https://community.checkpoint.com/t5/Endpoint/VPN-Blade-not-disabled-after-endpoint-moves-to-different/m-p/252749#M10645 <P>Hi,</P><P>Historically, when performing version upgrades on Check Point Harmony Endpoint, we temporarily moved selected endpoints into a deployment group associated with a higher-priority Software Deployment rule. This rule allowed endpoints to upgrade to the latest version and temporarily activated the Remote Access VPN blade. After testing, endpoints were returned to their original groups, applying a different deployment rule configured with an earlier software version and with the VPN blade explicitly disabled. Previously, this correctly disabled the VPN blade.</P><P>However, since upgrading to Harmony Endpoint version 88.70.0326, we've noticed that when endpoints move back to their original group (associated with the software deployment rule that explicitly disables the VPN blade), the VPN blade remains active despite the correct rule assignment. This behavior differs from earlier Harmony Endpoint versions where the VPN blade correctly reverted to the disabled state based on the software deployment rule.</P><P>I'm aware that creating an additional deployment group specifically configured to disable the VPN blade would be a workaround but I'd like to understand why this behavior has changed.</P><P>Thanks!</P> Tue, 08 Jul 2025 11:55:49 GMT user856328 2025-07-08T11:55:49Z https://community.checkpoint.com/t5/Endpoint/VPN-Blade-not-disabled-after-endpoint-moves-to-different/m-p/252749#M10645 <P>Hi,</P><P>Historically, when performing version upgrades on Check Point Harmony Endpoint, we temporarily moved selected endpoints into a deployment group associated with a higher-priority Software Deployment rule. This rule allowed endpoints to upgrade to the latest version and temporarily activated the Remote Access VPN blade. After testing, endpoints were returned to their original groups, applying a different deployment rule configured with an earlier software version and with the VPN blade explicitly disabled. Previously, this correctly disabled the VPN blade.</P><P>However, since upgrading to Harmony Endpoint version 88.70.0326, we've noticed that when endpoints move back to their original group (associated with the software deployment rule that explicitly disables the VPN blade), the VPN blade remains active despite the correct rule assignment. This behavior differs from earlier Harmony Endpoint versions where the VPN blade correctly reverted to the disabled state based on the software deployment rule.</P><P>I'm aware that creating an additional deployment group specifically configured to disable the VPN blade would be a workaround but I'd like to understand why this behavior has changed.</P><P>Thanks!</P> Tue, 08 Jul 2025 11:55:49 GMT https://community.checkpoint.com/t5/Endpoint/VPN-Blade-not-disabled-after-endpoint-moves-to-different/m-p/252749#M10645 user856328 2025-07-08T11:55:49Z https://community.checkpoint.com/t5/Endpoint/VPN-Blade-not-disabled-after-endpoint-moves-to-different/m-p/252760#M10646 <P>It is best to open a support call for this issue: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A></P> Tue, 08 Jul 2025 12:54:33 GMT https://community.checkpoint.com/t5/Endpoint/VPN-Blade-not-disabled-after-endpoint-moves-to-different/m-p/252760#M10646 _Val_ 2025-07-08T12:54:33Z https://community.checkpoint.com/t5/Endpoint/VPN-Blade-not-disabled-after-endpoint-moves-to-different/m-p/252763#M10647 <P>I second what Val said, definitely best thing to do.</P> <P>Andy</P> Tue, 08 Jul 2025 13:17:51 GMT https://community.checkpoint.com/t5/Endpoint/VPN-Blade-not-disabled-after-endpoint-moves-to-different/m-p/252763#M10647 the_rock 2025-07-08T13:17:51Z