Thursday, January 5, 2017

Check Point support - are you happy with it?

One of the recurring complaints around Check Point is about support. Every third post at CPUG mentions CP support being slow, ineffective, sometimes calling names.

Even in the latest Gartner Magic Quadrant for Enterprise Network Firewalls 2016 report, one of the cautions says:

 -  Gartner receives anecdotal reports from clients about support issues, mostly focused on the time it might take to get appropriate escalation. Gartner analysts recognize that this is inevitable for a vendor of this scale, but note that the frequency of issues is, of late, slightly higher than its direct competitors. Check Point has recently extended the support quality metrics it monitors to address this issue and monitor its progress.

I am personally not convinced Check Point support is the ultimately worst of all. I have seen some cases with other security and technology vendors and can say one's support experience with Check Point could sometimes be seemed as swift and easy in comparison.

I have also seen quite a few positive examples about Check Point support, mostly with more expensive Diamond plans, but also with some basic cases.

Support experience is a function of many factors: severity of an issue, an understanding of one's own security system and networks, and of course, an understanding of what to expect in the first place. I have seen many occurrences when SLAs and timing were completely misunderstood by a customer. I have even published a quick guide for support plans in 2015.

Granted, support can always be better. There are no magic bullets and "fix all" checkboxes, although sometimes Check Point seems to do miracles while fixing your things.

What is your own experience with Check Point support? Is it adequate, good, bad, mediocre, fantastic? What would you improve? What are you happy with?

Please do not hesitate to share in the comments.


  1. No doubts there was improvement recently. And in my opinion CP support, including Diamond used to be terrible in the past (on average), much worse than industry average.

  2. I would say this reflects more on the Check Point partner support than the vendor themselves, as most Check Point customers that I know have co-operative support and so only really interact with their VAR/Partner.
    Check Point are working on ensuring their partners are up to scratch, but this is always going to be an issue in a channel based model, and re-enforces the role that a good VAR/Partner plays.

    1. I have never seen any complain about authorised support partner, but quite a few about CP support in particular

  3. I would say that support and QA is the issue. Documentation is not full and updated. Another question is why CCSM guys don't get tier 3 support automatically. It was promised but hasn't been done.

  4. CP support is rather good; of course it has it's way up to Cisco's level of support, but working in multi vendor environment I can tell you it's OK, it's working.

    If you look for a reference about worst ever popular vendor support, look no further than Fortinet, it's beyond fairy tales.

  5. I have experienced problems that checkpoint does not read what you write. Yout tell them, that you have 50 gateways, all running in production, running alle the same hotfix except one. Then they tell you to send them all cpinfo from all gateways and the response is that they ignore the one with the different atch/hotfix installed.

    So CheckPoint should read more carefully what the customer is telling. In my example we have a dedicated support parter which we have to consult first. This partner is collecting often missing information and is sending it to checkpoint, telling checkpoint what was already done or not. So CheckPoint "should" have a good base to start debugging.

    The other this is the bad QA and these so many "special for your environment" hotfixes which do not find its way into the Jumbo HFAs. So for every update you have to ask again to make sure that "your special hotfix" ist (a) compatible with the new JHFA or (b) is already integrated in the new HFA.

    The third thing is that you often get the answer "please update to the latest JHFA" but they do not tell you what the reason is. So I - as customer - does not know what they are looking for. So telling the customer what CheckPoint thinks is the problem should be important.

    So in my opinion it should be like this:
    - Reading carefully what the custiomer already did and what environment he has
    - Telling the customer what CheckPoint thisnks/works on what could be the problem/reason for the customer's issue
    - Telling the customer why the lates JHFA (beta) Hotfix should fix the customers problem
    - Accept that the customer cannot or is not able to update the complete infrastructure with a new HFA even if it is not clear that it will fix the issue.
    - Accepting that customers need to go to different stages before bringing an update live. So the customer must be sure that the hotfix will fix the issue.

  6. It's a crap shoot for Check Point support. If you get someone that knows their stuff, they can do wizard level assessment and solutions... but if you get Tier 1 you may or may not get the correct answer (blatantly wrong sometimes - causing additional problems). I've also seen the range of immediate escalations to the right person and taking a week or more blaming holidays in Israel, vacations, etc. I like CP. It's easy. Their product is the only one that really scales for enterprise, but support depends on who was hired/got a better job that week.

  7. CP diamond support is good but we have seen issues when channel partners comes in middle.

    They 1st do their own analyais,that regular exp customers already does & collect files then open TAC. It Takes much more time to get higher level eng support,Timezone also play some role in this regard.

    SLA, Severity is considerable but when we see some progress is happening. MANY Times they take RDP for long times OR ask for data , modification etc. that doesn't give good user experience.

  8. Im a certified CCSM and Fortinet and Juniper certified. I have to say after 5 plus years in the field that Check Point support is hands down the best. Ive been to Israel for the advanced training and boy do their engineers know their stuff. Fortinet support I can count on two fingers the names of their tier 3 engineers i can confirm have skills. sometimes it can take multiple days just to get a basic update. If you are stuck with a VAR that has lots of trainee engineers then your level of service may be effected. However is this fair to bash on the vendor support ? if you have only ever had Check Point support then seriously go try another vendor and come back and tell me Check Point it bad.

  9. Im premium support user, and im waiting for replacement of failed ddos protector more than week. Thats even worse than cisco standard support.

  10. I used to work in VAR support for Check Point and several other vendors. This was from 2009-2013. I will say that it's nearly impossible to generalize support as a whole. It's really just luck of the draw. Support jobs are closer to entry level and the pay is typically less than consulting or sales. So the best support techs get promoted or move on within a few years. The rest stick around or get moved. I think a good support department is one that does what they can to hold onto their good people.

  11. My main issue with Check Point Support is, like mentioned above, that they dont read what I write. They always need a live session where I show them the issue.
    It gets worse if the Case is handed over to someone else. Instead of reading the Case History, I have to explain and show it all again. For one case, I had to go through this THREE times, and in the end we had to do a reset_gw because nobody was able to pinpoint the source of the problem.

    Another pet peeve of mine is when I have to open a case because an issue is not covered in Secure Knowledge. After closing the request, I answer in the questionnaire that Secure Knowledge was of no use.
    Every time, I get an email afterwards, why I gave Secure Knowledge a bad score. Go figure...

    Other than that, I have seen worse, and I have seen better.

  12. Worked for Palo Alto Tac as Tier2,Tier3 engineer.

    Then touching Checkpoint devices and talk with their support.

    Its a huge difference betwen Palo Alto support and CP.

    CP tac engineers tells partners to replicate the issue before sending it to them.
    This is TAC job, right ?

    iy luck you get a skilled tac engineer with Cp, if not need to open a case a few times until you reach one.