SASE / security vendor
Check Point
Check Point sources evidence SASE platform with Zero Trust Access, CASB and optimized SD-WAN performance/steering.
Netify profile
Check Point in depth
Platform and architecture
Check Point's SASE is Harmony SASE, built on the Perimeter 81 acquisition: cloud-delivered access from a global PoP network with lightweight agents, plus Quantum gateway integration for sites. SD-WAN capability is delivered through Quantum SD-WAN on Check Point gateways, steering applications across links with security inline. Management converges under the Infinity portal with ThreatCloud AI intelligence shared across the estate.
Security and SASE capability
Security pedigree is the draw: ZTNA, SWG, full-mesh private access, malware prevention and DLP backed by one of the longest-standing threat research operations. Harmony SASE emphasises fast deployment and identity-led access; Quantum provides mature NGFW, IPS and sandboxing on premises. Infinity AI Copilot assists operations. SD-WAN routing depth is younger than network-heritage rivals, so test complex WAN topologies.
Service, support and channel
Strong global channel including UK distribution and security-led MSPs; managed Harmony SASE offers exist through partners. Support runs 24x7 with professional services and incident response available. Co-managed security with customer-held policy is a common pattern for Check Point estates.
Commercials and the Netify verdict
Per-user SASE licensing plus gateway subscriptions, quote based, generally positioned below the premium security rivals. The Netify verdict: shortlist Check Point when an existing Quantum estate makes Infinity consolidation natural, when security operations want one threat intelligence spine across site and cloud, or when fast ZTNA rollout matters more than deep WAN routing capability.
Questions
Check Point: common buyer questions
Is Harmony SASE the old Perimeter 81?
Yes. Check Point acquired Perimeter 81 and rebuilt it as Harmony SASE, adding ThreatCloud AI intelligence, deeper malware prevention and Infinity portal integration. The fast, agent-led deployment model remains a hallmark.
Can Check Point handle the SD-WAN side alone?
Quantum SD-WAN steers applications across links on Check Point gateways and suits security-led branches. For complex routing, multi-region overlays or heavy MPLS coexistence, network-heritage SD-WAN vendors remain stronger; dual-vendor designs are reasonable.
Who should pick Check Point for SASE?
Organisations standardised on Check Point Quantum or Harmony products, security teams valuing a single threat intelligence and management spine, and buyers needing rapid ZTNA rollout across hybrid workforces with moderate WAN complexity.
Key differentiators
- Harmony SASE combines Check Point security heritage with cloud-delivered SASE and optimised SD-WAN performance.
- Strong story for organisations already running Check Point firewalls who want to extend into SASE.
- Available via Microsoft Azure marketplace for buyers wanting consolidated cloud procurement.
Best fit for
- Existing Check Point customers extending firewall investment into SD-WAN and SASE.
- Mid-market enterprises consolidating security and SD-WAN under one vendor.
- Buyers prioritising security maturity over network-platform maturity.
Watch-outs
- Native SD-WAN capabilities (path selection, QoS, packet loss remediation) have limited public evidence relative to SD-WAN-led vendors.
- Smaller SD-WAN deployment footprint than category leaders; validate scale references.
- Managed delivery is partner-led.
40 features, 6 categories
Capability matrix
Each capability is graded against public source evidence. Hover any status grade for a definition. Where evidence is limited, the grade reflects that uncertainty rather than assuming the capability is present.
Service delivery and operating model
| # | Capability | Status | Definition |
|---|---|---|---|
| F01 | Fully managed service | Partner / integrated | Provider designs, deploys, monitors, changes, supports and reports on the service. |
| F02 | DIY / self-managed model | Yes | Customer operates SD-WAN controller, policies, updates and incident response. |
| F03 | Co-managed service | Partner / integrated | Provider runs platform/support while customer retains selected policy or change rights. |
| F04 | Multi-tenant MSP / white-label support | Partner / integrated | Tenant isolation, delegated administration, branded portals, templates and service-provider scale. |
| F05 | Professional services and migration support | Partner / integrated | Discovery, design, pilot, staging, migration runbooks, rollback and training. |
| F06 | Last-mile circuit management | Partner / integrated | Sourcing, monitoring and support for broadband, DIA, LTE/5G, MPLS and cross-connects. |
| F07 | Lifecycle management | Partner / integrated | Hardware replacement, firmware upgrades, patching, renewals and EoL planning. |
| F08 | Flexible commercial model | Yes | Per-site, per-bandwidth, per-user, per-device, consumption, NaaS or bundled pricing. |
Network architecture and transport
| # | Capability | Status | Definition |
|---|---|---|---|
| F09 | Encrypted overlay fabric | Partial | Secure tunnels across broadband, DIA, MPLS, LTE/5G, satellite or private WAN. |
| F10 | Dynamic path selection | Partial | Real-time routing based on latency, jitter, packet loss, brownouts, MOS and policy. |
| F11 | Active-active link utilisation | Partial | Use multiple links concurrently rather than passive backup only. |
| F12 | Application-aware routing | Partial | Identification and routing for SaaS, UCaaS, ERP and custom applications. |
| F13 | QoS and traffic shaping | Partial | Per-application and per-class prioritisation, reservation and policing. |
| F14 | Packet loss remediation | Partial | FEC, packet duplication, jitter buffering, TCP optimisation and WAN optimisation. |
| F15 | Local internet breakout | Partial | Secure direct internet access from branch sites. |
| F16 | MPLS coexistence and migration | Partial | Hybrid MPLS/internet/cellular during transition. |
| F17 | Cellular and 5G support | Unknown | Integrated/external modem, SIM management, signal monitoring and failover. |
| F18 | Cloud on-ramp | Yes | Automated/simplified connectivity to AWS, Azure, Google Cloud, Oracle, Equinix, Megaport and SaaS. |
Gateway, PoP and backbone design
| # | Capability | Status | Definition |
|---|---|---|---|
| F19 | Public cloud gateways | Yes | Vendor-operated gateways/PoPs for SaaS optimisation, remote access or security enforcement. |
| F20 | Private PoPs / dedicated PoPs | Unknown | Customer-hosted, dedicated or sovereign PoP options. |
| F21 | Private global backbone | Partial | Vendor-owned or controlled backbone between PoPs. |
| F22 | Regional breakout and data residency | Yes | Pin traffic to countries, regions or approved inspection locations. |
| F23 | Multi-cloud transit fabric | Yes | Branch-to-cloud, cloud-to-cloud and user-to-cloud connectivity under common policy. |
| F24 | Flexible edge form factors | Partial | Physical, virtual, cloud marketplace, container or uCPE. |
| F25 | High availability design | Partial | Dual appliances, dual circuits, dual power, HA clustering and gateway redundancy. |
| F26 | SLA-backed service fabric | Partner / integrated | SLA for uptime, response, change handling and possibly latency/jitter/loss. |
Security and SASE capability
| # | Capability | Status | Definition |
|---|---|---|---|
| F27 | Integrated next-generation firewall | Yes | Stateful firewall, app control, IPS/IDS, malware inspection and URL filtering. |
| F28 | Full SASE platform | Yes | SD-WAN plus SWG, CASB, ZTNA, FWaaS, DLP, RBI, DNS security and threat prevention. |
| F29 | SSE ecosystem integration | Yes | Interoperation with Zscaler, Netskope, Palo Alto Prisma Access, Cisco Secure Access, Cloudflare etc. |
| F30 | Zero Trust Network Access | Yes | Identity and posture-based access to private applications. |
| F31 | Secure web gateway | Yes | URL filtering, SSL inspection, malware scanning and acceptable-use controls. |
| F32 | CASB capability | Yes | SaaS discovery, sanctioned/unsanctioned app control and SaaS policy enforcement. |
| F33 | Data loss prevention | Partial | Data classification, inspection, blocking, alerting and exception workflow. |
| F34 | Remote user access | Yes | Client or clientless access for remote workers, contractors and mobile users. |
| F35 | SOC/SIEM/SOAR integration | Yes | Syslog, APIs, event export, threat intelligence and workflow integration. |
Operations, assurance and automation
| # | Capability | Status | Definition |
|---|---|---|---|
| F36 | Centralised orchestration | Yes | Templates, intent-based policy, zero-touch provisioning and configuration compliance. |
| F37 | Customer portal and RBAC | Yes | Real-time status, role-based access, reporting, tickets and change requests. |
| F38 | Observability and digital experience monitoring | Partial | App experience, user experience, device health, SaaS telemetry and path analytics. |
| F39 | APIs and automation | Yes | REST APIs, Terraform, webhooks, event streaming and ITSM integration. |
| F40 | Managed service assurance | Partner / integrated | 24/7 NOC/SOC, proactive monitoring, incident ownership, RCA, service reviews and change governance. |
Commercial
Cost model and pricing visibility
Public pricing visibility
Quote-based. No complete public enterprise price was found in reviewed sources.
Cost model
Quote-based subscription; Microsoft marketplace listing exists but enterprise deployments normally require quote.
Evidence
Primary sources
Every capability grade traces back to one of these sources. Reviewed 2026-05-22.
Verification notes
Capability matrix sourced from Netify internal vendor research (May 2026). Status grades reflect public source evidence only. Confirm via RFP. Qualitative fields (differentiators, best fit, watch-outs) are Netify editorial synthesis based on the evidence summary and capability profile; review before publishing. Extended dimensions (regions, clouds, AI, resilience, deployment speed, sectors, organisation fit, identity, platforms, support, logging) are indicative desk research grades from June 2026; confirm via RFP.