2026

April

Early Availability

  • Split Tunnel Subnet Exceptions by IP/CIDR

    Administrators can now define exceptions for included subnets using specific IP addresses or CIDR ranges when Split Tunnelling is configured in Include mode. This enhancement provides more granular routing control by explicitly excluding selected traffic from the tunnel.

    Minimum Agent Version: 12.7
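
The routing effect of Include-mode exceptions can be reasoned about offline before a policy change. The following is an added example, not Check Point code: it assumes an exception takes precedence over any included subnet, and every name and address range in it is constructed for illustration. It also audits the policy for exceptions that match no included subnet and for included subnets that an exception removes from the tunnel entirely.

```python
import ipaddress

# Constructed sample policy (not taken from any real tenant).
INCLUDES = ["10.0.0.0/8", "192.168.50.0/24"]
EXCEPTIONS = ["10.20.0.0/16", "10.1.2.3", "172.16.0.0/12", "192.168.0.0/16"]

def parse_nets(entries):
    """Parse IPs or CIDR ranges; a bare IP becomes a single-host network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def routes_via_tunnel(dest, includes, exceptions):
    """Include mode: only included subnets are tunnelled, minus exceptions.

    Assumption: an exception wins over any overlapping included subnet.
    """
    addr = ipaddress.ip_address(dest)
    if any(addr in net for net in exceptions):
        return False
    return any(addr in net for net in includes)

def ineffective_exceptions(includes, exceptions):
    """Exceptions that overlap no included subnet never change routing."""
    return [e for e in exceptions if not any(e.overlaps(i) for i in includes)]

def fully_excluded_includes(includes, exceptions):
    """Included subnets wholly covered by one exception are never tunnelled."""
    return [
        i for i in includes
        if any(i.version == e.version and i.subnet_of(e) for e in exceptions)
    ]

def audit(includes, exceptions):
    """Return both findings as strings for a change-review report."""
    inc, exc = parse_nets(includes), parse_nets(exceptions)
    return {
        "ineffective_exceptions": [str(n) for n in ineffective_exceptions(inc, exc)],
        "fully_excluded_includes": [str(n) for n in fully_excluded_includes(inc, exc)],
    }

if __name__ == "__main__":
    inc, exc = parse_nets(INCLUDES), parse_nets(EXCEPTIONS)
    for dest in ["10.5.5.5", "10.20.1.1", "10.1.2.3", "192.168.50.10", "8.8.8.8"]:
        path = "tunnel" if routes_via_tunnel(dest, inc, exc) else "direct"
        print(f"{dest:15} -> {path}")
    print(audit(INCLUDES, EXCEPTIONS))
```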

New Features

  • SASE Connector High Availability (HA)

    The SASE WireGuard Connector now supports high availability (HA). During installation, administrators can deploy the connector in one of the following modes:

    • Standalone mode

    • HA mode, using two machines configured as active and standby

    HA mode is supported for all existing standard networks, including existing tunnels.

    Note - Requires a network version deployed on or after 1 March 2026.

    For more information, see WireGuard Connector Tunnel.

  • Web RDP with Network Level Authentication – General Availability (GA)

    Web RDP with Network Level Authentication (NLA) is now generally available to all tenants. Administrators can provide browser-based RDP access to resources that require NLA.

    Note - Requires a network version deployed on or after 1 March 2026, or networks upgraded after that date.

  • Windows ARM SASE Agent Support

    The Check Point SASE Agent for Windows ARM devices is now available on the Downloads page for tenants running agent version 12.7 or later.

    Notes -

    • Currently supports Private Access (ZTNA) only.

    • Internet Access (SWG) support is planned for a future release.

    For more information, see Downloads.

  • Updatable Objects for Split Tunnelling – General Availability (GA)

    Updatable Objects are now generally available for use in Split Tunnelling rules. Administrators can reference dynamically updated address objects in split tunnel configurations, ensuring policies remain current without manual updates.

Enhancements

  • Platform Rebranding – Check Point SASE

    All platform UI elements, images, email templates, and API references now reflect the updated Check Point SASE branding.

  • User Profiles – Agent Uninstall Control

    Administrators can now control agent uninstall permissions independently of sign-out behaviour using a dedicated toggle in User Profiles.

    For more information, see User Configuration Profiles.

  • Agent Security Event Notification Control

    Administrators can control whether the SASE agent displays security event notifications to end users through a new toggle in User Profiles.

    Minimum Agent Version: 12.6

  • Tenant Restrictions – Save Disabled Rules

    Tenant Restrictions rules can now be saved in a disabled state. This allows administrators to prepare rules in advance without enforcing them immediately.

    For more information, see Tenant Restrictions.

  • Routes – Export to CSV

    The Routes page now includes an Export to CSV option, enabling administrators to download route configurations for offline review and reporting.

  • User Applications Page – Improved Name Display

    Long application names on the User Applications page now wrap to two lines instead of being truncated.

Resolved Issues

  • Improved DNS resolution reliability, preventing sporadic failures when SASE agents reconnect.

  • Ensured users remain signed in to the agent when the sign-out timeout is disabled.

  • Prevented duplicate user records during provisioning via Entra ID SCIM integration.

  • Ensured Internet Access and Device Posture policies are applied correctly after JWT token renewal.

  • Resolved errors when editing Enhanced Networks IPsec tunnel configurations.

  • Ensured network traffic is distributed correctly across tunnels when ECMP is enabled.

  • Ensured existing routes are preserved when adding new routes to tunnels.

March

Early Availability

  • Web RDP – NLA Authentication Support

    End users accessing Web RDP applications with NLA security mode are now prompted to enter RDP credentials directly in the browser. Supports both Standard and Enhanced Networks.

    Requires a new network or upgrade to the latest version. For more information, see the SASE Administration Guide.

  • Enhanced Network IPsec Redundancy

    Admins can now create dynamic IPsec tunnels with multiple terminations in the same region, enabling active-active HA setups.

    Not supported with Quantum/Spark devices. Requires a new network or upgrade to the latest version.

  • Block Websites with Invalid Certificates

    Admins can enforce blocking of websites with expired, revoked, self-signed, or untrusted certificates, preventing end users from accessing potentially unsafe sites.

    Minimum Agent Version: Windows/macOS v12.6

  • Security Events Notification Control

    Admins can now disable end-user security event notifications and enforce this setting across the organization. By default, users receive notifications and can toggle this setting individually until it is enforced.

    Minimum Agent Version: Windows/macOS v12.6

  • Updatable Objects Support for Internet Access

    Updatable Objects, which are dynamically maintained and automatically updated objects managed by Check Point, are now supported in Internet Access policies. This extends Updatable Objects support beyond Split Tunneling (introduced February 2026).

    Minimum Agent Version: Windows/macOS v12.6

New Features

  • Canada Data Residency

    Check Point SASE now supports Canada as its fifth data residency region (joining US, EU, IN, and AU). Canadian organizations can process and store SASE data locally, including traffic inspection, session data, logs, metadata, and configuration. Full platform access includes Private Access (ZTNA), Internet Access (SWG), and SaaS Security.

  • New Check Point SASE Point of Presence – Perth

    Check Point SASE has expanded its regional coverage with a new Point of Presence (PoP) in Perth, Australia.

  • SaaS + SASE Integration

    Admins can now access a unified view of SaaS Security and SASE in a single location within the SASE platform, providing SaaS visibility and controls alongside Private Access and Internet Access.

  • Unified Internet Access Policy with Quantum – General Availability (GA)

    The unified Internet Access policy with Quantum is now generally available, enabling consistent web security policy enforcement across SASE and Check Point Quantum gateways from a single policy definition.

Enhancements

  • Enhanced Networks – Regional Expansion

    Enhanced Networks are now available in Hong Kong, Istanbul, and Taipei.

  • Check Point SASE Rebranding

    The platform has been rebranded from Check Point SASE to Check Point SASE, aligning with the broader Check Point Portal rebranding.

  • Tenant Restrictions – Failed Login Attempt Logging

    Failed login attempts blocked by Tenant Restrictions rules are now logged, providing better visibility into unauthorized access attempts.

    Minimum Agent Version: 12.7

  • HTTPS Inspection – Bypass Traffic Logging

    Admins can now view logs for traffic excluded from HTTPS inspection, providing visibility into bypassed traffic.

    Minimum Agent Version: 12.7

  • IOC – Infinity Portal Integration

    IOC management is now supported through the Infinity Portal, enabling centralized handling of indicators of compromise across the SASE platform.

    Minimum Agent Version: 12.7

  • Security Profiles – Full Threat Emulation Event Logging

    Admins can now log all Threat Emulation verdicts, including non-malicious files, providing full visibility into file inspection outcomes.

    Minimum Agent Version: 12.7

Resolved Issues

N/A

February

Early Availability

  • Updatable Objects Support in Split Tunneling

    Split Tunneling rules can now reference Updatable Objects, which are dynamically maintained network objects that automatically update based on vendor-managed or predefined feeds. This enhancement eliminates manual IP address and FQDN maintenance and ensures that Split Tunneling policies remain accurate as vendor endpoints change.

    Minimum Agent Version: Windows: 12.5

    For more information, see Updatable Objects.

  • Pre-Login Authentication for Windows

    Administrators can now enable a secure tunnel before OS login using second-device authentication. This enables seamless access to private organizational resources, such as Active Directory, when users work remotely or outside the corporate network.

    Minimum Agent Version: Windows: 12.5

    For more information, see Pre-Login Tunnel Connection for Windows.

New Features

  • New Built-in Role – Security Manager

    A new Security Manager built-in role is now available in Check Point SASE. This role enables organizations to delegate security operations and monitoring. It is available to both direct and MSSP customers.

    Users assigned this role can:

    • Access Internet Access configuration

    • Define Data Loss Prevention (DLP) policies

    • Manage Objects configuration (Addresses and Custom URLs)

    • View and investigate Security Events

    For more information, see Member Roles and Permissions.

  • New Check Point SASE Point of Presence – Hong Kong

    Check Point SASE has expanded its regional coverage with a new Point of Presence (PoP) in Hong Kong.

    For more information, see Regions and Point-of-Presence.

  • Public API Support for FQDN Object Type

    Administrators can now manage Fully Qualified Domain Name (FQDN) address objects through the Public API.

    This enhancement enables:

    • Programmatic creation of FQDN objects

    • Retrieval of FQDN object configurations

    • Updates to existing FQDN objects

    • Deletion of FQDN objects

    For more information, see the API documentation.

  • Tunnel Down Notification via Playblocks

    Administrators can now configure automated notifications when a network tunnel goes down.

    Notifications can be delivered through:

    • Slack

    • Microsoft Teams

    • Email

    • SMS

    Supported capabilities include:

    • Immediate alerts when a tunnel state changes

    • Consolidated summary notifications at configurable intervals

    • Configurable silence windows to reduce alert noise

    • Exclusion of specific tunnels from monitoring

    Availability: Available for Infinity Portal tenants in US and EU regions.

Enhancements

  • Tenant Restrictions – Domain Validation

    Tenant Restriction rules now enforce the use of domain values in entries.

    This enhancement:

    • Prevents the use of invalid formats

    • Improves policy consistency

    • Reduces configuration errors

    • Strengthens enforcement accuracy

    For more information, see Tenant Restrictions.

Resolved Issues

N/A

January

Early Availability

  • Firewall Logging Granularity

    Administrators can now configure logging per firewall rule, enabling logs for both Allowed and Blocked rules. This provides deeper visibility and improved troubleshooting of firewall policies.

    Notes:

    • New customers automatically receive firewall logging granularity.

    • Existing customers without firewall logging enabled can now enable it with granularity.

    • Firewall logging is not supported for gateways created in the past with one CPU.

    • Firewall logging granularity requires coordination with a support engineer for deployment.

New Features

  • Granular Role Support for MSSP Parent Users – General Availability (GA)

    The Check Point Portal now supports granular SASE service roles for MSSP Parent users, expanding beyond the previous admin-only model. MSSPs can assign roles directly or via Infinity User Groups, enabling least-privilege access and clearer separation of duties. Supported roles include:

    • Security Manager

    • Network Manager

    • User Manager

    • Admin

  • Infinity Audits for SASE – General Availability (GA)

    SASE now integrates with Infinity Audits, making member activity and administrator actions visible directly in the Infinity Portal.

    When Infinity Event Forwarding is enabled, these audit events are also exported to your SIEM alongside other security events.

  • SCIM Sync User Duplication Prevention with Entra ID – General Availability (GA)

    Enhanced SCIM mapping for Azure/Entra ID allows SASE to consistently identify users using the Entra ID unique identifier during provisioning and login.

    This ensures that changes to user attributes such as email or UPN do not result in duplicate user records. As a result, existing access and group memberships are preserved, providing more reliable SSO behavior and reducing operational overhead for teams managing Entra ID–based environments.

Enhancements

  • Idle Member Automatic Sign-Out

    Administrators can now automatically sign out users from idle or unattended devices, reducing exposure from inactive sessions and strengthening endpoint security.

  • Device Posture Check – Certificate Issuer & Root CA Validation

    Device Posture Check (DPC) now includes an additional validation for device certificates, verifying the certificate issuer, validity, and matching private key. This strengthens device trust and compliance posture.

  • Agent Reset Button Control

    Administrators can now control whether the Reset Agent button is visible to end users, helping prevent accidental resets and improving manageability in controlled environments.

Resolved Issues

N/A