Check Point Harmony Endpoint Reviews

We wanted to consolidate a several-point solution to one endpoint. With so many new cyber threats and having a growing environment, what we had in place had too many gaps or grey areas between solutions and vendors. 

Also, with a rapid transition to hybrid working, we needed to reconsider our end point protection. Having used Check Point NGFW for five years, it seemed like a good fit. Also, the experience and long term position of Check Point in the security market gave us good confidence. This mature position in the market also helped with finding several resellers and experience.

There is one pane of glass to all end points, events, and incidents which is providing our team with a clear picture of the environment. We have already experienced several items that previously just got lost in the greyness of a multi-solution environment.

The rollout and management of devices were very simple. It allowed for a rollout of 200+ devices - all remote - in just a couple of weeks. Having cloud-based management also really helped get started, as, within the day, we had a POC running and just started to grow from there.

Cloud management and reporting are great. The management interface is very simple and easy to navigate. Just getting a logon to start is very helpful. The Check Point support at this stage was great. While it was very simple and intuitive, having someone talk over the defaults provided recommendations that helped us jump forward very easily.

Again, the cloud management service has a several inbuilt default reports which are easy to customize and provide more visibility than we have had previously with several solutions. 

The web filter service could be improved. It would be great to have a self-service user request for sites. An administrator would still need to approve, however. 

The block screen could have a nicer screen or allow it to be customized.

The list of exceptions for URLs could be improved with a separate screen for a large list of exceptions. Having the same exception list for mobile and endpoints would be great. 

We are hoping to transition to the SOC based service. Think this is still new; we're looking forward to get more information and test.

We just transitioned to Check Point Harmony, and have been running it now for six weeks.

Stability seems very strong, however, it's early days.

Scalability seems very strong, however, it is early days.

We don't know yet.

Positive

The move to hybrids has been working well during Covid.

The initial setup was not complex. 

We did both - we implemented through a vendor and in-house.

The product offers a great lower cost than previous solutions.

I'd advise users to talk to your Check Point partners or find a good one.

We spent a long time reviewing the marketplace and comparison sites however, we did not test anything.

I am very positive in terms of the solution and Check Point in general.

Our SOC team uses this solution to observe any unusual behavior or processes running on the endpoint. For example, it is used for phishing detection.

The data is ingested to Splunk.

One of the problems with assessing this type of product is that you don't always know when it's working. You will see when something is wrong, where no threat has been detected. If nothing has happened then you don't know if there was no threat, or instead, the protection was quite good. Also, if no threat is found then it may be that the solution is not good enough to detect these types of malicious activities.

The set of features is quite comprehensive.

The Endpoint security solution integrates with the Check Point firewall services, so it's a combined approach to security.

A unique feature with this product is that it will detect if the user is entering their password on a website, and then block it.

Check Point users a pattern-based security module, which is something that can be improved. Pattern-based security is not the latest architecture and it is insufficient because every day, there are approximately 380,000 new vulnerabilities and threats. Using patterns is difficult because the threats can hide.

I have been using Check Point Harmony Endpoint since I joined the company, several months ago. The company has been using it for longer.

From a stability perspective, I can say that we have had absolutely no problems.

We have not experienced any issues with scalability. We have more than 10,000 users in the company. The users are across a variety of roles. It's used by everybody. As our company grows, the usage also increases.

At this point, there is nowhere we can extend its usage.

I do not have personal experience with technical support so I can't assess them. However, I have heard that it is quite reasonable, so I think that it's fine.

We also use Microsoft Defender for Endpoint.

I am building my own opinion of which is better, between the Check Point product and the Microsoft product. Depending on where you do your research, you get different opinions, although much of that is supplier-driven.

In my former organization, I was using CrowdStrike. It has much better performance when looking only at processes.

I was not part of the implementation because it was in place when I joined the company. 

I have done research on several similar products to try and determine the best-in-class.

From my point of view, I can't see that any features are missing. My primary complaint is that it relies on patterns for threat detection. It does the job, we get our logs, and we get the relevant warnings. Overall, it's a good product.

I would rate this solution an eight out of ten.

There have been improvements in the way our organization functions, as, from an administrative perspective, and being available and taking upgrades out of our court if our users need it, it's going to be out there hanging off of AWS's internet or environment. There is no downtime.  

Theirs (AWS) is probably more highly available than ours. Other than that, it's supposed to be the same product that we were using. It's a Check Point Management Station to a Check Point Management Station in the cloud. Basically, it's not that much of a difference. We have upgraded all the clients since, and we're on one of the later versions of the VPN clients that are supported by the new Management Station. The old Management Station wasn't supporting the newer clients anymore.

The new clients seem to be faster and more stable. Those are improvements that everyone in the company can appreciate. They can VPN and connect faster. They're more resilient. I've noticed that they try to reconnect. If our internet goes out for 20 minutes and you VPN'd in, it will actually reconnect on its own at the same token, which is amazing. Before, if only the slightest instability of the internet connection disconnected you from VPN, you were then required to put in your RSA token and password, and username. That is annoying for people as a lot of people's WiFi's aren't that great and/or they're in some airport or something and might momentarily disconnect.

We love that we don't have to upgrade it anymore. They take care of that.

The upgrade process was nice with the new Management Station compared to the old one. I like how they have the clients already available. I didn't have to download them and upload them as I did with the old Management Station.

We're happy with the solution overall as it takes away the administrative overhead of operating it and patching it and being able to also sign in through the web browser anywhere as opposed to just having to VPN back to our work and connect to the Management Station in order to use it. We can just use the Check Point portal and just use any browser anywhere. That gives us more options, which we like. 

I've noticed they're constantly updating the interface and making it easier to use, which I appreciate. When we first started using it, it was really laggy and it was really slow and it was hard to sort some of the computers and users, however, they make updates almost every time that I log in. It gets better and better every day. It has gotten better and it's not as slow as it was.

There seem to be constant improvements happening, which you can't say for everything. We don't have to upgrade to get the benefits of the improvements, either. That takes a lot off of our plate and allows us to focus on other things. We're taking the good with the bad and the bad seem to be one-offs and we're looking forward to the future.

Therefore, the most valuable feature is its ability to take the management and the administration of the product off of our plate and onto their plate. We don't have to worry about upgrading it, creating downtime, working off-hours, doing all the research and stress of seeing if it's compatible, if there are problems, letting them test it. That's nice. Previously, we would upgrade our products or patch them maybe two to four times a year, depending on if there's a security vulnerability. Each time we do something like that, it was about three to four hours of downtime. Now, that process doesn't exist. 

Before, with on-premise, we had two Management Stations. One was primary, one was secondary and there were two different data centers in case one data center was down. The other one would come up and be the Management Station for all of the clients. Now, in this case, we only have one. It's in their cloud. Their cloud is in AWS. It's a great thing. It's resilient by design and it provides redundancy in a single source of administration for us. We like that too

It would be ideal if they had a migration tool of some sort.

There were some caveats that we encountered on the new Management Station. For example, they had some features that were not supported by older clients. There are the clients that are running on the laptops, and there are the Management Stations, and then we had one on-premise, which was older in terms of the clients that we were running. Then we had the new Management Station in the Cloud that Check Point is administering as it is a SaaS, which is a benefit.

The newer Management Station has features that it enforced on the clients that the clients weren't able to support. For example, Windows Service or Windows Subsystem Linux. Everyone in my company that uses Windows Subsystem Linux, which is about 15 or 20 people, that need it on a daily basis, were running the older clients of course, as they were migrated over the new Management Station and they weren't allowed to use that. It was being blocked automatically due to the fact that that was the new policy being enforced that was literally a tick box in the new Management Station that I didn't set. Even if I enabled WSL, it didn't matter. The older clients couldn't take advantage of the new newer Management Station telling them to use it. That was annoying trying to troubleshoot that and figure it out. tNo one at Check Point really knew that was the problem. It took a while to resolve. We finally figured out upgrading may solve the problem. When we did that, we upgraded those users, however, that created a little bit of an issue in the company, as we upgraded those users. We like to test them with a small group and make sure they're stable and make sure nothing weird happens. We were forced to upgrade them without testing first. 

One thing they still haven't improved on from the old Management Station to the new Management Station, which should totally be an improvement, is when you create a Site List for the VPN clients and you deploy it from the Management Station, you are not able to get that Site List. You have to play around with something called the Track File, which is a miserable process. You have to download the client, decrypt the Track File, edit it, then upload it again to the Management Station and download the client a second time and then test it and make sure the Track File's in the right order of sites as well, due to the fact that it's kind of random how it decides to order the Site List. The Site List is what the clients use to connect to the VPN Gateway, and if you have more than one gateway, for example, for disaster recovery, which we do, then they'll need that list.

It's something they've never improved on, which I was hoping by going to the cloud and having this whole thing recreated. Since it's more advanced I thought they'd have that ability to edit the Site List with the initial download. You should be able to just add the sites and then that's it. That kind of sucks that you can't. 

Other than that, the only other thing I could complain about was that they did this process where they did some type of certificate update on the backend of all of their staff solutions. That created downtime for our VPN clients and they didn't notify us of the certificate update. We're using the product in their cloud as opposed to their product on-premise, which seemed to be more stable in that regard. They didn't communicate that out. However, when we spoke to support after about a week, they told us there was this thing they did the past week, and that's the reason why we had that problem. Everyone that had that product had that problem. That really wasn't ideal.

I've been using the solution for about a year. Maybe a little bit more. 

We've been a Check Point shop for approximately 15 years. We're very well versed in Check Point.

Seeing that it's in the Cloud, I think it's very scalable and I am impressed with that aspect of it.

For this solution, in particular, we are using 100% of the Cloud VPN Management Station and all users are phoning home up into the cloud. We're going to stick with it unless they have some severe outages or certificate updates without telling us like they did last time. Right now, there's no reason for us to change and I'm very pleased with the product.

To set it up, we relied heavily on technical support as it was new. That said, it's really the same ball of wax, so we're good now. It was just the initial setup we needed help with as it was new to us. We hadn't done much. We had to learn how to connect our software clients to the cloud. We had to use special cloud keys that were proprietary to Check Point. It's like learning a new suite from Check Point. 

We literally got on this as it was cutting edge. We're like one of their first customers using their SaaS. We were using their VPN and Smart-1 Cloud before most people. When we were setting it up, we're setting it up with their actual product engineers or whatever. It was interesting.

They changed it a lot since we started setting it up. 

I'd call them to their support and they didn't even know about anything due to the fact that the support wasn't even trained on the cloud yet. They weren't even trained on their Smart-1. They would just say "we don't know about that yet and/or we can't help you." It was kind of funny. I told our sales team that and they got pissed.

They called them and they're like, no one should ever tell the customer that you don't know about this yet and it became a big deal in Check Point. 

That said, I'd rate their service as pretty high. I respect those in the endpoint or firewall department as they largely understand what's going on. At the same time, they do need to get people more people trained up. They don't seem to have trouble keeping people around for a few years so that they learn.

After signing up with Check Point, the migration of users took about a month and a half. 

We had to build out the Management Station in Check Point too and that took from probably January to almost July as we had to build it from scratch. They didn't have a migration tool for our current policy, as it enforces firewall policy on the endpoints locally on the local firewall and that wasn't ideal. We had to build that whole Management Station from scratch.

I had to go back and forth between the on-premise Management Station and the Cloud Management Station and literally look at every single feature, every single function, every single rule. I had to recreate every single object. I had to recreate every single everything. That took a very long time.

It was very manual. It's literally two screens and comparing items. That took a couple of months while doing other things, of course. However, that was my priority for about a month and a half. I worked on that a lot. I wish they had a migration tool, like a migrate export for the policy and the features. Once that was created, however, everything pretty much worked. That said, there were a couple of caveats. 

We're customers of Check Point.

I've been working on setting it up and migrating users from the on-premise platform since January of this year. This is their Cloud Endpoint, VPN Management Station versus their on-premise VPN Management Station for Endpoint. We had to migrate the users from the on-premise version using a special tool that you have to ask them to make, which is kind of weird, however, their product is so new that that's the way that they do it. I had to deploy that tool to all the users in our company and that switched them over to their Cloud Management Station.

I'd rate the solution at an eight out of ten. There's room for improvement, however, I respect it and it works well.

Check Point Endpoint Security is to protect our employee endpoints as we're currently working from home. The user is totally unaware of the cyber threats, so the basic functionality of endpoint security provides a lot more security. With it, any threat attack can be rebuffed. Any user downloading any suspicious data from the web will first have Check Point scan it deeply. If there's malware then it quarantines it. Otherwise, the user can access it. We're using it on a primary basis. We don't have any other solutions in place apart from the Check Point.

Harmony Endpoint is a complete endpoint security solution built to protect the remote workforce from today's complex threat landscape. 

It prevents the most imminent threats to the endpoint such as ransomware, phishing, or drive-by malware, while quickly minimizing breach impact with autonomous detection and response. That's how our organization improved its security. Before that, we didn't have the security to prevent such threats as ransomware, phishing, etc. Due to that, our IT environment is more secure and business has also increased.

The product offers advanced anti-malware and antivirus protection to protect, detect, and correct malware across multiple endpoint devices and operating systems. Proactive web security is available to ensure safe browsing on the web. Data classification and data loss prevention are there to prevent data loss and exfiltration.

SandBlast Agent defends endpoints and web browsers with a complete set of real-time advanced browser and endpoint protection technologies, including Threat
Emulation, Threat Extraction, Anti-Bot, and Zero Phishing. 

The zero-day prevention is very valuable.

Personally, I'm looking forward to separating server management policies. They could improve memory consumption. Once we installed a CP agent in our system, we found that it was consuming more memory. Even a normal configuration system can be hung.

Malware detection is an add-on plan that can't be added on. It's the most important part of endpoint security. There's a forensic addon which is very important after threat hunting against attacks.

I've been using this solution for two years.

 I haven't seen any corruption on the agent side. It's stable.

It's scalable. It always updates its malware database for security concerns on a daily basis

Technical support is good. You can raise a ticket with the CP support portal and a technician will contact you based on the severity.

Positive

I didn't have that much experience with anything else. When I was joined, our company was using the same solution.

The solution's initial setup is straightforward. Even new users can handle the process with help of online guidelines.

We used a vendor team and they were experts in what they were doing.

As a security solution, of course, it gives back lots of return on investment.

The setup cost is nothing. The licensing is costly due to the fact that, in return, it's giving the best security.

We started using the product months before the start of the pandemic. It is a robust solution for the protection of endpoints. It contains the classic antivirus, however, it has anti-bot and disk encryption functions (FDE) as well as the integration of a sandboxing for the consultation and download of files in a safe way (whether they are downloaded from a page or from an email).

It is a very complete tool for users who need to be able to connect from home or some other public access point since it has a VPN service, in addition to different layered-in security solutions.

The addition of Check Point's Harmony Endpoint as the main security tool for the company's collaborators has represented a reliable source of security since updates can be executed automatically or manually, as may be required. 

There's the possibility of being able to do the administration from the Check Point portal, maintaining control and visibility of the different security events at all times. 

Admin users are able to access an adjustable dashboard that shows the most relevant information about the status of the endoints and the statistics of threats found.

Without a doubt, the best security feature is Full Disk Encryption (FDE). In cases where the endpoint is stolen or lost, you are sure that the information will not be accessible without the access password being the correct, maintaining the confidentiality of files at all times.

In addition, if someone tries to extract the physical disk and places it as a removable disk in a PC, they will not have access to the information either, since the files are still encrypted, ensuring that this method of extracting the information does not work without the decryption key. 

They could be focused on the analysis of USB devices. It has the ability to block the use of USB storage memories until it is completely scanned for any virus or threat. We need to ensure that the USB device will not be available until the scan has been completed, however, this may represent a malfunction when using other tools such as Rufus, as, by blocking access to USB drives, Harmony Endpoint will block access to these drives, thus Rufus will not be properly detecting USB drives and therefore it cannot operate properly.

I've used the solution for one year and eight months.

I have had almost no problems with the execution of the software agent and it is very useful when I need to do research on the internet.

It is fully scalable by scheduling updates from the console. When the agent is updated it will be necessary to update the PC, however.

As a user, I have not had contact with the manufacturer's technical support.

Neutral

We did not use a different solution.

Although it is an intuitive configuration, due to the variety of blades available, it may take some time to complete the configuration. Everything will depend on the number of blades a company needs to configure.

We handled the implementation in-house.

Licensing is based on sizing and based on the number of users and the desired security blades. All versions include access to the Check Point web portal for administration.

We did not evaluate other options.

By acquiring this tool, companies will have a robust and reliable solution for endpoint protection.

This solution handles AV, malware, VPN, ransomware and so much more. It's a solution for all of our endpoints. We have 250 users spread out over the southeast US and they all connect back to corporate for onsite ERP. 

Most of our workforce is remote in offices or homes in Georgia, Alabama, Florida, and Tennessee. We also have technicians that work in plants with limited or no internet connectivity so when they get to a hotel or other public internet hotspots. The auto-connect to VPN is critical to them having a secure connection to our corporate network.

The solution has provided enhanced security on all endpoints for URL filtering, VPN, media encryption, and scanning. One of the most common responses from our clients is that they love the auto-connect of the VPN, yet hate that we scan all USB devices they plugin. 

When our technicians are working at a plant with no internet and they go to a public hot spot, the VPN auto-connecting to corporate secures their data back to corporate without them having to do anything. 

The scanning of ransomware has stopped dozens of attempts from malicious websites.

The anti-ransomware blade is great. It stops device encryption automatically and has caught hundreds of cases on client laptops. 

One of the coolest features is that it provides an HTML report on the laptop and the endpoint console for the administrator. It will show you the forensic report of where it came from and if it spread to other systems that have the endpoint client installed. 

The best thing is it never gets past the first client as it looks for bad behavior. If needed, you can open the console and allow it.

The product updates are a manual process for my administrator and can take several hours out of his day. I understand this is partially due to the Windows version limitations. When you do need to update the client version it is pretty easy. Usually, it's a case of the end-user not being online to accept the push of the software. That is where it can take up a few hours of my administrator's time. The administrator has to wait and email for our technicians to go to an internet available area. It is usually not a big deal, however, it can take time.

I've been using the solution for five years.

Kaspersky is suitable for small and medium-sized businesses (SMB), while Harmony is for enterprise segments. There are different requirements for enterprises versus SMBs. At an SMB, one administrator handles the firewall, network, and endpoints. You have more specialization in an enterprise. So at a larger scale, where you have a 5,000 or 10,000 users use case, Harmony helps pinpoint where security is lacking on a particular machine. 

Harmony's endpoint sandboxing is really good.

I haven't had any difficulty deploying Harmony for up to 5,000 users.

Check Point support is really good.

Harmony is very easy to deploy.

Check Point Harmony is definitely pricier compared to other endpoints.

I rate Check Point Harmony 10 out of 10. It's a unique product. It's the best in this class. I feel that Harmony is better than Crowd Strike or any other similar solution in that class. However, I would like to see more competitive pricing and better training for partners. 

We primarily use the solution for anti-malware. We installed it on around 300 systems. Since we required some application to safeguard ourselves in this situation of work from home, so we were evaluating Antimalware products. 

After some research, we finalized Check Point and took a demo. The product seems fine as per our scenario and fits current conditions. We were evaluating it for work-from-home situations. it had a multifeatured tool that helps in safeguarding the current digital attack vector for organizations of all types.

It helps in safeguarding our infra from malicious attacks. However, initially, we faced lots of challenges while implementation as the vendor who was implementing it made blunders, which resulted in chaos for the organization. 

Our team worked almost 24/7 for 3 to 4 weeks to resolve the issues. We haven't requested the encryption feature, yet they implemented it. Our laptops were already encrypted, so it started decryption and re-encryption, which was a nightmare for us. We are still facing a few challenges for which we couldn't find any reason for the issues we've since found that were not there before installation.

We found all features valuable - other than the encryption since we were already using that feature. Since we required some application to safeguard ourselves in this work from home situation. We were evaluating anti-malware products specifically. 

There can be scenarios where this encryption feature will be applicable and fruitful if it is implemented with proper planning and organized with respect to a particular organization. There have to be proper requirements gathering and a plan to work effectively.

There are improvements required in terms of accuracy. It gives you an alert for malicious sites, which, after searching on the Google database, don't come out to be the same.

There can be scenarios where specific planning will be required before even giving thought to implementing it into an organization - be it small, medium, or large. Everything needs to be organized with respect to each particular organization. There has to be proper requirement gathering and a plan for the SOW to work accordingly. 

I would suggest that the Check Point team always allocates an SME to all the vendors before implementation as it will improve the first impression. In my case, I had pretty much faced disaster after implementation that I would not suggest anybody go with the product.

The product needs to improve the security infra.

I've been using the solution for three months.

In terms of stability, I would rate it at a five out of ten. There were issues like once a version was installed and was not working properly, even the checkpoint team couldn't uninstall it and as a result, we had to format the system. few cases were reported for software installed but was not visible in the control panel.

The scalability is good.

Our ROI has been neutral.

Cost-wise it's cheaper than other options.

We did evaluate another solution. However, I can't reveal the name.