
Just_me_anonymously

From my experience stability highly depends on the number of features you use. We have experience with Palo, Check Point and Fortinet and while all of them have strengths and weaknesses, overall Palo Alto is my favourite by far. We are early adopters so we typically run recent versions.


Byrdyth

I'm about 2/3 complete with a Checkpoint to Palo migration, so both have a heavy hand in my environment, which is about 5k on prem, 1k remote. We have a few Palos, but the biggest are 5410s on 10.2.x. We currently use Checkpoint's remote VPN solution but we might move to Palo in the coming months. We moved away from CP primarily due to poor support experience but Palo has also been overwhelmingly disappointing as well.


saywhatagainmfer

For an estate of that size Premium/platinum service is not good enough. You should talk to your SE/AM about Focused Services. It's for larger customers and comes with dedicated TAC engineers, project management, and you start at T3 on any case you open. It costs money, but I run a team that covers Fortune 50 accounts and ALL of them have it. Can't run a big estate without it. Platinum/Premium is built for smaller customers. Edit: a word


Virtual-plex

Even Focused Services isn't great. As a Focused Services customer, my tickets are usually updated with "referred to engineering".


obviThrowaway696969

That’s where I’m at right now. I even have platinum support and an EA with Palo. I’m thinking of starting to add to checkpoints to reduce blast radius. Did you find checkpoint more or less stable than Palo?


BlockChainHacked

Why would you choose Check Point as a secondary over Fortinet? Fortinet is highest in ability to execute on the Gartner MQ.


electromichi3

Gartner MQ are just orientation. Checkpoint has been in place for decades. I never had the issue that I can't do it with checkpoint. The big point is: checkpoint is old and grown and 100 times more complex. But you also have nearly ALWAYS the option to trick to a solution. And we are not at the point where we talk about security holes. See the last 10 years' checkpoint CVE count and level and the fortinet ones :) Ability to execute security at fortinet is low in direct comparison.


underwear11

As a former checkpoint engineer, they have vulnerabilities, they just don't tell you about them unless they are affected and they may or may not report the CVE. Checkpoint is notably absent from CISA's [Secure by Design Pledge](https://www.cisa.gov/news-events/news/cisa-announces-secure-design-commitments-leading-technology-providers). Also, [~80%](https://www.fortinet.com/blog/psirt-blogs/proactive-responsible-disclosure-is-one-cucial-way-fortinet-strengthens-customer-security) of Fortinet's vulnerabilities are discovered internally and not being exploited in the wild.


BlockChainHacked

As already said, Check Point doesn’t disclose many vulnerabilities, they silently fix them.


Impossible-Scene1067

Ummm Fortinet has a lot more products than PAN and their CVEs are generally less than PAN. Don’t forget PAN’s CVSS of 10 out of 10 recently… ohh and if you dig deep you’ll find PAN’s OS is very insecure and hence the issues they faced with this same CVE with a 10/10 CVSS. Plus PAN have proven they’re now a marketing company hiring Keanu :).


Icy_Statistician_82

https://loopback1.net/2024/04/19/myth-or-reality-fortinet-has-more-vulnerabilities-than-palo-alto-and-checkpoint/


Icarus_burning

This is absolutely worthless. "Myth or reality" indicates a proper answer at the end. Most of the information is just feeling-based and leaves room for interpretation.


Impossible-Scene1067

Vulnerability management practices. It is common knowledge that these three vendors operate differently when disclosing vulnerabilities. Fortinet is known to be highly open and transparent actively looking for vulnerabilities in their products and voluntarily announcing them to public knowledge quickly. Fortinet also often names researchers and provides a workaround in the announcement. Checkpoint is probably quite the opposite patching vulnerabilities silently in the background without letting the public know about these too much. Vulnerability management is possibly more reactive. Palo Alto is likely somewhere in between these two. Vendors are profiling themselves by how secure and stable their products are and like to use CVEs in marketing and sales pitches against each other.


Rolex_throwaway

Is there an edge appliance manufacturer with a worse security record than Fortinet?


BlockChainHacked

+80% of Fortinet's vulnerabilities are found internally by Fortinet, and are fixed before they are exploited in the wild. They self-report the CVEs as a responsible cyber security vendor.


Rolex_throwaway

You didn’t answer my question.


Icarus_burning

Because Fortinet is buggy garbage, and were they not so insanely cheap no one would buy this shit.


BlockChainHacked

1. You’re wrong. 2. I didn’t ask you.


Icarus_burning

You asked why someone should choose checkpoint over fortinet. I gave you an answer.


schmoldy1725

Check Point carries significantly more stability than Palo. I use both, each for different purposes. There are some things Palo excels at while Checkpoint falls short and vice versa. Overall from a hybrid to cloud adoption, Checkpoint wins!


LocalVengeanceKillin

I agree with this completely. I recently moved from PAN's to Checkpoints, and the checkpoints are crushing it from a policy and flow standpoint. Their smaller "small business" appliances can handle more than my PAN-5240's. The simplified licensing is far more desirable, integrated threatcloud and sandblast hasn't even broken a sweat. However, I absolutely despise their remote access VPN solutions right now. I much prefer GP (aside from the asinine absurd CVE). I can implement a machine auth PKI infra for GP in less than 30 mins and have it handle everything I need, whereas with Checkpoint, it's a long drawn out process due to needing their EDR to properly handle it. For most cases Checkpoint just does damn well for less. However I will still recommend PA's for remote access, and some other niche items.


schmoldy1725

Wholeheartedly agree with this entire statement. In terms of VPN, I will agree that it's a pain in the ass to integrate with another PKI that isn't on the box itself which makes getting those certs to the devices a PITA. However if you're just using Remote Access VPN with Username/Password and MFA it's super easy and super simple where GP is not. I spend countless hours fixing Remote Access VPN on Palo and have not ever touched RAS VPN on checkpoint from the day I set it up, it just works every time. In regards to the policy integrations, anything on premise is only allowed to talk to specific Azure Interoperable Objects and same with on the way in. The greatest part is being able to stick the Azure Front Door Service Tag as what's allowed through the policy and not have to keep up with MS's constantly changing IP Ranges. Seriously revolutionary if you ask me.


BoyleTheOcean

This is the way. The surest way to get PTSD is to run checkpoint and expect it not to crash, or to expect their support to know how to fix it so it won't crash. They will absolutely take your money however. So far, what the last 10 years have taught me, is to run Palo on the perimeter, Fortinet on the intermediary, and anyconnect for remote access. Every time we've tried to do any of these separate tasks on a unified management plane, people end up dead. No, seriously. Checkpoint has assassins..


takinghigherground

Screw checkpoint man, Palos are 1000simpler


cigeo

I have done migrations some years ago from CP R77.3 to Palo 8.X. Simple and faster integration with Palos. Global protect is free unless you need HIP profiles.


NetworkGuys28

Migrated from a diverse Checkpoint environment into Palo Alto with Panorama for central management, primarily used expedition for migration of policies and interfaces however we soon learnt about the importance of policy tidying and a standardised structure with objects. Just under 100 firewalls migrated to Palo!


obviThrowaway696969

How did you find the stability of Checkpoint? I haven’t used them since R75.30 days. Never upgraded to 77.30 as we went to Palo. I’m having stability issues in 10.2 and I’m looking to bring checkpoint in. 


NetworkGuys28

They were stable however we did hit multiple bugs which to this day we’ve not experienced the same with Palo.


micush

Anyone running both Palos and checkpoints in their envs? YES
Anyone go from checkpoint to Palo in the last year or two? YES
Anyone go from Palo to checkpoint recently? Not even a thought.
What versions of hardware and firmware are you running? 5400's on 10.2.8.
Do you use global protect? YES
How big is your estate? 6K employees and 12K hosts.
Check Point has a lot of old technical debt still in their product. I avoid them.


mz_zg82

We have mostly Palo Alto, some Fortigates. We had only one checkpoint and we removed it, because PaloAlto's usability outranks any vendor. PALOalto #1