We use Check Point Gateways for securing our data centers including DMZ networks as well as gateways for our branch offices around the world. They are connected via MPLS, internet, or site-to-site VPNs depending on the branch connectivity.
A minimum standard for the whole environment is the NGFW. Firewall rules according to our security policy. VPN for site-to-site tunnels to our own gateways or to partners and customers. IPS is set primarily to prevent, and for some signatures to detect.
Application Control is still in the early stages.