For logging, earlier versions were okay...the current versions are great. It's what you'd expect from Checkpoint. A very clean, colored, self-explanatory log. Of all the firewalls I wanted to work with, this was the best. When trying to make an IPSec tunnel to a Cisco ASA (the one the Calyptix couldn't connect with...see previous post), the Checkpoint handled it effortlessly.
So why's it not the #1 choice for us? A couple of reasons. While the logging is great...it's unfortunately missing some flexibility. If you want to filter the view by all traffic to or from an IP or only a certain port...you can't do that. You get all the log entries and just have to scroll through. ASA and SonicWall both do better on the filtering, though not as good on the display.
Another minor issue is the content filtering can kill your site if their service has an issue. Web Content Filtering is when you block sites based on categories (e.g. porn, sports, gambling, etc.). Checkpoint has the best UI for managing this I've seen in the SMB space. Once (and only once), that service had an issue and it just bogged the firewall down. Makes sense, as it needs to check with the continuously updated service to see how the site is classified. That continuous updating part is the real value, but if those servers have an issue then so does your location. I'm sure they have big time redundancy, but we did have about 30 minutes during our testing one night where there was an issue, and it will really affect your office.
Also, when connecting to another network via IPSec tunnel you're limited to 3 network ranges. The firewall can handle more but the GUI limits you to 3. Probably isn't a typical problem for an SMB office, but for us it came up a few times. Our partners were small but they had contracts with some large companies. Those companies had more than 3 networks on their side, and to get the endpoints to talk those definitions needed to match. Out of the box, the Safe@Office can't do it. If you use their SMP Gateway solution and remotely administer the devices then you can define more than 3 networks. But that upsets me even more, that it's a pure GUI restriction.
The last reason was probably the main reason...SUPPORT. CheckPoint's Safe@Office is a great product. With a few updates they would have the best SMB firewall on the market. But as a managed services provider, I need fast response for the issues I have that are affecting my customers. I don't mind chatting with support in Israel. That's what I do...bridge the gap of tech talk with remote Support departments. Vendor management is part of the value we bring. But I had several issues where level 1 couldn't resolve an issue, so it got escalated and I went over a week without getting a response. That level of responsiveness was even worse than SonicWall support (and that's bad). I never did find a number for partners to call in and speak to a person after hours. The best way to get support is via online chat, but both phone and online chat will close for the night, so don't have problems when they're closed or you'll have to wait until the next day.
So Safe@Office is the firewall we want to use but just can't right now. The GUI is slick. Managing content filtering is as intuitive and easy to use as any we've tested. The logging is by far the easiest to read. But it still has a few quirks that hurt in certain environments, and the lack of enterprise support hurts. If CheckPoint would offer special 24x7 partner-only Support where partner calls were always treated as a top priority then they could easily be #1 as an SMB firewall.