Check Point Quantum Force (NGFW) Reviews

The device is being used for perimeter security devices across multiple clients across sites. Check Point has not only improved our organization - it also has given us holistic perimeter and endpoint security protection throughout the enterprise.  

Our sites across the globe have Check Point perimeter protection.

Pros include:

• Internal Network Protection from outside network
• VPN connectivity for secure data transmission across multiple vendors
• File download antivirus security
• URL Filtering
• Application filtering
• Malicious domains blocking

The solution has helped out organization stay safe with its depth application filter, URL filtering, and SSL inspection. It's mitigated a significant amount of risk for corporate users as well as to host services at our terminal that need access from the internet. By far, it's the best security solution one can adopt for their organization. 

It's:

• Reduced attacks on DMZ servers
• Blocked access of malicious destinations hit by internal users
• Complete visibility about what is going and what is coming via internet
• Check Point is the industry’s unified cybersecurity architecture that protects businesses against sophisticated 5th generation cyber-attacks.
• Having multiple checkpoint products under the same roof provides consolidated security.
• Ultimately saving cost by having better centralized solution

The solution has a lot of valuable aspects, including:

• IPS & IDS
• Sandbox (Threat Emulation & Extraction)
• Ease of management
• Reports for analysis
• Better technical support
• Stateful inspection
• Application-aware boxes
• Threat detection capabilities
• Hyperscaling

Data loss prevention, compliance, threat emulation, and other blades overall make this a robustly unified platform for the implementation and management of security controls.

Since it is Layer 7, we are able to get down to the application level and block certain applications from even running.

Since it has an IPS in place, we are able to see possible attacks that have been prevented by the firewall.

The perimeter antivirus can be improved. It's not as good as other leaders.

Additional features that could be good to have/improved include:

• Modular capabilities 
• Integration with VMware and NSX products per client requirement
• 3rd Party support product is very limited 

The solution can integrate with other vendors to form IPsec connectivity with redundancy - which is only possible now between the CP to CP FW only.

The licensing part is a bit tricky. The product can simplify this further for ease of use.

They need to work on log size optimization.

Antivirus signatures should be updated in real-time.

We've used the solution for the last eight years.

The stability is very good.

The scalability is very good.

Technical support has been great.

We did not use a different solution previously.

The initial setup is straightforward. 

We had a vendor assist us.

We haven't used other products.

We also looked at FortiGate and Palo Alto.

We use the solution for securing all of our servers facing the public network, site-to-site VPN, and SSL VPN like the webserver, e-services, and many other such applications. I have been using the below-mentioned modules:

• Application Control
• SSL Inspection
• URL Filter
• IPS/IDS
• Virus Scanner
• ATP
• DNS Sinkhole
• File Content Scan (Archived Content)
• Link Protection
• Safe Search
• VPN
• Anti Bot/Anti-Spam
• Threat Emulation/Extraction

I can say each and every module has benefited my organization and I would highly recommend others to deploy Check Point solutions.

We have good peace of mind now, after deploying this solution. We could easily defend against zero-day attacks and day-to-day vulnerabilities.

Since the time we deployed the solution, we are 100% safe and secure.

At present, the newly deployed solution is being used for reverse proxy, the site-to-site VPN, and SSL VPN along with the proxy for a few of the machines.

Their threat emulations and Bot Services are a must-try. 

You can just deploy it, sit back, and relax without any issues.

The most valuable features include:

• Application Control
• SSL Inspection
• URL Filter
• IPS/IDS
• Virus Scanner
• ATP
• DNS Sinkhole
• File Content Scan (Archived Content)
• Link Protection
• Safe Search
• VPN
• Anti Bot/Anti-Spam
• Threat Emulation/Extraction

Each and every module provides 100% accuracy. 

Their threat emulations and Bot Services are excellent.

Additionally, they have an excellent support team working around the clock. The engineers have excellent knowledge and provide us with a resolution in a very timely manner.

I have been using Check Point technology since 2011 and recently I have deployed new NGFW, the upgraded version, in a cluster along with the management box.

Check Point updates and upgrades are in a timely manner. There is nothing more that I need in terms of improvement.

Additionally, they have an excellent support team working around the clock. Check Point engineers have excellent knowledge and have provided us with the resolution in a timely manner.

I have been using Check Point technology since 2011 and recently I have deployed the new NGFW. It's the upgraded version and we have it in a cluster along with the management box.

I've used the solution for the last ten years.

The solution is highly stable.

The solution is highly scalable.

Customer service is excellent.

Positive

We did use a different solution originally. We changed to Check Point for achieving high levels of security.

The initial setup is straightforward.

We implemented through a vendor team and I would rate them at a 10 out of 10.

It's excellent and the management is very satisfactory.

It's a very economical option.

We evaluated Palo Alto and Cisco.

It's an excellent solution and offers the best support.

We're using Check Point NGFW for network security, intrusion detection, intrusion prevention, application control, DDoS attack protection, sandblast, mobile device management, identity-based access control, reporting, access control policy, scalability, state-of-the-art security gateway, support, threat prevention, accelerated policy installation, concurrent security policy installation, advanced routing, easy upgrading, logging and monitoring, smart events, and smart console.

Check Point has improved our organization's security posture, especially the IBAC, application control, IPS, and IDS. It's easy to set policies on the firewall, which has greatly simplified cleanup and management.

We recently upgraded from R80.10 to R40, and we've had an overwhelmingly positive experience with this version. Our visibility of threats and vulnerabilities has improved. Check Point added new features and revamped its reporting and analysis.

Check Point's rule management helped us simplify access control. At one point, we had more than 1,000 access control policies, and it was challenging to manage them all. We cut it down to 300 policies using Check Point's management features, and we are still working on reducing this further to achieve the best way to manage policies. Its logging and monitoring enable us to trace and investigate suspicious traffic.

Check Point doesn't warn us when rules are about to expire. It was also inconvenient that we had to change hardware when we upgraded. It would be nice if they made the new version compatible with current hardware or if it only required a minor upgrade.

I would also like it if Check Point cut the number of steps needed to upgrade from R77 to R81. They should also make it possible to convert access control policies from the firewall to the management server and to downgrade from a higher version to a lower one. 

I've been using Check Point NGFW for six years.

The solution has been stable, and Check Point promptly delivers patches and updates.

I rate Check Point support nine out of 10. When we need help, they're always fast and efficient. Check Point's customer service is one of the major reasons we've stuck with this solution.

Positive

We adopted Check Point because of the cost and support.

If you have the right training, you can set up Check Point with minimal supervision.

Before you buy, check which features you need, and if possible, I recommend signing up for at least a three-year license.

We considered several vendors, including Fortinet, Cisco, Huawei, Sophos, and Barracuda.

We use Check Point to protect our two data centers under an active scheme. It allows us to protect our customer information while preventing cybersecurity events that put our customers at risk. We use threat prevention and extraction, VPN, firewall blade, VSX, and the entire Check Point management suite. Our setup includes two firewalls in a high availability and VSX environment, respectively. We also take advantage of Check Point's load balancer, which works very well. The failover is performed automatically, without any flashing or noticeable impact on the user. 

Check Point NGFW enabled us to switch from a decentralized solution with seven firewalls to a solution that's easier to manage with high-availability firewalls and capabilities that were previously lacking in NGFX. It helped us connect our users working remotely during the quarantine while maintaining our security policies and avoiding zero-day attacks. 

The solution makes administration more straightforward because we can replicate the policies in both data centers with a single click, helping us to deploy quickly in both gateways without problems.

Check Point's most useful feature is threat prevention and extraction. It was tough to manage seven firewalls and a perimeter solution for IPS, anti-malware, anti-bot, and sandboxing. 

Integrating everything in Check Point allows us to see all the attacks that are blocked with our perimeter countermeasures every day. Check Point's high detection rate improves our overall security posture, and we can achieve a low rate of false positives through a few adjustments to the configuration.

It could be easier to access the installation of the Hostfix for VSX solutions. The CLI commands help us understand how virtual firewalls behave in terms of processor, memory, and other aspects. More graphic visualizations of CPUSE commands would be a welcome improvement, and Check Point could expand scripts to run within the solution for multiple tasks.

I've been using Check Point NGFW for seven years

Check Point works well in a high-availability setup, and the failover is fast. We had very few instances of unavailability. It happened once when we had hard disk issues, but the RMA process was quite simple, and the replacement part came quickly.

We added new Check Point firewalls twice this year, and it was relatively simple. You can quickly migrate the configurations, and your new firewall is ready to go after a few adjustments to the settings.

Check Point's support has been excellent, and they respond immediately via phone, chat, and email. In particular, I think the chat support was great. 

Positive

Previously, we were using seven open-source firewalls, and we decided to go for a solution with good ratings from NGFW users. We wanted something well-positioned in the market that had good support.

Migrating from an open-source, decentralized setup with seven firewalls to centralized management was complex, but it was less complicated than we expected thanks to Check Point’s management features. The ability to perform a parallel startup helped a lot during deployment.

A vendor team helped us, and the migration was smooth. The Check Point engineers who worked for our partner were well trained to handle the implementation.

Check Point NGFW can be expensive compared to other competitors, but the price matches the functionality and efficiency of the solution.

We considered Fortinet, Palo Alto, and SonicWall before settling on Check Point

We are using Firewall Intrusion Prevention and URL Filtering, and we just purchased the Endpoint Protection package for our workstations.

It is deployed on-premises. We have two Check Point systems in place. We have one that's between our business network and the outside world, and we also have one that's between our business network and our internal SCADA system.

We haven't updated to version 81, so we're still at version 80.

It has provided us with great protection from threats. I've been here 30 years, and we've had two incidents, and none of them were within the time we've used Check Point.

The console or the single interface on the blades is most valuable.

The only thing that we've seen is instances where console and administrative interfaces get locked up or freeze, and we have to get the machine rebooted.

I have been using this solution for probably 10 years.

I would rate it a nine out of 10 in terms of stability.

Its scalability is very good. Our entire force is about 190 people, and most of them use it at some point just because they are going out to the internet and have that protection for the workstations. 

It is being used extensively. Everyone is using it, and we do have plans to increase the functionality on the device.

They provide really good support. I would rate them a five out of five. 

I can't remember the product, but what we had initially was an entry-level device. It was a single-purpose firewall. We went up to an enterprise solution that had additional features.

It was pretty simple to transfer the old firewall configuration to the new one. So, it was pretty straightforward and easy. I would rate it a four out of five in terms of effortlessness.

It took over a month. We ran two systems. We built a new system for a couple of weeks before switching over completely.

We used a consultant. Our experience with them was very good.

For deployment and maintenance, we have five people on our staff. We have to do some maintenance on it. It's pretty much scheduled to rotate between us so that we keep our skills fresh.

We've not done an initial study on any kind of ROI. We rarely do. In positives, we try to perform a yearly risk assessment of our systems, and we find very few vulnerabilities. So, it is doing what it's supposed to. It is keeping us safe.

Its cost is a little higher than other products.

We evaluated other options, but I don't remember their names. We basically went to the consultant we deal with for security-related things and said, "What's out there? What do you recommend?" He gave us three and recommended that the Check Point was probably the lead one.

I would advise comparing it to the other products.

I would rate it a nine out of 10. It has served us very well and given us very few headaches.

Our business houses just over 100 staff, along with over 200 devices ranging from mobile to tablets, computers, laptops, and Servers. 

We use a Check Point 5100 cluster running R80.40 to protect our business from external threats. 

Our network is also extended to the likes of Microsoft Azure, Amazon AWS, and other 3rd parties utilizing secure VPN tunnels terminating on our Check Point 5100 cluster. 

Our business also offers the ability of hybrid working - which is only possible with our Check Point solution.

Prior to using Check Point, we had a Draytek small business firewall, the Draytek would often hard lock, which resulted in the loss of internet connectivity for the business. The only way around this was to reboot the Draytek device which in turn would lose logging data as to what was causing the issue. 

Moving onto Check Point completely solved this problem. The hardware is much more capable and the logging and alerting functionality means, should anything happen (like it did with the Draytek), we would have visibility on the logs which would give us a direction for troubleshooting and mitigation. 

Check Point offers a secure VPN client. We distribute to our agents via group policy. Our agents can then connect to our network when working from home - which was a game-changer due to the recent pandemic situation. 

Check Point also offers a mobile app capsule connect which, as a system administrator, has proven very useful when a high-priority issue occurs. I am able to connect to my internal network via a phone or tablet - which has proven useful in some scenarios. 

As a system administrator my favourite part of Check Point is the smart view tracker. This alone is a must-have tool for tracking all traffic traversing the Check Point appliance. It makes troubleshooting much easier. This software alone sets Check Point out in front of the competition.

Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release. 

The only downside to Check Point, is, due to the vast expanse of configurable options, it does become easily overwhelming - especially if your coming from a small business solution like Draytek. 

Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software. 

I've used the solution for five years.

The solution was not always stable when running the older R77.30 version. Paired with a mid-spec box, we did find some issues with performance on more than one occasion, specifically the network would slow to a halt until a system reboot, there was nothing within the error logging and our external SOC couldnt find anything either. We'd often when updating the firewall policy it would fail to deploy usually taking around three or four policy pushes each taking about 20 minutes. We are now running much faster hardware with the later R80.30 release and those issues have completely disappeared.

Scaling is dependant on the size of your network. Check Point does offer a wide range of lower to high spec appliances depending on your scale set.

I've only had two instances using their support as we have a third party on contract for third-line issues that I cannot resolve. They were prompt yet not shy about pointing out potential issues with third parties and it not being their appliance. 

Positive

We used Draytek. It didn't offer the security features that Check Point does and we were a victim to a successful attack from external sources which Check Point would have caught. We also found the hardware of Draytek was too underpowered to handle the size of our network. 

A third party installed the appliances initially. It is a complex process, as Check Point is vast in features and very configurable. You find yourself using the web interface, their own management software smart dashboard, and a mixture of CLI and config files to get your end result. 

We implemented it through a vendor team. Their level of expertise ranged as we moved through three separate technicians during our installation which was problematic. I wouldn't use this particular vendor again. That said, this was nothing against Check Point. 

You cannot put a price on security. Check Point is a field leader. However, it comes at a high price. 

If you have no experience with Check Point and you are on a deadline, it's essential you find a company certified to help with the deployment and configuration. The feature set is rich however, it's not always user-friendly. 

Pricing, including licensing, is very expensive compared to alternate products such as Sophos, Barracuda, or FortiGate

We evaluated Fortigate, Sophos XG, and Barracuda. However, ultimately the decision boiled down to our parent company already using Check Point. 

We use the solution as a frontend firewall in our headquarters and in our branches. We use packet inspection, the antispam feature, and the VPN. We have configured threat prevention and content awareness to improve security on incoming email and on web surfing from interlan networks wits SSL inspection. Mobile access through the VPN mobile client is also used from all outside workers and is fully integrated with our AD. We also use the solution to route traffic on internal networks and manage security through client and server networks.

We have improved our performance and bandwidth through the networks. Security is also improved. We have better control over the logs and better integration with our SIEM. 

We can also manage all our firewall from a central management console so each policy is under control and can be developed better. Inline policies help to understand on the correct use of the policies and a more readable list. We can also manage policies in two or more people at once without problems or risk of making the wrong policy.

VPN and mobile VPN are extremely valuable to us. The policies are simple to deploy to the new branches. 

All policies can be deployed and managed in a very simple way. 

AD single sign-on with VPN mobile is very helpful and simple to manage and deploy. 

Log management is also a good place to make troubleshooting and through console manage events. 

Management of the object is also a valuable feature. At every point in the console you can manage object properties and look to each policy where it is used and simply change or find where the object is involved.

Some features, like the VPN, antispam, data loss prevention, etc., are managed in an external console. In the future, I'd like all features in the same console, in one place, where we can see and configure all features. I'd like a web console so that all firewalls can be managed from a web browser and we don't need to be installed on dedicated consoles and applications. 

I use the web console to mange the Gaia software in the firewall and it would be nice to have also policy management inside the web browser. 

I've used the solution for four months.

It is very stable. We have reboot only to install updates.

We chose the solution for scalability and now we are running with all branches with a Check Point firewall. The solution is meeting our expectations.

We do not need customer support.

Positive

We did use a different solution. We switched to improve security.

It was complex to set up due to the fact that we changed our mind on how the firewall works. Central management is hard to improve.

We implemented it through a vendor. There was not a high level of expertise, however, I took a course with Check Point and that was very clear and now I'm very expert on the Check Point world.

We have seen an ROI in that we need less time on managed policies and we have better control.

The cost is high but the benefits are too.

We also looked at Palo Alto, WatchGuard, and Fortinet.

The solution is a good solution and at the top of the market.

The primary use case is as a perimeter firewall separating different security zones from each other. We separate several zones, such as Internet Of Things (ie. cameras and several sensors), Internet-facing DMZ, internal networks, and guest networks from each other. 

Also, we use the VPN feature to create Site to Site tunnels between branch offices and the headquarters. Threat Prevention features including IPS, Anti-Bot, Threat Emulation, and Threat Extraction and are used to secure our users from being victims of several threats. 

It is hard to say how a product like a firewall is improving our organization. The firewall does what it should. Primarily, the management makes this product great. There is no other product on the market that is nearly as perfect a tool for managing firewall rule bases and I know many of them. Check Point has much fewer vulnerabilities in their products and also is very quick to react to vulnerabilities.

The Threat Extraction software blade feature is the most valuable feature as it extracts any potential harmful content from several kinds of documents, which our users receive via e-mail or download from the Internet. We know, that our users tend to click on everything they get without thinking too much about the consequences. 

The second feature to mention is Threat Emulation, which is basically a sandbox, which runs executables received via email or downloaded from the Internet and creates a verdict if this executable is harmful or not in regards how it behaves on a specific operating system and application.

Unfortunately, the API is not fully complete and also it is not an API which I would refer to as a RESTful API as there are different endpoints for the same entity. For me, a restful API would use one endpoint to handle, for example, host objects and use different HTTP methods to distinguish between different operations. 

I would expect to use the PATCH method to update an object and the PUT method to create one. Currently, there are separate endpoints for these operations and all of them use the POST method. The most important issue with the API is, that there are some endpoints we are missing (for example for managing VPN users).

We have been using this product and its predecessors for about 20 years.

The stability is very good. Sometimes there are issues, however, most of the time, they have no big impact. SecureXL was sometimes a bit of a problem. That said, this has improved in the last few versions.

Check Point offers several possibilities to scale (load sharing, Maestro, and scalable platforms such as 44K or 64K appliances), however, in our case, we just replaced the appliance after a few years. If one needs real scalability, they should take a look at Maestro which is the scaling solution from Check Point.

Technical support can be good or bad. It depends. Sometimes they are really great, and sometimes very annoying. Most of the time we have a good experience.

Positive

We did not previously use a different solution.

It's really simple to set up. You simply install from an ISO with a few questions (ie. mgmt IP address and gateway) and restart with a graphical installation wizard with a few more questions (such as is this a management box or a gateway or a cluster member ASO).

We handled the setup in-house. We have enough knowledge to do that. Our expertise is CCSM level.

We evaluated several competitors such as Cisco, Palo Alto, and Baracuda

Check Point Security Gateway GAIA R80.30 is used as our secure gateway firewall. We have configured two gateways as active-passive in cluster mode. 

We also use R80.30 as our security management server to configure the policies on the firewall. We use it primarily to control traffic and secure our network perimeter against unknown attacks. The rules and policies for the SSL VPN connections are configured on the mobile access blade. We use the policies to segregate and filter the traffic flow.

This is for a bank environment.

A traditional firewall provides a stable inspection of network traffic. It allows or blocks traffic based on state, port, and protocol, and filters traffic based on administrator-defined rules.

A next-generation firewall (NGFW) does this, and so much more. In addition to access control, NGFWs can block modern threats such as advanced malware and application-layer attacks. According to Gartner's definition, a next-generation firewall must include:

• Standard firewall capabilities like stateful inspection
• Integrated intrusion prevention
• Application awareness and control to see and block risky apps
• Threat intelligence sources
• Techniques to address evolving security threats

Check Point Endpoint anti-malware benefits include:

• Improves user productivity and frees up system resources
• The industry’s fastest malware and anti-virus scan and boot time
• The smallest memory and disk footprints
• A single-console centralized management
• Prevention of malware from accessing endpoints with a single scan
• Malware identified using signatures, behavior blockers, heuristic analysis
  
• Protection automatically updated with optional Program Advisor Service
• A knowledge base of more than one million trusted or suspicious programs
• Integrated into Check Point Software Blade Architecture
• Flexible licensing options—annual or perpetual
• Centrally managed and deployed
• Activate anti-malware and application control on any Check Point security gateway

Almost all organizations are using cloud computing, and the vast majority are using a hybrid cloud deployment. Private and public cloud deployments have different security requirements, and it is necessary for an organization to be able to enforce consistent security policies across cloud-based environments hosted by multiple vendors. 

The firewall should be easily deployable and scalable in any major cloud environment and enable an organization’s security team to manage all of its security settings from a single console.

I've used the solution for five years.

Check Point is a very stable solution.

It is good in terms of scalability.

From the start, we have been using Check Point.

We would adivse users to install Check Point NGFW. The setup cost is simple and it is not too much. The license fits most budgets.

We also evaluated Cisco and Fortinet.

We use Check Point NGFW mainly for a perimeter firewall for ingress and egress traffic control, firewalling, but we also use a lot of other functions within the NGFW capability.

Check Point NGFW provides a bunch of different products or Blades, as they call it in Check Point. The firewall engine is what we use the most but we also use the IPS IDS and Anti-Bot features. The solution provides many features.

The management of memory in the hardware needs to improve. They have had a lot of issues with memory leakage.

I have been using Check Point NGFW for approximately 10 years.

The solution is mostly stable. However, we have these memory issues from time to time, that cripple the performance occasionally, but other than that, they are very stable.

The solution is scalable and it is easy to do.

Overall the technical support is very good. If we have an operational issue, they can sometimes be a bit slow in responding. Other than this, I have nothing to complain about.

I was not around when the implementation was completed but using my experience in these global scenarios, there's always complexity, there probably was some complexity involved.

Check Point NGFW requires security and OS patching, and life cycle management. Every three to five years you need to replace the hardware. We have a dedicated team that does the maintenance of the solution.

It's hard to say exactly how many people are involved in implementing and maintaining the solution because some of the work is outsourced, but I would say it's a team of approximately between 10 and 20 people.

When comparing the price of Check Point NGFW to other solutions it's difficult to compare because even though everything is included in the Fortinet price, there are large differences between the models. You need to go to a quite expensive Fortinet firewall to receive the same throughput and functionality as in a Check Point firewall. In the end, they are quite similar in price, Fortinet might be a bit cheaper.

I have used other solutions, such as Fortinet and Palo Alto.

I'm not sure that there are many differences between Check Point NGFW, Fortinet, and Palo Alto. I haven't used any Fortinet solutions myself, I'm not sure exactly how they work, but I would say that, from a management perspective, both of them are quite similar. Operational-wise, Check Point NGFW is a bit more stable and has a more mature operating system, at least the model that we are using. 

The only difference in functions is how they have branded the firewalls because, in Fortinet, you receive all the functionality for the same price as the firewall itself. Everything is included. However, with Check Point, you buy the hardware separately, and then you buy the different plates that you need and the different licenses for the functions that you need. It's a bit more complex license-wise with Check Point.

When you implement anything in an environment you need to have a good design to begin with, you do not want to have to rebuild it after you have implemented it. It is important to
be thorough in preparations and planning.

I would recommend this solution to others.

I rate Check Point NGFW an eight out of ten.