2026

• Updatable Objects Support in Split Tunneling
  Split Tunneling rules can now reference Updatable Objects, which are dynamically maintained network objects that automatically update based on vendor-managed or predefined feeds. This enhancement eliminates manual IP address and FQDN maintenance and ensures that Split Tunneling policies remain accurate as vendor endpoints change.
  Minimum Agent Version: Windows: 12.5

  For more information, see Updatable Objects.

• Pre-Login Authentication for Windows
  Administrators can now enable a secure tunnel before OS login using second-device authentication. This enables seamless access to private organizational resources, such as Active Directory, when users work remotely or outside the corporate network.
  Minimum Agent Version: Windows: 12.5
  For more information, see Pre-Login Tunnel Connection for Windows

• New Built-in Role – Security Manager
  A new Security Manager built-in role is now available in Harmony SASE. This role enables organizations to delegate security operations and monitoring. It is available to both direct and MSSP customers.
  Users assigned with this role can:

  • Access Internet Access configuration

  • Define Data Loss Prevention (DLP) policies

  • Manage Objects configuration (Addresses and Custom URLs)

  • View and investigate Security Events

  For more information, see Member Roles and Permissions.

• New Harmony SASE Point of Presence – Hong Kong

  Harmony SASE has expanded its regional coverage with a new Point of Presence (PoP) in Hong Kong.

  For more information, see Regions and Point-of-Presence.

• Public API Support for FQDN Object Type

  Administrators can now manage Fully Qualified Domain Name (FQDN) address objects through the Public API.

  This enhancement enables:

  • Programmatic creation of FQDN objects

  • Retrieval of FQDN object configurations

  • Updates to existing FQDN objects

  • Deletion of FQDN objects

  For more information, see the API documentation.

• Tunnel Down Notification via Playblocks

  Administrators can now configure automated notifications when a network tunnel goes down.

  Notifications can be delivered through:

  • Slack

  • Microsoft Teams

  • Email

  • SMS

  Supported capabilities include:

  • Immediate alerts when a tunnel state changes

  • Consolidated summary notifications at configurable intervals

  • Configurable silence windows to reduce alert noise

  • Exclusion of specific tunnels from monitoring

  Availability: Available for Infinity Portal tenants in US and EU regions.

Tenant Restrictions – Domain Validation

Tenant Restriction rules now enforce the use of domain values in entries.

This enhancement:

• Prevents the use of invalid formats

• Improves policy consistency

• Reduces configuration errors

• Strengthens enforcement accuracy

For more information, see Tenant Restrictions.

• Firewall Logging Granularity

  Administrators can now configure logging per firewall rule, enabling logs for both Allowed and Blocked rules. This provides deeper visibility and improved troubleshooting of firewall policies.

  Notes: New customers automatically receive firewall logging granularity. Existing customers without firewall logging enabled can now enable it with granularity. Firewall logging is not supported for gateways created in the past with one CPU. Firewall logging granularity requires coordination with support engineer for deployment.

• Granular Role Support for MSSP Parent Users – General Availability (GA)

  The Check Point Portal now supports granular SASE service roles for MSSP Parent users, expanding beyond the previous admin-only model. MSSPs can assign roles directly or via Infinity User Groups, enabling least-privilege access and clearer separation of duties. Supported roles include:

  • Security Manager

  • Network Manager

  • User Manager

  • Admin

• Infinity Audits for SASE – General Availability (GA)

  SASE now integrates with Infinity Audits, making member activity and administrator actions visible directly in the Infinity Portal.

  When Infinity Event Forwarding is enabled, these audit events are also exported to your SIEM alongside other security events.

• SCIM Sync User Duplication Prevention with Entra ID – General Availability (GA)

  Enhanced SCIM mapping for Azure/Entra ID allows SASE to consistently identify users using the Entra ID unique identifier during provisioning and login.

  This ensures that changes to user attributes such as email or UPN do not result in duplicate user records. As a result, existing access and group memberships are preserved, providing more reliable SSO behavior and reducing operational overhead for teams managing Entra ID–based environments.

• Idle Member Automatic Sign-Out

  Administrators can now automatically sign out users from idle or unattended devices, reducing exposure from inactive sessions and strengthening endpoint security.

• Device Posture Check – Certificate Issuer & Root CA Validation

  Device Posture Check (DPC) now includes an additional validation for device certificates, verifying the certificate issuer, validity, and matching private key. This strengthens device trust and compliance posture.

• Agent Reset Button Control

  Administrators can now control whether the Reset Agent button is visible to end users, helping prevent accidental resets and improving manageability in controlled environments.