PAN-OS VS. CHECK POINT R80.

30
Licensing
About Check Point
Check Point is trying to fix its reputation for complex licensing with
Founded in 1993, Check Point was named worldwide firewall leader by IDC in 1996, with 40% market the Infinity Total Protection ELA, but the adoption rate has been
share (11.9% in 2019). The company has acquired 10 companies in its history, most recently Dome9.
OVERVIEW

negligible. For NGFW, there are a total of 16 different software

In 2017, Check Point introduced its Infinity Architecture as a platform solution. A year later, Infinity Total blades. Each blade is a feature pack with a separate license that
Protection, a per-user ELA, was unveiled. Most customers are still on the older R77 operating system needs to be enabled on every appliance/VM. Two bundles, Next-
from 2013, and the current R80 is struggling with adoption. Gen Threat Prevention (NGTP) and Next-Gen Threat Extraction
(NGTX), are available.
Check Point’s messaging is about protecting against “Gen V” cyberattacks, which the company defines as
large-scale, fast-moving attacks across multiple industries. Check Point claims to be the only vendor that
can help customers move to “Gen V” protection levels. Blade NGTP NGTX Our Equivalent

Strengths Anti-Virus ✔ ✔

• Loyal, change-resistant customer base. Proofs of concept will be eye-openers for them.
Anti-Bot ✔ ✔ Threat Prevention
• Central management for security gateways, public/private cloud, and SaaS, but separate management for
endpoint and mobile. Separate UI for device setup and cluster management. IPS ✔ ✔
• Threat Extraction sanitizes potentially malicious content and looks good on paper but is difficult to
implement (see Page 3). URL Filtering ✔ ✔ URL Filtering

• Good mobile security offering, but slow customer adoption.

Anti Spam and ✔ ✔ N/A
• VSYS implementation allows system-level load balancing but is difficult to implement and manage, and Email Security
only works with very specific setups.
Threat Emulation ✔ WildFire
AT A GLANCE

• Good at pointing out flaws in competing products to divert conversations to technical details.
• Interesting release of Maestro “orchestrator.” Threat Extraction ✔ N/A
Weaknesses
Included blades: Firewall, App Control, Logging (SmartLog), Identity
• Throughput performance is an issue due to reliance on software in many areas. No single-pass, but
Awareness, Content Awareness, Network Policy Mgmt., IPsec VPN,
degradation with every enabled blade. Performance tuning guide is more than 300 pages long.
Advanced Routing & Clustering
• Slow to innovate. Often 24 months between announcement and release. Sold separately: IPS, Anti-Spam and Email Security, Data Loss
• Complex migration path from R77 to R80 and instability of newer releases (see caution rating in 2018 Prevention, Mobile Access
NSS Labs Next Generation Firewall Test). More information about blades
• Complex licensing with hidden renewal costs after the first year. Infinity Total Protection is too expensive
for enterprises.
• Limited automation on security gateways, and automation is disabled by default on management.
• Support is slow due to time zone differences between TAC and Dev. Lots of complaints.
• Upgrades and downgrades are painful, causing the second-most outages after user error.

© 2019 Palo Alto Networks, Inc. | PAN-OS vs. Check Point R80.30 | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 1
PAN-OS VS. CHECK POINT R80.30
Questions to Ask
Predictable Performance with Single-Pass Architecture
Check Point as Check Point as
Check Point’s security gateways often require extensive performance tuning. The “Performance Incumbent Primary ­Competitor
Tuning Administration Guide” is more than 300 pages long. No such document exists for Palo Alto
Networks. Finding the right Check Point appliance is difficult. Each blade is a separate product and Did you know migrating from
impacts performance. SSL decryption is implemented without hardware acceleration and can double R77 to R80 requires a complete Does the product work “out-
CPU utilization. Our Single-Pass Architecture allows accurate sizing, and security does not need to redesign and professional services? of-the-box” or require complex
be compromised for performance. R77 is EOS in Sept. 2019. Are you ­performance tuning?
prepared?
Best Security with WildFire
Still waiting on the release of SSL Is Check Point transparent about how
Check Point SandBlast only supports HTTP and SMTP, and it only generates short-lived, hash-based accelerator cards? You can decrypt datasheet numbers are measured, or
signatures. Common protocols like IMAP or SMB are not supported, which limits usefulness inside at wire speeds with Palo Alto do they revert to opaque enterprise
the perimeter. WildFire can detect the most evasive threats with our bare metal analysis, which is Networks today. traffic mixes?
not supported by SandBlast.
Does your vendor out-innovate
Natively Engineered Next-Generation Firewall Did you know Check Point’s Threat
your adversaries? How often are
Extraction feature requires your
Check Point tries to build an NGFW with acquisitions and third parties. The App, URL, IPS, and other major feature updates released, and
NGFW to be the first hop for
blades are based on acquisitions. The company’s AV engine for static malware analysis is provided by do you feel prepared for the latest
HOW TO COMPETE

­incoming email?
a third party. This bolt-on approach results in unpredictable performance and slows down trouble- threats?
shooting. Any issues have to be relayed to the third party through support. If Check Point decides to
Are you compromising security for How are you protecting your users
replace a vendor—e.g., Kaspersky in R77—then customers are required to upgrade their gateways.
performance (e.g., turning off IPS from phishing and credential theft
Single OS for Consistency signatures or blades)? attacks?
Check Point runs different operating systems on their SMB, enterprise, and chassis models. Does the competitor leverage third
Are you satisfied with your vendor’s
­Additionally, some releases are Management Only, and the gateways cannot be upgraded to them. parties for subscriptions? How
technical support? Are issues
With the latest release of R80.30, Management and Gateway are now separate installations. PAN- efficient is the support for these
resolved in a timely manner? offerings?
OS powers all physical and virtual appliances.
Simple Upgrades/Downgrades What is the strategy for security (In a POC, push for all vendors to go
as a whole? Cloud? Endpoint? from brand-new, fresh appliances to
Check Point customers need to perform a complex migration and retrain their staff when upgrading
Analytics? Etc. How does Check a full, POC ready environment at the
from R77 to R80, and rollbacks are arduous. PAN-OS upgrades are easy and do not require a certain customer site. How long did it take?)
Point help with those?
combination of hotfixes or patches to be in place.
What are your thoughts on having
Management via WebUI to fix your Check Point environment
—
Check Point requires the installation of a 1.5 GB Windows-only package of 10 different applications. after the company switched AV
A management appliance/VM is mandatory even for a few security gateways. Management VMs vendors?
require a lot of resources (min. 4 CPU cores, 16 GB RAM). PAN-OS can be managed directly on the
appliance, either centrally with Panorama or via an API.
Better Support
Palo Alto Networks TAC won “Outstanding Assisted Support Global” from TSIA in 2018. Check
Point’s TAC did not win any awards and is regularly quoted by Gartner as an issue that customers
bring up.

© 2019 Palo Alto Networks, Inc. | PAN-OS vs. Check Point R80.30 | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 2
PAN-OS VS. CHECK POINT R80.30

No. 1: Win on Price No. 4: Sell Open Server to Reduce Price

Check Point will offer aggressive discounts to incumbents. A POC is often the only way to show Open Server is a software firewall offered by Check Point
customers that better products are out there. New customers often enjoy several free one-year that is licensed by CPU core. It’s not a server, and it’s not
subscriptions (e.g., NGTP or SmartEvent for advanced visualization). They are often surprised at open. The product is not openly advertised, but it is still
renewal time about these additional costs. Appliances are often undersized. SSL decryption will, in available as of 2019.
most cases, double the hardware requirements. Customers initially like it because of the upgradability. Run
Counter steep discounting by selling our vision (Cortex and Prisma) and automation story. No gurus it on your own hardware (Dell/HPE/IBM) and scale by
required. upgrading your server if needed. The TCO is generally lower
SALES PLAYS AGAINST PALO ALTO NETWORKS

SALES PLAYS AGAINST PALO ALTO NETWORKS

than with appliances, but support costs are about twice as
No. 2: Position Threat Extraction high as compared to appliance (up to 40%).
Check Point claims “realtime” prevention via the SandBlast Threat Extraction blade and wrongfully The problem is the limited number of compatible servers
compares this to our five-minute WildFire update interval. Threat Extraction is Check Point’s patient zero and components (checkpoint.com/support-services/hcl).
offering, which strips potentially dangerous files from email attachments or browser downloads, sends Troubleshooting is difficult because the customer has to deal
them off for analysis and replaces them with a sanitized version. Threat Extraction has several limitations: with two vendors who will blame each other.
• It is limited to files send over HTTP or SMTP (no SMB or FTP support). No. 5: Put Competitors on the Defensive
• Only Microsoft Office and PDF files can be sanitized. Check Point sales reps are prepared to attack any vendor
on specific implementation details. This often puts the
• Protecting SMTP requires MTA mode (the firewall acts as email server). This can disrupt the other side in a defensive position and wastes customers’
email delivery process and complicate email troubleshooting while increasing cost and install time with technical discussions. See Objection Handling on
footprint. Page 4 for more information.
This “100% protection” story resonates with customers. Counter by pointing out the limitations, and
No. 6: Slip Zero-Dollar Orders into Renewals and Tell
explain how WildFire and Traps prevents patient zero infections without these limitations.
Customers They’re Free
No. 3: Show the Compliance Blade Dashboard and Reporting with SmartEvent A common ploy, especially for incumbent deals, is to give
The Compliance blade is a separate subscription that checks policies for adherence to best practices customers free Diamond support, or seats of endpoint
related to certain standards. Customers like it because it makes compliance look simple, and Check protection placed into renewals at a zero-dollar cost.
Point Sales Reps like it because we do not have an equivalent product. Point out these limitations: Customers see they are getting “free” product.
• The blade does not attest any compliance. • Nothing is free, and at next year’s renewal, that “free”
• It is limited to security gateway and management policies only. It has no visibility into endpoint, product is charged for renewal.
cloud, or OS configuration compliance. • Did the customer know they would be charged for the
• The pretty dashboard oversimplifies compliance requirements. The firewall is only one security product later down the line?
control among many in scope for compliance checks. Also, the checks are not verified to match • How many of these products have been rolled into a
against actual regulations; they are user-created. renewal and paid for even if they never got used?
• Reporting on this and other management/logging findings is done in a separate appliance or
blade called SmartEvent. This is Check Point’s SIEM answer, but it has extremely basic SOAR
elements.
• The reports are visually impressive, but reports on only half the data don’t really help security.

© 2019 Palo Alto Networks, Inc. | PAN-OS vs. Check Point R80.30 | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 3
PAN-OS VS. CHECK POINT R80.30
Feature Comparison Matrix
“Palo Alto Networks is not profitable.”
This is only true on a GAAP accounting basis. Check out our Financial Quarterly Highlights, which
demonstrate the financial well-being of the company. Feature PAN-OS 9.0 Check Point R80.30
“Palo Alto Networks Next-Generation Firewall can be evaded and fails open.” Predictable perfor-
mance with all threat No
This is often demonstrated via YouTube videos of unknown origin. Following our best practices prevention signatures Yes (every blade degrades
(now in IronSkillet) will stop all evasions from tools like HTTP evader and set the fail-closed option. due to Single-Pass ­performance)
“Palo Alto Networks cannot protect against attacks in real time.” Architecture

See the “Threat Extraction” sales play on Page 3. Natively engineered No (App & URL blades
Next-Generation Yes with underlying stateful
“Check Point Management is the de-facto ‘Gold Standard.’ ” Firewall ­inspection firewall)
This quote from the 2014 Gartner Magic Quadrant comes up regularly. In reality, Check Point’s Single OS for all form No (embedded and service
central management only covers its gateways and public cloud offerings. Dome9 and SandBlast Yes
factors provider OS different)
Agent/Mobile have separate consoles. DLP, Mobile Access, Anti-Spam, and HTTPS inspection
blades still use SmartDashboard (from R77). This is not the gold standard. Fat clients
OBJECTION HANDLING

Lean
Management UI (1.5 GB, Windows only,
Check Point uses an “Agony Meter” in an effort to prove effectiveness, but counting mouse clicks WebUI
10 apps)
is not a good metric. Well-documented, complete APIs and web-based management are more
important today. Being efficient at a single task that must be done multiple times due to lack of Requires separate ­appliance
Central management Optional or VM with high spec
automation is not effective.
­requirements
“Check Point covers more IPS, AV, App, and DLP signatures, and provides updates faster.” Bare metal malware
Yes No
Check Point claims to detect more signatures and types across these features, but more is not analysis
always better. It’s more important to be protected against current threats and have all protections
Natively integrated
always on without compromising security for performance. Yes No (third party)
antivirus
Check Point also claims a faster response time for releasing signatures. The question is how Vwire support Yes Limited functionality
effective these early signatures are, especially if there is no POC code or packet capture available.
These signatures often do simple pattern matching on samples, not the actual attacks that follow. HTTPS, SMTPS, HTTPS only
Decryption
FTPS, SCP/SSH (in software)
“Check Point detects more applications than any other vendor.”
DAG, EDL, HTTP Rest API for mgmt. only;
The number of applications can easily be inflated by changing the granularity or by adding niche Automation
Log Forwarding disabled by default
applications. How many of Check Point’s apps are actually seen in a typical deployment?
Any feeds via Buy feeds through
“Check Point has more researchers than any other vendor.” Threat intelligence feed
open source ­commercial IntelliStore;
ingestion
Check Point claims to employ 1,400 R&D employees compared to our 800. It looks different when MineMeld can share from STIX
you look at actual R&D spending according to official SEC filings: in 2017, we spent $347M while
Check Point spent $193M. We also increased R&D spending from $284M in 2016 to $347M in
2017, and further to $400M in 2018.

© 2019 Palo Alto Networks, Inc. | PAN-OS vs. Check Point R80.30 | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 4