Check Point SASE Internet Access: Double Your Protection
Security gaps can appear when protection depends on location or connection. This datasheet from Check Point shows how SASE Internet Access combines on-device and cloud-based security to keep users protected at all times. Learn how to maintain performance while strengthening protection by downloading the datasheet.
Frequently Asked Questions
How does Check Point SASE Internet Access protect employees everywhere they work?
Check Point SASE Internet Access is designed to protect employees wherever they connect from—office, home, or on the road—without forcing all traffic back through a central data center.
Instead of choosing between an on‑prem appliance or a cloud service, Internet Access combines both on‑device and cloud-based components that work together:
- **On-device protection**: Security runs directly on the user’s device, so users stay protected even when they are not connected to the corporate network. This is especially useful for remote workers and employees using public Wi‑Fi.
- **Cloud-based protection**: When traffic goes through the corporate network, the cloud-side component adds another layer of security and lets admins enforce consistent, network-wide policies.
This dual approach means:
- No need to backhaul Internet traffic through an on‑prem location just to apply security.
- Users remain protected even when split tunneling or web bypass rules are used to improve performance.
- Corporate devices are defended whether they are on or off the company network.
In short, Internet Access helps IT teams maintain continuous web protection for all corporate users, without sacrificing performance or flexibility.
What security controls and threat protections are included?
Check Point SASE Internet Access brings together several layers of web security and threat prevention so you can tailor protection to different users, groups, and networks.
Key capabilities include:
1. **Secure SSL inspection on the device**
   - SSL inspection happens locally on the user’s device, so encrypted traffic can be inspected without decrypting sensitive company data in an external environment.
2. **Granular web filtering and policy control**
   - User-centric controls let you define website access rules by user, group, or time of day.
   - Example: block social media during work hours for most employees, while allowing access for the social media or marketing team.
   - Category-based blocking (e.g., gambling, malicious sites, hate content) can be applied in both device and cloud modes.
   - You can apply stricter policies when users are on the corporate network, such as blocking social networks or high‑risk categories to support productivity and reduce misconduct risk.
3. **Network-aware policy (differentiate by network)**
   - Internet Access is part of a converged network security platform that supports multiple, self-contained networks within one company.
   - For example, you can create one network for sales and another for the rest of the organization, each with its own filtering rules and security posture.
4. **Advanced threat prevention engines**
   - **Malware protection**: Scans legitimate web traffic for malicious software, including threats delivered via ads, trojans, or zero-day exploits.
   - **Threat emulation**: Runs suspicious files in a secure cloud sandbox to detect zero-day and advanced attacks that may bypass traditional defenses. If a file is found malicious, it is blocked for the originating user and further downloads are prevented.
   - **Anti-bot**: Blocks command-and-control URLs by assessing website reputation and preventing infected devices from reaching malicious servers.
5. **SaaS security controls**
   - **Static IP allowlisting**: Lets you restrict SaaS access so only users logged in from the corporate network can reach specific SaaS applications.
   - **Application Control**: Allows admins to block or allow specific SaaS apps.
   - **Tenant Restriction**: Prevents users from logging into platforms like Microsoft 365 or Google Workspace with personal accounts instead of corporate identities.
6. **Visibility and management**
   - A single-pane-of-glass management console for all functions.
   - Visibility into users’ web activity through filtering events and logs.
Together, these capabilities help you reimagine how you enforce consistent, risk-based security policies across users, locations, and applications.
How flexible is the deployment and policy model?
Check Point SASE Internet Access is built to fit into different network and security architectures without forcing a single deployment pattern.
**Deployment flexibility**
- **Device-only mode**: Run protection directly on user devices, ideal for remote or mobile users and organizations that want to avoid routing traffic through a central location.
- **Cloud-only mode**: Use the cloud-side component to secure traffic that passes through the corporate network.
- **Combined device + cloud mode**: Use both together to double up protection—on the endpoint and in the network—while keeping policies consistent.
There is no requirement for traditional on-prem deployment, management, or maintenance. You can provide secure, direct-to-Internet connectivity without backhauling traffic, which helps maintain performance.
**Policy flexibility**
- **Different policies by network**: Enable multi-network deployments, each with its own security policies (e.g., separate networks and rules for sales, contractors, or general staff).
- **Context-aware rules**: Apply stricter policies when users are on the corporate network and more flexible ones when they are remote, while still keeping core protections in place.
- **Time-based policies**: Configure rules based on working hours or other time windows (for example, limiting access to certain categories during business hours).
- **Consistent SaaS and web controls**: Use the same platform to manage SaaS access, web filtering, and threat prevention.
This combination of deployment and policy options allows you to reshape how you deliver Internet security—aligning protection with user needs, locations, and risk profiles, rather than forcing everyone into a single network path.

