Check Point Quantum Force (NGFW) Reviews

It assists us in filtering files for our internal users, ensuring that our data remains secure and protected. During the pandemic, it has been invaluable in enabling remote connections through VPN for our employees who are working from home, facilitating our COVID-19 response efforts. We established point-to-point VPN connections with approximately thirty clients, which enhances our security, especially at the outermost layer of our network, safeguarding us from external threats.

It includes features like IPS, which keeps us informed about potential threats attempting to breach our infrastructure, adding a crucial layer of security. It is user-friendly and straightforward to manage, which simplifies our overall network security management.

It could greatly improve our customer experience by centralizing management. Currently, we face the issue of having different management interfaces, which require us to switch between them, causing some difficulties and inefficiencies in our workflow. There are instances where the software crashes and this necessitates frequent upgrades from one version to another.

I have been using it for four years now.

I would rate it as highly stable, giving it a solid nine out of ten.

In terms of scalability, we haven't needed to expand significantly as our current setup consists of firewall checkpoints at the main site and another set at the HQ. These devices can seamlessly communicate with one another. We use SmartConsole managing system, which serves as a centralized hub for collecting and managing logs from all our Check Point Firewalls. As far as I know, the limit for management servers is five firewalls, so beyond that, additional licensing may be required to accommodate more devices.

We don't engage directly with its support team. Instead, we work through a reseller who handles our support needs. When we require assistance, we reach out to the reseller, and if necessary, they will liaise with Check Point on our behalf.

We were previously using Cisco ASA, Cisco X-ray, and FortiGate. However, the technologies we had, particularly the Cisco ASA, were outdated, and there was a clear need to upgrade to a next-generation appliance. When considering our options, we received a proposal from a local vendor in Angola, and after reviewing it, we decided to move forward with Check Point as it is widely recognized as one of the top solutions in the market.

The initial setup is straightforward. I would rate it nine out of ten.

We've had positive experiences with the deployments, and we've recommended it in several instances. Currently, we have implemented four Check Point Firewalls. Our initial deployment at the primary site took approximately a week to set up. After fine-tuning and making necessary adjustments, the total time for implementation was roughly two weeks. The main office at our headquarters had a similar timeline, as the tuning process does require a significant amount of time and effort.

The technology itself is impressive, but I find the pricing a bit on the higher side. This is partly due to the complexities we face with exchange rates in our country, as obtaining foreign currency can be challenging.

Having worked with products from various providers, I've found the experience and functionality of Check Point to be quite impressive and I strongly recommend it, provided they invest in essential training, which is a critical component. Its user-friendly management interface simplifies the process, and it offers a wealth of features. I would rate it nine out of ten.

Our customer’s infrastructure is entirely based on Check Point. They are using around 2,000 firewalls worldwide. We resolve the problems in their product as a service provider.

Check Point is a great technology. It doesn't compromise the performance of the users. The tool provides great security. It was the first firewall that provided 3-way handshake. It was the first stateful firewall in the market.

The tool’s architecture could be improved a bit. It should provide Single-Pass Parallel Processing. Check Point’s interface is quite segregated.

I have been using the solution for seven to eight years.

The tool will be stable if the implementation team has done a good job.

The tool is scalable. If a user faces any constraints, we can upgrade the tool. The hardware is scalable. Our customers are enterprise-level businesses.

The technical support team is not excellent. It’s not easy to get people on call on urgent tickets. They join the call, but the support is not as smooth as other vendors like Cisco and Zscaler.

Positive

Palo Alto provides Single-Pass Parallel Processing. Palo Alto and Check Point are not very different.

The product is easy to install. It's an interesting product. Once we get the knowledge of Check Point, it's quite easy to work on. However, for new users, the solution is a bit difficult. For a single gateway, if we are ready with all the necessary software we need while installing, the deployment takes one to two hours.

A single-site deployment, where all gateways and management are taken care of, can be done by one or two people. However, a complete implementation team is required if some things are to be done on the cloud and some in the branch offices. One team will handle the policies, and the other will handle the basic installations. Once the solution is stabilized, maintenance will be easy.

Check Point is a good tool. I would recommend it to others. Overall, I rate the solution a nine out of ten.

We use the solution as a perimeter firewall. We also use it for endpoint security and VPN.

The product is very user-friendly. The configuration can be managed and customized as required. We can customize the tool for each stakeholder.

It will be good if the product is rack-mounted. The product must be updated to protect users from the latest firewall threats.

I have been using the solution for almost six years.

The tool is very stable.

The tool is easily scalable. Almost 2000 people are using the product in my organization.

The support is good.

Positive

We also work with other vendors. Check Point is as good as its competitors, but its cost is a bit higher.

The initial setup is very easy. One firewall engineer can deploy the product within a few hours. It is very easy to maintain the tool. We need only one person to maintain it.

The tool is a bit expensive. The product’s operational cost is very high. We pay a yearly licensing fee. We also pay for support.

Check Point is the most user-friendly solution. It can be configured quickly. Overall, I rate the product an eight out of ten.

The primary use case is segmentation in many different areas of the company network. We had a few critical use cases: there was a need for an internal firewall, and also an edge firewall. Apart from having simple segmentation, we had a requirement for additional features like the possibility to decrypt traffic, the possibility to inspect URLs or the intrusion prevention system feature. 

A very important thing for us was also to have a very good quality of vendor support. Definitely, this is something we can get here. 

With Check Point we have achieved our primary goal - segmentation. We were able to limit North-South and East-West traffic which had a very impressive impact on improving security posture. 

We also have the possibility to control Internet traffic, we can use the URL filtering feature together with traffic decryption to be able to allow only safe communication. A very important thing for us is also having the possibility to use identity awareness and be able to implement policy based on user IDs (user ad groups).

I like the Next-Generation Firewall. This is the primary feature and use case for this solution. It's a very important thing for us to have a solution that provides ease of use and an intuitive interface.

We are also using other security blades that are included in the package like URL filtering, identity awareness, IPS, antibot, and threat detection.

The most valuable thing for us is to have the possibility to use all the security blades and all security products and have a consistent policy among different security features. Reporting and integration with external solutions are great.

Check Point could improve the time for delivering requested features from customers. It could be delivered much faster. Also, communication and status reporting for such requests have a lot of room for improvement. After the request, we do not get any information on the status or progress until it is implemented.

Looking at the trend in the market which aims for vendor consolidation, the strategy to deliver one vendor SASE could be beneficial for Check Point and its customers. 

I've been familiar with the product since 2003. At my current company, CheckPoint appeared three years ago.

The stability is good.

The range of platforms is huge. It can fit every traffic requirement.

Overall I have had a positive experience with support. Sometimes it takes too long to resolve issues, however.

Positive

I have been using Cisco ASA. The switch was done based on the intuitive management interface and ease of use of Check Point.

The setup is straightforward, even if the policies are big and complex.

We have used help from a third-party company.

I'd advise users to prepare their requirements before choosing the product and model.

I also evaluated Palo Alto.

It is a really good solution. You should be happy with it if you choose it.

The customer's use case involves employing it to safeguard their internal applications from external threats. They utilize various gateway features, including user identity-based policy, anti-spam, antivirus, IPS, anti-BOT, and other security measures, effectively creating a robust defense against a wide range of potential risks.

The primary focus is on safeguarding the customer's internal applications, especially for traders. When it comes to security, the main advantage lies in risk mitigation, akin to insurance.

The most valuable feature is its unique inspection model, which was initially a basic firewall inspection. Over time, they've developed and refined this model to cater specifically to trade-related intelligence. It is now a crucial and central component of their security infrastructure.

From an administrative perspective regarding Check Point NGFW, there are two key suggestions to improve efficiency. Firstly, administrators should be able to create a unified policy which means that when administrators set up policies in Check Point, they should have the flexibility to configure different security profiles and other security parameters all within the same access policy, simplifying the process. Secondly, the upgrade process for Check Point Firewalls currently involves extended downtime as it often requires a fresh installation. This downtime can last up to around sixty minutes, causing disruptions to business operations. To enhance the user experience, Check Point should consider adopting an incremental upgrade approach, similar to competitors like Palo Alto or Fortinet, as it would help minimize downtime and streamline the upgrade process, making it more efficient and user-friendly.

I have been working with it for about ten years.

It provides good stability features. I would rate it six out of ten.

Scalability is achievable in the cloud environment. By following the appropriate processes, you can configure automated scanning and other necessary functions to ensure it.

From a technical support perspective, there is room for improvement in Check Point's services. They have increasingly outsourced a significant portion of their support, primarily to third parties. This outsourcing has raised concerns, as it often results in longer resolution times and troubleshooting processes. In my experience, working with Level 3 engineers is more satisfactory and efficient, whereas Level 1 and Level 2 support can sometimes fall short of expectations and extend the time required to address issues.

Neutral

When comparing Check Point to Fortinet and Palo Alto solutions, there are several advantages and disadvantages to consider. One key advantage of Check Point is its robust logging capabilities. Administrators can access detailed traffic flow information, providing valuable insights into network activity. Another strength is the trust associated with Check Point. They pioneered the concept of "stateful firewall," which has established a strong foundation for trust in their security solutions and is built on their extensive experience and history in the field.

The initial setup is a medium-level complexity task.

When deploying on AWS cloud, I typically opt for CloudFormation templates to facilitate the setup of Check Point. This approach offers the advantages of infrastructure as code. When it comes to on-premises deployments, the process is manual and involves tasks such as physical cable connections, configuring interfaces, setting up routes, and defining network policies. For a typical mid-sized project, a single person is usually sufficient for the cloud deployment, taking no more than two hours if the implementation plan is well-defined and the design is in place.

The cost can vary depending on the specific model and feature set requirements, as well as the unique value it offers to the organization. The price may be perceived as relatively high when compared to the features and capabilities they provide.

My advice for anyone considering it would be to begin by thoroughly understanding their specific needs and requirements. It's crucial to assess budget constraints and security priorities. If an organization has a sufficient budget and prioritizes a robust security posture, I would recommend considering Fortinet. They often provide a more comprehensive security exposure when compared to Check Point. For organizations with legacy systems or a strong preference for Check Point's Endpoint solutions, my advice is to segregate the management and gateway components. Avoid running both on the same platform to prevent complexity and potential issues. Separating these functions can lead to a smoother and more efficient operation. Overall, I would rate it six out of ten.

The primary distinction between an NG Firewall and a traditional firewall lies in their configuration flexibility and scalability. Regarding options and features, the spoofing functionality in Check Point has been instrumental in enhancing security in our critical environment. It plays a crucial role in securing our internet connectivity.

Its functionality is highly satisfactory. In the newer Check Point version, there are additional features in VPN and IP security that enhance tunnel security. This flexibility extends to the Check Point MDM platform, allowing for streamlined management across different domains. In my current client's complex infrastructure, there's often a need to replicate rules from one firewall to another within the same room. With Check Point, it's a straightforward process of creating the rules in one policy and then easily copying and pasting them into other policies.

The log management process in MDS consumes a significant amount of storage, so it would be highly beneficial if there's an opportunity to optimize these logs and save storage space. While it does enhance network security, it tends to consume substantial resources, including CPU, memory, and storage. It could be an exceptionally useful and efficient solution if there were outgoing or AI-driven algorithms to streamline log management and periodically delay the logs.

I have been working with it for almost four years.

Regarding stability, I would rate it seven out of ten. While there have been occasional issues like false positives and blocking misreads in my NGFW, overall, it's a good product.

In terms of scalability, I would rate it seven out of ten.

The level of support provided depends on the specific contract. With a premium contract, it gets you treated as a top-priority customer, and they respond promptly, making every effort to find solutions. If you have a standard support contract, your experience might be more like that of an ordinary customer. In general, I've found them to be helpful, and I would rate their support six out of ten.

Neutral

I was working with Palo Alto for a couple of years, and I found their data protection functionality to be particularly interesting. I believe this feature is quite innovative and that other vendors should consider taking inspiration from it.

When it comes to the setup process, I've noticed that publishing and informing policies in different steps can be a bit complex. The typical sequence of publishing policies, configuring them, and then deploying them to the firewall can feel suboptimal at times. There are situations where an immediate policy installation is needed and it would be beneficial if there were options to install policies directly before the publishing step. Overall, the setup process is not overly complex, but it's not as straightforward.

When it comes to the quality-price ratio, I've found that Check Point offers a competitive balance in the market. I would rate it four out of ten.

I would rate it six out of ten.

We've used the solution for perimeter and DMZ security as we host a website that is accessible online.

On the perimeter, we have Check Point acting as the entry point to our web server farm with load balancers. The access policy is configured with the least privilege, only allowing connections that are part of business requirements.

Intrusion prevention is enabled in prevent mode to detect and block well-known vulnerabilities and attacks. The device connects to Check Point's cloud for updates on signatures to new threats. 

We are peering with Partners via Site-to-Site VPNs for Services.

1. It's offering perimeter security to publicly accessible sites. There's better security at the edge and DMZ with the use of access policies. 

2. The activation of Intrusion Prevention Blades offers better security at the perimeter and between DMZ Zones. IPs also have prebuilt security profiles making deployments of IPS fast and efficient, and exceptions to the rule base are easy.

3. The use of a remote access VPN is used to connect to partner sites.

4. Check Point offers virtualized systems, making it easy to scale. Instead of buying new equipment, we have set up virtual systems for the DC and user networks.

1. Intrusion prevention. Preventing and detecting well know vulnerabilities to our publicly accessible systems is easy. Inbuilt predefined security profiles can be deployed out of the box.

2. Virtualized security. Virtualized products are used to provide more scalability and ease of administration to the network.

3. Identity awareness. Granular policies on the firewall are based on identities.

4. Site-to-site VPN. We can make connections with partners securely.

5. Reporting. Prebuilt reports that are already in a well-presented manner could be presented to management.

6. Access Policy and NAT rules base.

1. Complexity in upgrades. Currently, upgrades are quite cumbersome. I would prefer the click of a button and process upgrades.

2. Pricing. The pricing is quite high as compared to other industry firewalls (such as Cisco or Fortinet).

3. Documentation. They have to improve on providing more documentation and examples for certain features online. In other sections, it feels shallow and we could use more information and examples.

4. Complexity in system tweaks. There are some knobs that need to be tweaked at the configuration files on the CLI which can be considered complex.

5. Check Point Virtual Security. The features take a bit more time to be released as compared to physical gateways.

I've used the solution from 2017 until now.

A word of caution, especially on new software: you might hit a couple of bugs. Therefore, the general recommendation is to wait for a few takes before upgrading to a major version.

With older versions it's stable.

The solution offers high-performance devices ranging from small to big data centers.

Virtual Security offers up to 13 connected gateways helping with managed security.

First-line support is hit or miss, and at times getting an engineer to assist on the call can take hours.

Opening tickets on the Check Point platform is ok with the first response depending on the workload of the engineers.

This is one place Check Point needs to improve.

Positive

Previously we were using Cisco ASA 5585. However, the performance was not reliable, and scaling would have been an issue.

We opted to go with Check Point, which could handle high performance and scaling was easier. Check Point also offered IPS features which were easier. Check Point also had better reporting and management tools.

The initial setup was a bit complex since we were deploying virtual systems.

The interface configurations, access policy, VPNs, and NAT setup were easy. The complexity was in understanding how Check Point handles virtualized security instead of physical security gateways.

The initial implementation was with the help of a vendor with good knowledge of the product.

It's used to protect the organization from security threats and provide connectivity to our applications which is the main platform for business. That's the ROI we've noted.

The pricing and licensing for Check Point are high.

Due to experience with Check Point, we did not evaluate other options (like Fortigate or Palo Alto).

Generally, Check Point is a good product with a lot of security features that I would recommend to any organization.

We are a top enterprise with a huge Check Point presence. We have been using Check Point since its older R65 version, and we are currently on the R81 version. 

We have close to 200 Check Point devices for DC and all remote sites. We are also using Check Point for our edge security along with the Sandbox environment. 

Check Point is also used as a VPN solution which is a pretty easy setup. 

Check Point Cloud Guard is an excellent find we were able to do some cloud-based networking in our private cloud. 

HTTP forwarding is one feature that I haven't seen in Check Point's competitors. With it, I can just send all HTTP traffic to a cloud-based proxy directly without building a GRE tunnel or VPN. 

We took some major leaps with Check Point virtualization. VSX is one of the phenomenal features of Check Point. It allows us to virtualize multiple environments. We have saved hundreds of thousands of dollars with VSX. 

Instead of using a number of small firewalls, we bought a couple of CP 23K series with 20 virtual licenses. It really worked for us with the MDS and smart log. 

HTTP forwarding is something I haven't seen elsewhere.

VSX, URL filtering, and DLP are all excellent. VSX is the best thing we have used. We can use virtual switches and virtual routers for VLAN extensions. Another great feature is the "Active-Active" state that no other firewalls provide. I worked with other vendors as well; however, Check Point is the only one that can provide very good support on the Active-Active state. I still like the traditional way of troubleshooting using TCPDUMP and the FW monitor. Application IDs can be used, which is a significant improvement from previous versions.

The web UI for VSX could be better. As we enable VSX on physical gateways we cannot access the web UI. Smart log setup isn't so easy. We have some issues with some domains, however, overall, the smart log is a really good feature that helps navigate to the right domains for troubleshooting. 

We have so many applications, including smart updates, provisioning, etc. I would like to see a single pane where I can do everything instead of going to each application and making changes. 

More and more application IDs and integration is a really good thing and that's something I am looking for. 

I've used the solution for eight years.  

We used another solution before, which was only command-line based. Check Point was only the major competitor and best option a decade ago. 

We need to choose technology first, and obviously, others follow. Check Point's three-tier architecture is the main reason for us using it. I believe the pricing is pretty competitive.

We did look at other options, including Fortinet, however, nothing is as good as Checkpoint. 

Check Point is a good solution. It is a reliable solution above all.