Check Point’s Latest Innovation: A Licensing Scheme

3,207 people reacted 0 1 min. read
Nir Zuk


Category: Firewall


I am pissed off. I am hurt. I built a big part of the Check Point product and to see what a bunch of jerks have done to that company really hurts. Check out  “Check Point Revolutionizes Security with New Software Blade Architecture”. WTH? Are you kidding me? Do you think people are that dumb? Anyone with an IQ over 70 reading the press release will see immediately what it’s about. It is about a new licensing scheme. Check Point’s major innovation is a new freaking LICENSING SCHEME!!! This not only hurts to see. It’s sad. A former top innovator in network security has been spending the last 3 years of its research and development on a licensing scheme aimed at squeezing more money from its customer based. So sad. So sad.


14 Reader Comments

  1. Avatar

    Check Point latest news are all very sad, buying Nokia security platform biz was already shocking their busienss partners while they have their own hardware platforms. Complicated licensing will only speed up their existing customers considering appliance solution like Juniper or others …

  2. Avatar

    At first pass I can’t help feel the same way, however after spending some time with some of my local CP team talking about direction and strategy, looking beyond this initial release, I do have confidence that this amounts to far more than just a licensing change.

    After all, one big change here is that for the first time you don’t need to actually purchase a firewall if all you are looking for is IPS/VPN/AV/URLF/Messaging/etc.

    I’m willing to give CP the benefit of the doubt & wait eagerly to see what is coming to put more substance in the claim.

  3. Avatar

    Hi Toby,

    If you look at the picture closely,
    you will see the firewall is gray out. You can’t buy the others without a firewall.

    CP can just give you all the blades then provide a enable/disable button for you to chose. This is what UTM vendor does. You can have protection profile with different feature turned on.

    licensing it is.

  4. Avatar

    Come on Nir. You’re a fine innovator, a good manager and an excellent programmer.
    As for trash talk, leave it for the basketball court. I’d rather read you saying encouraging comments about your direction or any fruitfull direction of other companies which you appreciate.

  5. Avatar

    I had exactly the same thought when reading the information about Software Blades. A true blade-based system where virtualisation and resource sharing for network security, authentication, VPN and application monitoring would be potentially innovative, especially if the components could be properly distributed and centrally managed. However the implementation here really does look like a new way of cutting up the same old pie, with the advantage of being able to go the well and get the existing userbase to do functionality upgrades that really provide more of the same.

    The real pity is that there are a few really interesting things hidden in there – the new IPS engine is interesting, and the retooling of the inspection mechanism to improve efficiency has potential. So why promote the product based on the weakest area in Check Point’s portfolio, it’s licensing? As a veteran of Check Point, I’m also depressed about this…

  6. Avatar

    And this would be why we have become the Palo Alto Networks VAD in New Zealand, so I can go out there and convert all those Checkpoint firewalls 🙂

  7. Avatar

    Nicely said, Jordan. There are alot of features that CheckPoint has that we’re still waiting for in PAN. Active/Active HA w/Loadbalancing comes to mind as one big one. With all the other possibilities out there in the Firewall and “Next Gen Firewall” arena, Mr. Zuk and his coders should be working alot harder in order to keep up rather than complaining about the various competitors. With his background, you’d think PAN would be WAY out in front.

  8. Avatar


    I would expect that a person of your intellect would not base his judgement solely on a press release. It seems that you have formed an opinion based on minimal information, and bitterness towards your former employer.

    Israeli Companies, and Check Point in particular, guard their information and product roadmaps very carefully. You should know this as well as anyone.

    I am a current Check Point employee, and having taken the time to truly understand
    the Software Blade architecture, I believe that it is revolutionary in the flexibility it provides our customer. If you were to look at the pricing associated with this architecture, it is quite easy to see that under this architecture, this will actually lower the cost to our customers.

    Once the true nature of the Software Blade Architecture and other upcoming announcements have been made, I am confident that the security Industry will understand the true nature of Check Points direction. Innovation is still the primary focus at Check Point, and if you actually took the time to read more than a press release, you could actually provide an informed Opinion.

    The screenshot that one poster points to as having the “Firewall” grayed out, is nothing more than a screenshot of a single appliance, which includes the firewall blade. This is not a requirement when purchasing an appliance, and appliances can absolutely be purchased with only the functionality that a customer wants.

    Software Blades are portable from appliance to appliance, allowing for the simple repurposing of your existing hardware.

    Do you have an appliance you no longer need. Well, take the “Software Blades” from that appliance and move them to a different appliance, or distribute them amongst many of your other appliances.

    Are you running an SSL blade on all your perimeter Gateways. Would you rather move to an SSL only Appliance. Simply move the SSL Software Blade from each perimeter gateway to a single appliance, and VOILA you have an SSL Concentrator.

    It is sad that a person of your intellect does not have enough common sense to really educate yourself on the offering of a Company you hope to compete against.

    I look forward to any comments you may have.

  9. Avatar

    Nir – 100% on the ball…
    We’re a CP partner, so I could not express my thoughts as openly, but at CPX when they unveiled the “software blades”, everyone basically reacted the same way.

    CP does not win new business anyway, they consistently lose POC’s to other players, more than 50% of revenues are subscription and support, the rest is current customer expansion and end-point, almost no new customers.

    It is really sad, because CP could have been so much more successful, with all the talent it had, and the great market position at the end of the millennium.

  10. Avatar

    Read your own reply again, several times and very slowly, and you will see that even you describe Check Point’s new “innovation” as a licensing scheme. What does it mean to move a software blade from one appliance to another? What is it that you actually move? You move a license key. Man – wake up and face the truth. You are working for a company focused on milking its customer base and not on innovation. The last time Check Point released a new security feature was 2002 when Smart Defense was “released” (it was mostly renaming the existing “security servers”). The last time Check Point released a security feature than anyone actually uses was 1997. Your customers and resellers are already awake. It’s time for you to wake up too. It’s time to fix the firewall…

  11. Avatar

    Ok, someone just mailed me a video feed highlighting Check Point’s “innovation”, all with sound effects:

    For anyone that was really curious about the blade architecture…

  12. Avatar

    This is embarrassing..!! I went through CP website talking about their blade architecture after reading this blog…Sorry to say, but its so embarrassing and disappointing..!! I would not have cared if they claim “A Revolution in our product series” because they never probably had these feature flexibility in their product…But its absolutly WRONG to claim “A Revolution in IT Security” when there is not even a single stuff which is new a contribution to the security industry…

    They don’t even have a hardware flexibility as they again wrongly claim…Look at their SG103 and SG203 series…Does that mean since the lower their models does not have enough resources to host all the blade features, an SMB customer who doesn’t have big chunk of dollors to shell out should live with critical protection….Guys…look around and see how the competitors work…Couple of the so called UTM leaders delivers everything ..every single feature they release on their smallest box possible..SO what hardware flexibility are we talking here…??

    Now look at their list of Security Gateway Software blades…Tell me one feature which has not be there with them or their competitors…I would still bid on the Security Management Software blades…I would be a honest person to call them as ‘Product Enhancements’..!!

    With the acquisition of Nokia Appliances Business, they probably wanna sell more appliances looking at the lucrative revenue it can bring..!!Nothing wrong with it…But I am skeptical about “Guaranteed performance – Enables provisioning of resources that guarantee service levels” when it comes to open and VMWare platform though you can allocate resources.

    The cut it short…Its nothing but the same glorified UTM stuff..with the more granular control and management which is there already with few of the reputed product in terms of granular role based models.

    From a partner precective is lesser the number of part numbers in BoQ, it makes much easier….regardless of the deal size..I would attribute that aspect as one of the key reasons for the success of the leading UTM vendor…!!

    Lastly, the era of hiring expensive CP certified specialist gone…!! Companies would invest that amount to get one Firewall knowledgeable Security Admin and IS Auditor for that cost.. 🙂 Benefit is double fold guys…!! And that attributes why one of the world biggest Routing/Switching companies UTM enhancement of the older legacy product still didn’t pick up the way expect…Its a nightmare to manage…so is CP..


  13. Avatar

    I’ve been working with Checkpoint/Cisco firewalls for 5 years. Over the years, the FW-1/VPN-1 code has stabilized, no doubt. ASA is doing well for perimeter firewalls. With regard to innovation, I think Checkpoint/Cisco are lacking. The Checkpoint support is absolutely crap unless you purchase Diamond Support. I think Checkpoint has became so complicated (especially vsx/provider-1) codes it is difficult to have innovation.

    I havent had the opportunity to play with Palo Alto Networks firewall, but from reading on the Internet, i feel it is the way forward. Perhaps other vendors will follow PAN’s lead.

  14. Matt

    Thx for the words of encouragement. Obviously, we tend to agree!

    There is a weekly live demo that you can sign up for if your interested in a quick overview. Sign up here:
    The agenda is a little bit of powerpoint as an intro (10-15 minutes), then a demo of the UI (20-30 minutes), then Q&A.
    Feel free to spread the word!


Got something to say?