Check Point Quantum Force (NGFW) Reviews

Generally speaking, it's like any other NGFW. It's quite a versatile solution for many aspects. It's not like a separate solution for firewalling, but a separate solution for web access. It's just very convenient to have everything in one box. On the other hand, when you need something, like a very top-rank solution for very specific things, like network intrusion prevention or network intrusion detection as a component of NGFW, I would say it looks weaker compared to the well-designed solution for its purpose. It has the same issue as many other versatile or unified solutions, so it's really convenient.

From our point of view, including me and my colleagues, I would say it's really good that they have a lot of integrations with third-party companies. Integrations with third-party companies are really convenient. API offers many convenient ways to integrate with open-source solutions. It's very, very good when you have everything in one package and one bundle.

If you check each and every point from this part, you will find some flow in an area, or you will discover another flow in another area. It's unfortunate, and not a usual situation and it is not just for NGFW but for any other tool, making it a disadvantage where improvements are required.

For the next release, I would prefer the tool to be more flexible in terms of general deployments because some additional companies must be deployed as a basic one. For those who have been working with their solutions for a relatively short amount of time, it would be better for the tool to offer an adequate knowledge base, not just very superficial information, or maybe not too much in that spot, something like average stuff. The tool should be more flexible in terms of deployment, and a more adequate knowledge base should be available.

About the UI, it is hard to comment because it has been more or less the same for many years. Professionals have already been using the tool's interface for many years. From a contemporary angle, the tool's interface looks a bit outdated from a UI point of view. The UI has been more or less static in terms of changes for the last couple of years. People can get to the UI and work with it in a couple of months, but compared to any other solutions on the market, which are more flexible and more rapidly evolving, I would say that UI should be considered for improvement.

I have been using Check Point NGFW for two to two and a half years. My company is a partner and reseller of the solution.

For stability in high-load networks, I rate the solution a six to seven out of ten.

Scalability-wise, I rate the tool an eight to nine out of ten.

There could be some performance issues under the heavy deployments and heavy load, but generally, if you are talking about the general scalability, it is quite good.

The tool is suitable for large and very large enterprise businesses. From our company's practice, I would say it is meant for banks and financial institutions. It is also quite popular in heavy industries. I would say it has a more or less wide list. It is more or less very popular in banking.

The tool can be scaled up, but even despite high scalability, it requires a lot of extra companies to bear a high-load environment and high-load networks, making it a bit unfair, especially when comparing some of the numbers with the real-world statistics it likes too far from reality.

The solution's technical support is fine. I rate the technical support a nine to ten out of ten.

Positive

If ten means easy, I rate the product's initial setup phase a six to seven out of ten. It is not a plug-and-play solution. It requires much more skill and effort for the specialist to set it up properly. Even if there are any PoCs, you can easily discover the difference between the easy setup process and the more difficult setup phases, and I would say that Check Point falls under the latter category as it takes much more time and effort. Sometimes, it could be buggy, and you just need to fix some other firmware or software update.

The solution is deployed on an on-premises model for large and very large enterprises.

The time to deploy the solution depends on the stage because you can talk about the initial deployment or you can talk about the deployment, including the integrations. I would say that the integrations would be really time-consuming. For the initial deployment, I would say it is a couple of days if it is not really a large installation and a couple of weeks are needed for the initial deployment.

ROI is like an artificial point in connection to a solution like Check Point NGFW, and its numbers are quite questionable.

Suppose the company has too many different solutions from different vendors. In that case, it becomes a greater burden in terms of support and everything, especially in terms of management of these solutions. I would say that Check Point would be a good choice if they are planning to migrate. If it is something like a choice between one NGFW from a vendor and you want to move into the Check Point NGFW, it becomes a bit more tricky. It becomes really hard to say about the ROI because it is just like a different approach. If you are moving between a lot of different solutions from different companies, then ROI will be really good and attractive.

The tool's price is reasonable in case you are not using it in a high-load environment. If you are not expecting significant increases or peak increases in loading, it should be fine. If it is a really highly loaded VLE environment, and if you try to rely on the tool's official numbers, I would say you can put your environment and network in jeopardy because it becomes really unstable. For the last couple of years, the situation has changed, and it has become really tricky to understand why the tool's official numbers aren't aligned with real-world numbers, which is a big problem for the VLE customers because when they are just trying to consider their official stats and official scalability numbers, it might be tricky. VLE customers should have, like, a 20 to 30 percent extra, or else, at this point, it becomes much more expensive.

The tool's prices don't make any sense because we are not talking about MSRP prices for VLE. We are talking about the discounted prices, which could be a really, really huge gap between the MSRP and the discounted price. I don't think these numbers will highlight any beneficial aspect of the price for you.

There needs to be accuracy in terms of scalability. It should be well-designed, and if the customer does not have enough resources or their own resources, it is better to involve an adequate number of SIs. The system integrator will do the trick, and if a person is experienced, then everything can be really good in terms of the certifications, the statistics, and everything else. The system integrator should do everything properly, but it will be quite expensive, especially if we are talking about large and very large enterprises. For mid-sized businesses, it should be fine because it is less tricky, and even the normal specialized person on the customer side should be fine with using it, as it can be quite easy. In any case, scalability is a bottleneck here.

I rate the tool a seven out of ten.

I used Check Point NGFW to secure the data centers of medium to large enterprise companies. In many cases, it serves as a perimeter firewall, though its use can vary based on specific needs. Primarily, it functions as a defensive firewall.

The GUI is not very user-friendly, and configuring it can be challenging. The management console often has issues, sometimes requiring high CPU usage on your FTP or Windows system to open or manage sessions. It can be resource-intensive. Additionally, when viewing or monitoring logs, they sometimes do not appear immediately and may be outdated or missing.

I have been using Check Point NGFW for two years.

It is a stable device.

They support a range of enterprises, from small to large. Their solutions can accommodate environments with as few as 50 users to those with thousands or more. So, handling a large number of users is not an issue.

Support is very good.

Positive

The initial setup is not straightforward and can be more complex than that of other devices like Palo Alto or Fortinet firewalls. The setup for the CMA and management center requires careful implementation. Additionally, integrating components such as MDM and other security devices, including sandboxes, can be challenging to achieve a cohesive and secure environment.

The time required for deployment depends on the amount of configuration needed. Typically, it might take a full day, but with sufficient time, a basic configuration can often be completed in about eight to ten hours.

I have worked with both on-premises and VM versions. The CMA is typically deployed as a VM on a server, while the firewall is a physical device. 

I have already deployed many times by myself, so there is no need for many people.

It is a cheaper device than what other vendors offe.

For security features, I typically use the templates or standards provided by the vendor. Based on my experience over the past three years, I haven’t encountered any significant complaints from customers about attacks or major issues while using the firewall to protect their data centers.

Google has a premium partnership with Check Point, involving extensive verification processes for major customers. This strong partnership indicates a significant level of collaboration between the two companies.

I haven’t handled any maintenance, but the support center has been very helpful. They provided excellent support and demonstrated strong knowledge whenever I reached out for assistance. They are proficient in various languages and have a good grasp of Linux, which is essential for effective support.

They provide good step-by-step implementation guides, similar to what is available for Fortinet's FortiGate. However, I find the implementation process for other vendors to be easier. Pricing varies among the three vendors, so there are differences in cost. Palo Alto offers the best options for sizing, though I haven’t worked operationally.

I recommend it, but you should know Linux and its commands to work effectively with this device.

Overall, I rate the solution a six out of ten.

The solution is used to provide firewall security to cloud integrations.  

The spoofing prevention feature is the most valuable feature.

The solution provider needs to upgrade the IPSec VPN port because VPN branch-to-branch configuration can be easily implemented at our company, but several difficulties arise in a cloud environment like AWS or Azure cloud. The aforementioned cloud providers often need to create VPN interfaces, but in a few cases, these teams don't have the knowledge for configuration or IP points; their knowledge remains limited to the architecture of the clouds on a networking level. 

In future releases of the solution, a remote access VPN feature should be added. Our organization expects the aforementioned feature because we have a secure validated configuration in our remote access VPN, and the feature would allow easy configuration.

For instance, if a customer wants to connect a VPN to a particular domain laptop, our company can integrate the domains with our network's remote access VPN, but the user is unable to connect with other personal laptops.

I have been using Check Point NGFW for five years. 

I would rate the stability of the solution as seven out of ten. The tech support is not operational sometimes, and in a few cases, the tech team of the vendor is unable to provide support with a proper explanation or resolution. Check Point NGFW fails to provide workarounds for certain issues and thus leads to huge time consumption for a single task. The support team of Check Point NGFW on a few occasions takes five to ten hours to resolve an urgent VPN issue which impacts the stability. 

At our company, if we raise an RMA for Check Point NGFW, it takes immense time, which is around 15 to 30 days, to obtain the box, whereas other vendors offer it within five to seven business days. Due to the aforementioned issue, our organization needs to implement a test device on the environment and purchase temporary licenses for that device so that the customers in a stand-alone environment can access the internet. 

In Check Point NGFW, sometimes the logs consume excess storage, and even the storing or indexing process is not implemented correctly. 

I would rate the scalability a seven out of ten. 

Support is available for Check Point NGFW, but the support team, in most cases, is unable to provide an effective and on-time solution after collecting logs. I would rate tech support a seven out of ten. 

Neutral

I worked with Palo Alto previously before transferring to Check Point NGFW. I wanted to learn about Check Point NGFW in-depth as it's considered a difficult solution compared to others, so I ventured into it. 

In our company, we have the option for both cloud-based and on-prem deployment of the solution. The management server integration is different for the aforementioned options. If the traditional management server is present locally, in that case, at our company, we are using the solution for integration, but if a cloud is involved, some keys need to be integrated with the cloud management to let the firewall have internet access. 

Almost every time when the management server reaches or expands to another country in our organization, we face difficulty with integrations. The deployment time of Check Point NGFW depends upon customer requirements, but it takes approximately 15 to 30 days. More feature integrations demand the involvement of more teams in the deployment process. In my area of business, about 50 to 70 customers are using Check Point NGFW. 

If the solution is in a cluster environment, a maintenance window is not required and most of our customers are using the solution in a clustering or stand-alone mode. 

It's an expensive solution. 

Most of our organization's customers are using Check Point NGFW for networks, as enhancing the firewall's performance is not required; if the firewall goes inactive, total protection decreases. Our organization's customers don't want to depend on any particular product and are thus investing in multiple security products. 

On a few occasions, integrating a RADIUS configuration with Check Point NGFW has been difficult because some versions are not supported. I have also faced trouble regarding authentication when integrating Check Point NGFW with Azure EAD. 

Recently, Check Point NGFW has been integrated with zero-threat AI security features. In our organization, we are installing the solution on the Blade architecture, where the aforementioned features function well enough. I would recommend Check Point NGFW to others. I would rate Check Point NGFW overall a six out of ten. 

We use Check Point Next Generation Firewall both as a perimeter firewall and as an internal firewall. 

For customers, we recommend using the open platform, which is the software installed on your own server. We usually find that you get a lot more performance out of the software that way. Also, a lot of energy companies use it as well.

Check Point Next Generation Firewall helps us with routing failover, setting up a web dashboard for better management of the platform, and ensuring the stability and availability of our firewalls with its backup features.

The price point is good. You get a lot more features for the cost. How it's bundled and packaged is very simple to order. All the features are bundled with the product, and it's just a matter of checking a box to turn it on or off. 

Performance is usually better on OpenServers, where we provide the server on the Check Point platform.

The operating system and platform could be more tightly integrated. Some features are better done on the OS side of the platform. Integrating all features into one dashboard should avoid switching between the new and old dashboards.

Check Point Next Generation Firewall is quite stable. For features like backup and data, I would rate it highly.

Check Point Next Generation Firewall offers excellent scalability. With OpenServer, it's just a matter of purchasing licenses that enable more CPUs to be used. We can increase the RAM on the box and allow for more network traffic and customers onto our platform.

The support is great. I usually get it online and it meets our needs effectively.

Positive

Setup is easy. I would give it an eight out of ten.

The pricing is fair and more competitive than many competitors. On a scale of one to ten, with ten being the most expensive, I would rate it around a three in its category.

Cisco does not support SSL inspection, and its detection capabilities are limited. I would say Check Point is comparable with Palo Alto in terms of features and detection capabilities.

I would recommend Check Point Next Generation Firewall because of its detection capabilities, which ensure protection by identifying malicious files and suspicious activities. The price point is also lower compared to Palo Alto for the same features.

I'd rate the solution nine out of ten.

Primarily, it's used for customers who want to add their network security.

The IPS protection is the most useful feature that I found from Check Point. It has a feature called WatchTower, which helps you manage the device using a mobile. That's the most used feature. 

Other than that, it's quite simple. All the other features are what you find in all other firewalls. So the best feature that I find from Check Point is WatchTower.

The setup is a little complex compared to its competitors. That's what makes it stand out. Other than that, it could always be done by another product, but they have a lot of IoT products. This is definitely something like a Check Point Quantum device.

I have been using it for two years. The version I use is R8x series. I'm not exactly sure, but it's the latest version.

It is a stable product. 

It is a very scalable solution. 

The customer service and support have been good.

Positive

I used Sophos XG. We (my company) still use Sophos, Check Point, and FortiGate. We use all three firewalls in our environment.

Check Point has a really good feature where they give us a subscription for IoT device protection, which other vendors don't have. Sophos, I don't think they have it. 

Fortinet charges for it separately, so that's an additional cost, but with Check Point, the feature is built in. It's not an additional license.

Moreover, Check Point has started promoting a lot. It's well known here in our region.

The initial setup is complex. It's pretty easy to maintain.

We deployed it for customers. So maybe if we do a big deployment, it could be difficult.

The pricing is reasonable compared to the features that you get.

I highly recommend it to users who have a lot of IoT devices.

It all comes down to one simple thing:

"If you have IoT devices, I highly recommend Check Point NGFW. If you don't, it's a bit complex compared to Fortinet and Sophos."

But once you get the hang of it, you can quite easily configure the device.

Moreover, Check Point has a certification program if you want, and you can learn with that. They also have a separate certification program that you can take, a paid certification program.

I am satisfied with the documentation by Check Point. 

Overall, I would rate the solution a nine out of ten. 

Our company undertook a network transformation and instead of implementing a separate IPS solution, we've opted for the NGFW of Check Point. We've leveraged the different security blades available in the Check Point NGFW. Besides the IPS blade, we've also leveraged the anti-malware threat intelligence blades for our gateways, especially for the perimeter. 

We've also enabled the IPS blade for our remote offices as part of the additional security layer for our smaller international offices and used both the IPS and anti-malware for our bigger offices. 

We've managed to reduce the CAPEX cost of the network transformation when we leveraged the versatility of the Check Point NGFW solution. 

Instead of purchasing separate solutions for the IPS, anti-malware, and threat intelligence, the security blades of the Check Point NGFW were just enabled. 

The software subscription cost is already included in the annual software and hardware maintenance cost which made the solution more cost-effective than having separate solutions wherein we need to maintain a separate subscription for each. 

Besides the basic firewall feature of the Check Point NGFW, we find the IPS and anti-malware security blades to be most valuable for our current implementation.

The IPS and anti-malware solutions have successfully identified and blocked potential threats from our perimeter. 

Though we are also using threat intelligence, we see more validation of the successful use of the IPS an anti-malware. 

The successful performance of the security blades has shown the value of the investment along with the comparable success of leveraging the NGFW over a separate specialized security solution. 

Overall, we are satisfied with the performance of the NGFW both from the functional and operational perspective. The solution has been proven effective in detecting and blocking potential and intentional threats to the company's internal network without impacting the performance of the appliance. 

What can be improved though is the capability of providing an executive summary report that can highlight the performance and operational effectiveness of the implemented security solution. The current reporting capability needs to be parsed and edited to be appreciated by leadership.

We've been using Check Point NGFW for more than 4 four years.

Check Point NGFW has been very stable and very rarely do we encounter any performance issues due to hardware or software issues. 

The solution is very scalable and easy to manage.

Customer service and support are very responsive, and we get quick and fairly consistent turnaround times for the resolution. 

Positive

We previously used Cisco Firepower, however, we were not satisfied with its performance both functional and operational. 

The initial setup was straightforward since the deployment is just the typical high-availability active standby implementation. 

We implement through a vendor team. The vendor team is very competent and has consistently displayed their expertise in the technology. 

Unfortunately, our team does not have visibility on the ROI.

If the implementation would require multiple gateways, consider leveraging the Infinity Total Protection. 

We no longer evaluated other options. 

The customer purchased Check Point 6200 Firewalls to replace their aging Cisco ASA firewalls on the perimeter of their sites. The Cisco Firewalls must be replaced due to insufficient capacity.

It is envisioned that the initial migration will be a direct replica of the ASA configuration, with the client expanding the solution post-migration, with Check Point NGFW features.

This project consisted of the following deliverables:
• Rule base is migrated like for like, in which ASA Firewall zone-based rules will be converted to Check Point Parent/Child layered rules.
• Firewall zones to be imported and reviewed post migration by client.
• NAT rules will be migrated “as-is”.
• Geo-location rules from FTD will be honored and mapped into Check Point.
• Client-based blacklisting will be migrated into the solution, using external feeds via URL.
• A single IPS profile consisting of a clone of the vendor's “out-of-box” balanced profile (optimized).
• 1X site-to-site VPN.
• Integration into Client’s Cisco ISE solution for RADIUS-based admin authentication.
• NGFW licensing and blades to be installed on firewall devices, to allow features to be enabled in the future and expand the solution.

The Client wishes for the ASA firewalls to be replaced with a Check Point systems solution, which consists of 6200 Plus Appliances. 

The initial requirement was to migrate the configuration in an “as-is” state, with the necessary licensing purchased and installed to enable expansion of the solution with next-generation feature sets in the future.

The solution was able to meet and exceed the client's requirements thereby improving the client's environment.

The management server is software-based.

Firewalls and licensing include:
• FW
• IPS

The solution provides a single pane of glass management of rules/logging.

The solution supports IPsec tunnels FOR 1X IPsec VPNs.

The solution integrates with the client’s Cisco ISE RADIUS solution for administrative access.

The compute power of the appliance is great. The Check Point appliances are considered NGFW devices and can process both the ASA and FTD requirements on a single instance, removing the requirement for an expansion SSD module and/or additional hardware.

We'd like an option that can convert other vendors' NGFW configurations to supported Check Point NGFW config for ease of migration.

Check Point configuration options can be very enormous and overwhelming.
Check Point comes with a very lean learning curve even though they offer a robust knowledge base. 

A lot of configuration cannot be accomplished via the web interface or the smart dashboard software and must be done manually via the command line interface.

I'd like to see some built-in automation for the firewall alerts/events to trigger an automated response or recovery.

I've used the solution for three years.

The solution is stable with frequent version and management updates.

The solution is highly scalable and expandable.

The solution offers great customer support.

Positive

We used a different solution and needed more processing power and functionality which this had compared to industry competitors.

The setup was straightforward yet third-party device migration contained a lot of manual configuration conversions.

I implemented this myself.

Pricing can be relatively more expensive when compared to industry peers, however, the functionality makes up for the price difference.

We also evaluated:

• Cisco NGFW
• Fortigate NGFW
• Palo Alto NGFW

This is a great overall solution.

We use the solution for our data center firewall on-premises. We have deployed a VSX Cluster that currently holds three virtual firewalls. We have several site-to-site VPNs established with our partners and hundreds of policies applied. 

We had a custom configuration in our previous policy for which we were passing traffic from one VPN tunnel to another transparently. With Check Point we had to create a new virtual firewall in order to keep it working, so from one firewall we ended up with two rerouting traffic from one firewall to another and changing NAT in order to keep this solution running. 

Finally, we created another (third) virtual firewall and configured it to be only a remote access SSL VPN firewall and to be used as a backup if our primary in our HQ fails while the other two firewalls handle production traffic. 

We selected this solution in order to replace the Cisco ASA we used to have. 

The features the CP firewall has combined with a very attractive price led us to this decision. The migration was smooth and all the features we needed have been configured easily and worked as expected. Additionally, the SmartConsole and the Log Event viewer made our every day to day tasks easier. 

Also, we were provided with a trial license for the compliance blade and the IPS which are truly amazing. I believe that the compliance blade will be used soon by our company in order to assist with the ISO certificate we are trying to get. 

Since we have already deployed an AWAF on our premises we didn't use the IPS but the features presented definitely would increase the security level. 

Although we use it as our data center firewall, it would be ideal for our HQ Office with all the security features it provides.

I appreciate the Smart Console for its ease of use and clarity in managing configurations. It's user-friendly and free of software bugs. Smart Console simplifies the management of current policies and objects, making it effortless to track an object's usage or identify unused objects, thus ensuring a tidy configuration. 

Additionally, the hit count feature proves highly valuable, enabling policy prioritization based on usage frequency and facilitating verification of traffic alignment with newly created policies. Furthermore, implementing 2FA for SSL VPN users was a straightforward process, notably without the need for additional costs, unlike the FortiTokens required for our primary SSL VPN.

Additionally, the quick and seamless option to revert to a previous configuration revision is highly valuable. The logs tab serves as a helpful tool for troubleshooting. 

It's worth noting that we've experienced no CPU or memory issues, and the system is highly responsive.

The only downside is that we are not able to have redundant VPN tunnels with our cloud environments. We tried many guides suggested by the CheckMates community and have not been able to easily capture packets in a PCAP file as we used to do with the ASDM Packet Capture Wizard.

Finally, in the past year, we faced severe downtime that lasted many days due to a misconfiguration. Support wasn't able to detect it. We are allowed to add an automatic NAT in an object and install it in all three virtual firewalls that we have. I cannot imagine a real case that needs this option. This option should be totally removed. 

The destination MAC address for this object was flapping between the three virtual MAC addresses of the FW leading to a packet loss in our service up to 30%. Our manager found the root cause at the end.

I've used the solution for three to four years.

In the past four years that we have had Check Point, we haven't faced any stability issues. It is a stable solution.

Our cluster is oversized for our needs so we haven't reached any system limits in order to face an issue or at least observe its behavior. Our solution covers our current needs and can easily handle any additional load.

Technical support is average. From my last experience, it was my manager who found the root cause of the downtime. 

Positive

As noted earlier, our transition to this solution marked a shift from our previous Cisco ASA Cluster setup. Check Point's prominent position in the network industry and the compelling price point offered made it too appealing to overlook.

The initial setup and the configuration migration were done by an integrator who specializes in such migrations. It was complex enough yet very well-planned and organized.

The implementation was done by a very qualified vendor team.

Since I am in the engineering department, I can't evaluate the actual income or costs of handling our production traffic with this solution.

I'm not sure what was evaluated. It depends on the company's unique existing infrastructure and needs.

We evaluated offers for Cisco, Fortinet, and Palo Alto solutions.