PALO ALTO NETWORKS VS.

CHECK POINT MAESTRO

About Check Point Strengths
OVERVIEW

Founded in 1993, Check Point was named worldwide firewall leader by IDC in • Throughput can scale to meet customer need (both hyperscale and gaps
1996, with 40% market share (11.9% in 2019). The company has acquired 10 in appliances).
companies in its history, most recently Dome9.
• Up to 30 NGFWs can be in each logical group (called Security Groups).
In 2019, Check Point released the Maestro hardware appliance to create
an orchestrator that presents multiple firewalls as a single logical object for • Remaining network and policy data can be auto-provisioned once
­provisioned in Maestro.
administration.
• Each Security Group can run its own set of features (NGTP, NGTX, VSX)
and policies.
Target Use Case Why Does CP Do It? How to Counter • Security Groups can be attached to different managers.

Largest customers and These most demanding This is an expensive, • It’s a new and novel idea that will get customer and media attention.
MSSPs customers need the most overly complex solution. Weaknesses
bandwidth as well as the It runs two different code
ability to slice and dice trains, both of which have • Install, upgrade, maintenance, design, and troubleshooting are highly

CHECK POINT MAESTRO

complex.
their deployments. caused pain for these
same customers. ◦◦ Runs same Service Provider code as the 44000 and 64000 Security
Systems.
Filling the gaps in They can now find small- Not right for customer, ◦◦ NGFWs run main train code, making upgrades and compatibility difficult.
­throughput requests er appliances that more and expensive. Using a
◦◦ Manual provisioning of devices is required as no automation is currently
accurately fit the need. costly, super complex
available to provision or react to circumstance.
This is seen working in option just to fit an RFP
the field. is not worth it. ◦◦ While running SP code, Maestro doesn’t have the same API backend
to handle interface provisioning, so LACP, VLAN, etc. all must be done
Make future growth easy CP gets blamed for We don’t need an entire manually on EVERY device in a Maestro deployment.
and recycle decommis- bandwidth growth killing separate appliance on ◦◦ Once designed, troubleshooting an issue is going to be even more
sioned appliances performance, but with special code just to get painful.
Maestro, they can just good performance.
add another box. • It’s expensive. The base model MHO140 is $30K, and the larger
MHO170 is $70K.
◦◦ With the NGFWs’ cost, populating an MHO140 with 30 x 6800s
What to Do If You Hear Maestro Is in Play (advertised as hitting 300 Gbps) would cost $3.3M, and double that for a
cluster. Their own product line is cheaper.
• Ask the customer if they are ready to handle all the complexities Maestro brings.
◦◦ A clustered deployment takes at least 2 Maestros and 4 NGFWs.
• Discuss the design, especially clustering, for Maestro itself—it’s either a single point of
failure or the costs grow more quickly than the throughput scalability. • Customers should know a few caveats, like SP code is based on older
NGFW code.
• Get higher than the network team. Bring in other teams like DevOps, cloud, and upper
management to show how Maestro only helps throughput but misses the boat on ◦◦ R80.20 and below lacks SNI for SSL, so large companies like Google
automation, ROI, ease of use, integrations, and more. show as “*.google.com,” even for YouTube, Gmail, or any Google app.
◦◦ No policy based routing, and routemaps are CLI Only.

© 2019 Palo Alto Networks, Inc. | Palo Alto Networks vs. Check Point Maestro | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 1