Anyone running both Palos and checkpoints in their envs?
Anyone go from checkpoint to Palo in the last year or two?
Anyone go from Palo to checkpoint recently?
What versions of hardware and firmware are you running?
Do you use global protect?
How big is your estate?
From my experience stability highly depends on the number of features you use. We have experience with Palo, Check Point and Fortinet and while all of them have strengths and weaknesses, overall Palo Alto is my favourite by far. We are early adopters so we typically run recent versions.
I’m about 2/3 complete with a Checkpoint to Palo migration, so both have a heavy hand in my environment, which is about 5k on prem, 1k remote. We have a few Palos, but the biggest are 5410s on 10.2.x.
We currently use Checkpoint’s remote VPN solution but we might move to Palo in the coming months.
We moved away from CP primarily due to poor support experience but Palo has also been overwhelmingly disappointing as well.
Screw checkpoint man, Palos are 1000simpler
I have done migrations some years ago from CP R77.3 to Palo 8.X . Simple and faster integration with Palos . Global protect is free unless you need HIP profiles.
Migrated from a diverse Checkpoint environment into Palo Alto with Panorama for central management, primarily used expedition for migration of policies and interfaces however we soon learnt about the importance of policy tidying and a standardised structure with objects.
Just under 100 firewalls migrated to Palo!
Anyone running both Palos and checkpoints in their envs? YES
Anyone go from checkpoint to Palo in the last year or two? YES
Anyone go from Palo to checkpoint recently? Not even a thought.
What versions of hardware and firmware are you running? 5400’s on 10.2.8.
Do you use global protect? YES
How big is your estate? 6K employees and 12K hosts.
Check Point has a lot of old technical debt still in their product. I avoid them.
We have mostly Palo Alto, some Fortigates. We had only one checkpoint and we removed it, because PaloAlto’s usability outranks any vendor. PALOalto #1
For an estate of that size Premium/platinum service is not good enough. You should talk to your SE/AM about Focused Services. Its for larger customers and comes with dedicated TAC engineers, project management, and you start at T3 on any case you open. It costs money, but I run a team thar covers Fortune 50 accounts and ALL of them have it. Can’t run a big estate without it.
Platinum/Premium is built for smaller customers.
Edit: a word
That’s where I’m at right now. I even have platinum support and an EA with Palo. I’m thinking of starting to add to checkpoints to reduce blast radius. Did you find checkpoint more or less stable than Palo?
This is the way.
The surest way to get PTSD is to run checkpoint and expect it not to crash, or to expect their support to know how to fix it so it won’t crash. They will absolutely take your money however.
So far, what the last 10 years have taught me, is to run Palo on the perimeter, Fortinet on the intermediary, and anyconnect for remote access.
Every time we’ve tried to do any of these separate tasks on a unified management plane, people end up dead.
No, seriously. Checkpoint has assassins…
How did you find the stability of Checkpoint? I haven’t used them since R75.30 days. Never upgraded to 77.30 as we went to Palo. I’m having stability issues in 10.2 and I’m looking to bring checkpoint in.
Even Focused Services isn’t great. As a Focused Services customer, my tickets are usually updated with “referred to engineering”.
Why would you choose Check Point as a secondary over Fortinet? Fortinet is highest in ability to execute on the Gartner MQ.
Check Point carries significantly more stability than Palo. I use both, each for different purposes. There are some things Palo excels at while Checkpoint falls short and vice versa. Overall from a hybrid to cloud adoption, Checkpoint wins!
They where stable however we did hit multiple bugs which to this day we’ve not experienced the same with Palo.
Gartner mq are just orientation.
Checkpoint is in place for decades
I had never the issue that I can’t do it with checkpoint
The big point is: checkpoint is old and grown and 100 times more complex. But you also have nearly ALWAYS the option to trick to a solution
And we are not at the point where we talk over security wholes.
See last 10 years checkpoint cve count and level und the fortinet ones 
Ability to execute security at fortinet is low in direct comparison
Because Fortinet is buggy garbage and wouldnt they be so insanely cheap no one would buy this shit.
I agree with this completely. I recently moved from PAN’s to Checkpoints, and the checkpoints are crushing it from a policy and flow standpoint. Their smaller “small business” appliances can handle more than my PAN-5240’s. The simplified licensing is far more desirable, integrated threatcloud and sandblast hasn’t even broken a sweat.
However, I absolutely despise their remote access VPN solutions right now. I much prefer GP (aside from the asinine absurd CVE). I can implement a machine auth PKI infra for GP in less than 30 mins and have it handle everything I need, where as with Checkpoint, it’s a long drawn out process due to needing their EDR to properly handle it. For most cases Checkpoint just does damn well for less. However I will still recommend PA’s for remote access, and some other niche items.
As a former checkpoint engineer, they have vulnerabilities, they just don’t tell you about them unless they are affected and they may or may not report the CVE.
Checkpoint is notably absent from CISA’s Secure by Design Pledge
Also, ~80% of Fortinet’s vulnerabilities are discovered internally and not being exploited in the wild.