topic Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall in Endpoint

Possible to use Harmony Endpoint Application Control capability without activating the Firewall one?

dt7 — Fri, 23 Jan 2026 02:05:16 GMT

Dear all,

I am seeking some clarifications on how the Harmony Endpoint Application Control & Firewall capabilities can be used from experts in the community.

I would like to use Application Control in my context to manage allowed/blocked applications in production environment, but I don't really have a need to use the Firewall capability in Harmony Endpoint. The firewall part is already managed in a separate way (MS GPOs, etc.) and I do not want / need to activate the Firewall capability in Harmony Endpoint, only the Application Control part, is that possible?

From what I understand (based on the admin guide and my experience with the product), both seem to be merged together under the same blade and it does not seem to be possible... unless I am missing something:

Under software deployment the capabilities are enabled together, I do not know any way to just enable Application Control for example
Both seem to rely on a service called "Check Point Endpoint Security Network Protection", which only appears on the endpoint when the combined blade above is enabled.

Even if the Firewall capability must be activated, I do not see any way in the Harmony management console to disable it, you can only edit the Firewall inboud/outbound rulebase or manage objects.. If you have no choice but to enable it together to use Application Control, how to negate its effects? Disable all rules in the rulebase and it will not do anything or interfere in any way with the Windows firewall / Defender on the machine? Or it will anyway override and take over the Windows Firewall as long as it is enabled?

In short, is there a way to bypass / disable the Firewall capability and just use Application Control only?

I have attached a couple of screenshots as well to illustrate the point.

Thank you for your help.

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

the_rock — Fri, 23 Jan 2026 02:15:39 GMT

Hey @dt7 You asked:

In short, is there a way to bypass / disable the Firewall capability and just use Application Control only?

I am fairly sure there is no way to bypass it. For the lack of better term, I would call them as a bundle "Network protection"

You are more than welcome to verify with TAC, but Im 99.99% sure they will tell you the same. I will leave 0.01% I am wrong...would not be first OR last time lol

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

dt7 — Fri, 23 Jan 2026 02:20:07 GMT

@the_rock Noted..

In that case, do you know how to negate the impact of having Firewall enabled? Does it deactivate the Windows firewall by default as long as the Firewall feature is enabled or there is a way to ignore the processing in Harmony and leave it to the OS as it was?

For example:

Disable all the rules under Firewall inbound / outbound?/
Use any/any allow in both?

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

the_rock — Fri, 23 Jan 2026 02:23:35 GMT

Yes, you can do that. Technically, it would be same as in say regular CP firewall, or any fw, for that matter, you can always create rules to allow/bypass specific subnets/ports. But then, it begs the question, why even have the blade enabled or use the firewall?

I get your dilemma (for the lack of the better word), but it sure sounds if you totally disabled the blade, then you would need to rely on windows built in firewall to allow/block specific services on the PC.

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

dt7 — Fri, 23 Jan 2026 03:26:30 GMT

Yes but this is fine, I already manage the necessary via built-in Windows firewall / GPOs, I basically just want to use Application Control and do not want to enable Firewall in Harmony Endpoint ideally.

The problem is that it seems you cannot just enable Application Control without enabling Firewall in Harmony, so how to basically make sure it does not interfere with the builtin Windows firewall even if it is enabled, as I don't plan on using that capability (ideally) in Harmony.

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

the_rock — Fri, 23 Jan 2026 03:34:05 GMT

I totally get what you are saying now. Thats a bit of "catch 22" situation, if you will. Does not appear those blades can be "separated", so technically, best thing to do would be enable it, and then keep making exceptions as needed via policy.

Makes sense?

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

dt7 — Fri, 23 Jan 2026 04:22:52 GMT

Yes makes sense, as long as enabling the Firewall capability in Harmony does not completely override the built-in Windows firewall managed by GPOs, do you know if that's the case?

For example, if you enable Harmony Endpoint antimalware blade, it auto-disables Windows Defender. If the same thing happens when enabling Firewall in Harmony, then making exceptions or allowing "any" in Harmony Firewall will actually create a security hole in the previous configuration instead..

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

the_rock — Fri, 23 Jan 2026 04:36:25 GMT

Im fairly certain that enabling fw blade on harmony endpoint would effectively override windows defender built in firewall and your GPO rules would also be affected.

Maybe best to open TAC case to confirm.

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

TurgutKaplanogl — Fri, 23 Jan 2026 09:03:26 GMT

Hello,

Technically, you must deploy to both blades simultaneously; you can not unselect FW or App blade from deployment rules or package export rules. You can do this while editing the FW blade policies. To bypass the firewall functionality, you can configure the Inbound and Outbound policies as Any–Any–Allow and disable logging.

Thank you

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

lluner — Sat, 24 Jan 2026 13:30:22 GMT

Honestly, with the Checkpoint firewall you have the possibility to create many more features than the Windows firewall, besides log management and subnet management.

Among the possibilities:

1- Better rule management
2- Log visualization
3- Subnet microsegmentation

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

the_rock — Sat, 24 Jan 2026 13:31:32 GMT

I was hoping you would reply...I was going to tag you, but then could not remember your username.

Thanks @lluner

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

the_rock — Wed, 28 Jan 2026 00:46:08 GMT

Hey mate,

Please let us know if you were able to sort this out? It would be good to know if anyone else encounters the same dilemma.

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

dt7 — Wed, 28 Jan 2026 07:17:43 GMT

Are you able to manage the different zones in Harmony Firewall as well? Such as domain firewall, private and public? This can be done by GPO, but I am not sure how the same thing can be achieved using Check Point firewall, if you have any inputs that would be great.

In addition, what do you mean exactly by 3- Subnet microsegmentation? Is it the fact that all traffic will go through the Check Point firewall on the client and so you can also isolate the device within its own connected subnet for example to block traffic from machines in the same subnet?

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

lluner — Wed, 28 Jan 2026 10:00:19 GMT

@dt7

R:.You can do this on the Checkpoint firewall; it works as both inbound and outbound.

R:. You can do it all

The granularity of the firewall is up to your imagination.

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

dt7 — Thu, 29 Jan 2026 04:12:15 GMT

Hello, I haven't fully tested this part yet, but I will eventually in order to validate what has been discussed. If I have more helpful information on this, I will try to post it at a later date yes so that it can help others.

Thank you 🙂

Re: Possible to use Harmony Endpoint Application Control capability without activating the Firewall

the_rock — Thu, 29 Jan 2026 04:13:24 GMT

Excellent, thanks for letting us know!