Check Point Quantum Force (NGFW) Reviews

We deploy solutions for customers. We don't engage in buying. 

We are both consultants and implementers.

We have not had any issues with the firewall.

Support is good and it's centralized architecture.

We are also working on load balancers. We don't have the option to work more with load balancers, we would like to see what else can come out of this in terms of security.

Technical support and scalability both require improvement.

I have been working with Check Point NGFW for the last ten years.

Check Point can scale but at times we have experienced some issues.

Palo Alto is better compared to Check Point. I would rate Palo Alto as superior support to Fortinet or Check Point.

We used to work with Fortinet for approximately five years, and the Palo Alto Appliances was some time back.

I believe the Palo Alto support is excellent, and it has more features than Fortinet. Many businesses, in my opinion, are choosing Palo Alto.

Palo Alto support is very good.

Fortinet's main issue is the support. We can't take it to the enterprise level because the Fortinet support is not very good.

Check Point has previously held a large market share, but perhaps not recently. I think that the price point in India is a bit different. Check Point offers options. I don't see that Check Point is very high, but it is geared more towards enterprises.

We have evaluated Palo Alto Networks VM-Series to see what was available, and recently, I researched the Azure VM series to know how it worked.

I'm leaning toward the now cloud. The appliance base has now been removed. We are now concentrating our efforts on the Azure Cloud, AWS, and other similar platforms. I believe that people must mature in order to work on it. That's where things stand. As a result, we must learn how this is implemented on cloud platforms.

I would rate Check Point a seven out of ten but NGFW a six out of ten.

We wanted to deploy a specialized Next-Generation Firewall in our perimeter security.

The solution addresses the Security requirements at Perimeter Layer including:

1. Network IPS
2. Application Control
3. IPSEC VPN
4. SSL VPN.
5. Proxy

It was required to enable IPSEC VPN between our vendors across the world

We got positive responses on Check Point Firewalls from our vendors as well.

Our team addresses the regular audits with a Next-Generation Firewall, starting from configuration and application vulnerabilities to customized reporting.

We have planned to achieve many business use cases including IPS, Network AV, Content Awareness - Data Leakage Prevention, IPSEC VPNs between our peers, SSL VPN with Posture Assessment, and Web Proxy as well.

This solution addressed most of our needs but required multiple license subscriptions.

Below are the few Business use cases we achieved through Check Point NGFW:

1. SSL VPN with Security Posture Assessment
2. SSL VPN with In-build Multi-Factor Authentication Option (Certificate + User Credentials)
3. Content Filtering (Identity Awareness and DLP)
4. Forward Proxy with Web and Application Control
5. Enabling Anti-Bots and IPS

The SSL VPN with posture assessment helped us to remove the dedicated Standalone SSL VPN solution which was benefited both commercially and technically.

Anti-Bots and IPS enabled security on the network traffic.

Along with VPN and Proxy (Web and application control), we removed another standalone proxy for internal use and extended the content filtering to roaming users as well.

The security posture assessment with two-factor authentication has saved more time and commercial costs by avoiding deploying having to deploy another solution.

It took so many weeks to migrate our old firewall to Check Point after we did internal and external assessments on earlier setups and enabled multiple security features.

We had difficulty configuring the NAT. For example, instead of following A-B-C, we need to do A-C-B

Initially, we faced a few challenges with firmware. Later this was addressed with jumbo hotfixes.

We tried to create a single management software to manage the policies, view the logs, have a mobile access VPN, and do reporting.

Please concentrate on local services enablement for faster resolutions.

We have been using this solution since July 2020.

Initially, we faced a few challenges with the firmware. We later addressed this with help of jumbo and custom hotfixes. Later, it performed well.

The solution is scalable in terms of enabling the features and deploying management servers.

We would recommend they have regular feedback sessions with customers.

Neutral

We used another firewall that enables basic security features with lot of limitations.

We found the setup difficult in the earlier stages as our team used to work with another CLI-based solution.

Our In-house team handled the implementation. 

I'd advise users to validate the licensing model during the pre-evaluation period itself. It took a few days for us to understand DLP and Mobile Access Blades that had to be procured separately along with the NGTP bundle to address our requirements.

We evaluated Palo Alto and FortiGate.

Our primary use case for Check Point NGFW is as our internal firewall within the datacenter to route traffic within it as well establishing our rulebase for part of our datacenter.

We have also implemented some other nodes as ICAP servers only. They have been a great replacement even though the installation was not the easiest.

They are the last line of defense (or first depending on how you look at it) within our perimeter and are therefore a critical part of our system within the company.

Check Point NGFW have been a real rock in terms of reliability (except for Identity Awareness) and we have not had any issues in terms of CPU or memory usage as our model might have been overkill with how well it is able to process traffic and how easy and unimpactful it is when adding new blades to manage this traffic

One ability that Check Point has is that it is the first to provide us with the ability to use identities instead of using the traditional IP-based format, which allows way more flexibility in what we can do with the rule base.

Identity Awareness has been an absolute gamechanger in how we've been able to create rules within the company. It allows us to give access to certain resources in very specific ways that were not possible before.

The SmartConsole is a very powerful interface compared to many other competiting products, which allows us to seamlessly go from watching logs, to modifying the rule base and easily find what objects are used where or even check which logs are linked to a specific rule

Logs are very well parsed when sent to Splunk.

Identity Awareness has been a massive source of problems for our deployment and the ability to debug it has been lacking.

The VPN setup is definitely way harder than it should be. The wizard or anything surrounding it doesn't allow for a quick setup without having to read documentation or actually getting a project with an external company

Our gateways have not felt like a day older than when we first got them, on the other hand, our physical management server Smart-1 has been definitely showing its age as it is sometimes quite long to do anything on SmartConsole when it decides to act up.

I have been using Check Point since joining my current workplace - about 4 years ago.

In 4 years, we've only really had one big incident with availability that was due to a faulty network card, which was changed quickly once diagnosed.

Since we chose a model larger than our needs, we aren't looking for a scalable solution.

Customer service and support have been a bit hit or miss and it takes a while for escalation to happen, however, once it does happen, you get proper support right away.

Neutral

I was not present within the company when it was decided to switch from one solution to another, and actually our previous solution was Check Point as well - and it was just reaching its end of support.

I did not participate in the setup.

We used a vendor team along with our in-house team.

I would need to compare it with other solutions used in our environment, which I haven't done.

I'd advise users to only choose blades when they are absolutely necessary - unless getting a good deal with a package.

As mentioned, we switched from Check Point to Check Point.

For the Identity Awareness setup, try to follow Check Point guidelines from the start as it is really capricious and hard to debug.

This is the perimeter firewall and manages all security facing towards the internet,

It's a distributed solution composed of a Security Gateway and a Security Manager. It controls all the traffic from the LAN to the Internet and the VPN tunnels for connections with external partners. We control the traffic to the internet with blades as URL filtering to manage the bandwidth, limit the use of this resource, and apply the security policies as well as protect the LAN network against advanced threats from the internet to the servers and PCs. 

This solution applies NGFW features to the inside and outside traffic of the networks. The other options did not have sandboxing, reports, and the same advantages as Check Point.

We have a small firewall from another vendor. The solution is working with limitations, as it was designed with Check Point as a security solution for the perimeter with more security features for covering our network requirements and specifications and preventing advanced threats from the internet to our servers and PCs. 

The sandbox feature is great.

The Sandblast blade is a very powerful solution that works against archives infected with ransomware.

The anti-malware is quite effective as many applications can be infected with any kind of malware with the goal of interrupting the productivity of our work equipment.

The reporting is great.

With this solution, we have had many kinds of logs and a very friendly way to view them. Now can we know what is happening within the network's traffic.

The performance has been very good. 

This security solution has grown more options and has expanded slots, including RAM slots, Optical Fiber slots, and various other features.

The anti-spam needs improvement.

A weakness with the Check Point solutions is the anti-spam, as they have a partnership with some solutions for anti-spam. They should have their own solution. We have email provided through Office 365 and they have their own way to fight spam and, due to this, we haven't bothered looking into anti-spam options. That said, Check Point is the most adapted to our necessities.

I consider the price of this solution high. It is very good, however, the prices are high - it's like buying a car.

I've been using the solution since 2018.

We changed from an older solution as it worked for five years and was old. It wasn't equipped for the new generation threats.

The price should be considered, however, it shouldn't be the only reason you choose the solution, or not.

We also evaluated WatchGuard, Palo Alto, and FortiGate.

What can you do about threats that get past simple packet inspection by a regular firewall? You could have a layer 3 firewall inspect the protocol and block known threats from certain URLs, however, what if it comes from a URL that has not been reported and is a socially engineered exploit designed to hijack your data? This is where a Layer 7 firewall will be able to inspect the application, known as payload inspection.

While this is possible to do with a Layer 3 firewall, it can be difficult due to the number of protocol messages in Layer 7. You would need to create a signature for each application you wanted to protect; however, network signatures tend to block legitimate data and increase your MTTR (mean time to resolve an issue).

Plus, having these signatures makes it hard to manage and keep up with by the IT staff. Relying on the power of AI and the cloud in order to leverage the Layer 7 firewall is key. The advantage of Layer 7 is its protocol awareness, which allows it to differentiate between different network traffic (application knowledge) and not just packets or flows that identify ports and IPs (Layer 3).

Let's say most of the traffic nowadays goes through HTTP, your web browser.

When you browse the web, what do you suspect happens? Your browser sends HTTP requests to servers around the world, and in return, you receive a response. Big data packets originate from business applications as well, such as file transfer protocols (FTP) or web services such as MapReduce or Twitters API. Oftentimes, a breach happens through these protocols, whereby a Layer 3 firewall could potentially let the threat in (such as SQL injection by default) without explicitly denying these requests.

The solution's best features include:

• A packet-filtering firewall that examines packets in isolation and does not know the packet's context.
• A stateful inspection firewall that examines network traffic to determine whether one packet is related to another packet.
• A proxy firewall (aka application-level gateway) that inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
• A Next-Generation Firewall (NGFW) that uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.

One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.

I've used the solution for four years.

We did not previously use a different solution.

The costs involved depend on your needs and budget.

We did not evaluate other options.

The Check Point firewall is a reliable perimeter security product. Check Point gives me access to explore various security features in a single box (loaded with all features that an organization needs most). 

I can say I have been using it for one year and getting a grip on it and I will always try to implement it wherever it is required. 

When it comes to Check Point, there are great security features and a marvelous inbuilt design that caters to handling all threats, including zero-day attacks and perimeter security. I really like the user-friendly interface of the Smart Console dashboard and the maximum security is integrated.

The intruder blocking real-time is a great feature that does not even require policy installation or committing to something. This feature enables real-time attack mitigation along with full security access which helps our organization to improve its security factors. 

IPS detection is a big plus for me since it deeply scans the packet. 

URL fileting along with application control gives me the access to manage the least privilege to maximum rights on a single click.

The product provides multiple security layers that build upon each other, from the traditional security policy that is IP and port-based to application security, intrusion prevention, and their latest sandblast cloud-based malware detection. 

Everything is easily managed through their Smart Console dashboard. It's a very easy-to-understand dashboard that provides a detailed view. Check Point helps to resolve a lot of problems, such as showing our organization all known threats. 

It is easy to deploy and manage. 

The product offers a simple Web User Interface.

While not being cheap, their pricing models are competitive. In the pricing structure, however, they need improvement. 

I would love to see an SSL offloading feature that is not there right now. I am following many forums related to Check Point and it seems like they are going to launch it very soon. SSL Offloading will be very helpful for NBFC and for financial institutes.'

The Check Point NGFW OS is a historically grown OS. It has been on the market for a long time and has many releases. It is a very complex system. All features are done in software - no extra hardware chips are installed.

I have been using this solution for almost a year.

This solution is one of the best solutions in terms of stability.

It is highly scalable.

I have been using this solution from the start as it was recommended by my organization.

The pricing is a little bit high, although I have no issue with the licensing or setup. It is easy to use.

I have stuck to this solution as I read reviews before and it was all positive in regards to Check Point NGFW. I did not use a different solution.

The primary use case is as a perimeter firewall separating different security zones from each other. We separate several zones, such as Internet Of Things (ie. cameras and several sensors), Internet-facing DMZ, internal networks, and guest networks from each other. 

Also, we use the VPN feature to create Site to Site tunnels between branch offices and the headquarters. Threat Prevention features including IPS, Anti-Bot, Threat Emulation, and Threat Extraction and are used to secure our users from being victims of several threats. 

It is hard to say how a product like a firewall is improving our organization. The firewall does what it should. Primarily, the management makes this product great. There is no other product on the market that is nearly as perfect a tool for managing firewall rule bases and I know many of them. Check Point has much fewer vulnerabilities in their products and also is very quick to react to vulnerabilities.

The Threat Extraction software blade feature is the most valuable feature as it extracts any potential harmful content from several kinds of documents, which our users receive via e-mail or download from the Internet. We know, that our users tend to click on everything they get without thinking too much about the consequences. 

The second feature to mention is Threat Emulation, which is basically a sandbox, which runs executables received via email or downloaded from the Internet and creates a verdict if this executable is harmful or not in regards how it behaves on a specific operating system and application.

Unfortunately, the API is not fully complete and also it is not an API which I would refer to as a RESTful API as there are different endpoints for the same entity. For me, a restful API would use one endpoint to handle, for example, host objects and use different HTTP methods to distinguish between different operations. 

I would expect to use the PATCH method to update an object and the PUT method to create one. Currently, there are separate endpoints for these operations and all of them use the POST method. The most important issue with the API is, that there are some endpoints we are missing (for example for managing VPN users).

We have been using this product and its predecessors for about 20 years.

The stability is very good. Sometimes there are issues, however, most of the time, they have no big impact. SecureXL was sometimes a bit of a problem. That said, this has improved in the last few versions.

Check Point offers several possibilities to scale (load sharing, Maestro, and scalable platforms such as 44K or 64K appliances), however, in our case, we just replaced the appliance after a few years. If one needs real scalability, they should take a look at Maestro which is the scaling solution from Check Point.

Technical support can be good or bad. It depends. Sometimes they are really great, and sometimes very annoying. Most of the time we have a good experience.

Positive

We did not previously use a different solution.

It's really simple to set up. You simply install from an ISO with a few questions (ie. mgmt IP address and gateway) and restart with a graphical installation wizard with a few more questions (such as is this a management box or a gateway or a cluster member ASO).

We handled the setup in-house. We have enough knowledge to do that. Our expertise is CCSM level.

We evaluated several competitors such as Cisco, Palo Alto, and Baracuda

We use Check Point NGFW mainly for a perimeter firewall for ingress and egress traffic control, firewalling, but we also use a lot of other functions within the NGFW capability.

Check Point NGFW provides a bunch of different products or Blades, as they call it in Check Point. The firewall engine is what we use the most but we also use the IPS IDS and Anti-Bot features. The solution provides many features.

The management of memory in the hardware needs to improve. They have had a lot of issues with memory leakage.

I have been using Check Point NGFW for approximately 10 years.

The solution is mostly stable. However, we have these memory issues from time to time, that cripple the performance occasionally, but other than that, they are very stable.

The solution is scalable and it is easy to do.

Overall the technical support is very good. If we have an operational issue, they can sometimes be a bit slow in responding. Other than this, I have nothing to complain about.

I was not around when the implementation was completed but using my experience in these global scenarios, there's always complexity, there probably was some complexity involved.

Check Point NGFW requires security and OS patching, and life cycle management. Every three to five years you need to replace the hardware. We have a dedicated team that does the maintenance of the solution.

It's hard to say exactly how many people are involved in implementing and maintaining the solution because some of the work is outsourced, but I would say it's a team of approximately between 10 and 20 people.

When comparing the price of Check Point NGFW to other solutions it's difficult to compare because even though everything is included in the Fortinet price, there are large differences between the models. You need to go to a quite expensive Fortinet firewall to receive the same throughput and functionality as in a Check Point firewall. In the end, they are quite similar in price, Fortinet might be a bit cheaper.

I have used other solutions, such as Fortinet and Palo Alto.

I'm not sure that there are many differences between Check Point NGFW, Fortinet, and Palo Alto. I haven't used any Fortinet solutions myself, I'm not sure exactly how they work, but I would say that, from a management perspective, both of them are quite similar. Operational-wise, Check Point NGFW is a bit more stable and has a more mature operating system, at least the model that we are using. 

The only difference in functions is how they have branded the firewalls because, in Fortinet, you receive all the functionality for the same price as the firewall itself. Everything is included. However, with Check Point, you buy the hardware separately, and then you buy the different plates that you need and the different licenses for the functions that you need. It's a bit more complex license-wise with Check Point.

When you implement anything in an environment you need to have a good design to begin with, you do not want to have to rebuild it after you have implemented it. It is important to
be thorough in preparations and planning.

I would recommend this solution to others.

I rate Check Point NGFW an eight out of ten.