Q: What's the official product site ?
A: Harmony SASE | Datasheet | Status
Q: Where can I find documentation ?
A: Knowledge Base | What's New | Search | Highlights | Product Walkthrough | Glossary
Q: What is SASE ?
A: Secure Access Service Edge
Q: What is Check Point's SASE offering ?
A: Check Point provides a single-vendor SASE solution, consisting of Harmony SASE + Quantum SD-WAN (Datasheet).
Q: What is Harmony SASE ?
A: Hybrid SASE solution
Harmony SASE > Private Access
Advanced zero-trust network access providing secure access for users, applications and networks to cloud and on-prem resources.
Private global network
Private & public DNS servers
Wi-Fi security
Cloud firewall
WireGuard and IPsec Support
IDP integration
Full mesh connectivity
Agent/-less access to resources
Management API
Full / Split tunnelling
Device posture validation
Harmony SASE > Internet Access
Cloud-based Secure Web Gateway, provides super-fast internet access security for users. Double your protection
Private global network
URL Filtering
On-device protection
DNS Filtering
Threat prevention
TLS Inspection
Q: What are the key advantages of Harmony SASE ?
A: Key advantages:
Easy to use
Instant deployment + simple management
Low TCO
Low latency = fast Internet access
Correct localization
Easy licensing per user
Highly responsive 24/7 support chat
Central web management (single pane of glass)
SSL traffic is opened on the client and not in the cloud (i.e. no man-in-the-middle de-/encryption)
Supports almost all identity providers
Seamless SSO integration
Highly available, encrypted, secure access to any resource via the SASE network
Contextual Zero Trust and policy-based auth tied to device, user and location
DNS Filtering to ensure users cannot access malicious content
Device posture check ensures user devices are fully compliant
Multi-tenant & multi-regional cloud NaaS + SaaS platform
Compliant with international privacy & security standards
Dedicated gateways with static IPs
High performance connections (each gateway offers 1Gb/s bandwidth)
Highly scalable
Q: How is Harmony SASE licensed ?
A: Private Access & Internet Access are licensed per user.
Q: How can users connect to the SASE network ?
A: Agent-less or via agents on these OS's:
Q: Where are security checks performed ?
A: Hybrid on the SASE agents (client-side) and in the cloud.
Client side checks: SWG (Malware protection, Web filtering), SSL Inspection, Device posture checks, ..
Cloud side checks: DNS Filtering, Full / Split Tunneling, Segmentation, ..
Q: Where are the POPs located ?
A: Regions and Gateways | More planned in 2024
Q: Where can I find webinars or videos ?
A: CheckMates TechTalk | P81 | Perimeter 81 in Action
Q: Which regulatory compliances is Harmony SASE compliant with ?
A: ISO 27001 | HIPAA | SOC 2 Type 2 | GDPR
Q: What cloud provider(s) is Harmony SASE running on ?
A: See Global DataCenter Backbone
Q: When is the next tech. training ?
A: CPX 2024 (post-event training) In-person
A: SASE Tech Bootcamp, Zurich, Switzerland (Jan. 30, 2024) In-person, led by @Igor_Moskowitz
A: SASE Tech Bootcamp, Geneva, Switzerland (Jan. 31, 2024) In-person, led by @Igor_Moskowitz
A: Get Smart About SASE, Seattle, USA (Feb. 23, 2024) In-person
Q: How do I connect my Check Point gateway to the SASE network ?
A: Via VPN as described here.
Q: Where can I download SASE agents for my clients ?
A: SASE agents are available here for Windows, Mac, Linux, iOS and Android / Chromebook.
A: Within your SASE portal, agents are available at workspace.perimeter81.com/devices/downloads
Q: What's SWG?
A: Secure Web Gateway.
Hybrid SWG
Web filtering and malware protection on client device and in the cloud.
Advantages:
Direct cloud access for remote users (no backhauling to on-prem servers required)
SaaS service (no hardware deployment, maintenance, patching or hardware refresh)
Protect bypassed traffic (protects users on and off the corp. network or split tunnel)
Perform SSL decryption locally on the user device
Apply network-wide rules in the cloud and user/group-specific on device
Malware protection: zero deployment, zero configuration, zero time to protect (easy to deploy and use)
Malware detection methods:
Signature based, Generic, Emulation, Heuristics, Machine Learning
Comprehensive malware protection:
Known & unknown malware
Modified malware (polymorphic)
Zero-day exploits
Q: Is there a feature overview ?
A: See below.
Features | Windows, Mac, Linux | iOS / Android |
Select default protocol | | |
Use VPN services | | |
Always-on VPN capability | | |
Auto-reconnect | | |
Agent dyn. IP assignment | | |
Agent static IP assignment | | |
Web Filtering | | |
Device Posture Check | | |
Assign devices to users | | |
Least Privilege Access | | |
FWaaS | | |
SWG | | |
DNS Filtering | | |
Full / Split tunneling | | |
Public / Private DNS | | |
ZTNA | | |
CASB | | |
2FA | | |
IPv6 Support | | |
Q: Is there a list of known limitations ?
A: There is no official list at the moment, so we'll keep track of known limitations here:
Function | Limitation |
SASE Network | Initially configured private network (default or custom) can't be changed. |
Web Filter Rules + Bypass Rules | Only working for Windows & Mac clients. No web filtering on mobile devices. No section titles available. Time condition can't be adjusted to a specific time zone. No direct log view separately for each rule available. Wildcards are not supported for URLs. Customization of user block pages is not supported. |
Address Objects | Can't be edited while used in a rule. |
Devices | Only dynamic IP assignments supported. Devices can't be assigned a static IP from the SASE network. Devices can't be assigned to users / members. DPC helps as a partial workaround. Device inventory only shows devices. No management of devices available. |
Device Posture Check | Only supports rules for Windows, Mac, Linux clients. Mobile devices can only be generally allowed/denied with no further checks. |
Private Gateways | IPsec S2S tunnels support pre-shared keys (PSK) only. No cert-based VPNs. |
Identity Sharing | Not yet available in Harmony SASE. |
Q: Why don't some address objects show an edit button ?
A: This is a current limitation. Objects that are in use within a rule can't be edited.
Workaround: Duplicate an object you'd like to edit, perform your edit and replace the original object with your edited duplicate.
Q: How can device posture checks be used to secure network access ?
A: Access to internal and cloud resources can be restricted based on: Groups, Date & Time, Geo-location, Operating Systems, Web Browsers.
Q: How do I verify URL categorization ?
A: URL categories can be verified here. P81 uses Open Text's BrightCloud as 3rd party provider for URL categorization.
Q: How can I customize block pages for users ?
A: This is not supported yet. Raise an RFE.
Q: How many users can I add to a rule ?
A: Max. 5 user accounts. For more, add them to a group.
Q: How do I set up a VPN tunnel between my Check Point security gateway and my SASE network ?
A: Follow this configuration guide.
Q: Can I also add a VPN tunnel to a dynamically assigned IP address (DAIP) gateway ?
A: Yes. Configure the VPN tunnel with the current IP address of your Check Point DAIP gateway as if it were a static IP. Verify that the VPN tunnel is working. Create an API script that checks every minute if the dynamic IP of the DAIP gateway matches the one configured in your SASE environment and, if required, updates it.
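The core of such a per-minute check, as an added example (not code from the original FAQ or from Check Point). The three callables are hypothetical stand-ins for your own public-IP lookup and your own wrappers around the Management API calls that read and update the tunnel's peer address; no real API endpoint is shown, and the addresses are constructed documentation-range samples.

```python
import ipaddress
from typing import Callable, Optional

# Ranges that can never be a valid internet-facing tunnel peer.
_REJECTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def usable_peer_ip(value: str) -> Optional[str]:
    """Return the normalized IPv4 address, or None if it cannot be a peer."""
    try:
        ip = ipaddress.IPv4Address(value.strip())
    except ValueError:
        return None
    return None if any(ip in net for net in _REJECTED) else str(ip)


def sync_daip_peer(observe_ip: Callable[[], str],
                   read_peer: Callable[[], str],
                   write_peer: Callable[[str], None],
                   confirmations: int = 2) -> str:
    """One scheduled run; returns 'unchanged', 'updated' or 'skipped'."""
    # Require several identical, valid observations so a garbled lookup
    # result is never written into the tunnel configuration.
    seen = {usable_peer_ip(observe_ip()) for _ in range(confirmations)}
    if len(seen) != 1 or None in seen:
        return "skipped"
    current = seen.pop()
    if current == read_peer():
        return "unchanged"
    write_peer(current)
    if read_peer() != current:  # read back to confirm the change was stored
        raise RuntimeError("peer address update was not applied")
    return "updated"


if __name__ == "__main__":
    # Constructed sample: in-memory dict standing in for the SASE workspace.
    workspace = {"peer": "203.0.113.10"}
    result = sync_daip_peer(lambda: "203.0.113.77",
                            lambda: workspace["peer"],
                            lambda ip: workspace.update(peer=ip))
    print(result, workspace["peer"])
```

Log every "updated" and "skipped" result from the scheduled job, so an unexpected peer change or a failing IP lookup shows up in review.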
Q: What are best practices for the support access functionality ?
A: Only allow support access as long as required by the SASE support team.
A: Create a separate support account for the SASE support team to assure log validity.
If you grant support access with your personal account, then logins from different countries appear in the log:
Q: Why does Microsoft MFA authentication fail after Azure AD has been set up as Identity Provider ?
A: Verify that you followed this guide step by step. In case your login still fails, recreate the client secret.
Q: Why does authentication via Email and Password fail if another, domain-based, Identity Provider is enabled as well ?
A: Authentication is automatically redirected to an Identity Provider if the domain matches.
Make sure you don't lock yourself out by using the same email domain for Email and Password and a domain-based Identity Provider that might not be working because of misconfiguration or connectivity issues.
Q: Why doesn't Limit access by group for my Identity Provider show any groups other than All Users ?
A: To automatically provision user groups from your Identity Provider into your SASE workspace via SCIM, purchase a license that includes SCIM functionality (recommended).
Otherwise you could test to limit authentication into Perimeter 81 by creating user groups beforehand in your SASE workspace with the same name (case sensitive) as configured in your Identity Provider.
Q: Are all SASE configurations officially supported ?
A: Only configurations documented in the Knowledge Base are officially supported.
Q: Do Check Point Endpoint Security client and Harmony SASE (P81) client work well together on the same machine ?
A: Check the Release Notes for your specific SASE desktop client (Windows, Mac, Linux) and create an exception in your Check Point EPP for perimeter81.updater.exe and perimeter81.cli.exe
Q: How do I completely uninstall the Harmony SASE (P81) client from my Windows Desktop ?
A: Uninstall the Perimeter 81 application and Microsoft Windows Desktop Runtime.
Q: What can I do if my Harmony SASE (P81) client doesn't start ?
A: Completely uninstall the client, download the latest client version and install it. If that doesn't work, contact Check Point Support.
Q: How will I be notified of planned maintenance windows of the SASE portal ?
A: The SASE portal shows a notification box several days in advance.
Q: Why do I get an error on Sign In after fresh installation of the Harmony SASE (P81) client ?
A: Verify that your workspace is correct. Manually correct it or click on Change Your Workspace.
Q: Why do pricing plans differ between P81 and Check Point's product catalog ?
A: P81's legacy pricing plan was valid for P81 customers until P81 was acquired by Check Point.
A: New Check Point Harmony SASE customers purchase via Check Point's pricing plan:
Private Access | Essentials | Premium | Complete |
Private Global Network | | | |
Agent-based access to resources | | | |
WireGuard and IPsec Support | | | |
Full mesh connectivity | | | |
Wide device support | | | |
Cloud Edge Gateway instance for every 100 users ordered | | | |
Agentless access to applications | 20 Applications | 50 Applications | Unlimited Applications |
Cloud Firewall | - | | |
Device posture check | - | 3 Profiles | Unlimited Profiles |
Always-on | - | | |
Wi-Fi security | - | | |
Solution architect | - | | |
Management APIs | - | - | |
SCIM | - | - | |
Internet Access | Essentials |
Private global network | |
On-device network protection | |
DNS filtering | |
URL filtering | |
TLS inspection | |
Threat prevention | |
Q: What's included in a user license ?
A: Each user license can use up to 5 devices concurrently.
A: For each 100 users ordered, one cloud edge gateway is automatically entitled.
Q: How many users per cloud edge gateway are supported ?
A: There is no user limit in terms of support. Check Point suggests not to have more than 50 users per gateway in a standard use-case where the customer would have one or more site-2-site tunnels connected to the same gateway. Additionally, the gateway bandwidth is set to 1Gbps, so it is important to take that into calculation as well.
Q: When are configuration changes transferred to the SASE agent ?
A: Almost instantly. The SASE agent doesn't even need to be connected to the SASE network to receive updates.
Q: Who queries my private DNS server if I configure my SASE network to use it ?
A: The SASE cloud acts as a DNS proxy for your SASE agents and queries your private DNS from dyn. IP addresses.
No matter what DNS is configured on the clients, as long as the SASE agents are connected to the SASE cloud, it will resolve DNS requests for them via your private DNS. You'll also need to configure a DNS rule in your SASE firewall rules allowing DNS requests from your SASE users.
-- Partner Resources --
Q: Where are the partner portals ?
A: Partner portal | Support portal
Q: Where can I find docs for partners ?
A: Introduction | Partner webinar | Customer presentation
Q: Where can I find training for partners ?
A: Sales training | Technical training | Demo environment
-- Documentation --
Q: Where can I find more docs on Harmony SASE ?
A: Unified Management Platform
A: Agentless Zero Trust Network Access (ZTNA)
A: Malware Protection
A: Hybrid Secure Web Gateway (SWG)
A: Securing Azure Access
A: Securing AWS Access
A: Securing GCP Access
A: Secure Access With SaaSPass
A: Internet Access: Double Your Protection
A: Device Posture Check
A: Checklist