This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
WiliRGasparetto
MVP Diamond
MVP Diamond
‎2026-03-29 03:41 PM

Harmony Browse  Engineering-grade Policy Implementation

Below is a Harmony Browse implementation runbook focused on risk control, operational predictability, and exception governance. The goal is to avoid two classic failure modes: a rollout that turns into a ticket storm, and an overly aggressive policy without enough visibility/telemetry.

Licensing/scope note (important): in general, advanced DLP and GenAI Security may require the Advanced package and/or be available depending on your tenant/version. To confirm what is enabled in your environment, validate in the Infinity Portal and in the SKs listed at the end.

0) Mental model (what you are really deploying)

Control plane (policy + identity + governance)

  • Policies (Internet access, DLP, Download protection, etc.), group scoping, exceptions, reporting, and audit in the Infinity Portal.

Data plane (browser enforcement)

  • The extension enforces decisions (block/allow/Ask/Justify, submits files for analysis, generates events) on the endpoint/browser.

If you don’t stabilize connectivity + identity + scope, enforcement becomes “random” and troubleshooting becomes expensive.

 

1) Technical prerequisites (before any pilot)

1.1 Browser inventory and baseline

At minimum, map:

  • Browsers/versions: Chrome / Edge / Firefox / Brave / ChromeOS (and whether there is a Manifest V3 transition).

  • Endpoint types: workstations, VDI, kiosk/shared, admin/jump.

  • Existing controls: proxy, SSL inspection, EDR, DLP, CASB/SWG, corporate browser extensions.

1.2 Connectivity (the #1 rollout killer)

  • Ensure endpoints can reach all required Harmony Browse destinations (FQDNs/ports).

  • Don’t guess—use sk179690 (Harmony Browse Client Connectivity Requirements) as the source of truth for:

    • required FQDNs/domains

    • ports/protocols

    • proxy / SSL inspection specifics

Field note: many “policy not applied” issues are actually proxy authentication problems, SSL inspection breaking TLS handshakes, or blocked URL categorization/telemetry traffic.

1.3 Identity and segmentation (without this, you can’t control risk)

Define your segmentation strategy:

  • SCIM / IdP / corporate groups (where applicable)

  • Rollout rings:

    1. Pilot-IT (high tolerance)

    2. Pilot-Business (real workflows)

    3. Wave 1 (20–30%)

    4. Wave 2 (50–70%)

    5. Full

TAC rule: only advance a ring if the previous ring is within KPIs (crashes/tickets/noise/performance).

 

2) Extension distribution (controlled deployment)

2.1 Distribution method (enterprise standard)

  • Windows: GPO / Intune / MDM (per your operating model)

  • macOS: Jamf / MDM

  • ChromeOS: Admin Console

  • Firefox/Brave: corresponding policy/MDM method

2.2 Mandatory settings (avoid drift)

  • Pin/fix extension version where supported (per corporate policy).

  • Prevent user removal if required by your security model.

  • Define update behavior (controlled vs automatic) aligned with your maintenance windows.

 

3) Policy design (what to enable, in what order, and why)

The sequence below minimizes noise and gives you telemetry before you enforce aggressively.

Phase A — Visibility and anti-phishing (low friction, high ROI)

  1. Zero-Phishing / Anti-phishing

  • Start with Prevent for high-confidence phishing (high signal).

  • Define UX: Block vs Ask/Justify (Ask improves auditability but increases friction).

  1. URL Filtering (baseline)

  • “Corporate-safe” blocks (malware/phishing/high-risk).

  • Avoid “block the world” on day 1.

Phase A KPIs

  • Active vs inactive user ratio

  • detections per user/day

  • top blocked domains + justifications (if Ask is used)

Phase B — Download protection + sandbox/emulation (where tickets are born)

  1. Download protection + Threat Emulation/Extraction

  • Start in a mode that preserves operations (e.g., detect/log for sensitive groups) and harden by waves.

  • Define behavior for “unscannable / analysis failure / encrypted” based on risk appetite.

  • Validate impact on:

    • dev tools (zip, packages, artifacts)

    • legacy portals/ERPs generating non-standard downloads

Don’t state size/format limits from memory—these vary by version/service. Confirm via official documentation/portal and “What’s New” (sk179610) plus the admin guide.

Phase C — DLP (governance and scope first, blocking later)

  1. DLP (uploads, forms, copy/paste, etc.)

  • Model data using Data Types / Data Groups (e.g., national IDs, financial data, credentials, source code).

  • Start with Detect/Monitor (or Ask) by ring; move to Prevent only when:

    • false positives are under control

    • exceptions are governed

  • If applicable and available in your tenant/license: integrate Microsoft Purview Sensitivity Labels for label-based decisions.

DLP/GenAI: this is typically where the Advanced package matters. Validate in your tenant/license and in “What’s New”.

Phase D — GenAI Security (control risk without killing productivity)

  1. GenAI Security

  • Prioritize: exfiltration, sensitive-data paste, uploads, prompt leakage.

  • Segment by groups:

    • Engineering (less blocking, more audit)

    • Finance/Legal (stricter controls)

  • Use Ask/Justify where the business needs flexibility, but keep an auditable trail.

Additional controls (enable only after baseline stability)

  1. Password reuse / credential protections

  2. Incognito control (if required for compliance/risk)

  3. IOC/Indicators (Infinity IOC) for rapid blocking of malicious URLs/artifacts during incidents

 

4) Acceptance testing (pre-go-live) — what to validate “for real”

Build a checklist per ring:

Functional

  • Phishing: block + user notification

  • URL filtering: category match + exception behavior

  • Download: benign file, suspicious file, “problem” file (encrypted/uninspected)

  • DLP: SaaS uploads (M365/Google/Slack/etc.), copy/paste, forms

  • GenAI: normal usage + attempt to paste sensitive data (restricted group)

Operational

  • Does the extension report events? Do users show as Active?

  • Do events arrive in dashboards under the correct category?

  • Can the team explain “why it was blocked” with evidence?

Compatibility

  • Certificate-pinning apps (critical): implement bypass only when needed (explicit, reviewed policy).

 

5) Exception governance (without it, the environment degrades)

Every exception must have:

  • Scope (specific group)

  • Justification

  • Validity (review date)

  • Owner (approver)

Avoid global permanent exceptions for a single app. Prefer function-scoped exceptions (e.g., Dev vs Finance).

 

6) Continuous operations

Recommended cadence:

  • Weekly: top detections, top categories, top overrides

  • Monthly: exception review and policy tuning

  • Quarterly: scope audit (groups, changes, drift)

 

7) Most common failures (and how to avoid them)

  • “Client looks OK but no events” → almost always connectivity/proxy/SSL inspection (go back to sk179690).

  • “Critical app broke” → certificate pinning / poor bypass design.

  • “DLP false positives exploded” → scope too broad without Detect/Monitor phase first.

  • “GenAI turned into witch hunting” → no risk segmentation and no justification trail.

 

References (official)

  • sk179610 — Harmony Browse: What’s New

  • sk179690 — Harmony Browse Client Connectivity Requirements

0 Kudos
0 Replies
Upcoming Events

    Sort by:
    CheckMates Events