On-premises servers have only two user roles: "Admin" & "Read-only".

These are the roles:

Admin - Full Read & Write access to all system aspects.

Read-Only User - Has access to all system aspects, but cannot make any changes.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_EndpointWebManagement_AdminGuide/Topics-HEPWM-R81/Managing_Users_in_Harmony_Endpoint.htm

In the Harmony Endpoint portal, the POLICY Tab is used to manage security policies for various software capabilities such as Threat Prevention, Data Protection, and others. These policies are enforced through rules that dictate how each capability behaves on endpoint machines. TheCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfprovides clear evidence on how these rules are structured by default.

Onpage 166, under the section "Defining Endpoint Security Policies," the documentation states:

"You create and assign policies to the root node of the organizational tree as a property of each Endpoint Security component."

This indicates that a default policy (or rule) is established at the root level of the organizational hierarchy, inherently applying to all entities—users and computers—within the organization unless overridden by more specific rules. Further supporting this, onpage 19, in the "Organization-Centric model" section, it explains:

"You then define software deployment and security policies centrally for all nodes and entities, making the assignments as global or as granular as you need."

This global assignment at the root node confirms that the default rule encompasses all users and computers in the organization, aligning withOption D. The documentation does not suggest that the default rule is limited to computers only (Option A), nor does it state that no rules exist initially (Option B), or that rules are exclusive to the Firewall capability (Option C). Instead, each capability has its own default policy that applies globally until customized.

Option Ais incorrect because the default rule is not limited to computers. Page 19 notes: "The Security Policies for some Endpoint Security components are enforced for each user, and some are enforced on computers," showing that policies can apply to both based on the component, not just computers.

Option Bis false as the guide confirms default policies exist at the root node, not requiring administrators to create them from scratch (see page 166).

Option Cis inaccurate since rules exist for all capabilities (e.g., Anti-Malware on page 313, Media Encryption on page 280), not just Firewall, and all capabilities involve rules, not just actions.

Installing Full Disk Encryption (FDE) on a client machine requires specific conditions to be met, including sufficient disk space on system volumes. TheCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfprovides an exact specification for this requirement.

Onpage 249, under "Client Requirements for Full Disk Encryption Deployment," the guide explicitly states:

"Ensure that the system volumes have at least 32 MB of continuous free space."

This precise requirement confirms that administrators must ensure the system volumes have at least32 MB of continuous space, makingOption Athe correct answer. The other options (B, C, and D) list different space values (50 MB, 36 MB, and 25 MB, respectively), none of which are supported by the documentation. The use of "continuous" space emphasizes the need for an uninterrupted block, critical for FDE’s operation, further solidifying Option A’s accuracy.

For the Endpoint Security Management Server to operate, theComplianceandNetwork Policy Managementblades must be enabled. This is indicated in theCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfon page 23 under "Endpoint Security Architecture," where it describes the Management Server as hosting "Endpoint Security policy management and databases," which includes policy enforcement and compliance checking. Page 377 further details the "Compliance" section, stating, "Configuring Compliance Policy Rules" is essential for ensuring endpoint security alignment, while Network Policy Management relates to defining security policies (page 166). These blades are fundamental to the server’s core functionality of managing endpoint policies and ensuring compliance.

Option A ("all gateway-related blades") is incorrect, as gateway blades (e.g., Firewall, VPN) are not required for endpoint management; the focus is on endpoint-specific blades (page 20 lists components, none gateway-related). Option C ("Logging & Status, SmartEvent Server, and SmartEvent Correlation unit") lists monitoring tools that enhance visibility but are not mandatory for basic operation (page 63 mentions monitoring, not prerequisites). Option D ("SmartEndpoint super Node") is not a recognized term in the documentation; SmartEndpoint is a console, not a blade (page 24). Option B correctly identifies the essential blades, making it the verified answer.

The Harmony Endpoint solution provides a suite of Data Security Software Capability protections, specificallyFull Disk Encryption (FDE),Media Encryption & Port Protection (MEPP), andRemote Access VPN, as explicitly listed in theCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf. Onpage 20, under the "Endpoint Security Client" section, the document states:

"Full Disk Encryption: Combines Pre-boot protection, boot authentication, and strong encryption..."

"Media Encryption and Media Encryption & Port Protection: Protects data stored on the computers by encrypting removable media devices and allowing tight control over computers' ports..."

"Remote Access VPN: Provide secure, seamless access to corporate networks remotely, over IPsec VPN."

These three components are integral to securing data at rest (FDE), data on removable media and ports (MEPP), and data in transit (Remote Access VPN), makingOption Dthe correct choice.

Option Aincludes Anti-Malware, which, while part of Harmony Endpoint, is categorized under threat prevention rather than data security protection (see page 20). Media Encryption is a subset of MEPP but lacks the port protection aspect.

Option Blists "Passwords and Usernames" and "Security Questions," which are authentication mechanisms, not data security protections. Port Protection (MEPP) is correct but incomplete without its full scope.

Option Cincludes "Media Decryption," which is not a standalone feature (decryption is inherent to encryption processes), and misses FDE, a key data security component.

The transition of the Anti-Malware engine from Kaspersky to Sophos in the Check Point Harmony Endpoint Client occurred with the release of Endpoint Client E84.40 and higher, and this change applies universally to all deployments, including both Cloud and On-premises environments. While theCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfdoes not explicitly detail the exact version of this switch within its text, it provides general information about the Anti-Malware component on page 311 under the "Anti-Malware" section, stating that it "protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers." The lack of a specific version mention in the document suggests that this information aligns with broader Check Point product knowledge and release notes external to this specific administration guide. Among the options provided, option B (E84.40 and higher for all deployments) is the most accurate and comprehensive, as it does not limit the change to specific deployment types (e.g., Cloud or On-premises), unlike options A, C, and D. This reflects a logical deduction based on typical product evolution timelines and option analysis, ensuring applicability across all Harmony Endpoint deployments.

Connection Awareness in Harmony Endpoint supports two specific connection options:Connected to ManagementandConnected to a List of Specified Targets. This is detailed in theCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfon page 27 under the "Client to Server Communication" section. The document explains that "The client is always the initiator of the connections," and it communicates with either the Endpoint Security Management Server or a list of defined Endpoint Policy Servers for operations such as policy downloads, heartbeats, and updates. It states, "Most communication is over HTTPS (TCP/443)" and highlights that clients can connect to the Management Server or specified Policy Servers, aligning with option D’s description.

Option A ("Connected and Disconnected") is overly simplistic and does not reflect the specific connection targets outlined in the guide. Option B ("Master and Slave Endpoint Security Management Server") is incorrect; the documentation uses "Primary and Secondary Management Servers" for High Availability (page 24), not "Master and Slave." Option C ("Client and Server model based on LDAP model") misrepresents Connection Awareness, as LDAP ports (389 and 636) relate to Active Directory communication (page 124), not Connection Awareness. Option D accurately captures the two supported connection options as per the documentation, making it the correct answer.