Check Point Quantum Force (NGFW) Reviews

Our organization implements, maintains, and operates Check Point's firewall. 

Check Point solutions were implemented by our organization in accordance with the project documentation and further adjusted at the request of the customer. 

We ourselves also use a Check Point firewall in conjunction with a firewall from another vendor - both to protect our network perimeter and to test various functions and new emerging firewall capabilities and identify various bugs before they reach customers in the product environment.

We and our customers use almost the entire palette of capabilities of the firewall solution from Check Point. We use almost every feature, from anti-spoofing and network segmentation to URL filtering and intrusion prevention systems. We also willingly use virtual private networks from Check Point, both site to site and client to site. We also leverage the antivirus blade and anti-DDoS attacks. Some of our customers use Check Point capabilities for mobile devices, which are also successfully implemented in the firewall.

We found a very successful implementation of the virtual private network client, since, for some time now, everyone has been working from home. With the firewall from Check Point, this function is implemented very conveniently and securely. 

A convenient new version of the firewall management console, which, starting with the R80 version, has become standard for many Check Point blades, however, unfortunately, not for all. You still need to use older consoles to manage some features. For example, to access the monitoring blade, I need the old console, but the new console should start it.

You need to merge all the old consoles into one new one and make the interface more convenient for the novice administrator. Until now, the initial settings as well as subsequent changes to the "iron" part of the firewall, namely its interfaces, routing, or DCCP settings, you must use the web interface through a browser. This is inconvenient. Of course, you can use the command-line for these purposes, however, this also complicates the configuration process for the administrator and requires a well-known habit.

I've used the solution for six years.

There is room for improvement in terms of stability.

The scalability is great.

Technical support could sometimes be better.

Neutral

I have used and still use solutions from Sophos, however, in Check Point, some functions are implemented more conveniently. For example, work with logs.

Before installing, I recommend to go through the training.

I handled the implementation myself.

The ROI is good.

Working in an MSP environment, there are more than a hundred firewalls and we use Check Point NGFW firewall which is mainly implemented as perimeter security and internal segmentation firewall. 

Due to our requirements, we implement site-to-site VPN between clients and cloud providers (AWS/Goggle/Azure). The centralized managed infrastructure makes it simple for the IT staff to operate and monitor the firewalls. 

The Smart Console provides a single pane of glass that allows the IT staff to easily manage the environment and troubleshoot issues.

The Smart Console provides a single pane of glass that allows the IT staff to easily manage the environment and troubleshoot issues. 

The UI decreases the hours required to complete a task. It also incorporates compliance and audit control validation into the system. 

IT staff can construct a single policy across all enforcement points in the Infinity architecture. 

There's a unified policy table that combines threat prevention and segmentation policies. 

SmartEvent allows consolidated event management and export.

The Identity-Based Inspection Control gives us the ability to leverage the organization’s Microsoft AD, LDAP, RADIUS, and Cisco pxGrid. 

The Terminal Servers group membership allows policies to automate typical processes (user moves/add/changes) and decrease configuration changes required on the firewall, which is tremendously beneficial. This limits the integration with the identity store to just one interface, and we still get broad security coverage based on a single set of identity policies. 

We leverage the combination of identity and application awareness, which is mandatory in order to build scalable security policies that protect the business without compromising user experience. This feature is extended to the SmartEvent console.

The SmartEvent blade has a huge number of security events/logs. We are trying to find correlation with the help of the SmartEvent blade, however, it may impact the performance of our Check Point management server. It requires additional licenses for Check Point management servers. It should be inbuilt within the management server.

With the increase of volume of traffic, the required resource/hardware to properly run goes up. Therefore, the hardware engineering to architecture flow has to be more efficient.

I've used the solution actively since 2008.

There were moments of where it did struggle when the rules were not properly maintained meaning that rules clean up exercise has to be performed annually to prune out rules no longer being use to allow the firewall to function more efficiently.

Overall, the product handles a production workload like a champ.

Customer service was pleasant.

Positive

Working in an MSP, we have multiple vendors/principals of NGFWs.

You have to work with a sales account manager to get the best price.

You need to work with a vendor that is overall quite knowledgeable. 

The solution should be evaluated and a trial run should be done in the lab as Check Point provides VM instances that can be installed on an open server box. Make sure to check with sales about the features and if they require additional licenses before purchasing.

Working in MSP, we have looked at various NGFWs. Check Point is one of them.

What can you do about threats that get past simple packet inspection by a regular firewall? You could have a layer 3 firewall inspect the protocol and block known threats from certain URLs, however, what if it comes from a URL that has not been reported and is a socially engineered exploit designed to hijack your data? This is where a Layer 7 firewall will be able to inspect the application, known as payload inspection.

While this is possible to do with a Layer 3 firewall, it can be difficult due to the number of protocol messages in Layer 7. You would need to create a signature for each application you wanted to protect; however, network signatures tend to block legitimate data and increase your MTTR (mean time to resolve an issue).

Plus, having these signatures makes it hard to manage and keep up with by the IT staff. Relying on the power of AI and the cloud in order to leverage the Layer 7 firewall is key. The advantage of Layer 7 is its protocol awareness, which allows it to differentiate between different network traffic (application knowledge) and not just packets or flows that identify ports and IPs (Layer 3).

Let's say most of the traffic nowadays goes through HTTP, your web browser.

When you browse the web, what do you suspect happens? Your browser sends HTTP requests to servers around the world, and in return, you receive a response. Big data packets originate from business applications as well, such as file transfer protocols (FTP) or web services such as MapReduce or Twitters API. Oftentimes, a breach happens through these protocols, whereby a Layer 3 firewall could potentially let the threat in (such as SQL injection by default) without explicitly denying these requests.

The solution's best features include:

• A packet-filtering firewall that examines packets in isolation and does not know the packet's context.
• A stateful inspection firewall that examines network traffic to determine whether one packet is related to another packet.
• A proxy firewall (aka application-level gateway) that inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
• A Next-Generation Firewall (NGFW) that uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.

One of the main features that need improvement is the rule filter export. All of the other vendors can export the filtered IPS as a PDF or CSV file, however, with the smart dashboard, it’s just not possible. One can only export the whole rule base and then search for the IPS, which is super time-consuming as you can’t send the whole rule base to a customer. You would get weird questions about certain rules such as why they are deployed or configured as they are, and maybe even get unwanted tips on how to change them.

I've used the solution for four years.

We did not previously use a different solution.

The costs involved depend on your needs and budget.

We did not evaluate other options.

I protect customers and other types of data by ensuring a secure environment. Check Point allows me to deploy quickly and securely, along with using more advanced detection and prevention. By securing multiple sites and various infrastructure elements, I have reduced my overall workload.

I'm using a lot of permanent tunnels and protecting them to ensure that monitoring customer infrastructure is not compromised in any way, shape, or form.

Various hardware has been deployed at proper sizing for customers and the equipment is stable without the need for a lot of custom configuration

By deploying Check Point, it has made it easier to manage everything from a single interface. The management dashboard and policies are on its single pane of glass. This has allowed for faster resolution of problems during deployment.

Being able to look at log events and sort quickly for information in regards to problems with connectivity or traffic makes it easier to troubleshoot and gain other insights into traffic-related problems.

Overall, the insights provided also allow for data to be presented to customers to give them an overall perspective of their security.

The management interface is well designed and easy to understand. It reduces the time for deployment, changes, and onboarding new customers.

The logging facility is amazing and gives great insights into traffic. Although Event Management is also amazing, it can be cost-prohibitive for other companies to onboard.

The ability to deploy VPN communities makes onboarding new sites easy. Multi-site configurations can be deployed with very little oversight and with minimal additional work after the initial deployment is successful.

I would like to see better Data Leakage protection options and easier-to-understand deployment models for this. I have been working with DLP for a while now and find that other vendors seem to be doing better at this. That said, having to deploy another solution adds other costs.

Some error messages could be better and more specific. The days of generic error messages should be over by now to allow faster, better insights into fixes for any traffic-related problems.

Some of the sizings of firewalls for deployment seem not exact and require some tweaking based on real-world traffic and connectivity types (for example, PPPoE).

I have been deploying Check Point firewalls for about 12 years and still work with them on many projects. I trust them to protect my infrastructure along with other tools.

I will continue to use Check Point as long as they keep pace with the innovation currently in place without sacrificing customer service.

The product is very stable once deployed.

So far, no issues with scalability have been detected - other than hardware replacement on the growth of traffic

The initial setup has some come complexities, however, that is the nature with multiple types of connectivity and different customer requirements.

Check Point firewalls are/were deployed in various parts of our network to achieve perimeter defense and internal network segmentation. 

In addition to the firewall functionality, each appliance also leveraged Check Point's IPS blades. The perimeter Check Point appliances were also responsible for terminating any and all site-to-site VPN connections with third parties. 

All traffic from remote locations, remote VPN users, and egress traffic to the internet is filtered through the Check Point equipment at some point in our network.

Check Point has not improved our organization. We have observed a sharp decline in the quality of both products and support. 

Over the last several years, there has not been a single week where we have not had an outstanding issue open with Check Point support's advanced tier teams. 

Initially, we had incredibly impactful issues regarding their scalable platform hardware (which is being discontinued in favor of Maestro) to the point we were forced to rip them out due to them being completely unreliable. 

Check Point support has also seen a significant drop in quality, despite my organization even being a Diamond Support customer with Check Point. We fully believe it would be a wiser investment of time to call Geek Squad rather than Check Point.

The only area that Check Point still seems to excel in is their logging. Reviewing logs on Check Point is a snappy and intuitive process that allows the end-user to filter down traffic to specifically what they're looking for very easily and even with little knowledge of Check Point. 

The ability to create filters on the fly in the GUI with simple clicks to various areas of the log is fantastic and allows one to find exactly what they're looking for with very little effort. Note that this is probably the only thing Check Point still has going for it.

Check Point's support, at all levels, needs a complete overhaul. The Check Point support staff aren't even shy about telling you how understaffed, underpaid, and underappreciated they are. Any engineer with a hint of talent is pulled from general support to higher tiers, and then, once they reach a level of competency above that of your average acorn, they leave for better-paying jobs elsewhere. 

My organization witnessed this first hand fighting through the lower tiers of support and working frequently with the scalable platform team. When we switched to Diamond Support we saw no significant improvement in support save for shorter hold times.

I have personally used Check Point solutions for nearly ten years. My organization has used Check Point for 15+ years.

The solution is absolutely unstable. My organization follows vendor best practices exactly and has every deployment vetted by multiple levels within the vendor. Despite this, Check Point hardware has repeatedly proved unreliable at best, sometimes resulting in total outages for our company. 

My current organization has used Check Point for the relevant past and is only recently completely switching vendors to Palo Alto.

All current Check Point hardware is destined for the recycle bin. There is a pretty low ROI.

Most firewall vendors, Check Point included, make the selection of hardware easy enough based on projected usage. Likewise setup on many vendors in greenfield environments is simple enough and should not require professional services.

I was not involved with the initial deployment of Check Point in our environment as it was before my time. However, each subsequent deployment I have been involved in with Check Point was used based on the existing relationship. Once the issues became too impactful and we realized we had no hope of seeing any improvements we began efforts to rip out the existing Check Point equipment.

Do not let Check Point's past success lure you into their current state of bottom of the barrel.

It is a bit expensive according to the required blades but it is a platform that is worth having as security in a corporate.

I have worked for several years with the Check Point platform (NGFW) and it is by far the most stable in hardware and software.

It is a very friendly platform and easy to configure. It is true that it is a bit expensive (according to the required blades), however, it is a platform that is worth having as security in a corporate environment. 

I've used the solution for more than five years.

I use the NGFW as a Firewalling device, for VPN tunneling, and for virtual patching. My environment is a two-tier network environment. I also use the Check Point NGFW as an IPS.

It really has improved my organization in terms of protecting my network against intrusion and zero days. I have been able to explicitly configure the blocking of certain attack vectors using Check Point NGFW.

The firewalling feature and the VPN functionality are excellent. With the firewalling functionality, I have been able to ward off intrusion from outside the network. With the VPN functionality, I have been able to allow secure remote connections from external customers and staff. 

CheckPoint would do good to add new features such as UEBA(User and Entity Behavior Analytics). 

They should also improve on the effectiveness of their antivirus. It should be more effective than competitors.                                                                                                                                                                                                                                                                                                                                                                                                                                                       

I have been using Check Point NGFW for five years.

The product is very stable with no crashing or configuration corruption.

The solution is highly scalable and responsive.

The vendor is very professional and has the know-how.

Positive

I used to use the Cisco ASA 5500 series firewalling device.

The initial setup was straightforward.

The product was implemented through a third-party vendor.

We saw an ROI within one year.

It is very competitive relative to others on the market.

I was shown the POC and I fell in love with the fact that the Check Point NGFW has a GUI that allows for easy configuration. It also does firewalls very well. Therefore, I did not look at other options.

It is an awesome product!

The environment in which it was deployed is a financial institution that requires high availability, confidentiality, and integrity of information within the supporting infrastructure. The NGFW is used specifically for the VPN, firewalling and it also serves as virtual patching in the event of zero-day vulnerabilities that are very common within some well know client desktop computers and servers.

Initially, I was using the Cisco ASA5500 series firewall. I never believed there could be better firewall devices in terms of ease of setup and management. The NGFW from Check Point has increased my confidence in terms of performance and ease of configuration with its intuitive interface. It supports the VPN configuration without any unnecessary latency and packet dropping.                                                                                                                              

It blocks over 97% of threats!                                          

VPN, firewalling, and virtual patching are the most valuable aspects for me. The NGFW is so effective that I can go to sleep and vacation. Check Point products rarely have vulnerabilities that put the whole organization at risk, unlike some other firewall products.

The VPN tunnels are very effective in terms of stability and quick connection.

Virtual patching is useful as a workaround for zero-day vulnerabilities.                           

It offers excellent filtering of URLs.

The interface can be more user-friendly in terms of the design and location of critical and commonly used icons.

They could add a web user Interface.

I have been using the Check Point NGFW since 2018 when it was deployed in my company.

The stability is awesome and it puts me in a no-worries mood!

The scalability is awesome.

Technical support is friendly and awesome.

Positive

I did use Cisco ASA. The administration was grueling coupled with some nefarious vulnerabilities and the cost of ownership.

The initial deployment was demanding due to my network architecture, not because of the product.

The implementation was done through a vendor.

We've seen ROI at 6 months to 1 year.

However, the ROI was realized within weeks of deployment.

The solution is reasonably priced relative to some other brands.

We did not evaluate other options.

It is the best amongst the rest.