Check Point Quantum Force (NGFW) Reviews

We primarily use the solution on all branch sites and now in DCs as well. We have more than 500 sites using Check Point NGFW in our organization. 

Earlier, we were using Cisco ASA and now it looks much better in many aspects, including upgrading/managing. I had only experience with Cisco ASA before, but after implementing this in my branch location it became quite easy to manage the firewalls remotely.

A few of our engineers use APIs to upgrade or push global changes for all regional locations which was tough to do. Now, with Check Point on board, it has eased our job as network engineers. 

Central management saves so much time. We were spending so much time with ASAs. I only had experience with Cisco ASA before, however, after implementing this in branch location it became quite easy to manage the firewalls remotely. 

As mentioned, a few of our engineers use APIs to upgrade or push global changes for all regional locations which were tough to manage. Now, it has eased our job as network engineers. It was a good decision by our organization.

The logging and central policy management are the most valuable aspects for us as we were not having success earlier with the ASA in terms of upgrading/managing. We are still exploring more features like IPS and IDS. We hope that these aspects will be a great experience for us as well. 

The smart consoles could be improved. Many times we have seen that smart console lags or has issues during the change. It also closes sometimes. Otherwise, the overall experience was great until now. 

As we are still exploring more features, we need more time to provide more reviews in the future. I would like to explore more with Check Point and would like to provide improvement review as we go into using the MDMS. It will be in our organization here by year-end. 

I've been using the solution for three years.

It looks very stable as compared to others.

The scalability looks great.

A few times I reached out to support help and in no time I was able to get experts who helped me through any issue I was having. 

Positive

We used Cisco ASA, however, we wanted a product that was more stable with central management. 

It was not easy to set up initially, however, we got some support from external vendors. 

We had help through a vendor and the experience was great. 

The stability makes it all worthwhile. 

It looks great the cost-wise for our organization. I've also suggested this product to other ex-colleagues for their companies. 

We did check out FortiGate and Palo Alto as well. 

We have had a great experience so far. 

Working in an MSP environment, there are more than a hundred firewalls and we use Check Point NGFW firewall which is mainly implemented as perimeter security and internal segmentation firewall. 

Due to our requirements, we implement site-to-site VPN between clients and cloud providers (AWS/Goggle/Azure). The centralized managed infrastructure makes it simple for the IT staff to operate and monitor the firewalls. 

The Smart Console provides a single pane of glass that allows the IT staff to easily manage the environment and troubleshoot issues.

The Smart Console provides a single pane of glass that allows the IT staff to easily manage the environment and troubleshoot issues. 

The UI decreases the hours required to complete a task. It also incorporates compliance and audit control validation into the system. 

IT staff can construct a single policy across all enforcement points in the Infinity architecture. 

There's a unified policy table that combines threat prevention and segmentation policies. 

SmartEvent allows consolidated event management and export.

The Identity-Based Inspection Control gives us the ability to leverage the organization’s Microsoft AD, LDAP, RADIUS, and Cisco pxGrid. 

The Terminal Servers group membership allows policies to automate typical processes (user moves/add/changes) and decrease configuration changes required on the firewall, which is tremendously beneficial. This limits the integration with the identity store to just one interface, and we still get broad security coverage based on a single set of identity policies. 

We leverage the combination of identity and application awareness, which is mandatory in order to build scalable security policies that protect the business without compromising user experience. This feature is extended to the SmartEvent console.

The SmartEvent blade has a huge number of security events/logs. We are trying to find correlation with the help of the SmartEvent blade, however, it may impact the performance of our Check Point management server. It requires additional licenses for Check Point management servers. It should be inbuilt within the management server.

With the increase of volume of traffic, the required resource/hardware to properly run goes up. Therefore, the hardware engineering to architecture flow has to be more efficient.

I've used the solution actively since 2008.

There were moments of where it did struggle when the rules were not properly maintained meaning that rules clean up exercise has to be performed annually to prune out rules no longer being use to allow the firewall to function more efficiently.

Overall, the product handles a production workload like a champ.

Customer service was pleasant.

Positive

Working in an MSP, we have multiple vendors/principals of NGFWs.

You have to work with a sales account manager to get the best price.

You need to work with a vendor that is overall quite knowledgeable. 

The solution should be evaluated and a trial run should be done in the lab as Check Point provides VM instances that can be installed on an open server box. Make sure to check with sales about the features and if they require additional licenses before purchasing.

Working in MSP, we have looked at various NGFWs. Check Point is one of them.

Check Point firewall is used as edge protection.

Traffic to the internet and from the internet does go through the firewall where IPS, URL, and app policies are applied.

Check Point was also used as an internal firewall to segment traffic between the data center and the user network. Basically, all traffic from any user will have to be inspected by an internal Check Point firewall before any server is accessed.

Check Point is also used for PCI-DSS credit card checks within any email sent or received. This is effective in detecting credit card numbers within any email sent by a user in error and blocks that from being exposed. 

The product has improved visibility into the traffic going through our network.

For all traffic leaving the network, Check Point provides the capability to inspect and permit traffic using not just ports but application IDs, which is more secure than simply permitting TCP/UDP.

Check Point has a robust IPS Blade which has added an additional layer of security on connections to the data center.

Check Point's compliance blade also helps in checking how Check Point's appliance configuration is in compliance with any requirement that we need to provide evidence for.

Check Point application control is very useful. This blade detects traffic and provides the ability to grant access based on the application and not the port as TCP/UDP can easily grant access for more than what's required.

The Check Point compliance model is also great. We can easily check firewall configurations against any compliance standard. It has made it easy to provide evidence and reports.

Check Point integrates with third-party user directories such as Microsoft Active Directory. The dynamic, identity-based policy provides granular visibility and control of users, groups, and machines and is easier to manage than static, IP-based policy.

Support for customers really needs to improve.

Check Point also needs to create a study license that will enable the customer to install a firewall (maybe with reduced connectivity) for a bit longer so that one can simulate scenarios without having to re-install it every 15 days.

We had a lot of problems with the VPN blade on the solution. We sometimes have trouble with the performance of the solution. Maybe some performance tuning options could be added in a future release.

Check Point needs to create a certification program that involves practical applications. 

I've used the Check Point firewall for three years.

Customer service really needs to improve.

Positive

We used Cisco ASA for Internet-facing Web applications, however, Check Point was used at the EDGE ( all user traffic to the internet), internal firewall ( all user traffic to datacenter), all internet traffic to PCI-DSS applications instead.

Implementation was done with the help of Check Point's professional services.

If you have the budget, it's a good idea to go for the Check Point Firewall.

We also evaluated Palo Alto.

We use the product to secure our network, using all Check Point has to offer, including multi-domain servers, centralized log servers, gateways on-premise, and VSX. It has improved a lot with the last versions making day-to-day operations very user-friendly. 

I have used almost all the blades Check Point has and it's incredible what a Next-Generation firewall is capable of, including VPN, IPS, monitoring, mobile access, compliance, and more. The reports of the Smart Event console are also very useful. It's good to have a view of what's going on in our network. 

Since Check Point has Linux working on them, it gives us plenty of tools to adapt to any specific need we have.

In actuality, Firewalls are a must in any organization. Check Point's ability to adapt to any environment is their strength. The interface is very easy to understand, and the Smart Console can be configured to fit almost anything you need to.

When an issue appears, the logs are very easy to read, and that helps to identify the reason for the problem and solves it faster. The issues are not so annoying. 

The support Check Point gives is key. As the Firewall vendor, I recommend them. It's always great to work with them. For this reason, I am very satisfied with Check Point. Every doubt I had they were pleased to help with and we ab;e to provide a resolution. The technical services always replied in a very fast and effective way. The live chat is great as well. There is always someone willing to help. This makes working with Check Point a good experience.

Check Point expert mode is basically Linux, so working with that allows us to implement a variety of scripts.

In earlier versions, it was a bit hard to do migrations of Multi-Domain Servers/CMAs, nowadays, with +R80.30 it has gotten much easier. I cannot really think of many things to improve. 

One thing that could be useful is to have a website to analyze CP Infos. This way, it would be much faster to debug problems or check configurations. 

Another thing not very annoying but enough to comment on is when preparing a bootable UBS with the ISOMorphic (Check Point's bootable USB tool), it gives the option to attach a Hotfix. However, this usually causes corrupted ISO installations.

One thing to improve is the VSX gateway. It is quite complex to work with VSX and they are quite easy to break if you aren't familiar with them.

I've used the solution for three years.

With other products, I have used quite a lot of RMAs, usually for not the most important component, however, enough to need an RMA, such as FANs or PSUs.

With Check Point it's quite easy, if it's needed, to replace. You just install the correct version and hotfix and load a backup from the old device. After that, the new device is ready to go.

The scalability of Check Point is great. With the usage of Multi-Domain Servers, you can integrate all the devices into one console. You also always have the chance to expand creating new domains. Also, this distribution helps to have a very structured and organized management. It is always a very good thing when things don't go as expected and you need to solve any problem. Finding where the issue is in your organization is key.

The technical cases are replied to in a very fast and effective way. The live chat means there is always someone willing to help. This makes working with Check Point a good experience.

Positive

The most I have used are Forcepoint, Cisco, F5, FortiGate, and Palo Alto.

The initial setup is very straightforward and very guided. 

With the few replacements we need to do, there is very little downtime. It is worth the investment. The great support team behind Check Point is also worth the cost.

Check Point is not the cheapest manufacturer, however, it's worth the price.

I have been always on the side of Check Point, however, Palo Alto was another option we considered.

Having the option to use a UNIX-based shell instead of being forced to use GAIA, in this case, is great. It makes Check Point very customizable.

I protect customers and other types of data by ensuring a secure environment. Check Point allows me to deploy quickly and securely, along with using more advanced detection and prevention. By securing multiple sites and various infrastructure elements, I have reduced my overall workload.

I'm using a lot of permanent tunnels and protecting them to ensure that monitoring customer infrastructure is not compromised in any way, shape, or form.

Various hardware has been deployed at proper sizing for customers and the equipment is stable without the need for a lot of custom configuration

By deploying Check Point, it has made it easier to manage everything from a single interface. The management dashboard and policies are on its single pane of glass. This has allowed for faster resolution of problems during deployment.

Being able to look at log events and sort quickly for information in regards to problems with connectivity or traffic makes it easier to troubleshoot and gain other insights into traffic-related problems.

Overall, the insights provided also allow for data to be presented to customers to give them an overall perspective of their security.

The management interface is well designed and easy to understand. It reduces the time for deployment, changes, and onboarding new customers.

The logging facility is amazing and gives great insights into traffic. Although Event Management is also amazing, it can be cost-prohibitive for other companies to onboard.

The ability to deploy VPN communities makes onboarding new sites easy. Multi-site configurations can be deployed with very little oversight and with minimal additional work after the initial deployment is successful.

I would like to see better Data Leakage protection options and easier-to-understand deployment models for this. I have been working with DLP for a while now and find that other vendors seem to be doing better at this. That said, having to deploy another solution adds other costs.

Some error messages could be better and more specific. The days of generic error messages should be over by now to allow faster, better insights into fixes for any traffic-related problems.

Some of the sizings of firewalls for deployment seem not exact and require some tweaking based on real-world traffic and connectivity types (for example, PPPoE).

I have been deploying Check Point firewalls for about 12 years and still work with them on many projects. I trust them to protect my infrastructure along with other tools.

I will continue to use Check Point as long as they keep pace with the innovation currently in place without sacrificing customer service.

The product is very stable once deployed.

So far, no issues with scalability have been detected - other than hardware replacement on the growth of traffic

The initial setup has some come complexities, however, that is the nature with multiple types of connectivity and different customer requirements.

We use the solution as a frontend firewall in our headquarters and in our branches. We use packet inspection, the antispam feature, and the VPN. We have configured threat prevention and content awareness to improve security on incoming email and on web surfing from interlan networks wits SSL inspection. Mobile access through the VPN mobile client is also used from all outside workers and is fully integrated with our AD. We also use the solution to route traffic on internal networks and manage security through client and server networks.

We have improved our performance and bandwidth through the networks. Security is also improved. We have better control over the logs and better integration with our SIEM. 

We can also manage all our firewall from a central management console so each policy is under control and can be developed better. Inline policies help to understand on the correct use of the policies and a more readable list. We can also manage policies in two or more people at once without problems or risk of making the wrong policy.

VPN and mobile VPN are extremely valuable to us. The policies are simple to deploy to the new branches. 

All policies can be deployed and managed in a very simple way. 

AD single sign-on with VPN mobile is very helpful and simple to manage and deploy. 

Log management is also a good place to make troubleshooting and through console manage events. 

Management of the object is also a valuable feature. At every point in the console you can manage object properties and look to each policy where it is used and simply change or find where the object is involved.

Some features, like the VPN, antispam, data loss prevention, etc., are managed in an external console. In the future, I'd like all features in the same console, in one place, where we can see and configure all features. I'd like a web console so that all firewalls can be managed from a web browser and we don't need to be installed on dedicated consoles and applications. 

I use the web console to mange the Gaia software in the firewall and it would be nice to have also policy management inside the web browser. 

I've used the solution for four months.

It is very stable. We have reboot only to install updates.

We chose the solution for scalability and now we are running with all branches with a Check Point firewall. The solution is meeting our expectations.

We do not need customer support.

Positive

We did use a different solution. We switched to improve security.

It was complex to set up due to the fact that we changed our mind on how the firewall works. Central management is hard to improve.

We implemented it through a vendor. There was not a high level of expertise, however, I took a course with Check Point and that was very clear and now I'm very expert on the Check Point world.

We have seen an ROI in that we need less time on managed policies and we have better control.

The cost is high but the benefits are too.

We also looked at Palo Alto, WatchGuard, and Fortinet.

The solution is a good solution and at the top of the market.

Check Point firewalls are/were deployed in various parts of our network to achieve perimeter defense and internal network segmentation. 

In addition to the firewall functionality, each appliance also leveraged Check Point's IPS blades. The perimeter Check Point appliances were also responsible for terminating any and all site-to-site VPN connections with third parties. 

All traffic from remote locations, remote VPN users, and egress traffic to the internet is filtered through the Check Point equipment at some point in our network.

Check Point has not improved our organization. We have observed a sharp decline in the quality of both products and support. 

Over the last several years, there has not been a single week where we have not had an outstanding issue open with Check Point support's advanced tier teams. 

Initially, we had incredibly impactful issues regarding their scalable platform hardware (which is being discontinued in favor of Maestro) to the point we were forced to rip them out due to them being completely unreliable. 

Check Point support has also seen a significant drop in quality, despite my organization even being a Diamond Support customer with Check Point. We fully believe it would be a wiser investment of time to call Geek Squad rather than Check Point.

The only area that Check Point still seems to excel in is their logging. Reviewing logs on Check Point is a snappy and intuitive process that allows the end-user to filter down traffic to specifically what they're looking for very easily and even with little knowledge of Check Point. 

The ability to create filters on the fly in the GUI with simple clicks to various areas of the log is fantastic and allows one to find exactly what they're looking for with very little effort. Note that this is probably the only thing Check Point still has going for it.

Check Point's support, at all levels, needs a complete overhaul. The Check Point support staff aren't even shy about telling you how understaffed, underpaid, and underappreciated they are. Any engineer with a hint of talent is pulled from general support to higher tiers, and then, once they reach a level of competency above that of your average acorn, they leave for better-paying jobs elsewhere. 

My organization witnessed this first hand fighting through the lower tiers of support and working frequently with the scalable platform team. When we switched to Diamond Support we saw no significant improvement in support save for shorter hold times.

I have personally used Check Point solutions for nearly ten years. My organization has used Check Point for 15+ years.

The solution is absolutely unstable. My organization follows vendor best practices exactly and has every deployment vetted by multiple levels within the vendor. Despite this, Check Point hardware has repeatedly proved unreliable at best, sometimes resulting in total outages for our company. 

My current organization has used Check Point for the relevant past and is only recently completely switching vendors to Palo Alto.

All current Check Point hardware is destined for the recycle bin. There is a pretty low ROI.

Most firewall vendors, Check Point included, make the selection of hardware easy enough based on projected usage. Likewise setup on many vendors in greenfield environments is simple enough and should not require professional services.

I was not involved with the initial deployment of Check Point in our environment as it was before my time. However, each subsequent deployment I have been involved in with Check Point was used based on the existing relationship. Once the issues became too impactful and we realized we had no hope of seeing any improvements we began efforts to rip out the existing Check Point equipment.

Do not let Check Point's past success lure you into their current state of bottom of the barrel.

We are using the Check Point firewall for our perimeter security.

The security solution works as well on-premise and in the Azure Cloud. We are using central management to configure the security policy of both gateways.

We are also using a Site2Site VPN for connecting our locations. This VPN is also realized with the same firewall systems.

In order to simplify the process of generation reviews of actual security incidents, we have implemented SmartReport for generating automated and special customized security reports for our documentation department.

Since the security policy of all firewall gateways can be defined centrally on the Check Point firewall management server, it is a lot easier to generate a secure and safe policy for all locations.

Since we can define policy operators for dedicated traffic selections, some of the lower IT staff can easily allow or block services or servers or create their own policy without interfering or compromising the rest of the security policy.

This makes the administration and coordination of the policy a lot easier for us

Since the log files of all services are collected on the management server there is an easy and good view of all actual connections, attacks, or security risks.

In addition, when using the SmartEvent software blade, you get the possibility to have an easy to configure event correlation system, which will automatically fire mail alerts or can even block IP addresses if there are network or security anomalies detected on the firewall system.

This is also possible if the services are allowed - for example, if there are flooding attacks on server systems.

For example, this has prevented our Citrix Netscaler from being taken down during attacks.

Although there is a lot of automation and pattern that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions, however, it can still be made a little bit better. 

For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).

The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.

Since attackers also use these clouds, there is a problem in getting your security definitions to work.

Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.

There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.

I've used the solution for more than ten years.

We do not have any problems with stability.

There is a hardware solution for every type of throughput. It is very good that in the datasheets you get the throughput of the different types of network traffic.

It is better not to choose solutions bigger than needed, or to have some resources left over.

Most of the support calls are answered very quickly. However, if you have a problem and you have to get development involved, the response gets slower.

Most of the time, you will find all necessary information in the Support Center or on the collaboration sites.

Neutral

We were using Cisco firewalls before. We had the need to implement Universal Threat Protection and the configuration of the Firepower system of Cisco was more complicated than the integrated policy configuration of Check Point.

The setup is straightforward. The documentation is very good.

We have implemented it completely in-house.

ROI is really hard to pinpoint. However, if we were using another security solution, our personal efforts to maintain it would double.

It is very hard to compare different firewall solutions and get a comparable price. Check Point tends to be very expansive, however, if you have a deeper look at other vendors, the costs are almost the same.

Due to the good integration and central management, Check Point is easier to maintain than other solutions.

In addition, there are good small office boxes from CheckPoint with a very good price - the features of these boxes are enough for small enterprises or branch offices.

We have evaluated Cisco Firepower and the FortiGate firewall solutions in the past.