SASE User Rollout

This chapter describes the steps to roll out Check Point SASE to the workforce. Make sure the initial setup is complete, networks are configured, resources are connected, the team is invited, and agents are deployed.

Note - If running a small pilot, see SASE Pilot Checklist.

Configuring Access Policies and Firewall Rules

Before bringing users online, translate organizational security requirements into Check Point SASE configuration.

  1. Set up cloud firewall rules (Private Access): Define which users and groups can access each internal resource, such as on-premises servers, cloud data centers, or SaaS applications. Start with least-privilege access and expand as required. See Private Access.

  2. Configure agentless access (Zero Trust Application Access): For BYOD users, contractors, or temporary workers, configure browser-based access to specific applications (HTTP/HTTPS, RDP, SSH, VNC) without requiring the full agent or network-level access. See Applications.

  3. Configure device posture checks: Set up device posture profiles to verify that devices meet security requirements before access is granted. See Posture Check.

Preparing Devices

  1. Remove legacy VPN clients: Running a legacy VPN client alongside the Check Point SASE Agent can cause connectivity conflicts. Disable or uninstall legacy VPN software.

  2. Confirm agent deployment: If the agent has not already been distributed through MDM with silent installation, deploy it. See the silent installation guide for token-based deployment.

  3. Verify Identity Provider (IdP) and SCIM provisioning: If an Identity Provider is used, confirm that SCIM synchronization is active. This ensures that user and group memberships remain synchronized with the directory.

Rolling Out in Phases

  1. Start with a small group: Select a department or team that can provide useful feedback. Monitor the user experience before expansion.

  2. Expand department by department: After the initial group is stable, bring the next group online. Each group acts as a mini-pilot and requires validation.

  3. Validate at each stage: Before expansion, confirm that policies work, users connect successfully, and no access issues remain unresolved.

Communicating with Users

Send a short message to each rollout group. Include:

  • What is changing

  • When it takes effect

  • How to connect

  • Where to get help

Keep the message short and non-technical.

Monitoring the Deployment

Use the Check Point SASE Administrator Portal to monitor the rollout:

  • Dashboard: Monitor active sessions, licenses, agent counts, bandwidth, and operating system and device distribution

  • Active Sessions: View agent connections and Zero Trust Application access sessions

  • Device Inventory: Verify agent installation status across devices

  • Logs and Activity Reports: Review member activity, web activity, firewall events, and administrator activity

Watch for:

  • Low adoption (agents deployed but few sessions - check user communication and legacy VPN status)

  • Connection failures (review tunnel status and firewall events)

  • Recurring support tickets (commonly authentication issues or VPN conflicts)
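The stage validation under Rolling Out in Phases and the warning signs listed above can be combined into one per-group gate. The following is an added example, not Check Point code or a portal feature: the record fields, the sample data, and the 0.8 and 0.2 thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a portal format.
DEVICES = [
    {"user": "ana", "group": "finance", "agent_installed": True},
    {"user": "ben", "group": "finance", "agent_installed": True},
    {"user": "cho", "group": "finance", "agent_installed": True},
    {"user": "dev", "group": "sales", "agent_installed": True},
    {"user": "eli", "group": "sales", "agent_installed": False},
]
SESSIONS = [
    {"user": "ana", "ok": True}, {"user": "ana", "ok": True},
    {"user": "ben", "ok": True}, {"user": "cho", "ok": True},
    {"user": "dev", "ok": False}, {"user": "dev", "ok": False},
]

def rollout_gate(devices, sessions, min_adoption=0.8, max_fail_rate=0.2):
    """Return {group: {"adoption", "fail_rate", "findings", "ready"}}."""
    group_of = {d["user"]: d["group"] for d in devices}
    installed, missing = defaultdict(set), defaultdict(set)
    for d in devices:
        (installed if d["agent_installed"] else missing)[d["group"]].add(d["user"])
    connected, total, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for s in sessions:
        g = group_of.get(s["user"])
        if g is None:
            continue  # session for a user outside the inventory; not scored here
        total[g] += 1
        if s["ok"]:
            connected[g].add(s["user"])
        else:
            failed[g] += 1
    report = {}
    for g in sorted(set(group_of.values())):
        adoption = len(connected[g] & installed[g]) / len(installed[g]) if installed[g] else 0.0
        fail_rate = failed[g] / total[g] if total[g] else 0.0
        findings = []
        if missing[g]:
            findings.append("agent not installed: " + ", ".join(sorted(missing[g])))
        if adoption < min_adoption:
            findings.append("low adoption: check user communication and legacy VPN status")
        if fail_rate > max_fail_rate:
            findings.append("connection failures: review tunnel status and firewall events")
        report[g] = {"adoption": adoption, "fail_rate": fail_rate,
                     "findings": findings, "ready": not findings}
    return report

if __name__ == "__main__":
    print(rollout_gate(DEVICES, SESSIONS))
```

A group is marked ready only when it has no findings, so expansion to the next department waits until every finding for the current group is cleared.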

Help Options

  • Send an email to SASE support or start a live chat.

  • Reach out to your Technical Account Manager* for assistance.

    * Available for qualifying plans only