Check Point Quantum Force (NGFW) Reviews

We use Check Point firewalls to prevent attacks against the data center servers by adding more layers of security, such as IPS, Data Leak Prevention. We have also used Check Point to implement security policies in layer 7 and applications as well as to configure the VPN for internal users of the organization.

Check Point's firewall security solution is a complete solution that allows you to prevent attacks against your data center servers and avoid the transmission of viruses to end-users via ransomware, phishing, or forgery of URLs.

Check Point has a centralized console that makes it possible to manage all the deployed equipment. It also has a built-in VPN service that lets users connect through VPN to our organization, which facilitates teleworking while cutting off unauthorized access to the organization's internal network.

The predefined reports are limited and should provide more information. Check Point should provide a greater number of defined reports and produce reports for each division of the organization. Also, historical statistics cannot be obtained from the central console, the data or logs must be exported to another machine and processed from there to obtain this historical information. The number of available physical ports could be increased and Check Point could add support for higher speeds.

We have been using Check Point firewalls for more than 10 years.

Check Point is a company that has been producing firewalls for many years. It is a leader in today's market, and its products are very stable. They are always updating and improving their products to stay at the top of the market. 

Check Point NGFW allows easy and fast scalability.

Our experience with Check Point technical support was very positive. They always resolved questions or incidents quickly and professionally.

We have always had Check Point solutions.

The initial configuration was simple. The previous team was also using Check Point, we only had to export and update the rules. Only a couple of things had to be corrected and changed.

It was implemented through a CheckPoint partner who demonstrated great experience in migration.

When implementing, I would suggest you define in a real way what you want to allow —applications, content, destinations, etc. — and drop the rest of the traffic. It is important to review the groups, objects, and networks created to efficiently define the security policies that you finally want to implement.

Before making the last purchase, we evaluated other solutions, such as Palo Alto or Fortinet.

I would rate Check Point NGFW 10 out of 10.

My solution is based on an on-site architecture. I currently manage a Check Point Next-Generation Firewall for my more than 400 sites such as perimeter and DMZ. For the sites with a perimeter to the internet, I have them in a high availability scheme with balancing internet services. In the case of DMZ, they allow me to control incoming and outgoing traffic through policies based on Identity awareness. I use the application control blade to allow RDP access to the specific servers needed by administrators.

In the beginning, my organization did not have a security scheme, which caused a latent security risk. My internet services were never enough due to the high traffic used towards social networks and entertainment sites. With my Next-Generation Firewall, I have managed to reduce the cost of my links since now we use them appropriately in the resources and tasks that are necessary. 

For the lateral movements, previously all of my users had access to server networks and communication could cause lateral movement of viruses and ransomware. Now, I have the perimeter towards the internet protected and I am protected against unauthorized access.

What gives me the most value is undoubtedly the security that the anti-bot and anti-virus blades provide. With the automatic updates of signatures, I am always protected against new threats. The identity awareness blade helps me to have better control and organization over unauthorized access of my users onto exclusion sites such as social networks. In the DMZ it allows me to control administrators with access to highly important networks such as servers, developments, etc.

Of the areas of improvement that I want to see in this product, without a doubt, one is the technical support. In this time of globalization, with so many cyberattacks and risks, the Check Point support staff take a long time to attend to incidents due to the high demand. 

Another change that I would like to see is the ability to be able to test the policies before launching a change. It is somewhat annoying to apply a change and then notice that, after a while, the message appears that the installation of policies has failed, either due to some duplicate rule, some duplicate port, duplicate service or IP, et cetera.

I've been using the solution for 5 years.

It really is a very stable and reliable brand.

it is better when using an open server solution since some teams are limited to growth.

The support service can improve the attention to clients as well as the escalation times.

I did not previously use a different solution. I've just used Check Point.

The installation is really simple and easy to manage.

We also previously looked at Meraki, Fortigate, and Palo Alto as options. 

I have been designing, deploying, implementing, and operating Check Point's Security solutions including NGFWs and EndPoint security as well as Remote Access VPNs, Intrusion Prevention systems, URL filtering, user identity, UTMs, et cetera, for around 12 years. 

I have also used VSX and MDS/MDLS solutions. In my organisation I am using over 150 virtual and physical appliances and also MDS for virtualized/contanerized central configuration management and also central log management MDLS/MLM. We are using this not just for NGFW but also for other Perimeter security solutions.

This solution has helped keep the security posture of my organization in the best possible shape. Check Point's solutions stay a cut above its competitors to make sure your IT infra Cyber is safe from both known as well as zero-day attacks and malware. 

From an operations point of view, Check Point solutions are the best in terms of providing central configuration management and also central log correlation and management. Additionally, Check Point's virtualization solutions around VSX are super-efficient and very stable.

I found Check Point's software ability to provide for all the perimeter security solutions including next-generation firewalls, intrusion prevention systems, identity and access management, and URL filtering. They are all excellent. Check Point's Central configuration management, central log correlation, and management solution are a cut above the other vendors and are the best in the industry. Check Point's virtualization solutions are also very efficient and can be scaled. They are highly stable solutions (MDS/Domain Managers & MDLS).

To be very very honest, I do not see any major gap or improvement area for any of Check Point Cybersecurity solutions, whether it's your enterprise be cloud-based only, on-prem (Private cloud or Legacy infrastructure), or hybrid infrastructure. Check Point's solutions are highly cost-efficient, have low OPEX costs, are very stable, are safe and secure, and helps maintain the enterprise's security posture. 

Check Point's security solutions are a cut above the other vendors, not just today but for the last 30 years. Without having to mention any gaps, Check Point's development team works hard to stay ahead of technology in the cybersecurity space.

I feel the only thing that I see as a possible improvement in Check Point software is the lack of ability to create "static discard routes" which makes it difficult for NAT ranges to be advertised via BGP to neighbors. Although Check Point has an alternative of creating a dummy interface to introduce "directly connected" routes for NAT ranges so that they could then be advertised up/downstream, having the ability to do so using "static discards" would be a great thing to have.

I've worked with the solution for a little over 12 years.

The product is very stable.

The solution is highly scalable.

The sales, pre-sales, professional services, and tech support are all very nice.

Yes, and we switched because Check Point proved to be more reliable.

The initial setup is absolutely straightforward.

We implemented it through an in-house team.

Every dollar spent is worth it.

Yes, we looked at Cisco, Juniper, and Palo Alto.

Not at the moment.

We use this solution for complete protection against advanced zero-day threats with Threat Emulation and Threat Extraction. We also use:

• NSS Recommended IPS to proactively prevent intrusions
• Antivirus to identify and block malware
• Anti-bot to detect and prevent bot damage
• Anti-Spam to protect an organization's messaging infrastructure
• Application Control to prevent high-risk application use
• URL Filtering to prevent access to websites hosting malware
• Identity Awareness to define policies for user and groups
• Unified Policy that covers all web, applications, users, and machines
• Logging and Status for proactive data analysis

The solution has improved the organization with respect to the following:

• Simple implementation and operation
• Central dashboard for managing branch firewalls
• Easy measurement of security effectiveness and value to the organization
• Proactive protection with the help of many inbuilt blades
• SandBlast Threat Emulation and Extraction provides us zero-day protection from known and unknown threats in real-time 
• Great visibility on the number of threats being blocked at the dashboard
• Helps to clean traffic, both egress and ingress
• A simplified URL filtering option is available for users with detailed granularity to map user/departments with respect to specific access
• It does deep packet inspection for checking HTTPS traffic. There is a shift towards more use of HTTPS, SSL, and TLS encryption to increase Internet security. At the same time, files delivered into the organization over SSL and TLS represent a stealthy attack vector that bypasses traditional security implementations. Check Point Threat Prevention looks inside encrypted SSL and TLS tunnels to detect threats, ensuring users remain in compliance with company policies while surfing the Internet and using corporate data
• It helps in the identification of C&C via Anti-Bot
• It provides geolocation restrictions that may be imposed via IPS
  
• Excellent Application Control for the administrator to manage the access for users
• Secure remote access is configured with mobile access connectivity for up to five users, using the Mobile Access Blade. This license provides secure remote access to corporate resources from a wide variety of devices including smartphones, tablets, PCs, Mac, and Linux

We are using the Check Point Next-Generation Firewall to maximize protection through unified management, monitoring, and reporting. It has the following features:-

• Antivirus: This stops incoming malicious files at the gateway, before the user is affected, with real-time virus signatures and anomaly-based protections.

• IPS: The IPS software blade further secures your network by inspecting packets. It offers full-featured IPS with geo-protections and is constantly updated with new defenses against emerging threats.

• AntiBot: It detects bot-infected machines, prevents bot damage by blocking both cyber-criminals Command and Control center communications, and is continually updated.

• Application Control: It creates granular security policies based on users or groups to identify, block or limit the usage of web applications.

• URL Filtering: The network admin can block access to entire websites or just pages within, set enforcements by time allocation or bandwidth limitations, and maintain a list of accepted and unaccepted website URLs.

• Identity Awareness: This feature provides granular visibility of users, groups, and machines, enabling unmatched application and access control through the creation of accurate, identity-based policies.

I would like to see the provision of an industry-wide and global benchmark scorecard on leading standards such as ISO 27001, SOX 404, etc., so as to provide assurance to the board, and confidence with the IT team, on where we are and how much to improve and strive for the best.

Although Check Point provides annual updates to the Gaia platform, integration with other OEMs is difficult. This integration would be helpful in providing a full security picture across the organization. I am looking forward to the go-ahead of R81 with MITRE framework adoption in the future.

We have been using the Check Point NGFW for the last four years.

This is a very stable product.

It is highly scalable on cloud and does provide customers with lot of flexibility while performing the sizing of the appliance.

Technical Support needs improvement, especially the L1 engineers.

Prior to this solution, we were using GajShield. However, due to limited visibility and support, we opted for a technical refresh and upgrade of products.

Yes initial setup was complex as migration of policies from one OEM to another is a challenge. however we meticulously planned and completed the implementation in phases.

Yes we took help of the Certified Vendor. Vendor support was good.

We did not calculate our ROI; however, it provides good visibility to us.

Check Point is competitively priced; however, there is an additional charge for the Annual Maintenance Contract (AMC) and it is easy to understand.

My advice is to negotiate upfront with a support contract of between three and five years.

We evaluated Palo Alto, Barracuda, and Fortinet.

In summary, this is an excellent product and featured consistently in Gartner for the last 10 years. They have good R&D and support services across the globe. 

Our branch offices and customer sites require Internet access for the on-site staff and remote access capabilities for after-hours and remote support.

The Check Point firewalls allow us to provide site-to-site VPN, client VPN, web/app filtering, and IPS functionalities.

Client VPN is leveraged by site staff due to the majority of our sites requiring 24-hour support and also allows centralized teams to remotely assist with multiple sites globally.

We also use these at locations to provide security when our stand-alone network requires connectivity to the customer's network.

Check Point's solution is both affordable and easy to manage for the small business applications that we utilize them for. Due to the great pricing and support, we can afford to deploy the firewalls in a high-availability solution providing greater uptime and less worry. 

The price point of their equipment also means that we can often purchase a more robust solution compared to some competitors and Check Point's inclusion of more advanced features, such as IPS, by default, is a great selling point.

We greatly appreciate the ease of configuring firewall policy ACL rules and how the seamless integration with VPN users and user groups provides the ability to granularly restrict access. The uncomplicated configuration ensures that mistakes are avoided and rules are easily audited.

Having the ability to set an expiration date for remote access VPN users simplifies the process and increases security by ensuring that stale accounts and not forgotten.

In general, we find that CheckPoint offers a great balance between ease of use and configurability.

The one thing I have been continually asking for is a more robust certification process including self-paced study material similar to Cisco's Security certification track. Not everyone can afford the time and money to attend the official in-person classes offered by Check Point. Even if someone was not interested in fully pursuing a certification, offering certification guides is often a method that IT professionals follow in order to learn about a specific topic and keep for reference.

An area that I sometimes find lacking is the information provided by the system when performing troubleshooting issues such as site-to-site VPN tunnels. The logs provide general information regarding what is happening but often, it leaves you wanting additional details. This also ties back into the lack of training and knowledge required to utilize the more advanced features of the command line.

We have been using Check Point NGFW for more than five years.

We have never had a device or software failure in the more than five years that we have been using Check Point devices. To date, we are extremely happy with the performance.

The few times that we required customer service, they have been extremely helpful and knowledgeable. I would rate them on par with the other top-tier companies.

We previously utilized Cisco firewalls but the cost structure of the hardware, licensing, and support became prohibitive. Check Point offered a more robust solution at an affordable price point.

The initial setup was extremely quick and easy, and the deployment time for a new site is often under a day.  

The price point and licensing was the main factor in moving away from Cisco and migrating all of our sites to Check Point. They offered more features for a lower cost than competitors, and the licensing model was easy to understand.

We evaluated NGFWs from Cisco, Palo Alto, and Fortinet in addition to the Check Point.

The primary use is to protect the organization from any kind of attack. It is able to isolate, secure, and control every device on the network at all times. Solutions should have the ability to block infected devices from accessing corporate data and assets.

It provides access to the Internet for corporate resources in a secure manner. Our resources are used to host applications and services that are accessible to end-users over the Internet.

It is used to provide required/limited access for third parties who want to connect to our corporate network. Access is granted based on application type and should be independent of port or protocol.

It provides next-generation protection including IPS/Web Filtering/SSL decryption and more. 

It offers centralized policy management capabilities for all firewalls.

This solution was able to provide access to our internet-based resources using our application/FQDN.

The license offers different modules for NGTP and SNBT. It provides multiple functionality or blades, which can be enabled on the firewall depending upon organizational requirements.

Other than stateful packet filtering with the NGTP license, it provides blades such as IPS/URL/VPN/Application Control/content awareness/Anti-Bot/Anti-Virus/Anti-Spam. With SNBT, it provides additional security using the SandBlast Threat Emulation and SandBlast Threat Extraction for Zero-day attacks in real-time.

Any file, before it reaches an endpoint, is executed in a virtual environment for analysis. Based on the verdict and configured policy, a decision will be made as to whether it should be delivered to the endpoint or not.

It provides the flexibility to use any module with the NGTP and SNBT license. Depending upon the requirements, the blades/module can be enabled on the firewall security gateway and it can be deployed easily.

In case SSL decryption or IPS need to be enabled on any security gateway, it is simple to do. We can go ahead and enable the module/blade and then create a policy, deploy it, and it will start to work.

It has a default five-user license for Mobile/SSL VPN, so the organization can check the solution any time or can even provide access to critical users on an as-needed basis, without getting the OEM involved, all on the same box.

For smaller organizations with the correct sizing of the appliance, they can use the full security solution on a single box. It will provide financial benefits along with reducing the cost of purchasing additional solutions or appliances. 

For example:

• URL Filtering Module: It can replace the proxy solution for on-premises users with integration of application control and the Identity module. Active Directory access can be provided based on the User ID and the website or application.
• SSL VPN or SSL decryptor, and more. 
  
• Core assignment for each interface, which can be done using the CLI. If the administrator determines that a particular interface requires more compute, he can manually assign additional cores accordingly. This is done by enabling hyperthreading on the firewall. 
• The policy can be copied from any security gateway and pasted onto another one.

This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access.

For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.

Source: User machine
Destination: any
Port: HTTPS
Action: allow (for allowing the user's machine access)

This has to be done along with the below policy:

Source: User machine
Destination: Other Zone created on Firewall
Port: HTTPS
Action: block 

The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall.

The firewall throughput or performance reduces drastically after enabling each module/blade.

It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.

I have been using the Check Point NGFW for more than eight years.

This solution is very much stable and does not require frequent changes in architecture. The patch frequency is limited and it does not require frequent maintenance windows in terms of downtime.

This firewall is very much scalable. The introduction of Maestro has changed the concept of hyperscaling.  

The technical support is excellent. The center is located in major cities in India along with the Check Point presales team.

We did not use another solution prior to this one. We have been using Check Point for a long time.

During the initial setup, support is excellent. It is a well-known OEM and they have people ready to resolve any issue that should arise.

Our in-house team deployed it with support from the OEM.

Cost-wise, it cheaper than industry leaders such as Palo Alto. The licensing is straightforward; there are only three types of licenses that include NGFW, NGTP, and SNBT, so the organization can choose its license according to their requirements.

We have evaluated solutions by Juniper, Cisco, and Palo Alto.

Before implementing the security gateway, you need to be sure about the license and modules that you are going to enable. This includes determining the proper size, as it can affect throughput drastically after enabling each module. This is especially true for SSL decryption.

The architecture needs to be studied before finalizing, as the configuration is done remotely using the centralized smart console. All of the security gateways need to be connected to the management server for any policy configuration, and they should be available at all times.

We require local perimeter security in one of our workshops, which is why we require a new-generation firewall solution. The local equipment works for us to be able to provide perimeter security in our workshop.

Thanks to these Check Point Gateway devices and with the integration of many additional security solutions, we have protection against zero-day threats. In addition, we have the possibility of carrying out all the management from the Infinity security portal and can administer all our policies, view logs, and monitor devices, among other tasks.

Thanks to Check Point, we managed to carry out a better security implementation. By placing one in a workshop, we managed to solve issues with attacks and malware.

The solution is easy to administer thanks to its dashboards. The monitoring is really useful.

The most valuable aspects include:

The best improvements to be considered are:

• Improvements in the time and attention given to solutions for generated cases.
• Licensing that is more comfortable and affordable. Currently, some prices are very expensive.
• In terms of language in the application, they could better facilitate the handling of others.
  

This is an excellent product of the new generation, administered in the Infinity Portal. We have used the product for at least two years.

Previously, we had not carried out verifications of other devices.

I've been dealing with the Check Point environment for over eight years, ever since SPLAT, the R75 versions, and mainly with a multi-domain management (former Provider1) set-up. I also use the Smart Management Server, with a standalone/distributed deployment.

I'm currently engaged in the design, implementation, and maintenance of a large-scale Check Point firewall environment (~100 GWs).

Presently, the customer is using Check Point for perimeter security, IPS, threat prevention, encrypted traffic, as well as access to the internet, and multi-domain server architecture.

The Check Point solution has improved the way the customer organization functions.

People are working within the organization all over the world, across NALA, APAC, and EMEA regions. Having Check Point as a security vendor made it easy to assure people they could access the resources everywhere, from offices, homes, and across the globe, especially during the pandemic, safely.

One of the last implemented projects was replacing an obsolete Client Auth solution with Identity Awareness, including integration to AVD.

The solution plays an important role in preventing security incidents from happening and preventing malicious attempts to infiltrate into the organization while quickly adapting and reacting to any attempts. For example, it protected us against Log4J vulnerability a few months ago.

It is easy to administrate and maintain.

The product is very granular in the Logs & Monitor section and also intuitive to use.

It offers good control and visibility over users' identities and actions.

It provides central policy management, which is easy to manage and maintain.

The product offers great performance tuning features like SecureXL, CoreXL, HyperThreading, and Multi-Queue.

The study material and training need to be improved and become more accessible to security engineers working with Check Point.

Needs serious skills for advanced troubleshooting. The configuration might get a little bit too complex for regular engineers, compared with easy administration.

We've encountered a few limitations when trying to accomplish simple tasks required by customers. For example, changing a domain name inside an MDS environment or missing a function in the database which removes the domain object completely from the database.

There are plenty of bugs that are not documented, or with too generic error messages.

I've used the solution for eight years.