compared to $7 for Palo Alto. Both are aimed at enterprises that have above-average demands, and for those use cases, they deliver.
Check Point Product Highlights
Overview: Check Point’s NGFWs leverage an application library of more than 6,600 web applications to identify, allow, block or limit usage of applications and the features within them, enabling safe Internet use while protecting against threats and malware. The company’s SmartLog analyzer provides real-time visibility into billions of log records over multiple time periods and domains.
Recent developments: Check Point recently expanded its NGFW product lines with the introduction of new high-end platforms, and launched the Check Point Infinity security architecture, which is designed to protect a company’s entire IT infrastructure.
Analysts’ take: Gartner says Check Point’s offering is a particularly good match for companies seeking an integrated and consolidated approach to security, thanks to its wide range of network, mobile and endpoint security products. User complaints tend to focus on price, the speed of technical support, and firmware releases that take a considerable amount of time to become stable.
Palo Alto Product Highlights
Overview: Palo Alto Networks’ NGFWs monitor applications, threats and content, and tie them to the user regardless of location or device type. The company’s NGFWs are available in purpose-built hardware appliances ranging from the PA-200 to the high-end PA-7000 Series (with threat prevention throughput of 100 Gbps), and as virtual appliances supporting a wide range of cloud environments.
Recent developments: Palo Alto recently released version 8.1 of its PAN-OS operating system, which adds more than 60 new features, including expanded SSL decryption capabilities and more granular control of SaaS applications.
Analysts’ take: Gartner says Palo Alto Networks boasts high customer satisfaction and is a solid contender for all enterprises, particularly when features and management quality are more important than price. Still, some clients say Palo Alto’s centralized Panorama solution can experience a performance hit when managing a large number of appliances, and that the company waits too long between firmware releases, resulting in very large updates that require more time to stabilize.
NGFW Product Ratings
Here is eSecurity Planet’s take on the key features of each solution, followed by a chart comparing the two.
Security Performance: Both are tops. In NSS Labs’ recent tests, Palo Alto’s PA-5220 received a 98.7% security effectiveness rating, while the Check Point 15600 blocked 99.6% of attacks.
Performance: Palo Alto topped all firewalls tested by NSS Labs with 7,888 Mbps performance, while Check Point clocked in at a solid 6,034 Mbps.
Value: Both companies’ NGFWs are more expensive than most. If you’re looking at Palo Alto and Check Point, price is likely not your top criterion.
Implementation and Management: Users of both systems say their setup process requires a little more knowledge and advanced planning than most. Once up and running, many Check Point users single out the solution’s management interface as a key strength. Palo Alto users praise the rich management features of the company’s firewalls, but some users say the Panorama centralized management solution can take a performance hit when managing a large number of appliances.
Support: Check Point has faced some customer complaints about responsiveness. Customers of both companies are frustrated that large, infrequent firmware updates can cause stability issues.
Cloud Features: Both are strong contenders for cloud needs, offering virtual appliances and a wide range of cloud functionality.
Gartner Peer Insights users give Check Point an average rating of 4.5 out of 5, with Palo Alto Networks following close behind at 4.4 out of 5.
Check Point NGFW reviewers said the solution “is really fast,” has a “great management interface” and “a great log server,” and offers different sizes of appliances for different purposes. Still, some reviewers said the system “is way too complex” and “requires hiring experienced staff,” and that the “cost is still high and licensing is still complex.”
Palo Alto Networks reviewers said “the product itself is rock solid” and “support is fantastic.” “It just works,” one noted, adding, “While the cost may be higher than some, it really does the job we ask of it.” Still, some reviewers warned that “it has a decent learning curve” and “can be faulted for overly complicating some simple setup tasks.”
Check Point’s products are available as hardware appliances, as software only, and as cloud services. The company also offers managed services.
Palo Alto’s NGFWs are available as hardware appliances (PA Series), as well as the VM Series for use in a virtualized or cloud environment.
Check Point’s pricing is based on the cost of the server and security gateways required, starting as low as $799 for a single gateway. Check Point management appliances start as low as $7,500 for the Smart-1 405. The 15600 tested by NSS sells for approximately $70,000.
Palo Alto Networks offers a wide range of NGFW options. The company’s most recently released appliances, the PA-220R (ruggedized), PA-3200 Series and PA-5280, range in price from $2,900 to $200,000, while the base PA-220 lists at $1,000. The 220 offers 100 Mbps VPN throughput and 64,000 sessions; the 5280 offers 24 Gbps VPN throughput and 64 million sessions. The PA-5220 tested by NSS sells for around $70,000, with support packages extra.