Check Point Quantum Force (NGFW) Reviews

In my previous company, one of the clients was a big chocolate company. They had this payment card infrastructure (PCI), where they needed to have auditors from PCI check the firewalls to see if everything was okay. So, they had web-based authentication. 

I'm working with the 5800, 5600, and 5200 models. I work with the UTMs as well. These are physical appliances as well as open servers.

It helped clients get through big audits for PCI, which has been very cost-effective for them. In one hour, they make 30,000 to 40,000 pounds worth of sales. A PCI audit has actually threatened them, "If you don't do it by this date, you will have to stop taking payments." Even if the audit is delayed about an one hour or so, they'll have thousands of pounds worth of losses. The previous company may have spent a lot of money on Check Point, but they save a lot as well. So, they were quite happy with that. 

The most valuable feature is definitely the logs. The way you can search the logs and have the granularity from the filter. It's just very nice. 

I love the interface of R.80.30. The R.80 interface is very nicely thought out with everything in one place, which makes Check Point easier to use. When I started in 2014, I was just confused with how many interfaces I had to go on to find things. While there are quite a few interfaces still in the older smart dashboard versions, most things are consolidated now.

The naming in the inline layers and ordered layers needs improvement. It makes things very complicated. I've seen quite a lot of people saying that. For audit policies, it is okay since it's very simple to see. However, this area is for very large organizations, which have too many policies, and they need to share all these policies. For small to medium-sized businesses, they don't need it. Even if somebody has 500 rules, if they try to use it, it can be very confusing.

In R77.30, the only thing which I hated was having to go into each day's log file and search for that day. However, in R.80, we have a unified platform, so you can just filter out with the date, then it will give you the log for that date and time. 

I would like Check Point to have certification similar to what Cisco offers. Check Point's certification doesn't cover a lot of things. For example, Check Point Certified Security Expert (CCSE) should be actually included with the Check Point Security Administration (CCSA), as a lot of people just go for the CCSA and get stuck when it comes to a lot of things on Check Point. 

Biggest lesson learnt: Never assume. We had issues when we enabled DHCP server on one of the firewalls. We tried to exclude some IP addresses so the rest would be allocated, but that didn't work. We had to start from the beginning to include the rest of the IP addresses.

Six to seven years.

It is very stable. 

The headache with these firewalls is when they failover. The client will ask us why. We have a separate service desk and Tier 2 guys who monitor these firewalls. But, in these cases, they can't tell why, because you have to deep dive. The reason was unclear on R77.30, so I had to find it in the logs. However, in R.80, it's quite clear. We will just use a cphaprob stat to tell us the failover reason for the last time. 

Sometimes, it is very difficult to find something in Check Point Firewalls when you are stuck. Therefore, you need to know exactly what you are doing.

They do scale well as long as a company is not scaling rapidly. This is the reason we have a CPSizeMe tool. With normal growth, they will easily go for five to 10 years. Normal growth means setting up a few offices, not doing big mergers.

We have about four to five Check Point users out of 20 network engineers.

In my new job, we have 80 clients in user center.

I would rate the support as a three out of 10. It seems like they are all Tier 2 guys. If there is a problem, you search everything and read all the articles, then you contact their support center who forward you to the same articles. It is very difficult to work with their support guys, unless you work with the guys in Israel.

From my last job, I had a web UI issue on one of my firewalls. It's been a year now, and it's not been resolved. Although it's been to the Israel as well, It's still been delayed. We couldn't live with the issue, so we decided we would buy a new open server, as the previous open server was quite old, then we did a fresh install of R.30 on it.

if you buy the appliances or licenses through partners, they will try to resolve your issue or talk in a way that makes sense.

My previous company used to have Junipers that used to send all the credentials via HTTP. Because all Juniper SRXs didn't do that, since they were quite old (version 570), they had to buy new firewalls. I tried to do it, but I couldn't do it on the Junipers, especially since they were out of support and nobody would help me from Juniper.

I told my previous company, "Check Point would be the best solution for them. In the long run, while you might have a lot of issues with auditors, we will actually be able to combat this using Check Point firewalls if you get the proper licensing." Then, we did web bots on Check Points. 

About five years later, an auditor said that we needed to do a RADIUS Authentication, not a clear text password nor the Check Point local password. So, we implemented that as well. This was a bit tricky because they didn't want the local guys to have RADIUS Authentication, but anybody coming from the outside would have to go through RADIUS. This was a bit tricky with Check Point because I had to involve Check Point support in the process as well, but we were able to do it. This was one of the client use cases.

The initial setup was straightforward. I told one of my colleagues in my last job, "Just follow the prompts and you should be able to install it. It is a very simple, basic thing. Just do it as a gateway, then that's it. You are done". 

Before, on R77.30, there were cluster IDs and people needed to know what they were doing. In the R80 cluster, the cluster ID is gone, so it is very straightforward and you don't have to be an expert to install it.

A new installation on the VMs (about a week ago) took me around 20 minutes or less. This was a lot faster than I imagined, and I've created quite a lot of resources to their management and Gateway as well.

If the firewalls go down, then the employees' car payments would stop. This would be a disaster. 

There are three types of licensing: Threat Prevention, NGTP, and Next Generation Threat Extraction. Before, it used to be you would just enable the license of whatever blade you wanted to buy. Nowadays, Threat Prevention would be sufficient for most clients, so I would think people would go for the NGTP, license which includes all the blades.

All sorts of councils in London use the solution. In my new job, there are quite a lot of councils and schools as well. They need to know the web traffic from their users, e.g., what they are searching and looking for and where they are going. Therefore, its application and URL filtering comes in quite handy. I've seen the application and URL filtering on Palo Alto, and it is a pain to get those details from it and create a report for users. Whereas, the user report is very easy to get with Check Point.

I have not seen another firewall offer the same level of logs that Check Point offers. I have worked on ASA and Juniper SRX. While they are a bit similar, they are not exactly what Check Point has to offer.

This is not day-to-day firewall work, where maybe a node can do it. If you get into a trouble, you can't actually involve Check Point support all the time, especially when you won't get a response. You need to employ people who are certified. Check Point has a lot to sink in, and it's not an easy thing. You might just expose your environment, even after spending a lot of money.

It is future-proof. I would rate this solution as a nine out of 10.

We are mainly using it for policy installation and access purposes. We have a bank project where we are using mobile access, Antivirus, and IPS. These are all are configured on the Check Point Firewall, where we are using it on a daily basis. 

I have worked on the following firewall series and models:

• 15000
• 23900
• 41000 
• 44000. 

I have worked on the following versions:

• R77.30
• R80.10
• R80.20. 

I am currently working on the R80.20 version and the hardware version is from the 23000 series.

We installed this firewall in our organization one year ago, and it is completely fine. There are other deployment also going on for other customers. Most of those deployments are handled by our project teams. 

What I like most about Check Point Firewall is that it is easy to use. 

The most valuable feature is the IPS. For our bank project, we are using it as an external firewall. All the traffic is going through the Check Point Firewall. Then, using the IPS, we can easily identify if there is any malicious activity or anything else. We also have to update signatures on a regular basis.

We are facing some problems with the management on our Check Point Management Server. There are some issues with R80.20, so Check Point suggested to upgrade. However, we are in lockdown, so we will upgrade after the lockdown. We are coordinating this issue with the Check Point guys. After upgrading, I think these issues will get resolved.

For R80.10 and above, if you want to install a hotfix, then you can't install it through the GUI. I don't know why. In the earlier days, I was able to do the installation of hotfixes through the GUI. Now, Check Point said that you have to install hotfixes through the CLI. If that issue could be resolved, then it would be great because the GUI is more handy than the CLI.

Two and a half years.

They are completely stable. I haven't faced any issue with stability. 

There are no issues with scalability.

In Hitachi Systems in Mumbai, there are around 10 to 12 clients who are using Check Point Firewall. There are around 40 network security engineers who support Check Point Firewall in our organization for the Mumbai location, and there are multiple locations.

The technical support is very good. The Check Point guys are very humble and quick. They are always ready to support us if we call them.

I have done four to five initial setups and configurations of firewalls, which have been completely fine and proper. There are no improvements needed.

For one firewall, it will take around two and a half hours to configure the interface and everything else. For the deployment of one firewall, it will take around two and a half hours. If you want to make any clusters, then it is around five to six hours. 

We support companies locally and remotely. Since the lockdown, we have been supporting companies only in a remote fashion.

We have to first make a plan of action, then verify that it meets Check Point's requirements. Then, we will raise a case with the Check Point desk. We verify with them if there are any changes that they need us to do. After that, we will go for deployment. Check Point engineering will also help if there are issues with the deployment.

They have made domain improvements to SmartConsole. If you check older versions, such as R77.30, you have to open a separate, smart tracker to view logs. However, in R80.10 and above, you can view logs in SmartConsole. You don't have to open another smart tracker to view logs. That is the improvement Check Point has done which makes it better because it is much easier to find logs. This saves time, approximately 40 to 50 a day in one shift.

For the firewall, there is a limitation on the license. We are facing some problems with mobile access. We have a license for 450 licenses of VPN users. We would like Check Point to have more than that, e.g., if the organization gets bigger and there are more users, then that will be a problem.

I have done licensing and contracts for multiple firewalls. The license and contract configuration is completely fine, but if it is possible to make them cost a bit less, then this would be better.

Palo Alto is a zone-based firewall and Check Point is an interface-based firewall. With Palo Alto, we are using Panorama to install policy, and in Check Point, we are using their Management Server to install policy. The Palo Alto Panorama console has more options than Check Point.

On the Check Point Firewall, you can install policy. With the Palo Alto firewall, you can install policy on multiple gateways. You cannot install policy on multiple gateways with the Check Point Firewall.

If you are making a plan of action for the installation of firewalls, clarify with the Check Point tech engineers that all is proper and good. We always arrange a Check Point standby engineer for this activity, because if anything goes wrong, then they can help on the call.

I would rate this solution as an eight out of 10.

The product is an excellent perimeter firewall solution. But compared to Palo Alto, the management console is critical. It's difficult to let customers understand the dashboard of the firewall because there are three distinct dashboards. The three dashboards include smart connect, Check Point Firewall dashboard and more. 

The solution is used by our organization for security purposes across small and medium banks in our country, who happen to be customers of our company. 

The architecture of the solution is extraordinary because when a Check Point Firewall protects a customer or organization, a DDoS attack can hardly occur. Another valuable feature is the real-time zero-day protection.  

The user interface needs to improve and should be user-friendly. The customer of this solution also needs to undergo training to use the solution dashboards, unlike products like Palo Alto. 

In the next release, Check Point can try to add the DDoS or web application firewall within the overall firewall. If Check Point is able to implement the aforementioned integration within the firewall module, then people don't need to buy each firewall separately. The comprehensive firewall addition will increase the sales volume of any next generation firewall because TCO (Total Cost of Ownership) will be low. 

I have been using Check Point NGFW for five years. 

I would rate the stability an eight out of ten. 

If you have the Maestro version, scalability is the best among all competitors. For large organizations that have ten thousand users, they don't need to bother about the extra cost of the Maestro version. For organizations with one or two thousand users, the Maestro version can be a luxury for them. 

The tech support is very helpful for Check Point NGFW. The support team even asks for remote access to resolve the problem immediately. But sometimes, it takes between eight to twelve hours to connect with a level three engineer to get the support. The response time needs to improve. I would rate the tech support a six out of ten. 

A firewall is a critical asset, and when there is a problem with the perimeter firewall, an individual cannot communicate outside the organization, so support is required immediately. 

Neutral

Our company's usual deployment model for the solution is on-premises because cross-border data transmission is prohibited. The installation of Check Point NGFW takes between seven to ten days (working five hours a day). For the banks who are customers of our company, we could only work for deployment after the usual banking hours, so it took longer. 

I can conclude that deployment and running the User Accessibility Test (UAT) can take a maximum of forty hours. Two engineers are needed to deploy Check Point NGFW. 

I have evaluated SentinelOne and CrowdStrike. The rollback feature of ransomware attacks in SentinelOne cannot be found in competitors. 

I would recommend Check Point NGFW over Palo Alto and Cisco as a complex security solution for a complex environment. I would rate the solution a ten out of ten. 

We use the solution as a perimeter and OT demarcation firewall. As we are a large utility company with a distributed network, Check Point plays a vital role in terms of network segmentation. Specifically, we need identity-aware authentication to give us the best VPN compared to other players in the market. 

Centralized management is a major plus of Check Point, which provides us with a better user experience. 

We use it to safeguard our office network on a routine basis. These firewalls protect against external threats, manage VPN access for remote users, and address various security scenarios. 

Our primary focus involves malware prevention, intrusion detection, and ensuring robust security measures to shield our office network from potential cyber threats originating from the internet. It serves as a traditional yet effective security system, providing comprehensive protection against hackers and potential risks associated with internet usage.

Check Point has a Purpose fit solution for our environment A lot of things need to be improved in Check Point NGFW. 

For example, their support team isn't very efficient and useful. The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess. Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. 

Visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, MAC addresses, and sometimes usernames. More granular detail is crucial for security. 

Support efficiency, visibility, and adding competitive capabilities are key areas for improvement.

The product offers a robust and intuitive experience, catering to the essential needs of users. 

The Cleanup Rule's ability to discard unwanted traffic and the inclusion of default Autonomous Threat Prevention Profiles does simplify security measures; we're able to cater to various deployment scenarios. 

I was impressed by how easy it was to activate blades and implement them on a security gateway. 

The Smart Console's efficient user interface ensures that the changes to the policy are swiftly made. We're also able to maintain proper audit logs.

The solution requires improvements in the following areas:

- Having the Zone Alarm and the standalone endpoint VPN become compatible products. 

- Having Smart Console in-place upgrades with IP/fingerprint retention 

- A Mac version of the Smart Console.

- Streamlining of the endpoint solution and deployment options.

I've used the solution for ten years.

Technical support is excellent.

Positive

The initial setup was straightforward.

We implemented the solution through a vendor. They offered excellent support.

We use the product for safeguarding our office network on a routine basis. These firewalls protect against external threats, manage VPN access for remote users, and address various security scenarios. 

Our primary focus involves malware prevention, intrusion detection, and ensuring robust security measures to shield our office network from potential cyber threats originating from the internet. 

It serves as a traditional yet effective security system, providing comprehensive protection against hackers and potential risks associated with internet usage.

A lot of things need to be improved in Check Point NGFW. For example, their support team isn't very efficient and useful. The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess. 

Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. And visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, Mac addresses, and sometimes usernames. More granular detail is crucial for security. 

Support efficiency, visibility, and adding competitive capabilities are key areas for improvement.

The product offers a robust and intuitive experience, catering to the essential needs of users. 

The Cleanup Rule's ability to discard unwanted traffic and the inclusion of default Autonomous Threat Prevention Profiles simplifies security measures, catering to various deployment scenarios. I was impressed by how easy it was to activate blades and implement them on a security gateway, with the process taking less than five minutes. 

Additionally, the Smart Console's clear and efficient user interface ensures that the changes to the policy are swiftly made, with the added benefit of maintaining proper audit logs.

Places for improvement include:

• Having a Zone Alarm and the standalone endpoint VPN that become compatible products.
• Having a Smart Console in-place upgrades with IP/fingerprint retention.
• Offering a Mac version of Smart Console.
• Integration of CPview and things like fw accel stat in the monitoring blade.
• No more legacy SmartDashboard for some features.
• Streamlining of the endpoint solution and deployment options and also offering the possibility to convert shared policy to unified policy when you run R80.X via some sort of wizard in a layer or so. This is a classical case for people who upgraded their R77 management.
• Offering a fixed deployment schedule for accumulator hotfixes. This would help us foresee maintenance windows in organizations with rigid change management procedures.
• Finding a way to restore the object search like in R77, where you could find any part of an object name and not a word in the object.
• Scheduling policy pushes in Smart Console.

I've used the solution for ten years.

We brought all of our cloud platforms to Microsoft Azure. We needed a tool that would give us the security of regulating access control so that we could monitor our environment in case something was penetrating our internal network.

This was the primary movement for which the Check Point NGFW tool was acquired since we needed our collaborators to have secure access to the company's resources and applications since this tool provides us with the alerts and corrections that must be made when finding a security breach in our environment.

Check Point NGFW also provides a great capacity of features that help us apply them to the organization. It has web filtering limited to third parties, SSL encryption, and the application's administration is very simple and centralized since it helps us a lot in reporting and generating alerts.

The organization needed a tool that would provide various security functionalities in the organization, and so far, Check Point NGFW has helped us a lot. It has helped us by applying access control policies and limiting access to third parties and only those who must enter the organization to use resources and applications.

The application behaved very well with the Azure resources in the cloud; it helped us to prevent several security holes found with web filtering and internal DDoS attack.

Check Point NGFW can quickly identify where the attacks are coming from, provides detailed and complete information on the attacks, and provides zero-day attacks in real-time.

One of the valuable characteristics of Check Point NGFW is that it presents very centralized management. Due to this, it's improved our security throughout the organization and outside of it. Many collaborators work from their homes or different places and help us filter, limit of access to packet inspection with flexibility and speed that was not previously possible.

Other characteristics are the records that it shows us and generates depending on its configuration and they are very visible to be able to attack and correct in time, or when superiors ask us for administrative information in that part it provides great value.

As such, the tool provides what is expected in its security functionality. However, some points must be improved, such as the latency in the GUI entry. It takes a while to register and allow access to the administrative panel.

Another point where customer service should be improved, both in the administrative and technical fields. Support cases have been generated several times, and it takes time for the case to be resolved. In addition to that, the solutions need to attend to us. It takes a long time to coordinate a call since they do not handle a comprehensive schedule.

This solution has been used for approximately one year in the company.

The stability of the tool is good. We have not presented any problem even when an update is made.

The scalability presented by the tool is very good and flexible.

The experience has not been very good. That is one of the points that must be improved.

Positive

There was no type of tool that would supply these qualities.

The configuration of the tool is very simple and quick to install.

The installation was done jointly with an engineer provided by the supplier, and his capacity was good.

The prices are competitive. However, it is worth making an investment since, in the future, the profit will be seen against any environmental attack.

Check Point manages a good cost in its products and it is worth making the investment since this can prevent a collapse in the organization.

Check Point was always our first option. With this type of solution, many security teams are from Check Point.

The tool behaves well. The only improvement that I have seen that is necessary is to improve the latency when entering the application and they must improve the support.

For Check Point, the main cases are just perimeter security, network security, basically detecting threats on the network, antivirus, application control, visibility, login, and data threat prevention.

I like the GUI. In terms of functionality, it used to be the detection capability. Check Point has good security intelligence, which helps detect threats. They have the historical background to do that. But now, Fortinet is a bit better. 

A lot of things need to be improved in Check Point NGFW. One, their support team isn't very efficient and useful. 

The solution itself isn't easy to learn, making it hard for support to provide solutions. The design makes it so pockets (specific teams) have to work together when there's an issue, which creates a mess.

Also, Check Point lacks competitive capabilities like SD-WAN and CGM app integration. And visibility needs improvement. For example, Fortinet shows all connected devices with IP addresses, MAC addresses, and sometimes usernames. More granular detail is crucial for security.

So support efficiency, visibility, and adding competitive capabilities are key areas for improvement.

I have been with Check Point for a very long time. So, it has been almost six years.

I would rate the stability a six out of ten. There is room for improvement here. 

I would rate the scalability a seven out of ten. My customers are mostly medium-sized businesses, but my clientele also includes enterprises.

There is room for improvement in the customer service and support. 

Neutral

I'm heavily biased towards Fortinet. Check Point is a direct competitor, so from my experience, it's a decent firewall. There are strong points and weak points, but Fortinet is superior for various reasons.

The initial setup is really straightforward. The GUI is very good. However, the issue I have is with the stability. In terms of simplicity, I don't consider Check Point to be a straightforward solution. Another point to mention is my experience in planning within customer environments. The outcomes are not always as expected. 

For instance, when setting up Check Point firewall and flat policies, the policies didn't take effect immediately. There was a situation where the policies took effect after about two hours. Such instances were mind-boggling. Regarding VPN issues, when implementing IP protection between Check Point and other vendors, remote access can be challenging.

In Nigeria, it's predominantly on-premises. Many organizations are moving towards cloud, but many others use a hybrid approach, both on-premises and in the cloud. 

A few are using Check Point in the cloud, but most test with Fortinet due to easier integration with public cloud providers like Microsoft. Public cloud vendors also have their own firewalls, like Microsoft and AWS. In terms of adoption, Check Point is behind in cloud adoption in Nigeria.

Overall, the process is very fast and depends on the type of deployment. For example, replacing a Cisco firewall with Check Point requires converting policies, which can take quite a while, depending on the size of the policy base. In my personal experience, setting up Check Point was very quick.

It's reasonably priced, but competitors offer much cheaper options. It's market-related, so the pricing makes sense for what Check Point offers.

My recommendation is to consider Fortinet as an alternative. Overall, I'd rate it a seven out of ten. There's room for improvement, especially since Check Point doesn't seem too focused on our region. 

In Nigeria, procuring the firewall and bundled services like technical account management and professional services can be challenging. The service delivery is not as efficient as one would expect, which wouldn't be the case for a European customer.

The primary use case is to enhance security by safeguarding the internet connection for both servers and users.

Its greatest asset lies in its user-friendly interface, making it exceptionally suitable and reliable for managing gateways.

When it comes to Check Point's small business gateway series, there might be a need for hardware upgrades, as configuring them can sometimes be a bit challenging.

I have been working with it for two years.

I would rate its stability capabilities eight out of ten.

I would rate its scalability abilities eight out of ten.

Seeking solutions from them can be quite challenging and often takes a while, which then impacts our workload. I would rate it seven out of ten.

Neutral

I have some experience with Juniper, WatchGuard, Cisco, and Fortinet.

The initial setup is relatively complex.

Deployment duration varies based on the customer's specific conditions. On average, an installation might take around twenty minutes.

The best solutions tend to come with a higher price tag. If something is inexpensive, it often implies a compromise in quality. The solution is indeed costly. I would rate it eight out of ten.

Overall, I would rate it eight out of ten.