Michael_Rolbin
Contributor

Harmony Endpoint/Connect vs SASE

1. How can we implement the SASE solution with Harmony? Can we do it with Harmony Connect or Harmony Endpoint?
2. Is it possible to do it with Harmony Endpoint/Connect, or just with "Conventional" Endpoint?
 
Can we implement the following features: 
 
Compliance Policy
  • Replace current SCV checks with Harmony Endpoint compliance checks
  • Configure compliance policy (Domain, patching, certificates, etc)
  • Test compliance policy and update where necessary
  • Document compliance policy settings

Endpoint Firewall

  • Use cases: Location awareness, IT remote administration of endpoints (User or IP address based inbound rules), administration of endpoint firewall, etc

Remote Access VPN Policy

  • Set up Harmony Endpoint policy for VPN sites
  • Set up certificate (host-based authentication) always-on VPN. Is this in addition to, or does it replace, the current MFA (user-based authentication)?
  • Pre-authentication to Active Directory configured via policy
  • Set up DHCP Infoblox configuration for VPN clients
  • VPN re-establishes after the laptop has been in sleep mode
  • Configure VPN to not connect when the laptop is at Corporate campuses
  • Configure and test visitor mode functions as expected
  • VPN will be split tunnel
  • Prevent laptops from connecting to the VPN (lost, stolen, employee leaves the company)
3 Replies
PhoneBoy
Admin

You can run Harmony Connect and Harmony Endpoint on the same PC, FYI, but they're really complementary solutions that solve somewhat different problems.

All of the requirements you list are mostly done with Harmony Endpoint (new name for SandBlast Agent and friends).
Where Harmony Connect comes in handy is in the situation where you'd normally route Internet traffic back to your datacenter for visibility/security reasons.
Instead of doing that, traffic is secured/inspected in the cloud. 

Michael_Rolbin
Contributor

Thank you for your reply.

Some missing points for me: 

1. Lack of Harmony Connect documentation related to SASE. I found that the Beta version is available, but I cannot find any instructions on how to configure connections from Endpoints via Harmony Cloud to DCs - the classic SASE architecture.

2. How to assign a certificate (host-based authentication) always-on VPN and policy per VPN site. 

PhoneBoy
Admin

We are about to GA Harmony Connect.
Right now I don’t believe you can route traffic from client to cloud to DC.
@Tomer_Sole will have to comment on roadmap for that. 

For Harmony Endpoint, host-based Auth involves using R80.40+ and machine certificates.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Always-Connect feature can be configured to be enabled/disabled in SmartConsole > Global Properties > Remote Access > Endpoint Connect > 'Connect mode'.
It is then enforced on all the clients that connect to the site.
