My Thoughts on Firewalls
Types of Firewall
Stateful FW (State Table with PF)
Deep Packet Inspection FW (IPS + PF)
Application Aware Firewall (NGFW / WAF)
Application Proxy (Proxy)
Layered Firewall Strategy (NGFW outside the DMZ + Stateful FW inside the DMZ)
Each type of firewall serves different needs on either side of the DMZ. The inside does not have the same requirements as the outside: the outside is under constant attack, while the inside only sees the traffic that is routed to it.
While the CheckPoint firewalls are inspecting the applications hitting the data center, the Cisco ASAs are checking ports and protocols. The layered firewall approach is part of a security strategy that demarcates responsibilities: one team is in charge of the perimeter devices (CheckPoint) outside the DMZ, while a separate networking team manages the ASAs inside the DMZ.
If someone is able to crack the CheckPoint and get inside, they then have to get through the second firewall, which is a completely different device with a completely different personality, run by a different team.
The idea is to make it such a pain in the arse to get inside that the attacker will go away.
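To make the division of labour concrete, here is a toy model of the two layers described above. It is an added example written for this page, not code from the original post and not anything resembling Check Point or Cisco ASA internals: an application-aware filter in front, a stateful port/protocol filter behind it, and a few constructed packets run through both in order. The layer names, the web server address 10.0.0.10, the client addresses from the documentation ranges and the injection patterns are all assumptions made for the illustration. Real NGFWs reassemble streams before inspecting them; this model inspects one packet at a time, which is enough to show which layer stops what.

```python
"""Toy two-layer firewall: application inspection outside, stateful port
filtering inside. Added example for illustration, not vendor code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: first packet of a new connection
    payload: bytes = b""


class StatefulFilter:
    """Port/protocol filter backed by a state table (the ASA role here).

    Only a connection-opening packet is matched against the rules; once a
    flow is in the state table, packets in either direction are admitted
    by the state entry rather than by a rule."""

    def __init__(self, rules):
        self.rules = set(rules)   # (proto, dst, dport) tuples that may be opened
        self.state = set()        # (proto, src, sport, dst, dport) of open flows

    def check(self, p: Packet) -> bool:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            return True                 # part of an established flow
        if p.proto == "tcp" and not p.syn:
            return False                # mid-stream packet with no state: drop
        if (p.proto, p.dst, p.dport) in self.rules:
            self.state.add(key)         # open the flow
            return True
        return False


class AppAwareFilter:
    """Payload inspection (the NGFW/WAF role): a permitted port is not enough."""

    def __init__(self, bad_patterns):
        self.bad = [b.lower() for b in bad_patterns]

    def check(self, p: Packet) -> bool:
        body = p.payload.lower()
        return not any(b in body for b in self.bad)


class LayeredFirewall:
    """Runs each layer in order, outermost first; the first layer to drop wins."""

    def __init__(self, layers):
        self.layers = layers   # list of (name, filter) pairs

    def check(self, p: Packet) -> str:
        for name, fw in self.layers:
            if not fw.check(p):
                return f"dropped by {name}"
        return "allowed"


def demo() -> dict:
    """Constructed traffic against a constructed two-layer setup
    (hypothetical addresses taken from the documentation ranges)."""
    web = "10.0.0.10"
    ngfw = AppAwareFilter([b"' or 1=1", b"union select"])   # assumed signatures
    asa = StatefulFilter({("tcp", web, 443)})               # only HTTPS may be opened
    fw = LayeredFirewall([("NGFW", ngfw), ("ASA", asa)])

    client = "203.0.113.5"
    results = {}
    # 1. Client opens a connection to the web server: port permitted, flow recorded.
    results["syn_to_443"] = fw.check(Packet(client, web, "tcp", 40001, 443, syn=True))
    # 2. Server's reply: no rule allows it, but the state entry does.
    results["reply_from_443"] = fw.check(Packet(web, client, "tcp", 443, 40001))
    # 3. Benign request on the established flow.
    results["benign_request"] = fw.check(
        Packet(client, web, "tcp", 40001, 443, payload=b"GET / HTTP/1.1\r\n"))
    # 4. Same flow, same port, but the payload carries an injection string:
    #    the port check alone would pass it; the application layer stops it first.
    results["sqli_request"] = fw.check(
        Packet(client, web, "tcp", 40001, 443,
               payload=b"GET /?id=1' OR 1=1 HTTP/1.1\r\n"))
    # 5. SSH to the web server: clean payload, but no rule for port 22.
    results["syn_to_22"] = fw.check(Packet(client, web, "tcp", 40002, 22, syn=True))
    # 6. Mid-stream packet from a host with no state entry (e.g. a stray ACK).
    results["stray_ack"] = fw.check(Packet("198.51.100.7", web, "tcp", 5555, 443))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

Run it and the six outcomes show the point of the layering: the injection attempt on a permitted port is caught by the application-aware layer, the SSH attempt and the stray ACK are caught by the port/protocol and state checks, and neither layer has to understand what the other one does.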
FW - Firewall
PF - Packet Filter
IPS - Intrusion Prevention System
NGFW - Next Generation Firewall
WAF - Web Application Firewall