Check Point Quantum Force (NGFW) Reviews

Generally speaking, it's like any other NGFW. It's quite a versatile solution for many aspects. It's not like a separate solution for firewalling, but a separate solution for web access. It's just very convenient to have everything in one box. On the other hand, when you need something, like a very top-rank solution for very specific things, like network intrusion prevention or network intrusion detection as a component of NGFW, I would say it looks weaker compared to the well-designed solution for its purpose. It has the same issue as many other versatile or unified solutions, so it's really convenient.

From our point of view, including me and my colleagues, I would say it's really good that they have a lot of integrations with third-party companies. Integrations with third-party companies are really convenient. API offers many convenient ways to integrate with open-source solutions. It's very, very good when you have everything in one package and one bundle.

If you check each and every point from this part, you will find some flow in an area, or you will discover another flow in another area. It's unfortunate, and not a usual situation and it is not just for NGFW but for any other tool, making it a disadvantage where improvements are required.

For the next release, I would prefer the tool to be more flexible in terms of general deployments because some additional companies must be deployed as a basic one. For those who have been working with their solutions for a relatively short amount of time, it would be better for the tool to offer an adequate knowledge base, not just very superficial information, or maybe not too much in that spot, something like average stuff. The tool should be more flexible in terms of deployment, and a more adequate knowledge base should be available.

About the UI, it is hard to comment because it has been more or less the same for many years. Professionals have already been using the tool's interface for many years. From a contemporary angle, the tool's interface looks a bit outdated from a UI point of view. The UI has been more or less static in terms of changes for the last couple of years. People can get to the UI and work with it in a couple of months, but compared to any other solutions on the market, which are more flexible and more rapidly evolving, I would say that UI should be considered for improvement.

I have been using Check Point NGFW for two to two and a half years. My company is a partner and reseller of the solution.

For stability in high-load networks, I rate the solution a six to seven out of ten.

Scalability-wise, I rate the tool an eight to nine out of ten.

There could be some performance issues under the heavy deployments and heavy load, but generally, if you are talking about the general scalability, it is quite good.

The tool is suitable for large and very large enterprise businesses. From our company's practice, I would say it is meant for banks and financial institutions. It is also quite popular in heavy industries. I would say it has a more or less wide list. It is more or less very popular in banking.

The tool can be scaled up, but even despite high scalability, it requires a lot of extra companies to bear a high-load environment and high-load networks, making it a bit unfair, especially when comparing some of the numbers with the real-world statistics it likes too far from reality.

The solution's technical support is fine. I rate the technical support a nine to ten out of ten.

If ten means easy, I rate the product's initial setup phase a six to seven out of ten. It is not a plug-and-play solution. It requires much more skill and effort for the specialist to set it up properly. Even if there are any PoCs, you can easily discover the difference between the easy setup process and the more difficult setup phases, and I would say that Check Point falls under the latter category as it takes much more time and effort. Sometimes, it could be buggy, and you just need to fix some other firmware or software update.

The solution is deployed on an on-premises model for large and very large enterprises.

The time to deploy the solution depends on the stage because you can talk about the initial deployment or you can talk about the deployment, including the integrations. I would say that the integrations would be really time-consuming. For the initial deployment, I would say it is a couple of days if it is not really a large installation and a couple of weeks are needed for the initial deployment.

ROI is like an artificial point in connection to a solution like Check Point NGFW, and its numbers are quite questionable.

Suppose the company has too many different solutions from different vendors. In that case, it becomes a greater burden in terms of support and everything, especially in terms of management of these solutions. I would say that Check Point would be a good choice if they are planning to migrate. If it is something like a choice between one NGFW from a vendor and you want to move into the Check Point NGFW, it becomes a bit more tricky. It becomes really hard to say about the ROI because it is just like a different approach. If you are moving between a lot of different solutions from different companies, then ROI will be really good and attractive.

The tool's price is reasonable in case you are not using it in a high-load environment. If you are not expecting significant increases or peak increases in loading, it should be fine. If it is a really highly loaded VLE environment, and if you try to rely on the tool's official numbers, I would say you can put your environment and network in jeopardy because it becomes really unstable. For the last couple of years, the situation has changed, and it has become really tricky to understand why the tool's official numbers aren't aligned with real-world numbers, which is a big problem for the VLE customers because when they are just trying to consider their official stats and official scalability numbers, it might be tricky. VLE customers should have, like, a 20 to 30 percent extra, or else, at this point, it becomes much more expensive.

The tool's prices don't make any sense because we are not talking about MSRP prices for VLE. We are talking about the discounted prices, which could be a really, really huge gap between the MSRP and the discounted price. I don't think these numbers will highlight any beneficial aspect of the price for you.

There needs to be accuracy in terms of scalability. It should be well-designed, and if the customer does not have enough resources or their own resources, it is better to involve an adequate number of SIs. The system integrator will do the trick, and if a person is experienced, then everything can be really good in terms of the certifications, the statistics, and everything else. The system integrator should do everything properly, but it will be quite expensive, especially if we are talking about large and very large enterprises. For mid-sized businesses, it should be fine because it is less tricky, and even the normal specialized person on the customer side should be fine with using it, as it can be quite easy. In any case, scalability is a bottleneck here.

I rate the tool a seven out of ten.

I used Check Point NGFW to secure the data centers of medium to large enterprise companies. In many cases, it serves as a perimeter firewall, though its use can vary based on specific needs. Primarily, it functions as a defensive firewall.

The GUI is not very user-friendly, and configuring it can be challenging. The management console often has issues, sometimes requiring high CPU usage on your FTP or Windows system to open or manage sessions. It can be resource-intensive. Additionally, when viewing or monitoring logs, they sometimes do not appear immediately and may be outdated or missing.

I have been using Check Point NGFW for two years.

It is a stable device.

They support a range of enterprises, from small to large. Their solutions can accommodate environments with as few as 50 users to those with thousands or more. So, handling a large number of users is not an issue.

Support is very good.

Positive

The initial setup is not straightforward and can be more complex than that of other devices like Palo Alto or Fortinet firewalls. The setup for the CMA and management center requires careful implementation. Additionally, integrating components such as MDM and other security devices, including sandboxes, can be challenging to achieve a cohesive and secure environment.

The time required for deployment depends on the amount of configuration needed. Typically, it might take a full day, but with sufficient time, a basic configuration can often be completed in about eight to ten hours.

I have worked with both on-premises and VM versions. The CMA is typically deployed as a VM on a server, while the firewall is a physical device. 

I have already deployed many times by myself, so there is no need for many people.

It is a cheaper device than what other vendors offe.

For security features, I typically use the templates or standards provided by the vendor. Based on my experience over the past three years, I haven’t encountered any significant complaints from customers about attacks or major issues while using the firewall to protect their data centers.

Google has a premium partnership with Check Point, involving extensive verification processes for major customers. This strong partnership indicates a significant level of collaboration between the two companies.

I haven’t handled any maintenance, but the support center has been very helpful. They provided excellent support and demonstrated strong knowledge whenever I reached out for assistance. They are proficient in various languages and have a good grasp of Linux, which is essential for effective support.

They provide good step-by-step implementation guides, similar to what is available for Fortinet's FortiGate. However, I find the implementation process for other vendors to be easier. Pricing varies among the three vendors, so there are differences in cost. Palo Alto offers the best options for sizing, though I haven’t worked operationally.

I recommend it, but you should know Linux and its commands to work effectively with this device.

Overall, I rate the solution a six out of ten.

Mostly enterprise customers use it for their system security as their main firewall. For example, some customers have multiple backup connections, including fiber connections, for redundancy. 

They use Check Point as the main firewall, and others use it for email scanning and file scanning to detect any vulnerabilities.

The firewall scanning, like antivirus scanning and malware scanning, are very good. Blocking the user is also very easy. If you want to block a user, we can just do it within the solution.

The reporting is quite easy and good, and you can see traffic in real-time. But compared to Sophos, Sophos is still better. There are still areas in Check Point that need to be improved.

It's actually quite good, but the only problem we faced was during COVID when people wanted to work from home. 

We had to use third-party software to give users access because the Check Point option didn't work as expected. So we used Check Point in the front, but we used third-party software for the virtualization of the applications and everything.

When using redundant connections, sometimes there are issues like one connection going down and switching to another connection. Also, breaking rules can be complicated. 

For example, if you want to make a rule for a specific connection, like assigning some users to one ISP and other users to another ISP, you have to use another device, like a third-party firewall intervention and routing, to get the desired results. Other than that, it's good performance-wise.

I've been working with Check Point for the past six or seven years. We always work with the latest version.

It's very stable. No issues there.

It's scalable.

Our clients have raised questions to technical support. They all have accounts, so we give them the login details. They send an email to support and get a support request. But normally, we try to handle everything on our own. 

If there's something we can't handle, like a firmware-level issue, only then do we get support from Check Point.

It depends on the client requirements also. Some government agencies need Check Point, and some clients need others like Cisco or Sophos. After Cisco, a lot of clients have changed to Sophos. So, we provide solutions depending on the client's requirements.

The initial setup is straightforward, just like any other normal firewall. 

• Deployment strategy: 

The deployment process depends on the client. For example, if it's an existing customer with an existing firewall, we first see what their current requirements are from the existing firewall, what they need to implement but cannot, or what challenges they are having. 

Then we compare the features of the existing firewall and Check Point firewall, and we tell them what the rules will be, like incoming and outbound rules. We try to see what is the fastest way, without any downtime, how we can point or configure the checkpoint. 

Then, after that, we do the testing, because almost all of the offices need that. So, normally, once we set it up, we give them one month for testing. Normally, for a better line or something, we just use a certain IT department or a sub-department for testing. After that, if it's okay, we hand it over.

In a nutshell:

Requirement Analysis →  Feature Comparison  → Rule Definition → Testing and Validation → Phased Rollout → Client Acceptance

• Deployment time: 

Normally, for a site, more or less, less than one month. It depends on the number of users. If there are a very large number of users, like 600,000, then it will take around one month or more.

• Deployment resources: 

Normally, we have two technicians working. One is from the Philippines, trained in Sophos and Check Point. We don't need many more staff for the implementation.

• Maintenance: 

It's very easy. Only the licensing. Every year, we have to pay, but sometimes clients talk about the cost. Also, very recently, there was a ransomware issue. The only issue is, for example, if it's ransomware, and it doesn't get detected by Check Point and gets infected from another source, we have to prove that it's not from the outside but from the inside. Because there are a lot of case scenarios like this, those are the things mostly.

• Integration capabilities: 

Integration is a little bit challenging. It's much easier for integration with other applications and domains. When integrating with a domain, there are still some small issues. For example, when applying a group from the domain controller, we sometimes need to test a firewall and do some reporting. There are small issues like that for the integration of LDAP. Other than that, it's good. It can pull up the users and groups, but there are some minor issues when we apply them.

It's effective and good.

Compared to Sophos and others, Check Point pricing is good for the current market.

In terms of features, Check Point and other firewalls are almost the same. There are no special or advanced features.

I can recommend it to other people. Overall, I would rate it a seven out of ten. 

Currently, we utilize Check Point firewalls, IPS, site-to-site VPN, and remote access VPN features for our various client operations.

We have implemented a cloud firewall for one of our customers and primarily handle perimeter security using Check Point firewalls for multiple customers.

We also handle POCs, implementation, upgrades, and daily security operations as part of our services.

We are distributor partners who also distribute Check Point products to our customers. We recently convinced our clients to use Check Point firewall services and signed a contract with them.

We have not received any issues from any clients using Check Point services so far. It is really great to use and up-to-date. In Check Point, we have never seen it hit any vulnerabilities like other products.

Also, the TAC support from Check Point is excellent. I really appreciate it when dealing with complex issues. It allows us to easily obtain vendor support without many issues compared to other products.

Certifications and training from Check Point are valuable. I recently attended a boot camp and found it both knowledgeable and enjoyable.

Recently, I came across the Check Point Infinity AI feature in one of the Check Point webinars, which I believe is unique and will be very useful in the future.

Also, Check Point Harmony and Quantum deliver uncompromising performance with advanced threat prevention, policy management, remote access VPN IoT security, SD-WAN, and more.

Infinity Threat Prevention is an innovative management model. It provides zero-maintenance protection from zero-day threats and continuously and autonomously ensures that your protection is up-to-date with the latest cyber threats and prevention technologies.

The upgrade process of Check Point could be simplified to match other products.

For some of the MSSP partners, Check Point should personally go and give demos to them. This way, the MSSP can show their clients what Check Point is capable of and what kind of new technologies and features Check Point is coming up with.

Adding automation for upgrades and hotfix installation would be a beneficial new feature for administrators from an operations standpoint. Additionally, Check Point should pay more attention to endpoint security; they are currently lacking in that area compared to other competitors.

I've been using Check Point products for more than eight years.

The solution is 100% stable. 

The solution offers 100% scalability.

Technical support is very good.

Positive

No; we have multiple clients, so we use multiple products.

The setup is fine; I've only faced issues during upgrades.

The expertise of the vendor is excellent. I'd rate them ten out of ten.

The ROI is really good.

In terms of cost, pricing, and licensing, Check Point is not very expensive or complex.

We did not evaluate other options. 

My overall experience is really good. I am enjoying working with Check Point products, especially on the firewall. It's much easier compared to other firewalls.

The solution is used to provide firewall security to cloud integrations.  

The spoofing prevention feature is the most valuable feature.

The solution provider needs to upgrade the IPSec VPN port because VPN branch-to-branch configuration can be easily implemented at our company, but several difficulties arise in a cloud environment like AWS or Azure cloud. The aforementioned cloud providers often need to create VPN interfaces, but in a few cases, these teams don't have the knowledge for configuration or IP points; their knowledge remains limited to the architecture of the clouds on a networking level. 

In future releases of the solution, a remote access VPN feature should be added. Our organization expects the aforementioned feature because we have a secure validated configuration in our remote access VPN, and the feature would allow easy configuration.

For instance, if a customer wants to connect a VPN to a particular domain laptop, our company can integrate the domains with our network's remote access VPN, but the user is unable to connect with other personal laptops.

I have been using Check Point NGFW for five years. 

I would rate the stability of the solution as seven out of ten. The tech support is not operational sometimes, and in a few cases, the tech team of the vendor is unable to provide support with a proper explanation or resolution. Check Point NGFW fails to provide workarounds for certain issues and thus leads to huge time consumption for a single task. The support team of Check Point NGFW on a few occasions takes five to ten hours to resolve an urgent VPN issue which impacts the stability. 

At our company, if we raise an RMA for Check Point NGFW, it takes immense time, which is around 15 to 30 days, to obtain the box, whereas other vendors offer it within five to seven business days. Due to the aforementioned issue, our organization needs to implement a test device on the environment and purchase temporary licenses for that device so that the customers in a stand-alone environment can access the internet. 

In Check Point NGFW, sometimes the logs consume excess storage, and even the storing or indexing process is not implemented correctly. 

I would rate the scalability a seven out of ten. 

Support is available for Check Point NGFW, but the support team, in most cases, is unable to provide an effective and on-time solution after collecting logs. I would rate tech support a seven out of ten. 

Neutral

I worked with Palo Alto previously before transferring to Check Point NGFW. I wanted to learn about Check Point NGFW in-depth as it's considered a difficult solution compared to others, so I ventured into it. 

In our company, we have the option for both cloud-based and on-prem deployment of the solution. The management server integration is different for the aforementioned options. If the traditional management server is present locally, in that case, at our company, we are using the solution for integration, but if a cloud is involved, some keys need to be integrated with the cloud management to let the firewall have internet access. 

Almost every time when the management server reaches or expands to another country in our organization, we face difficulty with integrations. The deployment time of Check Point NGFW depends upon customer requirements, but it takes approximately 15 to 30 days. More feature integrations demand the involvement of more teams in the deployment process. In my area of business, about 50 to 70 customers are using Check Point NGFW. 

If the solution is in a cluster environment, a maintenance window is not required and most of our customers are using the solution in a clustering or stand-alone mode. 

It's an expensive solution. 

Most of our organization's customers are using Check Point NGFW for networks, as enhancing the firewall's performance is not required; if the firewall goes inactive, total protection decreases. Our organization's customers don't want to depend on any particular product and are thus investing in multiple security products. 

On a few occasions, integrating a RADIUS configuration with Check Point NGFW has been difficult because some versions are not supported. I have also faced trouble regarding authentication when integrating Check Point NGFW with Azure EAD. 

Recently, Check Point NGFW has been integrated with zero-threat AI security features. In our organization, we are installing the solution on the Blade architecture, where the aforementioned features function well enough. I would recommend Check Point NGFW to others. I would rate Check Point NGFW overall a six out of ten. 

Our customers find that the Check Point NGFW highly effective for data center deployments. Additionally, smaller models are well-suited for branch locations where local internet breakout is necessary. These smaller models streamline internet access at remote sites, eliminating the need for third-party service providers and reducing costs. The 26000 and 28000 series excel in securing DMZs, while the lower-end versions are ideal for branch-level internet breakout, allowing direct cloud connectivity without intermediary networks. It offers cost savings and efficient security solutions tailored to various deployment scenarios.

Some of the most valuable features are URL filtering, web filtering, and content filtering. Typically, customers would need to invest in cloud web security solutions for local internet breakout. However, by deploying Check Point firewalls, which include these functionalities built-in at each site, the need for separate cloud-based solutions is eliminated. This consolidation reduces costs significantly, as one product serves multiple purposes: routing, switching, and next-generation security features such as timeboxing and malware filtering.

Check Point could enhance its capabilities further by focusing on global threat intelligence, particularly in addressing zero-day attacks and other unknown threats. If I were to suggest improvements for this firewall, it would involve enhancing its core features. Currently, there are many additional licenses available for purchase, such as DDoS protection, URL filtering, and global threat intelligence. These additional licenses increase the overall cost significantly, as they are add-ons to the base model. It would be beneficial if Check Point included more licenses bundled with the base model, reducing the need for additional subscription charges for essential functionalities.

I have been working with it for one year.

I would rate its stability capabilities eight out of ten. I'm uncertain about its performance in large enterprises, where stability is paramount. It's crucial that the firewall can handle high throughput, accommodating multiple gigabytes of bandwidth, alongside additional firewall features like web filtering, content filtering, and sandboxing. In my experience with capacities ranging from one hundred to two hundred megabytes, focusing solely on web and content filtering, the product has proven to be stable.

There is room for improvement in scalability. Adding more firewall features can impact the performance of the device, particularly in terms of processor capacity. I would rate it six out of ten. Our customers typically fall within the medium-sized business category.

All manuals are accessible on the website, ensuring comprehensive documentation is readily available. The publicly available documentation is satisfactory, covering a wide range of information. However, certain documents not accessible to the public are provided to partners through a partner sign-in portal. This access ensures that all necessary documentation is available within our organization.

The initial setup was quite straightforward. It involved basic configuration, which I would rate as an eight out of ten in terms of simplicity.

The deployment took approximately five hours. The process can be executed in various methods. I typically perform a remote login from the console. The deployment involves three main steps: IP configuration, security configuration, and DNS setup, including any necessary DNS protection configurations.

It falls in a moderate price range, not as inexpensive as some alternatives but not as costly as Palo Alto. I would rate it seven out of ten. There are numerous additional licenses required for advanced security features, leading to additional costs.

Check Point has introduced several SD-WAN and IoT features, among others. I would suggest exploring the zero-trust features offered by Check Point. Additionally, if interested in incorporating SD-WAN or IoT capabilities, these features are readily available within the product. It's important to note that in today's landscape, Check Point offers more than just a traditional firewall; it's a comprehensive and advanced solution. Overall, I would rate it eight out of ten.

We use Check Point Quantum Network Gateways for all our on-site firewalls. It protects the network edge, network core, data center, and our AWS direct connect. 

We are a payment facilitator and security is one of our core requirements. 

We have implemented VSX which enabled us to reduce the hardware footprint. 

We have implemented 6700NGFW, 6600NGFW, and 6400NGFW in different network segments. We have enabled basic firewall, ClusterXL, and IPS licensing. 

Due to the nature of the traffic, we do not use Application Control or URL Filtering.

With our previous firewall solution, we had no automated compliance tools. Now, with the Check Point Quantum Network Gateways, we have the ability to automate compliance reports for both GDPR and PCI3.2, and by using VSX (Virtual System Extension) we have reduced our data center footprint. This will lead us to become a more sustainable organization. 

We have found the central management (Smart Console) to be very helpful in managing all the firewalls and keeping the software/hotfix versions up to date.

By implementing VSX (Virtual System Extension), we were able to reduce our hardware footprint, reducing both direct and indirect costs. This also enables us to quickly scale up or down to meet business needs.

We have also found that the Intrusion Prevention System implemented on Check Point Quantum Network Gateways is robust, efficient, and very easy to implement. Being able to add it later as a software feature is a real boon. The customization options enabled us to zero in on our specific use case.

Due to our unique environment, we have to implement BGP on our firewalls, and the way that BGP is implemented on Check Point Quantum Network Gateways is not intuitive and requires additional custom configuration. This caused a significant delay in our migration. The way that NAT is implemented was also not intuitive and required additional custom configuration.

We have also run into an interface expansion limitation, and thus it would be helpful if products lower in the stack would offer more interface expansion options.

The solution has been in use for one year.

During the first year of operation, we have seen 100% up-time.

Due to the VSX implementation, I would conclude that it is highly scalable.

Customer service and support from the vendor have been excellent. They have assisted in communicating issues back to Check Point and the subsequent response from Check Point has been very good.

Positive

We used Cisco ASA 5500 series firewalls, but these have reached the end of life and needed to be replaced.

The initial setup and migration was complex and we had a vendor team assisting.

The expertise of the vendor team is excellent; I'd rate their services nine out of ten.

It is important to carefully consider your needs. Additional features can be activated easily - for additional licensing costs. However, opting for extended licensing can provide cost savings through discounts.

In looking at replacing the existing firewalls we considered Cisco, Palo Alto, and Check Point. 

Check Point Quantum Network Gateways offered us a more favorable price point without compromising on functionality.

We use the solution for threat protection in the banking and finance sectors.

Check Point NGFW is popular because of the protection it offers. 

The pricing and UI need to be improved. 

The enterprise is quite expensive. There are small boxes that are competitive enough.

I have been using Check Point NGFW for a year.

The product is stable.

I rate the solution’s stability a nine-point five out of ten.

The solution can scale up to enterprises.

I rate the solution’s scalability a nine-point five out of ten.

The initial setup is easy, but maintenance is very difficult. Deployment and fine-tuning take a day.

There were no glitches or issues. We were able to achieve a positive ROI for our business. It saved them a significant amount of money that would otherwise have been spent on dealing with ransomware activities.

The product is expensive and costs around one-point-five million.

I rate the product’s pricing an eight out of ten, where one is cheap, and ten is expensive.

Thorough planning is essential when implementing a Check Point NGFW. You need a checklist outlining what policies to establish. While the installation is straightforward and does not require much effort beyond obtaining a license, creating and configuring policies can be time-consuming. Therefore, allocating sufficient time and resources to policy creation is crucial to ensure effective security management.

Overall, I rate the solution a nine out of ten.