Check Point Quantum Force (NGFW) Reviews

I used Check Point NGFW to secure the data centers of medium to large enterprise companies. In many cases, it serves as a perimeter firewall, though its use can vary based on specific needs. Primarily, it functions as a defensive firewall.

The GUI is not very user-friendly, and configuring it can be challenging. The management console often has issues, sometimes requiring high CPU usage on your FTP or Windows system to open or manage sessions. It can be resource-intensive. Additionally, when viewing or monitoring logs, they sometimes do not appear immediately and may be outdated or missing.

I have been using Check Point NGFW for two years.

It is a stable device.

They support a range of enterprises, from small to large. Their solutions can accommodate environments with as few as 50 users to those with thousands or more. So, handling a large number of users is not an issue.

Support is very good.

The initial setup is not straightforward and can be more complex than that of other devices like Palo Alto or Fortinet firewalls. The setup for the CMA and management center requires careful implementation. Additionally, integrating components such as MDM and other security devices, including sandboxes, can be challenging to achieve a cohesive and secure environment.

The time required for deployment depends on the amount of configuration needed. Typically, it might take a full day, but with sufficient time, a basic configuration can often be completed in about eight to ten hours.

I have worked with both on-premises and VM versions. The CMA is typically deployed as a VM on a server, while the firewall is a physical device. 

I have already deployed many times by myself, so there is no need for many people.

It is a cheaper device than what other vendors offe.

For security features, I typically use the templates or standards provided by the vendor. Based on my experience over the past three years, I haven’t encountered any significant complaints from customers about attacks or major issues while using the firewall to protect their data centers.

Google has a premium partnership with Check Point, involving extensive verification processes for major customers. This strong partnership indicates a significant level of collaboration between the two companies.

I haven’t handled any maintenance, but the support center has been very helpful. They provided excellent support and demonstrated strong knowledge whenever I reached out for assistance. They are proficient in various languages and have a good grasp of Linux, which is essential for effective support.

They provide good step-by-step implementation guides, similar to what is available for Fortinet's FortiGate. However, I find the implementation process for other vendors to be easier. Pricing varies among the three vendors, so there are differences in cost. Palo Alto offers the best options for sizing, though I haven’t worked operationally.

I recommend it, but you should know Linux and its commands to work effectively with this device.

Overall, I rate the solution a six out of ten.

Mostly enterprise customers use it for their system security as their main firewall. For example, some customers have multiple backup connections, including fiber connections, for redundancy. 

They use Check Point as the main firewall, and others use it for email scanning and file scanning to detect any vulnerabilities.

The firewall scanning, like antivirus scanning and malware scanning, are very good. Blocking the user is also very easy. If you want to block a user, we can just do it within the solution.

The reporting is quite easy and good, and you can see traffic in real-time. But compared to Sophos, Sophos is still better. There are still areas in Check Point that need to be improved.

It's actually quite good, but the only problem we faced was during COVID when people wanted to work from home. 

We had to use third-party software to give users access because the Check Point option didn't work as expected. So we used Check Point in the front, but we used third-party software for the virtualization of the applications and everything.

When using redundant connections, sometimes there are issues like one connection going down and switching to another connection. Also, breaking rules can be complicated. 

For example, if you want to make a rule for a specific connection, like assigning some users to one ISP and other users to another ISP, you have to use another device, like a third-party firewall intervention and routing, to get the desired results. Other than that, it's good performance-wise.

I've been working with Check Point for the past six or seven years. We always work with the latest version.

It's very stable. No issues there.

It's scalable.

Our clients have raised questions to technical support. They all have accounts, so we give them the login details. They send an email to support and get a support request. But normally, we try to handle everything on our own. 

If there's something we can't handle, like a firmware-level issue, only then do we get support from Check Point.

It depends on the client requirements also. Some government agencies need Check Point, and some clients need others like Cisco or Sophos. After Cisco, a lot of clients have changed to Sophos. So, we provide solutions depending on the client's requirements.

The initial setup is straightforward, just like any other normal firewall. 

• Deployment strategy: 

The deployment process depends on the client. For example, if it's an existing customer with an existing firewall, we first see what their current requirements are from the existing firewall, what they need to implement but cannot, or what challenges they are having. 

Then we compare the features of the existing firewall and Check Point firewall, and we tell them what the rules will be, like incoming and outbound rules. We try to see what is the fastest way, without any downtime, how we can point or configure the checkpoint. 

Then, after that, we do the testing, because almost all of the offices need that. So, normally, once we set it up, we give them one month for testing. Normally, for a better line or something, we just use a certain IT department or a sub-department for testing. After that, if it's okay, we hand it over.

In a nutshell:

Requirement Analysis →  Feature Comparison  → Rule Definition → Testing and Validation → Phased Rollout → Client Acceptance

• Deployment time: 

Normally, for a site, more or less, less than one month. It depends on the number of users. If there are a very large number of users, like 600,000, then it will take around one month or more.

• Deployment resources: 

Normally, we have two technicians working. One is from the Philippines, trained in Sophos and Check Point. We don't need many more staff for the implementation.

• Maintenance: 

It's very easy. Only the licensing. Every year, we have to pay, but sometimes clients talk about the cost. Also, very recently, there was a ransomware issue. The only issue is, for example, if it's ransomware, and it doesn't get detected by Check Point and gets infected from another source, we have to prove that it's not from the outside but from the inside. Because there are a lot of case scenarios like this, those are the things mostly.

• Integration capabilities: 

Integration is a little bit challenging. It's much easier for integration with other applications and domains. When integrating with a domain, there are still some small issues. For example, when applying a group from the domain controller, we sometimes need to test a firewall and do some reporting. There are small issues like that for the integration of LDAP. Other than that, it's good. It can pull up the users and groups, but there are some minor issues when we apply them.

It's effective and good.

Compared to Sophos and others, Check Point pricing is good for the current market.

In terms of features, Check Point and other firewalls are almost the same. There are no special or advanced features.

I can recommend it to other people. Overall, I would rate it a seven out of ten. 

Currently, we utilize Check Point firewalls, IPS, site-to-site VPN, and remote access VPN features for our various client operations.

We have implemented a cloud firewall for one of our customers and primarily handle perimeter security using Check Point firewalls for multiple customers.

We also handle POCs, implementation, upgrades, and daily security operations as part of our services.

We are distributor partners who also distribute Check Point products to our customers. We recently convinced our clients to use Check Point firewall services and signed a contract with them.

We have not received any issues from any clients using Check Point services so far. It is really great to use and up-to-date. In Check Point, we have never seen it hit any vulnerabilities like other products.

Also, the TAC support from Check Point is excellent. I really appreciate it when dealing with complex issues. It allows us to easily obtain vendor support without many issues compared to other products.

Certifications and training from Check Point are valuable. I recently attended a boot camp and found it both knowledgeable and enjoyable.

Recently, I came across the Check Point Infinity AI feature in one of the Check Point webinars, which I believe is unique and will be very useful in the future.

Also, Check Point Harmony and Quantum deliver uncompromising performance with advanced threat prevention, policy management, remote access VPN IoT security, SD-WAN, and more.

Infinity Threat Prevention is an innovative management model. It provides zero-maintenance protection from zero-day threats and continuously and autonomously ensures that your protection is up-to-date with the latest cyber threats and prevention technologies.

The upgrade process of Check Point could be simplified to match other products.

For some of the MSSP partners, Check Point should personally go and give demos to them. This way, the MSSP can show their clients what Check Point is capable of and what kind of new technologies and features Check Point is coming up with.

Adding automation for upgrades and hotfix installation would be a beneficial new feature for administrators from an operations standpoint. Additionally, Check Point should pay more attention to endpoint security; they are currently lacking in that area compared to other competitors.

I've been using Check Point products for more than eight years.

The solution is 100% stable. 

The solution offers 100% scalability.

Technical support is very good.

Positive

No; we have multiple clients, so we use multiple products.

The setup is fine; I've only faced issues during upgrades.

The expertise of the vendor is excellent. I'd rate them ten out of ten.

The ROI is really good.

In terms of cost, pricing, and licensing, Check Point is not very expensive or complex.

We did not evaluate other options. 

My overall experience is really good. I am enjoying working with Check Point products, especially on the firewall. It's much easier compared to other firewalls.

The solution is used to provide firewall security to cloud integrations.  

The spoofing prevention feature is the most valuable feature.

The solution provider needs to upgrade the IPSec VPN port because VPN branch-to-branch configuration can be easily implemented at our company, but several difficulties arise in a cloud environment like AWS or Azure cloud. The aforementioned cloud providers often need to create VPN interfaces, but in a few cases, these teams don't have the knowledge for configuration or IP points; their knowledge remains limited to the architecture of the clouds on a networking level. 

In future releases of the solution, a remote access VPN feature should be added. Our organization expects the aforementioned feature because we have a secure validated configuration in our remote access VPN, and the feature would allow easy configuration.

For instance, if a customer wants to connect a VPN to a particular domain laptop, our company can integrate the domains with our network's remote access VPN, but the user is unable to connect with other personal laptops.

I have been using Check Point NGFW for five years. 

I would rate the stability of the solution as seven out of ten. The tech support is not operational sometimes, and in a few cases, the tech team of the vendor is unable to provide support with a proper explanation or resolution. Check Point NGFW fails to provide workarounds for certain issues and thus leads to huge time consumption for a single task. The support team of Check Point NGFW on a few occasions takes five to ten hours to resolve an urgent VPN issue which impacts the stability. 

At our company, if we raise an RMA for Check Point NGFW, it takes immense time, which is around 15 to 30 days, to obtain the box, whereas other vendors offer it within five to seven business days. Due to the aforementioned issue, our organization needs to implement a test device on the environment and purchase temporary licenses for that device so that the customers in a stand-alone environment can access the internet. 

In Check Point NGFW, sometimes the logs consume excess storage, and even the storing or indexing process is not implemented correctly. 

I would rate the scalability a seven out of ten. 

Support is available for Check Point NGFW, but the support team, in most cases, is unable to provide an effective and on-time solution after collecting logs. I would rate tech support a seven out of ten. 

Neutral

I worked with Palo Alto previously before transferring to Check Point NGFW. I wanted to learn about Check Point NGFW in-depth as it's considered a difficult solution compared to others, so I ventured into it. 

In our company, we have the option for both cloud-based and on-prem deployment of the solution. The management server integration is different for the aforementioned options. If the traditional management server is present locally, in that case, at our company, we are using the solution for integration, but if a cloud is involved, some keys need to be integrated with the cloud management to let the firewall have internet access. 

Almost every time when the management server reaches or expands to another country in our organization, we face difficulty with integrations. The deployment time of Check Point NGFW depends upon customer requirements, but it takes approximately 15 to 30 days. More feature integrations demand the involvement of more teams in the deployment process. In my area of business, about 50 to 70 customers are using Check Point NGFW. 

If the solution is in a cluster environment, a maintenance window is not required and most of our customers are using the solution in a clustering or stand-alone mode. 

It's an expensive solution. 

Most of our organization's customers are using Check Point NGFW for networks, as enhancing the firewall's performance is not required; if the firewall goes inactive, total protection decreases. Our organization's customers don't want to depend on any particular product and are thus investing in multiple security products. 

On a few occasions, integrating a RADIUS configuration with Check Point NGFW has been difficult because some versions are not supported. I have also faced trouble regarding authentication when integrating Check Point NGFW with Azure EAD. 

Recently, Check Point NGFW has been integrated with zero-threat AI security features. In our organization, we are installing the solution on the Blade architecture, where the aforementioned features function well enough. I would recommend Check Point NGFW to others. I would rate Check Point NGFW overall a six out of ten. 

Our customers find that the Check Point NGFW highly effective for data center deployments. Additionally, smaller models are well-suited for branch locations where local internet breakout is necessary. These smaller models streamline internet access at remote sites, eliminating the need for third-party service providers and reducing costs. The 26000 and 28000 series excel in securing DMZs, while the lower-end versions are ideal for branch-level internet breakout, allowing direct cloud connectivity without intermediary networks. It offers cost savings and efficient security solutions tailored to various deployment scenarios.

Some of the most valuable features are URL filtering, web filtering, and content filtering. Typically, customers would need to invest in cloud web security solutions for local internet breakout. However, by deploying Check Point firewalls, which include these functionalities built-in at each site, the need for separate cloud-based solutions is eliminated. This consolidation reduces costs significantly, as one product serves multiple purposes: routing, switching, and next-generation security features such as timeboxing and malware filtering.

Check Point could enhance its capabilities further by focusing on global threat intelligence, particularly in addressing zero-day attacks and other unknown threats. If I were to suggest improvements for this firewall, it would involve enhancing its core features. Currently, there are many additional licenses available for purchase, such as DDoS protection, URL filtering, and global threat intelligence. These additional licenses increase the overall cost significantly, as they are add-ons to the base model. It would be beneficial if Check Point included more licenses bundled with the base model, reducing the need for additional subscription charges for essential functionalities.

I have been working with it for one year.

I would rate its stability capabilities eight out of ten. I'm uncertain about its performance in large enterprises, where stability is paramount. It's crucial that the firewall can handle high throughput, accommodating multiple gigabytes of bandwidth, alongside additional firewall features like web filtering, content filtering, and sandboxing. In my experience with capacities ranging from one hundred to two hundred megabytes, focusing solely on web and content filtering, the product has proven to be stable.

There is room for improvement in scalability. Adding more firewall features can impact the performance of the device, particularly in terms of processor capacity. I would rate it six out of ten. Our customers typically fall within the medium-sized business category.

All manuals are accessible on the website, ensuring comprehensive documentation is readily available. The publicly available documentation is satisfactory, covering a wide range of information. However, certain documents not accessible to the public are provided to partners through a partner sign-in portal. This access ensures that all necessary documentation is available within our organization.

The initial setup was quite straightforward. It involved basic configuration, which I would rate as an eight out of ten in terms of simplicity.

The deployment took approximately five hours. The process can be executed in various methods. I typically perform a remote login from the console. The deployment involves three main steps: IP configuration, security configuration, and DNS setup, including any necessary DNS protection configurations.

It falls in a moderate price range, not as inexpensive as some alternatives but not as costly as Palo Alto. I would rate it seven out of ten. There are numerous additional licenses required for advanced security features, leading to additional costs.

Check Point has introduced several SD-WAN and IoT features, among others. I would suggest exploring the zero-trust features offered by Check Point. Additionally, if interested in incorporating SD-WAN or IoT capabilities, these features are readily available within the product. It's important to note that in today's landscape, Check Point offers more than just a traditional firewall; it's a comprehensive and advanced solution. Overall, I would rate it eight out of ten.

We use Check Point Quantum Network Gateways for all our on-site firewalls. It protects the network edge, network core, data center, and our AWS direct connect. 

We are a payment facilitator and security is one of our core requirements. 

We have implemented VSX which enabled us to reduce the hardware footprint. 

We have implemented 6700NGFW, 6600NGFW, and 6400NGFW in different network segments. We have enabled basic firewall, ClusterXL, and IPS licensing. 

Due to the nature of the traffic, we do not use Application Control or URL Filtering.

With our previous firewall solution, we had no automated compliance tools. Now, with the Check Point Quantum Network Gateways, we have the ability to automate compliance reports for both GDPR and PCI3.2, and by using VSX (Virtual System Extension) we have reduced our data center footprint. This will lead us to become a more sustainable organization. 

We have found the central management (Smart Console) to be very helpful in managing all the firewalls and keeping the software/hotfix versions up to date.

By implementing VSX (Virtual System Extension), we were able to reduce our hardware footprint, reducing both direct and indirect costs. This also enables us to quickly scale up or down to meet business needs.

We have also found that the Intrusion Prevention System implemented on Check Point Quantum Network Gateways is robust, efficient, and very easy to implement. Being able to add it later as a software feature is a real boon. The customization options enabled us to zero in on our specific use case.

Due to our unique environment, we have to implement BGP on our firewalls, and the way that BGP is implemented on Check Point Quantum Network Gateways is not intuitive and requires additional custom configuration. This caused a significant delay in our migration. The way that NAT is implemented was also not intuitive and required additional custom configuration.

We have also run into an interface expansion limitation, and thus it would be helpful if products lower in the stack would offer more interface expansion options.

The solution has been in use for one year.

During the first year of operation, we have seen 100% up-time.

Due to the VSX implementation, I would conclude that it is highly scalable.

Customer service and support from the vendor have been excellent. They have assisted in communicating issues back to Check Point and the subsequent response from Check Point has been very good.

Positive

We used Cisco ASA 5500 series firewalls, but these have reached the end of life and needed to be replaced.

The initial setup and migration was complex and we had a vendor team assisting.

The expertise of the vendor team is excellent; I'd rate their services nine out of ten.

It is important to carefully consider your needs. Additional features can be activated easily - for additional licensing costs. However, opting for extended licensing can provide cost savings through discounts.

In looking at replacing the existing firewalls we considered Cisco, Palo Alto, and Check Point. 

Check Point Quantum Network Gateways offered us a more favorable price point without compromising on functionality.

We use the solution for threat protection in the banking and finance sectors.

Check Point NGFW is popular because of the protection it offers. 

The pricing and UI need to be improved. 

The enterprise is quite expensive. There are small boxes that are competitive enough.

I have been using Check Point NGFW for a year.

The product is stable.

I rate the solution’s stability a nine-point five out of ten.

The solution can scale up to enterprises.

I rate the solution’s scalability a nine-point five out of ten.

The initial setup is easy, but maintenance is very difficult. Deployment and fine-tuning take a day.

There were no glitches or issues. We were able to achieve a positive ROI for our business. It saved them a significant amount of money that would otherwise have been spent on dealing with ransomware activities.

The product is expensive and costs around one-point-five million.

I rate the product’s pricing an eight out of ten, where one is cheap, and ten is expensive.

Thorough planning is essential when implementing a Check Point NGFW. You need a checklist outlining what policies to establish. While the installation is straightforward and does not require much effort beyond obtaining a license, creating and configuring policies can be time-consuming. Therefore, allocating sufficient time and resources to policy creation is crucial to ensure effective security management.

Overall, I rate the solution a nine out of ten.

Historically, the primary uses for these gateways were perimeter security and internet filtering. However, we now push all our internal traffic through the gateways for LAN segregation and to isolate obsolete operating systems.

Our isolated operating systems and LANs only allow specific traffic from a specific source to access them, making these critical production/business systems more secure. It's not a simple case of just replacing these legacy operating systems but replacing the industrial machinery that they control - which would require an investment of tens of millions of pounds.

Isolating obsolete operating systems wasn't in the scope when implementing the gateways originally. However, it has enabled us to secure Windows XP/Windows 7/2003/2008 machines which are end of support yet are still required to run industrial software and interface with large machines, which are not easy to replace.

Isolating machines and networks, along with SSL inspection, wasn't in scope when the gateways were spec'd. That said, five years later, they are still rock solid, and along with the Threat Cloud intelligence service, this ensures that our firewall is equipped with up-to-date threat intelligence, enhancing its ability to detect and mitigate emerging threats.

One of the strengths of Check Point Firewall lies in its granular policy management capabilities. We can define security policies based on a variety of criteria, including user identity, application, and content type. This level of granularity allows us to enforce security policies that align with our specific needs and compliance requirements.

One of the standout features of our Check Point Gateways is the user-friendly interface. Smart Console (management console) is well-designed and intuitive and provides administrators with a centralized hub for monitoring and configuring security policies. The web version isn't quite there yet, so to get the most out of it, the console needs to be installed, but it allows users to tailor it to their specific needs, and the menu structure is logical, making navigation a breeze for both novices and experienced administrators.

2FA on login would assist us with compliance however at the moment, it's not a major factor for us - yet may be in the future.

It would be nice to have comprehensive documentation and training resources that can help users and administrators better understand and utilize the full range of Check Point's capabilities. We ended up having to travel to London to sit through lots of training as we didn't find the information readily available.

Finding the costs associated with a particular blade can be challenging. This isn't specific to Check Point, but sometimes we need a ballpark cost quickly and don't have the time to speak to a reseller.

The company has been using Check Point gateways for around five years, myself about two years.

Hardware has been 100%; software has been slightly less as we had an issue where the gateways would failover. 

We run a pair of Gateways in HA mode, this solution has worked for us, and there have been no cases of downtime. Adding additional gateways should in theory be quite simple however for us there is no need.

Support has been quick to respond to any questions or issues.

Positive

The company used to sue Cisco Firepower. I wasn't with the company when switching.

The setup was straightforward; the implementation team went on the CCSA and CCSE courses.

We handled the setup initially in-house.

We ran these gateways for five years and will look to do the same with the replacements.

Work with Check Point's presale team and complete the scoping document. If you are an existing customer, use the CPSizeME. 

The company also evaluated Palo Alto.

We have run Check Point Security Gateways for five years and have had very few issues; they have been rock solid, and the hardware has been 100%.