Harmony Connect - What's New?
Solution ID: sk155574
Product: Harmony Connect
Version: Cloud
Date Created: 09-Jun-2019
Last Modified: 12-Mar-2023
Solution
The web management and enforcement engine of Harmony Connect are delivered over the cloud. New features are added dynamically and provided to all customers.
Harmony Connect now supports Google Workspace as an Identity Provider. This integration is currently available for early access for new tenants, and will be gradually available for all tenants during Q2.
Please contact us to check the eligibility of your tenants with Google Workspace IDP integration.
Once the Google Workspace integration option is enabled, you can access the configuration wizard via global settings in the Infinity Portal.
Feb 28th, 2023
Event forwarding is now available for Harmony Connect. The feature allows customers to synchronize their Harmony Connect logs with their SIEM using Syslog. (Session recording logs of Harmony Connect Application Access are not included.) The feature is available for tenants that were created from February 2022 onwards.
For older tenants, the feature will be gradually available. To enable it now for these tenants, please open a support ticket to upgrade the tenant to the latest Harmony Connect version.
Event Forwarding rules can be configured through Global Settings --> Event Forwarding.
For more details on this feature, please refer to this section in the Infinity Portal admin guide.
Feb 1st, 2023
POP in Spain is now available.
The POP is based on AWS infrastructure and fully supports the following services:
Harmony Connect is now available with data residency in US.
Starting from 1/1/2023, new Harmony Connect tenants that are created on Infinity Portal US region will have their data stored in the US. The data residency covers Harmony Connect policy, settings, logs and reports.
With this new addition, Harmony Connect now supports data residency in these three regions: EU, US and Australia.
All Harmony Connect functionality is supported with US data residency, including internet access, network remote access as well as application remote access.
Harmony Connect tenants that were created on Infinity Portal US region before 1/1/2023 will continue to have their data hosted in the EU. We do not have an option to migrate tenants' data from the EU to the US. This means that customers who wish to move data residency from the EU to the US will need to create a new Harmony Connect tenant under Infinity Portal US region and re-configure the product.
SmartConsole Management for Harmony Connect is available.
This new feature allows customers to manage their Harmony Connect policy using SmartConsole, giving them access to new capabilities and policy granularity.
Some things you can do with SmartConsole Management:
Configure UserCheck - Configure the UserCheck page to deliver customized multi-language interaction with users when communication is blocked by the policy
Use Updateable Objects – allow access rules that update dynamically – e.g. enforce access to dynamic cloud services such as AWS
Use Domain objects - define applications in the policy by their domain
Gain full control over threat prevention settings
Control blade settings - e.g. enforce Safe Search for Google
Define access rules with a time-limit
Define new data-types for content awareness
Define custom SmartView views and reports with custom widgets
And much more…
Important: It’s a one-way street: once SmartConsole management is enabled, there is no way to revert to managing the policy from Infinity Portal. The option to manage Harmony Connect from SmartConsole is only available for tenants created in October 2022 or later.
Enabling SmartConsole Management
In the Harmony Connect admin portal:
Select Settings > Management Mode
Select “Manage your policy using Smart Console”
Follow the instructions on the configuration page and in the Admin Guide
Notes:
It’s a hybrid management experience
When opting to manage from SmartConsole, some settings are still managed from Infinity Portal – e.g. defining branches, local users, IDP integration, …
We do not yet support unified management with Quantum gateways
Managing Harmony Connect requires a specific SmartConsole release that connects to a dedicated cloud management, that is separate from the customer Smart-1/Quantum GW management.
Not all SmartConsole features are available
Customers may encounter some SmartConsole features that have been disabled (e.g. gateway object, NAT rules, …). This is mostly because some features are not applicable to Harmony Connect’s cloud gateways.
Harmony Connect logs continue to be stored in the cloud.
September 20th, 2022
Mac client is officially GA and available for all customers.
The first client version for Mac OS is 1.2.8, which can be downloaded here.
Known Limitations
No check is made if antivirus is installed for Mac users
In some cases, there can be a conflict with Endpoint or other OpenVPN products
August 15th, 2022
China POP is officially available for all customers.
The POP enables traffic from roaming users and branch offices to data centers and the internet.
The traffic that goes through the POP is subject to the Great Firewall of China regulation. We’re working on a premium solution with a 3rd party provider to allow international traffic going out of China, which complies with the Chinese regulation.
There are two locations in China based on AWS solution: China North and China North-West.
SK177806: “Harmony Connect - Cloud PoP locations, current and planned” was updated with the above.
August 4th 2022
Harmony Connect cloud PoPs in the following geographic regions are now fully functional:
Switzerland
Norway
Netherlands
US Central
US South
Canada - North-East
UAE
South Korea – South
Australia - Central
Australia – South
India – Central
India – South
The above PoPs now support all Harmony Connect functionality, including support for roaming users and for VPNaaS, which were not available until now. We do not support application-level (clientless) access in these locations.
Connector Monitoring is now GA. You can monitor the status of Connectors installed for Network-Level and Application-Level access to identify disconnected Connectors and resolve the connection issue.
The status includes connection state of a site, live Connectors, traffic, throughput and more.
Network-Level Remote Access is now GA. The new Network-Level Access extends Harmony Connect’s Remote Access with a new and powerful layer-3 VPN-as-a-Service. This provides client-based network-level access to corporate resources, controlled by your organization’s Zero-Trust access policy. Access to corporate resources is secured by Check Point's market-leading threat prevention, protecting corporate applications from attacks and exploits.
This feature is currently only available to customers with new Harmony Connect tenants (created after Feb 12th 2022). We plan to make the feature available to all tenants by end of Q1 2022.
To reduce risk for sensitive environments accessed remotely, the new device posture validation feature checks that devices are managed (domain membership) and that up-to-date anti-virus software is present.
This feature is currently only available to customers with new Harmony Connect tenants (created after Feb 12th 2022). We are working to make the feature available to all tenants.
Cloud PoPs in 14 new regions
We are extending Harmony Connect’s global cloud network by adding 13 points of presence (PoPs), with new locations launched in Switzerland, Norway, Netherlands, US Central, US South, Canada - North-East, UAE, South Korea - South, Australia - Central, Australia - South, India - Central, India - South, Indonesia. We plan to add additional locations in the coming months, including China - North, China - North-West, Austria, Israel, and more.
The new PoPs are currently only available to customers with new Harmony Connect tenants (created after Feb 12th 2022). We are working to make the feature available to all tenants. Indonesia PoP is available to all tenants.
For full information on PoP locations, please refer to sk177806.
Native RDP connectivity for clientless access
Offering a better user experience than the webified RDP option, Harmony Connect Application-Level Access now offers a new option to connect to remote desktops and servers via the user’s native RDP software (clientless layer 7 access), with no VPN client required.
New ‘Getting Started’ admin page
We’ve improved the experience to be more intuitive, accurate and clean - to help streamline first-time deployments of the product.
Enhanced log visibility
We added visibility to “Site Name” in the traffic log to enable analyzing traffic based on the site which initiated it, and added more VPN-related logs.
Mac client - public EA
Supporting network level access (VPN-as-a-service) and internet access for remote users, Harmony Connect client now supports Mac systems - Mac OS 10 (Big Sur) or later. Mac support is currently in public EA, and is planned for release as GA by the end of Q1.
Connector monitoring dashboard (EA)
New dashboard for monitoring the connectivity and health status of each of the organization's data-center Connectors, to enhance visibility and provide more granular control over operations, including connector connectivity status, throughput and CPU load per service component.
October 4th, 2021
Changing naming conventions
To better clarify the content and capabilities of the different features, we want to define the following names and start using them throughout the product and documentation:
Network Level Access – formerly known as “VPNaaS”, “Back Home”. Full L3 VPN tunnel to the corporate network. Feature is in private EA, and we are gradually adding customers. To join the program, fill out this form.
Application Level Access – formerly known as “Remote Access”, “Clientless access”, Odo product. Clientless access to selected applications in the corporate network.
This is reflected in the Harmony Connect portal in line with the changes as follows:
Assets
“Sites” will be changed to “Branches and Data centers”
“Data Center & Cloud” will be changed to “Application Sites”
Policy
“Trusted applications” will be changed to “Application Access”
Logs
“Internet Access” will be changed to “Internet & Network Access”
“Trusted applications” will be changed to “Application Access”
Settings
“Trusted applications” will be changed to “Application Access”
Additional features
Windows 8.1 support GA - for internet access
Mac client EA - feature is in EA for internet access.
We welcome more customers who would like to join this EA program. Please fill in this form to join.
Added Firewall Session logs - added to all tenants
MaaS Migration EA
The Harmony Connect platform is gradually migrating to MaaS. New accounts are already created with the new platform, and by GA time we will provide seamless migration for existing accounts.
Added features: policy revisions, rule number in logs, unified logging with other Infinity Portal services.
New policy exceptions EA
Ability to create an exception consisting of a full blade (Anti Bot, IPS)
Application-Level Access is now available automatically in all new Harmony Connect accounts
When setting up a new Harmony Connect account, Application-Level Access (i.e. clientless access) will be available automatically.
Existing accounts (set up last week or prior) that don’t already have clientless access should contact support to have the feature enabled.
Admins are now able to change their account name at Settings > Application Access > Access tab.
To allow this flexibility, portal URLs have been changed to a new format - https://REGION.connect.checkpoint.com/ACCOUNT. This change is backwards compatible so that the old format (https://ACCOUNT.connect.checkpoint.com) is still supported.
Read-Only API Key for Application-Level Policies
Admins are now able to generate an API key for read-only access for Harmony Connect Application Level.
Coming up next month:
Client posture check (EA) - ability to check devices with Harmony Connect clients for AV and domain membership
RDP Native (EA) - Remote Desktop in a clientless way using the existing RDP software rather than the browser
Network Level Access (EA) - Public EA, ability to turn off internet access while using NLA.
June 27, 2021
Settings
You can now verify your identity provider integration configuration from Settings > Identity Provider
May 26, 2021
Harmony Connect Agent for Remote Users for Windows 10 is now Generally Available (GA)
New connectivity sounds when the app connects and disconnects.
May 13, 2021
Assets
Connecting data centers for clientless corporate access is now self-service!
Add a data center or cloud network and get the instructions to deploy the Check Point Connector.
Please make sure to store these instructions, because they cannot be retrieved later.
In case your Infinity Portal account does not have secure clientless corporate access, fill out this form.
Branch Sites now show status per tunnel: up, not set (or “undefined”), or down.
A tunnel can be down if the branch device no longer responds, if the IPsec initiation has failed, or if no traffic was sent in the last hour including no IPsec renegotiations.
Other Improvements
Managing the Access Control policy of Harmony Connect from SmartConsole now supports updatable objects and wildcard objects.
Adding Harmony Connect from Azure AD is now simpler by selecting the Harmony Connect template from Azure gallery! Get it from this page.
May 6, 2021
Harmony Connect Agent for Remote Users
Harmony Connect Agent is available in Japanese.
Improved zero-touch deployment for end users with an identity provider, by automatically collecting the corporate domain name from the end user's managed device. See sk172550.
Logs & Events
The Access Control overview page now includes the total source IP addresses for the selected time period.
Other Improvements
Fixed an issue where, in new deployments with Full SSL Inspection enabled, several valid websites may appear as untrusted in the web browser.
Improved the search functionality for users at Internet Access Policy for customers with Azure AD, Okta or PingID as their identity provider.
April 28, 2021
Policy
Create custom service objects and use them at the Internet Access Policy.
All users are automatically synchronized with Harmony Connect and available for selection as source objects at the Internet Access Policy.
The feature is available for Azure AD, Okta and PingID identity providers. An alternative option is creating New User Object at the Access Control policy and specifying the user's email address.
Settings
Administrators can choose to automatically turn off Harmony Connect Agent when at corporate offices using ICMP requests or HTTP requests to resources that are only available at the office (in addition to custom TCP services).
REST API
Harmony Connect API Version 1.4 has been published. The API to get locations has changed from /regions to /locations. Note: The previous commands for /regions continue to work in this version but will be deprecated by July 28, 2021.
March 22, 2021
Assets
Our cloud service location selection in Japan is now split between Japan-East and Japan-West.
Policy
Import URL lists from .csv and .txt files and use them at the Access Control and SSL Inspection policies.
Settings
Stability fixes when configuring bypass destination and deactivation codes at Harmony Connect Agent.
Harmony Connect Agent for Remote Users
Harmony Connect Agent is now available in French and Italian.
March 10, 2021
Secure Client-Less Access To Corporate Applications
Getting Started now consists of 3 flows: secure Internet access for remote users, secure Internet access for branch offices, and the new secure access to corporate applications.
Connect your data center or cloud infrastructure at Assets > Data Center & Cloud.
Assets > Users & Devices now enables users to get secure Internet access, secure corporate access, or both.
Access Control Policy now consists of 2 sub-pages: Internet Access, and the new Trusted Applications. Use the new Trusted Applications page to define your corporate applications and apply the security policy.
Manage your user groups (in case you do not use an identity provider), your remote server keys (for secure client-less SSH and RDP based access) or define security policies based on tags of applications from Policy > Access Control > Trusted Applications.
The new Settings > Trusted Applications provides additional control of the end-user portal, automatic discovery of cloud assets, and logging options.
Note: These capabilities are being gradually rolled out to all customer accounts. It may take some time to reach all accounts. If you would like to get earlier access, please fill out this form.
Sites
Improved user experience when adding branch sites. The default site address is automatically calculated from the external IP address of the device or from the admin’s machine location. The default location of the cloud service is automatically set as the optimal location fit for the site address.
Harmony Connect Agent for Remote Users
Significant network performance improvements when using Harmony Connect Agent for secure Internet access.
February 28, 2021
Public Beta - Securing Remote Users
Secure your users' Internet Access with Harmony Connect Agent for Windows 10.
Follow the steps at Getting Started to add your users, define the policy, and configure app-specific settings.
Manage your remote users with the new Assets > Users & Devices page.
The new Trust column at Policy > Access Control allows access conditions for all users compared to only users running Harmony Connect Agent.
The new Settings > Harmony Connect Agent page contains important restrictions for remote users such as domains and IP addresses that should be accessed outside of Check Point's cloud, behavior of the app when users are at corporate offices, and restrictions to deactivate or uninstall the app for the end users.
General
The new Getting Started page enables a step-by-step onboarding for securing branch offices and remote users.
February 23, 2021
Infinity Portal
Infinity Portal now reflects Check Point's product re-organization as new families: Quantum, CloudGuard, Harmony, and Infinity Vision. Previously named CloudGuard Connect, now Harmony Connect, is Check Point's solution for up to date Access Control and Threat Prevention for branch offices and remote users delivered as a service.
Policy
Creation of access control policy rules based on users and user groups is now available.
Settings
The Identity Provider settings now include an option to set automatic sync of user groups. Administrators can see all user groups and select them at the Access Control Policy. This feature is available for Azure AD, Okta and PingID identity providers. An alternative option is creating New User Group object at the Access Control Policy and specifying the Group Identifier as appearing at the identity provider.
REST API
Harmony Connect API Version 1.3 has been published. The changes are renaming the solution from CloudGuard Connect to Harmony Connect. There are no breaking changes at this version.
February 17, 2021
Policy
New objects: Office365 Domains of type URL List and Office365 Address Ranges of type Network List are now available to select at Access Control and SSL Inspection.
Both objects are automatically periodically updated.
A common use case is selecting both of these objects at SSL Inspection under Do not inspect the following.
Administrators can release locks from objects and rules by navigating to Policy > Policy Revisions and selecting the new Discard Policy Revision button for revisions that are in progress.
Discarding in-progress revisions is available for administrators that have the new role Manage Admin Sessions. Assign this new role to one or more administrators at Global Settings > Users.
February 1, 2021
Policy
Threat Prevention configuration is now available. Exclude IPS protections, set reminders for reviewing your exceptions as well as automatic expiration dates.
December 30, 2020
Policy
New URL List object HTTPS Inspection - Recommended Bypass is now part of the default exclusion list at the HTTPS Inspection Policy. An additional URL List object HTTPS Inspection – Optional Bypass is available for selection. Both objects are automatically periodically updated. Contents of the objects are available at sk163595.
Global Settings
Navigate to Global Settings - Users and assign the new Support Contact Point role for one or more administrators that should be contacted over email in case of emergency, proactive support, planned or unplanned service maintenance. In case none of the administrators at your Infinity Portal account have the Support Contact Point role, all administrators will be contacted. This is a service-specific role for Harmony Connect.
November 10, 2020
Settings
Added support for PingID as Identity Provider.
November 5, 2020
Sites
New options for creating sites with branch device type set to Aryaka, Nuage, Oracle (Talari), Versa and Asavie. Available at the Sites page and at the REST API.
Logs
The new Cloud Applications tab provides an overview of cloud applications and file sharing use for your connected users.
The Logs tab has reordered columns, emphasizing users going to applications.
Search for Login and Logout operation logs and find your connected users.
Settings
Added support for OneLogin as Identity Provider.
REST API
Harmony Connect API Version 1.2 (appearing as CloudGuard Connect API) has been published. The changes include additional options for Device Type when creating, updating or viewing a Site. There are no breaking changes at this version.
September 11, 2020
Global Settings
Visibility for your contract is now available. Navigate to Global Settings > Contracts, associate your User Center account, and your Harmony Connect SKUs will be associated to your Infinity Portal account, impacting the expiration date, threat prevention package and number of seats.
Sites
After enabling Harmony Connect, the creation time of the first site has been reduced to 25 minutes. Creation of other sites is now between 5 to 18 minutes.
July 2, 2020
Sites
New automatic integration with Microsoft Azure Virtual WAN. Check Point automatically creates sites and secures traffic for each resource marked as secured at your Azure portal. See this CheckMates topic for detailed steps.
REST API
Harmony Connect API Version 1.1 (appearing as CloudGuard Connect API) has been published. The changes include additional options for Device Type when creating, updating or viewing a Site. There are no breaking changes at this version. A Postman collection is now available and will be available in all future API versions.
May 26, 2020
Sites
New cloud service locations in Italy and South Africa.
May 14, 2020
Global Settings
The new Partner Settings page allows partners and MSSPs to create child-accounts for their customers and manage them centrally.
Partner Mode allows customers to become a partner in either one of two modes:
Distributor/Reseller Partner - can create child accounts, but cannot access their security
MSSP Partner - can create child accounts, log into the accounts and manage their security
Enable Partner Mode by navigating to Global Settings -> Account Settings.
April 26, 2020
Sites
Sites with dynamic IP addresses and multiple ISPs are now supported. You can now create Sites, assign them a pair of FQDN and pre-shared key for every network interface, and set up tunnels between each of your dynamic network interfaces and the two destination endpoints provided by Check Point's Harmony Connect.
February 24, 2020
Policy
DLP is now available!
Enable it from the Access Control policy by clicking the column headers and selecting the new Content column.
You can now allow or block traffic based on file types, such as source control files, or contents, such as certificates or insurance records. Combined with application-aware rules you can create more granular access rules.
Sites
Stability improvements when creating a large number of sites, for example when using Harmony Connect API.
January 23, 2020
Settings
Identity Awareness is now available! Connect your identity provider with Harmony Connect and see your end users' names in the logs.
Other Improvements
Silver Peak, a leading SD-WAN vendor, now has a Check Point Harmony Connect page, allowing you to get Check Point security as a service without leaving the SD-WAN management dashboard. See this CheckMates topic for detailed steps.
January 6, 2020
Sites
You can now create sites with a dynamic IP address.
New cloud service locations in France, Sweden, Hong Kong and Bahrain.
Policy
Stability improvements for Full HTTPS Inspection.
Logs
Additional fields at threat prevention log cards: referrer URL, user agent, HTTP method.
Automatic emails are now sent to each customer, explaining the next steps, at the events of: Harmony Connect dashboard is ready; the first site was created successfully; and traffic was passed through the first site.
Customers that have more than one Infinity Portal account can switch between their accounts at the top-level navigation.
November 10, 2019
Global Settings
Administrators can now have a read-only or read-write role.
November 6, 2019
Policies
Review your changes before installing them with a new changes panel.
Undo and redo each change.
Settings
View which changes are currently in-progress by other administrators and which changes were previously installed with a new Revisions page.
Note: The new change management features refer to changes made at the Policy: access control and HTTPS Inspection rules and objects. These changes need to be installed after you make them. Changes made to Sites or Global Settings don’t require a policy install and are activated right away. For a full list of all changes across Infinity Portal, refer to Global Settings > Audits.
Sites
We added new optional fields, Estimated Number of Users and Device Type, in order to operate our cloud service towards specific usage patterns.
August 29, 2019
Settings
The new SmartConsole page lets you choose to manage your security policy from SmartConsole. For more, see sk156632.
August 27, 2019
Policies
Introducing rule and object locks.
Previously, any change made by one person was immediately visible for editing by another.
From now on, objects and rules that are modified by one administrator appear as locked for editing to other administrators.
Only after the administrator completes an Install can other administrators edit the newly-changed rules and objects.
You can now discard changes that you made but that were not yet installed.
Global Settings
Improved user experience for the global settings pages: Administrators, Audits, API Keys, Account Settings, as well as the product menu.
August 12, 2019
Sites
Added support for ISP Redundancy. You can now create Sites with multiple external IPs, and set up tunnels between each of your external IPs to the two destination endpoints provided by Check Point's Harmony Connect.
July 18, 2019
Logs
Administrators can receive a weekly Security Report by email. Unsubscribe by visiting Settings > Reports & Logs.
Other Improvements
Fixed an issue where, in some circumstances, end users browsing to a malicious website received a browser error instead of the "page blocked by company policy" page.
All configuration changes are logged at the Audits page.
June 26, 2019
Policy
You can now receive policy installation alerts from the new notification menu. Test Check Point's advanced threat prevention immediately after receiving the Policy Installation Completed alert.
Other Improvements
The new API Keys page, available in Global Settings, lets users automate creation of sites. Contact us if you are interested in the API for Harmony Connect.
June 13, 2019
Improvements
Fixed issues occurring when administrators upload their organization's certificate in order to have Full HTTPS Inspection.
Stability improvements with policy installation process.
May 27, 2019
Logs
Improved our Security Report, showing prevented attacks as well as application visibility in a format available for PDF Export.
Other Improvements
Stability improvements when adding sites.
May 15, 2019
Full HTTPS Inspection is now available
Not inspecting HTTPS traffic exposes you to 70% of the Internet and the majority of cyberattacks.
Use the web management to switch from Basic HTTPS Inspection to Full HTTPS Inspection and manage the exceptions. The regulatory-dependent categories are excluded by default.
Sites
Onboarding is now easier. Newly-created sites now appear with the status waiting for traffic. Only after a Site receives packets from the branch does the status of the Site change to active.
We added official instructions for connecting with CloudGenix.
Logs
Improved our Cyber-Attack View, highlighting prevented attacks that relate to Internet traffic.
Other improvements
Japanese user interface is now available.
Fixed issues with browser compatibility for Safari on Mac.
April 24, 2019
Sites
Added official instructions for connecting with Citrix SD-WAN, Aruba, and Check Point Gateways. We fixed the instructions for VeloCloud. Email us for information about integration with other vendors.
In addition to managing your sites in Card Mode and Table Mode, you can now manage them over a world map.
Logs
Traffic logs now show the name of the application for accepted traffic.
Updates from before April of 2019 are available upon request.