
How to Configure Harmony Endpoint Security Policies

Configure Check Point Harmony Endpoint security policies including threat prevention, access control, and compliance rules in the Infinity Portal.

15 min read · Updated January 2025


Check Point Harmony Endpoint uses a unified policy model that consolidates threat prevention, access control, and compliance settings into a single management interface. This guide walks you through configuring security policies in the Infinity Portal to protect your organization's endpoints.

Prerequisites

Before configuring policies, ensure you have:

  • Infinity Portal access with Policy Administrator permissions
  • Harmony Endpoint license with EPMaaS (Endpoint Management as a Service)
  • Deployed endpoints appearing in Asset Management
  • Virtual groups created for policy assignment (recommended)

Understanding the Unified Policy Model

Harmony Endpoint's unified policy consists of several components:

| Policy Type       | Purpose                                       | Key Settings                                              |
|-------------------|-----------------------------------------------|-----------------------------------------------------------|
| Threat Prevention | Protect against malware, ransomware, exploits | Anti-Malware, Anti-Bot, Anti-Ransomware, Threat Emulation |
| Access Policy     | Control network and application access        | Firewall, Application Control, URL Filtering              |
| Compliance        | Enforce security standards                    | OS updates, encryption, software requirements             |
| Data Protection   | Prevent data loss                             | Full Disk Encryption, Media Encryption                    |

Policies are organized as rules within rule sets. Each rule can target specific virtual groups and carry its own settings, so different groups of endpoints can receive different protection.

Configuring Threat Prevention Policy

The Threat Prevention policy is the core of Harmony Endpoint protection, defending against malware, ransomware, and advanced threats.

Step 1: Access Threat Prevention Settings

  1. Log in to the Infinity Portal at https://portal.checkpoint.com
  2. Navigate to Harmony Endpoint from the left menu
  3. Go to Policy > Threat Prevention
  4. Click Policy Capabilities to view and configure protection modules

Step 2: Choose a Policy Mode

Check Point offers predefined policy modes for quick configuration:

| Mode        | Description                                     | Use Case                    |
|-------------|-------------------------------------------------|-----------------------------|
| Detect Only | Logs threats without blocking                   | Initial deployment, testing |
| Tuning      | Balanced detection with minimal blocking        | Pilot phase                 |
| Optimized   | Full prevention with Check Point best practices | Production deployment       |
| Custom      | Manual configuration of each capability         | Advanced tuning             |

To select a mode:

  1. In Policy Capabilities, click the mode dropdown at the top
  2. Select your desired mode
  3. Review the automatic settings applied to each capability
  4. Click Save and then Install Policy

Step 3: Configure Individual Capabilities

For custom configuration, adjust each capability individually:

Anti-Malware

  1. Click Anti-Malware in the capabilities list
  2. Configure settings:
    • Operation Mode: Detect, Prevent, or Off
    • Real-time Protection: Enable for continuous file scanning
    • Scheduled Scan: Configure daily or weekly scans
    • Archive Scanning: Scan inside compressed files
    • Scan on Access: Scan files when opened
  3. Click Save

Anti-Bot

  1. Click Anti-Bot in the capabilities list
  2. Configure settings:
    • Operation Mode: Detect or Prevent
    • Bot Categories: Select which bot types to block
    • DNS Tunneling Protection: Enable to detect command-and-control (C&C) traffic hidden in DNS queries
  3. Click Save

Anti-Ransomware

  1. Click Anti-Ransomware in the capabilities list
  2. Configure settings:
    • Operation Mode: Detect or Prevent
    • Behavioral Analysis: Monitor for ransomware behavior
    • Automatic Backup: Enable shadow copy protection
    • File Type Protection: Select protected file extensions
  3. Click Save

Threat Emulation

  1. Click Threat Emulation in the capabilities list
  2. Configure settings:
    • Operation Mode: Detect, Prevent, or Off
    • Emulation Location: Local or Cloud
    • File Types: Select file types to emulate (Office, PDF, etc.)
    • Archive Depth: How deep to scan nested archives
  3. Click Save

Zero-Phishing

  1. Click Zero-Phishing in the capabilities list
  2. Configure settings:
    • Operation Mode: Detect or Prevent
    • Corporate Password Protection: Block password reuse on external sites
    • URL Reputation: Block access to known phishing sites
  3. Click Save

Step 4: Install the Policy

After configuring capabilities:

  1. Click Save to preserve changes
  2. Click Install Policy at the top of the page
  3. Confirm the installation
  4. Monitor deployment status in the policy installation log

Configuring Access Policy

The Access Policy controls network traffic, applications, and web access on endpoints.

Firewall Rules

  1. Go to Policy > Access Policy > Firewall
  2. Click Add Rule to create a new firewall rule
  3. Configure rule settings:
    • Name: Descriptive rule name
    • Source: Virtual groups or specific endpoints
    • Destination: IP addresses, networks, or any
    • Service: Ports and protocols
    • Action: Accept, Drop, or Ask
    • Track: Log, Alert, or None
  4. Drag rules to set the evaluation order (rules are evaluated top to bottom and the first match applies)
  5. Click Save and Install Policy

Example firewall rules:

| Rule Name     | Source | Destination | Service     | Action |
|---------------|--------|-------------|-------------|--------|
| Allow DNS     | Any    | DNS Servers | UDP/53      | Accept |
| Allow Web     | Any    | Any         | HTTP, HTTPS | Accept |
| Block Telnet  | Any    | Any         | TCP/23      | Drop   |
| Default Allow | Any    | Any         | Any         | Accept |
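As an added illustration (not Check Point code), the Python below models the top-to-bottom, first-match evaluation described above for the four example rules, and shows why Block Telnet must sit above Default Allow: with the default rule moved to the top, Telnet is silently accepted. The DNS Servers object is assumed to be the constructed network 10.0.0.0/29, and HTTP/HTTPS are assumed to mean TCP/80 and TCP/443.

```python
# Added example, not Check Point code: first-match evaluation of the
# example firewall rules. Every example rule has Source = Any, so only
# destination and service are matched here.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the "DNS Servers" object is assumed to be this network.
DNS_SERVERS = ip_network("10.0.0.0/29")


@dataclass(frozen=True)
class Rule:
    name: str
    destination: str   # "Any" or a CIDR network
    services: tuple    # ("Any",) or (protocol, port) tuples
    action: str        # "Accept" or "Drop"


def _dest_matches(rule, dst):
    return rule.destination == "Any" or ip_address(dst) in ip_network(rule.destination)


def _service_matches(rule, proto, port):
    return rule.services == ("Any",) or (proto, port) in rule.services


def evaluate(rules, dst, proto, port):
    """Return (rule name, action) of the first rule that matches, top to bottom."""
    for rule in rules:
        if _dest_matches(rule, dst) and _service_matches(rule, proto, port):
            return rule.name, rule.action
    return None, "Drop"   # assumption: traffic matching no rule is dropped


# The four rules from the table above, in the order shown.
# Assumption: HTTP -> TCP/80 and HTTPS -> TCP/443.
EXAMPLE_RULES = [
    Rule("Allow DNS", str(DNS_SERVERS), (("UDP", 53),), "Accept"),
    Rule("Allow Web", "Any", (("TCP", 80), ("TCP", 443)), "Accept"),
    Rule("Block Telnet", "Any", (("TCP", 23),), "Drop"),
    Rule("Default Allow", "Any", ("Any",), "Accept"),
]

if __name__ == "__main__":
    print(evaluate(EXAMPLE_RULES, "10.0.0.2", "UDP", 53))     # Allow DNS
    print(evaluate(EXAMPLE_RULES, "203.0.113.5", "TCP", 23))  # Block Telnet
    # Same rules with Default Allow dragged to the top: first match wins,
    # so the Telnet block never gets a chance to fire.
    misordered = [EXAMPLE_RULES[3]] + EXAMPLE_RULES[:3]
    print(evaluate(misordered, "203.0.113.5", "TCP", 23))     # Default Allow
```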

Application Control

  1. Go to Policy > Access Policy > Application Control
  2. Click Add Rule
  3. Configure application control:
    • Applications: Select from Check Point's application database
    • Categories: Block entire application categories
    • Action: Allow, Block, or Limit bandwidth
    • Logging: Enable for visibility
  4. Click Save and Install Policy

Common application control scenarios:

| Scenario            | Configuration                                   |
|---------------------|-------------------------------------------------|
| Block P2P           | Block category "P2P File Sharing"               |
| Limit Streaming     | Set bandwidth limit for "Streaming Media"       |
| Block Gaming        | Block category "Games"                          |
| Allow Business Apps | Explicitly allow specific business applications |

URL Filtering

  1. Go to Policy > Access Policy > URL Filtering
  2. Configure URL categories:
    • Blocked Categories: Malware, Phishing, Adult Content, Gambling
    • Allowed Categories: Business, Technology, News
    • Custom URLs: Add specific URLs to block or allow lists
  3. Configure user notifications for blocked sites
  4. Click Save and Install Policy

Configuring Compliance Policy

The Compliance policy ensures endpoints meet your security standards.

Step 1: Access Compliance Settings

  1. Go to Policy > Access & Compliance > Compliance
  2. Click Add Rule to create a compliance rule

Step 2: Define Compliance Checks

Configure checks for:

Operating System:

  • Minimum OS version
  • Required patches/updates
  • Service pack level

Security Software:

  • Antivirus signature age
  • Required security applications
  • Endpoint encryption status

System Configuration:

  • Firewall enabled
  • Screen lock timeout
  • Password requirements

Step 3: Configure Non-Compliance Actions

Define what happens when endpoints fail compliance:

  1. Warn: Display a notification to the user
  2. Restrict: Limit network access to remediation resources
  3. Quarantine: Block all network access except for compliance portal

Step 4: Set Remediation Guidance

Configure user-facing messages that explain:

  • What compliance requirement failed
  • Steps to remediate the issue
  • Contact information for IT support

Creating Policy Rules for Different Groups

Step 1: Create Virtual Groups

  1. Go to Asset Management > Virtual Groups
  2. Click Add Virtual Group
  3. Define group criteria:
    • Computer name patterns
    • IP address ranges
    • Operating system type
    • Active Directory OU
  4. Name the group descriptively (e.g., "Finance Workstations", "Development Servers")
  5. Click Save

Step 2: Create Group-Specific Rules

  1. Go to Policy > Threat Prevention > Policy Capabilities
  2. Click Add Rule
  3. Configure the rule:
    • Name: Descriptive name (e.g., "Server Protection Policy")
    • Scope: Select target virtual groups
    • Capabilities: Configure settings for this rule
  4. Position the rule in the rule order
  5. Click Save and Install Policy

Best Practices for Rule Organization

| Rule Type        | Position | Scope                        |
|------------------|----------|------------------------------|
| Exception rules  | Top      | Specific endpoints or groups |
| Server rules     | Upper    | Server virtual groups        |
| Department rules | Middle   | Department-specific groups   |
| Default rule     | Bottom   | All endpoints                |

Server Optimization Settings

For Windows Server endpoints, enable server-specific optimizations:

Step 1: Enable Server Optimization

  1. In the policy rule, click Advanced Settings
  2. Enable Endpoint for Server Optimization
  3. Select the servers or server groups

Step 2: Configure Server Roles

Check Point automatically applies optimizations based on detected server roles:

  • SQL Server: Excludes database files and processes
  • Exchange Server: Excludes mail stores and transport services
  • File Server: Optimizes file scanning settings
  • Domain Controller: Excludes AD-related processes

Step 3: Review Applied Exclusions

  1. Go to Policy > Threat Prevention > Exclusions Center
  2. View Server Role Exclusions
  3. Review Microsoft and Check Point recommended exclusions
  4. Add custom exclusions if needed

Policy Testing and Validation

Test Policy Changes Before Production

  1. Create a Test Virtual Group with pilot endpoints
  2. Create test policy rules targeting only this group
  3. Set capabilities to Detect mode initially
  4. Monitor events in Logs & Events
  5. Review detected items for false positives
  6. Add exclusions as needed
  7. Switch to Prevent mode when confident
  8. Expand to production groups

Monitor Policy Effectiveness

  1. Go to Dashboards > Security Overview
  2. Review key metrics:
    • Threats prevented
    • Policy compliance rate
    • Detection trends
  3. Go to Logs & Events for detailed event analysis
  4. Create custom reports for stakeholders

Troubleshooting Policy Issues

Policy Not Installing

Symptoms: Install Policy shows errors or hangs.

Solutions:

  1. Check for syntax errors in custom rules
  2. Verify no conflicting rules exist
  3. Review policy installation log for specific errors
  4. Ensure you have Policy Administrator permissions

Endpoints Not Receiving Policy

Symptoms: Endpoints show outdated policy version.

Solutions:

  1. Verify endpoint is connected (green status in Asset Management)
  2. Force policy download from endpoint system tray
  3. Check network connectivity to Infinity Portal
  4. Review endpoint logs for policy download errors

False Positives

Symptoms: Legitimate applications being blocked.

Solutions:

  1. Review blocked events in Logs & Events
  2. Identify the blocking capability
  3. Create targeted exclusions (see exclusions guide)
  4. Consider using Detect mode while tuning
  5. Report persistent false positives to Check Point

Performance Impact

Symptoms: Endpoints running slowly after policy deployment.

Solutions:

  1. Enable Server Optimization for servers
  2. Review real-time scanning settings
  3. Add exclusions for high-I/O applications
  4. Adjust Threat Emulation to cloud-only mode
  5. Review scheduled scan timing

Best Practices Summary

  1. Start with Detect mode during initial deployment
  2. Use virtual groups for granular policy assignment
  3. Create exceptions before general rules
  4. Enable server optimization for server endpoints
  5. Monitor events regularly for false positives
  6. Document changes in rule descriptions
  7. Test in pilot groups before production deployment
  8. Review policies quarterly for effectiveness

Next Steps

After configuring policies:

  1. Set up exclusions - Configure antivirus exclusions for business applications
  2. Enable threat hunting - Activate EDR capabilities
  3. Configure alerts - Set up notifications for critical events
  4. Create reports - Build custom dashboards for security visibility
  5. Train users - Communicate security policies to end users


Frequently Asked Questions

What is the difference between Detect mode and Prevent mode?

Detect mode identifies threats and logs them without blocking, allowing you to monitor what would be blocked before enforcing prevention. Prevent mode actively blocks detected threats. Check Point recommends starting with Detect mode during initial deployment, then switching to Prevent mode after tuning exclusions to avoid disrupting legitimate applications.
