
Harmony SASE FAQ

Author: Danny Jung

Q: What's the official product site ?
A: Harmony SASE | Datasheet | Status

Q: Where can I find documentation ?
A: Knowledge Base | What's New | Search | Highlights | Product Walkthrough | Glossary

Q: What is SASE ?
A: Secure Access Service Edge


Q: What is Check Point's SASE offering ?
A: Check Point provides a single-vendor SASE solution, consisting of Harmony SASE + Quantum SD-WAN (Datasheet).

Q: What is Harmony SASE ?
A: Hybrid SASE solution

     Harmony SASE > Private Access
     Advanced zero-trust network access providing secure access for users, applications and networks to cloud and on-prem resources.

        - Private global network
        - Private & public DNS servers
        - Wi-Fi security
        - Cloud firewall
        - Wireguard and IPsec Support
        - IDP integration
        - Full mesh connectivity
        - Agent/-less access to resources
        - Management API
        - Full / Split tunnelling
        - Device posture validation

     Harmony SASE > Internet Access
     Cloud-based Secure Web Gateway, provides super-fast internet access security for users. Double your protection

        - Private global network
        - URL Filtering
        - On-device protection
        - DNS Filtering
        - Threat prevention
        - TLS Inspection

Q: What are the key advantages of Harmony SASE ?
A: Key advantages:

        - Easy to use
        - Instant deployment + simple management
        - Low TCO
        - Low latency = fast Internet access
        - Correct localization
        - Easy licensing per user
        - Highly responsive 24/7 support chat
        - Central web management (single pane of glass)
        - SSL traffic is opened on the client and not in the cloud (i.e. no man-in-the-middle de-/encryption)
        - Supports almost all identity providers
        - Seamless SSO integration
        - Highly available, encrypted, secure access to any resource via the SASE network
        - Contextual Zero Trust and policy-based auth tied to device, user and location
        - DNS Filtering to ensure users cannot access malicious content
        - Device posture check ensures user devices are fully compliant
        - Multi-tenant & multi-regional cloud NaaS + SaaS platform
        - Compliant with international privacy & security standards
        - Dedicated gateways with static IPs
        - High performance connections (each gateway offers 1Gb/s bandwidth)
        - Highly scalable

Q: How is Harmony SASE licensed ?
A: Private Access & Internet Access are licensed per user.

Q: How can users connect to the SASE network ?
A: Agent-less or via agents on these OS's:

Q: Where are security checks performed ?
A: Hybrid on the SASE agents (client-side) and in the cloud.

     Client side checks: SWG (Malware protection, Web filtering), SSL Inspection, Device posture checks, ..
     Cloud side checks: DNS Filtering, Full / Split Tunneling, Segmentation, ..

Q: Where are the POPs located ?
A: Regions and Gateways | More planned in 2024

Q: Where can I find webinars or videos ?
A: CheckMates TechTalk | P81 | Perimeter 81 in Action

Q: Which regulatory compliances is Harmony SASE compliant with ?
A: ISO 27001 | HIPAA | SOC 2 Type 2 | GDPR

Q: What cloud provider(s) is Harmony SASE running on ?
A: See Global DataCenter Backbone

Q: When is the next tech. training ?
A: CPX 2024 (post-event training) In-person
A: SASE Tech Bootcamp, Zurich, Switzerland (Jan. 30, 2024) In-person, led by @Igor_Moskowitz 
A: SASE Tech Bootcamp, Geneva, Switzerland (Jan. 31, 2024) In-person, led by @Igor_Moskowitz 
A: Get Smart About SASE, Seattle, USA (Feb. 23, 2024) In-person

Q: How do I connect my Check Point gateway to the SASE network ?
A: Via VPN as described here.

Q: Where can I download SASE agents for my clients ?
A: SASE agents are available here for Windows, Mac, Linux, iOS and Android / Chromebook.
A: Within your SASE portal, agents are available at

Q: What's SWG?
A: Secure Web Gateway.

     Hybrid SWG
     Web filtering and malware protection on client device and in the cloud.


        - Direct cloud access for remote users (no backhauling to on-prem servers required)
        - SaaS service (no hardware deployment, maintenance, patching or hardware refresh)
        - Protect bypassed traffic (protects users on and off the corp. network or split tunnel)
        - Perform SSL decryption locally on the user device
        - Apply network-wide rules in the cloud and user/group-specific on device
        - Malware protection: zero deployment, zero configuration, zero time to protect (easy to deploy and use)

     Malware detection methods:

        - Signature based, Generic, Emulation, Heuristics, Machine Learning

     Comprehensive malware protection:

        - Known & unknown malware
        - Modified malware (polymorphic)
        - Zero-day exploits

Q: Is there a feature overview ?
A: See below.

Features compared for Windows, Mac, Linux and for iOS / Android (the per-platform marks in the table were images and are not preserved):

        - Select default protocol
        - Use VPN services
        - Always-on VPN capability
        - Auto-reconnect
        - Agent dyn. IP assignment
        - Agent static IP assignment
        - Web Filtering
        - Device Posture Check
        - Assign devices to users
        - Least Privilege Access
        - FWaaS
        - SWG
        - DNS Filtering
        - Full / Split tunneling
        - Public / Private DNS
        - ZTNA
        - CASB
        - 2FA

Q: Is there a list of known limitations ?
A: There is no official list at the moment, so we'll keep track of known limitations here:

     SASE Network
        - Initially configured private network (default or custom) can't be changed.

     Web Filter Rules + Bypass Rules
        - Only working for Windows & Mac clients. No web filtering on mobile devices.
        - No section titles available.
        - Time condition can't be adjusted to a specific time zone.
        - No direct log view separately for each rule available.
        - Wildcards are not supported for URLs.
        - Customization of user block pages is not supported.

     Address Objects
        - Can't be edited while used in a rule.

     Devices
        - Only dynamic IP assignments supported.
        - Devices can't be assigned a static IP from the SASE network.
        - Devices can't be assigned to users / members. DPC helps as a partial workaround.
        - Device inventory only shows devices. No management of devices available.

     Device Posture Check
        - Only supports rules for Windows, Mac, Linux clients.
        - Mobile devices can only be generally allowed/denied with no further checks.

     Private Gateways
        - IPsec S2S tunnels support pre-shared keys (PSK) only. No cert-based VPNs.

     Identity Sharing
        - Not yet available in Harmony SASE.

Q: Why don't some address objects show an edit button ?
A: This is a current limitation. Objects that are in use within a rule can't be edited.
Workaround: Duplicate an object you'd like to edit, perform your edit and replace the original object with your edited duplicate.

Q: How can device posture checks be used to secure network access ?
A: Access to internal and cloud resources can be restricted based on: Groups, Date & Time, Geo-location, Operating Systems, Web Browsers.

Q: How do I verify URL categorization ?
A: URL categories can be verified here. P81 uses Open Text's BrightCloud as 3rd party provider for URL categorization.

Q: How can I customize block pages for users ?
A: This is not supported yet. Raise an RFE.

Q: How many users can I add to a rule ?
A: Max. 5 user accounts. For more, add them to a group.

Q: How do I set up a VPN tunnel between my Check Point security gateway and my SASE network ?
A: Follow this configuration guide.

Q: Can I also add a VPN tunnel to a dynamically assigned IP address (DAIP) gateway ?
A: Yes. Configure the VPN tunnel with the current IP address of your Check Point DAIP gateway as if it was a static IP. Verify that the VPN tunnel is working. Create an API script that checks every minute if the dynamic IP of the DAIP gateway matches the one configured in your SASE environment and, if required, updates it.

Q: What are best practices for the support access functionality ?
A: Only allow support access as long as required by the SASE support team.
A: Create a separate support account for the SASE support team to assure log validity.
If you grant support access with your personal account, then logins from different countries appear in the log:

Q: Why does Microsoft MFA authentication fail after Azure AD has been set up as Identity Provider ?
A: Verify that you followed this guide step by step. In case your login still fails, recreate the client secret.

Q: Why does authentication via Email and Password fail if another, domain-based, Identity Provider is enabled as well ?
A: Authentication is automatically redirected to an Identity Provider if the domain matches.
Make sure you don't lock yourself out by using the same email domain for Email and Password and a domain-based Identity Provider that might not be working because of misconfiguration or connectivity issues.

Q: Why doesn't Limit access by group for my Identity Provider show any groups other than All Users ?
A: To automatically provision user groups from your Identity Provider into your SASE workspace via SCIM, purchase a license that includes SCIM functionality (recommended).
Otherwise you could test to limit authentication into Perimeter 81 by creating user groups beforehand in your SASE workspace with the same name (case sensitive) as configured in your Identity Provider.

Q: Are all SASE configurations officially supported ?
A: Only configurations documented in the Knowledge Base are officially supported.

Q: Do Check Point Endpoint Security client and Harmony SASE (P81) client work well together on the same machine ?
A: Check the Release Notes for your specific SASE desktop client (Windows, Mac, Linux) and create an exception in your Check Point EPP for perimeter81.updater.exe and perimeter81.cli.exe

Q: How do I completely uninstall the Harmony SASE (P81) client from my Windows Desktop ?
A: Uninstall the Perimeter 81 application and Microsoft Windows Desktop Runtime.

Q: What can I do if my Harmony SASE (P81) client doesn't start ?
A: Completely uninstall the client, download the latest client version and install it. If that doesn't work, contact Check Point Support.

Q: How will I be notified of planned maintenance windows of the SASE portal ?
A: The SASE portal shows a notification box several days in advance.

Q: Why do I get an error on Sign In after fresh installation of the Harmony SASE (P81) client ?
A: Verify that your workspace is correct. Manually correct it or click on Change Your Workspace.

Q: Why do pricing plans differ between P81 and Check Point's product catalog ?
A: P81's legacy pricing plan was valid for P81 customers until P81 was acquired by Check Point.
A: New Check Point Harmony SASE customers purchase via Check Point's pricing plan:

Private Access

Feature | Essentials | Premium | Complete
Private Global Network | yes | yes | yes
Agent-based access to resources | yes | yes | yes
Wireguard and IPsec Support | yes | yes | yes
Full mesh connectivity | yes | yes | yes
Wide device support | yes | yes | yes
Cloud Edge Gateway instance for every 100 users ordered | yes | yes | yes
Agentless access to applications | 20 Applications | 50 Applications | Unlimited Applications
Cloud Firewall | - | yes | yes
Device posture check | - | 3 Profiles | Unlimited Profiles
 | - | yes | yes
Wi-Fi security | - | yes | yes
Solution architect | - | yes | yes
Management APIs | - | - | yes
SCIM | - | - | yes

Internet Access

        - Private global network
        - On-device network protection
        - DNS filtering
        - URL filtering
        - TLS inspection
        - Threat prevention

Q: What's included in a user license ?
A: Each user license can use up to 5 devices concurrently.
A: For each 100 users ordered, one cloud edge gateway is automatically entitled.

Q: How many users per cloud edge gateway are supported ?
A: There is no user limit in terms of support. Check Point suggests not to have more than 50 users per gateway in a standard use-case where the customer would have one or more site-2-site tunnels connected to the same gateway. Additionally, the gateway bandwidth is set to 1Gbps, so it is important to take that into calculation as well.

Q: When are configuration changes transferred to the SASE agent ?
A: Almost instantly. The SASE agent doesn't even need to be connected to the SASE network to receive updates.

Q: Who queries my private DNS server if I configure my SASE network to use it ?
A: The SASE cloud acts as a DNS proxy for your SASE agents and queries your private DNS from dyn. IP addresses.
No matter what DNS is configured on the clients, as long as the SASE agents are connected to the SASE cloud, it will resolve DNS requests for them via your private DNS. You'll also need to configure a DNS rule in your SASE firewall rules allowing DNS requests from your SASE users.

-- Partner Resources --

Q: Where are the partner portals ?
A: Partner portal | Support portal

Q: Where can I find docs for partners ?
A: Introduction | Partner webinar | Customer presentation

Q: Where can I find training for partners ?
A: Sales training | Technical training | Demo environment

-- Documentation --

Q: Where can I find more docs on Harmony SASE ?
A: Unified Management Platform
A: Agentless Zero Trust Network Access (ZTNA)
A: Malware Protection
A: Hybrid Secure Web Gateway (SWG)
A: Securing Azure Access
A: Securing AWS Access
A: Securing GCP Access
A: Secure Access With SaaSPass
A: Internet Access: Double Your Protection
A: Device Posture Check
A: Checklist
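
For the DAIP gateway answer above (a script that checks every minute whether the gateway's dynamic IP still matches the one configured in SASE), one check cycle could look like this. It is an added example, not part of the original FAQ or Check Point's code: the three callables stand in for the IP lookup and the SASE Management API calls, whose names and endpoints are assumptions, and an IPv4 peer address is assumed.

```python
import ipaddress
from typing import Callable, List, Optional

# Ranges that must never be pushed as a tunnel peer (private, CGNAT, loopback,
# link-local, multicast/reserved). Documentation ranges are not listed so the
# constructed sample values in demo() pass.
_UNUSABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def usable_peer_ip(raw: Optional[str]) -> Optional[str]:
    """Return a normalized IPv4 peer address, or None if raw is unusable."""
    try:
        ip = ipaddress.ip_address((raw or "").strip())
    except ValueError:
        return None
    if ip.version != 4 or any(ip in net for net in _UNUSABLE):
        return None
    return str(ip)


def reconcile_peer_ip(
    get_gateway_ip: Callable[[], Optional[str]],     # hypothetical: current DAIP address
    get_configured_ip: Callable[[], Optional[str]],  # hypothetical: peer IP stored in SASE
    set_configured_ip: Callable[[str], None],        # hypothetical: SASE API update call
) -> str:
    """Run one check cycle; returns 'unchanged', 'updated' or 'skipped'."""
    current = usable_peer_ip(get_gateway_ip())
    if current is None:
        return "skipped"  # failed or bogus lookup: leave the working tunnel alone
    if usable_peer_ip(get_configured_ip()) == current:
        return "unchanged"  # no API write when nothing changed
    set_configured_ip(current)
    return "updated"


def demo() -> List[str]:
    """Three cycles against constructed in-memory state (no network access)."""
    sase = {"peer": "198.51.100.7"}  # constructed sample value
    lookups = iter(["198.51.100.7", None, "203.0.113.25"])  # None = lookup failed
    results = [reconcile_peer_ip(lambda: next(lookups), lambda: sase["peer"],
                                 lambda ip: sase.update(peer=ip))
               for _ in range(3)]
    return results + [sase["peer"]]
```

Run one cycle per minute from a scheduler and log every "updated" result so changes to the tunnel peer can be audited.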

19 Replies

Has the Perimeter 81 self-study training platform for partners been integrated into Check Point e-learning?


Yes, it's Check Point's Harmony SASE demo environment.



Great Summary, Thanks!


Now that it is available in Infinity Portal, how will it work for MSPs?

When I give permission to an admin in the Infinity account, it automatically creates a new user in the members list and uses a license. However, these are not users; these are external administrators that will manage the product, but will not connect to anything.


Check Point is working very hard to implement Quantum SASE within their Infinity Portal.
As you can see, the P81's support chat is already available, so chances are high that the P81 portal (visuals + functionality) gets implemented 1:1 within Infinity Portal in the first step. For MSPs this would then work the same way it already does within the P81 portal.

Current status: Not yet available for all regions. US region: available. EU region: Planned for early Q2 2024.


Hi Danny,

very useful FAQ, thank you very much 


Congrats @Danny

Always bringing excellent content to the community.


Great content to get started on that new offering.


I enjoyed reading this article! It provided valuable insights and information.


This is fantastic!!!

CEO & Founder, Indeni

Nice post,



Good stuff... thanks Danny for putting this together!


Thanks for this consolidated thread.


Outstanding Contribution.




hello ,

Is a bundled IA + PA being considered for the future ?




Bundling Private Access (PA) + Internet Access (IA) with a special bundle price sounds like a good idea.
I'll add to this FAQ as soon as Check Point offers SASE license bundles.
To receive the update subscribe to this SASE FAQ (the three dots on the top right corner of the FAQ).


Good reference.
Thank you for your sharing!


Great summary. One page says it all. @Danny Champion 👍


