Managing a Network

Editing a Network

1. Access the Harmony SASE Administrator Portal and click Networks.

2. Select the network.

3. Click and then click Edit Network.

   

   The Edit Network window appears.

   

4. Make the required changes and click Save.

Adding Regions

1. Access the Harmony SASE Administrator Portal and click Networks.

2. Select the network.

3. Click and then click Add Regions.

   

   The Add Region window appears.

   

4. From the Region list, select the region to deploy the Harmony SASE gateway.

5. In the Number of Gateways field, enter the number of private gateways you want to deploy in the region.

6. To add another region, click Add Region and repeat steps 4 and 5.

7. To activate the gateway for users, select the Activate Gateways For Users checkbox.

8. Click Add Region.

Managing Access

Manage Access allows you to select the member groups who can access the network.

To manage access to a network:

1. Access the Harmony SASE Administrator Portal and click Networks.

2. Select the network.

3. Click and then click Manage Access.

   

   The Manage Access window appears.

   

4. From the list, select the member groups who can access the network.

5. To remove a member group, click Remove.

6. Click Apply.

Firewall Rules

Firewall Rules allows you to set the firewall access rules for your network.

To set the rules, see Creating a Firewall Access Rule.

Split Tunneling

Split tunneling allows you to choose the traffic that should pass through the tunnel and the traffic that should bypass the tunnel and access the resource directly.

Private network traffic is always tunneled through the cloud, based on your network tunnels and routing table settings.

To route additional addresses through the Harmony SASE cloud, such as public cloud resources you wish to access through Harmony SASE using whitelisting, you must specify them manually.You also need to specify any addresses you want to exclude when routing all internet traffic through the tunnel.

Notes: Split tunneling by FQDN is supported only for Harmony SASE Agents 10.1.x and higher. With older agent versions, split tunneling by FQDN is ignored and reverts to full tunneling. The recommended setting is not to tunnel traffic internet through the cloud to minimize latency while keeping connectivity to private resources.

To configure split tunneling for a network:

1. Access the Harmony SASE Administrator Portal and click Networks.

2. Select your network.

3. Click and then click Split Tunneling.

   

   The Hybrid SASE Settings window appears.
   

4. Select one of these:

   • Tunnel all internet traffic except: Routes all internet traffic through Harmony SASE, except the destinations you specify. These destinations bypass the tunnel

   • Do not tunnel any traffic except: Routes only private network traffic through Harmony SASE. Internet traffic is sent directly to the internet, except the destinations you specify. These destinations are tunneled.

5. In the Except for the Following Destinations, search for objects.

6. In All Exceptions, select the required objects:

   1. Assigned: Displays the objects currently selected for this network.

   2. Subnet: Select subnet-based destination objects.

   3. IP: Select individual IP address objects.

   4. List: Select predefined lists that contain multiple IPs, subnets, or FQDNs.

   5. FQDN: Select fully qualified domain name (FQDN) objects for domain-based split tunneling rules.
      For more information on creating Subnet, IP, List, and FQDN objects, see Addresses.

   6. Updatable Objects: Select dynamic object groups that automatically update their IP ranges.
      For more information, see Updatable Objects.
      Note - Microsoft Azure services, Amazon Web Services (AWS), and Geolocation-based Updatable Objects are not supported for Split Tunneling.

7. Verify the selected objects under the Assigned tab.

8. Click Apply Changes.

   Note - The processing time depends on the system resource. It takes up to 3 seconds for every 500 subnets.
   

Private DNS

Notes - You cannot enable Regional DNS and Private DNS at the same time. Only one DNS option can be active per network or region.

A private DNS allows you to use your local DNS to resolve host names into IP addresses.

Harmony SASE supports DNS at two levels:

• Network - Allows you to utilize your organization’s DNS server and local domain names.

• Region - Allows your users to resolve resources through a local DNS server rather than waiting for a remote server response.

Notes - Do not use Public DNS 8.8.8.8, 8.8.4.4, 1.1.1.1, and 1.0.0.1 for your private DNS. If your private DNS server does not have a public IP address, then Check Point recommends to use the IPSec or WireGuard connector tunnel.

To configure a private DNS for a network:

1. Access the Harmony SASE Administrator Portal and click Networks.

2. Select the network.

3. To add a private DNS:

   • For a network, click and then click Private DNS.

     

   • For a region, in the Regions section, click and then click Regional Private DNS.

     

   The Add Private DNS window appears.

   

4. Turn on the Enable Private DNS toggle button.

5. If your Private DNS Server(s) supports DoT, from the Port list, select Over TLS (otherwise your requests are sent over HTTPS).

   

   Note - You can configure multiple private DNS servers for load balancing. Make sure that the DNS endpoint has zone sharing or zone forwarding enabled. This is supported by both cloud-based and on-premises DNS resolvers.

6. In the Server IP Address field, enter the IP address of your DNS servers. You can enter up to four IP addresses.

7. In the Search Domains field, enter the suffix for the DNS query.

   For example, if the domain is checkpoint.com, if your enter support, then the system automatically redirects to support.checkpoint.com.

8. Click Apply.

   Wait for the network status to change from Deploying... to Active.

DNS Filtering

DNS Filtering allows you to manage internet access for members in your network by blocking or allowing websites using allow-list and block-list.

Best Practices - Make sure that you have the list of URLs to block and allow. Make sure that the DNS filter settings work as expected.

00:00: 00:05: DNS filtering allows you to manage internet access in your network by 00:09: blocking or allowing specific domains or domain categories. 00:12: This video shows how to enable DNS filtering in your network. 00:18: Log in to checkpoint Infinity Portal and access Harmony sass. 00:23: Go to networks and select your network. 00:26: Click the three dots and then click DNS filtering. 00:29: Turn on the enabled DNS filter toggle button. 00:32: From the blocked domain categories list select the domain categories you want 00:36: to block? 00:37: In the blocked domains field enter the domains you want to block or upload 00:41: a CSV file with the domain list note that the domain you enter follows 00:45: the domain.com format without any prefix such as wwwhttp 00:51: or https prefix. And if you upload a CSV file, 00:55: you can enter a maximum of 1,000 domains. 00:58: In the exclusion list field enter the domains you want to exclude From the Block 01:02: domains and categories or upload a CSV file with the domain 01:06: list. 01:07: Click apply 01:10: Once the settings are applied a tooltip shows that DNS filtering 01:14: is activated in your network. 01:16: Now when a user enters a domain blocked by your DNS filtering settings. 01:21: Access to the page is blocked, and the user gets a warning message. 01:25: Thank you for watching the video. 01:28:

To configure DNS filtering for a network:

1. Access the Harmony SASE Administrator Portal and click Networks.

2. Select the network.

3. Click and then click DNS Filtering.

   

   The DNS Filtering window appears.

   

4. Turn on the Enable DNS Filter toggle button.

5. From the Blocked Domain Categories list, select the website categories you want to block.

6. In the Blocked Domains field, enter the domains you want to block or upload a .CSV file with the domains.

   Make sure that the .CSV file:

   • Contains all the entries in a single column.

   • Each cell contain only one entry.

   • The number of entries does not exceed 1000.

   • Each entry is in the form domain.com, without www, HTTP, HTTPs prefixes.

     

   Note - When you block a domain, the system blocks the related sub-domains as well.

7. In the Exclusion list field, enter the URLs you want to exempt from the blocked domains list or upload a .CSV file with the domains.

8. Click Apply.

   After the settings are applied, a tooltip shows that DNS filtering is activated in your network.

   

   The changes are enforced the next time when the member connects to your network using the Harmony SASE Agent.

Routes Table

Routes Table shows the routes created for the tunnels in your network.

To add a new route to a tunnel in your network:

1. Access the Harmony SASE Administrator Portal and click Networks.

2. Select the network.

3. Click at the right end of the network and then select Routes Table.

   

4. Click Add Route.

   

5. Enter all the subnets on the remote side of the tunnel and then click Add Route.

   

   For cloud-based resources, enter these values for your vendor.

   Tunnel Type	Subnets
   Amazon AWS
   AWS Single Tunnel - Transit Gateway	CIDRs of the attached VPCs (The VPCs to which you want to gain access)
   AWS Single Tunnel - Virtual Gateway	Subnets you want to reach on the AWS side of the tunnel.
   AWS Redundant Tunnels - Transit Gateway	Subnets you want to reach on the AWS side of the tunnel. Note - Ensure that the added route matches the route transmitted by BGP. Any discrepancies, such as incorrect subnetting or supernetting, are strictly prohibited.
   AWS Redundant Tunnels - Virtual Private Gateway
   Google Cloud Platform
   Single Tunnel	From the GCP console, copy the subnets of the regions where your resources are installed.
   Redundant Tunnels
   Microsoft Azure
   Single Tunnel - Virtual Network Gateway	Subnets of the regions where your resources are installed.
   Redundant Tunnels - Virtual Network Gateway
   Redundant Tunnels - Virtual WAN

6. Click Apply Configuration.

   

Deleting a Network

1. Access the Harmony SASE Administrator Portal and click Networks.

2. Select the network.

3. Click and then click Delete Network.

   

4. Click Delete.