Differences between Cisco ASA and Checkpoint Firewall

	Cisoco ASA	Checkpotin Firewall
1	CISCO ASA - Firewall throughput ranges from 5 Gbps upto 20 Gbps ( Low end device - on 5500 Series supports 5Gbps, High end Device supports 20Gbps), with VPN Throughput reduces to 1Gbps to 5Gbps, with IPS Performance would further reduce.	Checkpoint Firewall - Firewall through ranges from 3Gbps upto 200 Gbps ( Low end device 2200 Appliance supprts 3Gbps , High end Device 61000 supports 200Gbps), with IPS, throughput reduces to 2Gbps (on the lower end device) to 85 Gbps ( on the higher end device).
2	Context based mode available in Cisco	Checkpoint has a similar offering which is Security Gateway Virtual Edition (VE)
3	Context based mode in Cisco has the following limitations: 1.VPN Services will not work such as Remote access or Site to Site VPN Tunnels 2.In context mode dynamic routing protocols not supported, you have to use static routes only 3. Threat Detection ( IDS/IPS) not supported 4.QOS not supported 5.ASA Resources are shared for various contexts within the Hardware platform	Checkpoint will not have his limitation since you can scale up the base hardware based on requirement on number of Virtual firewalls you would want to implement and also easily portable to new hardware
4	Cisco ASA can have only 2 gateways in a active/active Cluster	Checkpoint Cluster XL can support upto 5 Gateways in a cluster
5	Cisco ASA active/active is not a true cluster(active/active) since it is available or is of use only if you are running multiple contexts ( one context will will be active on one gateway and another context is active in another gateway)	where as Checkpoint Cluster XL is a true cluster, you can utilize all the 5 gateways simulatenously
6	Cisco is base of routing later as per market demands they develop security	Stateful firewall was first invented by checkpoint (Nir ZUK)
7	ASA doesn't support FQDN	FQDN is supported in checkpoint
8	not possible in ASA	User based access can be provided in checkpoint ( Identity awareness blade) based on active directory login information
9	this is not possible in ASA	Access can be granted based on the system name or destination domain object rather than the IP in checkpoint
10	Cisco ASA doesnt provide this information other than this Cisco ASA requires seperate syslog server for logging in cisco	Logging and tracking is easy and comprehensive in checkpoint, with identity awareness blade, you would have machined details along with user ID information logged.