Check Pointintermediate

How to Configure URL Click-Time Protection in Harmony Email

Learn to configure URL rewriting, click-time protection, and link security settings in Check Point Harmony Email & Collaboration.

11 min readUpdated January 2025

Want us to handle this for you?

Get expert help →

Check Point Harmony Email & Collaboration includes Click-Time Protection, which rewrites URLs in emails and performs real-time security checks whenever users click links. This guide covers configuring URL protection policies, managing exceptions, and optimizing link security for your organization.

Prerequisites

Before configuring Click-Time Protection, ensure you have:

  • Harmony Email & Collaboration connected to Microsoft 365 or Google Workspace
  • Administrator access to the Check Point Infinity Portal
  • Protection policies enabled for email scanning
  • Understanding of your URL security requirements

Understanding Click-Time Protection

Click-Time Protection provides multiple security layers:

Protection LayerDescriptionWhen Applied
URL RewritingReplaces URLs with Check Point safe linksEmail delivery
Reputation CheckChecks URL against ThreatCloud databaseClick time
URL EmulationSandboxes suspicious URLs for analysisClick time
Redirect AnalysisFollows redirect chains to final destinationClick time
User TrackingIdentifies users who click malicious linksAfter click

Why Click-Time Protection Matters

Phishing attacks increasingly use time-delayed weaponization:

  1. Attacker sends email with clean URL
  2. Email passes initial security scans
  3. Attacker changes URL destination to malicious site
  4. User clicks link and reaches malicious content

Click-Time Protection defeats this by checking URLs when clicked, not just when delivered.

Step 1: Access Click-Time Protection Settings

  1. Sign in to https://portal.checkpoint.com
  2. Navigate to Harmony > Email & Collaboration
  3. Go to Security Settings in the left menu
  4. Click Security Engines
  5. Locate Click-Time Protection and click Configure

Step 2: Enable URL Rewriting

Configure which URLs are rewritten in emails.

Enable the Protection Engine

  1. In Click-Time Protection configuration, verify the engine is Enabled
  2. Configure URL rewriting scope:
OptionDescriptionRecommendation
All URLsRewrite every URL in emailsMaximum protection
External URLs onlySkip internal domain URLsBalanced approach
Suspicious URLs onlyRewrite flagged URLs onlyMinimal user impact
  1. Select All URLs for comprehensive protection
  2. Click Save

Configure URL Format

Choose the rewritten URL format:

  1. Scroll to URL Format section

  2. Select format version:

    • V1 (Legacy): https://protect.checkpoint.com/...?url=original
    • V2 (Current): https://protect.checkpoint.com/v2/___original_url___encrypted_blob

  3. V2 is recommended for improved security and compatibility

  4. Click Save

Step 3: Configure URL Protection Policy

Create policies that define how URL protection works.

Create a Click-Time Protection Policy

  1. Navigate to Policy in the left menu
  2. Click Add a New Policy Rule
  3. Under Choose SaaS, select your email platform:
    • Office 365 Mail for Microsoft 365
    • Gmail for Google Workspace
  4. Under Choose Security, select Click-Time Protection
  5. Click Next

Configure Policy Scope

  1. Rule Name: Enter a descriptive name (e.g., "URL Protection - All Users")
  2. Email Direction: Select scope:
    • Inbound: Protect incoming emails (recommended)
    • Outbound: Protect outgoing emails
    • Internal: Protect internal communications
  3. Apply to: Select users or groups
  4. Click Next
  1. Under Links Replacing, choose where to replace URLs:
LocationDescriptionRecommendation
Email BodyURLs in email text and HTMLYes
AttachmentsURLs inside Office documents, PDFsYes
Calendar InvitesURLs in meeting invitationsYes
SignatureURLs in email signaturesOptional
  1. Enable all locations for comprehensive protection
  2. Click Next

Configure Actions

  1. Under When malicious URL is detected at click time:

    • Block Access: Prevent navigation to malicious site (recommended)
    • Warn User: Show warning, allow user to proceed
    • Alert Only: Log event but allow access (testing only)

  2. Configure user notification:

    • Show block page: Display explanation when blocked
    • Custom message: Add organization-specific guidance

  3. Click Save

Step 4: Enable URL Emulation

Configure sandbox analysis for suspicious URLs.

Access Emulation Settings

  1. In Security Engines, click Configure for Click-Time Protection
  2. Scroll to URL Emulation section
  3. Enable URL Emulation inspection

Configure Emulation Behavior

SettingDescriptionRecommendation
Emulate all URLsSandbox every clicked URLMaximum security, may slow access
Emulate suspicious URLsSandbox flagged URLs onlyBalanced performance
Emulation timeoutMaximum analysis time30-60 seconds
  1. Select Emulate suspicious URLs for balanced protection
  2. Set appropriate timeout based on user tolerance
  3. Click Save

How URL Emulation Works

  1. User clicks rewritten URL
  2. Check Point checks ThreatCloud reputation
  3. If URL is suspicious or unknown:
    • Opens URL in isolated sandbox environment
    • Analyzes page behavior, downloads, redirects
    • Checks for credential harvesting, malware delivery
  4. Returns verdict: Safe, Suspicious, or Malicious
  5. Allows or blocks user access based on verdict

Step 5: Configure URL Hiding

Prevent users from bypassing protection by extracting original URLs.

Enable URL Hiding

  1. In Click-Time Protection configuration, scroll to URL Hiding

  2. Enable Hide original URL from rewritten links

  3. Configure hiding behavior:

    • Full hiding: Original URL not visible at all
    • Partial hiding: Domain visible, path hidden

  4. Click Save

Why Hide URLs?

Without URL hiding, users can:

  1. View the rewritten URL in their email client
  2. Extract the original URL from the Check Point link
  3. Navigate directly to the original URL, bypassing protection

URL hiding encrypts the original URL, preventing manual extraction.

Step 6: Configure Click-Time Exceptions

Manage URLs that should be allowed, blocked, or ignored.

Access Exception Settings

  1. Navigate to Security Settings > Exceptions
  2. Click Click-Time
  3. View exception types:
    • Allow-List: URLs that bypass checking
    • Block-List: URLs always blocked
    • Ignore-List: URLs not rewritten

Create Allow-List Entry

For trusted URLs that should bypass Click-Time checking:

  1. Select Allow-List from dropdown

  2. Click Add Exception

  3. Configure:

    • Name: Descriptive name (e.g., "Trusted Partner Portal")
    • URL/Domain: Enter URL or domain pattern
    • Match Type: Exact match, Contains, or Regex

  4. Click Save

Match TypeExampleMatches
Exacthttps://portal.partner.comOnly this exact URL
Containspartner.comAny URL containing this string
Domain*.partner.comAll subdomains of partner.com

Warning: Allow-listed URLs bypass security checks. Use sparingly and document all exceptions.

Create Block-List Entry

For URLs that should always be blocked:

  1. Select Block-List from dropdown
  2. Click Add Exception
  3. Configure URL pattern to block
  4. Click Save

Block-listed URLs are blocked regardless of reputation or emulation results.

Create Ignore-List Entry

For URLs that should not be rewritten (but still scanned at delivery):

  1. Select Ignore-List from dropdown

  2. Click Add Exception

  3. Configure:

    • URL pattern: URLs to exclude from rewriting
    • Reason: Document why URLs shouldn't be rewritten

  4. Click Save

Common ignore-list candidates:

  • Internal application URLs
  • SSO/authentication redirects
  • URLs that break when rewritten

Step 7: Configure User Click Tracking

Monitor which users click potentially malicious links.

Enable Click Tracking

  1. In Click-Time Protection configuration, scroll to User Tracking
  2. Enable Track user clicks on rewritten URLs
  3. Configure tracking scope:
    • All clicks: Track every URL click
    • Suspicious clicks: Track only flagged URLs
    • Malicious clicks: Track only blocked URLs

View Click Analytics

  1. Navigate to Reports > Click Analytics
  2. View metrics:
    • Total clicks on rewritten URLs
    • Clicks by threat verdict (safe, suspicious, malicious)
    • Users with most malicious clicks
    • Click patterns over time

Identify High-Risk Users

Use click tracking to identify users who need security training:

  1. Go to Reports > User Risk
  2. Sort by Malicious Link Clicks
  3. Export list for security awareness training

Click-Time Protection uses browser cookies to track users:

  1. When user clicks a rewritten URL, a cookie is placed
  2. Subsequent clicks within 30 days are linked to that user
  3. All future clicks within 365 days are attributed to the user
  4. Provides accurate tracking even for shared or forwarded emails

Step 8: Configure Protection for Collaboration Tools

Extend URL protection beyond email.

Microsoft Teams

  1. Go to Policy > Add a New Policy Rule
  2. Select Microsoft Teams under Choose SaaS
  3. Select Click-Time Protection under Choose Security
  4. Configure URL replacement for:
    • Chat messages
    • Channel posts
    • Meeting invites
  5. Click Save

SharePoint and OneDrive

  1. Create policy rule for OneDrive or SharePoint
  2. Enable Click-Time Protection
  3. URLs in shared documents are rewritten
  4. Protection applies when documents are opened or downloaded

Google Drive and Chat

  1. Create policy rules for Google Workspace apps
  2. Enable URL protection for:
    • Google Chat messages
    • Google Docs links
    • Calendar event URLs

Step 9: Test Click-Time Protection

Verify URL protection is working correctly.

Send Test Emails

  1. Send an email containing various URL types:

    • External website link
    • Internal application link
    • Known safe URL
    • Suspicious/test URL

  2. Verify URLs are rewritten in received email

  3. Click rewritten URLs and verify protection:

    • Safe URLs: Transparent redirect to destination
    • Suspicious URLs: May see brief analysis page
    • Malicious URLs: Block page displayed

Verify Click Logging

  1. Go to Events > Click-Time Protection
  2. Filter for recent activity
  3. Verify test clicks appear in event log
  4. Review event details:
    • Original URL
    • User who clicked
    • Verdict (safe, suspicious, malicious)
    • Action taken

Troubleshooting Common Issues

URLs Not Being Rewritten

Symptoms: URLs appear in original form in delivered emails.

Solutions:

  1. Verify Click-Time Protection policy is enabled
  2. Check policy scope includes the affected users
  3. Confirm URL location (body, attachment) is enabled
  4. Verify URL isn't on the Ignore-List
  5. Check if email is from an internal sender (may be excluded)

Legitimate URLs Being Blocked

Symptoms: Safe URLs are incorrectly blocked.

Solutions:

  1. Check if URL is flagged in ThreatCloud (false positive)
  2. Add URL to Allow-List for immediate resolution
  3. Report false positive to Check Point for database correction
  4. Review emulation results for the URL

Slow URL Access

Symptoms: Clicking rewritten URLs takes a long time.

Solutions:

  1. Check if URL emulation is enabled for all URLs
  2. Consider emulating only suspicious URLs
  3. Reduce emulation timeout setting
  4. Verify network connectivity to Check Point cloud

Rewritten URLs Breaking Applications

Symptoms: Certain applications don't work with rewritten URLs.

Solutions:

  1. Identify the problematic URL pattern
  2. Add to Ignore-List to exclude from rewriting
  3. Test application functionality after exclusion
  4. Document exclusion with security justification

Best Practices

  1. Enable for all users: Apply URL protection organization-wide
  2. Protect all locations: Include email body, attachments, and calendar
  3. Use URL hiding: Prevent users from extracting original URLs
  4. Monitor click analytics: Identify users needing security training
  5. Document exceptions: Track all allow-list and ignore-list entries
  6. Review monthly: Audit exceptions and click patterns
  7. Test regularly: Verify protection is working as expected

Next Steps

After configuring Click-Time Protection:

  1. Configure threat emulation: Enable attachment sandboxing
  2. Set up anti-phishing: Configure phishing detection policies
  3. Enable DLP: Protect sensitive data in URLs
  4. Review security reports: Monitor URL threat trends

Additional Resources

Need help configuring URL protection? Inventive HQ provides expert email security implementation services. Contact us for a security assessment.

Frequently Asked Questions

Find answers to common questions

When a user clicks a Check Point rewritten URL, they're redirected through Check Point's cloud service which performs real-time reputation checks, URL emulation, and threat analysis. If the URL is safe, the user is transparently redirected to the original destination. If malicious, a block page is displayed explaining the threat.

Need Professional IT & Security Help?

Our team of experts is ready to help protect and optimize your technology infrastructure.

Learn About Risk AssessmentExplore vCISO Services

Related Articles

How to Configure Firewall Rules in Check Point SmartConsole

Learn how to create and manage firewall rules in Check Point SmartConsole. Step-by-step guide covering access control policies, services, and best practices.

Read More →

How to Configure Anti-Phishing Policies in Harmony Email

Step-by-step guide to configure anti-phishing protection, confidence thresholds, and exception lists in Check Point Harmony Email.

Read More →

How to Configure DLP in Harmony Email & Collaboration

Learn to configure Data Loss Prevention (DLP) policies in Check Point Harmony Email to protect sensitive data in emails and attachments.

Read More →
Back to Check Point