Check point response to Cisco NGFW competitive

1. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Restricted] ONLY for designated groups and
individuals
Q3, 2016 | 1
ITEM 1: THIRD-PARTY FINDINGS
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS:
 Efficacy : Cisco quotes NSS-BDS 2016 results where it indeed scored 100% and Check Point Scored 99.4% (both great
results) , what is not mentioned that Cisco used 2 products to achieve that score (Firepower and AMP endpoint) where Check
Point used 1
 If comparing apples-to-apples NGFW solutions which is the scope of THEIR COMPARISON , if we take the latest NSS NGFW
test, check point scored 99.8% security efficacy where cisco missed 2900% more exploits than check point (see more here)
 Time to Detection: not clear why they represent it like this , in fact Check Point average response was ~50% faster than Cisco
(see more here)
WHAT
 CISCO PUBLISHED A COMPETITIVE COMPARISON OF ITS NGFW SOLUTION VS. OTHER VENDORS (PAN,
FORTINET, CHECK POINT) : http://www.cisco.com/c/m/en_us/products/security/firewalls/competitive-comparison.html
 THE COMPARISON CONTAINS SOME INACCURACIES ABOUT CHECK POINT
 THE BELOW CONTAINS FUD – FACTS, UNDERSTANDING AND DETAILS ABOUT CISCO COMPARISON IN
REGARDS TO CHECK POINT
CHECK POINT RESPONSE TO CISCO NGFW COMPETITIVE

2. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Confidential] ONLY for designated groups and
individuals
Q3, 2016 | 2
Competitive Cheat Sheet
ITEM 2: SECURITY FEATURES
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are inaccurate:
1. Continuous analysis and retrospective detection – supported (in Early Availability )
2. Network file trajectory – supported (SandBlast Agent)
3. Impact assessment – supported (SmartEvent, Sandblast)
4. Security automation – supported (R80)
5. Behavioral IOC – supported (Anti-bot)
6. User, network, endpoint awareness – supported (across all products)
7. NGIPS – supported , with the highest security effectiveness in the industry (according to NSS LABS)
8. Integrated ATP – supported (Sandblast suite)
9. Malware remediation – supported (SandBlast Agent)

3. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Confidential] ONLY for designated groups and
individuals
Q3, 2016 | 2
Competitive Cheat Sheet
ITEM 3: OPERATIONAL CAPABILITIES
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are inaccurate (except the claim that our management is excellent):
1. Scanning architecture: Check Point supports parallel processing (more info here 1:19)
2. Software-based segmentation : supported (actually with Cisco TrustSec & ACI , but also NSX, Azure, Aws,OpenStack and
more)
3. Automatic threat containment : supported (actually with the same Cisco ISE , but also with cooperative enforcement )
4. Operations and management : we agree it is indeed excellent
5. Different API’s : supported (REST API ,SANDBLAST API, similar to their proprietary ones)

4. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Confidential] ONLY for designated groups and
individuals
Q3, 2016 | 2
Competitive Cheat Sheet
ITEM 4: ICS/SCADA
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are inaccurate (except the first and last statement):
1. Base feature set : Check Point includes all relevant protections for SCADA
2. SCADA rules : rules meaning numbers of signatures and AVC , check point supports over 1,000 “rules” (more than 800
SCADA detectors , more than 300 IPS signatures)
For a more accurate comparison, read the “zero tolerance” report here) below a recap

5. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Confidential] ONLY for designated groups and
individuals
Q3, 2016 | 2
Competitive Cheat Sheet
ITEM 6: THREAT INTELLIGENCE
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are inaccurate:
Check Point ThreatCloud holds over 30M of IOC’s (files, hashes, domains, URL), with more than half a million unique samples per day
ITEM 7: SERVICE PROVIDER
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are mostly accurate, though shows their weakness:
Cisco uses third-part stitching (mostly as a concept except Radware), where check point can provide best of breed in house solution

6. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Confidential] ONLY for designated groups and
individuals
Q3, 2016 | 2
Competitive Cheat Sheet
THE CHECK POINT ADVANTAGE
Unbeatable security & best management efficiency with predictable performance in the real world
Strongest Protection with Multi-Layer Security
 Industry-leading security award winning Next Generation Firewall
- Leader in Gartner's 2016 Magic Quadrant of Enterprise Network Firewall (NGFW), since 1997
- Recommended rating in NSS Labs 2016 Breach Detection System test (BDS)
- Recommended in NSS Labs 2016 Next-Gen Firewall test (NGFW)
Best management and visibility
 Easily control over 7,270 apps, 264,256 internet widgets and 200M websites by user, group, or OU
 Protect clear and encrypted traffic against data breaches with strong DLP
 Provide simple and secure corporate access from all mobile and fixed endpoints
Most efficient security consolidation while keeping predictable real world performance
 Predictable real-world performance with Security Power (SPU)
 Lowest management labor time according to NSS
 Industry’s only true unified management and reporting solution covering all aspects of security
CISCO FACTS
Security: with its integrated Sourcefire solution, Cisco provides partial security solution
 Cisco ASA equipment affected by severe vulnerability – (Read more: http://goo.gl/B6IVKR)
 Vulnerable to a full inspection bypass, allowing an attacker to bypass malware detection mechanisms (https://goo.gl/VwCELc)
 Cisco Botnet filter lacks core components to detect network behavioral anomalies
 Cisco has limited visibility of risk with 68 P2P/File sharing types vs. Check Points 342+
 The APP Gap: Cisco has limited application awareness with ~4,366 apps vs. Check Point over 7,270
 Cisco management has multiple vulnerabilities (CSRF - http://goo.gl/I9ukZP) and (Cross-Site Scripting http://goo.gl/cRXw0n)
 Cisco new unified image Firepower Threat Defense (FTD) has many limitations and missing features such as High
Availability, remote access VPN, multiple context, QoS, PBR, etc.
 Cisco has 3 separate images (ASA, FirePOWER and FTD) for different appliances lines and different managements which adds
to deployment complexity and increase admin labor time
Management: with its Sourcefire integrations, Cisco solution requires two separate management Interfaces
 Cisco needs 3 separate management consoles to properly manage Threat Prevention, Content Security, and 3
rd
party event
analysis (Splunk, Logrythm) (vs. 1 from Checkpoint). In some cases with cisco CSM (core FW) is also needed
 Cisco needs an added Security Administrator headcount compared to Check Point due to cumbersome management
interface (according to 3rd party analysts)
 Cisco lacks an Event Analysis solution—no correlation of security events leads to lack of visibility & added management time
 Cisco troubleshooting with FirePOWER management, requires an admin to look at seven different categories for threat
prevention and Next-Gen logs
 Cisco central management lacks some basic multi-domain tasks such as Global IPS, Global services, Global VPN
Performance: Cisco very high price performance makes it a less attractive solution
 Cisco is limited in regards to VPN setup rate with 95% less tunnels comparing Check Point
 Cisco fastest appliance performs only 225Gbps of Firewall throughput (Check Point’s is 400Gbps)
 Cisco shows very high cost performance (x3 times more than Check Point )
 Cisco-FirePOWER SSP20,40,60 with FirePOWER services and 4000 series show very low performance throughputs
compared to Check Point parallel appliances
FOR MORE FACTS SEE “WINNING AGAINST“SLIDE DECK IN
COMPETITIVE WIKI OR PARTNERMAP