Check Point Quantum Force (NGFW) Reviews

We are a Critical Access hospital with close to 1,000 endpoints and hundreds of users. We currently have multiple ISPs coming into the hospital for internet redundancy. There are multiple buildings on our campus that are connected with copper and fiber. We have had clinics in multiple cities attached to our network at various times. 

We installed the Check Point NGFW in our environment to act as our main firewall and gateway. This allows us to keep several of the vendor devices (lab analyzers and other third-party equipment) segregated on different VLANs so they have no access to our production VLAN. This system is also our VPN concentrator for several site to site VPNs and remote software VPN connections.

In the past 15+ years that I have run these firewalls, we have been able to make huge strides in increasing our security posture. This has been evidenced by our annual Security Risk Assessments run by a third party. Check Point is always coming out with new features that help make it easer to manage our security posture. We have received multiple comments from other organizations praising us for the speed and accuracy of setting up new site-to-site VPNs with the proper access. This is all possible because of the intuitive Check Point software.

There are many great features, however, with our last upgrade, we now have a web GUI that allows us to pull up multiple facets of the firewall environment. This feature has been very handy. There have been times we have a connectivity issue, and both sides are blaming each other. If I'm away from my desk and don't have my laptop, I can quickly bring up the interface on my phone and search through the logs, rule base, and VPN communities to help quickly troubleshoot the problem. I can't say it enough - this has been invaluable.

Overall, this is a great system, and I'm struggling to come up with things that I think should be improved. 

I have had some issues in the past with the desktop client being slow to come up for logging in, and then slow to respond to screen changes, however, overall, it really hasn't been too bad. 

For additional features in the next release, I would like to see more change functions available in the new Web GUI version. This is still a new offering from the company, therefore, I can only assume it will get better as customers make suggestions/requests.

I've used the solution for over 15 years.

This system has been rock solid in our environment. I have even run beta software to try out new features. I trust the company and their top-notch support staff to keep us running smoothly.

This system has been very scalable. Check Point offers multiple security 'blades' that let you start out small, and increase as needed without having to drop a bunch of money on new hardware.

I rarely have critical issues, however, when I do, I can call and get an engineer rather quickly. For most of my issues, I utilize the online support portal and/or knowledge base articles.

Positive

We had engineers online with us to help us get everything setup. They have done this many times, and they were able to give us a lot of information to help prep the environment. This left us with minimal downtime.

We used Check Point for implementation, and they are top-notch. They know the hardware and software better than anyone.

That is difficult to calculate. We have had hospitals and clinics drop like flies to ransomware, DDOS attacks, and other issues. The financial impact of something like that would be huge. You can't put a price on safety. 

We are trying to do the best we can in an ever-changing landscape of cyber dangers, and we feel that Check Point has been a great name to hang our safety on. In the 15+ years I've been working with Check Point, I have only changed out the hardware twice. We pay an annual fee to cover licenses and support. In general, this is a great investment.

We purchased this through a VAR, so your mileage may vary when it comes to cost and initial service for setup. 

The licensing can be a bit tricky when you have more than one appliance. That said, they are very open and explain how it all works. They give the ability to set up trials of all the different license 'blades' to let you try before you buy.

We use our Check Point NGFW firewall mainly for perimeter security. Those firewalls are placed at many sites distributed over Europe. We love the firewall management and think it's still the golden standard for creating a rule base and we go more and more in the direction of identity bases user access to secure our environment.

The other firewall blades, such as Anti-Bot, Application and URL-Filtering, and IPS, are used on all sites. It's easy to deploy, as the firewall is able, with the latest version, to learn from the traffic and adapt the IPS policy.

Check Point NGFW has improved our organization with more security and easier deployments. There is a smaller amount of workload in the supporting area. We find a lot of documentation for the products and benefit from a big community. The Check Point support is much better than what we have seen from other vendors. The firewall policy is easy to deploy and we can do a more granular separation of specific user groups. We feel much more secure with this product - especially the API support - and possible automation has saved us a lot of time in our team and organization.

The most valuable features are the identity-based access and high-quality intrusion prevention functionalities. 

One of the most valuable aspects is the central management, which includes a large wide range of API calls. With the central management, we can define a reasonable security policy for many sites and not only for network segments but for user and AD groups. This gives us a bit more "Zero Trust" in our network.

It's enabled us to move away from basic LAN to LAN segmentation to a more powerful user separation approach.

One area which is still lacking is the site-to-site VPN solution. This is still an area that could be improved, although the features have gotten much broader and I really have seen an improvement over the last 10 years of working with the product. The separation from encryption domains between the tunnels came recently as a new feature to the product. This really helps a lot. Yet, we are still seeing a lack of compatibility with other devices, even though this is the case with many vendors. Especially with IKEv2, we are struggling with many vendors to set up perfectly running tunnels.

I'm working with Check Point for 10 years.

If you go by best practice recommendations from Check Point the stability is very good.

Scalability is really good. Check Point has the Maestro solution, where you can really scale easily without wasting resources.

They are really anxious to solve issues as fast as possible. They also try to get in actual contact with you via phone or chat to fully understand the issue.

Positive

In some areas we were using Cisco, however, we changed to Check Point to centralize things.

The setup is pretty straightforward, at least for the basic setup. Even with more complicated configurations, you have good support and experts at Check Point in the background that can help.

We did it ourselves.

Check Point is definitely not the cheapest solution, but the better security makes it worth the price. The licensing model is pretty easy, especially when it comes to the extension for many environments.

We looked at Cisco, Barracuda, and Fortinet.

I'd advise teams to give it a try!

I work for a large bank in Australia and the Check Point NGFW is used on the edge of the network. This strategic positioning allows the platform to provide extensive protection to internal systems from the internet, avoiding security threats on the most sensitive places on the network. 

Another factor in the positioning of the firewall is the protection from external partners connected to the internal network through VPN and MPLS tunnels. The solid performance and flexibility allow the platform to be trusted on this strategic spot.

Check Point NGFW has contributed to the success of the organization in keeping data safe through its powerful and flexible security features. 

In conjunction with the Check Point Management Platform, the firewalls provide an easy-to-use platform that facilitates and creates agility in the operation. The easiness to operate the platform creates a great value for the operation since it is easy to train people to work with the platform. 

Agility is also a key factor for the rapid response to business needs.

Even though Check Point NGFW provides a set of security features that enforce protection on the network, the most valuable aspect is also the most used feature: the plain and simple firewall component. This is the core of the product and works to a great extent without the need for all other available bells and whistles. 

What may sound obvious is actually an important point to be weighed, since several platforms in the market promise miracles but fail to deliver the basics. Check Point NGFW most definitely delivers a great, stable platform in that regard.

Although the GUI is simple to use and fairly comprehensive, more support via CLI would be beneficial for bulk operations. Repetitive tasks can surely be explored via API, however, oftentimes, tasks that are not worth automating can take longer than expected via GUI, while it could be easily tackled via CLI.

There should be better and more comprehensive reporting. This would also bring a lot of value to the platform by enhancing its capability of bringing transparency to the network.

I've used the solution for about three years.

The most recent software version is stable and reliable. There have been some issues in past versions, however, there have been no big ones in the most recent releases.

There are good scalability options through virtualisation. The platform can be expanded to multiple segments.

The support provided by the vendor either via professional services or an engineer is always spot on. They are quick to act and help.

This platform was already being used when I joined my company.

The initial setup can be cumbersome.

We did the implementation with vendor support.

As the platform delivers competent security enforcement with simplicity, the ROI is great. The easy-to-operate nature of the product means fewer hours spent by people struggling with things, while the network itself is constantly kept safe. 

The use of virtual firewalls within the platform should be considered for horizontal scaling and in order to increase the product's cost-effectiveness. 

I was not part of the evaluation process.

This is a great and stable platform overall. Performance and simplicity make this a good choice for any size of company.

We use Check Point firewalls as perimeter firewalls which are restricting the organization's incoming and outgoing traffic and taking advantage of the redundancy capacity of internet providers, which provides fault tolerance when an internet provider has a fault. 

In addition, we use it for the publication of services and with an event viewer that allows us to view alerts about behavior and unusual traffic inside and outside the network. URL filtering and application control are perfect complements to the packet filtering that it offers as a firewall solution.

Check Point offers a reliable firewall solution with VPN options that have allowed us to establish secure and stable connections with other companies and users in a very simple way.

Simple and centralized administration has allowed us to manage all the firewall nodes from a single console, facilitating the deployment of firewalls through the network, since a large part of the configurations and access rules, as well as the protection controls, are managed from a single console and via centralized maintenance.

Check Point is a robust and reliable security solution, whose architecture and design allow centralized administration with a graphical interface that facilitates its management. 

The way in which it manages the nodes within a cluster architecture is excellent, offering fault tolerance which is, in my experience, practically imperceptible when one of the nodes fails. This is thanks to the fact that it maintains a table of shared connections between the nodes and the large number of variables that it takes into consideration to validate the health of the nodes.

As a firewall, Check Point is a great solution and in my experience, there is little that I could indicate how to improve.

That said, a point where it could improve is in the redundancy of the ISP. It should allow more than two internet providers in its configuration of "ISP Redundancy". This redundancy could be managed from variables such as the automatic calculation of the load level between internet lines or load distribution between internet lines in periods of pre-established hours, etc. All could be handled from the same graphical interface.

I have been using Check Point for more than 11 years.

Its stability is one of the selling points. It allows us to have great confidence in Check Point solutions.

The performance is excellent in the new appliances. The solution is very scalable and easy to integrate.

They have a good response time and their personnel have a good technical mastery.

I was using ASA, however, we switched to Check Point as it offered a centralized interface for managing all nodes in addition to having an excellent graphical interface that facilitates day-to-day operational activities.

The initial configuration is very simple and intuitive. Check Point offers a graphical configuration interface that makes the process simple and it is complete in just a few steps.

The provider we have used has highly qualified staff and offers excellent and professional services.

It has an acceptable cost considering the stability and the benefits that Check Point solutions offer.

We did not really look at other options. We are very confident with Check Point solutions and we take the stability it offers very seriously.

You must consider Check Point as your first NGFW option. 

We use Check Point Next Generation Firewalls as a perimeter firewall for all sites, including the DMZ, disaster recovery center, and branch offices. We also use IPS, Anti-Bot, Antivirus, Identity Awareness, Application Control, and URL Filtering blades at all gateways. At our main site, these blades provide additional security controls to our existing security solutions. For our branch offices, Check Point Next Generation Firewalls work as unified security products and we do not need to implement additional security solutions.

In addition to legacy firewall features, by using Check Point Next Generation Firewalls blade technology, you can improve your security. 

By using the smart console, you can control tens of gateways from a single point. The smart console also allows you to control all the blades from the same GUI. These features decrease our manpower needs. 

The identity awareness feature makes it easier to implement and manage firewall rules. 

The ease of configuring VPNs can be very useful especially for companies with lots of remote locations.

Check Point Next Generation Firewalls have numerous blade options such as Anti-bot, IPS, and URL filtering. In most cases, one box could be sufficient to use all these blades. You can manage all these blades from a single console. This feature lowers your administrative workload. 

If you have comparatively small branch offices, in addition to administrative workload, instead of spending money for security products such as proxy or IPS, Check Point Next Generation Firewalls could meet your requirements. 

If you have a long ruleset, you may experience performance issues on the GUI, and installing rule changes on gateways can take a comparatively long time. 

If you use Check Point firewalls for a long time, it is inevitable to have long rulesets over the years. The need for using different GUI applications for different versions can be confusing. A backward compatibility feature for smart console versions could be useful - especially if you are an enterprise customer, you probably need to use different versions at the same time. 

We have used the solution for 9+ years.

I am using Check Point Next Generation.

The solution boasts a host of features that we like. 

Tech support should be improved. There are times when the technical team fails to understand things at the ground-level. 

The dashboard can stand improvement. 

The solution is overly expensive. 

The initial setup is a bit complex. 

The solution is scalable. 

Technical support could be better, as the tech team at times does not manage to understand ground-level issues. 

The setup is somewhat on the easy side, but certain things are complex. While the solution is a little easier to manage than Palo Alto, I was forced to make comparisons between the two products. 

The price is too high. 

The solution is geared towards organizations hosting more than 50,000 employees.

I have been designing, deploying, implementing, and operating Check Point's Security solutions including NGFWs and EndPoint security as well as Remote Access VPNs, Intrusion Prevention systems, URL filtering, user identity, UTMs, et cetera, for around 12 years. 

I have also used VSX and MDS/MDLS solutions. In my organisation I am using over 150 virtual and physical appliances and also MDS for virtualized/contanerized central configuration management and also central log management MDLS/MLM. We are using this not just for NGFW but also for other Perimeter security solutions.

This solution has helped keep the security posture of my organization in the best possible shape. Check Point's solutions stay a cut above its competitors to make sure your IT infra Cyber is safe from both known as well as zero-day attacks and malware. 

From an operations point of view, Check Point solutions are the best in terms of providing central configuration management and also central log correlation and management. Additionally, Check Point's virtualization solutions around VSX are super-efficient and very stable.

I found Check Point's software ability to provide for all the perimeter security solutions including next-generation firewalls, intrusion prevention systems, identity and access management, and URL filtering. They are all excellent. Check Point's Central configuration management, central log correlation, and management solution are a cut above the other vendors and are the best in the industry. Check Point's virtualization solutions are also very efficient and can be scaled. They are highly stable solutions (MDS/Domain Managers & MDLS).

To be very very honest, I do not see any major gap or improvement area for any of Check Point Cybersecurity solutions, whether it's your enterprise be cloud-based only, on-prem (Private cloud or Legacy infrastructure), or hybrid infrastructure. Check Point's solutions are highly cost-efficient, have low OPEX costs, are very stable, are safe and secure, and helps maintain the enterprise's security posture. 

Check Point's security solutions are a cut above the other vendors, not just today but for the last 30 years. Without having to mention any gaps, Check Point's development team works hard to stay ahead of technology in the cybersecurity space.

I feel the only thing that I see as a possible improvement in Check Point software is the lack of ability to create "static discard routes" which makes it difficult for NAT ranges to be advertised via BGP to neighbors. Although Check Point has an alternative of creating a dummy interface to introduce "directly connected" routes for NAT ranges so that they could then be advertised up/downstream, having the ability to do so using "static discards" would be a great thing to have.

I've worked with the solution for a little over 12 years.

The product is very stable.

The solution is highly scalable.

The sales, pre-sales, professional services, and tech support are all very nice.

Yes, and we switched because Check Point proved to be more reliable.

The initial setup is absolutely straightforward.

We implemented it through an in-house team.

Every dollar spent is worth it.

Yes, we looked at Cisco, Juniper, and Palo Alto.

Not at the moment.

We use this solution for complete protection against advanced zero-day threats with Threat Emulation and Threat Extraction. We also use:

• NSS Recommended IPS to proactively prevent intrusions
• Antivirus to identify and block malware
• Anti-bot to detect and prevent bot damage
• Anti-Spam to protect an organization's messaging infrastructure
• Application Control to prevent high-risk application use
• URL Filtering to prevent access to websites hosting malware
• Identity Awareness to define policies for user and groups
• Unified Policy that covers all web, applications, users, and machines
• Logging and Status for proactive data analysis

The solution has improved the organization with respect to the following:

• Simple implementation and operation
• Central dashboard for managing branch firewalls
• Easy measurement of security effectiveness and value to the organization
• Proactive protection with the help of many inbuilt blades
• SandBlast Threat Emulation and Extraction provides us zero-day protection from known and unknown threats in real-time 
• Great visibility on the number of threats being blocked at the dashboard
• Helps to clean traffic, both egress and ingress
• A simplified URL filtering option is available for users with detailed granularity to map user/departments with respect to specific access
• It does deep packet inspection for checking HTTPS traffic. There is a shift towards more use of HTTPS, SSL, and TLS encryption to increase Internet security. At the same time, files delivered into the organization over SSL and TLS represent a stealthy attack vector that bypasses traditional security implementations. Check Point Threat Prevention looks inside encrypted SSL and TLS tunnels to detect threats, ensuring users remain in compliance with company policies while surfing the Internet and using corporate data
• It helps in the identification of C&C via Anti-Bot
• It provides geolocation restrictions that may be imposed via IPS
  
• Excellent Application Control for the administrator to manage the access for users
• Secure remote access is configured with mobile access connectivity for up to five users, using the Mobile Access Blade. This license provides secure remote access to corporate resources from a wide variety of devices including smartphones, tablets, PCs, Mac, and Linux

We are using the Check Point Next-Generation Firewall to maximize protection through unified management, monitoring, and reporting. It has the following features:-

• Antivirus: This stops incoming malicious files at the gateway, before the user is affected, with real-time virus signatures and anomaly-based protections.

• IPS: The IPS software blade further secures your network by inspecting packets. It offers full-featured IPS with geo-protections and is constantly updated with new defenses against emerging threats.

• AntiBot: It detects bot-infected machines, prevents bot damage by blocking both cyber-criminals Command and Control center communications, and is continually updated.

• Application Control: It creates granular security policies based on users or groups to identify, block or limit the usage of web applications.

• URL Filtering: The network admin can block access to entire websites or just pages within, set enforcements by time allocation or bandwidth limitations, and maintain a list of accepted and unaccepted website URLs.

• Identity Awareness: This feature provides granular visibility of users, groups, and machines, enabling unmatched application and access control through the creation of accurate, identity-based policies.

I would like to see the provision of an industry-wide and global benchmark scorecard on leading standards such as ISO 27001, SOX 404, etc., so as to provide assurance to the board, and confidence with the IT team, on where we are and how much to improve and strive for the best.

Although Check Point provides annual updates to the Gaia platform, integration with other OEMs is difficult. This integration would be helpful in providing a full security picture across the organization. I am looking forward to the go-ahead of R81 with MITRE framework adoption in the future.

We have been using the Check Point NGFW for the last four years.

This is a very stable product.

It is highly scalable on cloud and does provide customers with lot of flexibility while performing the sizing of the appliance.

Technical Support needs improvement, especially the L1 engineers.

Prior to this solution, we were using GajShield. However, due to limited visibility and support, we opted for a technical refresh and upgrade of products.

Yes initial setup was complex as migration of policies from one OEM to another is a challenge. however we meticulously planned and completed the implementation in phases.

Yes we took help of the Certified Vendor. Vendor support was good.

We did not calculate our ROI; however, it provides good visibility to us.

Check Point is competitively priced; however, there is an additional charge for the Annual Maintenance Contract (AMC) and it is easy to understand.

My advice is to negotiate upfront with a support contract of between three and five years.

We evaluated Palo Alto, Barracuda, and Fortinet.

In summary, this is an excellent product and featured consistently in Gartner for the last 10 years. They have good R&D and support services across the globe.