topic Re: Harmony Endpoint/Connet vs SASE in Endpoint

Harmony Endpoint/Connet vs SASE

Michael_Rolbin — Wed, 12 May 2021 12:45:45 GMT

1. How we can implement the SASE solution with Harmony - can we with Harmony Connect or Harmony Endpoint?

2. Is it possible to do with Harmony Endpoint/Connect or just with "Conventional" Endpoint?

Can we implement the following features:

Compliance Policy

Replace current SCV checks with Harmony Endpoint compliance checks
Configure compliance policy (Domain, patching, certificates, etc)
Test compliance policy and update where necessary
Document compliance policy settings

Endpoint Firewall

Use cases: Location awareness, IT remote administration of endpoints (User or IP address based inbound rules), administration of endpoint firewall, etc

Remote Access VPN Policy

Setup Harmony Endpoint policy for VPN sites
Setup certificate (host-based authentication) always-on VPN. In addition or replaces current MFA (User-based authentication)?
Pre-authentication to Active Directory configured via policy
Setup DHCP Infoblox configuration for VPN clients
VPN re-establishes after the laptop has been in sleep mode
Configure VPN to not connect when the laptop is at Corporate campuses
Configure and test visitor mode functions as expected
VPN will be split tunnel
Prevent laptops from connecting to the VPN (lost, stolen, employee leaves the company)

Re: Harmony Endpoint/Connet vs SASE

PhoneBoy — Fri, 14 May 2021 21:44:57 GMT

You can run Harmony Connect and Harmony Endpoint on the same PC, FYI, but they're really complimentary solutions that solve somewhat different problems.

All of the requirements you list are mostly done with Harmony Endpoint (new name for SandBlast Agent and friends).
Where Harmony Connect comes in handy is in the situation where you'd normally route Internet traffic back to your datacenter for visibility/security reasons.
Instead of doing that, traffic is secured/inspected in the cloud.

Re: Harmony Endpoint/Connet vs SASE

Michael_Rolbin — Sun, 16 May 2021 04:25:32 GMT

Thank you for your reply.

Some missing points for me:

1. Lack of Harmony Connect documentation related to SASE. I found the Betta version is available but cannot find any instructions on how to configure connections from Endpoints via Harmony Cloud to DCs - the classic SASE architecture.

2. How to assign a certificate (host-based authentication) always-on VPN and policy per VPN site.

Re: Harmony Endpoint/Connet vs SASE

PhoneBoy — Sun, 16 May 2021 05:06:02 GMT

We are about to GA Harmony Connect.
Right now I don’t believe you can route traffic from client to cloud to DC.
@Tomer_Sole will have to comment on roadmap for that.

For Harmony Endpoint, host-based Auth involves using R80.40+ and machine certificates.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121173&partition=Basic&product=Quantum

Always-Connect feature can be configured to be enabled/disabled in SmartConsole > Global Properties > Remote Access > Endpoint Connect > 'Connect mode'.
It is then enforced on all the clients that connect to the site.

Re: Harmony Endpoint/Connet vs SASE

Cathy_Cheng — Thu, 16 Apr 2026 23:45:34 GMT

@Michael_Rolbin

I was wondering if you have achieved all of the following using the Harmony Endpoint. We have similar requirements and need to use Harmony Endpoint:

VPN automatically re-establishes after the laptop wakes from sleep
VPN does not connect when the laptop is on corporate campuses
VPN automatically connects when the laptop is outside the corporate network
When outside the corporate campus and the VPN is not connected, internet access is blocked except for a few specific URLs