Check Point Quantum Force (NGFW) Reviews

We are using Check Point NGFW for controlling the traffic on our entire network. It controls the traffic and access of the networks and also the traffic outside of our network. The firewalls are used in and HA-Setup.  

The features we use are application and URL-filtering, anti-bot/virus, and sandboxing functions. It is also used for Site2Site VPNs and endpoint VPNs. For us, the Check Point NGFW is the center of network traffic and security. 

We use the new features of Check Point to reduce standalone systems. 

In the past few years, the attacks and risks have grown. That's why we introduced a NGFW. All the securtiy risks can be minimized with the product. Especially if you route the whole network trafiic over the firewall. You can filter malicious sites and traffic and can analyze the entirety of traffic. The URL filter works much better and is much stronger than our other previous solution. 

In the case of migrating or patching, it is very easy due to the fact that you can transfer the whole ruleset and settings from your old device. Patching is very easy and we've never had problems.

If you have an HA Setup you will have zero downtime. Teams and VoIP traffic will also not get stuck; you would notice anything while switching to the backup module. 

The quality of the patches and hotfixes is great. We never had any issues during or after patching. All patches and hotfixes are well documented and if you have any issues the KB is very helpful. 

The log is very clear and can be filtered very easily. If you need to analyze not only the connection you can use the CLI to dump TCP packets. 

The activation of additional features is very easy and well documented.

Sometimes, the firewall has its peculiarities which you have to know especially when you want to set up a Site2Site VPN with a third-party vendor - specifically if you want to set up IKEv2. 

The debugging of VPN tunnels is very stressful. Sometimes you don't know what the firewall negotiates with the other site, so you have to use the command-line for the VPN debugging. However, if you use both sites, the setup is very easy. 

The speed could be better when installing policy changes. In the beginning, we didn't have all features active. Now, it is all active and it takes some time to install. This is sometimes annoying if you forget a small change.

We've been using this solution for several years. This is our 3rd Check Point firewall.

The environment in which it was deployed is a financial institution that requires high availability, confidentiality, and integrity of information within the supporting infrastructure. The NGFW is used specifically for the VPN, firewalling and it also serves as virtual patching in the event of zero-day vulnerabilities that are very common within some well know client desktop computers and servers.

Initially, I was using the Cisco ASA5500 series firewall. I never believed there could be better firewall devices in terms of ease of setup and management. The NGFW from Check Point has increased my confidence in terms of performance and ease of configuration with its intuitive interface. It supports the VPN configuration without any unnecessary latency and packet dropping.                                                                                                                              

It blocks over 97% of threats!                                          

VPN, firewalling, and virtual patching are the most valuable aspects for me. The NGFW is so effective that I can go to sleep and vacation. Check Point products rarely have vulnerabilities that put the whole organization at risk, unlike some other firewall products.

The VPN tunnels are very effective in terms of stability and quick connection.

Virtual patching is useful as a workaround for zero-day vulnerabilities.                           

It offers excellent filtering of URLs.

The interface can be more user-friendly in terms of the design and location of critical and commonly used icons.

They could add a web user Interface.

I have been using the Check Point NGFW since 2018 when it was deployed in my company.

The stability is awesome and it puts me in a no-worries mood!

The scalability is awesome.

Technical support is friendly and awesome.

Positive

I did use Cisco ASA. The administration was grueling coupled with some nefarious vulnerabilities and the cost of ownership.

The initial deployment was demanding due to my network architecture, not because of the product.

The implementation was done through a vendor.

We've seen ROI at 6 months to 1 year.

However, the ROI was realized within weeks of deployment.

The solution is reasonably priced relative to some other brands.

We did not evaluate other options.

It is the best amongst the rest.

Several enterprises, from financial institutions to hospitals, use this product mainly as edge solution. In most cases, the setup was based on a redundant configuration. Other cases which have been rolled out are based on smaller devices in office locations and larger devices in the central datacenter of the customer. As an MSSP we trust the reliability of the solutions, since we cannot risk having our reputation being harmed. Our team is perfectly able to manage the devices on a day by day basis using the central management solution.

The tension of being well protected from the outside world has decreased due to the sturdiness and reliability of the solution. 

Results are predictable and managing everything is easy with the right tooling. The management solutions are easy to use and make it possible for our administrators to manage numerous amounts of devices in one console. 

Software updates/upgrades contain valuable additions and it is clear that Check Point has the right focus on the requirements of what should be added as functionality.

Trustworthiness and stability are the key aspects when looking at these products. 

The up to date-ness of the threat intelligence and the underlying network of devices adding value to it is good. 

With many of their own investigators adding their findings to the threat database, Check Point has become a leader in having their product in the higher ranks of the spectrum of efficiency. 

The different hardware models focus on a wide spectrum of the market, so any company can choose a model that makes sense for them from the range.

The world is changing rapidly, and even though Check Point is delivering security solutions on many levels such as endpoints, cloud, and on-premise. 

A more centric solution would be preferable. They should take all existing products and make them a part of a suite that is easily manageable from one platform. This would leverage the use of the different products since no administrator wants many interfaces to manage the complete environment. 

Pricing needs to be lowered from start, this would be more effective than lowering it during negotiations.

We've used the solution for more than 10 years products and have been delivering the solution to our customers.

The product is very stable.

The solution is less scalable when using hardware-based solutions. Especially the smaller models have limited possibilities to expand on port / performance level. Both issues can be resolved using the Maestro solution, but that is limited to specific models.

Technical support is very good and easily accessible.

Positive

We previously used Cisco and Fortinet. Check Point is a long-lasting vendor that we use, based on trust.

The initial setup is pretty straightforward, especially when working with preset best practice profiles.

We handled it on our own. 

In the end, the ROI is good once a company knows the protection level on offer.

Pricing and licensing are not the best within the market. That said when you get to know the products they offer you will be happy to pay a bit more.

We also looked at Palo Alto previously.

We primarily use the solution for central administration and management of a lot of locations worldwide. That's the main task for this solution for our Central IT Team. Central logging and troubleshooting are 2nd level topics that are great to handle with the SmartDashboard and other tools.

We started in the past with base features and checked the NGFW features. Application Control gives us the option to permit applications and not just some IP address lists. Before we had so much manual work for dealing with firewall rules.

For some topics, we've given the Service Desk permissions and it's working great.

We have so many standalone firewalls. The central management of Check Point with different sessions/permissions is great. We can administrate all topics smoothly. The Application Control brings us to the next level of controlling cloud apps and other stuff.

Anti-Bot and the IPS are good features to check/defend our servers and company. We can prevent servers easily for vulnerabilities from/to the public internet and we can see what traffic/actions is active on our lines. 

Our Security Operation Center is very happy about the solutions too due to the fact that they have so much transparency.

QoS, Anti-Bot, IPS, and Application Control are the main features we're using.

The QoS blade is very good for controlling traffic such as Windows patches, mail traffic and other stuff. In the past, sometimes we had no control and couldn't help when too much traffic had occurred.

Anti-Bot is great at preventing our clients and corporate network from calling the central control.

IPS is good in protecting our systems in DMZ zones when patching of servers sometimes can't be done.

Application control for controlling Cloud Apps like MS Teams, M365 Apps, or others, is perfect. Previously, we had only IP Lists for stuff like this.

Administration of the routing and system settings should be moved to the central dashboard. It's not good to go to all GAIA Interfaces to change settings there.

The client for the central tools is very big - maybe using web access in future releases, similar to other vendors should be possible.

The firmware for the Check Point Firewalls is very big. It takes a long time when we are using small lines for data transfers. Other vendors have updates lower than 100MB. For Check Point often we need a minimum of 2GB.

I've used the solution for nine years.

The scalability is great.

We previously used Watchguard. It was not so good with different vendors for some features.

We are a Critical Access hospital with close to 1,000 endpoints and hundreds of users. We currently have multiple ISPs coming into the hospital for internet redundancy. There are multiple buildings on our campus that are connected with copper and fiber. We have had clinics in multiple cities attached to our network at various times. 

We installed the Check Point NGFW in our environment to act as our main firewall and gateway. This allows us to keep several of the vendor devices (lab analyzers and other third-party equipment) segregated on different VLANs so they have no access to our production VLAN. This system is also our VPN concentrator for several site to site VPNs and remote software VPN connections.

In the past 15+ years that I have run these firewalls, we have been able to make huge strides in increasing our security posture. This has been evidenced by our annual Security Risk Assessments run by a third party. Check Point is always coming out with new features that help make it easer to manage our security posture. We have received multiple comments from other organizations praising us for the speed and accuracy of setting up new site-to-site VPNs with the proper access. This is all possible because of the intuitive Check Point software.

There are many great features, however, with our last upgrade, we now have a web GUI that allows us to pull up multiple facets of the firewall environment. This feature has been very handy. There have been times we have a connectivity issue, and both sides are blaming each other. If I'm away from my desk and don't have my laptop, I can quickly bring up the interface on my phone and search through the logs, rule base, and VPN communities to help quickly troubleshoot the problem. I can't say it enough - this has been invaluable.

Overall, this is a great system, and I'm struggling to come up with things that I think should be improved. 

I have had some issues in the past with the desktop client being slow to come up for logging in, and then slow to respond to screen changes, however, overall, it really hasn't been too bad. 

For additional features in the next release, I would like to see more change functions available in the new Web GUI version. This is still a new offering from the company, therefore, I can only assume it will get better as customers make suggestions/requests.

I've used the solution for over 15 years.

This system has been rock solid in our environment. I have even run beta software to try out new features. I trust the company and their top-notch support staff to keep us running smoothly.

This system has been very scalable. Check Point offers multiple security 'blades' that let you start out small, and increase as needed without having to drop a bunch of money on new hardware.

I rarely have critical issues, however, when I do, I can call and get an engineer rather quickly. For most of my issues, I utilize the online support portal and/or knowledge base articles.

Positive

We had engineers online with us to help us get everything setup. They have done this many times, and they were able to give us a lot of information to help prep the environment. This left us with minimal downtime.

We used Check Point for implementation, and they are top-notch. They know the hardware and software better than anyone.

That is difficult to calculate. We have had hospitals and clinics drop like flies to ransomware, DDOS attacks, and other issues. The financial impact of something like that would be huge. You can't put a price on safety. 

We are trying to do the best we can in an ever-changing landscape of cyber dangers, and we feel that Check Point has been a great name to hang our safety on. In the 15+ years I've been working with Check Point, I have only changed out the hardware twice. We pay an annual fee to cover licenses and support. In general, this is a great investment.

We purchased this through a VAR, so your mileage may vary when it comes to cost and initial service for setup. 

The licensing can be a bit tricky when you have more than one appliance. That said, they are very open and explain how it all works. They give the ability to set up trials of all the different license 'blades' to let you try before you buy.

We first deployed Check Point for our clients. Our first client wanted to deploy the security appliances in a cluster solution for their network infrastructure solution. The NGTW chosen was the 5800 series and it was deployed as a software solution on clients' servers. Everything is going smoothly and the client seems happy with our proposal.

For our client, it is extremely important to protect the internal network infrastructure from any malicious attempt to break into their critical data. The NFGW cluster has been a step towards greater visibility in regards to their internal operations. The logs give a very detailed panorama of risks.

URL filtering, Application Control, and the Intrusion Prevention System are the features that almost every client wants to be guaranteed by their security appliances. 

Check Point NGFW also generates very helpful reports based on the logs of the activated features, including the features mentioned (URL filtering, Application Control, and the Intrusion Prevention System, as well as anti-bot and anti-spam). 

Sandblast is also a great feature, soon to be added to this solution through endpoints.

The appliances are quite intuitive and easy to be used. The hotfixes are useful and often released with notifications sent to the client.

There have been a few requests/issues about the Identity Awareness feature. The connection to AD, which was a request from the user, required the TAC team's support. 

I've been using the solution for more than 3 years.

This solution is stable and its replacement will not be needed for some time. Security is a need, and as such, it should be a permanent investment.

It seems pretty scalable. Scalability is one of the features that make Check Point different from other vendors. Most of the Quantum series are usable with the Maestro solution, where the client can practically add up other appliances on top of the previous one, without replacing it.

Cases don't always get a resolution immediately, however, the TAC team is supportive and through continuous interactions and suggestions, all cases have been resolved (within 1-2 weeks when they are not urgent).

Positive

For our own infrastructure, Check Point was the first vendor chosen.

The implementation is straightforward. The setup is clear and simple, much like any other software nowadays.

We did an in-house implementation.

The biggest investment is the initial one when you purchase the solution. It needs very little maintenance, and the automation it offers makes it easy to maintain.

The setup is easy and intuitive, and licensing has good coverage to meet the needs for most of the clients. Price is the least favorite element regarding Check Point. Its products aren't the cheapest ones in the market, however, the ratio of value to money is fair.

Fortinet was considered as an option as well.

We use our Check Point NGFW firewall mainly for perimeter security. Those firewalls are placed at many sites distributed over Europe. We love the firewall management and think it's still the golden standard for creating a rule base and we go more and more in the direction of identity bases user access to secure our environment.

The other firewall blades, such as Anti-Bot, Application and URL-Filtering, and IPS, are used on all sites. It's easy to deploy, as the firewall is able, with the latest version, to learn from the traffic and adapt the IPS policy.

Check Point NGFW has improved our organization with more security and easier deployments. There is a smaller amount of workload in the supporting area. We find a lot of documentation for the products and benefit from a big community. The Check Point support is much better than what we have seen from other vendors. The firewall policy is easy to deploy and we can do a more granular separation of specific user groups. We feel much more secure with this product - especially the API support - and possible automation has saved us a lot of time in our team and organization.

The most valuable features are the identity-based access and high-quality intrusion prevention functionalities. 

One of the most valuable aspects is the central management, which includes a large wide range of API calls. With the central management, we can define a reasonable security policy for many sites and not only for network segments but for user and AD groups. This gives us a bit more "Zero Trust" in our network.

It's enabled us to move away from basic LAN to LAN segmentation to a more powerful user separation approach.

One area which is still lacking is the site-to-site VPN solution. This is still an area that could be improved, although the features have gotten much broader and I really have seen an improvement over the last 10 years of working with the product. The separation from encryption domains between the tunnels came recently as a new feature to the product. This really helps a lot. Yet, we are still seeing a lack of compatibility with other devices, even though this is the case with many vendors. Especially with IKEv2, we are struggling with many vendors to set up perfectly running tunnels.

I'm working with Check Point for 10 years.

If you go by best practice recommendations from Check Point the stability is very good.

Scalability is really good. Check Point has the Maestro solution, where you can really scale easily without wasting resources.

They are really anxious to solve issues as fast as possible. They also try to get in actual contact with you via phone or chat to fully understand the issue.

Positive

In some areas we were using Cisco, however, we changed to Check Point to centralize things.

The setup is pretty straightforward, at least for the basic setup. Even with more complicated configurations, you have good support and experts at Check Point in the background that can help.

We did it ourselves.

Check Point is definitely not the cheapest solution, but the better security makes it worth the price. The licensing model is pretty easy, especially when it comes to the extension for many environments.

We looked at Cisco, Barracuda, and Fortinet.

I'd advise teams to give it a try!

The solution is primarily used for firewall protection for an enterprise environment, The Check Point firewalls are implemented on the perimeter (DMZ) and Secure Access Domain (SAD) environments. 

We use physical VSLS clusters but have many virtual systems (Vsys) configured for different sub purposes. The Entire management domain is protected by Check Point firewall virtuals running on multiple physical boxes.

We have multiple virtual routers configured on the physical firewalls which connect L3 connectivity to other domains. The Perimeter DMZ firewall protects the boundary zone Environments 

Check Point firewalls have helped our organization to securely promote the traffic flow in a secure way that is fast and swift.

There's faster identification of customer traffic issues identifies via a smart view tracker and centralized management of rules. It has an ease of access policy and a human-readable format.

We have multiple virtual routers configured on the physical firewalls which connect with L3 connectivity to other domains. The Perimeter DMZ firewall protects the boundary zone environments.

Dashboards for rules management and trackers for firewall logs capture are useful.

Traffic flow in Check Point is very structured so that it is easy to understand the path it checks to understand which elements come first and which elements come later.

The smart log compiles from multiple CMAs is an important feature that is very attractive. 

The MDM dashboard is very organized compared to other vendors. The use of CLI tools like TCPDUMP and FW monitor are very useful in verifying the traffic logs.

Objects search and tracker logs are useful.  

To combine CLI routing and GUI application in a way that both interact together would be ideal.

The pricing could be better. In general, the Check Point solutions are not cheap, however, you could try to negotiate on the overall contract, especially if you are purchasing a lot of hardware.

In the CLI, while viewing configs, there is no easy way to snapshot configs. 

I've used the solution for more than 15 years.

The product is very stable.

The solution is scalable.

Technical support is super.

We switched from Cisco to Check Point. Cisco was CLI-based and cumbersome with rulesets.

The setup is straightforward as there are many videos available on the net to practice with.

We had vendor involvement.

It serves the purpose and primarly gets the best output.

The pricing is high. In general, the Check Point solutions are not cheap, however, you could try to negotiate on the overall contract, especially if you are purchasing a lot of hardware.

Yes, the vendor ran through the options and based their decision on the company security standards.

We are satisfied with the product and support.