April

  • Published on May 4, 2026
  • 2 minute(s) read
  • R
 Prev Next

Early Availability

Split Tunnel Subnet Exceptions by IP/CIDR
Administrators can now define exceptions for included subnets using specific IP addresses or CIDR ranges when Split Tunnelling is configured in Include mode. This enhancement provides more granular routing control by explicitly excluding selected traffic from the tunnel.
Minimum Agent Version: 12.7

New Features

  • SASE Connector – High Availability (HA)
    The SASE WireGuard Connector now supports high availability (HA). During installation, administrators can deploy the connector in one of the following modes:

    • Standalone mode

    • HA mode, using two machines configured as active and standby

    HA mode is supported for all existing standard networks, including existing tunnels.

    Note - Requires a network version deployed on or after 1 March 2026.

    For more information, see WireGuard Connector Tunnel.

  • Web RDP with Network Level Authentication – General Availability (GA)
    Web RDP with Network Level Authentication (NLA) is now generally available to all tenants. Administrators can provide browser-based RDP access to resources that require NLA.

    Note - Requires a network version deployed on or after 1 March 2026, or networks upgraded after that date.

  • Windows ARM SASE Agent Support
    The Check Point SASE agent for Windows ARM devices is now available on the Downloads page for tenants running agent version 12.7 or later.

    Notes -

    • Currently supports Private Access (ZTNA) only.

    • Internet Access (SWG) support is planned for a future release.

    For more information, see Downloads.

  • Updatable Objects for Split Tunnelling – General Availability (GA)
    Updatable Objects are now generally available for use in Split Tunnelling rules. Administrators can reference dynamically updated address objects in split tunnel configurations, ensuring policies remain current without manual updates.

Enhancements

  • Platform Rebranding – Check Point SASE
    All platform UI elements, images, email templates, and API references now reflect the updated Check Point SASE branding.

  • User Profiles – Agent Uninstall Control
    Administrators can now control agent uninstall permissions independently of sign-out behaviour using a dedicated toggle in User Profiles.

    For more information, see User Configuration Profiles.

  • Agent Security Event Notification Control
    Administrators can control whether the SASE agent displays security event notifications to end users through a new toggle in User Profiles.
    Minimum Agent Version: 12.6

  • Tenant Restrictions – Save Disabled Rules
    Tenant Restrictions rules can now be saved in a disabled state. This allows administrators to prepare rules in advance without enforcing them immediately.

    For more information, see Tenant Restrictions.

  • Routes – Export to CSV
    The Routes page now includes an Export to CSV option, enabling administrators to download route configurations for offline review and reporting.

  • User Applications Page – Improved Name Display
    Long application names on the User Applications page now wrap to two lines instead of being truncated.

Resolved Issues

  • Improved DNS resolution reliability, preventing sporadic failures when SASE agents reconnect.

  • Ensured users remain signed in to the agent when the sign-out timeout is disabled.

  • Prevented duplicate user records during provisioning via Entra ID SCIM integration.

  • Ensured Internet Access and Device Posture policies are applied correctly after JWT token renewal.

  • Resolved errors when editing Enhanced Networks IPsec tunnel configurations.

  • Ensured network traffic is distributed correctly across tunnels when ECMP is enabled.

  • Ensured existing routes are preserved when adding new routes to tunnels.