2025

December

Early Availability

  • SCIM Sync User Duplication Prevention with Entra ID

    Enhanced SCIM mapping for Azure AD/Entra ID to prevent user duplication when connected via the Entra ID identity provider.

  • Infinity Integration with Quantum Services

    Identity and Trust is now integrated with Quantum Services. This allows SASE to share identity information, via Identity and Trust, with the Quantum Security Gateway to enable identity-based rules across SASE and Quantum services.

  • SASE Audit Logs integrated with Infinity Audits

    SASE audit logs are now part of, and integrated into, Infinity Platform Audits. You can now export these logs via Infinity to SIEM systems.

  • Internet Access Threat Prevention Security Profiles

    Administrators can now define enforcement behavior and configure Threat Prevention blades (including Malware Protection, Anti‑Bot, Threat Emulation) to match their security posture and operational needs.

    Minimum agent version required:

    • Windows: 12.3.0.10

    • macOS: 12.3

  • Internet Access Threat Prevention Exceptions

    Administrators can now define granular exceptions for specific URLs or files using SHA‑256 identifiers. This capability reduces false positives while maintaining strong enforcement.

    Minimum agent version required:

    • Windows: 12.4

    • macOS: 12.3

New Features

  • New Role - Security Manager

    A new Security Manager role is now available in the platform to support more granular role-based access control. Users with this role can:

    • Manage Internet Access configurations

    • Define Data Loss Prevention (DLP) policies

    • Monitor and investigate security events

  • MSSP / Infinity – Granular Role Support for MSSP Parent Users

    The Check Point Portal now supports additional SASE service roles for MSSP Parent users, enabling granular, role-based access beyond the previously Admin-only model. This enhances security and governance through least-privilege access and clearer separation of duties. With this release, MSSPs can assign the following SASE roles to their users, either directly or via Infinity User Groups:

    • Security Manager

    • Network Manager

    • User Manager

    • Admin

  • New SASE Points of Presence (PoPs)

    SASE expanded global coverage with new PoPs in:

    • Istanbul (Turkey)

    • Auckland (New Zealand)

    • Montréal (Canada)

  • Enhanced Networks

    Enhanced Networks is now available in the US, EU, and AU data residencies and on-demand in India (IN). This feature provides:

    • Higher network scale

    • Improved resilience

    • Simplified network and tunnel management

    For more information, see Enhanced Network.

  • DLP Enhancements

    Data Loss Prevention (DLP) now includes:

    • Data Type Manager – Browse built-in data types (such as PII and payment data) and create custom data types.
      Minimum agent version required:

      Windows and macOS: 11.7

    • Services column in the DLP policy – Configure more granular DLP rules for web categories, custom URLs, and applications.

    • Apply DLP policy on downloaded files.

    For more information, see Data Loss Prevention.

  • Okta SCIM App – Regional Support Expansion

    SASE’s Okta application (SCIM integration) now supports India (IN) and Australia (AU) regions. Customers whose SASE tenant resides in these regions can connect their Okta IDP (with SCIM enabled) using the built-in Okta app.

  • Web Categories – New Gen AI Category

    A new URL Filtering (URLF) Gen AI web category is now available. This category:

    • Supports all policies that allow category selection (Access, Bypass, DLP)

    • Provides visibility for generative‑AI destinations

Enhancements

  • Internet Access Rules – UX Improvements

    Improvements to Internet Access policy management aimed at large enterprise rule sets, including:

    • Safer defaults to reduce new rule misconfiguration

    • Faster access to detailed rule view (quick access / one-click view)

    • Easier management of large selectors

  • Trusted Networks – Certificate Validation Hardening

    Trusted Networks configuration has been strengthened by removing the option to skip certificate validation, reducing risk from weak or misconfigured trust settings.

Resolved Issues

N/A

November

Early Availability

  • Agent UI Controls

    Administrators can now hide the Reset Agent button from end-users on SASE Windows and macOS agents.

New Features

  • Operational Events – General Availability (GA)

    Operational events and tunnel logs are now available across all regions in Events & AIOps, giving administrators unified visibility and faster troubleshooting for their SASE deployment.

  • Tenant Restrictions – General Availability (GA)

    Tenant Restrictions are now in GA, enabling organizations to limit access to approved SaaS tenants only. This feature prevents users from signing in to personal or untrusted tenants. The supported applications are:

    • Microsoft Office 365

    • Google Workspace

    For more information, see Tenant Restrictions.

  • Data Loss Prevention (DLP) for File Uploads – General Availability (GA)

    DLP for file uploads is now in GA on all environments. Administrators can detect and block sensitive data being uploaded to cloud services, helping protect confidential information and support regulatory compliance. For more information, see Data Loss Prevention.

Enhancements

  • Improved Split Tunnelling Resilience

    When Split Tunnelling is enabled, network configuration changes now occur more smoothly, significantly reducing the chance of VPN interruptions during maintenance operations.

    Note - This feature is available on Windows and macOS agents, version 12.2 or higher.

  • Scalability and Performance for Large Deployments

    Multiple backend and UI optimizations improve performance and responsiveness in large environments, including:

    • Faster loading of route tables and network routes.

    • More efficient handling of tenants with very large firewall rule sets.

    These improvements help administrators manage complex environments with less waiting and fewer timeouts.

  • Stronger Device Posture

    • Device Posture Check - Added Microsoft Defender to the list of supported Endpoint Security products for macOS, improving device compliance validation options.

  • Better Renewal Experience

    The in-product renewal banner now appears 45 days before subscription renewal, giving administrators more time to plan renewals and avoid service disruption.

Resolved Issues

N/A

October

New Features

  • Parent-MSP Access:

    SASE now supports administrative access inheritance from a parent MSSP Infinity account to its child accounts through User Groups.

    Note - Currently supports Admin roles only, via Global or Service-Specific Roles.

  • Operational events and tunnel logs are now integrated into and available in Events & AIOps.

  • Device Posture Check (DPC) Empty State Improvements:

    Added an interactive DPC widget to the Device Inventory dashboard, offering quick links and guidance to help users enable Device Posture Check.

  • Public API Support for Split Tunnelling:

    Added support for managing split tunnelling configurations via Public API.

  • Desktop devices are now labeled as Computer to align with industry standards.

Enhancements

N/A

Resolved Issues

N/A

September

Early Availability

  • Operational events and tunnel logs are now integrated into and available in Events & AIOps.

  • A new Device Posture Check (DPC) feature offers full device certificate validation. Administrators can now verify authenticity, validity, and private key matching to strengthen overall device security and compliance. This feature requires Windows agent version 12.0.

New Features

  • SaaS API in SASE is now available in Australia and India.

  • Introduced Tenant Restrictions to control user access to approved Office 365 and Google Workspace tenants. For more information, see Tenant Restrictions.

Enhancements

  • Improved handling of disconnection issues during network configuration updates.

  • UI changes to support large-scale organizations.

Resolved Issues

N/A

August

Early Availability

  • Data Loss Prevention (DLP) Support for File Uploads

    Added Data Loss Prevention (DLP) support for file uploads to detect and block sensitive data exfiltration.

  • Enhanced Application Control

    Enhanced granularity in Application Control with new actions to block file uploads to Box and Google Drive.

New Features

N/A

Feature Enhancements

  • Support for enterprise clients

    Admins can now manage members in large groups, exceeding 500 users.

  • Support for device isolation

    (Available for Windows and macOS devices with agent version 11.6 and higher)

    Admins can now add an extra preventive security layer for devices by blocking all local network (LAN) traffic when the device is connected to the VPN. This isolates the device from nearby devices, reducing risks such as lateral movement or exposure to unsafe local traffic. Outbound communication to external resources and the public internet remains unaffected. For more information, see Device Isolation.

  • Firewall logs location change

    Firewall logs have moved to the new Unified Logs/Security Events page in Events & AIOps, which allows users to:

    • View logs across all Check Point products in a centralized location

    • Search, filter, and analyze events for faster threat detection and response

    • Automate workflows using Playblocks and Event Forwarding

    • Send automated notifications for SASE via email, SMS, Slack, and Microsoft Teams using Playblocks

    • Export events using Check Point Infinity's Event Forwarding

Resolved Issues

  • P81-72299 - Addressed an issue where the connection would drop after 1 hour due to session validation issues

July

Early Availability

  • Check Point Enterprise Browser with Surf Security Integration

    This release introduces SSO connectivity from SASE to the Surf Security admin platform, along with browser-level Zero Trust Access (ZTA) enforcement. Surf Security provides agentless protection for unmanaged devices, offering features such as session recording, screen capture prevention, and device posture checks.

    For more information, see:

  • Internet Access - Tenant Restrictions

    Added support for tenant restrictions in Office 365 and Google Workspace. This feature allows access only to organization-approved tenants, blocking personal and unauthorized corporate accounts to prevent data leakage and unapproved external collaboration.

    For more information, see Tenant Restrictions.

New Features

N/A

Feature Enhancements

  • Increased Active Directory (AD) domain support in Device Posture Check (DPC) from 2 to 10 domains.

  • Renamed the Unified Logs page to Security Events.

Resolved Issues
  • P81-67049 - Fixed an issue that allowed bypassing account activation via the ‘Forgot Password’ link

  • P81-70003 - Fixed allow rule not applying when followed by overlapping block rules

  • P81-70004 - Resolved sorting behavior on the applications page

  • P81-71453 - Resolved Unified log view filtering and pagination issues

  • P81-71936 - Resolved an issue where viewing request details in the Integration settings failed with an error when accessing older events

  • P81-72305 - Fixed errors when adding access policy rules with custom URLs

  • P81-72981 - Fixed an issue where logging was missing for allowed traffic under Internet Access allow rules

  • P81-73019 - Fixed an issue where users with admin or manager roles could not view the Access History section under Support Access

  • P81-74452 - Fixed issues with group-based settings failing for large groups in the Support Access page

  • P81-74768 - Resolved an issue where the firewall filter for Members did not show results

June

New Features

  • New Point-of-Presence (PoP) in Taipei, expanding coverage and enhancing performance.

    For the full list of cloud locations, see Regions and Point-of-Presence.

Feature Enhancements

  • Revised Members page - Added support for large-scale user management.

  • A new panel for user and group selection is now available on the right side of the interface, providing better support for large directories and an enhanced search experience.

  • You can now add up to 10 individual users per firewall rule. For larger groups, use user groups for easier management.

Resolved Issues
  • P81-70311 - Users removed from a group in Okta are now correctly unassigned from the corresponding group in Harmony SASE.

May

New Features

  • Added New Data Residencies: Australia and India

    SASE is now available in the Check Point Portal in two new data residencies, Australia and India, in addition to the existing US and EU options. This expansion supports customers with regional data residency requirements and broadens our global reach. See the blog post.

  • New iOS Agent with Harmony Mobile Protect available on the App Store

    The latest iOS agent is now live on the App Store and available from the Downloads page in SASE. The new version:

    • Integrates Mobile Security Protect security features with SASE Private Access connectivity.

    • Requires a Mobile Security Protect license.

  • Internet Access – Allow Logs now available

    Administrators can now view Allow logs for Internet Access policies, in addition to existing block and alert logs. This enhancement improves visibility of permitted user activity and helps with auditing and troubleshooting. Available on agent version 11.5 or above.

    Note - This feature may generate a high volume of logs.

  • Internet Access Logs integrated with Events & AIOps and SIEM Export Support

    • All security engines in Internet Access, such as URL Filtering, Anti-Virus, and Anti-Bot, now send logs to Infinity Events, providing centralized and real-time visibility across your SASE deployment.

    • You can now export logs to your SIEM solution via Syslog from Events & AIOps. This enables streamlined incident response, threat hunting, and compliance reporting by integrating SASE logs into your existing security workflows.

      Note - Configuration for SIEM export is available in the Check Point Portal. For more information, see the Infinity Portal Administration Guide.

  • Agent Anti-Tampering

    Anti-tampering is now supported (available on agent version 11.5 and above). Uninstalling the agent requires a code, preventing unauthorized removal.

  • Internet Access Transparent Installation

    A new transparent install capability allows Internet Access protection to be applied immediately upon agent installation, without requiring user login. This ensures instant security for internet traffic. For more information, see Transparent Internet Access Installation.

Feature Enhancements

  • Trusted Networks Enhancement

    Trusted networks can now be identified using an HTTPS server, providing more flexible and secure detection mechanisms.

  • Unified Log View

    SASE introduces a redesigned log screen that aligns with Events & AIOps, delivering a unified and consistent log experience across platforms to enhance visibility and simplify analysis.

Early Availability

Improved security visibility by capturing only events blocked by firewall rules

Key features:

  • Improved Visibility - Only events that are blocked by firewall rules are logged, helping you quickly identify and troubleshoot unauthorized access attempts.

  • Network-Level Control - Logging can be enabled or disabled at the network level directly from the Firewall configuration page, allowing for granular logging based on specific network needs.

  • Log Access - You can view the logged events in:

    • SASE Unified Logs

    • Infinity Events page

    To enable firewall logs, contact Check Point Support.

Resolved Issues

N/A

April

New Features

  • Added API support for managing Zero Trust applications. For more information, refer to the API documentation.

  • Updated the default bypass rules in SASE to align with the standard configuration used in Check Point Quantum Security Gateway. See sk163595.

  • SASE network or user managers inherit their role from the Check Point Portal. We now support service roles for network and user managers.

  • Firewall events are now presented in the Events & AIOps application in the Check Point Portal (Early Availability). This enables customers to consolidate logs from all Check Point Portal applications in a single location.

Feature Enhancements

  • SASE strengthens security for locally defined users by enabling two-factor authentication (2FA) by default for newly created tenants.

  • Group naming is now more flexible: names of groups synced via SCIM can include special characters.

  • Firewall policy action names and images are aligned with Check Point’s terminology and standards, using Drop and Accept, instead of Deny and Allow.

Resolved Issues
  • P81-64882 - Resolved an issue where enabling two-factor authentication (2FA) for Azure IDP disrupted the login flow.

  • P81-63630 - Resolved an issue where the Firewall events log page failed from time to time.

  • P81-66970 - Admin user deletion is audited in the admin activity log.

  • P81-67091 - Resolved an issue affecting groups synchronized from Azure, where users were not being added to groups as expected, and existing group memberships were removed.

March

Early Availability Programs

Early availability programs for upcoming SASE enhancements:

  1. Agent 11.5 – Enhanced Security, Control, and Usability

    The latest Agent 11.5 update introduces multiple improvements to security, policy enforcement, and user experience.

    What's New:

    • New Threat Prevention Policy – Includes threat emulation, anti-bot, and malware protection, with the flexibility to enable or disable as needed.

    • Trusted Networks via HTTPS Server – Define trusted networks based on an HTTPS server, enhancing security posture.

    • URL Filtering Log Support – Enables logging for better visibility and analysis of URL filtering actions (Allow or Deny).

    • Application Control Enhancements – Administrators can now regulate the use of SaaS applications, ensuring compliance and security by allowing, blocking, or restricting specific applications based on policies. This helps prevent unauthorized access, control bandwidth usage, and enforce corporate security guidelines.

    • Transparent Internet Access Installation – This is a simplified deployment with seamless internet access configuration. For more information, see Deploying the Harmony SASE Agent.

    • Enhanced Anti-Tampering Protection – Agent exit code protection now also applies to uninstallation, preventing unauthorized removal.

    These updates enhance security, visibility, and ease of management for administrators.

  2. Site Security - Strengthening protection and policy enforcement for remote locations.

  3. Next-Generation Networking (NGN) – Advancing network performance and security for modern enterprise needs. Admins can now gain early access to NGN capabilities and provide feedback before the general release. To participate, contact your Check Point representative.

    What's New:

    • Single Public IP per Region – Simplifies management by eliminating the need to handle individual gateway IPs.

    • Enhanced IPSec Tunnels – Supports up to eight parallel tunnel legs for improved redundancy, link aggregation, and streamlined IPSec configuration.

New Features

  • New Point-of-Presence (PoP) in Zurich, Switzerland, expanding coverage and enhancing performance.

  • SASE now features a redesigned log screen that matches the look and feel of Events & AIOps. This update provides a seamless and consistent experience across platforms, enhancing visibility and simplifying log analysis.

Feature Enhancements

N/A

Resolved Issues

  • P81-61595 - Learn More text was truncated when duplicating a custom URL.

February

New Features

  • New PoP in Brussels - Launched a new Point of Presence (PoP) in Brussels, Belgium, expanding coverage and enhancing performance.

Feature Enhancements

  • Hybrid-Split Tunneling Enhancement - Administrators are now guided to configure automatic split tunneling for optimal traffic routing. Existing configurations are migrated automatically with no impact on current networks.

  • Microsoft Outlook is now excluded by default from Internet Access bypass rules.

  • Administrators can now manage the multi-monitor settings for ZTA RDP applications.

  • Improved security warning when disabling 2FA for local users. Administrators can now see a clear notification highlighting the security risks before confirming the action.

Resolved Issues

  • P81-55537 - Bypassed URLs are now case-insensitive, ensuring consistent enforcement regardless of letter casing.

January

New Features

  • The new Hybrid Split Tunneling functionality automates tunneling of private traffic only, ensuring an optimized end-user experience along with full connectivity (currently available in Early Availability).

  • Added two new predefined member roles, Network Manager and User Manager, for simplified management. These roles simplify permissions setup, enhance security, and improve access control. For more information, see Member Roles and Permissions.

  • Added the new Explore Harmony SASE page that helps customers discover and understand Harmony SASE features. It guides them to enhance their security posture, manage SASE effectively, and follow best practices with video guides and tips.

  • Harmony SaaS is now accessible through Harmony SASE, offering enhanced security for your SaaS applications. Make sure you have the appropriate license to fully utilize Harmony SaaS. For more information, refer to the Harmony SaaS solution brief (currently available in Early Availability).

  • Wildcard support is now available for URL Filtering rules, offering greater flexibility and efficiency. Use the * wildcard to match multiple URLs with similar patterns (for example, *.example.com covers all subdomains and paths under example.com). For more information, see the blog post.

Feature Enhancements

N/A

Resolved Issues

N/A