Check Point Harmony Endpoint Room for Improvement
Network Security Engineer at a financial services firm with 51-200 employees
It would be ideal if they had a migration tool of some sort.
There were some caveats that we encountered on the new Management Station. For example, they had some features that were not supported by older clients. There are the clients that are running on the laptops, and there are the Management Stations, and then we had one on-premise, which was older in terms of the clients that we were running. Then we had the new Management Station in the Cloud that Check Point is administering as it is a SaaS, which is a benefit.
The newer Management Station has features that it enforced on the clients that the clients weren't able to support. For example, Windows Service or Windows Subsystem Linux. Everyone in my company that uses Windows Subsystem Linux, which is about 15 or 20 people, that need it on a daily basis, were running the older clients of course, as they were migrated over the new Management Station and they weren't allowed to use that. It was being blocked automatically due to the fact that that was the new policy being enforced that was literally a tick box in the new Management Station that I didn't set. Even if I enabled WSL, it didn't matter. The older clients couldn't take advantage of the new newer Management Station telling them to use it. That was annoying trying to troubleshoot that and figure it out. tNo one at Check Point really knew that was the problem. It took a while to resolve. We finally figured out upgrading may solve the problem. When we did that, we upgraded those users, however, that created a little bit of an issue in the company, as we upgraded those users. We like to test them with a small group and make sure they're stable and make sure nothing weird happens. We were forced to upgrade them without testing first.
One thing they still haven't improved on from the old Management Station to the new Management Station, which should totally be an improvement, is when you create a Site List for the VPN clients and you deploy it from the Management Station, you are not able to get that Site List. You have to play around with something called the Track File, which is a miserable process. You have to download the client, decrypt the Track File, edit it, then upload it again to the Management Station and download the client a second time and then test it and make sure the Track File's in the right order of sites as well, due to the fact that it's kind of random how it decides to order the Site List. The Site List is what the clients use to connect to the VPN Gateway, and if you have more than one gateway, for example, for disaster recovery, which we do, then they'll need that list.
It's something they've never improved on, which I was hoping by going to the cloud and having this whole thing recreated. Since it's more advanced I thought they'd have that ability to edit the Site List with the initial download. You should be able to just add the sites and then that's it. That kind of sucks that you can't.
Other than that, the only other thing I could complain about was that they did this process where they did some type of certificate update on the backend of all of their staff solutions. That created downtime for our VPN clients and they didn't notify us of the certificate update. We're using the product in their cloud as opposed to their product on-premise, which seemed to be more stable in that regard. They didn't communicate that out. However, when we spoke to support after about a week, they told us there was this thing they did the past week, and that's the reason why we had that problem. Everyone that had that product had that problem. That really wasn't ideal.
Network Technical Specialist at a manufacturing company with 10,001+ employees
We do like the product, although there are quite a few things that we're asking our Check Point account team to enhance, where we think we probably could get more features from it.
We use a couple of Check Point products, like SmartEvent, and SandBlast Agent is not really integrated into that. We haven't gotten the reports working yet. We are working with the account team and trying. As I said, it's still relatively new in terms of what we're trying to achieve. We probably should have had more Professional Services come and help us. But, from our company's point of view, especially at this time in the market, the finances are just not there. But from what I've seen so far, I don't think there's enough integration into SmartEvent. That's something that I've asked our account team to try to focus on in the next versions or as an enhancement request.
Integration and deployment are probably the weakest points, and maybe service as well, although they are still at the high end. Would we go out to market and buy this on its own? Probably not, is the honest answer. But because it is a Check Point product and the licensing comes as part of it, it gives us this time to go and prove that, when it's together with all the other products that we have from Check Point, it certainly integrates very well. Would I go and buy this just as a standalone service if we didn't have Check Point firewalls? Probably not.View full review »
The Threat Hunting module is not available for on-premises deployment.
The user has to connect using the VPN to take Policy Server updates when the solution is hosted on-premises. This adds overhead, as the user has to connect to the corporate network to get the policy.
In the case of a hybrid setup where the Policy and Management Server is on the cloud, the Sandbox appliance has to be on-premises.
Policy configuration and deployment are complex.
The application control and URL filtering features are not very strong.
Application Control databases are generated locally and it does not provide any visibility to the admin on which applications are installed on the endpoint.
The solution is supported only on Windows and MAC and not any other platform.View full review »
Check Point Harmony Endpoint
Learn what your peers think about Check Point Harmony Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: October 2022.
635,987 professionals have used our research since 2012.
The only two bug bearers of Check Point SandBlast that I have come across are as follows:
Sometimes, the Cloud Management Portal can become unresponsive or take a long time to process a query. This in turn will cause the browser to freeze, which will require closing and reopening of your browser.
The second is that getting useful "administrator" information requires digging into the policy rules via a second management agent installed on your computer. However, once installed, it is easy to navigate and use so is more of a slight inconvenience than a major issue.
Some areas of improvement could be :
1. Making the user interface on the server more intuitive and user-friendly.
2. Making it easier for the user to do tuning and configuration to the server or the client application. For example, to turn off notifications, the user should be able to do that with some clicks on the user interface instead of searching and reading about how to do it in the knowledge base first and then trying to do it.
3. Our application version is quite old, and Check Point already released a newer version for endpoint protection, which includes a cloud version. After doing some trials, we see that Check Point already made many improvements to the features and user interface.View full review »
Endpoint vulnerability management is one of the modules I believe is missing and it is something that is required. I recommend adding this feature in an upcoming release as it will provide complete visibility of endpoint vulnerabilities.
Endpoint Patching is another good feature that could be added and is required to mitigate vulnerabilities.
Currently, the DLP Module is not available and it is one of the requirements from an endpoint perspective. It would be good to add in an upcoming release.
There needs to be improved integration with the on-premises/Azure AD.
Software deployment needs to be added.View full review »
We'd like it if the solution continued to add new features. For example, what would be specifically useful to us is a feature that allows threat hunting. They may be already working on that or have something available, however, we need something robust and effective.
I'm not sure if they need to improve anything right now. They are already developing new aspects that are quite innovative.
The only thing that our customers want, is lower prices.View full review »
It is a very complete product but you have to know how to parameterize it well to avoid high CPU consumption.
SandBlast Agent had moments in which it had a high load, we escalated it to the CheckPoint support that helped us to stabilize it. We had a problem with the parameterization of the solution. Once corrected by following the CheckPoint instructions, everything worked normally again.
It is also missed that it does not have a Linux client since some administrators use this type of operating system.
They could be focused on the analysis of USB devices. It has the ability to block the use of USB storage memories until it is completely scanned for any virus or threat. We need to ensure that the USB device will not be available until the scan has been completed, however, this may represent a malfunction when using other tools such as Rufus, as, by blocking access to USB drives, Harmony Endpoint will block access to these drives, thus Rufus will not be properly detecting USB drives and therefore it cannot operate properly.View full review »
IT Manager at First National Bank in Philip
The Infinity Portal login is "iffy" at times. I would like to restrict it to only US traffic, however, due to the hosting in the cloud, it sometimes retrieves data from the EU and across seas.
Also, if there was a way to simplify the SmartConsole login more, there could be an opportunity to take away some clicks to log in. Navigating back to the browser to log in through that portal site just makes for a more extended login transition. Just have the MFA capability right there on the local application and be done with it.View full review »
Some problems that I have had with this and other Check Point tools in the cloud is when entering the portal since it stops responding or takes a long time to process a query and this causes delays and efficiency.
They should also add new functions such as threat hunting.
Finally, it should be able to implement with and have a good integration and interaction with Azure in the management of vulnerabilities, and data management that between the two can be integrated 100% with Check Point Harmony Endpoint and thus be able to make good automated management.View full review »
Support's service and the response times can be improved. The triaging of the tickets takes a long time and the tickets are only resolved with escalations.
With respect to the product, we feel Endpoint vulnerability management is one of the modules that is missing and it is something that is required. Adding this will strengthen the product and help in taking proactive steps towards protecting the environment.
DLP Module & Patching are required from an endpoint perspective. It would be good to add those in an upcoming release/version.View full review »
Head of Security and Operational Risk at Medianet
It would also be great to include DLP capabilities for the endpoint so that we do not have to deploy additional agents on servers or PCs or use additional products.
It would also be great to include FIM capabilities for the Endpoint so that we do not have to deploy additional agents on servers or PCs or use additional products.
It would be great if we could have additional DLP capabilities to identify personal information or any kind of information to comply with regulations that require information protection.View full review »
IT Manager at a renewables & environment company with 51-200 employees
The web filter service could be improved. It would be great to have a self-service user request for sites. An administrator would still need to approve, however.
The block screen could have a nicer screen or allow it to be customized.
The list of exceptions for URLs could be improved with a separate screen for a large list of exceptions. Having the same exception list for mobile and endpoints would be great.
We are hoping to transition to the SOC based service. Think this is still new; we're looking forward to get more information and test.View full review »
IT Security Manager at a manufacturing company with 1,001-5,000 employees
Unfortunately, the web (cloud) management system and log search performance are quite bad. Sometimes it takes longer to perform simple tasks and scrolling the results of the log is annoying due to frequent refreshes.
The exception management was always the Achilles' heel of Check Point products. It was a bit improved in Harmony, still, you can't for example exclude a site from anti-phishing form checks (which could take a few secs) while not excluding it from attachment scanning.
The forensics module still doesn't allow for HTTPS URLs entered by users. You are limited to DNS search or IP lookup. This doesn't make sense from a technical standpoint as the URLs are passing Harmony checks so they are known to the solution.
Anti-phishing cannot scan a form located inside an HTML e-mail attachment (which is a common practice in real-life attacks).
Senior Security Specialist at Tech Mahindra Limited
The solution has limitations if it's hosted on-premise or as a SaaS. You need to plan accordingly on the model that suits the organization. On-Premise, for example, does not support threat hunting. Hosting on the cloud will have an impact on the user who is connecting to a central location for internet access as it will add infra cost.
We also need to look over the expertise of the support executives who require more training and focus as well in this service area and if we can think over the cost of the product.View full review »
Personally, I'm looking forward to separating server management policies. They could improve memory consumption. Once we installed a CP agent in our system, we found that it was consuming more memory. Even a normal configuration system can be hung.
Malware detection is an add-on plan that can't be added on. It's the most important part of endpoint security. There's a forensic addon which is very important after threat hunting against attacks.View full review »
We did have some early compatibility issues, which I hope Check Point has since resolved.
As each project varies, anything that may be missing, in terms of features, would become obvious during a POC. Check Point has pretty much everything, however, it could be better in terms of working with Mac products. However, this is typical of other solutions and Apple.View full review »
CISO, CIO, AVP at CIANS ANALYTICS PVT. LTD
There are improvements required in terms of accuracy. It gives you an alert for malicious sites, which, after searching on the Google database, don't come out to be the same.
There can be scenarios where specific planning will be required before even giving thought to implementing it into an organization - be it small, medium, or large. Everything needs to be organized with respect to each particular organization. There has to be proper requirement gathering and a plan for the SOW to work accordingly.
I would suggest that the Check Point team always allocates an SME to all the vendors before implementation as it will improve the first impression. In my case, I had pretty much faced disaster after implementation that I would not suggest anybody go with the product.
The product needs to improve the security infra.View full review »
Engineer at Harbers ICT
It would be useful if you could also mark blocks as safe from a client. Now users always have to ask an admin to make exclusions.
In addition, it is also very desirable that there is support for Windows Server core machines.
In addition, it would also be useful if administrators could create exclusions directly from logging into the admin portal, instead of only being told where and how to add the exclusion. This will save work.
It would also perhaps be useful if you could connect from one endpoint directly to another tenant. Instead of having to roll out the endpoint again.View full review »
Chief Technology Officer at a tech services company with 11-50 employees
Technical support needs to be improved, along with the response time. The technical team or any product team should liaise with us and help to deploy the solution to the first few customers so that we can roll out to the rest of the customers.
They need to improve the licensing process as well so that it is easier for the end user. At present, we have to wait one to two weeks to get a license, which is not productive. The process is not very smooth or convenient for the end user because Check Point Harmony Endpoint provides two login portals. One is for licensing, and the other is for management.
In the future, I would like to the management portal and the licensing portal be integrated or changed to a single sign-on because that will be good for both the panel and the user. If they can make it very convenient for deployment and monitoring, it would be good.
If we could get technical support in Singapore, then it will be helpful for our customers.View full review »
Manager of IT Security at a healthcare company with 5,001-10,000 employees
Check Point users a pattern-based security module, which is something that can be improved. Pattern-based security is not the latest architecture and it is insufficient because every day, there are approximately 380,000 new vulnerabilities and threats. Using patterns is difficult because the threats can hide.View full review »
CEO / direktor at S3Next
We need a higher maximum file size in the sandboxing feature.
Maybe the exceptions could be made much more understandable and easy to use.
There should be an option added to temporarily disable the protection of all or some blades for testing reasons.
The email and Office solution could have some options for exceptions, for example: don't scan e-mails sent to the local PDF scanner e-mail address.
Maybe an option to auto-upgrade the client version to the next stable release of the client software would be nice.
A D C R
Cloud Support - Security Admin at a tech company with 1-10 employees
We have few disadvantages or improvement points. However, the Infinity Portal sometimes requires more performance. It is a small detail. However, it could be improved.
On the other hand, it is also essential that the manufacturer improves the public documentation so that users can better understand how it can be implemented with best practices.
Finally, at the support level, we believe that Check Point can improve. Sometimes the answers are provided at dawn, which makes it more challenging to solve.View full review »
I still don't have a clear opinion of the possible improvements that the tool may need. There are still functionalities that I have not been able to try completely and I would like to spend more time using the tool before offering an opinion to the IT Central community on this point.
Something that is very important to me is the remediation or recovery capabilities after an attack. From what I have seen so far, this tool maintains the quality line of Check Point products and is always ahead of the needs of the market.View full review »
Mobile users are reluctant to actually use the solution.
Check Point should focus on providing more compliant solutions, such as compliant for cloud-specific solutions. The digital footprint can be minimized, and then the Legacy VPNs can also be streamlined. As of now, most of the connectivity partners use Legacy VPNs to connect to their DC or their service partners. Legacy VPNs and digital footprints should be minimized.
Brand Manager at Corporation Sekiura S.A.C.E.I.
The Check Point Harmony Endpoint is a very complete solution. Even in the most basic version, it already includes EDR, which today is very important and something that all endpoint solutions should consider having from the most basic versions. We would like to have one more step and that's to give and have full-disk encryption.
Compared to other brands, we would like a dedicated anti-spam to be included in order to close the full circle. We could have it with Check Point Endpoint, mobile, cloud, or firewall. An all-in-one console would be great.View full review »
Field Services IT Desktop Support Supervisor at a government with 5,001-10,000 employees
The solution is mostly very good. The reason why I'm trying to compare it with FireEye is due to the fact that it's supposed to be a mandate by the State. We are trying to justify the fact that we don't need to change our environment. For example, if the only thing that they want is to provide reports for the State, then that's a different story. We can customize the reports based on what they're asking for. We don't need to change or want to, however, the State may require us to.
Technical support can be a bit slow at times.View full review »
It is one of the best, however, with respect to its support on iOS and Android, it can improve a little more.
Something worth mentioning is the need for support in Spanish and better representation for teams in the Latin American area, where there is a growing demand for these IT services and new technologies.
Its guides are identical to the existing ones. These guides should be updated, and they should improve their design.
Let people try it, and it will quickly remote users.View full review »
Project Manager at SANDETEL
After using Harmony for six months, I still don't have a clear vision of the possible improvements that the tool may need. There are still functionalities that I have not been able to fully test and I would like to spend more time using the tool before offering an opinion to the IT Central community on this point. What is very important, in my opinion, is the remediation or recovery capabilities after an attack. From what I have seen so far, this tool aligns with the quality of Check Point products and the evolution it has is correct and logical. Check Point is always ahead of the needs of the market.View full review »
Head of IT Operations at Puerta de Hierro Hospitals
There needs to be compatibility with the most recent versions of the various operating systems. They need to be up-to-date with the signatures of new viruses and the latest ramsonware. With the encompassing of all its solutions in one platform, there should be artificial intelligence for specific analysis to thus be able to anticipate and detect unique risks to the organization.
To be able to count on the administration console on any device and online cloud would be ideal. We would like there to be no need to install clients as executables.View full review »
Support at a tech services company with 51-200 employees
The improvements that can be mentioned are few. The solution and its architecture are very well done.
The Check Point Infinity Portal sometimes has some latency or performance issues that are slightly worse, affecting user management. It cannot be improved by the customer.
We would also like to make the documentation for more modern solutions like the Harmony family easier to find. That way, we can implement these solutions with the best practices recommended by the manufacturer.View full review »
Security Analyst at Infosys Ltd
More development in Linux may help, however, the fact that the product could also have some more documentation as suggestions on what to do may also help.
The product may take some time to navigate at first but apart from that the log ingesting and working on getting a client installed may take some time.
I would like to see more automation.
Also, encryption management is not made available in all versions but if it could be extended that would be great. Sometimes it may take some slight delay, however, it's nothing too bad.View full review »
The product is fine. They can perhaps improve the way they provide the documentation or the Check Point technical support could be a little faster. For example, how Microsoft handles the support to its customers is great. At least the cloud part is quite fast, effective, and global.
They could provide greater ease for the issue of cost. Only through a partner is it possible to solve these concerns.
It would be quite good to publish a little more on the website and thus provide more information to the client.View full review »
I would suggest that the Check Point team always allocates an SME to all the vendors before implementation. This will help when the endpoint agent cannot integrate with another product or third party. It could expand the functionalities too. In addition to security functionality, they could incorporate Mobile Device Management (MDM) functionalities such as remote device management, administration of installed applications, et cetera.
The solution needs more alerts to warn of attacks.View full review »
Manager, IT Infrastructure and Security at Control Southern Inc.
The product updates are a manual process for my administrator and can take several hours out of his day. I understand this is partially due to the Windows version limitations. When you do need to update the client version it is pretty easy. Usually, it's a case of the end-user not being online to accept the push of the software. That is where it can take up a few hours of my administrator's time. The administrator has to wait and email for our technicians to go to an internet available area. It is usually not a big deal, however, it can take time.View full review »
IT Security Officer at a tech services company with 1,001-5,000 employees
Sometimes the portal loads slowly which should be improved.
There should be an easy option for the administrator to turn off or disable malware protection on a specific asset or computer instead of adding a specific asset in a Disable group as that will make it easy for the admin to disable if and when required for some testing purpose. I would like this feature to be added.
Logs searching also needs to be more quick and enhanced and more metadata should be stored in the logs for Endpoint for a better view for admins.View full review »
Supervisor Tecnico at Grupo MCoutinho
The lack of time setting for policy application, for example, from 8 am to 9 am, to have a policy applied and then from 9 am to 10 am for another one.
A more responsive UI would be nice. Sometimes, with a lot of clients (1,000) the UI is a bit sluggish.
The operation of reinstalling a machine also requires a bit of work since we have to delete the object before installing the app on a formatted operating system. It should be able to lock settings and licenses to the machine ID that never changes with an OS installation.View full review »
CISO at a financial services firm with 51-200 employees
Everything can always be improved. Specifically, there are gaps when it comes to security.View full review »
Check Point Harmony Endpoint could improve by allowing it to work on older systems by reducing the system requirements. Since our systems are dated we can only use the antivirus module features.
Engineer at a tech services company with 51-200 employees
We cannot integrate this product with other solutions, which is something that should be improved. I believe that it is in the roadmap.
Other vendors have some non-security-related features in their endpoint protection solutions that should be implemented in this one.View full review »
The price of the product could be more friendly.View full review »
Assitant Manager - IT Support at a outsourcing company with 1,001-5,000 employees
Tech Support must be better. Whenever we log a case for any issue it takes too much time to get it sorted. There should be escalation by default. If the case is not being sorted quickly, it must get internally escalated to the team who are experts and they should be empowered to jump in to get the issue fixed. Many times, we have to be on it for weeks to come to a proper resolution.
Website blocking and endpoint levels are still a challenge and there needs to be a more sophisticated solution. We are looking forward to having this product work more efficiently.View full review »
Check Point Harmony Endpoint could improve mobile device management (MDM).View full review »
Pre-Sales Engineer at a tech services company with 51-200 employees
The solutions agent could have better performance, it is a little slow sometimes.View full review »
Cybersecurity Architect at a computer software company with 201-500 employees
The management in Check Point Harmony Endpoint could be improved.
In a future release, the solution could add more threat intelligence features.View full review »
Technical Engineer at a tech services company with 11-50 employees
An additional feature I would like to see involves the VPN.View full review »
Check Point Harmony Endpoint
Learn what your peers think about Check Point Harmony Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: October 2022.
635,987 professionals have used our research since 2012.