checkpoint firewall

hi i have purchased an asa5505 firewall with full access about a year ago, which i will eventually use.

i now wish to purchase a checkpoint firewall with full access or at least wireless and vpn access which i think are the main features, can anyone advise  ?

i have been looking at the below but not sure what is  a best buy due to funds:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Maybe to start of for any need for UTM though good for an all in one strategy but performance can be a challenge if you going for more to scale up usrr number support.

So it is always good to compare in terms of performance to. There are alternative like Fortigate 60D or 100D, Sophos UTM as of your ASA5505 (IPS throughput, AV throughput, interface speed). Check out if they all offer IPS, IDS, GW AV, DLP, WLC, SSL VPN. And look into the need for licensing the advance feature as it may impose IP connection limit threshold. Thereafter is their price.

 ASA 5505 already is limited to 50 firewall users, so for a better performance, and on  par to key petformance, I suggest you want IPS buy a hardware module AIP-SSC-5 as well as for SSL VPN, the additional SSL licenses for concurrent users..

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Security Capabilities

    The Cisco ASA 5500 Series comes with high-performance security services that have been integrated into the whole set up. They include a firewall and anti-virus, anti-phishing, anti-spam and web filtering services. It also has IPsec VPN and IPS with Global Correlation and guaranteed coverage. When all these features are combined with real-time reputation technology, you end up with an application-layered security with user-based access control. You also get worm mitigation and malware protection. This firewall helps to boost the overall productivity of employees with features such as peer-to-peer control, instant messaging and secure site and remote user connectivity. It also allows for easy access to a wide range of desktop and mobile platforms.

Integrated Services

    The Cisco ASA 5500 Series has a powerful Modular Policy Framework (MPF) and a unique combination of hardware and software extensibility. This enables it to offer businesses tailored protection in a dangerous threat environment. It comes with security service processors (SSPs), security services modules (SSMs) and security services cards (SSCs) that enable businesses to install more high-performance security services easily. This firewall provides protection to businesses and allows them to expand their security services profile.

Single Expansion Slot

    The lower models of the ASA-5500 platform have a single expansion slot, which requires the user to pick between using either IDS or anti-X services. Since the anti-X CSC-SSM module has a license per user model, the customer must decide how he will provision the ASA and deploy it accordingly. There are other competing firewalls in the market that come with a single chassis that accommodates both integrated anti-X and full IDS/IPS services.


    Another disadvantage with this firewall is that the 5580 series was designed as a firewall and VPN only, so other functions such as IDS/IPS and load balancing will present a big challenge to a customer who intends to use it for enterprise development. There are also limits on the number of VLANs supported by each ASA model. For example, the ASA 5505 only supports a maximum of 20 VLANs.

Lack of Real-Time Updates

    The ASA-5500 firewall cannot schedule and receive automatic real-time updates from Cisco or other outside parties. There are products in the market that are able to provide three-, four- or even 24-hour assurance about protection against a known virus. As much as the ASA-5500 has a structured defense solution, it is unable to provide up-to-the-minute defense like some of its competitors.

Read more :
btanExec ConsultantCommented:
Also to note that 5500 series licensing package (below) esp if 50 concurrent users is to expanded to next tier like 100 users e.g. purchase the appropriate user upgrade license (from 50 to 100 users, for example) or Plus upgrade licence.
• Base licenses: Antivirus and antispyware functionality for the number of users licensed; pattern file, scan engine updates, and software updates for the first year.

• Plus licenses: URL filtering and blocking, antispam, antiphishing, and content filtering functionality for the number of users licensed; pattern file, scan engine updates, and major and minor software updates for the first year.

• User licenses: The right to perform the Base and Plus (if applicable) functionality for the number of users licensed. For licensing purposes, users are considered to be the total number of nonconcurrent users whose traffic is being scanned and/or protected by the module.
For the SME, can consider the 5506-X that equip with Advanced Malware Protection (AMP) and next-generation IPS (NGIPS). It is  is available in both desktop (5506-X) and 1RU rack-mount (5508-X, 5516-X) form factors. Also variants of the desktop model are available with an integrated wireless access point (5506W-X) to simplify SMB networking. See more info spec in this
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

If you want to consider the AMP and IPS then I would consider the 5545 Firewall for that with integrated Firesight / Firepower.
mikey250Author Commented:
hi I asked about the 'checkpoint' as plenty people use it so was wondering why asa5505 has been mentioned  although I assume the advice is purchase an asa type  ?
Either one of the options would work just fine.
My personal preference would go for the Cisco ASA.
A checkpoint would be the best fit if you are just planning to implement more user friend interaction / configuration.
btanExec ConsultantCommented:
ASA-X will be preferred to stay ahead too. Go for existing upgrade if poss but tier-ed FW tends to be different provider e.. external FW is one and the internal FW is another.
mikey250Author Commented:
ok thanks for the advice.
mikey250Author Commented:
not quite the advice I was after although I gather the asa firewall is the preferred.  the reason for the checkpoint is because a lot of customers out there have it on then network for one reason or another.  also I already have an asa5505 although not used yet.
mikey250Author Commented:
I did forget to ask 1 more question.

qns1.  I currently have an asa 5505 firewall with virgin media as my isp but want to know if I can use the checkpoint the same way or is it an 'adsl' connection  ?
btanExec ConsultantCommented:
FW is just a proxy just need to make sure the one that goes to WAN or internet is connected, as of the configuration will be as per vendor advice. It can be as simple like checkpoint 600 which itself already has adsl modem built in @
Really depends on the FW choice and built, for enterprise the modem is separate to avoid single pt of failure ...
mikey250Author Commented:
well the reason I ask is because I have not got an adsl connection.  ive also got a pix firewall which has an 'adsl' connection but could not get it working.
btanExec ConsultantCommented:
looks like a new question to get a wider EE audience to chip in
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.