We just raised a $30M Series A: Read our story

Forcepoint Next Generation Firewall Competitors and Alternatives

Get our free report covering Fortinet, Palo Alto Networks, Darktrace, and other competitors of Forcepoint Next Generation Firewall. Updated: November 2021.
552,695 professionals have used our research since 2012.

Read reviews of Forcepoint Next Generation Firewall competitors and alternatives

MK
IT Administrator / Security Analyst at a healthcare company with 11-50 employees
Real User
Reliable, good support, good documentation makes it straightforward to set up

Pros and Cons

  • "We get the Security Intelligence Feeds refreshed every hour from Talos, which from my understanding is that they're the largest intelligence Security Intelligence Group outside of the government."
  • "It would be great if some of the load times were faster."

What is our primary use case?

I am an IT administrator and my job is probably 80% security analyst. We are a HIPAA environment, so we're a regulated industry and my job is to keep us from being breached. It's extremely difficult and an ever-changing, evolving problem. As such, I spend a couple of hours a day just reading everything threat report from every source I can get. 

We have a pair of 2110 models, with high availability set up.

There are multiple licenses that you can get with this firewall, and we subscribe to all three. A few months ago, we made the decision to do an enterprise agreement just because of the amount of security software we have. We subscribe to the threat, the URL, and the malware licensing. We use it for IPS, URL blocking, IP blocking, and domain blocking.

We've embraced the Cisco ecosystem primarily because I think they made some very intelligent acquisitions. We talk about security and depth and they've really done a good job of targeting their acquisition of OpenDNS Umbrella. It's all part of our ecosystem.

I take the firewall information and using SecureX, Cisco Threat Response, AMP for Endpoints, and Umbrella, I'm able to aggregate all that data with what I'm getting from the firewalls and from our email security, all into one location. From my perspective, being a medium-sized organization, threat hunting can be extremely difficult.

How has it helped my organization?

This product enriches all of the threat data, which I am able to see in one place.

There's nothing I personally have needed to do that I haven't been able to do with the firewall. It integrates so tightly into how I spend the majority of my day, which is threat response.

Much of this depends on any given organization's use case, but because I was an early adapter of Cisco Threat Response and was able to start pulling that data into it, and aggregate that with all of my other data. As I'm doing threat hunting, rather than jump into the firewall and look in the firewall at events, I'm able to pull that directly into Threat Response.

The ability to see the correlation of different event types in one place, these firewalls have definitely enriched that. You have Umbrella, but there are so many different attack types that it's good to have the DNS inspection at the firewall on the edge level too. So, the ability to take all of that firewall data and ingest it directly via SecureX and into our SIEM, where I have other threat feeds, including third-party thread feeds, gives our SIEM the ability to look at the firewall data as well. It lends to the whole concept of layering, where you don't have to have all of your eggs in one basket.

With our Rapid7 solution, I'm able to take the firewall data and dump it into our SIEM. The SIEM is using its threat feeds, as well as the threat feeds that are coming from Cisco Talos. In fact, I have other ones coming into the SIEM as well. So, I'm able to also make sure that something's not missed on the Talos side because it's getting dumped into our SIEM at the same time. All of this is easy to set up and in fact, I can automate it because I can get the threat data from the firewall.

In terms of its ability to future-proof our security strategy, every update they've done makes sense. We've been using one flavor or another of Cisco firewall products for a long time. Although I have friends that live and die by Fortinet or Palo Alto, I've never personally felt that I'm wanting for features.

What is most valuable?

We get the Security Intelligence Feeds refreshed every hour from Talos, which from my understanding is that they're the largest intelligence Security Intelligence Group outside of the government. My experience with Talos has been, they're pretty on top of things. Another driving factor towards Cisco: We get feeds every hour, automatically refreshed, and updated into the firewall.

If I had to rely on one security intelligence, which I wouldn't, but if I had to, I'm sure it would be Talos. The fact that it gets hourly updates from Talos gives me some peace of mind.

The real strength for the Cisco next-generation firewall is it'll do pretty much anything you want it to do, although it requires expertise and proper implementation. It's not an off-the-shelf product. For instance, there are some firewalls that may be easier to set up because they don't have the complexity, but at the same time, they don't have the feature set that the Cisco firewall has.

The firewall does DNS inspection, and you can create policies there.

The firewall integrates seamlessly and fully with our SIEM. We use a Rapid7 SIEM inside IDR and it now integrates seamlessly with that. Cisco's doing a lot more with APIs and automation, which we've been leveraging.

In terms of application visibility and control, I used the firewall and I also use Umbrella, but it depends on what it is that I'm seeing. One component that I use is network discovery. When you configure the policy properly, it'll go out and do network discovery so you're not loading up a bunch of rules you don't necessarily need. Instead, you're targeting rules that Cisco will say, "Hey, because of network discovery, we found that with this bind to whichever version server, we recommend you apply this ruleset." This is something that's been very helpful. You don't necessarily have to download every rule set, depending on your environment.

I have used it for application control. Right now, we're in the midst of doing tighter integration with ISE and the integration is very good. This is something that we would expect, given that it's a Cisco product.

I use the automated policy application and enforcement every chance I get. Using an automation approach, I would rather have a machine isolated even if it's a false positive because that can happen much faster than I can get an alert and react to it. On my end, I'm trying to automate everything that I can, and I haven't experienced a false positive yet.

Anything that's machine learning-based with automation, that's where I'm focusing a fair amount of attention. Another advantage to having Cisco is that their installed base is so huge. With machine learning, you're benefiting from that large base because the bigger their reach is, the bigger and better the dataset is for machine learning.

At some point, you have to trust that the data set is good. What's impressed me about Cisco is with all of our Cisco products, whether it's AMP or whatever, they're really putting an emphasis on automation, including workflows. For someone like me, if I get an alert in the middle of the night and I see it at 6:00 AM, it is going to be a case of valuable time lost, so anything that I can do to make my life easier, I'll definitely do it.

What needs improvement?

It would be great if some of the load times were faster. My general sense is that it's probably related to them taking a couple of different technologies and marrying them together. We are using virtual, so the way that I handled that was to throw more RAM in it, which these days, is pretty cheap. I could see some improvement with the speed of deploying policies out, although it's not terrible by any means. One thing about Cisco is whatever they're doing, it keeps getting better.

The speed of deploying policies could be improved, although it is not terrible by any means.

Another legitimate criticism of Cisco that comes to mind is that you need to make sure you've got your licensing straightened out. I haven't had any problems in a long time, but I know people that haven't used Cisco products sometimes can run into issues because they haven't figured out so-called smart licensing. Depending on the Cisco person you're working with, make sure you have all that stuff all set to go before you start the implementation.

That's an area that Cisco has been working on, I know. But licensing is a common complaint about Cisco. I suggest making sure that you have that stuff in place and you've got all your licenses all ready to go. It seems like a dumb thing, but my most common complaint about Cisco before we entered into our enterprise agreement was licensing. When it's working, it's great, but God help you if you've got a licensing problem.

What do I think about the stability of the solution?

They've been very reliable for us and we haven't had one fail, so we've never had to failover. That has been generally my experience with Cisco products, which is one reason that we tend to lean on Cisco hardware for switching, too. The reliability of the hardware over the years has been very good.

What do I think about the scalability of the solution?

We have integrated these firewalls with other products, such as Cisco ISE, and it hasn't been a problem. ISE is a Cisco product so it would make sense that it integrates well, but ISE integrates with other firewalls as well.

Everything that I've done with these firewalls has been pretty seamless. We've had no downtime with them at all. They've been very rugged as we expanded usage through integration.

How are customer service and technical support?

People knock Cisco TAC but in my experience, they have been very good. I've always found them to be extremely helpful. Friends that I have made from inside Cisco say, "Hey, you want me to look at this or that?", which is very helpful.

Which solution did I use previously and why did I switch?

The big three solutions, Cisco, Fortinet, and Palo Alto, are all really good but I tend to lean on Cisco versus the others because one of their strengths, in general, is threat intelligence. When you put a bunch of security people in a room then you have a lot of consensuses, but like anything, you'll have a lot of disagreements, too.

Each of these products has its strengths and weaknesses. However, when you factor in AnyConnect, which most people will agree is state-of-the-art from a security standpoint in terms of VPN technology, especially when it's integrated with Umbrella, it plays into the firewall. But, it always comes back to configuration. Often, when you read about somebody having an attack, it's probably because they didn't set things up properly.

If you're a mom-and-pop shop, maybe you can get by with a pfSense or something like that, which I have in my house. But again, if you're in a regulated environment, you're looking at not just a firewall, you're looking at all sorts of things. The reality is, security is complicated.

How was the initial setup?

Cisco gives you lots of options, which means that it can be complicated to set up. You have to know what you're doing and it's good to have somebody double-check your work. But, on the other hand, it does everything from deep packet inspection and URL filtering to whatever you want it to do, with world-class integration. It integrates with Umbrella, AnyConnect, ISE, StealthWatch, and other products.

It is important to remember that a firewall is only as good as it's configured. Sometimes, people will forget to configure a policy, or they will create the rules but forget to apply them. It comes back to the fact that it's a professional product and it's only as good as the person who's using it.

I do some security consulting and I've seen many misconfigurations. People will write a Rule Set but forget to apply it to a policy, for example. There is no foolproof product and I think it is a challenge to say, "Wow, this firewall is better than that firewall." These things are complex, but Cisco has always, in my mind, set many kinds of standards. I don't know any serious security person that would argue that.

Especially AnyConnect with an Umbrella module attached, I think most people would argue it's state-of-the-art. I know that I would because it allows me to do a couple of things at once. It's not just the firewall; it's AnyConnect, and it's what you can do with AnyConnect given its functionality with Umbrella. It gets kind of complicated and it depends on the use case, and some people don't need that.

Again, what makes it difficult to say something about a firewall is, the configuration possibilities are so varied and endless. How people license them is different. Some people think, "I prefer the IPS License," or whatever. But again, I think to get the strength of a Cisco firewall is just that.

I found our setup straightforward, but you don't go into it blind. You have to be clear on your requirements and you need to take the setup step-by-step. Whenever I deploy a firewall, I have a couple of people to double-check my work. These are people who only work on Cisco firewalls and they act as my proofreaders whenever I am doing a new deployment.

Cisco's documentation is very good and it's always very thorough. However, it's not for a novice, so you wouldn't want a novice setting up the firewall for an enterprise. Personally, I've never had any issues with policies not deploying properly or any other such problems.

Talking about how long it takes to deploy, it's a good weekend if it's a new deployment. It's not just clicking and you're done. I haven't installed a Fortinet product, but I can't imagine any of them are easy to install. Essentially, I found it straightforward, but it is involved. You've got to take your time with it.

You need to make sure anything you do with your networking, that you have it planned out well in advance. But once you do that, you go through the steps, which are well-documented by Cisco.

What's my experience with pricing, setup cost, and licensing?

Cisco is not for a small mom-and-pop shop because of the cost, but if you're in a regulated industry where a breach could cost you a million dollars, it's a bargain. That's the way I look at it.

Which other solutions did I evaluate?

We also use Cisco Umbrella, and I may use features from that product, depending on where I am.

What other advice do I have?

Every firewall has its pluses and minuses, but because we've taken such a layered approach and we're not relying on one thing to keep us safe, I've never really gone, "Oh, I've had it." I've heard some complaints about Cisco TAC, but generally speaking, I've been able to configure them and do whatever I need to with the Cisco firewall. There's nothing in my experience with Cisco that leads me to believe that that's going to stop.

I've always felt comfortable with every Cisco purchase we've made and every improvement they've made to it. I think they keep moving in a positive direction and they're pretty good with updates and fixes. You can have 10 people, networking people or security people, and they'll all have different takes on it. That said, I've always been very comfortable. I don't stay up at night and worry about our firewalls.

One thing to remember about Cisco is that whatever they're doing, it just keeps getting better. In my experience with Cisco, I have yet to have a product of theirs that they haven't improved over time. For example, we bought into OpenDNS Umbrella before Cisco acquired them. At the time, I was wondering whether they were going to improve it or what was going to happen with it, because you can never be sure. Again, Cisco has done nothing but improve it. It's a far more mature product than when we picked it up five or six years ago.

While not directly related to the NGFW, it speaks to Cisco's overarching vision for security, which again, I'm always looking at layers. If you're thinking that you're going to secure an environment by buying a firewall, yes, that's a really important piece of it, but it's only one piece of it.

Cisco is a company that is really open about vulnerabilities, which some people could see that as a negative but I see as a positive. I do security all the time, so I'm always going to be paranoid. That said, I've spent so much time doing this stuff that I've developed a lot of trust in Cisco. Again, I think there are other great products out there, but Cisco has made it really easy to integrate stuff into this ecosystem where you have multiple layers of not perfect, but state-of-the-art enterprise security.

My advice for anybody who is implementing this solution is, first of all, to know what you're doing. If you're not sure then get somebody that does. However, I would say that's probably true of any firewall. If your business relies on it, have all of your information ready beforehand, it's just all the straightforward stuff that any security person needs.

In summary, I think what I can say about them is there's nothing I needed to do that I haven't been able to do. I have incredible visibility into everything that's happening. We continue to leverage more features, to use it in different ways, and we haven't run into any limitations. I cannot say that the product is perfect, however, and I would deduct a mark for the interface loading. It's not terrible but sometimes, especially when you're doing the setup, it can chug away for a while. Considering what the device does, I think that it's a small complaint.

I would rate this solution a nine out of ten.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
MM
Core Network Manager at a comms service provider with 11-50 employees
Real User
Top 20
Excellent integration capabilities, good UI and offers great security features

Pros and Cons

  • "Overall, it's nice and very user friendly. That's what makes it so successful. They give you complicated features but with a very simple user interface, and that's been a big success for them."
  • "The support needs to be improved."

What is our primary use case?

We mostly implement this product for our clients.

What is most valuable?

There are many great aspects to the product. 

It's flexible. It's possible to have it on a universal CPE. The CPE is a small server or device that can be installed on the client's premises which the FlexVNF software can be installed onto. It doesn't have to be a vendor-specific CPE. This can help users reduce costs. Other solutions don't offer such flexibility.

One of the interesting things about the solution, which is not an easy feat, is that they offer a multi-tenancy solution at the CPE level.

They also allow for the integration of their solution as a provider with other security vendors, like Fortinet, Palo Alto, and Forcepoint. With other vendors, they stick with their own security appliances or images. This solution, however, really does try to integrate with everything.

In terms of support, they are very focused on SD-Wan technology. They are not working on multiple technologies. This ensures your business is very focused. It allows you to be very focused on your support and ensures your level of support will be very high. The customers will be satisfied with the results. 

The development is fast because they are only focused on one direction. Of course, SD-WAN not only means that you are optimizing the routing and the speed of the internet but also it allows you to optimize the security. Users can have better, more advanced security features. 

They are focusing on integrating their security features right now. They are growing quickly in this direction. That means they're giving a lot of attention to the security within the product. It's making it a more complete product without forcing you to just use Versa.

Overall, it's nice and very user friendly. That's what makes it so successful. They give you complicated features but with a very simple user interface, and that's been a big success for them.

What needs improvement?

The support needs to be improved. 

The interface does still need enhancements to make it even easier to operate in the future. They have complicated policies that need to be applied.

For how long have I used the solution?

We've been using the solution for about one and a half years now.

What do I think about the stability of the solution?

If the setup is done properly, the solution is quite stable. There's no need to worry about bugs and glitches. It doesn't crash.

What do I think about the scalability of the solution?

It is easy to scale. The solution has considered various roadmaps and focused on future growth for organizations. Some features may not be active just yet, however, they are in the roadmap.  They are looking at, for example, delivering Ethernet over two or three layers, over the internet, which is very interesting and is, in my opinion, revolutionary.

The solution benefits huge companies, more so than smaller ones. Currently, various product features are capable of fulfilling any big enterprise requirements. They are trying to get the certifications from international security communities like Gardner. Their focus is more so on the larger scale organizations and they are trying to compete with companies like Cisco, Palo Alto, etc. Since it is meant for bigger companies, it can get pretty big itself.

How are customer service and technical support?

Their support is okay, but they need to grow it out faster. They need a better mechanism for getting quick responses to clients and to hire more people on the support level. The gold standard is Cisco, and they should try to be more like that. 

They have a very focused product and because of that, they need a very focused support staff. They should have different people who are specialized on different aspects. They don't have to spend a lot of money to do this, they just need to ensure they have the right people in place to answer questions.

It seems a bit unfair to judge them in totality, however, as I just had one instance with them so far. 

How was the initial setup?

The solution's initial setup is complex in that it's not plug-and-play. You won't face zero-touch provisioning with this solution. Instead, there will be a staging process. It requires certain commands and you need to run it on Linux or Unix.

The solution has some issues with staging, and, if you compare it to other products, you'll see other vendors are much more straightforward. Zillow Clouds and Meraki are two good examples of a straightforward setup.

For myself, I have a technical background. These things are interesting for me, and I'm happy to do it, but on the commercial side of things, the customers don't really want to deal with difficult setups. Usually, however, it's the partner that provisions for the client, so the client never has to really deal with these issues. If you are a partner or a supplier, you'll end up doing this part yourselves. So, for those that know the product, it can be considered straightforward.

After that, users will enjoy a lot of features. 

It only takes about one hour to deploy the solution. I handled the POC myself and I've done some extensive training. I didn't feel comfortable in staging Versa devices. This was a problem. For comparison, if you would like to stage a VeloCloud device, it may take from you 10 minutes, whereas Versa could take about an hour.

If you are facing complications, you need to spend time understanding them before doing the provisioning. It will take some effort to understand the staging process, but it's worth it to take a step back. 

What about the implementation team?

I handled the POC myself and I've done some extensive training, so I was able to handle all the provisioning and staging. We found we struggled a bit with our engineers figuring out how to write everything correctly. Unlike other deployments where it's a very straightforward couple of clicks, if you make a mistake in provisioning there is a receipt required, and you need to call the engineer from your Versa vendor to help troubleshoot problems.

What's my experience with pricing, setup cost, and licensing?

In the end, it's not only about cost. A lot of big enterprises don't care about the cost. They care about having a single point of contact to take care of their security and internet routing optimization. Having one support ultimately reduces costs, as there would only be one maintenance contract and one device.  

What other advice do I have?

We have a lifetime implementation. We're using the latest version of the solution.

It's a good product for high-end and large enterprises, but smaller enterprises might not be a good fit.

I'd just advise that especially surrounding the initial setup, a new company needs to ensure they have the right support in place. Companies need to make sure their SLA's are very clear so they can get the support they need from the outset and into the future. Compare companies and be clear about the requirements and you will have an easier time.

I'd rate the solution eight out of ten. I'd give it full marks, however, I do believe that they can continue to improve on the existing product in various ways. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CL
System Architekt at a financial services firm with 1-10 employees
Real User
Top 10
Prevents users from accessing things on the Internet that they are not supposed to access

Pros and Cons

  • "The firewall feature and DDoS Protector, when turned on, keep away attacks from the outside. They also prevent users from accessing things on the Internet that they are not supposed to access."
  • "It depends whether the problem is known to Check Point. If they are aware there is a problem, quite often it will then depend on which tech you finally land on if it's easier or harder to get to the root cause. The last issue was in India so that was pretty bad. It's easier if you get directly through to Tel Aviv or Ottawa, but you can't choose. Once they know what the issue is, it's pretty good. It pretty much depends on the engineer that you get. There are pretty good engineers and there are many engineers who are at just the starter level at Check Point who are not really into the stuff. Sometimes it's hard, sometimes it's easy, depending on the problem and the tech engineer you get."

What is our primary use case?

We use it as a normal firewall for perimeter security, using some of the Next Generation features, like Anti-Bot and Antivirus. 

We have two ISPs. We have a different firewall system in front of the Check Point Firewall. We also have normal Cisco switches combined with the Check Point solution. Then, our internal network is with Cisco, which is about 300 servers and 1,500 clients.

How has it helped my organization?

Since we are an insurance company, the solution is a necessity.

Two-thirds of our employees are working at home at the moment, so we use the VPN feature more than we used to. Of those two-thirds, only 100 or 200 are using the remote client from Check Point. The other employees are using other technologies, like NetScaler from Citrix. 

What is most valuable?

We use the basic firewall functionality, plus the VPN functionality, a lot.

We have about 100 remote sites, which is where we use the VPN functionality. For private lines, we prefer to do further private encryption on the line. It is very convenient to do it with Check Point, if you have Check Point on both sides. It is convenient and easy to monitor.

The firewall feature and DDoS Protector, when turned on, keep away attacks from the outside. They also prevent users from accessing things on the Internet that they are not supposed to access.

What needs improvement?

The Threat Emulation definitely needs improvement. A couple of years ago, we did a comparison with other companies, e.g., Lastline, offering threat emulation and threat detection functionalities, and Check Point was lacking. 

For how long have I used the solution?

I have been using Check Point for 22 to 23 years. I have been using Check Point NGFW for 15 years, since 2005.

What do I think about the stability of the solution?

We used to have more problems. For the past five years, unless we have had a bug, which happens like once a year, it has been pretty stable. We did have a bug for the last three months, which has just been fixed. Before that we had another two or three major bugs. However, when there is a bug and it's not known to Check Point, they need quite a while to get it fixed. If they have a fix already, then there is a pretty quick turnaround to get it fixed.

There are three people working on firewalls, but not at 100 percent. We have the equivalent of one person doing firewalls 100 percent of the time using three people.

What do I think about the scalability of the solution?

For our requirements, it's scalable enough. We have a 1 gig uplink to the Internet, which is easily doable with open servers. 

We used to have some problems with the performance, then we upgraded the license and the scalability has worked well since.

There are 1,200 to 1,500 users.

How are customer service and technical support?

It depends whether the problem is known to Check Point. If they are aware there is a problem, quite often it will then depend on which tech you finally land on if it's easier or harder to get to the root cause. The last issue was in India so that was pretty bad. It's easier if you get directly through to Tel Aviv or Ottawa, but you can't choose. Once they know what the issue is, it's pretty good. It pretty much depends on the engineer that you get. There are pretty good engineers and there are many engineers who are at just the starter level at Check Point who are not really into the stuff. Sometimes it's hard, sometimes it's easy, depending on the problem and the tech engineer you get.

To the next manager, it's pretty easy to escalate an issue, if needed. Though, it depends on the manager. 

Our current sales staff isn't too good. Though, the one before was pretty good. So, you can escalate on that process well. As an escalation path, it works most of the time.

How was the initial setup?

Once you do it for over 20 years, it is straightforward. If you have done it a couple of times, then you know what to do. However, even if you are a beginner, Check Point is more straightforward than Palo Alto or something like that. Once you get the idea of how a firewall works, Check Point does it that way.

There is a central location where we deploy upgrades, which normally take one business day since we have several clusters there. 

When deploying the solution to remote locations, we have several models to choose from.

What about the implementation team?

When we tried Threat Emulation, we have received professional services from Check Point. However, for the normal setup, we don't involve any professional services.

What was our ROI?

It is like insurance for us.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing are pretty steep. They know that they are good, so they are pricey.

Which other solutions did I evaluate?

We are also using Forcepoint, which is a little bit different on the OS and focused more on IPS/IDS. It is a good practice to combine two different firewall vendors in case one of them gets hacked.

We also evaluated Palo Alto, like five years ago, but that doesn't make much sense for us. 

What other advice do I have?

Since we are trying to get our customers to do more self-service, we should see more inbound traffic. So, the usage will increase in the next two years.

We get more attacks from the outside these days, so it has become more important to use systems like Check Point. When I started with security 25 years ago, it was still something not everybody was aware they needed. Today, it's common sense that everybody needs to protect their perimeter.

Plan first, implement last. You should first be aware of what assets you want to protect and what are your traffic patterns. You should plan your policy and network topology ahead of time, then start to implement a firewall. If you just place it there without any plan of what it's supposed to do, it doesn't make too much sense. I think planning is 80 percent of the implementation.

I would rate this solution as an eight out of 10. It would be better if the support was quicker in the cases we had. Apart from that, we are happy with the functionality.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Manuel Gellida
Owner at Dinamica en Microsistemas de Informatica, S.A. de C.V.
Reseller
Top 5
Easy to use and deploy with an improved pricing structure in place

Pros and Cons

  • "The initial setup is pretty easy."
  • "They need to allow their solution to integrate with other products and not just other Sophos solutions."

What is our primary use case?

My clients are mostly based in the government. They are my core clients. I install the solution for my clients.

What is most valuable?

The solution is very easy to use. 

Of course, we have the skills, however, it's very easy for us to deploy the solution. That's one of the valuable features. 

They have a communication between the endpoint and the firewall which is very, very useful for security purposes.

Pricing is now pretty good. They changed the pricing structure a few months ago.

The initial setup is pretty easy.

What needs improvement?

The integration could be a bit better. They need to allow their solution to integrate with other products and not just other Sophos solutions.

Sophos has a feature that in my opinion is very limited. They don't have enough VPNs on their models. They have the XG 750, which is a sizeable appliance. On those models, they used to have not enough VPNs. They always were short on that area. 

Pricing used to be very bad, however, they've adjusted their strategy recently. 

The product needs to improve its marketing in Mexico. It's not a well-recognized product in our country.

The solution's technical support is very bad.

There is an overall lack of documentation in relation to features and capabilities. We need these to help explain aspects of the solution to our clients. 

For how long have I used the solution?

I've used the solution since around 2014. I have about six years of experience at this point. It's been a while. I've definitely worked with the product in the last 12 months.

What do I think about the stability of the solution?

The solution is quite stable. There are no bugs and glitches. It doesn't crash and freeze. It's quite reliable. We don't have problems with it.

What do I think about the scalability of the solution?

The solution is very scalable. It is not a problem. Sometimes we have issues when we are trying to do something with a different traditional version of hardware as sometimes the new hardware has more ports. However, if we are talking about scalability in a huge customer, we can do it very easily. 

Mexico is very different than other countries and continents as here, when we say it's a big customer, we are talking about 2,000 to maybe 3,000 users. There aren't too many large-scale operations in the country. However, in general, for our area, we tend to deal with large-scale companies.

For a company that has maybe 1,000 users, Sophos seems to work very well. We have one operation with 10,000 endpoints and it is working quite well.

How are customer service and technical support?

Technical support from Sophos is very bad.

Sometimes we lose a project due to the fact that we need to solve some issues or answer questions. Things that may be technical but also involve the administrative side. I'm talking about licensing and the capabilities of the feature. We need some documentation, something we can show clients. They can better in those cases. They can either help us or supply us with what we need. 

In response time, they are terrible. In the area of technical knowledge, they are getting better, however, they aren't where they need to be. Right now, we are not satisfied with the level of support provided.

How was the initial setup?

The initial setup is not complex. However, here in Mexico, it's very complex to sell the product. The brand is not as well known.

That said, the process is pretty straightforward. 

The deployment times vary. It depends on the end-user and what they need. Sometimes, it's easy as they don't have too many policies. The more policies they have, the longer it takes.

In other cases, clients may have a lot of VPNs. We have to work on those VPNs, and we have to do a lot of routing. However, that depends on the customer. Not all are like that.

For one appliance, you just need one person for deployment and maintenance. If we are working a lot of VPNs, we would have to use more people. We need to involve maybe two or three individuals and re-apply the configuration in that case. 

What about the implementation team?

We handle the installation process ourselves. We do not need the assistance of consultants.

What's my experience with pricing, setup cost, and licensing?

The pricing has recently changed on Sophos. Their licensing and cost structures are much more clear now. It's much better than it was.

Which other solutions did I evaluate?

Clients, in many cases, evaluate for Check Point, Forcepoint, and sometimes Fortinet. Occasionally, they may look at SonicWall, or Palo Alto however, the others are the main big competitors. 

Palo Alto is very expensive as are Check Point and Forcepoint. That's why we sometimes win the projects. We find Fortinet, is very, very hard to beat as they have a lot of market share, have a lot of marketing. Sophos doesn't have that presence, that marketing. Also, when you have to think about prices, Fortinet gives customers everything and it's hard to beat.

The biggest issue I've found with Sophos is the small number of VPNs that we can do compared to a similar appliance with Fortinet or in the same level center. In fact, many other brands offer more VPNs than Sophos.

What other advice do I have?

I'm a Sophos reseller.

We use multiple versions. We have worked with XG 460 and XG 135 and some others -such as XG 230. In those cases, sometimes it has been Rev 1 and in other cases Rev 2 in terms of the hardware versions.

I mostly work with on-premise deployments. The only item I have installed in the cloud is an email solution by Sophos.

I'd recommend the solution to other organizations. Overall, I would rate it at a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Flag as inappropriate
Rein Pusra
Solutions Architect at Jedi Global Teknologi
Real User
Top 5
Easy to use and the Dynamic Multipath Optimization is useful

Pros and Cons

  • "The most valuable feature is the Dynamic Multipath Optimization (DMPO), which allows the customer to maintain and monitor their link quality in real-time."
  • "VeloCloud needs improvement in terms of its security features."

What is our primary use case?

We are a solution provider and this is one of the products that we implement for our customers. Our customers use VeloCloud to create their own SD-WAN.

What is most valuable?

The most valuable feature is the Dynamic Multipath Optimization (DMPO), which allows the customer to maintain and monitor their link quality in real-time. It will tell them whether the performance is good, bad, or degrading.

This solution is quite easy to use.

They have their own gateway offering where they have sensors in front of the applications like Office 365 and G Cloud. It is a unique advantage compared to other SD-WAN vendors.

What needs improvement?

VeloCloud needs improvement in terms of its security features. It needs to work with third-party vendors such as Fortinet, Check Point, or Palo Alto because at an increasing rate, and because of new rules for compliance, organizations require security features that are not offered by VeloCloud.

For how long have I used the solution?

We have been using VeloCloud for one and a half years.

What do I think about the stability of the solution?

With respect to stability, we have had some issues in the past that are related to the performance of the equipment. I would rate the stability an eight out of ten because there are some features that are currently unstable, like the link select and the path selection between the gateway and the devices. The result is a loss in performance.

How are customer service and technical support?

We have been in contact with technical support and I would rate them a seven or eight out of ten. Their response time is typically fast but in terms of resolution, sometimes it takes a long time for us to get the patch for the system.

Which solution did I use previously and why did I switch?

We also work with Forcepoint SD-WAN and we have tried other solutions as well. Some of these include Riverbed and Fortinet.

One of the big differences between VeloCloud and the other vendors is the speed and ease of deployment. VeloCloud is fast and quite easy to deploy. The second difference is that they have their own VeloCloud gateway.

How was the initial setup?

The initial setup is straightforward. In my experience, VeloCloud is one of the easiest SD-WAN vendors when it comes to initial setup and deployment.

What's my experience with pricing, setup cost, and licensing?

The price of this solution is higher than that of other SD-WAN vendors.

What other advice do I have?

We have been using multiple versions of this solution. We have been using the software as well as different Edge devices including the Edge 510 series and the Edge 520 series. The 510 series is the most common one.

Most of the deployments are cloud-based. Our customers prefer the cloud from a business point of view because it is less expensive. To deploy on-premise, the cost of using VeloCloud is quite high and it becomes an obstacle for some customers.

My advice for anybody who is considering this solution is to first think about their SD-WAN needs. VeloCloud is a very good product as long as you don't have any concerns about security. If the main concern is about the link performance and bridge connectivity then it is a very good product.

Overall, it is a good product that is friendly, integrates well, and has good performance. It is only lacking in the security perspective.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Get our free report covering Fortinet, Palo Alto Networks, Darktrace, and other competitors of Forcepoint Next Generation Firewall. Updated: November 2021.
552,695 professionals have used our research since 2012.