Hi,

Historically, when performing version upgrades on Check Point Harmony Endpoint, we temporarily moved selected endpoints into a deployment group associated with a higher-priority Software Deployment rule. This rule allowed endpoints to upgrade to the latest version and temporarily activated the Remote Access VPN blade. After testing, endpoints were returned to their original groups, applying a different deployment rule configured with an earlier software version and with the VPN blade explicitly disabled. Previously, this correctly disabled the VPN blade.

However, since upgrading to Harmony Endpoint version 88.70.0326, we've noticed that when endpoints move back to their original group (associated with the software deployment rule that explicitly disables the VPN blade), the VPN blade remains active despite the correct rule assignment. This behavior differs from earlier Harmony Endpoint versions where the VPN blade correctly reverted to the disabled state based on the software deployment rule.

I'm aware that creating an additional deployment group specifically configured to disable the VPN blade would be a workaround but I'd like to understand why this behavior has changed.

Thanks!