Check Point Quantum Force (NGFW) Reviews

This is the perimeter firewall and manages all security facing towards the internet,

It's a distributed solution composed of a Security Gateway and a Security Manager. It controls all the traffic from the LAN to the Internet and the VPN tunnels for connections with external partners. We control the traffic to the internet with blades as URL filtering to manage the bandwidth, limit the use of this resource, and apply the security policies as well as protect the LAN network against advanced threats from the internet to the servers and PCs. 

This solution applies NGFW features to the inside and outside traffic of the networks. The other options did not have sandboxing, reports, and the same advantages as Check Point.

We have a small firewall from another vendor. The solution is working with limitations, as it was designed with Check Point as a security solution for the perimeter with more security features for covering our network requirements and specifications and preventing advanced threats from the internet to our servers and PCs. 

The sandbox feature is great.

The Sandblast blade is a very powerful solution that works against archives infected with ransomware.

The anti-malware is quite effective as many applications can be infected with any kind of malware with the goal of interrupting the productivity of our work equipment.

The reporting is great.

With this solution, we have had many kinds of logs and a very friendly way to view them. Now can we know what is happening within the network's traffic.

The performance has been very good. 

This security solution has grown more options and has expanded slots, including RAM slots, Optical Fiber slots, and various other features.

The anti-spam needs improvement.

A weakness with the Check Point solutions is the anti-spam, as they have a partnership with some solutions for anti-spam. They should have their own solution. We have email provided through Office 365 and they have their own way to fight spam and, due to this, we haven't bothered looking into anti-spam options. That said, Check Point is the most adapted to our necessities.

I consider the price of this solution high. It is very good, however, the prices are high - it's like buying a car.

I've been using the solution since 2018.

We changed from an older solution as it worked for five years and was old. It wasn't equipped for the new generation threats.

The price should be considered, however, it shouldn't be the only reason you choose the solution, or not.

We also evaluated WatchGuard, Palo Alto, and FortiGate.

We use the product to secure our network, using all Check Point has to offer, including multi-domain servers, centralized log servers, gateways on-premise, and VSX. It has improved a lot with the last versions making day-to-day operations very user-friendly. 

I have used almost all the blades Check Point has and it's incredible what a Next-Generation firewall is capable of, including VPN, IPS, monitoring, mobile access, compliance, and more. The reports of the Smart Event console are also very useful. It's good to have a view of what's going on in our network. 

Since Check Point has Linux working on them, it gives us plenty of tools to adapt to any specific need we have.

In actuality, Firewalls are a must in any organization. Check Point's ability to adapt to any environment is their strength. The interface is very easy to understand, and the Smart Console can be configured to fit almost anything you need to.

When an issue appears, the logs are very easy to read, and that helps to identify the reason for the problem and solves it faster. The issues are not so annoying. 

The support Check Point gives is key. As the Firewall vendor, I recommend them. It's always great to work with them. For this reason, I am very satisfied with Check Point. Every doubt I had they were pleased to help with and we ab;e to provide a resolution. The technical services always replied in a very fast and effective way. The live chat is great as well. There is always someone willing to help. This makes working with Check Point a good experience.

Check Point expert mode is basically Linux, so working with that allows us to implement a variety of scripts.

In earlier versions, it was a bit hard to do migrations of Multi-Domain Servers/CMAs, nowadays, with +R80.30 it has gotten much easier. I cannot really think of many things to improve. 

One thing that could be useful is to have a website to analyze CP Infos. This way, it would be much faster to debug problems or check configurations. 

Another thing not very annoying but enough to comment on is when preparing a bootable UBS with the ISOMorphic (Check Point's bootable USB tool), it gives the option to attach a Hotfix. However, this usually causes corrupted ISO installations.

One thing to improve is the VSX gateway. It is quite complex to work with VSX and they are quite easy to break if you aren't familiar with them.

I've used the solution for three years.

With other products, I have used quite a lot of RMAs, usually for not the most important component, however, enough to need an RMA, such as FANs or PSUs.

With Check Point it's quite easy, if it's needed, to replace. You just install the correct version and hotfix and load a backup from the old device. After that, the new device is ready to go.

The scalability of Check Point is great. With the usage of Multi-Domain Servers, you can integrate all the devices into one console. You also always have the chance to expand creating new domains. Also, this distribution helps to have a very structured and organized management. It is always a very good thing when things don't go as expected and you need to solve any problem. Finding where the issue is in your organization is key.

The technical cases are replied to in a very fast and effective way. The live chat means there is always someone willing to help. This makes working with Check Point a good experience.

Positive

The most I have used are Forcepoint, Cisco, F5, FortiGate, and Palo Alto.

The initial setup is very straightforward and very guided. 

With the few replacements we need to do, there is very little downtime. It is worth the investment. The great support team behind Check Point is also worth the cost.

Check Point is not the cheapest manufacturer, however, it's worth the price.

I have been always on the side of Check Point, however, Palo Alto was another option we considered.

Having the option to use a UNIX-based shell instead of being forced to use GAIA, in this case, is great. It makes Check Point very customizable.

What can you do about threats that get past simple packet inspection by a regular firewall? You could have a layer 3 firewall inspect the protocol and block known threats from certain URLs, however, what if it comes from a URL that has not been reported and is a socially engineered exploit designed to hijack your data? This is where a Layer 7 firewall will be able to inspect the application, known as payload inspection.

While this is possible to do with a Layer 3 firewall, it can be difficult due to the number of protocol messages in Layer 7. You would need to create a signature for each application you wanted to protect; however, network signatures tend to block legitimate data and increase your MTTR (mean time to resolve an issue).

Plus, having these signatures makes it hard to manage and keep up with by the IT staff. Relying on the power of AI and the cloud in order to leverage the Layer 7 firewall is key. The advantage of Layer 7 is its protocol awareness, which allows it to differentiate between different network traffic (application knowledge) and not just packets or flows that identify ports and IPs (Layer 3).

Let's say most of the traffic nowadays goes through HTTP, your web browser.

When you browse the web, what do you suspect happens? Your browser sends HTTP requests to servers around the world, and in return, you receive a response. Big data packets originate from business applications as well, such as file transfer protocols (FTP) or web services such as MapReduce or Twitters API. Oftentimes, a breach happens through these protocols, whereby a Layer 3 firewall could potentially let the threat in (such as SQL injection by default) without explicitly denying these requests.

The solution's best features include:

• A packet-filtering firewall that examines packets in isolation and does not know the packet's context.
• A stateful inspection firewall that examines network traffic to determine whether one packet is related to another packet.
• A proxy firewall (aka application-level gateway) that inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
• A Next-Generation Firewall (NGFW) that uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.

One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.

I've used the solution for four years.

We did not previously use a different solution.

The costs involved depend on your needs and budget.

We did not evaluate other options.

The Check Point firewall is a reliable perimeter security product. Check Point gives me access to explore various security features in a single box (loaded with all features that an organization needs most). 

I can say I have been using it for one year and getting a grip on it and I will always try to implement it wherever it is required. 

When it comes to Check Point, there are great security features and a marvelous inbuilt design that caters to handling all threats, including zero-day attacks and perimeter security. I really like the user-friendly interface of the Smart Console dashboard and the maximum security is integrated.

The intruder blocking real-time is a great feature that does not even require policy installation or committing to something. This feature enables real-time attack mitigation along with full security access which helps our organization to improve its security factors. 

IPS detection is a big plus for me since it deeply scans the packet. 

URL fileting along with application control gives me the access to manage the least privilege to maximum rights on a single click.

The product provides multiple security layers that build upon each other, from the traditional security policy that is IP and port-based to application security, intrusion prevention, and their latest sandblast cloud-based malware detection. 

Everything is easily managed through their Smart Console dashboard. It's a very easy-to-understand dashboard that provides a detailed view. Check Point helps to resolve a lot of problems, such as showing our organization all known threats. 

It is easy to deploy and manage. 

The product offers a simple Web User Interface.

While not being cheap, their pricing models are competitive. In the pricing structure, however, they need improvement. 

I would love to see an SSL offloading feature that is not there right now. I am following many forums related to Check Point and it seems like they are going to launch it very soon. SSL Offloading will be very helpful for NBFC and for financial institutes.'

The Check Point NGFW OS is a historically grown OS. It has been on the market for a long time and has many releases. It is a very complex system. All features are done in software - no extra hardware chips are installed.

I have been using this solution for almost a year.

This solution is one of the best solutions in terms of stability.

It is highly scalable.

I have been using this solution from the start as it was recommended by my organization.

The pricing is a little bit high, although I have no issue with the licensing or setup. It is easy to use.

I have stuck to this solution as I read reviews before and it was all positive in regards to Check Point NGFW. I did not use a different solution.

I protect customers and other types of data by ensuring a secure environment. Check Point allows me to deploy quickly and securely, along with using more advanced detection and prevention. By securing multiple sites and various infrastructure elements, I have reduced my overall workload.

I'm using a lot of permanent tunnels and protecting them to ensure that monitoring customer infrastructure is not compromised in any way, shape, or form.

Various hardware has been deployed at proper sizing for customers and the equipment is stable without the need for a lot of custom configuration

By deploying Check Point, it has made it easier to manage everything from a single interface. The management dashboard and policies are on its single pane of glass. This has allowed for faster resolution of problems during deployment.

Being able to look at log events and sort quickly for information in regards to problems with connectivity or traffic makes it easier to troubleshoot and gain other insights into traffic-related problems.

Overall, the insights provided also allow for data to be presented to customers to give them an overall perspective of their security.

The management interface is well designed and easy to understand. It reduces the time for deployment, changes, and onboarding new customers.

The logging facility is amazing and gives great insights into traffic. Although Event Management is also amazing, it can be cost-prohibitive for other companies to onboard.

The ability to deploy VPN communities makes onboarding new sites easy. Multi-site configurations can be deployed with very little oversight and with minimal additional work after the initial deployment is successful.

I would like to see better Data Leakage protection options and easier-to-understand deployment models for this. I have been working with DLP for a while now and find that other vendors seem to be doing better at this. That said, having to deploy another solution adds other costs.

Some error messages could be better and more specific. The days of generic error messages should be over by now to allow faster, better insights into fixes for any traffic-related problems.

Some of the sizings of firewalls for deployment seem not exact and require some tweaking based on real-world traffic and connectivity types (for example, PPPoE).

I have been deploying Check Point firewalls for about 12 years and still work with them on many projects. I trust them to protect my infrastructure along with other tools.

I will continue to use Check Point as long as they keep pace with the innovation currently in place without sacrificing customer service.

The product is very stable once deployed.

So far, no issues with scalability have been detected - other than hardware replacement on the growth of traffic

The initial setup has some come complexities, however, that is the nature with multiple types of connectivity and different customer requirements.

Check Point firewalls are/were deployed in various parts of our network to achieve perimeter defense and internal network segmentation. 

In addition to the firewall functionality, each appliance also leveraged Check Point's IPS blades. The perimeter Check Point appliances were also responsible for terminating any and all site-to-site VPN connections with third parties. 

All traffic from remote locations, remote VPN users, and egress traffic to the internet is filtered through the Check Point equipment at some point in our network.

Check Point has not improved our organization. We have observed a sharp decline in the quality of both products and support. 

Over the last several years, there has not been a single week where we have not had an outstanding issue open with Check Point support's advanced tier teams. 

Initially, we had incredibly impactful issues regarding their scalable platform hardware (which is being discontinued in favor of Maestro) to the point we were forced to rip them out due to them being completely unreliable. 

Check Point support has also seen a significant drop in quality, despite my organization even being a Diamond Support customer with Check Point. We fully believe it would be a wiser investment of time to call Geek Squad rather than Check Point.

The only area that Check Point still seems to excel in is their logging. Reviewing logs on Check Point is a snappy and intuitive process that allows the end-user to filter down traffic to specifically what they're looking for very easily and even with little knowledge of Check Point. 

The ability to create filters on the fly in the GUI with simple clicks to various areas of the log is fantastic and allows one to find exactly what they're looking for with very little effort. Note that this is probably the only thing Check Point still has going for it.

Check Point's support, at all levels, needs a complete overhaul. The Check Point support staff aren't even shy about telling you how understaffed, underpaid, and underappreciated they are. Any engineer with a hint of talent is pulled from general support to higher tiers, and then, once they reach a level of competency above that of your average acorn, they leave for better-paying jobs elsewhere. 

My organization witnessed this first hand fighting through the lower tiers of support and working frequently with the scalable platform team. When we switched to Diamond Support we saw no significant improvement in support save for shorter hold times.

I have personally used Check Point solutions for nearly ten years. My organization has used Check Point for 15+ years.

The solution is absolutely unstable. My organization follows vendor best practices exactly and has every deployment vetted by multiple levels within the vendor. Despite this, Check Point hardware has repeatedly proved unreliable at best, sometimes resulting in total outages for our company. 

My current organization has used Check Point for the relevant past and is only recently completely switching vendors to Palo Alto.

All current Check Point hardware is destined for the recycle bin. There is a pretty low ROI.

Most firewall vendors, Check Point included, make the selection of hardware easy enough based on projected usage. Likewise setup on many vendors in greenfield environments is simple enough and should not require professional services.

I was not involved with the initial deployment of Check Point in our environment as it was before my time. However, each subsequent deployment I have been involved in with Check Point was used based on the existing relationship. Once the issues became too impactful and we realized we had no hope of seeing any improvements we began efforts to rip out the existing Check Point equipment.

Do not let Check Point's past success lure you into their current state of bottom of the barrel.

We are using the Check Point firewall for our perimeter security.

The security solution works as well on-premise and in the Azure Cloud. We are using central management to configure the security policy of both gateways.

We are also using a Site2Site VPN for connecting our locations. This VPN is also realized with the same firewall systems.

In order to simplify the process of generation reviews of actual security incidents, we have implemented SmartReport for generating automated and special customized security reports for our documentation department.

Since the security policy of all firewall gateways can be defined centrally on the Check Point firewall management server, it is a lot easier to generate a secure and safe policy for all locations.

Since we can define policy operators for dedicated traffic selections, some of the lower IT staff can easily allow or block services or servers or create their own policy without interfering or compromising the rest of the security policy.

This makes the administration and coordination of the policy a lot easier for us

Since the log files of all services are collected on the management server there is an easy and good view of all actual connections, attacks, or security risks.

In addition, when using the SmartEvent software blade, you get the possibility to have an easy to configure event correlation system, which will automatically fire mail alerts or can even block IP addresses if there are network or security anomalies detected on the firewall system.

This is also possible if the services are allowed - for example, if there are flooding attacks on server systems.

For example, this has prevented our Citrix Netscaler from being taken down during attacks.

Although there is a lot of automation and pattern that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions, however, it can still be made a little bit better. 

For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).

The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.

Since attackers also use these clouds, there is a problem in getting your security definitions to work.

Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.

There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.

I've used the solution for more than ten years.

We do not have any problems with stability.

There is a hardware solution for every type of throughput. It is very good that in the datasheets you get the throughput of the different types of network traffic.

It is better not to choose solutions bigger than needed, or to have some resources left over.

Most of the support calls are answered very quickly. However, if you have a problem and you have to get development involved, the response gets slower.

Most of the time, you will find all necessary information in the Support Center or on the collaboration sites.

Neutral

We were using Cisco firewalls before. We had the need to implement Universal Threat Protection and the configuration of the Firepower system of Cisco was more complicated than the integrated policy configuration of Check Point.

The setup is straightforward. The documentation is very good.

We have implemented it completely in-house.

ROI is really hard to pinpoint. However, if we were using another security solution, our personal efforts to maintain it would double.

It is very hard to compare different firewall solutions and get a comparable price. Check Point tends to be very expansive, however, if you have a deeper look at other vendors, the costs are almost the same.

Due to the good integration and central management, Check Point is easier to maintain than other solutions.

In addition, there are good small office boxes from CheckPoint with a very good price - the features of these boxes are enough for small enterprises or branch offices.

We have evaluated Cisco Firepower and the FortiGate firewall solutions in the past.

The solution protects our internal network (traffic between VLANS) and also is used as a perimeter firewall in our on-premise and cloud environments. Also, we use functionalities such as IPS, ABOT, AV, VPN, and mobile access.

We have about 200 small branches distributed all over the world protected with 1,430 devices and connected via VPN to AWS Cloud Guard and Check Point firewall.

We also have endpoint protection in about 500 devices with firewalls, antimalware, antibot, anti-ransomware, threat emulation and prevention enabled, and also port control.

We have NGTX blades so that we have protection against known and unknown attacks (zero-day). In terms of protection, we passed from none to one of the most advanced protections in the market. 

Regarding endpoints, we can see a lot of prevented attacks and phishing attempts every day. We can see the whole solution running in our environment correctly.

We gained a lot of visibility of traffic patterns, destinations, and use of network (internal and external) resources due to the logs and views within the Smartconsole.

The centrally managed firewalls are great. We can save a lot of configuration time in configuration tasks. We have deployed about 200 devices in record time due to the fact that we use a unique policy for almost all of them.

Logs, Views and Reports are the most detailed compared to other vendors (FortiGate, etc.) We can see a lot of detail in the logs and also we can configure any report we need without any problem and in two clicks.

We can see that, for IPS signatures, we have updates every day, sometimes twice a day, so we see a lot of effort from the vendor. They really try to protect our environment from known attacks and vulnerabilities.

We try to not depend of the SMS application and leave it as a web application. Sometimes it takes a long time to authenticate and open correctly. It's a windows application, so you need a machine to install the application on.

If you have the standard support level, sometimes they take a long time to understand or even give you a solution or good workaround to a problematic situation. We had a problem in the past with a VPN blade that lead some devices to flap the VPN up and down. That case lasted 6 months as we were jumping between Check Point's internal departments in order to find a solution on our problem.

I've used the solution for eight years.

We are very happy regarding the stability. In last year, we only have had three problems regarding software bugs or stability problems.

They have a solution called Maestro where you can add devices in 10 minutes to scale the solution without doing a lot of configuration.

In our environment, we have a classic deployment so it's not as easy to scale; you need to do some configuration and have a maintenance window in which to do it. 

We have the standard support service. I can't say anything too bad and nothing too good. It's normal. Regarding customer service at the local office, I can say that it is very good. They have helped us a lot in deploying some complex characteristics without cost.

Neutral

We have Cisco, however, that's for networking and not security. 

The installation was done by a partner, however, it was very straightforward.

The product was implemented by a partner and their expertise was very good.

There are a lot of licenses for almost every feature, therefore, it's possible to buy only the licenses needed and not a bundle that would have unused features. That leads to savings in costs.

We have evaluated FortiGate, and we saw that it was more user-friendly, however, some characteristics we needed in regards to complex VPN deployments were only available from Check Point.