FW-1 is a respectable product in many ways. Unfortunately the documentation is filled with FUD slams against other techniques. It's really expensive though, so you can hardly blame them.
My experience with FW1 was that it was actually less secure than what I could build with other tools, but probably more secure than what your average new-to-security employee would create as a first attempt.
Something important to keep in mind about large corporations is that they (and their security groups) are more concerned about insurance and liability containment than security in the sense most people think of it.
Take a large corporation and give them the choice between a single person or two designing a system for maintaining all the firewalls in their enterprise and buying a product (FW1) which allows them to shift plausible deniability (Check Point is protected by their license agreement and resellers no doubt) -- well, it's a no-brainer.
FW-1's best feature was the slick way you could set up NAT. NAT should be a niche function, but the IPv4 shortage is making it all too common.
One downside was the license counting (you are licensed by internal clients but the mechanism that counts these won't time out entries -- even after weeks).
The other big downside was the implicit rules. You can't create equivalents to many of the implicit rules using the GUI. Furthermore implicit rules are never logged. If you want all decisions made by the firewall logged you have to reengineer all the implicit rules you need -- and this gets into some _very_ subtle programming in INSPECT (the language which FW1 rules compile into).
The GUI also doesn't let you select ranges of origination ports unless you know some INSPECT.
Finally, the GUI log file viewer, for reasons I never determined, would occasionally incorrectly display entries. It took me a while to realize that I could only trust the UNIX command line log viewer.
The rule on staying alive as a program manager is to give 'em a number or give 'em a date, but never give 'em both at once.