Firewall Comparison:   Checkpoint Firewall-1 and Cisco PIX   (last updated 9/2001)

  • Setup

    Checkpoint FW-1 has been the firewall market leader since shortly after its introduction in 1994/95. Its well-designed GUI was, and still is, the best visual interface to any firewall product. This intuitive interface makes FW-1 easy to work with even for those new to firewalls. Why other firewall vendors have been so slow to copy the FW-1 interface is a question worth asking. The drawback to this GUI is that you have to use it; there is no ASCII menu or command-line access.

    On the downside, FW-1's installation process can be problematic if you are not using a (pre-installed but not pre-licensed) Nokia. Installation typically must be performed via the console of the local machine; it is impractical if not impossible to install FW-1 from a remote host.

    If you do attempt a remote install and try to ssh to a remote FW-1 Unix host, the session will be blocked even with "allow all" as the initial rule. This is counterintuitive. The problem is that FW-1 denies any protocol it doesn't know about, and ssh is not in the default list of services (for reasons unknown). You must first define ssh (tcp/22) as a service before it can be recognized and allowed; an "allow all" rule only matches traffic that FW-1 can classify.

    Under NT, FW-1 (V3 at least) does not ARP correctly for NAT addresses. NT/FW-1 fails to read `$WINNTDIR\FW\STATE`, so you must write a startup batch file that loads the static ARP entries manually.

    Under Solaris, FW-1's `fwui` does not always work. You may need to use the `fwpolicy` program instead; `fwpolicy` comes in a separate package. The remote GUI client works fine under Unix or NT once the initial setup is complete.

    Some of FW-1's default "pre-applied" (implied) rules are insecure: for example, they allow RIP from any to any and SNMP from any host to the firewall. Because they are matched ahead of the rules you write, a deny in your own rulebase does not override them; review them and disable the ones you do not need.
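    The two behaviours described above (an "allow all" rule that never sees an undefined service, and pre-applied rules that silently win over the admin's own rulebase) are easy to get wrong when reasoning about a policy. The following Python model is an added example, not Check Point code: it is a first-match rulebase evaluator in which the service table, the rule and packet structures, the 192.0.2.1/198.51.100.7 addresses, and the assumption that implied rules are evaluated before the admin's rules are all this example's own simplifications of what the page describes.

```python
"""Simplified first-match model of a Firewall-1 style policy (added example).

Two behaviours from the text are modelled: a packet whose service is not in
the service table is dropped before any rule is consulted, so even an
"Any/Any/Any accept" rule never sees it; and the "pre-applied" (implied)
rules are matched ahead of the admin's rulebase, so an admin deny cannot
override them. All data structures here are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ANY = "Any"
FIREWALL = "Firewall"   # rule object standing for the firewall's own addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str       # address, ANY or FIREWALL
    dst: str
    service: str   # service-table name or ANY
    action: str    # "accept" or "drop"
    comment: str = ""


@dataclass
class Policy:
    services: Dict[str, Tuple[str, int]]   # name -> (proto, port); anything else is undefined
    implied_rules: List[Rule]              # assumption: matched before the rulebase
    rulebase: List[Rule]                   # the rules the admin actually wrote
    firewall_addrs: Set[str] = field(default_factory=set)
    implied_enabled: bool = True

    def _service_name(self, pkt: Packet) -> Optional[str]:
        for name, (proto, port) in self.services.items():
            if (proto, port) == (pkt.proto, pkt.dport):
                return name
        return None

    def _addr_ok(self, pattern: str, addr: str) -> bool:
        if pattern == ANY:
            return True
        if pattern == FIREWALL:
            return addr in self.firewall_addrs
        return pattern == addr

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason); the first matching rule wins."""
        svc = self._service_name(pkt)
        if svc is None:
            # Behaviour described on the page: an unknown protocol is dropped outright.
            return "drop", "undefined service %s/%d" % (pkt.proto, pkt.dport)
        ordered = (self.implied_rules if self.implied_enabled else []) + self.rulebase
        for rule in ordered:
            if (self._addr_ok(rule.src, pkt.src) and self._addr_ok(rule.dst, pkt.dst)
                    and rule.service in (ANY, svc)):
                return rule.action, rule.comment
        return "drop", "implicit drop at end of rulebase"


# The two insecure defaults the page names, modelled as implied rules.
FW1_DEFAULT_IMPLIED = [
    Rule(ANY, ANY, "rip", "accept", "implied: accept RIP any to any"),
    Rule(ANY, FIREWALL, "snmp", "accept", "implied: accept SNMP to firewall"),
]


def build_policy(ssh_defined: bool, implied_enabled: bool) -> Policy:
    """Admin intent: block SNMP to the firewall, then allow everything else."""
    services = {"rip": ("udp", 520), "snmp": ("udp", 161), "http": ("tcp", 80)}
    if ssh_defined:
        services["ssh"] = ("tcp", 22)   # the manual step the page says is required
    return Policy(
        services=services,
        implied_rules=FW1_DEFAULT_IMPLIED,
        rulebase=[
            Rule(ANY, FIREWALL, "snmp", "drop", "admin: no SNMP to firewall"),
            Rule(ANY, ANY, ANY, "accept", "admin: allow all (initial rule)"),
        ],
        firewall_addrs={"192.0.2.1"},        # constructed documentation address
        implied_enabled=implied_enabled,
    )


SSH_TO_FW = Packet("198.51.100.7", "192.0.2.1", "tcp", 22)    # constructed
SNMP_TO_FW = Packet("198.51.100.7", "192.0.2.1", "udp", 161)  # constructed

if __name__ == "__main__":
    for ssh_defined, implied in [(False, True), (True, True), (True, False)]:
        p = build_policy(ssh_defined, implied)
        print("ssh defined=%s implied rules=%s" % (ssh_defined, implied))
        print("  ssh  ->", p.evaluate(SSH_TO_FW))
        print("  snmp ->", p.evaluate(SNMP_TO_FW))
```

    Run as a script, the three cases show the progression: with ssh undefined the "allow all" rule never fires for tcp/22; once ssh is defined it is accepted; and SNMP to the firewall is accepted until the implied rules are switched off, at which point the admin's deny finally takes effect.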

    Cisco's PIX does have an HTML interface; however, it is normally configured from the command line. If your admins are not IOS-literate they may need some training to be comfortable with the PIX command-line interface.

    One benefit of the PIX is that it requires no special client-side software: ssh, telnet, tftp or a serial-port terminal program is all you need.

  • VPNs

    Setting up VPNs in FW-1 is straightforward, whether FW-1 to FW-1 or from client to firewall. Configuring a PIX, in contrast, is considerably more difficult. Cisco's documentation is often conflicting, fails to explain which version of the PIX OS a given configuration will or will not work under, and seems to be constantly changing. Admins who need to set up multiple VPNs and lack an in-depth understanding of IPsec should consider FW-1 despite the high price of Checkpoint's VPN modules. Cisco shops would do well to look at the (Altiga) VPN concentrator rather than a PIX for this task.

  • Licensing

    Licensing FW-1 has always been problematic but seems to have become worse over the last few years. Checkpoint keeps its license database on a computer in Israel. When you purchase FW-1, your vendor needs to notify its supplier, who then notifies Checkpoint, who then updates the database and website. Only then can you go to Checkpoint's licensing web page and get the permanent keys. This process can take several weeks. I have seen it take 2 months. The Checkpoint license computer is often down, or your vendor or VAR may lose your paperwork. If you change external IP addresses or hostids you will need to go through this process all over again. It can be a major headache.

    Determining which FW-1 license options you need can be another exercise in frustration. Even pre-sales tech support often gets it wrong. There are over two dozen license options, none of which is well defined. One example is the Motif option. It is supposed to be free, and it is supposedly required to run the GUI under X11, but it is often not included in the base license keys. There is an unlinked and undocumented web page, separate from the regular license page, where you must get the Motif license key.

    UPDATE: As of FW-1 version 4.1, the Motif GUI is an extra $1,000.

    Checkpoint requires you to provide your Company Name, Industry, Contact Name, Contact Title, Address, Phone, Email, and hostid or external IP address in order to receive a license. This is an unusually broad requirement with significant privacy implications.

    Cisco's PIX comes fully licensed for any IP addresses and does not need to be relicensed in order to change the internal or external IP address.

  • Tech support

    FW-1 has no free tech support. You are supposed to rely on your vendor for front-line tech support. Checkpoint's own front-line support is not as well trained as they could be and escalation is often necessary. To access Checkpoint tech support you must already have a support/upgrade contract. Contracts start at 50% of the price of the original software, per year.

    Cisco tech support is free for 90 days and relatively cheap thereafter. Their support desk is staffed with skilled engineers, and escalation to second-line (senior) engineers is rarely needed.

  • Third Party Modules

    FW-1 supports a large number of third-party add-ons, making it the most feature-rich firewall software. Cisco's PIX supports third-party software too, though this may require a separate server. Either product can use an external RADIUS server for authentication.

  • Platform

    FW-1, except perhaps for the Nokia version, is "software-based" and dependent on its underlying operating system (Unix or Windows). This OS must be properly configured for FW-1 to operate reliably. If the OS encounters problems during the boot cycle it may require manual intervention to boot. Boot problems are especially common under Windows NT. OS patches (especially Windows service packs) and OS upgrades can also be problematic. FW-1, for example, did not support Solaris 2.7 as late as two years after the OS was first released.

    Hardware-based firewalls like the PIX typically boot faster than their OS-dependent counterparts, are far less prone to boot-time errors, and are simpler to upgrade.

  • Documentation

    FW-1 has always lacked documentation and no longer ships with any sort of manual. Checkpoint's website is also not particularly useful. For example, it is possible to define a password with more than 8 characters; however, authentication will fail when the user tries to log in. This is not documented, and front-line tech support will not know why it fails either. Second-line tech support may or may not recognize this bug. You can imagine the headaches these sorts of bugs can create. While FW-1 lacks documentation, there is at least one well-written website dedicated to FW-1 tips and tricks (http://www.phoneboy.com/fw1/).

    Cisco documentation is generally considered second to none, and the PIX reflects this attention to detail. Cisco's website is also widely known for its wealth of high-quality documentation (www.cisco.com/warp/public/110/top_issues/pix).

  • Upgrades

    FW-1 upgrades are provided to users with a support contract only. If your contract has expired you must purchase a new copy to get the latest release. PIX upgrades are free of charge and available for download from the Cisco website.

  • Logging

    Checkpoint has been promising syslog support and plaintext logging for three versions now but has not delivered. For reading logs the Checkpoint GUI is cumbersome at best, often loses log entries, and can crash a Windows PC due to high CPU utilization. Though FW-1 can pipe its logs to syslog via Unix's `logger` command, and there are third-party log-reading utilities, most sites will get much more useful information from a PIX and one or more syslog and/or SNMP loghosts.
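    As an added example (not from the original page), here is the kind of check a syslog loghost makes possible: a small Python parser over PIX-style deny messages that tallies denies per source and flags hosts probing many distinct ports. The log lines are constructed to resemble PIX 6.x syslog output (message ids 106001, 106006, 302001 and 302002 are from Cisco's PIX message catalogue, but verify the exact field layout against the version you run); the addresses and the four-port scan threshold are this example's own choices.

```python
"""Detection logic over PIX-style syslog lines (added example, not from the page).

LOG_SAMPLE is constructed to resemble PIX 6.x messages: 106001 (inbound TCP
denied), 106006 (inbound UDP denied), 302001/302002 (connection built/torn
down). Check the field layout against the PIX version you actually run.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_SAMPLE = """\
Sep 12 2001 10:01:02 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40001 to 192.0.2.10/22 flags SYN on interface outside
Sep 12 2001 10:01:02 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40002 to 192.0.2.10/23 flags SYN on interface outside
Sep 12 2001 10:01:03 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40003 to 192.0.2.10/25 flags SYN on interface outside
Sep 12 2001 10:01:03 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40004 to 192.0.2.10/80 flags SYN on interface outside
Sep 12 2001 10:01:04 pix %PIX-2-106006: Deny inbound UDP from 198.51.100.7/40005 to 192.0.2.10/161 on interface outside
Sep 12 2001 10:01:05 pix %PIX-6-302001: Built outbound TCP connection 12 for faddr 203.0.113.5/80 gaddr 192.0.2.10/1025 laddr 10.0.0.5/1025
Sep 12 2001 10:01:06 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.9/3456 to 192.0.2.10/80 flags SYN on interface outside
Sep 12 2001 10:01:07 pix %PIX-6-302002: Teardown TCP connection 12 faddr 203.0.113.5/80 gaddr 192.0.2.10/1025 laddr 10.0.0.5/1025 duration 0:00:02 bytes 1234
"""

# Generic PIX message header: %PIX-<severity>-<6-digit id>: <body>
MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")

# Body patterns for the two deny messages we care about.
DENY_RES = {
    "106001": re.compile(r"Inbound TCP connection denied from (?P<src>[\d.]+)/\d+ "
                         r"to (?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "106006": re.compile(r"Deny inbound UDP from (?P<src>[\d.]+)/\d+ "
                         r"to (?P<dst>[\d.]+)/(?P<dport>\d+)"),
}


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into severity, message id and body; None if not a PIX line.

    For the deny messages the source, destination, destination port and protocol
    are extracted as well; other messages keep only the header fields.
    """
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "body": m.group("body")}
    deny_re = DENY_RES.get(rec["msgid"])
    if deny_re:
        d = deny_re.search(rec["body"])
        if d:
            rec.update(src=d.group("src"), dst=d.group("dst"), dport=int(d.group("dport")),
                       proto="tcp" if rec["msgid"] == "106001" else "udp")
    return rec


def parse_log(text: str) -> List[dict]:
    """Parse every line of a syslog capture, skipping non-PIX lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def denies_by_source(records: List[dict]) -> Dict[str, int]:
    """Number of denied inbound connections per source address."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if "src" in r:
            counts[r["src"]] += 1
    return dict(counts)


def find_scanners(records: List[dict], min_ports: int = 4) -> Dict[str, List[int]]:
    """Sources whose denied probes touched at least min_ports distinct destination ports."""
    ports: Dict[str, set] = defaultdict(set)
    for r in records:
        if "src" in r:
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(LOG_SAMPLE)
    print("denies per source:", denies_by_source(recs))
    print("probable port scans:", find_scanners(recs))
```

    On the constructed sample, 198.51.100.7 is reported with five denies across ports 22, 23, 25, 80 and 161 and is flagged as a scanner, while the single deny from 203.0.113.9 is counted but not flagged. The same structure (header regex, per-message body regexes, then aggregation) extends to other PIX message ids as you need them.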

  • Pricing

    At $460 (as of Sept. 2001) Cisco's PIX 501 is currently the price leader.


        http://www.roble.com/docs/fw1_or_pix.html
        Copyright 1999, Roble Systems Consulting, All rights reserved