Check Point Quantum Force (NGFW) Reviews

It's just enterprise firewalls, firewall clusters for redundancy to secure the company network from the internet, and as well as a data center firewall, for example, if you want to split up subnets to control traffic between them.

The management is very handy and intuitive, and it has a lot of features. I think it's one of the products in this market which has the most possibilities.

I saw some other firewall vendors or firewall solutions from other vendors. And maybe I like it because I'm very familiar with Check Point and the management of the Check Point gateways. So, probably, I'm just not aware of how other solutions work and how to use them. 

We also see or have a lot of customers with Palo Alto. That's also a solution we see a lot, but we have been a Check Point partner for more than seven or eight years since the beginning of our company. We have done a lot of research on firewall solutions. 

In our opinion, it's one of the best because the management is very handy. So it's easy to implement every possible configuration, and you have a good oversight of your rule set. 

If I compare it with Cisco Meraki, for example, if the rules grow, then it's very hard to get oversight or to have oversight over the whole rule set. So then it becomes hard to manage.

With Check Point, it's easy because even when you have 200 or more rules, it's still very user-friendly, and you can still quickly manage your whole rule set.

What I like about Meraki is the whole cloud-managed feature, where it can configure gateways in the cloud and preconfigure it as well. So I don't need to have access to the device or create a configuration in the cloud. 

And as soon as the firewall comes online connected to the internet, then it downloads its configuration from the cloud. I think Check Point does also have such a solution, but I'm not aware that it's as easy as Cisco Meraki. Sometimes it would be nice if they would have the same possibilities.

I have been using it for about five years now. 

I have not yet faced any challenges with performance or stability. Sometimes when we implement core firewalls, there are applications that have longer session timeouts than the Check Point firewalls in the default settings. 

Windows has a default session timeout for about two hours, I think, and Check Point's is one hour. So, it's not a performance issue, but the application will not run as well as before the security gateway analyzes and blocks traffic. So, it depends.

Scalability  is a very good point of Check Point's solution. They can scale very well and very large.

The technical support is also very well and specific. It's very useful to have technical support from Check Point.

Positive

I have experience with Nutanix Flow. It's also possible to enable training in Nutanix Flow where you can redirect the traffic to Check Point gateways. I think that's a very useful feature if you need layer seven traffic analysis and blocks. But I don't have any customers, or we don't have any customers, who use chaining. We also don't have any customers who use a micro-segmentation solution from Check Point. So, I'm not aware if they have a comparable solution like Flow.

For the initial setup, you need a good knowledge of the operating system, Gaia OS. It needs some knowledge to get started, but if you've done it once, then it's easygoing.

Normally, we check the customer's requirements. Then we start to deploy the gateway and start with a basic rule set so the customer is able to refine it for their needs. If we are in charge of creating a complete rule set, we will bring all the requirements into a concept and then create a rule set in a more suitable way.

Some customers have very basic requirements. If it's just to deploy the gateways, then it's very easy and quick. You just need maybe a few days and a maintenance window outside of business hours. But there are also customers who have a lot more requirements, like scanning or analyzing the traffic for subnets inside of the network. 

For example, a core firewall can be very time-consuming. You need to do a lot more research and concepts or write concepts on how to achieve that. That can take a few months.

For maintenance, you need to know what you do. It can be difficult if you don't know what you want to achieve. If you are not aware of network security, then probably it's not that easy, and you may run into configuration errors or mistakes. It's easy to manage, but you have to know what you do.

Check Point is not the cheapest vendor in the market, but it has everything you need compared to other solutions. So that's probably the main reason for the cost or the prices. I think it's probably on the same level as Palo Alto.

I would recommend Check Point to other users who are looking into implementing it.

I would advise others to compare or write down their requirements and have a look to see if Check Point is able to fulfill all the requirements.

Overall, I would rate it a nine out of ten.

The primary use case of many organizations is to protect their environments from outside cyber threats across multiple layers of infrastructure. For example:

1. At a perimeter level, it protects the network at the parameter; many organizations use this firewall.

2. It provides scalability and seamless traffic flow in a network. 

3. It has all-in-one next-generation features, so many organizations save money using this firewall.

Check Point NGFW helps in many ways, including:

1. Using the application filter feature, I can block all the unwanted applications which are not used in the organization. Due to this, less bandwidth is used in the network. This leads to a cost cut in the ISP bill. 

2. With the help of URL filtering, I can block very easily. If this is not blocked, users may surf malicious websites or download malicious files.                             

3. Evaluation licensing helps us to conduct POCs and explain all features to customers. 

I love the application filter, as the user cannot access any applications that are not relevant to them. This reduces the likelihood that someone may access an application that contains a malicious link or file that the user may download, which in turn reduces ransomware attacks and DDoS attacks.

They just need to improve the technical support and professional services in India. We have received many complaints about them from clients and also face the same issue ourselves. 

For the past one and half years I have been using Check Point Firewall for security.

We have a good impression of stability. 

The performance is very good; there is no issue with performance.

I've only deployed Check Point Firewalls and have used other older Check Point devices that reached EoL.

The initial set up is simple. Users just need to run the wizard to set up, and they are done.

I deployed the solution for many customers in the banking sector.

Costing and licensing are high as compared to other OEMs.

I mostly work on Check Point; others which I have evaluated include Cisco and Fortigate.

Mostly enterprise customers use it for their system security as their main firewall. For example, some customers have multiple backup connections, including fiber connections, for redundancy. 

They use Check Point as the main firewall, and others use it for email scanning and file scanning to detect any vulnerabilities.

The firewall scanning, like antivirus scanning and malware scanning, are very good. Blocking the user is also very easy. If you want to block a user, we can just do it within the solution.

The reporting is quite easy and good, and you can see traffic in real-time. But compared to Sophos, Sophos is still better. There are still areas in Check Point that need to be improved.

It's actually quite good, but the only problem we faced was during COVID when people wanted to work from home. 

We had to use third-party software to give users access because the Check Point option didn't work as expected. So we used Check Point in the front, but we used third-party software for the virtualization of the applications and everything.

When using redundant connections, sometimes there are issues like one connection going down and switching to another connection. Also, breaking rules can be complicated. 

For example, if you want to make a rule for a specific connection, like assigning some users to one ISP and other users to another ISP, you have to use another device, like a third-party firewall intervention and routing, to get the desired results. Other than that, it's good performance-wise.

I've been working with Check Point for the past six or seven years. We always work with the latest version.

It's very stable. No issues there.

It's scalable.

Our clients have raised questions to technical support. They all have accounts, so we give them the login details. They send an email to support and get a support request. But normally, we try to handle everything on our own. 

If there's something we can't handle, like a firmware-level issue, only then do we get support from Check Point.

It depends on the client requirements also. Some government agencies need Check Point, and some clients need others like Cisco or Sophos. After Cisco, a lot of clients have changed to Sophos. So, we provide solutions depending on the client's requirements.

The initial setup is straightforward, just like any other normal firewall. 

• Deployment strategy: 

The deployment process depends on the client. For example, if it's an existing customer with an existing firewall, we first see what their current requirements are from the existing firewall, what they need to implement but cannot, or what challenges they are having. 

Then we compare the features of the existing firewall and Check Point firewall, and we tell them what the rules will be, like incoming and outbound rules. We try to see what is the fastest way, without any downtime, how we can point or configure the checkpoint. 

Then, after that, we do the testing, because almost all of the offices need that. So, normally, once we set it up, we give them one month for testing. Normally, for a better line or something, we just use a certain IT department or a sub-department for testing. After that, if it's okay, we hand it over.

In a nutshell:

Requirement Analysis →  Feature Comparison  → Rule Definition → Testing and Validation → Phased Rollout → Client Acceptance

• Deployment time: 

Normally, for a site, more or less, less than one month. It depends on the number of users. If there are a very large number of users, like 600,000, then it will take around one month or more.

• Deployment resources: 

Normally, we have two technicians working. One is from the Philippines, trained in Sophos and Check Point. We don't need many more staff for the implementation.

• Maintenance: 

It's very easy. Only the licensing. Every year, we have to pay, but sometimes clients talk about the cost. Also, very recently, there was a ransomware issue. The only issue is, for example, if it's ransomware, and it doesn't get detected by Check Point and gets infected from another source, we have to prove that it's not from the outside but from the inside. Because there are a lot of case scenarios like this, those are the things mostly.

• Integration capabilities: 

Integration is a little bit challenging. It's much easier for integration with other applications and domains. When integrating with a domain, there are still some small issues. For example, when applying a group from the domain controller, we sometimes need to test a firewall and do some reporting. There are small issues like that for the integration of LDAP. Other than that, it's good. It can pull up the users and groups, but there are some minor issues when we apply them.

It's effective and good.

Compared to Sophos and others, Check Point pricing is good for the current market.

In terms of features, Check Point and other firewalls are almost the same. There are no special or advanced features.

I can recommend it to other people. Overall, I would rate it a seven out of ten. 

Currently, we utilize Check Point firewalls, IPS, site-to-site VPN, and remote access VPN features for our various client operations.

We have implemented a cloud firewall for one of our customers and primarily handle perimeter security using Check Point firewalls for multiple customers.

We also handle POCs, implementation, upgrades, and daily security operations as part of our services.

We are distributor partners who also distribute Check Point products to our customers. We recently convinced our clients to use Check Point firewall services and signed a contract with them.

We have not received any issues from any clients using Check Point services so far. It is really great to use and up-to-date. In Check Point, we have never seen it hit any vulnerabilities like other products.

Also, the TAC support from Check Point is excellent. I really appreciate it when dealing with complex issues. It allows us to easily obtain vendor support without many issues compared to other products.

Certifications and training from Check Point are valuable. I recently attended a boot camp and found it both knowledgeable and enjoyable.

Recently, I came across the Check Point Infinity AI feature in one of the Check Point webinars, which I believe is unique and will be very useful in the future.

Also, Check Point Harmony and Quantum deliver uncompromising performance with advanced threat prevention, policy management, remote access VPN IoT security, SD-WAN, and more.

Infinity Threat Prevention is an innovative management model. It provides zero-maintenance protection from zero-day threats and continuously and autonomously ensures that your protection is up-to-date with the latest cyber threats and prevention technologies.

The upgrade process of Check Point could be simplified to match other products.

For some of the MSSP partners, Check Point should personally go and give demos to them. This way, the MSSP can show their clients what Check Point is capable of and what kind of new technologies and features Check Point is coming up with.

Adding automation for upgrades and hotfix installation would be a beneficial new feature for administrators from an operations standpoint. Additionally, Check Point should pay more attention to endpoint security; they are currently lacking in that area compared to other competitors.

I've been using Check Point products for more than eight years.

The solution is 100% stable. 

The solution offers 100% scalability.

Technical support is very good.

Positive

No; we have multiple clients, so we use multiple products.

The setup is fine; I've only faced issues during upgrades.

The expertise of the vendor is excellent. I'd rate them ten out of ten.

The ROI is really good.

In terms of cost, pricing, and licensing, Check Point is not very expensive or complex.

We did not evaluate other options. 

My overall experience is really good. I am enjoying working with Check Point products, especially on the firewall. It's much easier compared to other firewalls.

Our customers have been using it for the network security.

Unlike Fortinet, where the log loading process can take up to a month, Check Point stands out for its efficiency. While other solutions may only provide logs for a short period, such as one or two months, Check Point impressively retains logs for up to six months on some machines and at least three months on others. This extended log retention period is a significant advantage for our customers, providing them with valuable insights and enhancing their overall security posture.

One of the most advantageous features of Check Point firewall is its multi-interface capability. While traditional firewalls typically have a single interface, Check Point stands out by offering tools with multiple interfaces. This capability, now known as SmartConsole, allows users to manage policies, security objects, and routing points all from one dashboard. This contrasts with other firewalls where users often have to log in separately to access different functionalities. The hierarchical structure of communication and management in Check Point firewalls adds complexity, making it more challenging for attackers to exploit vulnerabilities. Additionally, Check Point introduced SD-WAN functionality in December 2013, further enhancing its capabilities and staying ahead of the curve in network security.

There's a significant area for improvement when it comes to pricing. While frequent updates and patches are released, which is commendable and adds significant value, the loading time for SD-WAN updates can be excessively long.

The feature we're eager to see enhanced in Check Point is reporting, particularly in terms of highlighting past reports. Currently, if we create a rule for a report in the morning, we expect to receive an email highlighting it. While we can set this up, the issue lies in segregating the project into separate reports.

I have been working with it for five years.

Occasionally, we face certain issues and downtimes. Downtime varies depending on the type of changes or updates being made. For instance, a version upgrade typically requires only fifteen minutes for reboots. However, for patch updates or version updates, downtime can extend to at least one hour. In some cases, especially in custom environments, downtime may exceed two to three hours.

It provides good scalability. Despite having only three customers, I've implemented the firewall for over a thousand users. These users are situated in factory environments, meaning there are thousands of endpoints, including those connected via VPN.

I am relatively satisfied with the level of technical support provided. We primarily work with Indian support teams, and while some technical engineers are exceptionally intelligent and quick to resolve issues within ten to fifteen minutes, others may take longer. However, the crucial aspect is that they eventually provide an answer or escalate the issue if needed. When I contact support, I first inquire about the assigned person, and if I am familiar with them, I proceed with the interaction. Otherwise, I prefer to escalate the query to another region to avoid wasting time. I would rate it eight out of ten.

Positive

We have experience working with Fortigate and Palo Alto in the past. In Sri Lanka, Check Point has a strong marketing presence, which influences customer decisions.

The initial setup can be complex and may pose a challenge, especially for those without prior experience. Setting it up for the first time requires careful attention and a level of expertise to navigate effectively.

The deployment process begins with configuring the firewall's IP and other settings. Once this initial configuration is complete, we proceed to the AI portal. In the AI portal, the first step is to configure the interfaces. After configuring the interfaces, we proceed to install the created interface. Next, we move on to the SmartConsole. To access the SmartConsole, we download it from the app portal. Once the SmartConsole is installed, we can easily create rules for logging purposes, manage objects, configure networking, and VPN, and other technical tasks from the SmartConsole. Routing and related tasks are typically handled in the data portal. One individual is enough for the deployment. The duration of the setup process varies depending on factors such as the complexity of the customer's environment and the site architecture. For instance, in a relatively simple scenario with just two VLANs and a couple of VPNs, the configuration could be completed within a few working days. Maintenance is essential, with upgrades and patch updates being mandatory at least once every six months. This ensures the system remains up-to-date and secure.

Our customers are pleased with the return on investment. The occasional bugs and updates, common to all firewalls including Check Point, are being addressed promptly. The platform is regularly updated to ensure optimal performance.

The price is on the higher side.

While the cost may be a consideration, the level of security provided by Check Point is exceptional. In my experience, I have not encountered any cyber attacks. The only negative experience was not related to the firewall but rather to customer issues with the router. It's important to remember that compromising security for cost savings can ultimately lead to vulnerabilities. Therefore, investing in high-security solutions like Check Point is worthwhile. Overall, I would rate it eight out of ten.

Historically, the primary uses for these gateways were perimeter security and internet filtering. However, we now push all our internal traffic through the gateways for LAN segregation and to isolate obsolete operating systems.

Our isolated operating systems and LANs only allow specific traffic from a specific source to access them, making these critical production/business systems more secure. It's not a simple case of just replacing these legacy operating systems but replacing the industrial machinery that they control - which would require an investment of tens of millions of pounds.

Isolating obsolete operating systems wasn't in the scope when implementing the gateways originally. However, it has enabled us to secure Windows XP/Windows 7/2003/2008 machines which are end of support yet are still required to run industrial software and interface with large machines, which are not easy to replace.

Isolating machines and networks, along with SSL inspection, wasn't in scope when the gateways were spec'd. That said, five years later, they are still rock solid, and along with the Threat Cloud intelligence service, this ensures that our firewall is equipped with up-to-date threat intelligence, enhancing its ability to detect and mitigate emerging threats.

One of the strengths of Check Point Firewall lies in its granular policy management capabilities. We can define security policies based on a variety of criteria, including user identity, application, and content type. This level of granularity allows us to enforce security policies that align with our specific needs and compliance requirements.

One of the standout features of our Check Point Gateways is the user-friendly interface. Smart Console (management console) is well-designed and intuitive and provides administrators with a centralized hub for monitoring and configuring security policies. The web version isn't quite there yet, so to get the most out of it, the console needs to be installed, but it allows users to tailor it to their specific needs, and the menu structure is logical, making navigation a breeze for both novices and experienced administrators.

2FA on login would assist us with compliance however at the moment, it's not a major factor for us - yet may be in the future.

It would be nice to have comprehensive documentation and training resources that can help users and administrators better understand and utilize the full range of Check Point's capabilities. We ended up having to travel to London to sit through lots of training as we didn't find the information readily available.

Finding the costs associated with a particular blade can be challenging. This isn't specific to Check Point, but sometimes we need a ballpark cost quickly and don't have the time to speak to a reseller.

The company has been using Check Point gateways for around five years, myself about two years.

Hardware has been 100%; software has been slightly less as we had an issue where the gateways would failover. 

We run a pair of Gateways in HA mode, this solution has worked for us, and there have been no cases of downtime. Adding additional gateways should in theory be quite simple however for us there is no need.

Support has been quick to respond to any questions or issues.

Positive

The company used to sue Cisco Firepower. I wasn't with the company when switching.

The setup was straightforward; the implementation team went on the CCSA and CCSE courses.

We handled the setup initially in-house.

We ran these gateways for five years and will look to do the same with the replacements.

Work with Check Point's presale team and complete the scoping document. If you are an existing customer, use the CPSizeME. 

The company also evaluated Palo Alto.

We have run Check Point Security Gateways for five years and have had very few issues; they have been rock solid, and the hardware has been 100%.

The primary objective was to replace the Cisco ASA firewalls with Check Point NGFWs. In addition to their firewall functions, these NGFWs also provide features like Web Application Firewall and Network Data Security. We used this approach to consolidate security measures into a single, comprehensive solution, much like having a master key at the main entrance rather than separate keys for each window and door. This streamlines security management and ensures a more efficient and robust overall security strategy.

There are several crucial advantages to using Check Point NGFW including its ease of use, as it provides a unified interface for managing multiple security functions. It offers impressive scalability to meet the demands of a large organization and can handle substantial traffic. Its simplified management, enhanced remote support capabilities, and the ability to facilitate secure VPN connectivity for numerous offices and employees are highly beneficial.

The current model is predominantly hardware appliance-based, which can incur substantial costs. These appliances must be purchased separately, contributing to a significant investment.

Our most recent engagement with Check Point NGFW was a year ago when we implemented it for one of your financial sector clients.

The stability of the firewall has been exceptional, with very minimal disruptions. There was only one instance of downtime, and it wasn't attributed to any fault in the firewall itself or the hardware, but due to a configuration issue. I would rate it eight out of ten.

The scalability of Check Point firewalls is a notable strength. These firewalls can handle a substantial number of connections. For instance, they can manage up to one million connections on the NDSW server. Regarding its VPN capacity, it can support around 5,000 to 8,000 users per box, which is quite impressive. This scalability makes Check Point firewalls well-suited for organizations with high connection and user requirements. I would rate it eight out of ten.

Their support team has demonstrated an approximately 24-hour turnaround time, which is considered quite good. We have rarely needed to engage with Check Point support because most issues are resolved internally. Typically, we turn to OEM support only when we encounter challenges that are beyond our capabilities.

I also have experience with Fortinet and Cisco, both of which have made significant developments recently. They have introduced software-based firewall and system solutions, which have garnered attention from customers. This shift in the competitive landscape has led to changes in customer preferences, with more organizations considering Fortinet as a viable option for their security needs.

This process can be a bit complex at times, mainly because it depends on the specific client architecture and how they want to set it up.

The deployment process can be rated at about six in terms of complexity. Several factors influence this complexity, but getting the infrastructure ready is often the most challenging aspect. To successfully deploy, you need to account for downtime, ensure proper backups are in place, and ideally test it in a sandbox environment before going live. After deployment, thorough checks and adjustments are necessary. It typically requires at least two days of parallel operation, where both the new and old equipment run simultaneously. In an environment with no existing infrastructure to replace, the process is generally smoother. Deployment typically involves a team of 2 or 3 people working full-time for 4 to 5 days, equivalent to nine hours a day. Maintenance is handled by a networking team, which includes a Network Operations Center. The team consists of approximately eleven people managing various network components, including L1, L2, and L3 devices.

When considering a POC for a security solution, it's essential to assess the various use cases and functionalities it offers, such as NDSW which is particularly useful for protecting sensitive data. Check Point NGFW is not solely a firewall; it's a comprehensive security solution with various capabilities. It can address a wide range of security requirements, making it a valuable and versatile asset for organizations looking to enhance their security posture. I would rate it eight out of ten.

I do not use them, I just sell them, but customers are using them to protect on the edge and at the core.

It brings value to their clients as everybody is concerned with security. Firewalls are the first line of defense. Check Point's support is probably the best of the major players in that space. Check Point is more complex than the other players, but it is also more powerful.

A lot of the other players have a more robust best-of-suite offering versus the best-of-breed offering. Check Point's capabilities are limited from a firewall perspective. Other players are acquiring companies and offering add-ons like CASB or VPN-type capabilities.

I have had experience with Check Point Next Generation Firewall for seven or eight years.

Their code is a little bit finicky as of late, but that's just because they just released this product line.

It depends on what you're deploying. Maestro is more scalable than standalone firewalls.

The support depends on what support model you buy. Customers that have dedicated support teams get more attention than the traditional support, however, a lot of other companies are offshoring their support.

Positive

Cisco is not a true security company, but Check Point is where they grew up, so I think they are a little more mature.

The initial setup depends on the environment and can take weeks. It is not different than the rest of the players in terms of maintenance.

It's basic engineers, usually one to two people.

It is pretty difficult to determine ROI with firewalls because they are more of an insurance policy. However, it helps with security. The cost of a breach versus having some of these measures in place is the real comparison.

There is a lot of price parity between all the players. Everybody is within plus or minus ten percent. Check Point is probably more expensive than some of the other players out there, but it is incremental.

I evaluated Palo Alto and Fortinet.

I would recommend Check Point Next Generation Firewall to others. I would put them in the upper echelon.

I'd rate the solution nine out of ten.