This might be considered potentially harmful advice without explaining the significant implications it may have.
Selecting to install a new blade via deployment policy will result in the following:
- Devices affected by the policy will immediately start to download the required packages. While this shouldn't be too significant for just the Firewall blade, we have had customer environments simply collapse if too many devices at once started pulling updates.
- The reconfiguration of blades on installed systems WILL result in a reboot. Yes, by default the client policy permits the user to postpone the operation, but once finished there will be a 2-minute timer to reboot without the option to cancel. Users should be notified in most cases, and some thought should be given to when to deploy.
Seeing as you don't appear to be too familiar with the Firewall blade, keep in mind this WILL disable your existing firewall (Windows Defender Firewall), and the DEFAULT policy for the Check Point local firewall is essentially Any Any Allow, meaning that just installing the Firewall blade without prior configuration of policy CAN and WILL reduce your overall security posture.
Honestly, with how genuinely BAD the local firewall blade is to configure, I'd personally just deal with not having an isolate option.
Local firewall in its current iteration is embarrassing:
- It is in no way, shape or form Application Aware. Yes, there is Application Control, but there is such a high barrier to entry for configuring it that it's just not something you can manage in most environments.
- For an ENDPOINT product you really, genuinely should be able to do rules with "PROCESS NAME" as the Source field.
- There are no dynamic objects (not even one for EPMaaS, for example).
- You can't negate rules (for example, using a negated RFC1918 network group as a way to define the "Internet" isn't a thing you can do; you effectively have one network group you can negate by abusing the "Trusted" zone mechanic).
- Sometimes rules don't catch if they're too precise and you resort to doing funky *ANY* rules just to get basic functionality.
For a company whose bread and butter is the firewall, the local firewall blade on Harmony Endpoint really needs to step up, because currently it's an outright downgrade from the out-of-the-box Windows Defender Firewall, with the only real perk being the Isolate functionality.