Check Point Quantum Force (NGFW) Reviews

We use Check Point to protect our two data centers under an active scheme. It allows us to protect our customer information while preventing cybersecurity events that put our customers at risk. We use threat prevention and extraction, VPN, firewall blade, VSX, and the entire Check Point management suite. Our setup includes two firewalls in a high availability and VSX environment, respectively. We also take advantage of Check Point's load balancer, which works very well. The failover is performed automatically, without any flashing or noticeable impact on the user. 

Check Point NGFW enabled us to switch from a decentralized solution with seven firewalls to a solution that's easier to manage with high-availability firewalls and capabilities that were previously lacking in NGFX. It helped us connect our users working remotely during the quarantine while maintaining our security policies and avoiding zero-day attacks. 

The solution makes administration more straightforward because we can replicate the policies in both data centers with a single click, helping us to deploy quickly in both gateways without problems.

Check Point's most useful feature is threat prevention and extraction. It was tough to manage seven firewalls and a perimeter solution for IPS, anti-malware, anti-bot, and sandboxing. 

Integrating everything in Check Point allows us to see all the attacks that are blocked with our perimeter countermeasures every day. Check Point's high detection rate improves our overall security posture, and we can achieve a low rate of false positives through a few adjustments to the configuration.

It could be easier to access the installation of the Hostfix for VSX solutions. The CLI commands help us understand how virtual firewalls behave in terms of processor, memory, and other aspects. More graphic visualizations of CPUSE commands would be a welcome improvement, and Check Point could expand scripts to run within the solution for multiple tasks.

I've been using Check Point NGFW for seven years

Check Point works well in a high-availability setup, and the failover is fast. We had very few instances of unavailability. It happened once when we had hard disk issues, but the RMA process was quite simple, and the replacement part came quickly.

We added new Check Point firewalls twice this year, and it was relatively simple. You can quickly migrate the configurations, and your new firewall is ready to go after a few adjustments to the settings.

Check Point's support has been excellent, and they respond immediately via phone, chat, and email. In particular, I think the chat support was great. 

Previously, we were using seven open-source firewalls, and we decided to go for a solution with good ratings from NGFW users. We wanted something well-positioned in the market that had good support.

Migrating from an open-source, decentralized setup with seven firewalls to centralized management was complex, but it was less complicated than we expected thanks to Check Point’s management features. The ability to perform a parallel startup helped a lot during deployment.

A vendor team helped us, and the migration was smooth. The Check Point engineers who worked for our partner were well trained to handle the implementation.

Check Point NGFW can be expensive compared to other competitors, but the price matches the functionality and efficiency of the solution.

We considered Fortinet, Palo Alto, and SonicWall before settling on Check Point

We are using Firewall Intrusion Prevention and URL Filtering, and we just purchased the Endpoint Protection package for our workstations.

It is deployed on-premises. We have two Check Point systems in place. We have one that's between our business network and the outside world, and we also have one that's between our business network and our internal SCADA system.

We haven't updated to version 81, so we're still at version 80.

It has provided us with great protection from threats. I've been here 30 years, and we've had two incidents, and none of them were within the time we've used Check Point.

The console or the single interface on the blades is most valuable.

The only thing that we've seen is instances where console and administrative interfaces get locked up or freeze, and we have to get the machine rebooted.

I have been using this solution for probably 10 years.

I would rate it a nine out of 10 in terms of stability.

Its scalability is very good. Our entire force is about 190 people, and most of them use it at some point just because they are going out to the internet and have that protection for the workstations. 

It is being used extensively. Everyone is using it, and we do have plans to increase the functionality on the device.

They provide really good support. I would rate them a five out of five. 

I can't remember the product, but what we had initially was an entry-level device. It was a single-purpose firewall. We went up to an enterprise solution that had additional features.

It was pretty simple to transfer the old firewall configuration to the new one. So, it was pretty straightforward and easy. I would rate it a four out of five in terms of effortlessness.

It took over a month. We ran two systems. We built a new system for a couple of weeks before switching over completely.

We used a consultant. Our experience with them was very good.

For deployment and maintenance, we have five people on our staff. We have to do some maintenance on it. It's pretty much scheduled to rotate between us so that we keep our skills fresh.

We've not done an initial study on any kind of ROI. We rarely do. In positives, we try to perform a yearly risk assessment of our systems, and we find very few vulnerabilities. So, it is doing what it's supposed to. It is keeping us safe.

Its cost is a little higher than other products.

We evaluated other options, but I don't remember their names. We basically went to the consultant we deal with for security-related things and said, "What's out there? What do you recommend?" He gave us three and recommended that the Check Point was probably the lead one.

I would advise comparing it to the other products.

I would rate it a nine out of 10. It has served us very well and given us very few headaches.

Our business houses just over 100 staff, along with over 200 devices ranging from mobile to tablets, computers, laptops, and Servers. 

We use a Check Point 5100 cluster running R80.40 to protect our business from external threats. 

Our network is also extended to the likes of Microsoft Azure, Amazon AWS, and other 3rd parties utilizing secure VPN tunnels terminating on our Check Point 5100 cluster. 

Our business also offers the ability of hybrid working - which is only possible with our Check Point solution.

Prior to using Check Point, we had a Draytek small business firewall, the Draytek would often hard lock, which resulted in the loss of internet connectivity for the business. The only way around this was to reboot the Draytek device which in turn would lose logging data as to what was causing the issue. 

Moving onto Check Point completely solved this problem. The hardware is much more capable and the logging and alerting functionality means, should anything happen (like it did with the Draytek), we would have visibility on the logs which would give us a direction for troubleshooting and mitigation. 

Check Point offers a secure VPN client. We distribute to our agents via group policy. Our agents can then connect to our network when working from home - which was a game-changer due to the recent pandemic situation. 

Check Point also offers a mobile app capsule connect which, as a system administrator, has proven very useful when a high-priority issue occurs. I am able to connect to my internal network via a phone or tablet - which has proven useful in some scenarios. 

As a system administrator my favourite part of Check Point is the smart view tracker. This alone is a must-have tool for tracking all traffic traversing the Check Point appliance. It makes troubleshooting much easier. This software alone sets Check Point out in front of the competition.

Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release. 

The only downside to Check Point, is, due to the vast expanse of configurable options, it does become easily overwhelming - especially if your coming from a small business solution like Draytek. 

Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software. 

I've used the solution for five years.

The solution was not always stable when running the older R77.30 version. Paired with a mid-spec box, we did find some issues with performance on more than one occasion, specifically the network would slow to a halt until a system reboot, there was nothing within the error logging and our external SOC couldnt find anything either. We'd often when updating the firewall policy it would fail to deploy usually taking around three or four policy pushes each taking about 20 minutes. We are now running much faster hardware with the later R80.30 release and those issues have completely disappeared.

Scaling is dependant on the size of your network. Check Point does offer a wide range of lower to high spec appliances depending on your scale set.

I've only had two instances using their support as we have a third party on contract for third-line issues that I cannot resolve. They were prompt yet not shy about pointing out potential issues with third parties and it not being their appliance. 

Positive

We used Draytek. It didn't offer the security features that Check Point does and we were a victim to a successful attack from external sources which Check Point would have caught. We also found the hardware of Draytek was too underpowered to handle the size of our network. 

A third party installed the appliances initially. It is a complex process, as Check Point is vast in features and very configurable. You find yourself using the web interface, their own management software smart dashboard, and a mixture of CLI and config files to get your end result. 

We implemented it through a vendor team. Their level of expertise ranged as we moved through three separate technicians during our installation which was problematic. I wouldn't use this particular vendor again. That said, this was nothing against Check Point. 

You cannot put a price on security. Check Point is a field leader. However, it comes at a high price. 

If you have no experience with Check Point and you are on a deadline, it's essential you find a company certified to help with the deployment and configuration. The feature set is rich however, it's not always user-friendly. 

Pricing, including licensing, is very expensive compared to alternate products such as Sophos, Barracuda, or FortiGate

We evaluated Fortigate, Sophos XG, and Barracuda. However, ultimately the decision boiled down to our parent company already using Check Point. 

We use the solution as a frontend firewall in our headquarters and in our branches. We use packet inspection, the antispam feature, and the VPN. We have configured threat prevention and content awareness to improve security on incoming email and on web surfing from interlan networks wits SSL inspection. Mobile access through the VPN mobile client is also used from all outside workers and is fully integrated with our AD. We also use the solution to route traffic on internal networks and manage security through client and server networks.

We have improved our performance and bandwidth through the networks. Security is also improved. We have better control over the logs and better integration with our SIEM. 

We can also manage all our firewall from a central management console so each policy is under control and can be developed better. Inline policies help to understand on the correct use of the policies and a more readable list. We can also manage policies in two or more people at once without problems or risk of making the wrong policy.

VPN and mobile VPN are extremely valuable to us. The policies are simple to deploy to the new branches. 

All policies can be deployed and managed in a very simple way. 

AD single sign-on with VPN mobile is very helpful and simple to manage and deploy. 

Log management is also a good place to make troubleshooting and through console manage events. 

Management of the object is also a valuable feature. At every point in the console you can manage object properties and look to each policy where it is used and simply change or find where the object is involved.

Some features, like the VPN, antispam, data loss prevention, etc., are managed in an external console. In the future, I'd like all features in the same console, in one place, where we can see and configure all features. I'd like a web console so that all firewalls can be managed from a web browser and we don't need to be installed on dedicated consoles and applications. 

I use the web console to mange the Gaia software in the firewall and it would be nice to have also policy management inside the web browser. 

I've used the solution for four months.

It is very stable. We have reboot only to install updates.

We chose the solution for scalability and now we are running with all branches with a Check Point firewall. The solution is meeting our expectations.

We do not need customer support.

Positive

We did use a different solution. We switched to improve security.

It was complex to set up due to the fact that we changed our mind on how the firewall works. Central management is hard to improve.

We implemented it through a vendor. There was not a high level of expertise, however, I took a course with Check Point and that was very clear and now I'm very expert on the Check Point world.

We have seen an ROI in that we need less time on managed policies and we have better control.

The cost is high but the benefits are too.

We also looked at Palo Alto, WatchGuard, and Fortinet.

The solution is a good solution and at the top of the market.

The primary use case is as a perimeter firewall separating different security zones from each other. We separate several zones, such as Internet Of Things (ie. cameras and several sensors), Internet-facing DMZ, internal networks, and guest networks from each other. 

Also, we use the VPN feature to create Site to Site tunnels between branch offices and the headquarters. Threat Prevention features including IPS, Anti-Bot, Threat Emulation, and Threat Extraction and are used to secure our users from being victims of several threats. 

It is hard to say how a product like a firewall is improving our organization. The firewall does what it should. Primarily, the management makes this product great. There is no other product on the market that is nearly as perfect a tool for managing firewall rule bases and I know many of them. Check Point has much fewer vulnerabilities in their products and also is very quick to react to vulnerabilities.

The Threat Extraction software blade feature is the most valuable feature as it extracts any potential harmful content from several kinds of documents, which our users receive via e-mail or download from the Internet. We know, that our users tend to click on everything they get without thinking too much about the consequences. 

The second feature to mention is Threat Emulation, which is basically a sandbox, which runs executables received via email or downloaded from the Internet and creates a verdict if this executable is harmful or not in regards how it behaves on a specific operating system and application.

Unfortunately, the API is not fully complete and also it is not an API which I would refer to as a RESTful API as there are different endpoints for the same entity. For me, a restful API would use one endpoint to handle, for example, host objects and use different HTTP methods to distinguish between different operations. 

I would expect to use the PATCH method to update an object and the PUT method to create one. Currently, there are separate endpoints for these operations and all of them use the POST method. The most important issue with the API is, that there are some endpoints we are missing (for example for managing VPN users).

We have been using this product and its predecessors for about 20 years.

The stability is very good. Sometimes there are issues, however, most of the time, they have no big impact. SecureXL was sometimes a bit of a problem. That said, this has improved in the last few versions.

Check Point offers several possibilities to scale (load sharing, Maestro, and scalable platforms such as 44K or 64K appliances), however, in our case, we just replaced the appliance after a few years. If one needs real scalability, they should take a look at Maestro which is the scaling solution from Check Point.

Technical support can be good or bad. It depends. Sometimes they are really great, and sometimes very annoying. Most of the time we have a good experience.

Positive

We did not previously use a different solution.

It's really simple to set up. You simply install from an ISO with a few questions (ie. mgmt IP address and gateway) and restart with a graphical installation wizard with a few more questions (such as is this a management box or a gateway or a cluster member ASO).

We handled the setup in-house. We have enough knowledge to do that. Our expertise is CCSM level.

We evaluated several competitors such as Cisco, Palo Alto, and Baracuda

We use Check Point NGFW mainly for a perimeter firewall for ingress and egress traffic control, firewalling, but we also use a lot of other functions within the NGFW capability.

Check Point NGFW provides a bunch of different products or Blades, as they call it in Check Point. The firewall engine is what we use the most but we also use the IPS IDS and Anti-Bot features. The solution provides many features.

The management of memory in the hardware needs to improve. They have had a lot of issues with memory leakage.

I have been using Check Point NGFW for approximately 10 years.

The solution is mostly stable. However, we have these memory issues from time to time, that cripple the performance occasionally, but other than that, they are very stable.

The solution is scalable and it is easy to do.

Overall the technical support is very good. If we have an operational issue, they can sometimes be a bit slow in responding. Other than this, I have nothing to complain about.

I was not around when the implementation was completed but using my experience in these global scenarios, there's always complexity, there probably was some complexity involved.

Check Point NGFW requires security and OS patching, and life cycle management. Every three to five years you need to replace the hardware. We have a dedicated team that does the maintenance of the solution.

It's hard to say exactly how many people are involved in implementing and maintaining the solution because some of the work is outsourced, but I would say it's a team of approximately between 10 and 20 people.

When comparing the price of Check Point NGFW to other solutions it's difficult to compare because even though everything is included in the Fortinet price, there are large differences between the models. You need to go to a quite expensive Fortinet firewall to receive the same throughput and functionality as in a Check Point firewall. In the end, they are quite similar in price, Fortinet might be a bit cheaper.

I have used other solutions, such as Fortinet and Palo Alto.

I'm not sure that there are many differences between Check Point NGFW, Fortinet, and Palo Alto. I haven't used any Fortinet solutions myself, I'm not sure exactly how they work, but I would say that, from a management perspective, both of them are quite similar. Operational-wise, Check Point NGFW is a bit more stable and has a more mature operating system, at least the model that we are using. 

The only difference in functions is how they have branded the firewalls because, in Fortinet, you receive all the functionality for the same price as the firewall itself. Everything is included. However, with Check Point, you buy the hardware separately, and then you buy the different plates that you need and the different licenses for the functions that you need. It's a bit more complex license-wise with Check Point.

When you implement anything in an environment you need to have a good design to begin with, you do not want to have to rebuild it after you have implemented it. It is important to
be thorough in preparations and planning.

I would recommend this solution to others.

I rate Check Point NGFW an eight out of ten.

Check Point is currently our perimeter firewall at various locations. We use their failover clustering with high availability option, which performs flawlessly. Upgrades are easy to perform and have always worked reliably for us. Technical support is always available to assist with these operations, which makes the process less stressful to the admins. 

We are also using their ISP Redundancy feature, which works as advertised - perfectly! It's easy to implement, especially with the awesome documentation from our engineer. We also use their Remote Access VPN offering and have really seen its value this past year, due to COVID-19. The VPN has been 100% rock solid, especially during the most critical times in our history.

As mentioned in the primary use case question, ISP Redundancy and VPN are the two primary use cases. When the pandemic hit, a sudden shift to a remote workforce was a major requirement for us, and we needed a reliable and stable firewall. Implementing ISP Redundancy helped ensure that, as well as having a tried and tested VPN solution. Upgrades have occurred during this time and manually planned failovers as well; every upgrade and test went smoothly and without issue. The last thing we could afford is an outage.

They offer very scalable solutions to extend compute resources if needed so initial sizing isn't too much of an issue as you can easily add more resources if needed. Reliability is a major factor in any hardware or software solution, and Check Point uses leading-edge hardware, and their software upgrade process is flexible for various deployment requirements. 

Policy configuration has been consistent over the years, so there is not much of a learning curve as upgrades are released. 

Their threat analysis reporting from their management console is very comprehensive and easy to use. Their web-based dashboard is well designed and offers many out-of-the-box reporting, and provides admins extensive customizations.

The pricing is on the high end, specifically with the software licensing, although they are flexible on some levels, and offer hardware buyback options when upgrading. 

The software licensing model is too complicated with all the various tiers of SKUs (i.e. per software blade). They need to simplify this for easier purchasing and renewing. 

Customer support is not always as responsive with solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.

We have been using Check Point firewalls for 20+ years. We originally used the Nokia hardware platform, which was not technically NGFW at the time, however, the OS and its configuration have maintained some similarities over the years. It keeps getting better every release.

Lately, stability is 100% reliable. Earlier generation firewalls were a bit unreliable, however, as Check Point acquired third-party hardware. For example, their Nokia acquired security appliances had a firmware that worked, until they started to modify the firmware (IPSO 6.0 was solid, but problems started with our upgrade to R75), then it became less stable; frequent crashes, settings not saving, high availability issues, frequent reboots required.  Eventually, we upgraded to their NGFW offerings.  Their newer hardware, and firmware R77.x was released, and we have been stable ever since.  Upgrades to R80.x have been flawless, HA works as expected, and we have had zero performance issues.

They are very scalable. If you need more computing resources, adding more hardware is easily done.

Customer support is not always as responsive to finding solutions as you might need. They do provide on-the-spot assistance when upgrading, which is great. However, there are times when an issue is reported and it may take a week or two before a solution is provided.

Positive

We have always used Check Point.

Setup was very straightforward and easy. We did have the assistance of our Check Point engineer, which is just awesome.

We implemented through Check Point directly.

I do not measure ROI financially, although personally speaking, we have definitely gotten back every dollar we've spent by having reliable and secure infrastructure.

The setup cost is not a challenge at all. Check Point engineers work directly with you throughout the whole process. The pricing is high, for the hardware and software, although discounts are negotiable. The software blade licensing is broken down into many flavors, depending on your needs. It is very a la carte and provides various product offerings, including endpoint management, VPN, disk encryption, etc.

We did review a few competitors during a possible migration plan. The proof of concept did not yield better results, so we stayed with Check Point. We reviewed Cisco, Palo Alto, and SonicWall.

If you don't need/use their a la carte software blades (FDE, Ransomware, etc.) you can always add on later. They are very accommodating with trial licensing to test in a proof of concept way. If you already have other third-party products that perform those functions, you can bundle Check Point's and save a bit of money consolidating them.

We needed to replace our external firewall solution as we were having issues with the HTTPS inspection on our previous solution and the level of support being provided was terrible, leaving us with an issue that could not be fixed for over six months. 

We had already deployed a new internal firewall solution but needed something that would protect that from external factors. We also needed a new solution to replace our client VPN solution. The Check Point solution gave us that as one whole solution instead of having to manage multiple services.

Our policy is to deny all outbound traffic unless we allow it, which can generate a lot of work to build a rule base that allows everything we need to get out. 

This solution has made managing connections out to the web much better due to the categorisation and app control that is available. Being able to say certain apps and services are allowed out, instead of finding all the relevant IPs, has massively reduced the workload. The ability to manage the Client VPN and relevant rules for that in the same location has also improved the way we work. Having links into AD for group membership recognition and having rules based around this has been very useful in improving the way remote users can access the network.

Logging has been excellent. Being able to see all logs from all the various firewalls at different sites in one window has made fault finding much easier. We can see how the traffic is moving through the sites and on which firewall. 

It has also been easy to see machines that may have had infections as we can report easily on devices trying to talk out to sites and services that are known to be dangerous. We have these set up as an HA pair on our main site and we have a lot of audio and video services that go out over the web. 

The failover from one device to the other has been seamless and we find that we do not lose ongoing SIP calls or Teams chats. 

The functionality of the S2S VPN service has been temperamental for us at times and is not always simple to manage or check the state of. 

We find the GUI to be wrong and the CLI doesn't always show all of the connections. 

From a general usability point of view, if you have not used Check Point before, the learning curve is steep. Perhaps managing and configuring the devices could be streamlined for people with less experience so that they can pick it up quicker. There needs to be extra wizards for the out-of-the-box builds.

I've used the solution for six months.

On the firewall side and content filtering side of the solution, it has been faultless. There has been no real downtime to note and the access to the web via relevant rules has always worked as expected.

We have a fairly small setup in the grand scheme of things, however, from what we have seen, the ability to add in new firewalls or increase the hardware spec seems very good and it would be easy to transition from older to newer hardware when the time comes.

Due to the support model we signed up for, we don't deal directly with Check Point support. We deal with the vendor first and they will deal with any 1st/2nd and even most 3rd priority issues. They would then go to Check Point if they need more assistance on our behalf. The level of support and responsiveness of their support has been excellent. We're always getting at least a response within a few hours, even on a P3/P4 issue.

Positive

We did have another solution, but due to an issue with the HTTPS inspection that the manufacturer was not able to properly rectify or fix for 6 months, we lost faith in their ability to provide adequate support going forward for any issues we might come across. 

The setup was complex due to the nature of the Check Point firewalls and us having to make some config setup in one portal and others on the CLI. We also had to arrange the rule base via the management console. There could be 3 different places you need to make various changes. We also used private microwave links as redundancy for VPN connections and that had caused significant issues in getting set up as the link selection did not cooperate at first.

We implemented via a vendor and I have to say their level of expertise was brilliant. Every question we threw at them, they were able to provide an answer to. 

It was not the cheapest solution to go for, but the amount of admin time that has been saved by the use of Check Point firewalls has definitely given us a great return, giving us more time to work on other aspects of our network. Also, being able to consolidate 2 solutions (Firewall and Client VPN) into one solution has saved more money and admin time. 

We found that Check Point was very flexible with its pricing. We were looking at a spec of hardware in other solutions. We found that Check Point did not have a direct competitor, but to help with the bid, they managed to reduce the costs of their higher-spec hardware to make it competitive with the other solutions we were looking at. It's not our fault they did not produce the hardware of a similar spec. It's up to them to try and provide a solution that would make it a competitive solution. 

We looked at several other solutions in including Palo Alto at the top of the market and Sophos XG further down.

I would say as good as the solution is, if you are looking to get the most out of it, you should look to get a company or consultant who knows the Check Point solution inside out to assist with the setup. We found a partner who specialized in Check Point and we would not have been able to get it to the stage we have without them.