How to Manage Email Quarantine in Harmony Email & Collaboration

Check Point Harmony Email & Collaboration quarantines suspicious emails based on your security policies, protecting users from phishing, malware, and spam. This guide covers managing the quarantine system, configuring end-user notifications, and handling restore requests efficiently.

Prerequisites

Before managing quarantine settings, ensure you have:

• Harmony Email & Collaboration connected to Microsoft 365 or Google Workspace
• Administrator access to the Check Point Infinity Portal
• Protection policies configured for email scanning
• Learning mode completed (initial 48-hour calibration period)

Understanding the Quarantine System

Harmony Email quarantines emails based on several security engines:

Security Engine	Quarantine Reason	Default Action
Anti-Phishing	Detected phishing attempt	Quarantine
Anti-Malware	Malicious attachment detected	Quarantine
Anti-Spam	Spam or bulk email	Move to Junk (configurable)
DLP	Sensitive data violation	Quarantine (outbound)
Click-Time Protection	Malicious URL detected	Block access

Step 1: Access the Quarantine Dashboard

1. Sign in to https://portal.checkpoint.com
2. Navigate to Harmony > Email & Collaboration
3. In the left menu, click Quarantine
4. The dashboard displays all quarantined items across your organization

Quarantine Dashboard Overview

The quarantine interface shows:

• Total quarantined items in the selected time period
• Breakdown by threat type (phishing, malware, spam, DLP)
• Pending restore requests requiring administrator action
• Recently restored items for audit purposes

Step 2: View and Search Quarantined Emails

Filter Quarantined Items

1. In the Quarantine section, use the filter options:

   • Time Range: Select last 24 hours, 7 days, 30 days, or custom range
   • Threat Type: Filter by phishing, malware, spam, or DLP
   • Status: Show all, pending review, or restored
   • User: Search for specific recipient mailboxes

2. Click Apply Filters to update the view

Search for Specific Emails

1. Use the Search bar to find emails by:

   • Sender email address
   • Subject line keywords
   • Recipient address
   • Message ID

2. Click on any quarantined item to view details:

   • Original sender and recipients
   • Subject and timestamp
   • Threat classification and confidence level
   • Detection engine that flagged the email

Step 3: Configure Unified Quarantine (Microsoft 365)

Unified Quarantine consolidates emails quarantined by both Microsoft and Check Point into a single view.

Enable Unified Quarantine

1. Go to Security Settings > SaaS Applications
2. Click Configure next to Office 365 Mail
3. Scroll to Unified Quarantine section
4. Enable Show Microsoft quarantined emails in Check Point portal
5. Click Save

Benefits of Unified Quarantine

Feature	Without Unified Quarantine	With Unified Quarantine
Admin view	Separate Microsoft and Check Point portals	Single Check Point portal
End-user digest	Separate reports	Combined daily report
Restore workflow	Different processes	Unified restore process
Visibility	Fragmented	Complete quarantine visibility

Step 4: Configure Daily Quarantine Digest

The daily digest email notifies users about their quarantined messages.

Enable the Digest Report

1. Navigate to Security Settings > User Interaction
2. Click Quarantine Digest
3. Enable Send daily quarantine report to users
4. Configure the digest settings:

Digest Configuration Options

Setting	Description	Recommendation
Send Time	When to deliver the daily digest	Start of business hours
Include Spam	Include spam emails in digest	Enable for visibility
Include Phishing	Include phishing emails in digest	Enable with caution
Include Microsoft Items	Include Microsoft-quarantined emails	Enable for Unified Quarantine
Preview Links	Allow users to preview emails	Enable for informed decisions

Customize Digest Appearance

1. Scroll to Digest Branding section
2. Upload your company logo (recommended size: 200x50 pixels)
3. Customize the email header text
4. Set the support contact email for user questions
5. Click Save

Enable Email Preview (2025 Feature)

Allow users to safely preview quarantined emails before requesting restore:

1. In the Quarantine Digest settings, locate Preview Options
2. Enable Include a Preview link checkbox
3. Users can now click preview links in their digest to view email content
4. Preview opens in a secure portal without releasing the email

Tip: Email preview reduces false restore requests by letting users see message content before deciding to request release.

Step 5: Configure Restore Request Workflow

Set up how end-user restore requests are handled.

Configure Restore Policies

1. Go to Security Settings > User Interaction
2. Click Restore Workflow
3. Configure settings for each threat type:

Spam Emails

1. Select Spam category
2. Choose restore behavior:
   • Auto-restore: Users can restore without approval
   • Require approval: Admin must approve each request
3. Click Save

Phishing Emails

1. Select Phishing category
2. Recommended setting: Require administrator approval
3. Enable Notify admin on restore request
4. Click Save

Malware Emails

1. Select Malware category
2. Recommended setting: Require administrator approval
3. Consider enabling Block restore for confirmed malware
4. Click Save

Process Restore Requests

When users submit restore requests:

1. Go to Quarantine > Restore Requests

2. Review pending requests showing:

   • Requesting user
   • Original sender and subject
   • Threat type and confidence level
   • Request timestamp

3. For each request, choose an action:

   • Approve: Release email to user's inbox
   • Deny: Reject request (optionally notify user)
   • Approve and Allow-List: Release and prevent future blocking of this sender

4. Click Apply to process the selected requests

Bulk Processing

For multiple similar requests:

1. Select multiple items using checkboxes
2. Click Bulk Actions
3. Choose Approve Selected or Deny Selected
4. Confirm the action

Step 6: Manage Quarantine Retention

Configure how long quarantined emails are retained.

Set Retention Period

1. Go to Security Settings > Data Retention
2. Locate Quarantine Retention settings
3. Configure retention period:
   • Minimum: 7 days
   • Default: 30 days
   • Maximum: 90 days (license dependent)
4. Click Save

Automatic Deletion

Emails exceeding the retention period are automatically deleted. Consider:

• Longer retention for compliance requirements
• Shorter retention to reduce storage usage
• Retention needs for legal hold situations

Step 7: Configure Administrator Alerts

Set up notifications for quarantine events.

Enable Admin Alerts

1. Go to Security Settings > Alerts
2. Configure notification triggers:
   • High-volume quarantine: Alert when quarantine rate spikes
   • Restore requests: Alert for pending approvals
   • Malware detection: Immediate notification for malware
3. Enter administrator email addresses
4. Click Save

Alert Frequency Options

Alert Type	Frequency Options
Malware detected	Immediate, Hourly digest
Phishing detected	Immediate, Daily digest
Restore request	Immediate, Daily summary
Quarantine threshold	When threshold exceeded

Step 8: Review Quarantine Analytics

Monitor quarantine trends and patterns.

Access Quarantine Reports

1. Navigate to Reports > Quarantine Analytics
2. View available metrics:
   • Quarantine volume over time
   • Breakdown by threat type
   • Top targeted users
   • Restore request trends

Export Quarantine Data

1. In the Quarantine section, click Export
2. Select format: CSV or PDF
3. Choose time range and filters
4. Click Download

Use exported data for:

• Compliance audits
• Security incident reports
• Trend analysis
• User training prioritization

Troubleshooting Common Issues

Users Not Receiving Digest Emails

Symptoms: End users report not receiving daily quarantine reports.

Solutions:

1. Verify digest is enabled in Security Settings
2. Check user's email address matches their UPN (User Principal Name)
3. Confirm digest emails aren't being filtered by other security tools
4. Check if user has any quarantined items in the reporting period

Restore Requests Not Processing

Symptoms: Approved restore requests remain pending.

Solutions:

1. Verify mail flow rules are correctly configured
2. Check the connection status to Microsoft 365 or Google Workspace
3. Confirm the original email hasn't exceeded retention period
4. Re-authorize the platform connection if needed

Unified Quarantine Not Showing Microsoft Items

Symptoms: Microsoft-quarantined emails don't appear in Check Point portal.

Solutions:

1. Verify Unified Quarantine is enabled in SaaS application settings
2. Check Microsoft 365 permissions include quarantine access
3. Re-authorize the Microsoft 365 connection
4. Contact Check Point support if issue persists

Best Practices

1. Enable email preview: Allow users to view quarantined content before requesting restore to reduce unnecessary requests
2. Require approval for phishing: Always require admin approval for phishing email restores
3. Use auto-restore for spam: Allow users to self-restore spam to reduce admin workload
4. Monitor trends: Review quarantine analytics weekly to identify targeted users
5. Train users: Use quarantine reports to identify users who need security awareness training
6. Document exceptions: Track any allow-list additions and review periodically

Next Steps

After configuring quarantine management:

1. Configure anti-phishing policies: Fine-tune phishing detection settings
2. Set up URL protection: Enable click-time protection for malicious links
3. Enable threat emulation: Configure attachment sandboxing
4. Review security reports: Monitor overall email security posture

Additional Resources

• Managing Quarantine Documentation
• End-User Daily Quarantine Report
• Unified Quarantine Blog Post

---

Need help managing your email quarantine? Inventive HQ provides expert configuration services for Check Point Harmony Email & Collaboration. Contact us for a security assessment.