LICENSE GUIDE Enterprise Solutions

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings The Power-1 appliance family enables organizations to maximize security in high-performance environments such as large campuses or data centers. It combines integrated One on the License is per model. License is for firewall, IPSec VPN, and intrusion prevention with advanced SmartCenter unlimited users.Includes FireWall-1, Check Point Power-1 acceleration technologies, delivering a high-performance CPPWR-APP No 2 and another VPN-1, FloodGate-1, SecureXL, Security appliance security platform that can block application layer threats in on the ClusterXL, MultiCore, and SplatPro. multi-Gbps environments. Even as new threats appear, device) Prices do not include shipping costs. Power-1 appliances maintain or-due to their open architecture-increase performance while protecting networks against attacks. Check Point UTM-1™ appliances plus Total Security – 1 year or 3 years complete Unified threat Management License is per model. License is for including: unlimited users. Includes 5 Remote - SmartDefense Services, Content Inspection access users (either SecureClient or (Antivirus and URL Filtering), and Messaging SNX), SmartPortal, SmartDirectory, CPUTM-APP- Total Security UTM-1 Security. SmartView Monitor and express No 1 Device TS Appliances - Software subscription, reports. The 450 & 1050 models can - Entitlement to reduced product support rates. manage 3 sites including - Check Point FireWall-1 including Application themselves. The 2050 model can Intelligence for unlimited users mange up to 5 sites including itself. - VPN – IPSec Remote Access, Site-to-Site VPN, Prices do not include shipping costs. and SSL VPN (see product specification) included License is per model. License is for Check Point UTM-1™ appliances deliver proven, tightly unlimited users. Includes 5 Remote integrated security features to provide the perfect blend of access users (either SecureClient or simplicity and security. UTM-1 appliances offer a complete SNX), SmartPortal, SmartDirectory, set of security features including firewall, intrusion SmartView Monitor and express CPUTM-APP UTM-1 appliance No 1 Device prevention, antivirus, anti-spyware, Web application firewall, reports. The 450 & 1050 models can VoIP security, instant messaging (IM) and peer-to-peer manage 3 sites including (P2P) blocking, URL Filtering, as well as secure site-to-site themselves. The 2050 model can and remote access connectivity mange up to 5 sites including itself. Prices do not include shipping costs.

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings A unified threat management hardware appliance that provides all-in-one security including firewall, VPN, SmartDefense Service, IPS and Antivirus for enterprise Licensed per number of concurrent branch offices and remote offices. All appliances are connections. The SKU is a product CPUTM-EDGE VPN-1 UTM Edge equipped with a serial port, 4 LAN ports, 1 WAN port and 1 No N/A Device key tied up to the MAC address of DMZ/WAN2 port. The appliances are available with built-in the appliance. Prices do not include secure wireless access point and/or ADSL modem. All shipping costs wireless and/or ADSL models include a USB port used as a print server. Security enforcement point includes Firewall, VPN, intrusion prevention, and antivirus protection and URL filtering for a ClusterXL for Load Sharing (CXLS) specified number of users; It also includes VPN-1 Check Point VPN-1 license additionally required for load CPUTM-VUG SecuRemote for a defined number of users: the unlimited No 1 Gateway UTM Gateway sharing implementations; Licenses gateway includes 1,000 VPN-1 SecuRemote users. VPN-1 per number of users. UTM Gateways are managed by SmartCenter UTM, SmartCenter Power or Provider-1. Security enforcement point for high availability deployments includes FireWall-1, VPN-1, intrusion prevention, and License must match the antivirus protection. Must be used with an existing VPN-1 number of users in the existing VPN- CPUTM-VUG- Secondary VPN-1 UTM UTM Gateway of the same size. Additional HA VPN-1 UTM No 1 Gateway 1 UTM Gateway license. License HA Gateway Gateways can be added to increase the size of the cluster. must be used on a gateway in a VPN-1 UTM Gateways are managed by SmartCenter UTM, cluster object. SmartCenter Power or Provider-1. VPN-1 Power Gateways provide the most comprehensive and powerful security for the enterprise. VPN-1 Power Gateways are managed by SmartCenter UTM, SmartCenter ClusterXL for Load Sharing (CXLS) Power Check Point VPN-1 license additionally required for load CPPWR-VPG or Provider-1. All VPN-1 Power Gateways include FireWall- No 1 Gateway Power Gateway sharing implementations; Licensed 1, VPN-1, FloodGate-1, SecureXL, SmartDefense, per number of users. ClusterXL for High Availability, and VPN-1 SecuRemote for a defined number of users: the unlimited gateway includes 5,000 VPN-1 SecuRemote users. Additional enforcement point for high availability or load sharing deployments, including FireWall-1, VPN-1, Must be used with an existing VPG FloodGate-1 and SecureXL, offering protection for a CPPWR-VPG- Secondary VPN-1 license of the same size. License specified number of users. VPN-1 Power Gateways are No 1 Gateway HA Power Gateway must be used on a gateway in a managed by SmartCenter UTM, SmartCenter Power or cluster object. Provider-1. Additional HA VPN-1 Power Gateways can be added to increase the size of the cluster.

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings A combination of performance and simplicity- an all-in-one platform that includes the VPN-1 UTM features with the acceleration provided by the VPN-1 Power line. VPN-1 UTM Power Gateways are managed by SmartCenter UTM, ClusterXL for Load Sharing (CXLS) Check Point VPN-1 SmartCenter Power or Provider-1. All VPN-1 UTM Power license additionally required for load CPUTM-VUP No 1 Gateway UTM Power Gateway Gateways include FireWall-1, VPN-1, FloodGate-1, sharing implementations; License SecureXL, SmartDefense, AntiVirus, URL filtering, per number of users. ClusterXL for High Availability, and VPN-1 SecuRemote for a defined number of users: the unlimited gateway includes 5,000 VPN-1 SecuRemote users. Additional enforcement point for high availability or load sharing deployments, including FireWall-1, VPN-1, Must be used with an existing VPN-1 CPUTM-VUP- Secondary VPN-1 UTM FloodGate-1, SecureXL, SmartDefense, AntiVirus and URL UTM Power license of the same No 1 Gateway HA Power Gateway filtering offering protection for a specified number of users. size. License must be used on a Additional HA VPN-1 UTM Power Gateways can be added gateway in a cluster object. to increase the size of the cluster. Check Point UTM provides comprehensive enterprise-class SmartCenter Check Point UTM - security for organizations. It includes SmartCenter UTM or SmartCenter license is per number CPUTM-CKP SmartCenter and SmartCenter for a specified number of sites, one VPN-1 No 1 or 2 SmartCenter of managed sites. VPN-1 Gateway Gateway Bundle UTM Gateway protecting specified number of users, and and License is per number of users. VPN-1 SecuRemote for a specified number of users. Gateway Provides comprehensive enterprise security. Includes SmartCenter Power with SmartDashboard, SmartUpdate, SmartCenter SmartMap, SmartDirectory, SmartLSM, SmartCenter High Check Point Power - or SmartCenter license is per number Availability, SmartView Tracker, SmartView Monitor and CPPWR-CKP SmartCenter and No 1 or 2 SmartCenter of managed sites. VPN-1 Gateway SmartPortal. Also includes a single VPN-1 Power Gateway Gateway Bundle and License is per number of users. for specified number of users (including FireWall-1, VPN-1, Gateway FloodGate-1, SecureXL, and VPN-1 SecuRemote), and SmartDefense. Provides comprehensive enterprise security. Includes SmartCenter Power with SmartDashboard, SmartUpdate, SmartCenter SmartMap, SmartDirectory, SmartLSM, SmartCenter High Check Point UTM or SmartCenter license is per number Availability, SmartView Tracker, SmartView Monitor, CPUTM-CKPP Power – SmartCenter No 1 or 2 SmartCenter of managed sites. VPN-1 Gateway SmartPortal. Also includes a single VPN-1 UTM Power and Gateway Bundle and License is per number of users. |Gateway for a specified number of users (including Gateway FireWall-1, VPN-1, FloodGate-1, SecureXL, and VPN-1 SecuRemote), Antivirus URL Filtering and SmartDefense

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Extends the scale of the security system to meet the most demanding performance and reliability requirements of enterprise customers. The VSX Gateway enforces up to 250 discrete VPN-1 Power security policies on a single machine. Each VS (Virtual System) is associated with a VLAN, which Check Point Power is attached to an internal interface of the VSX Gateway. The Licensed based on virtual number of CPPWR-VSX Virtual Security additional Virtual Security Gateway enables automatic high Yes 1 Gateway systems running on a VSX gateway Gateway - VSX availability by providing an additional Virtual Security Gateway. SecureXL™ is provided with every VSX Gateway for enhanced VPN and firewall performance. SecurePlatform Pro is included. Virtual Security Gateways require existing SmartCenter UTM, SmartCenter Power or Provider-1 for SmartCenter. Secondary VPN-1 License must be of the same size as CPPWR-VSX- Power VSX gateway Realize non-stop security with a second Virtual System the primary VSX in the cluster. Yes 1 Gateway HA for Load Sharing and Extension for high availability implementations. License must be used in a VSX High Availability cluster. Web Intelligence is an add-on to VPN-1 Power, VPN-1 UTM Licensed by the number of protected and UTM-1 that provides Web application firewall Web Intelligence Add- Web servers (per IP address). In CPMP-WIT technology and capabilities. When combined with VPN-1, Yes 1 SmartCenter on for VPN-1 Gateway case the Web server is behind HA Web Intelligence provides protection for the entire Web GW – one license is needed. environment. Secondary Web Web application firewall add-on to VPN-1 Power, VPN-1 Must be used with a Web CPMP-WIT-HA Intelligence Add-on for UTM and UTM-1 enforcement points for a high availability Yes 1 SmartCenter Intelligence license of the same size VPN-1 Gateway deployment. installed on other cluster members Add Quality of Service to VPN-1 Gateways. Provides policy SmartCenter based Quality of Service to optimize network performance Per new CPUTM-QOS FloodGate-1 Add-On by assigning priority to business critical applications and Yes 1 Licensed per site. Works with NGX license for end-users. QOS license includes in VPN-1 UTM Power only NGX gateways. Enables load sharing by distributing traffic between clusters ClusterXL for Load of redundant gateways so that the computing capacity of CPMP-CXLS Yes 1 SmartCenter Sharing Add-on multiple machines may be combined to increase total Licensed per site/ number of users throughput. Enables Wire-Speed VPN with SecureXL technology and Licensed per gateway. Included in CPMP-PPK SecureXL multi-CPU licenses through software based acceleration. No 1 Gateway VPN-1 Power. For use with FireWall-1 and VPN-1. Enables increased server capacity via automatic application CPFW-CC ConnectControl Add-on 1 Gateway Licensed per gateway. server load balancing. SecurePlatform Pro expands SecurePlatform adding dynamic routing and multicast support for VPN-1 gateways. CPOS-SPRO SecurePlatform PRO Yes 1 SmartCenter Supported dynamic routing protocols: –RIP, RIPv2, OSPF, Licensed per Gateway and BGP. Supported multicast protocols – PIM-SM, PIM-

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings DM, and IGMP. Priced per gateway. Includes also Centralized administrator SmartCenter through RADIUS authentication

IPS-1 appliance includes a 1-year hardware warranty. Sensor 50 Check Point IPS-1 is a dedicated intrusion detection and requires physically resetting some prevention appliance that delivers mission critical protection switch configurations inside the Check Point IPS-1 CPIS-IPS against worms, automated malware and other hybrid threats N/A 1 SmartCenter appliance when changing from Sensor both known and unknown, with unmatched management, passive IDS mode to inline forensic analysis and flexibility. prevention with fail pass thru mode and vice versa. Prices do not include shipping costs The IPS-1 Management Server is an add-on to Check Point SmartCenter, provided based on your SmartCenter SKU (3, CPMP-IPS Management server for Yes 1 SmartCenter 5 or Unlimited Gateways). The license is installed on the IPS-1 sensors server running IPS-1 Management Server. Internal Security Gateway that blocks the spread of worms and attacks inside the network and provides network zone segmentation. InterSpect is built specifically for internal network security. With InterSpect, organizations can protect their network with a complete internal security solution. Included in CPIS-INSP Check Point InterSpect InterSpect is designed for non-disruptive deployment into No N/A Licensed per device the device existing network environments, with a SmartCenter interface tailored for internal security. All models include: SmartDashboard for InterSpect, SmartView Monitor for InterSpect, and Eventia Reporter for InterSpect , and one year of SmartDefense subscription Check Point Connectra is a complete Web Security Gateway Appliance that provides both SSL VPN and integrated Web Security in a single, unified security solution. Connectra provides secure Web-based connectivity by Connectra Web combining easy SSL VPN and network-level access with Included in Licensed per concurrent user. Prices CPWS-CRA No N/A Security Gateway unmatched protection for the entire Web environment. the device do not include shipping costs. Connectra can be purchases as an Appliance or as Software. All models include: Application Intelligence, Web Intelligence, SSL Network Extender, and a 1 year subscription to SmartDefense. Connectra Web Requires an existing Connectra Included in CPWS-CRA-HA Security Gateway for Additional Connectra appliance for High Availability. No N/A Appliance of the same size. Prices the device High Availability do not include shipping costs.

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings An innovative solution to mitigate the risks posed by non-IT Must match the number of users in controlled endpoints accessing enterprise resources the existing CPWS-CRA license. Integrity Clientless remotely via Web-based applications and gateways, such Connectra Connectra license for 25 users CPWS-CCV Yes 1 Security for Connectra as Microsoft Outlook Web Access, SSL VPNs or extranets. Device comes bundled with Integrity It protects the enterprise from spyware, keystroke loggers, Clientless Security license for 25 and other undesirable software. users. Integrity Clientless Must match the number of users in Security High the existing CPWS-CRA CPWS-CCV-HA Additional Integrity Clientless Security for high availability. Yes 1 Server Availability for CPWS-HCRA license; Requires HA Connectra for each product Check Point Connectra is a complete Web security gateway that provides both SSL VPN and integrated Web security in a single unified security solution. Connectra SW is a Licensed per number of concurrent CPWS-CRS Connectra SW software solution that installs SecurePlatform, a customized Yes 1 Server users. and hardened operating system, and Connectra software on

an open server. Connectra also includes Application Intelligence, Web Intelligence, SSL Network Extender, and a 1 year subscription to SmartDefense. Connectra Web Must be used with an existing CPWS-CRS-HA Security SW for High Additional Connectra software for high availability. Yes 1 Server Connectra software of the same Availability size.

Check Point Connectra is a complete Web Security Gateway that provides SSL VPN access and License also includes Application comprehensive endpoint and integrated intrusion prevention Connectra Unlimited - Intelligence, Web Intelligence, SSL security in a single, unified remote access solution. The CPWS-CRBC Business Continuity No 1 Server Network Extender, Integrity Business Continuity License enables the full use of License for 45 days Clientless Security and a 45 day Connectra, with no restriction on the number of users, and subscription to SmartDefense. with all of its features and related services activated for 45 days. SecureClient Mobile delivers secure, continuous remote access and firewall protection for mobile devices that CPVP-SCM SecureClient Mobile Yes 1 SmartCenter Licensed per user connect to VPN-1 and Connectra for continuous protection and productivity. Remote access solution for SSL VPN that enables remote CPVP-SNX SSL Network Extender users to connect client/server applications using an Internet Yes 1 SmartCenter Licensed per user web browser plug-in Licensed per protected endpoint. Antivirus and anti-spyware updates Check Point Endpoint Endpoint Security Secure Access includes firewall, program require subscription to CPEP-SA Security - control, NAC, remote access VPN and antivirus/anti- Yes 3 SmartDefense Anti-malware Secure Access spyware engine. Service. Secure Access includes the Endpoint Security management server in single server or High

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Availability / fail-over configuration. Includes use of SecureClient for Windows and SecureClient for Macintosh Endpoint Security Full Disk Encryption includes full disk Licensed per protected endpoint. Check Point Endpoint encryption for laptops and Desktops with pre-boot Full Disk Encryption includes the CPEP-FDE Security - Yes 3 authentication SmartCenter for Pointsec (MI and Full Disk Encryption WebRH) Check Point Endpoint Endpoint Security Media Encryption includes both port Licensed per protected endpoint. CPEP-MEPP Security - protection and removable media encryption in a single Yes 3 Media Encryption includes Media Encryption package. management server. Endpoint Security Total Security includes all Endpoint Security components including firewall, program control, Licensed per protected endpoint. Check Point Endpoint Antivirus and anti-spyware updates NAC, VPN client, antivirus and anti-spyware CPEP-TS Security - Yes 9 require subscription to Total Security engine , full disk encryption, port protection and media SmartDefense Anti-malware encryption. Service.

Program Advisor service is included One year subscription includes antivirus and anti-spyware CPEP-SMDF- Anti-Malware Service Integrity only with the SmartDefense Anti- updates and Program Advisor service. No 2 AM server malware service. Services are priced

for one year unless stated otherwise. Pointsec Mobile Solutions address the very real need to secure the intellectual property and other sensitive data that resides on PDAs and smart phones with a strong and complete set of encryption products. Our Mobile Platform License is per number of seats. Products completely secure data on the Symbian, Pocket SmartCenter for Pointsec is PC, Windows Mobile Smartphone and Palm operating included. CPDS-PMOB Pointsec Mobile Yes 1 systems. Our Mobile Solutions have also been designed The Starter Kit includes 25 seats of with the features and functionality required in both Pointsec PC and SmartCenter for Enterprise Business environments and Service Provider Pointsec for 25 managed endpoint. offerings. The Pointsec Mobile suite provides for a truly mobile workforce with push email and business applications running on handsets Utilizes Check Point’s Security Management ArchiTecture (SMART) to enable one-click centralized policy distribution with centralized security SmartCenter of a specified number Check Point of VPN-1 UTM and VPN-1 Power Gateways. Includes License is per number of sites CPUTM-SC No 1 SmartCenter SmartCenter UTM SmartDashboard - a user interface for defining and managed. managing the security policy, and SmartView Tracker - which displays detailed log information on all enforcement points. Check Point Utilizes Check Point’s Security Management ArchiTecture License is per number of sites CPPWR-SC No 1 SmartCenter SmartCenter Power (SMART) to enable one-click centralized security managed

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings SmartCenter and policy distribution for a specified number of VPN-1 UTM and VPN-1 Power Gateways. SmartCenter Power includes SmartDashboard user interface for defining and managing the security policy; SmartUpdate , enabling centralized, one-click software and license SmartCenter; SmartMap , a visual policy editor that graphically depicts network layout and illustrates the effect of security policies; SmartDirectory , enabling storage and retrieval of VPN- 1/FireWall-1 user attributes on LDAP servers; SmartLSM , which includes SmartCenter tools for thousands of gateways; SmartCenter High Availability , enabling automatic synchronization of backup SmartCenter servers ensuring resilient security SmartCenter; SmartView Tracker , which displays detailed log information on all enforcement points; SmartView Monitor , providing traffic and performance monitoring; and SmartPorta l™, which provides a web portal to view security policies and objects without installing dedicated SmartConsole clients. Includes a single Multi-Domain Server (MDS) Manager and Container, a specified number of Customer SmartCenter Licensing is by number of security 1 for MDS Add-ons (CMAs) for managing an unlimited number of MDS level domains managed. Can be used to Check Point Provider-1 and 3 (or CPMP-PRE gateways, and CMA Pro Add-ons including SmartUpdate, No and CMA manage a single legal entity as Enterprise Edition 5) for SmartMap, SmartDirectory, SmartLSM, and SmartView levels opposed to other Provider-1 CMAs. Monitor. Addition of Enterprise Edition licenses or MDS licensing schemes. Containers to this product is not allowed. Upgrade the SmartCenter UTM to SmartCenter Power. SmartCenter Add-ons Suite includes SmartUpdate - centralized, one-click software and license SmartCenter. SmartMap - a visual policy editor graphically depicts network layout and illustrates the effect of security policies. SmartDirectory - storage and retrieval of VPN-1/FireWall-1 SmartCenter Add-ons CPUTM-SC- user attributes on LDAP servers. SmartView Monitor – Suite for SmartCenter No 1 SmartCenter ADD provides traffic and performance monitoring. SmartPortal - UTM provides a web portal to view security policies and objects Licensed by the number of sites without installing dedicated SmartConsole clients. managed. The license must match Utilizes Check Point’s Security Management ArchiTecture existing number of sites managed (SMART) to enable one-click centralized security SmartCenter and policy distribution of an unlimited number of Check Point gateways. Increase the number of sites managed by Check Point SmartCenter UTM. The SmartCenter add-ons are SmartCenter UTM incremental, not additive. The SXA-2 increases the number CPUTM-SXA No 1 SmartCenter SmartCenter Add-on of sites managed by Check Point SmartCenter UTM by two Licensed by the number of sites (i.e. increase sites managed from 1 to 3 or 3 to 5.) The SXA- managed 20 increases the number of sites managed by Check Point

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Express from 5 to 25. Includes SmartPortal.

SmartPortal is a web-based portal to SmartCenter and Licensed per gateway or Provider-1 for viewing and monitoring security policies, CPUTM-SMPO SmartPortal No 1 SmartCenter management server. Number of network status and logs; as well as facilitating SmartCenter users is unlimited user administration. Included with SmartCenter Power. Utilizes Check Point’s Security Management ArchiTecture (SMART) to provide centralized, one-click software and license SmartCenter for Check Point products. The Licensed per gateway or CPUTM-SMUP SmartUpdate No 1 SmartCenter installation of service packs and addition of new products SmartCenter server can be performed from a central GUI. Included in SmartCenter Power. Enhanced SmartCenter capabilities allowing the visualization and editing of security policies and objects Licensed per gateway or CPUTM-SMMP SmartMap No 1 SmartCenter through an automatically generated topological view of the SmartCenter server network. Included in SmartCenter Power. SmartDirectory extends SmartCenter UTM and SmartCenter Licensed per gateway or Power authentication capabilities by enabling the integration SmartCenter server CPUTM-SMDR SmartDirectory of VPN-1/FireWall-1 with LDAP Directory servers for user No 1 SmartCenter License is additive for 1 but not for data retrieval and SmartCenter, access control and user unlimited authentication. Included in SmartCenter Power. SmartCenter Station Replication enables high availability for SmartCenter UTM and SmartCenter Power. Backup SmartCenter stations are automatically synchronized, CPUTM-MGM- SmartCenter High One license is required per pair of ensuring constant availability. Note that this feature enables No 1 SmartCenter HA Availability HA SmartCenter. replication, but does not include an additional SmartCenter UTM or SmartCenter Power license. Included in SmartCenter Power CPMP-MOTIF- Motif GUI SmartCenter Console for Solaris No 1 SmartCenter Licensed per SmartCenter server GUI enables real-time log accumulation, tracking and Log Server CPMP-CLM Customer Log Module SmartCenter on a dedicated log server for VPN-1 Pro No 1 Licensed per number of log servers Device Gateways. Leverages Check Point’s Security SmartCenter Open Security CPFW-OSE ArchiTecture (SMART) to manage packet filters and access Yes 1 SmartCenter Licensed per router managed Extension lists of third-party routers and security devices.

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings EVA should be installed on Eventia Server. 1 for EVA From R63 Eventia Suite provides the benefits of Eventia Analyzer and CPMP-EVS Eventia Suite Yes and 1 for the EVR Licensed per gateway Eventia Reporter in one bundle EVR should also be applied on Eventia Reporter Server EVA- 5,25, and 50 come with 1 Analyzer EVA- 100 comes with 4 Analyzers Check Point Eventia Analyzer supports 5,25, 50,100 Licensed per gateway. License Gateways or devices. Integrated with Check Point SMART includes 1 CLM. When working in CPMP-EVA Eventia Express SmartCenter Eventia is the only solution that provides Eventia Yes 1 the Provider-1 environment, Eventia Analyzer centralized, real-time correlation of log data for Check Point Server 5 supports a single CMA, Eventia 25 perimeter, internal and web security gateways; as well as supports up to 5 CMAs, Eventia 50 third party security and network devices. supports up to 10 CMAs, and Eventia 100 supports up to 25 CMAs. On version prior to NGX R63 the license should be Incorporates reporting and monitoring for all Check Point installed on products. Receive up to the minute information about the Licensed per gateway- unlimited CPMP-EVR Eventia Reporter security and networks through to status alerts, security Yes 1 SmartCenter number of users threat alerts and defense capabilities monitored and . From R63 reported in Eventia Reporter the license should be installed on the Eventia Reporter server

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Incorporates reporting and monitoring for all Check Point products. Customers receive upto-the-minute information about their security and networks via status alerts, security SmartView Reporter threat alerts, and defense capabilities monitored and Licensed per reporting site CPMP-SSV Yes 1 SmartCenter and Monitor reported in SmartView. In addition, customers are also assisted in their long term decision making and policy planning by data mining, trending, and detailed analytical tools included in SmartView. Correlation CPMP-EVA- Eventia Analyzer Check Point Eventia Correlation Unit extends the amount of No 1 Device License is per Correlation Unit CORL Correlation Unit logs that can be managed by the Eventia Server Server Yearly renewable subscription sold SmartDefense Total Total Security is a complete Unified threat Management Part of the per number of users License is per CPPWR-SDTS Security services for including: SmartDefense Services, Content Inspection No N/A UserCenter* Cluster. The CK/MAC address is VPN-1 Power-1 (Antivirus and URL Filtering), and Messaging Security. required when ordering the service. Update from UTM to Total Security* UTM. Total Security is complete Unified threat Management Yearly renewable subscription sold Update to One Year or CPUTM-UPD- including: Part of the per number of users License is per 3 Years Total Security No N/A TS - SmartDefense Services, Content Inspection UserCenter* Gateway. The CK/MAC address is for VPN-1 UTM (Antivirus and URL Filtering), and Messaging required when ordering the service. Security. Renewal of additional 1 year Total Security. Total Security is a complete Unified threat Management Yearly renewable subscription sold Renewal of additional CPUTM-REN- including: Part of the per number of users License is per One Year Total No N/A TS - SmartDefense Services, Content Inspection UserCenter* Gateway. The CK/MAC address is Security (Antivirus and URL Filtering), and Messaging required when ordering the service. Security. Yearly renewable subscription sold SmartDefense Services provide ongoing, real-time updates per number of users License is per SmartDefense Services Part of the CPUTM-SMDF and configuration advisories for defenses and security No N/A Cluster. for VPN-1 UTM/ UTM-1 UserCenter* policies. SmartDefense Services are licensed annually The CK/MAC address is required when ordering the service. Update Services provide ongoing, real-time updates and Yearly renewable subscription sold SmartDefense Total configuration advisories for defenses and security policies. Part of the per number of users License is per CPUTM-SDCS Security Services for No N/A SmartDefense, Antivirus and URL Filtering Services are UserCenter* Cluster. The CK/MAC address is VPN-1 UTM licensed annually. required when ordering the service. Yearly renewable subscription sold SmartDefense Services Total Security is a complete Unified threat Management Part of the per number of users License is per CPUTM-SDTS plus Content Inspection including: SmartDefense Services, Content Inspection No N/A UserCenter* Cluster. The CK/MAC address is for VPN-1 UTM-1 (Antivirus and URL Filtering), and Messaging Security. required when ordering the service. SmartDefense Services provide ongoing, real-time updates Yearly renewable subscription sold SmartDefense Services CPUTM-EDGE- and configuration advisories for defenses and security Part of the per number of users License is per and Antivirus for VPN-1 No N/A SDAV policies. SmartDefense Services are licensed annually. The UserCenter* Cluster. The CK/MAC address is UTM Edge Anti-Virus signature update component of SmartDefense required when ordering the service.

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Services is also licensed annually.

Yearly renewable subscription sold SmartDefense Services SmartDefense Services provide ongoing, real-time updates Part of the per number of users License is per CPPWR-SMDF for VPN-1 and configuration advisories for defenses and security No N/A UserCenter* Cluster. The CK/MAC address is Power/Power-1 policies. SmartDefense Services are licensed annually. required when ordering the service. Yearly renewable subscription sold SmartDefense Services provide ongoing, real-time updates CPPWR- SmartDefense Services Part of the per number of users License is per and configuration advisories for defenses and security No N/A SMDF-VSX for VPN-1 Power VSX UserCenter* Cluster. The CK/MAC address is policies. SmartDefense Services are licensed annually. required when ordering the service. Yearly renewable subscription sold SmartDefense Services provide ongoing, real-time updates CPIS-IPS- SmartDefense Services Part of the per number of users License is per and configuration advisories for defenses and security No N/A SMDF for IPS-1 UserCenter* Cluster. The CK/MAC address is policies. SmartDefense Services are licensed annually. required when ordering the service. Yearly renewable subscription sold SmartDefense Services provide ongoing, real-time updates SmartDefense Service Part of the per number of users License is per CPIS-SMDF and configuration advisories for defenses and security No N/A for InterSpect UserCenter* site. The CK/MAC address is policies. SmartDefense Services are licensed annually. required when ordering the service. Yearly renewable subscription sold SmartDefense Services provide ongoing, real-time updates SmartDefense Service Part of the per number of users License is per CPWS-SMDF and configuration advisories for defenses and security No N/A for Connectra UserCenter* site. The CK/MAC address is policies. SmartDefense Services are licensed annually. required when ordering the service. Wire-speed VPNs are enabled by high performance encryption acceleration for3DES IPSec/IKE VPN-1 Check Point Connectra Requires an available PCI slot on CPVH-CAC-I deployments. . The Connectra Accelerator Card can No N/A N/A Accelerator Card the Gateway Server. achieve up to 400Mbps IPSec-3DES performance

Utilizes Check Point’s SecureAccess technology, and provides Authentication and Authorization (WebAccess) services for LAN and REMOTE users using UserAuthority User CPUA-UAU SecuRemote/SecureClient, Windows Clients, Browsers Yes 1 Gateway license (including SSL). This component extends security to the Licensed per total number of users. applications and provides the ability to set security policy for web servers. Check Point Integrity Stand-alone desktop firewall keeping employees productive Desktop/ CPIS-IDT Yes 1 Licensed per user Desktop and enterprise data secure— with minimal IT administration. Client Leverages Check Point’s SecureProtect technology to

protect a single machine. It provides a subset of VPN-1 CPVP-VSS VPN-1 SecureServer No 1 Gateway Power capabilities and requires existing SmartCenter. VPN- Licensed per server 1 SecureServer includes Multi CPU capabilities.

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Leverages Check Point’s SecureProtect technology to

FireWall-1 protect a single machine. It provides a subset of FireWall-1 CPFW-FSS No 1 Gateway Licensed per server SecureServer capabilities and requires existing SmartCenter. FireWall-1

SecureServer includes Multi CPU capabilities. Requires an available PCI slot on Wire-Speed VPNs are enabled by high performance the Gateway Server. The VPN Check Point VPN-1 encryption acceleration for 3DES IPSec/IKE VPN-1 CPVH-VAC-IV No N/A N/A Accelerator Card III can achieve up Accelerator Card IV deployments. Requires a licensed copy of 3DES VPN-1 to 400Mbps IPSec-3DES Power. performance

* This product’s components must be presented in the UserCenter. The SmartCenter Admin must provide credentials (username/password) for this UserCenter # at the time that a SmartDefense update is performed. Note that SmartCenter admin credentials are not the same as UserCenter credentials

Service Provider Solutions

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPPR-MDS-MC Provider-1 MDS Provider-1 Multi Domain Servers (MDS) enable one-click CMA licenses are mandatory Manager and centralized policy distribution with centralized resilient for the proper functionality of Container security SmartCenter for a specified number of Customer Provider-1 MDS systems. SmartCenter Add-ons (CMAs) on a single hardware The purchase of a secondary Yes 1 MDS Server platform. Each MDS system consists from 2 basic parts: MDS Manager does not MDS Manager & MDS Container. The Provider-1 system require the purchase of High can manage ALL types of Customer SmartCenter Add-ons Availability software (CMAs). CPPR-MDS-C Provider-1 MDS Enables the addition of multiple Customer SmartCenter Multiple MDS Container Container Add-ons (CMAs) to the MDS Server, thus allowing licenses can be added to the centralized security SmartCenter and policy distribution of same MDS host, up to a VPN-1 Power Gateways for multiple Customers. Multiple Yes 1 MDS Server maximum of 500 CMAs. MDS Container hosts can be cascaded to manage CMA licenses are required thousands of Customers in a single Provider-1 system. The for each CMA on the Provider-1 MDS Container can contain all types of CMAs. Container CPPR-MDS-M Provider-1 MDS Multiple MDS Managers can be cascaded, on multiple The Secondary MDS must Manager for High hosts, to enable SmartCenter High Availability and Yes 1 MDS Server be of the same size as the Availability concurrent access for multiple Administrators. Primary MDS. CPSM-SMM- SiteManager-1 SiteManager-1 Multi Domain Servers (MDS) enable one- CMA licenses are mandatory MC click centralized policy distribution with centralized resilient for the proper functionality security SmartCenter for a specified number of Customer SiteManager-1 MDS SmartCenter Add-ons (CMAs) on a single hardware systems. The purchase of a Yes 1 MDS Server platform. SiteManager-1 can manage ONLY the dedicated secondary MDS Manager SiteManager-1 Customer SmartCenter add-ons (CMAs). does not require the purchase of High Availability software CPPR-PRO Pro Add-on for MDS Pro Add-ons extend the Security Management Needs to be installed at the ArchiTecture (SMART) by providing high end SmartCenter CMA level tools for the Provider-1 environment on the CMA level. The additional abilities includes: SmartDirectory - Powerful Integration with LDAP-based directories, SmartMap – Allows visualizing the network structure in a graph view, Yes 1 MDS Server SmartUpdate – Allows remote deployment of software updates and upgrades, SmartLSM – Allows large-scale management and provisioning, SmartView Monitor – Advanced real-time monitoring functionality, SmartPortal – Allow the web access to the CMA configuration data. The above features are licensed per CMA.

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPPR-CMA Provider-1 CMA The Provider-1 Customer SmartCenter Add-on Licensed per number of (Primary CMA) (CMA) utilizes Check Point’s Security SmartCenter gateways managed ArchiTecture (SMART) to enable one-click centralized security SmartCenter and policy distribution of a specified number of VPN-1 Power Gateways, for a single Customer. Includes SmartDashboard - user interface for defining and No 1 CMA Level managing the security policy and SmartView Tracker - for displaying detailed log information on all enforcement points. A CMA must be hosted within an MDS Container. CMAs of different Customers are completely isolated from each other. Provider-1 CMAs can only be used within a Provider-1 MDS Container. CPPR-CMA- Provider-1 CMA HA A second Provider-1 CMA for highly available SmartCenter The Secondary CMA must XX-HA (Secondary CMA) of single customer, on a separate MDS Container. Does No 1 CMA Level be of the same size as the not require additional software to enable high availability. Primary CMA. CPSM-ST-CMA SiteManager-1 A Customer SmartCenter Add-on for managing up to 2 Installed on The number of users Standard CMA VPN-1 Power, VPN-1 UTM or VPN-1 UTM Edge gateways. MDS Server, protected by these gateways No 1 (Primary CMA) SiteManager-1 CMAs can be used either within a Provider- applied at must not exceed 250 users. 1 MDS Container or within a SiteManager-1 MDS. CMA Level. CPSM-ST- SiteManager-1 A second SiteManager-1 Standard CMA for highly Installed on The Secondary CMA must CMA-xx-HA Standard CMA-HA available SmartCenter of single customer, on a separate MDS Server, be of the same size as the No 1 (Secondary CMA) MDS Container. Does not require additional software to applied at Primary CMA. enable high availability. CMA Level. CPPR-CLM Customer Log Module Enables real-time accumulation, tracking and SmartCenter A stand-alone Licensed per SmartCenter of logs from VPN-1 Power Gateways of one Customer. host, or co- console. If hosted on non- Log servers are managed at the CMA level, and are not No 1 hosted on a MLM server must have own considered part of the Provider-1 System. VPN-1 Power CLM license gateway. CPPR-MLM-C Multi-Domain Log The MLM is a Container of Customer Log Modules (CLMs). The MLM license enables all Module – MLM It enables centralized log processing for multiple Installed on the contained CLMs. No Customers on a dedicated MDS host. An MLM is MLM Server additional CLM licenses are recommended for larger deployments to improve level, and required. Multiple MLM Yes 1 performance of MDS Container hosts, by offloading their covers all of licenses can be added to the log processing functions. An MLM license cannot be the CLM same host, up to a maximum added to a Provider-1 (or a SiteManager-1) MDS Container licensing. of 250 CLMs. host. CPPR-MOTIF- Provider-1 Motif Gui The Multi-Domain GUI (MDG) is a Provider-1 CMA Use only if a Solaris based GUI interface designed to simplify multi-policy security GUI is required.. Licensed management. It provides an intuitive way to view, edit, and per Solaris Machine running navigate between policies (CMAs) stored centrally on the No 1 SmartCenter the GUI. MDS. Using this GUI, a single administrator can oversee rules, objects, logs, status and alerts for hundreds of customers.

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPPWR-VSX Virtual Security Extends the scale of the security system to meet the most Licensed by the number of Gateway – VPN-1 demanding performance and reliability requirements of Virtual Systems running on a Power VSX enterprise customers. The VSX Gateway enforces up to VSX gateway. When running 250 discrete VPN-1 Power security policies on a single VSX in a cluster environment machine. Each VS (Virtual System) is associated with a with Check Point ClusterXL, VLAN, which is attached to an internal interface of the VSX a ClusterXL license must be Yes 1 Gateway Gateway. The additional Virtual Security Gateway enables installed on the SmartCenter automatic high availability or load sharing by providing an station. additional Virtual Security Gateway. SecureXL is provided with every VSX Gateway for enhanced VPN and firewall performance. Virtual Security Gateways require a VSX- CMA bundle for SmartCenter. CPPWR-VSX- Additional Virtual Additional Virtual Security Gateway (VSX) for Load Sharing License must be of the same HA Security Gateway and High Availability Realize non-stop security with a size as the primary VSX in (VSX) for Load Sharing second Virtual System Extension for high availability the cluster. When running and High Availability implementations. License must be of the same size as the VSX in a cluster environment Yes 1 Gateway primary VSX in the cluster. with Check Point ClusterXL, a ClusterXL license must be installed on the SmartCenter station. CPPR-VSX- Virtual Systems Enables the management of a specified number of Virtual This description is valid for CMA Extension - CMA Systems, for multiple Customers, on a Provider-1. With this VSX 2.0 and higher. Users Bundles (Primary VSX- product, users can define all the Primary CMAs that are with previous were credited CMA) needed to manage the bundled Virtual Systems and the with separate CKs for the: MVSs of the VSX gateways hosting them. These CMAs are MDS Container, CMAs for hosted on a Virtual Container, and do not require a regular managing the VSs, CMA for MDS Container. managing the VSX Gateway. Yes 1 MDS The CMAs created within the VSX-CMA license can manage only Virtual Systems. If management of VPN-1 gateways/clusters is required, MDS Container and CMA licenses need to be purchased. CPPR-VSX- Virtual Systems Enables to define Secondary CMAs for highly available This description is valid for CMA-HA Extension - CMA Provider-1 CMA of a specified number of Virtual VSX 2.0 and higher. Users Bundles (Secondary Systems, for multiple Customers, on a Provider-1 or with previous versions were VSX-CMA) credited with separate CKs SiteManager-1 MDS host. Bundles of Primary and Yes 1 MDS Secondary VSX CMAs can be added on the same MDS for the: MDS Container, host. CMAs for managing the VSs, CMA for managing the VSX Gateway.

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPMSP-MASS VPN-1 MASS Check Point VPN-1 MASS (Multi-Access Security Solution) License is per number of delivers the foundation of secure fixed/mobile convergence user. (FMC) for carriers – enabling them to deliver advanced communications services to their customers without compromising the network’s security. With support for advanced access technologies such as 3G Wireless No 2 Gateway Interworking (3G I-WLAN) and Unlicensed Mobile Access (UMA, also known as Generic Access Network) as well as traditional remote access VPNs, VPN-1 MASS scales to provide remote access for up to 100,000 secure voice channels, and massive amounts of data connections. CPGX-VFF FireWall-1 GX Module FireWall-1 GX combines Check Point's patented Stateful Inspection technology with full GPRS Tunneling Protocol (GTP) awareness. FireWall-1 GX inspects all GTP tunnel fields in the context of both the packet and the tunnel. FireWall-1 GX secures the GPRS backbone when Licensed for an unlimited connecting to roaming partner and roaming exchanges No 1 Gateway number of gateways (GRX). FireWall-1 GX also protects distributed GPRS backbone environments where operators have connections to Gateway GPRS Support Nodes (GGSNs) outside of their own network or to GGSNs that are geographically dispersed CPGX-HVFF FireWall-1 GX Realize non-stop security with two FireWall-1 GX Modules Licensed for an unlimited No 1 SmartCenter Secondary Module for high availability implementations. number of gateways CPGX-GMC FireWall-1 GX FireWall-1 GX SmartCenter provides a rich set of GTP- SmartCenter specific log information, including granular logging details Licensed for an unlimited No 1 SmartCenter on tunnel creation, updates and deletions. Beyond logging, number of gateways a wide range of security alerting options exists as well CPPR-GX-CMA FireWall-1 GX CMA A Provider-1 Customer SmartCenter Add-on for Licensed for an unlimited managing an unlimited number of FireWall-1 GX Modules. No 1 CMA Level number of gateways Includes the Pro Add-on features for this CMA. SMP Security Management The Security Management Portal (SMP) is a SmartCenter Portal solution for service providers that deliver Internet security Licensed per number of to consumers and small businesses. The SMP enables No 1 Management appliances service providers to create flexible service categories and to centrally manage tens of thousands of subscribers. SMP-OD Security Management Based on SMP, SMP On-Demand is a fully- hosted Portal On Demand solution offering managed firewall and intrusion prevention Licensed per number of No 1 Management services, always-on antivirus protection, VPN connectivity, appliances and other value-added services SMP Web Filtering An OPSEC plug-in that allows Service Providers utilizing Licensed per user SMP to provide centrally managed URL filtering services to Yes 1 Management Safe@ appliances. Service based on SurfControl's Web Filter UFP product.

Home Office/Small Business Solutions

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPSB-500WG Safe@Office 500W A fully-integrated wireless firewall, intrusion prevention, Series UTM Appliances VPN and antivirus gateway. Incorporating an 802.11b/g Licensed per number of access point. No N/A On the device concurrent users Employing Check Point’s Firewall-1® and VPN-1® technology. CPSB-500G Safe@Office 500 A fully-integrated intrusion prevention, VPN and antivirus Series UTM Appliances gateway. Incorporating an 802.11b/g access point. Licensed per number of No N/A On the device Employing Check Point’s Firewall-1® and VPN-1® concurrent users technology. CPSB-500WG- Safe@Office 500W The Safe@Office 500W ADSL featuring advanced xx-ADSL ADSL wireless security capabilities, a stateful inspection firewall, intrusion prevention, VPN and Licensed per number of No N/A On the device antivirus gateway and an integrated high-speed concurrent users broadband ADSL2/ADSL2+ modem. Incorporating an 802.11b/g access point. CPSB-500G-xx- Safe@Office 500 The Safe@Office 500W ADSL featuring a stateful ADSL ADSL inspection firewall, intrusion prevention, VPN and Licensed per number of antivirus gateway and an integrated high-speed No N/A On the device concurrent users broadband ADSL2/ADSL2+ modem. Incorporating an 802.11b/g access point. ST-CPSB Annual Safe@Office Support and Subscription For Safe@Office appliances The appliance MAC Support and only. Includes the following: a) Security and firmware address is required to Subscription updates, b) Email, web and chat support, c) Telephone No N/A purchase the Support support in English from 8:00 AM to 5 PM US time and d) Plan. Prices are Annual Advanced Replacment. fees. STAV-CPSB Annual Safe@Office Annual Support, Subscription, Gateway Antivirus and No N/A The appliance MAC Antivirus, Application Intelligence Support Plan: address is required to SmartDefense, Support * Gateway antivirus updates purchase the Advanced and Subscription * SmartDefense updates Security Services Plan. * Security and firmware updates Prices are Annual fees. * Email, web and chat support * 8x5 telephone support in US and European time zones * Advanced replacement * Dynamic DNS WF-CPSB Annual Safe@Office Provides URL filtering based on category classification of The appliance MAC Web Filtering Service web-sites. address is required to No N/A purchase the Advanced Security Services Plan. Prices are Annual fees.