Check Point Quantum Force (NGFW) Reviews

We are using this product as a firewall which does have the capacity to block the IPS signature as well. 

It is highly accurate for the IPS engine and has the best-in-class log monitoring and report generating facility in the firewall. 

It is easy to manage, as it has a centralized management console. We are using the firewall as a VPN service as well. It is very easy to troubleshoot the issue with the VPN. We are using IPSEC features where we can enable tunnels with the client and we can safely communicate with vendors due to encryption.

Checkpoint NGFW improved the security posture of our network infrastructure to the point where we can use antivirus, IPS, and antibot features to tighten up the security. We can also use URL filtering where we can block malicious URLs in communications. We can easily stop and detect Day-Zero attacks. 

The throughput of the firewall is very big for data transitions. The antivirus also includes DPI (deep packet inspection), which examines the data within the packet itself rather than only looking at packet headers. This enables users to identify, categorize, or block packets with malicious data more effectively. 

The IPS feature is the most valuable feature. We can block zero-day attacks within stipulated time intervals. The up-gradation activities are much simpler when we are dealing with Check Point firewalls. 

If there is a critical issue observed, the Check Point support team can create a custom package that we can deploy on the gateway to mitigate critical issues/bug fixes. 

The support reachability is very promising, as we can directly connect with them via call or chat from the support portal.

Sometimes the KB article does not include all the steps. There is a chance for improvement in the content of global KB articles. It's nearly impossible to add an exception for threat prevention services - such as antivirus and anti-bot. You will be stuck with Indicators of compromise marked as detecting only, caching issues, and random effects. There is no clear way to report incorrect classification to support. 

Sometimes we need to find a resolution by ourselves as the solution's knowledge base is not enough.

I have been using this solution for five years.

The stability is good.

We can easily scale the gateways with a few simple clicks. 

Technical support is great.

We did use a different solution. Check Point provides better visibility where security is concerned. 

The setup was very straightforward

We can implement it by ourselves.

The ROI is double annually.

It is pretty cheap as far as the setup cost, pricing, and/or licensing are concerned.

We looked at Palo Alto firewalls.

We wanted to deploy a specialized Next-Generation Firewall in our perimeter security.

The solution addresses the Security requirements at Perimeter Layer including:

1. Network IPS
2. Application Control
3. IPSEC VPN
4. SSL VPN.
5. Proxy

It was required to enable IPSEC VPN between our vendors across the world

We got positive responses on Check Point Firewalls from our vendors as well.

Our team addresses the regular audits with a Next-Generation Firewall, starting from configuration and application vulnerabilities to customized reporting.

We have planned to achieve many business use cases including IPS, Network AV, Content Awareness - Data Leakage Prevention, IPSEC VPNs between our peers, SSL VPN with Posture Assessment, and Web Proxy as well.

This solution addressed most of our needs but required multiple license subscriptions.

Below are the few Business use cases we achieved through Check Point NGFW:

1. SSL VPN with Security Posture Assessment
2. SSL VPN with In-build Multi-Factor Authentication Option (Certificate + User Credentials)
3. Content Filtering (Identity Awareness and DLP)
4. Forward Proxy with Web and Application Control
5. Enabling Anti-Bots and IPS

The SSL VPN with posture assessment helped us to remove the dedicated Standalone SSL VPN solution which was benefited both commercially and technically.

Anti-Bots and IPS enabled security on the network traffic.

Along with VPN and Proxy (Web and application control), we removed another standalone proxy for internal use and extended the content filtering to roaming users as well.

The security posture assessment with two-factor authentication has saved more time and commercial costs by avoiding deploying having to deploy another solution.

It took so many weeks to migrate our old firewall to Check Point after we did internal and external assessments on earlier setups and enabled multiple security features.

We had difficulty configuring the NAT. For example, instead of following A-B-C, we need to do A-C-B

Initially, we faced a few challenges with firmware. Later this was addressed with jumbo hotfixes.

We tried to create a single management software to manage the policies, view the logs, have a mobile access VPN, and do reporting.

Please concentrate on local services enablement for faster resolutions.

We have been using this solution since July 2020.

Initially, we faced a few challenges with the firmware. We later addressed this with help of jumbo and custom hotfixes. Later, it performed well.

The solution is scalable in terms of enabling the features and deploying management servers.

We would recommend they have regular feedback sessions with customers.

Neutral

We used another firewall that enables basic security features with lot of limitations.

We found the setup difficult in the earlier stages as our team used to work with another CLI-based solution.

Our In-house team handled the implementation. 

I'd advise users to validate the licensing model during the pre-evaluation period itself. It took a few days for us to understand DLP and Mobile Access Blades that had to be procured separately along with the NGTP bundle to address our requirements.

We evaluated Palo Alto and FortiGate.

Our organization implements, maintains, and operates Check Point's firewall. 

Check Point solutions were implemented by our organization in accordance with the project documentation and further adjusted at the request of the customer. 

We ourselves also use a Check Point firewall in conjunction with a firewall from another vendor - both to protect our network perimeter and to test various functions and new emerging firewall capabilities and identify various bugs before they reach customers in the product environment.

We and our customers use almost the entire palette of capabilities of the firewall solution from Check Point. We use almost every feature, from anti-spoofing and network segmentation to URL filtering and intrusion prevention systems. We also willingly use virtual private networks from Check Point, both site to site and client to site. We also leverage the antivirus blade and anti-DDoS attacks. Some of our customers use Check Point capabilities for mobile devices, which are also successfully implemented in the firewall.

We found a very successful implementation of the virtual private network client, since, for some time now, everyone has been working from home. With the firewall from Check Point, this function is implemented very conveniently and securely. 

A convenient new version of the firewall management console, which, starting with the R80 version, has become standard for many Check Point blades, however, unfortunately, not for all. You still need to use older consoles to manage some features. For example, to access the monitoring blade, I need the old console, but the new console should start it.

You need to merge all the old consoles into one new one and make the interface more convenient for the novice administrator. Until now, the initial settings as well as subsequent changes to the "iron" part of the firewall, namely its interfaces, routing, or DCCP settings, you must use the web interface through a browser. This is inconvenient. Of course, you can use the command-line for these purposes, however, this also complicates the configuration process for the administrator and requires a well-known habit.

I've used the solution for six years.

There is room for improvement in terms of stability.

The scalability is great.

Technical support could sometimes be better.

Neutral

I have used and still use solutions from Sophos, however, in Check Point, some functions are implemented more conveniently. For example, work with logs.

Before installing, I recommend to go through the training.

I handled the implementation myself.

The ROI is good.

We use the product as our main and only Firewall/Gateway/VPN Gateway. we are in the finance sector, and we need a very reliable and robust system. 

We rely heavily on the VPN system, as most of our employees are working outside the office at this time. 

We also have two appliances to improve reliability, we have internet access through two ISPs configured to work simultaneously. 

Our internal LAN is with duplicated network nodes that are double connected to our Check Point cluster. That way, we have full High Availability.

Before our purchase of Check Point products, we used an open-source product that lacked good integration between products and setting up to work was very tricky.

We use the Check Point mobile VPN, which is very stable and easy to use. It allows our employees to change their internal domain password when it becomes old, even when they are outside of the office for a long time. The VPN client can connect to our internal network even before the user is logged into his laptop. This allows users to receive GPO policy updates. 

The solution offers very good central management, which saves time and is hassle-free.

One of the most useful new feature is dynamic definitions. For example, if you need to allow all of the Microsoft Azure IP addresses, you can insert them dynamically and Check Point will update them for you. Without it, to find all IP addresses would be almost impossible.

You can create additional layers for the firewall rules. This allows better organization and performance of the product by skipping to the rules that are responsible for this group of protected devices.

There are some GUI features in Check Point's SmartConsole that are still from the old versions and are in separate/duplicated interfaces; it would be most useful if it is integrated and not on different menus.

We would like to have a better search engine on the checkpoint.com site. Right now, it is difficult to find, for example, a newer version of the Check Point VPN Mobile client. The search engine shows most visited sites and the newer version won't be the most recently viewed site page. As it is right now, you have to find the general VPN page form, and from there you have to look at what version of the product you need and then go to the page of the latest version.

We have been using this product for five years.

Check Point is very stable.

We haven't needed to expand our throughput capacity.
However, based on the Check Point documentation, it is hyperscale ready  capable of up to 475 Gbps of Threat Prevention.

It is very good. Our local representatives are very helpful.

Positive

We moved from a previous solution to Check Point as it is more reliable and easy to manage, and our old solution wasn't able to provide the level of security we desired.

We have had some problems understanding how to set up HA, however, we managed to do it. This was mainly due to the fact that we didn't have experience with Check Point products in the past.

We did everything in-house.

New users should know that the first year of support is included in the equipment. After that, you have to buy it.

We choose between Palo Alto and Checkpoint.

We like it. It works well.

Our primary use case for Check Point NGFW is as our internal firewall within the datacenter to route traffic within it as well establishing our rulebase for part of our datacenter.

We have also implemented some other nodes as ICAP servers only. They have been a great replacement even though the installation was not the easiest.

They are the last line of defense (or first depending on how you look at it) within our perimeter and are therefore a critical part of our system within the company.

Check Point NGFW have been a real rock in terms of reliability (except for Identity Awareness) and we have not had any issues in terms of CPU or memory usage as our model might have been overkill with how well it is able to process traffic and how easy and unimpactful it is when adding new blades to manage this traffic

One ability that Check Point has is that it is the first to provide us with the ability to use identities instead of using the traditional IP-based format, which allows way more flexibility in what we can do with the rule base.

Identity Awareness has been an absolute gamechanger in how we've been able to create rules within the company. It allows us to give access to certain resources in very specific ways that were not possible before.

The SmartConsole is a very powerful interface compared to many other competiting products, which allows us to seamlessly go from watching logs, to modifying the rule base and easily find what objects are used where or even check which logs are linked to a specific rule

Logs are very well parsed when sent to Splunk.

Identity Awareness has been a massive source of problems for our deployment and the ability to debug it has been lacking.

The VPN setup is definitely way harder than it should be. The wizard or anything surrounding it doesn't allow for a quick setup without having to read documentation or actually getting a project with an external company

Our gateways have not felt like a day older than when we first got them, on the other hand, our physical management server Smart-1 has been definitely showing its age as it is sometimes quite long to do anything on SmartConsole when it decides to act up.

I have been using Check Point since joining my current workplace - about 4 years ago.

In 4 years, we've only really had one big incident with availability that was due to a faulty network card, which was changed quickly once diagnosed.

Since we chose a model larger than our needs, we aren't looking for a scalable solution.

Customer service and support have been a bit hit or miss and it takes a while for escalation to happen, however, once it does happen, you get proper support right away.

Neutral

I was not present within the company when it was decided to switch from one solution to another, and actually our previous solution was Check Point as well - and it was just reaching its end of support.

I did not participate in the setup.

We used a vendor team along with our in-house team.

I would need to compare it with other solutions used in our environment, which I haven't done.

I'd advise users to only choose blades when they are absolutely necessary - unless getting a good deal with a package.

As mentioned, we switched from Check Point to Check Point.

For the Identity Awareness setup, try to follow Check Point guidelines from the start as it is really capricious and hard to debug.

We primarily use the solution on all branch sites and now in DCs as well. We have more than 500 sites using Check Point NGFW in our organization. 

Earlier, we were using Cisco ASA and now it looks much better in many aspects, including upgrading/managing. I had only experience with Cisco ASA before, but after implementing this in my branch location it became quite easy to manage the firewalls remotely.

A few of our engineers use APIs to upgrade or push global changes for all regional locations which was tough to do. Now, with Check Point on board, it has eased our job as network engineers. 

Central management saves so much time. We were spending so much time with ASAs. I only had experience with Cisco ASA before, however, after implementing this in branch location it became quite easy to manage the firewalls remotely. 

As mentioned, a few of our engineers use APIs to upgrade or push global changes for all regional locations which were tough to manage. Now, it has eased our job as network engineers. It was a good decision by our organization.

The logging and central policy management are the most valuable aspects for us as we were not having success earlier with the ASA in terms of upgrading/managing. We are still exploring more features like IPS and IDS. We hope that these aspects will be a great experience for us as well. 

The smart consoles could be improved. Many times we have seen that smart console lags or has issues during the change. It also closes sometimes. Otherwise, the overall experience was great until now. 

As we are still exploring more features, we need more time to provide more reviews in the future. I would like to explore more with Check Point and would like to provide improvement review as we go into using the MDMS. It will be in our organization here by year-end. 

I've been using the solution for three years.

It looks very stable as compared to others.

The scalability looks great.

A few times I reached out to support help and in no time I was able to get experts who helped me through any issue I was having. 

Positive

We used Cisco ASA, however, we wanted a product that was more stable with central management. 

It was not easy to set up initially, however, we got some support from external vendors. 

We had help through a vendor and the experience was great. 

The stability makes it all worthwhile. 

It looks great the cost-wise for our organization. I've also suggested this product to other ex-colleagues for their companies. 

We did check out FortiGate and Palo Alto as well. 

We have had a great experience so far. 

Working in an MSP environment, there are more than a hundred firewalls and we use Check Point NGFW firewall which is mainly implemented as perimeter security and internal segmentation firewall. 

Due to our requirements, we implement site-to-site VPN between clients and cloud providers (AWS/Goggle/Azure). The centralized managed infrastructure makes it simple for the IT staff to operate and monitor the firewalls. 

The Smart Console provides a single pane of glass that allows the IT staff to easily manage the environment and troubleshoot issues.

The Smart Console provides a single pane of glass that allows the IT staff to easily manage the environment and troubleshoot issues. 

The UI decreases the hours required to complete a task. It also incorporates compliance and audit control validation into the system. 

IT staff can construct a single policy across all enforcement points in the Infinity architecture. 

There's a unified policy table that combines threat prevention and segmentation policies. 

SmartEvent allows consolidated event management and export.

The Identity-Based Inspection Control gives us the ability to leverage the organization’s Microsoft AD, LDAP, RADIUS, and Cisco pxGrid. 

The Terminal Servers group membership allows policies to automate typical processes (user moves/add/changes) and decrease configuration changes required on the firewall, which is tremendously beneficial. This limits the integration with the identity store to just one interface, and we still get broad security coverage based on a single set of identity policies. 

We leverage the combination of identity and application awareness, which is mandatory in order to build scalable security policies that protect the business without compromising user experience. This feature is extended to the SmartEvent console.

The SmartEvent blade has a huge number of security events/logs. We are trying to find correlation with the help of the SmartEvent blade, however, it may impact the performance of our Check Point management server. It requires additional licenses for Check Point management servers. It should be inbuilt within the management server.

With the increase of volume of traffic, the required resource/hardware to properly run goes up. Therefore, the hardware engineering to architecture flow has to be more efficient.

I've used the solution actively since 2008.

There were moments of where it did struggle when the rules were not properly maintained meaning that rules clean up exercise has to be performed annually to prune out rules no longer being use to allow the firewall to function more efficiently.

Overall, the product handles a production workload like a champ.

Customer service was pleasant.

Positive

Working in an MSP, we have multiple vendors/principals of NGFWs.

You have to work with a sales account manager to get the best price.

You need to work with a vendor that is overall quite knowledgeable. 

The solution should be evaluated and a trial run should be done in the lab as Check Point provides VM instances that can be installed on an open server box. Make sure to check with sales about the features and if they require additional licenses before purchasing.

Working in MSP, we have looked at various NGFWs. Check Point is one of them.

Check Point firewall is used as edge protection.

Traffic to the internet and from the internet does go through the firewall where IPS, URL, and app policies are applied.

Check Point was also used as an internal firewall to segment traffic between the data center and the user network. Basically, all traffic from any user will have to be inspected by an internal Check Point firewall before any server is accessed.

Check Point is also used for PCI-DSS credit card checks within any email sent or received. This is effective in detecting credit card numbers within any email sent by a user in error and blocks that from being exposed. 

The product has improved visibility into the traffic going through our network.

For all traffic leaving the network, Check Point provides the capability to inspect and permit traffic using not just ports but application IDs, which is more secure than simply permitting TCP/UDP.

Check Point has a robust IPS Blade which has added an additional layer of security on connections to the data center.

Check Point's compliance blade also helps in checking how Check Point's appliance configuration is in compliance with any requirement that we need to provide evidence for.

Check Point application control is very useful. This blade detects traffic and provides the ability to grant access based on the application and not the port as TCP/UDP can easily grant access for more than what's required.

The Check Point compliance model is also great. We can easily check firewall configurations against any compliance standard. It has made it easy to provide evidence and reports.

Check Point integrates with third-party user directories such as Microsoft Active Directory. The dynamic, identity-based policy provides granular visibility and control of users, groups, and machines and is easier to manage than static, IP-based policy.

Support for customers really needs to improve.

Check Point also needs to create a study license that will enable the customer to install a firewall (maybe with reduced connectivity) for a bit longer so that one can simulate scenarios without having to re-install it every 15 days.

We had a lot of problems with the VPN blade on the solution. We sometimes have trouble with the performance of the solution. Maybe some performance tuning options could be added in a future release.

Check Point needs to create a certification program that involves practical applications. 

I've used the Check Point firewall for three years.

Customer service really needs to improve.

Positive

We used Cisco ASA for Internet-facing Web applications, however, Check Point was used at the EDGE ( all user traffic to the internet), internal firewall ( all user traffic to datacenter), all internet traffic to PCI-DSS applications instead.

Implementation was done with the help of Check Point's professional services.

If you have the budget, it's a good idea to go for the Check Point Firewall.

We also evaluated Palo Alto.