Check Point Quantum Force (NGFW) Reviews

I have a relatively small infrastructure, with a VMware Vsphere running all my servers on virtual machines. My network consists of approximately 30 workstations. The Check Point NGFW helps detect attacks against enterprise applications. 

It can enforce application functionality specific controls, monitor application data and content, and monitor HTTP, HTTPS, SMTP and other application protocols for better protection. I can audit applications running on my network, monitor their content and data, identify hosts on which applications are running, and identify users of the applications.

I have been using the Check Point NGFW as a primary firewall with all policies and rules configured on it. It helps as an Intrusion Detection System. This has improved my network performance as it illuminates suspicious activities before they reach the network. 

The network monitoring tool allows me to know who and what is hogging all the bandwidth and therefore apply it to remediate action and hence improve network performance. The Check Point NGFW helps me with QOS, during these times of work from home and virtual meetings, I can easily allocate required bandwidth to MS Teams, Zoom, and WebEx.

The most valuable features are the application and user control. This allows me to allow applications that encourage productivity and limit those that hinder productivity. The Network Address Translation (NAT) will always be a valuable feature as it allows me to turn my private cloud to the public at the click of a button and have secure control over the accessible servers/applications. sandboxing is also a valuable feature that allows the NGFW to act as an anti-malware, this would be largely helpful to prevent or minimize ransomware attacks.

Although very efficient, the product could be developed in a way that does not take a lot more system resources. It would be very useful if the Check Point NGFW was able to learn the environment and its user's real-time activities and automatically send only logs of interest to the security admin to actually force the security admin to review these logs since the logs are useless if not reviewed. Implementation and setup should be made as easy as possible. At times a misconfigured NGFW because of its complexity will be more of a vulnerability than protection.

I've used the solution for four years.

The stability is very good.

The scalability is very good.

Technical support is always on point.

We did use a different product. The previous solution was actually more complex to set up and had a high price.

The individual setup was complex. However, with the support of an expert on the solution, it became straightforward.

We used a vendor team. Their level of expertise was acceptable.

The ROI is on the positive side.

I'd advise users to find a local vendor of the solution they are looking into and compare all middleman pricing.

We also looked at Cisco Firepower.

I have been using this solution as a perimeter firewall. 

Our organization has ISP-based DDoS protection on the outer attack surface. Then, we have Check Point Next Generation Firewall with an IPS module as a second layer of protection. And then, we have Check Point Access Control, Application, and URL filtering, anti-virus, and anti-bot modules enabled. We also have the cloud-based Check Point Threat Emulation solution and different segmentations on Check Point Firewall as a DMZ zone, internal zone, and external zone. Our internal zones have different segments to improve our security level. We apply it by dividing our network into different VLANs by using the Check Point solution.

Check Point is the first vendor in which we found the stateful firewall terminology. It is always on the top of the list of best firewall solutions. 

Financially, the benefit of Check Point is very high when I compare it with an average firewall solution. At the end of the day, the benefits it provides are already higher than I paid. 

Our business performance is already doubled by the help of Check Point. If we need to talk about efficiency of administrators while managing a security  solution, I consider it as one of the most important item. 

Thanks to Check Point, our security team can easily handle different problems in time.

Check Point gateway and management installation are very easy. After the console-based installation steps, you can continue on the web GUI interface. This is very valuable. It doesn't let you make a simple mistake, which might be a reason to install all the systems from the beginning. It has been designed to give you flexibility as much as needed; not more, not less. It prevents human mistakes, basically.

If I have to say just one thing as the most valuable; I will say it is the most reliable firewall solution in the world. It is easy to prove that when I compare the number of CVEs which are published in a year among firewall vendors.

The routing rules and some more network settings should be listed on the Check Point Smart Console instead of GAIA Web GUI. It might be a little bit confusing when an administrator remembers the location of the settings. Also, it is hard to manage the settings by always jumping from GAIA Web-based graphical user interface to Java based Smart Console dashboard. Also, Check Point Next Generation Firewall has a very detailed and well-organized CP view on the console on both CLISH and expert (/bin/bash) shells; which gives an administrator a real-time monitoring option on the console.

I have been using it for more than six years.

On a heavy load, I haven't experienced packet loss or inconsistent behaviors.

In the beginning, I would consider Check Point solution as not scalable enough. However, after Maestro architecture, it is extremely scalable now. The organizations does not have to pay a lot of money to plan for the next 2-3 years. They are flexible enough to allow for the extension of their systems by adding another module like a blade.

The customer service and support team respond in minutes. If it is a critical issue, you can reach them in seconds via chat.

Positive

I used Palo Alto and Fortinet firewalls before. From Fortinet to Palo Alto it was a big change. 

Fortinet was not a good enough solution as compared to PA. Then, due to finances and some other reasons, I switched to the Check Point and it was one of the best decisions in my life.

The initial setup is straightforward. You just need to define disk allocation for logs and system files and backup files as an amount. Then you can continue with Web GUI to set up network, DNS, etc. settings. Then you complete your setup by installing the Smart Console interface.

The Check Point support team is one of the best. When I need them, they can escalate the ticket to an appropriate level of engineer to fix the problem.

As a security solution in this kind of market, prestige and being reliable cannot be measured with money. It costs more than a million dollars to have a defacement attack. The costs to prevent this kind of attack cannot be measured with money, in my opinion.

I'd advise others to worry about changing their firewall habits from any vendor to Check Point. It will be one of the best decisions of their life. If you have time and money to take care of other vendors, go ahead. However, if you are smart enough to manage your money and time, don't be afraid to give a chance to Check Point solution.

I did get some PoCs from other vendors such as Sophos and some other firewall vendors which are focused on small-size organizations mostly.

I recommend to all system managers and security administrators to try all the enterprise firewall solutions. Then, most likely the final decision will be to use the Check Point Next Generation firewall.

The solution is primarily used as an edge firewall safeguarding any organization or company which are really considering it as their number firewall of choice. In addition, there were also companies that are only using the specific blades, for example, IPS or IPsec, only as their primary solution. It is mostly used as an edge firewall. Sometimes, all security blades are utilized. As a significant part of the whole network infrastructure, Check Point delivers high detection and prevention rates when talking about suspicious and cyberattack types of activities.

Primarily, Check Point played a very vital role in protecting our whole network infrastructure. Having been able to implement such a solution will keep one's organization's security posture well guarded. The best part of Check Point NGFW's operational mechanisms were the Threat Extraction and Threat Emulation blades respectively. The former delivers documents with zero malware in zero seconds and the latter analyzes the original document in an isolated sandbox, identifying unknown threats. 

I'd recommend this kind of firewall for companies considering it since the detection rate for any cyberattacks/suspicious activity is very high (more than 90%).

Check Point NGFW has all the security blades a certain company would want to implement for a network firewall facing the public internet. The upsides of choosing this kind of firewall are traffic acceleration, core acceleration, and interface acceleration which would help in maintaining smooth sailing activity, giving administrators less dilemma. 

Administrators always find it hard and disturbing when such a network bottleneck occurs spontaneously out of nowhere. With that said, Check Point still ranks first among other vendors.

It would be best if the security management server console access is simpler for ease of management. System administrators find it really difficult for the management settings to incorporate easily. Most administrators nowadays are looking into something that offers easy access to a management console or GUI. 

I could not think of other areas for improvement. This is the firewall that I liked the most among other vendors in the market. It's by far the best firewall in the security industry.

I've used the solution for three years already - since the start of my Network Security Engineer career.

Stability-wise, it is perfect! 

When you perform sizing, make sure that the necessary scalability is considered. There's no going back when things like this are compromised.

Lately, Check Point support is nowhere to be found.  We are always attending other customer sessions when, in fact, support is needed for a P1.

Neutral

Mostly, they are the Gartner leaders for NGFW. A switch was made when customers found the solution more secure per doing the proof of concept.

I could say that it is complex even though they are already CCSE and Check Point Expert. There is no way I could find its management easy to use.

We handled the setup in-house.

That there is a money-back guarantee for their business. A business being secured is a business of high return.

There are a lot of evaluations to be done prior to choosing the solution. It caught the customer's attention when the threat extraction/emulation blade really did well during the proof of concept activity.

So far I have mentioned all the things needed to be given importance with regard to an NGFW solution.

We use Check Point on a daily basis. It is our primary gateway to the internet, with an extensive rule base that's used to block unwanted connections and protect our internal networks. 

Multiple gateways are used in a VPN community to build a secure homogenous company network over the Internet. 

We also use the two-factor authentication with RSA-Tokens to authenticate users that are away at conferences or in the home office to the firewall. 

RSA is also used on a portal (called mobile access) on the gateway, where users can easily check their e-mails and access company resources. 

Check Point NGFW has proven to be a reliable firewall. We have been using it for over 15 years now. 

It's offering great security while also being rather easy to manage. 

We evaluated a couple of other firewall solutions over the years, yet always came back for Check Point for a couple of reasons. First, they are the market leader and there are just very many resources online for installing, configuring, debugging, and so on. Second, other firewall solutions may initially be cheaper (especially for basic firewalling), but when you need more features Check Point has a surprisingly good price point. 

I personally like the SmartDashboard client best, which is the rule base management solution. You have a nice overview of the existing rules, and new rules are easily implemented. You can filter by IP, application, rule number, port, or hostname, so you easily find what you are looking for. Rules can be grouped by topic (internal, external, Internet, DMZ, etc.). It all can be well arranged to suit your needs. 

It also offers a dashboard to see recent threats, errors, or other issues with your gateways, as well as Logs for debugging.

Unfortunately, as is the case with many big companies, new features seem to always be more important than fixing the last little bugs that affect only a minor customer base. 

The command line, for instance, is still needed regularly if you want to dive deeper into debugging certain issues. 

While it certainly has improved over the years, it still doesn't feel like a polished product. Some features (e.g. super netting VPN connections) need to be enabled by editing a configuration file, which is sometimes lost upon upgrading to a new version. I'd really like to see more easily manageable debugging solutions. 

I've used the solution for 15 years.

We did have stability issues by using a not officially supported Check Point setup, running it in a virtualization environment, so the Firewall gateway was running on a Xen cluster. In the beginning this was running fine, buter after a couple of months the Checkpoint services kept freezing and needed to be restarted manually. As this started to occur more regularly (a couple of times per week) we migrated the firewall to dedicated hardware.

So I'd recommend always using supported setups.

The biggest enterprises in the world use Check Point products. Scalability is not an issue.

We used Microsoft ISA Server, which is a discontinued product before Check Point. 

Check Point has a pretty competitive price point if you use the features it has to offer. If you need only basic firewalling other solutions may be better suited to your needs. 

We evaluated Palo Alto, Fortinet, and Barracuda. 

I planned to block traffic from foreign countries, however, Check Point does not have the intelligence to determine VPN connections from foreign countries coming through the local VPN.

I also wish Check Point could be more effective by collaborating with Microsoft to establish a different connection for Outlook cellphones or devices not on the domain. I wish to hide my devices like cellphones only allowing them to connect via capsule, however, it applies to all devices. It works well.

It is an excellent, easy-to-acquire system to protect midsize businesses with up to 100+ users that require a security solution that can scale across corporate networks and give us protections against GenV cyberattacks as the business grows. 

What I recommend the most is its central administration. With the smart controller, you can manage all your firewalls from one location. 

Being able to access almost everything in one location manage all your gateways and get all your logs is great. For me, it's the best feature to work with.

The solution is great for cyber attack prevention, data bridges, and other threats. You need intelligent and effective solutions to minimize cyber attacks and Check Point gave me peace in December when they had an unidentified log4j vulnerability.

Our main benefit was the elimination of a server/VM from our data center and the usage of a cloud solution.

Having all the features on the cloud was also a benefit since some products when migrated to cloud solutions lose some features  - but not his one.

The setup is a little bit rough and requires some technical expertise, however, this is expected with a solution as complete as a firewall and especially a Check Point one.

Sometimes debugging is a hassle. We've had issues with VPN debugging in the past. In the more recent versions, later than R80.10, this seems not to be an issue anymore. 

This year we tried to debug performance issues of the gateways, which was cumbersome. When we finally found the performance bottleneck, it was a licensing issue. 

Check Point uses CPU-based licensing for OpenServer, and buying more licenses helped. However, this is the reason we're upgrading to Check Point appliances next year, as OpenServer becomes pricier every year, and Check Point pushes their customers to use their appliances.

I've used the solution for three years.

I have used this product in chemicals, insurance, and industrial sector companies.

The primary use case is to secure the inbound and outbound traffic and secure the DMZ servers. We use this solution for Remote access VPN (on smart view event can see reports more granular level) and IPSEC VPN for using the applications hosted on Public cloud and integrate the customer 3rd parties vendors. 

Using threat prevention helps in securing the customer environment from cyber attacks, ransomware, malwares etc. We use the Sandboxing features to protect the network from zero-day attacks

It improved the performance of the network on large scale. 

It's easy to use and configure. We can build the new firewalls with minimum effort. 

It's easy to upgrade the device. 

You can van view the device health on the smart view monitor and smart event monitor at a more granular level. We're achieving great performance using the latest quantum gateways. You can see the real-time logs on the management and also can configure the logging in redundancy mode. 

Using TCPDUMP, a firewall monitor, and firewall zdebug drop, you can troubleshoot the real-time issues.

We like the SecureXL, CoreXL, and Multi-que.  Using these features improved the performance of the gateway at a more granular level.

The Smart View Event monitor is great. You can see the real-time events on the firewall - including remote access VPN usage.

The smart licensing is great. It's easy to generate the license and apply it on the gateways.

The solution offers very good anti-virus and anti-spam capabilities. It's good security on the network.

Threat Prevention and Sandboxing are useful to have. We're protecting the network from zero-day vulnerabilities and securing the network from the latest cyberattacks.

Pricing for the gateways is too high as compared to the other vendors.

Whenever there is any issue comes checkpoint support ask to keep the gateway on the latest hotfix and OS which is difficult to roll out on all the gateways present in the customer environment.

I am using this product for more than five years.

We can achieve great stability using Check Point Quantum Gateways which improves the performance of the network.

We can achieve great scalability using Check Point Quantum Gateways.

We did not use a different solution. 

The initial setup is straightforward.

We did not evaluate other options.

We use Check Point NGFW as a perimeter firewall.

The most valuable feature of Check Point NGFW is the unparalleled distribution of the network traffic. The central management station they have allows you to manage everything from one place.

Check Point NGFW could improve by introducing machine learning and more modeling dividing the way they manage the ports. However, they have evolved over the last year.

I have been using Check Point NGFW for approximately 15 years.

Check Point NGFW is a stable solution. However, similarly to many other solutions, the stability comes from the engineer that deploys it. It requires a knowledgeable engineer to implement it in the correct way. If you undersize it, for example, you can experience instability.

Check Point NGFW is scalable. The hyper-scale platform can scale up or scale-out. You can buy different powers and stack them.

Check Point NGFW has the most mature technical support in the industry. 

The Check Point company has been around for approximately 30 years and they have everything well documented, similar to other vendors, such as Juniper and Powervault.

I have used other solutions in the past, such as Palo Alto and it has been more expensive. 

The implementation of Check Point NGFW difficulty level depends on the environment. For example, from the initial deployment, it can be easy, but you have to keep your teams learning, they have to consider their traffic size and many other factors. However, the configuration can be difficult, you need a lot of knowledge. Integrating Check Point NGFW with different networks requires a lot of knowledge about the infrastructure.

There are competitors that have more expensive solutions than Check Point NGFW, such as Palo Alto. There are times when Check Point NGFW can have good offerings with a three-year license. The presence of Palo Alto has been heavily invested in marketing. 

From Check Point's perspective, I am not sure how they compared with other vendors. I'm not heavily involved in the process of the quotations.

I have evaluated other solutions.

Check Point NGFW is trying to innovate in the market, but all the other vendors in the market are doing more the same.

I rate Check Point NGFW a nine out of ten.

The device is being used for perimeter security devices across multiple clients across sites. Check Point has not only improved our organization - it also has given us holistic perimeter and endpoint security protection throughout the enterprise.  

Our sites across the globe have Check Point perimeter protection.

Pros include:

• Internal Network Protection from outside network
• VPN connectivity for secure data transmission across multiple vendors
• File download antivirus security
• URL Filtering
• Application filtering
• Malicious domains blocking

The solution has helped out organization stay safe with its depth application filter, URL filtering, and SSL inspection. It's mitigated a significant amount of risk for corporate users as well as to host services at our terminal that need access from the internet. By far, it's the best security solution one can adopt for their organization. 

It's:

• Reduced attacks on DMZ servers
• Blocked access of malicious destinations hit by internal users
• Complete visibility about what is going and what is coming via internet
• Check Point is the industry’s unified cybersecurity architecture that protects businesses against sophisticated 5th generation cyber-attacks.
• Having multiple checkpoint products under the same roof provides consolidated security.
• Ultimately saving cost by having better centralized solution

The solution has a lot of valuable aspects, including:

• IPS & IDS
• Sandbox (Threat Emulation & Extraction)
• Ease of management
• Reports for analysis
• Better technical support
• Stateful inspection
• Application-aware boxes
• Threat detection capabilities
• Hyperscaling

Data loss prevention, compliance, threat emulation, and other blades overall make this a robustly unified platform for the implementation and management of security controls.

Since it is Layer 7, we are able to get down to the application level and block certain applications from even running.

Since it has an IPS in place, we are able to see possible attacks that have been prevented by the firewall.

The perimeter antivirus can be improved. It's not as good as other leaders.

Additional features that could be good to have/improved include:

• Modular capabilities 
• Integration with VMware and NSX products per client requirement
• 3rd Party support product is very limited 

The solution can integrate with other vendors to form IPsec connectivity with redundancy - which is only possible now between the CP to CP FW only.

The licensing part is a bit tricky. The product can simplify this further for ease of use.

They need to work on log size optimization.

Antivirus signatures should be updated in real-time.

We've used the solution for the last eight years.

The stability is very good.

The scalability is very good.

Technical support has been great.

Positive

We did not use a different solution previously.

The initial setup is straightforward. 

We had a vendor assist us.

We haven't used other products.

We also looked at FortiGate and Palo Alto.