CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: Business case to keep Check Point

  1. #1


    I am hoping to obtain some help in building my business case for my organization to keep Check Point and not replace with Palo Alto.

    I work for a credit union with about 350 employees, we have a small IT department with myself being the only network engineer, and I love Check Point and truly believe Check Point is the best option for this credit union. Check Point is the only firewall vendor this credit union has ever used.

    The issue is that Check Point prices seem to be significantly higher than competitors. My leadership is looking to replace our Check Points with Palo Alto's as it seems PA can offer us a much more competitive price.

    I am writing a business case to justify Check Point and have pointed out all of the obvious reasons I can think of - better logging and visibility, the IT department has a knowledgeable engineer on hand who really knows Check Point and there would be a huge learning curve with PA, the cut over process would be a nightmare.

    Is there anything any of you can think of that makes Check Point much better than the competition?

    Thank you.

  2. #2

    My knowledge of Palo Alto is limited, but I know their feature to identify users on endpoints (like Identity Awareness) is trivial to misconfigure. I've seen a few Palo Altos with that feature enabled which send domain admin credentials to any box they detect trying to access things. The firewall is trying to log in to the box to see who else is logged in.

    How many firewalls/clusters are involved? I don't think Panorama is to the level of SmartCenter when it comes to managing multiple firewalls. Higher cost to admin efficiency.

  3. #3

    I'm going to try really hard not to go into a full-on rant here...

    Disclaimer: All of this is just from my own experiences/observations/conversations, and therefore somewhat subjective. Your mileage may vary.

    The less-technical side: Over the years, PAN has built a pretty solid reputation in the industry as a marketing organization - especially to their investors. They work very hard to please Wall Street, putting a lot of money behind their hype. They are very good at convincing people, on paper, that they're the one to beat. It seems to me that most of the "news" I see from/about PA comes from financial publications. One reason I believe Check Point doesn't have to play that game quite as aggressively is because they're cash-heavy (and not as beholden to Wall Street). They are and have always been a long-term investment, which isn't quite as "sexy" to those with a day-trader mentality. I'll leave it to you to qualify this, but I'm guessing you could find plenty of articles to support it with minimal effort. Do a news search for "Palo Alto Network", and another for "Check Point Software". Discounting any press releases (published by the companies or their PR), I'm confident that a majority of the coverage on PA will be about finance/investing (or problems). Most of the CP news will be technical (such as this week's MAJOR Microsoft DNS vulnerability - discovered by Check Point researchers). Being a good financial investment has nothing to do with being a good technical investment - as long as the company is stable. Check Point has been a leader in this space for over 25 years. In that time I've seen many competitors come and go.

    The sales side: I have seen PAN repeatedly use the above to convince customers that they're the way to go. They've also used misleading and out-dated materials to try to convince that CP (and others) can't do what they do. Most disturbingly (to me, anyway) is that they have won quite a few deals on price. I've had clients that have either replaced other products with PAN or augmented with new PAN gear because they came in significantly lower than the competition. Far too often, those clients later learned that the gear they purchased wasn't quite powerful enough for their needs - requiring more investment in properly-sized equipment. In a few cases I know of personally, the ultimate price ended up equal or higher than the realistically-priced CP quote. It's my belief (and it's nothing more than that) that PAN puts the customer in this position - knowing that they'll either have to admit they made the wrong technology decision (unlikely), or that they simply undersized (less painful to admit). My strongest advice in this post is to ensure that the quotes you're looking at are realistic!

    Technically (kinda): This is where I don't really want to start anything too deep - I'll leave it to the community to expand. What I will say is that PAN definitely beat CP to market once - with App-ID. Check Point had to play catch-up to add Application Control. Related to the first point above, PAN continued for years to claim that CP couldn't do "App-ID" - which, of course, is a trademark (side note: vendors play this game all the time - using a trademark so that nobody can offer direct/exact/literal competition). Eventually PAN began admitting that CP had "something", but that they were newer/younger to it than PAN. In one of my favorite history lessons, in reality, CP had acquired Application Control from a company that had been working on it since long before PAN existed. Yes, it was new to CP, but far more mature than App-ID. (Bonus points to the first to name the company CP acquired APCL from. Hint: it creates a very loose, not-quite-relationship to Apple)

    Keep in mind that the bottom-line financial side includes a lot more than just the product quotes. The [sometimes unfortunate] reality is that incumbent vendors usually have an advantage because there are many additional costs to replacing them - mostly in the form of time (which is money). Understand/calculate the full cost of migrating, testing, learning, etc.

    As I said, I'll leave it to the community and those with more direct PAN experience to chime in as well. Keep in mind that this is a CP-related community. That means that most here have at least some affinity for or involvement (technically) with CP. It is not, however, a community driven/controlled by CP. We can/will say what we want, and I welcome/encourage counterpoints to any of the above. The goal is to help.

    Please also keep in mind that none of that means that PAN isn't the right solution in your case. There's no one vendor that's the best fit for every situation. PAN could be the best option, either financially, technically, or both. This is all just intended to help/urge you to evaluate things as fairly as possible. If it sounds like there's a bit of a slant to my words, it's simply because I'm trying to level things off to help you (and your organization) to get to the proper solution - whichever one that may be. I have no vested interest/benefit in which way you go, other than the hope that I provided some good advice/info to help you along.

    Good luck, and let us know how it goes.

    Last edited by EricAnderson; 4 Weeks Ago at 11:15.

  4. #4

    Originally posted by mjensen:
    "The issue is that Check Point prices seem to be significantly higher than competitors. My leadership is looking to replace our Check Points with Palo Alto's as it seems PA can offer us a much more competitive price."

    Are you really comparing apples to apples here?
    My guess is...probably not.
    In most of the analysis I've seen, Palo is rarely the cheaper option.
    Again, this assumes properly sized solutions.

    That said, there may be other ways to achieve your goals with Check Point that are more cost-effective.
    Best to reach out to your local account team/partner to discuss specific options.
    Unless otherwise noted, views expressed are my own
