LICENSE GUIDE Software Blades Products

LICENSE GUIDE Software Blades products

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings Check Point Power-1™ appliances enable organizations to maximize security in high- License is per model. License is for One on the CPAP-SG5075 performance environments such as large campuses or unlimited users.Includes FW, VPN, IPS, CPAP-SG9075 Check Point Security data centers. They combine Check Point firewall, ACCL, ADN blades and 5,000 VPN-1 CPAP-SG11065 Power-1 No 2 Management IPsec VPN, and intrusion prevention Software Blades SecuRemote users, as well as CPAP-SG11075 Appliance and another on with advanced acceleration and networking MultiCore. Prices do not include shipping CPAP-SG11085 the device technologies that deliver a high-performance security costs. platform for multi-Gbps environments. Check Point IP appliances are integrated with Check Lincese is per model. License is for CPAP-IP2455 Point latest software blades and include the One on the Unlimited users. Includes FW, VPN, IPS, CPAP-IP1285 revolutionary IPS software blade in their standard Security CPAP-IP695 Check Point IP ACCL, ADN blades and 5,000 VPN-1 configuration. The IP appliances offer unsurpassed No 2 Management CPAP-IP565 Appliances SecuRemote users, as well as scalability, high performance, reliability and high port and another on CPAP-IP395 MultiCore. Prices do not include shipping density that reduce operational costs while performing the device CPAP-IP295 costs. in demanding mission-critical security environments. License is per model. License is for Check Point UTM-1™ appliances are all-inclusive, unlimited users. Includes Firewall, VPN, turn-key solutions that include everything you need to IPS, AV, URLF & ASPM blades and secure your network. Each appliance includes 1,000 VPN-1 SecuRemote users. integrated centralized management, along with CPAP-SG3076 License also includes Security Check Point complete security updates, hardware support, and CPAP-SG2076 Management container including NPM, CPAP-SG1076 UTM-1 Total customer support. UTM-1 appliances come packaged Yes 1 Device EPM & LOGS blades and 5 Check Point CPAP-SG576 Security with the most comprehensive and flexible security Endpoint Security Secure Access. The CPAP-SG276 Appliances solution available. All UTM-1 appliances can include 130 model can manage 1 gateway only. CPAP-SG136 firewall, intrusion prevention (IPS), antivirus, anti- Models 270, 570, 1070, 2070 and 3070 spyware, URL filtering, Web security, and anti-spam can manage 2 gateways including Software Blades. Additional blades can be flexibly themselves. Prices do not include added as needed. shipping costs.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings License is per model. Includes FW and VPN blades and 1,000 VPN-1 SecuRemote users (the 3 blades includes also IPS blade). License also Check Point UTM-1™ appliances are all-inclusive, CPAP-SG3073 includes Security Management container turn-key solutions that include everything you need to CPAP-SG2073 Check Point including NPM, EPM & LOGS blades CPAP-SG1073 secure your network. Each appliance includes UTM-1 Yes 1 Device and 5 Check Point CPAP-SG572 integrated centralized management, along with appliance Endpoint Security Secure Access. The CPAP-SG272 complete security updates, hardware support, and 130 model can manage 1 gateway only. CPAP-SG132 customer support. Models 270, 570, 1070, 2070 and 3070 can manage 2 gateways including themselves. Prices do not include shipping costs. CPSG-P805 CPSG-P407 CPSG-P405 Check Point Check Point Security Gateways provide the most CPSG-P203-U Security comprehensive, flexible and extensible security while Centrally on the SG100, SG200, SG400 and SG800 CPSG-P207 Gateway pre- keeping security operations simple and affordable. 1 or 2 Security series are designed utilize 1, 2, 4 and 8 CPSG-P205 defined Software Blade containers are the common platform Management cores respectively. SG100 series is CPSG-P203 system that contains all the necessary services to run the server or localy limited to 50 users. SG200 series is CPSG-P106 software blade environment. Every security gateway on the Security limited to 500 users. SG400 and SG800 CPSG-P103 container comes pre-populated with a Check Point Gateway server are unlimited. FW blade is included. CPSG-C801 Check Point Firewall blade, based on award-winning and patented CPSG-C401 Security FireWall-1® technology. 1 CPSG-C201 Gateway CPSG-C101 Container Check Point’s Firewall Software Blade is the world’s most proven firewall solution that’s trusted to secure 100% of the Fortune 100. The Firewall Software Blade Check Point provides the highest level of security, with access Blade should be attached to a Security CPSB-FW 0 -- Firewall blade control, application security, authentication and Gateway Container. Network Address Translation (NAT) available to block unauthorized network users and protect enterprise users and data. Check Point's VPN Software Blade is an integrated software solution that provides secure connectivity to Check Point corporate networks, remote and mobile users, branch Blade should be attached to a Security CPSB-VPN IPSEC VPN offices and business partners. The blade integrates 0 -- Gateway Container. blade access control, authentication and encryption to guarantee the security of network connections over the public Internet.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings The Check Point Web Security Software Blade provides a set of advanced capabilities that detect and Check Point prevent attacks launched against the Web Blade should be attached to a Security CPSB-WS Web Security 0 -- infrastructure. The Web Security Software Blade Gateway Container. blade delivers comprehensive protection when using the Web for business and communication. The Check Point Advanced Networking Software Blade makes it easier for administrators to deploy security within complex and highly utilized network Blade should be attached to a Security Check Point environments making this ideal for high-end enterprise Gateway Container. Generate 2 license Advanced CPSB-ADN and datacenter environments where performance and 0 -- strings – one for the Security Gateway Networking availability are critical. It includes a number of container and another for the Security blade advanced networking features such as dynamic Management container. routing, multicast support, Quality of Service (QoS) prioritization and application load balancing The Check Point Acceleration and Clustering Software Blade deliver a set of advanced technologies, SecureXL and ClusterXL, that work together to Blade should be attached to a Security Check Point maximize performance and security in high- Gateway Container. Generate 2 license Acceleration & performance environments. These work with CoreXL, CPSB-ACCL 0 -- strings – one for the Security Gateway Clustering which is included with the blade containers, to form the container and another for the Security blade foundation of the Open Performance Architecture, Management container. which delivers throughput designed for data center applications and the high levels of security needed to protect against today’s application-level threats. The Check Point security family enables you to deploy VoIP applications such as telephony or video conferencing without introducing new security threats or needing to redesign your network. Because worms Check Point Voice over IP blade and VoIP-specific Denial of Service attacks can take Check Point software is currently available on IP phone services down, the Check Point family CPSB-VOIP Voice over IP 0 -- security gateway release R65.2.100 and delivers an evolving solution that understands and blade is currently managed by security protects against existing and new threats that may management R65.4 and higher. disrupt business continuity. Check Point solutions also reduce the complexity of VoIP deployment by eliminating such common pain points as incompatibility between VoIP and Network Address Translation. Check Point Total Security CPSB-TS-S2 package for 1 Blades should be attached to a Security Check Point Total Security is a package including all year -- Gateway Container. .Service blades are Security Gateway service blades for 1 year (IPS, AV, 0 yearly renewable blades. License is per Check Point URLF and ASPM blades). Total Security gateway. CPSB-TS-S1 package for 1 year - special

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings

Check Point The Check Point IPS Software Blade provides Blade should be attached to a Security CPSB-IPS IPS blade for 1 complete, integrated, next generation firewall intrusion Gateway Container. Service blade is year prevention capabilities at multi-gigabit speeds, yearly renewable blade. License is per resulting in industry-leading total system security and 0 -- gateway. performance. The IPS Blade provides complete threat

Check Point coverage for clients, servers, OS and other

IPS blade for 1 vulnerabilities, malware/worm infections, and more. CPSB-IPS-S1 year - for small businesses The Check Point URL Filtering Software Blade protects users and enterprises by restricting access to Check Point an array of potentially dangerous sites and content, Blade should be attached to a Security URL Filtering blocking inappropriate Web surfing to over 20-million Gateway Container. Service blade is CPSB-URLF 0 -- Blade for 1 URLs. Pre-configured policy templates enable quick yearly renewable blade. License is per year and simple deployment of policies using content gateway. categories. All content profiles are updated continually through a Check Point software update service. Check Point Antivirus & Anti-Spyware Software Blade protects against threats transmitted through HTTP, FTP, SMTP and POP3 protocols. Using a continually updated list of antivirus and antispyware signatures Check Point and anomaly-based protections, the Antivirus and Anti- Blade should be attached to a Security Anti-Virus & Malware Software Blade stops viruses and other Gateway Container. Service blade is CPSB-AV Anti-Malware 0 -- malware at the gateway before they affect users. yearly renewable blade. License is per blade for 1 Businesses gain the benefits of the easy management gateway. year using the familiar Check Point user interfaces that includes policy management, logging and monitoring. By default all protocols are scanned, and options for each protocol can be centrally configured. The Check Point Anti-Spam and Email Security Software Blade provides comprehensive protection for Check Point an organization's messaging infrastructure. A Blade should be attached to a Security Anti-Spam & multidimensional approach protects the email Gateway Container. Service blade is CPSB-ASPM Email Security infrastructure, provides highly accurate spam 0 -- yearly renewable blade. License is per blade for 1 protection, and defends organizations from a wide gateway. year variety of virus and malware threats delivered within email. Continual updates assure that all threats are intercepted before they spread. Smart-1 appliances deliver Check Point’s market License is per model. License is for leading security management software blades on a managing 5 gateways. Includes NPM, Check Point CPAP-SM504 dedicated hardware platform specifically designed for 1 Device EPM, LOGS & PRVS blades. License Smart-1 mid-size and large enterprise security networks. Based also includes MGMT HA. Prices do not on Check Point’s software blade architecture, the line include shipping costs.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings of four Smart-1 appliances are first to deliver a unified License is per model. License is for management solution for network, IPS and endpoint managing 25 or 50 gateways (based on security with unsurpassed extensibility. the model number). Includes NPM, CPAP-SM2507 Check Point EPM, LOGS, PRVS, MNTR, UDIR & CPAP-SM5007 Smart-1 IPSA blades. License also includes MGMT HA. Prices do not include shipping costs. License is per model. License is for managing 50 or 150 gateways (based on the model number). Includes NPM, EPM, LOGS, PRVS, MNTR, MPTL, UDIR & IPSA blades. License also CPAP-SM15008-PV3 Check Point includes MGMT HA. Includes a single CPAP-SM15008-PV5 Smart-1 Multi-Domain server (MDS) Manager CPAP-SM15008-PV10 Provider-1 and Container, a specified number of CPAP-SM5008-PV3 CPAP-SM5008-PV5 Enterprise Customer Add-ons (3, 5 or 10 CMAs) for CPAP-SM5008-PV10 Edition managing unlimited number of gateways. CMA Pro Add-ons are included for the specified number of CMAs. The number of CMAs can be increased by using CPPR-CMA-X-NG on top of the product up to 50 CMAs. Check Point CPSM-PU007 License is per number of managed CPSM-P2506 Security gateways (and not per cluster or per CPSM-P1007 Management Check Point Security Management solutions integrate site.) High Availability configuration of CPSM-PU003 pre-defined Security policy configuration, monitoring, logging, reporting and the Security Management requires both CPSM-P1003 system 1 Management security event management in a single interface - primary and secondary servers to have Check Point server CPSM-CU000 helping minimize total cost of ownership. the same container and blade topology. Security CPSM-C2500 No additional blade (or license) is Management CPSM-C1000 required beyond this requirement. container Check Point’s Network Policy Management Software Blade gives you control over configuring and Check Point managing even the most complex security Network Policy deployments. Based on Check Point's unified security Blade should be attached to a Security CPSB-NPM 0 -- Management architecture, the Network Policy Management Management Container. blade Software Blade provides comprehensive security policy management using SmartDashboard – a single, unified console for all security functionalities. The Endpoint Policy Management Software Blade Check Point enables you to centrally manage the security products Endpoint you use on your organization's end-user devices. This Blade should be attached to a Security CPSB-EPM Policy 0 -- means that you can take and keep control of Management Container. Management computing devices and the sensitive information they blade contain.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings The Logging and Status Software Blade provides Check Point comprehensive information on security activity through Blade should be attached to a Security CPSB-LOGS Logging & logs and a complete, visual picture of changes to 0 -- Management Container. Status blade gateways, tunnels, remote users, and security activities. The Monitoring Software Blade shows a complete picture of network and security performance, enabling fast responses to changes in traffic patterns or security events. The Monitoring Software Blade centrally Check Point monitors Check Point and OPSEC devices, presenting Blade should be attached to a Security CPSB-MNTR Monitoring 0 -- a complete picture of changes to gateways, tunnels, Management Container. blade remote users, and security activities. This enables administrators to immediately identify changes in network traffic flow patterns that may signify malicious activity. With the Management Portal Software Blade, you can extend browser-based management access to outside groups such as technical support staff or auditors, Check Point while maintaining centralized control of policy Blade should be attached to a Security CPSB-MPTL Management 0 -- enforcement. Management Portal users can view Management Container. Portal blade security policies, the status of all Check Point products and administrator activity as well as edit, create and/or modify internal users, and manage firewall logs. Check Point’s User Directory Software Blade enables Check Point Check Point Security Gateways to leverage LDAP- Blade should be attached to a Security CPSB-UDIR User Directory based user information, eliminating the risks 0 -- Management Container. blade associated with manually maintaining and synchronizing redundant data stores. The IPS Event Analysis Software Blade is a complete IPS event management system for your IPS Software Blade, providing situational visibility, and easy to use forensic and reporting tools. IPS events are presented in a Timeline View so administrators can immediately Check Point focus on their high priority assets, and quickly see Blade should be attached to a Security CPSB-IPSA IPS Event 0 -- threat and vulnerability status of these assets. Quickly Management Container. Analysis blade drill-down from business view monitoring to forensic- level details to easily identify and manage threat information. The IPS Event Analysis Software Blade enables easy overview of overall attack trends and effectiveness of the current IPS policy.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings The SmartProvisioning Management Software Blade provides centralized administration and provisioning of Check Point security devices via a single management console. Using profiles, a network administrator can easily deploy security policy or configuration settings Check Point to multiple, geographically distributed devices. The Blade should be attached to a Security CPSB-PRVS Provisioning SmartProvisioning Blade also provides centralized 0 -- Management Container. blade backup management and a repository of device configurations so administrators can easily apply existing configurations to new devices. By automating device configuration, the SmartProvisioning Blade reduces administrative overhead, reduces errors and ensures security consistency across the network. SmartWorkflow provides a formal process of policy change management that helps administrators reduce errors and enhance compliance. Changing business needs produce a constant stream of requests to change firewall security policies. These changes can Blade should be attached to a Security have far reaching implications if not done correctly Check Point Management Container. License of including: slower firewall performance, network CPSB-WKFL SmartWorkflo 0 -- SmartWorkflow blades is per number of downtime, increased security risks, and lack of w blade managed gateways and should match compliance with corporate and industry standards. the container’s size. Enterprises that have multiple firewall administrators and an environment of frequent changes need an automated solution that helps them review and authorize policy changes against approved configuration standards Check Point Reporting and Eventia Suite package provides the benefits of Event CPSB-EVS Event 0 -- Correlation and Reporting blades Correlation blade package Blades should be attached to a Security The Reporting Software Blade turns the vast amount Management Container. Reporting and of data collected from security and network devices Event Correlation blades are bundled into understandable information that organizations can together and cannot be purchased use to validate the effectiveness of security policies separately. License of blades is per Check Point and practices, plan network capacity, and maximize number of managed gateways and CPSB-RPRT Reporting their security investment. The Reporting Software 0 Reporter Server should match the container’s size. blade Blade centralizes reporting on network, security, and user activity and consolidates the data into concise predefined and custom-built reports. Easy report generation and automatic distribution save time and money.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings The Event Correlation Software Blade provides Blade should be attached to a Security centralized, real-time security event correlation and Management Container. Reporting and Check Point management for Check Point security gateways and Event Correlation blades can only be Event Event correlation CPSB-EVCR third-party devices. Automated aggregation and 0 purchased in a package of two. License Correlation server correlation of data not only substantially minimizes the of Event Correlation blades is per blade time spent analyzing data but also isolates and number of managed gateways and prioritizes the real security threats. should match the container’s size. Check Point Management and Gateway bundles make SG100, SG200, SG400 and SG800 it easy for customers to purchase the right combination CPSG-P805-CPSM-PU007 Security series are designed to utilize 1, 2, 4 and of gateway and management products in a single and CPSG-P405-CPSM-PU003 Management 8 cores respectively. SG100 series is affordable SKU. It includes Security Management CPSG-P405-CPSM-P2506 Check Point server or limited to 50 users. SG200 series is CPSG-P405-CPSM-P1003 managing a specified number of gateways and one Security Yes 2 Security limited to 500 users. SG400 and SG800 CPSG-P203-CPSM-P1003 Security Gateway which provide the most bundle Management & are unlimited. SM200, SM300, SM1000, CPSG-P203-CPSM-P303 comprehensive, flexible and extensible security while Security SM2500, SMU000 are licensed to CPSG-P103-CPSM-P303 keeping security operations simple and affordable. Gateway servers manage 2, 3, 10, 25 and Unlimited CPSG-P103-CPSM-P203 Both the Security Management and Security Gateway gateways respectively. containers comes pre-populated with blades Check Point Provider-1 Enterprise Edition brings a Includes the following blades: NPM, highly scalable multi-domain management solution to 1 for EPM, LOGS, MNTR, IPSA, PRVS, Check Point high-end enterprise customers. Provider-1 Enterprise MDS MPTL and UDIR. Licensing is by number CPSM-PV308 Provider-1 Edition includes a multi-domain management blade MDS level and No and 3 of security domains managed. Can be CPSM-PV508 Enterprise that enables management of up to 3 or 5 separate CMA levels (or 5) for used to manage a single legal entity as Edition security domains, allowing for separate management CMAs. opposed to other Provider-1 licensing access rights while sharing global objects and policies schemes. across the security domains Check Point Security Management Customer Log Module Enables real-time log pre-defined accumulation, tracking and management on a Log Server CPSM-P1001 system dedicated log server for Security Gateways. It includes 1 Device including a container and a license for collecting logs from up to Customer Log 10 gateways Module Add- on blade Check Point Security Security Management Container Expansion increases Management the number of managed gateways in a given Container Blade should be attached to a Security CPSM-C500 container. 0 -- Expansion for Management Container. There is no change to the installed blades. additional 5

managed gateways

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive of Installed on Notes / Limitations Strings Horizon Manager helps security administrators efficiently and proactively manage large-scale deployments of IP security appliances. Horizon Manager automates time-consuming administration while preventing common configuration errors, ensuring the optimal deployment, monitoring, NHM is included with the Provisioning Horizon maintenance, and recovery of IP security appliances. blade. Customers who purchase the CPIP-NHM Manager Administrators can manage operating system Provisioning blade must specify on their License configuration settings and versions, and Check Point PO if they need the NHM license. application packages, from a single console. Additional functionality includes template-based IP appliance configuration and deployment, backup and restore of application and operating system configurations, hardware and software inventory capabilities, and the execution of commands or customized scripts. BGP and IGRP licenses are included with the Advanced Networking (ADN) CPIP-BGP BGP protocol blade for integrated IP Series appliances. Customers who purchase an IP Series appliance must specify they need this license on their Purchase CPIP-IGRP IGRP protocol Order.

Classification: [Unrestricted]—For everyone

NGX Pricelist - Enterprise Solutions

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings The Power-1 appliance family enables organizations to maximize security in high-performance environments such as large campuses or data centers. It combines integrated License is per model. License is One on the firewall, IPSec VPN, and intrusion prevention with advanced for unlimited users.Includes Security Check Point Power-1 acceleration technologies, delivering a high-performance FireWall-1, VPN-1, FloodGate-1, CPPWR-APP No 2 Management Security appliance security platform that can block application layer threats in SecureXL, ClusterXL, MultiCore, and another multi-Gbps environments. Even as new threats appear, and SplatPro. Prices do not on the device) Power-1 appliances maintain or-due to their open include shipping costs. architecture-increase performance while protecting networks against attacks. License is per model. License is Check Point UTM-1™ appliances plus Total Security – 1 year for unlimited users. Includes 5 or 3 years complete Unified threat Management including: Remote access users (either - SmartDefense Services, Content Inspection SecureClient or SNX), (Antivirus and URL Filtering), and Messaging SmartPortal, SmartDirectory, Security. CPUTM-APP- Total Security UTM-1 SmartView Monitor and express - Software subscription, No 1 Device TS Appliances reports. The 450 & 1050 models - Entitlement to reduced product support rates. can manage 3 sites including - Check Point FireWall-1 including Application themselves. The 2050 model Intelligence for unlimited users can mange up to 5 sites - VPN – IPSec Remote Access, Site-to-Site VPN, including itself. Prices do not and SSL VPN (see product specification) included include shipping costs. License is per model. License is for unlimited users. Includes 5 Check Point UTM-1™ appliances deliver proven, tightly Remote access users (either integrated security features to provide the perfect blend of SecureClient or SNX), simplicity and security. UTM-1 appliances offer a complete set SmartPortal, SmartDirectory, of security features including firewall, intrusion prevention, SmartView Monitor and express CPUTM-APP UTM-1 appliance No 1 Device antivirus, anti-spyware, Web application firewall, VoIP reports. The 450 & 1050 models security, instant messaging (IM) and peer-to-peer (P2P) can manage 3 sites including blocking, URL Filtering, as well as secure site-to-site and themselves. The 2050 model remote access connectivity can mange up to 5 sites including itself. Prices do not include shipping costs.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings A unified threat management hardware appliance that provides all-in-one security including firewall, VPN, Licensed per number of SmartDefense Service, IPS and Antivirus for enterprise concurrent connections. The branch offices and remote offices. All appliances are equipped SKU is a product key tied up to CPUTM-EDGE VPN-1 UTM Edge No N/A Device with a serial port, 4 LAN ports, 1 WAN port and 1 DMZ/WAN2 the MAC address of the port. The appliances are available with built-in secure wireless appliance. Prices do not include access point and/or ADSL modem. All wireless and/or ADSL shipping costs models include a USB port used as a print server. Security enforcement point includes Firewall, VPN, intrusion prevention, and antivirus protection and URL filtering for a ClusterXL for Load Sharing specified number of users; It also includes VPN-1 (CXLS) license additionally Check Point VPN-1 CPUTM-VUG SecuRemote for a defined number of users: the unlimited No 1 Gateway required for load sharing UTM Gateway gateway includes 1,000 VPN-1 SecuRemote users. VPN-1 implementations; Licenses per UTM Gateways are managed by SmartCenter UTM, number of users. SmartCenter Power or Provider-1. Security enforcement point for high availability deployments includes FireWall-1, VPN-1, intrusion prevention, and antivirus License must match the protection. Must be used with an existing VPN-1 UTM number of users in the existing CPUTM-VUG- Secondary VPN-1 UTM Gateway of the same size. Additional HA VPN-1 UTM No 1 Gateway VPN-1 UTM Gateway license. HA Gateway Gateways can be added to increase the size of the cluster. License must be used on a VPN-1 UTM Gateways are managed by SmartCenter UTM, gateway in a cluster object. SmartCenter Power or Provider-1. VPN-1 Power Gateways provide the most comprehensive and powerful security for the enterprise. VPN-1 Power Gateways ClusterXL for Load Sharing are managed by SmartCenter UTM, SmartCenter Power (CXLS) license additionally Check Point VPN-1 or Provider-1. All VPN-1 Power Gateways include FireWall-1, CPPWR-VPG No 1 Gateway required for load sharing Power Gateway VPN-1, FloodGate-1, SecureXL, SmartDefense, ClusterXL for implementations; Licensed per High Availability, and VPN-1 SecuRemote for a defined number of users. number of users: the unlimited gateway includes 5,000 VPN-1 SecuRemote users. Additional enforcement point for high availability or load sharing deployments, including FireWall-1, VPN-1, FloodGate- Must be used with an existing 1 and SecureXL, offering protection for a specified number of CPPWR-VPG- Secondary VPN-1 VPG license of the same size. users. VPN-1 Power Gateways are managed by SmartCenter No 1 Gateway HA Power Gateway License must be used on a UTM, SmartCenter Power or Provider-1. Additional HA VPN-1 gateway in a cluster object. Power Gateways can be added to increase the size of the cluster.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings A combination of performance and simplicity- an all-in-one platform that includes the VPN-1 UTM features with the acceleration provided by the VPN-1 Power line. VPN-1 UTM ClusterXL for Load Sharing Power Gateways are managed by SmartCenter UTM, (CXLS) license additionally Check Point VPN-1 SmartCenter Power or Provider-1. All VPN-1 UTM Power CPUTM-VUP No 1 Gateway required for load sharing UTM Power Gateway Gateways include FireWall-1, VPN-1, FloodGate-1, SecureXL, implementations; License per SmartDefense, AntiVirus, URL filtering, ClusterXL for High number of users. Availability, and VPN-1 SecuRemote for a defined number of users: the unlimited gateway includes 5,000 VPN-1 SecuRemote users. Additional enforcement point for high availability or load Must be used with an existing sharing deployments, including FireWall-1, VPN-1, FloodGate- VPN-1 UTM Power license of CPUTM-VUP- Secondary VPN-1 UTM 1, SecureXL, SmartDefense, AntiVirus and URL filtering No 1 Gateway the same size. License must be HA Power Gateway offering protection for a specified number of users. Additional used on a gateway in a cluster HA VPN-1 UTM Power Gateways can be added to increase object. the size of the cluster. Check Point UTM provides comprehensive enterprise-class SmartCenter SmartCenter license is per Check Point UTM - security for organizations. It includes SmartCenter UTM or number of managed sites. VPN- CPUTM-CKP SmartCenter and SmartCenter for a specified number of sites, one VPN-1 No 1 or 2 SmartCenter 1 Gateway License is per Gateway Bundle UTM Gateway protecting specified number of users, and and Gateway number of users. VPN-1 SecuRemote for a specified number of users. Provides comprehensive enterprise security. Includes SmartCenter Power with SmartDashboard, SmartUpdate, SmartMap, SmartDirectory, SmartLSM, SmartCenter High SmartCenter SmartCenter license is per Check Point Power - Availability, SmartView Tracker, SmartView Monitor and or number of managed sites. VPN- CPPWR-CKP SmartCenter and No 1 or 2 SmartPortal. Also includes a single VPN-1 Power Gateway for SmartCenter 1 Gateway License is per Gateway Bundle specified number of users (including FireWall-1, VPN-1, and Gateway number of users. FloodGate-1, SecureXL, and VPN-1 SecuRemote), and SmartDefense. Provides comprehensive enterprise security. Includes SmartCenter Power with SmartDashboard, SmartUpdate, SmartMap, SmartDirectory, SmartLSM, SmartCenter High SmartCenter SmartCenter license is per Check Point UTM Availability, SmartView Tracker, SmartView Monitor, or number of managed sites. VPN- CPUTM-CKPP Power – SmartCenter No 1 or 2 SmartPortal. Also includes a single VPN-1 UTM Power SmartCenter 1 Gateway License is per and Gateway Bundle |Gateway for a specified number of users (including FireWall- and Gateway number of users. 1, VPN-1, FloodGate-1, SecureXL, and VPN-1 SecuRemote), Antivirus URL Filtering and SmartDefense

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Extends the scale of the security system to meet the most demanding performance and reliability requirements of enterprise customers. The VSX Gateway enforces up to 250 Licensed based on virtual discrete VPN-1 Power security policies on a single machine. number of systems running on a Each VS (Virtual System) is associated with a VLAN, which is VSX gateway. The VSX-1 attached to an internal interface of the VSX Gateway. The appliance Model 3070 can run CPPWR-VSX- Check Point VSX-1 additional Virtual Security Gateway enables automatic high Yes 1 Device up to 10 VSs. The VSX-1 APP Appliance availability by providing an additional Virtual Security appliance Model 9070 can run Gateway. SecureXL™ is provided with every VSX Gateway up to 150 VSs. VSX-1 appliance for enhanced VPN and firewall performance. SecurePlatform includes 1 year hardware Pro is included. Virtual Security Gateways require existing warranty. SmartCenter UTM, SmartCenter Power or Provider-1 for SmartCenter. Extends the scale of the security system to meet the most demanding performance and reliability requirements of enterprise customers. The VSX Gateway enforces up to 250 discrete VPN-1 Power security policies on a single machine. Each VS (Virtual System) is associated with a VLAN, which is Check Point Power attached to an internal interface of the VSX Gateway. The Licensed based on virtual CPPWR-VSX Virtual Security additional Virtual Security Gateway enables automatic high Yes 1 Gateway number of systems running on a Gateway - VSX availability by providing an additional Virtual Security VSX gateway Gateway. SecureXL™ is provided with every VSX Gateway for enhanced VPN and firewall performance. SecurePlatform Pro is included. Virtual Security Gateways require existing SmartCenter UTM, SmartCenter Power or Provider-1 for SmartCenter. Secondary VPN-1 License must be of the same CPPWR-VSX- Power VSX gateway Realize non-stop security with a second Virtual System size as the primary VSX in the Yes 1 Gateway HA for Load Sharing and Extension for high availability implementations. cluster. License must be used in High Availability a VSX cluster. Web Intelligence is an add-on to VPN-1 Power, VPN-1 UTM Licensed by the number of and UTM-1 that provides Web application firewall technology protected Web servers (per IP Web Intelligence Add- CPMP-WIT and capabilities. When combined with VPN-1, Web Yes 1 SmartCenter address). In case the Web on for VPN-1 Gateway Intelligence provides protection for the entire Web server is behind Management environment. HA – one license is needed. Must be used with a Web Secondary Web Web application firewall add-on to VPN-1 Power, VPN-1 UTM Intelligence license of the same CPMP-WIT-HA Intelligence Add-on for and UTM-1 enforcement points for a high availability Yes 1 SmartCenter size installed on other cluster VPN-1 Gateway deployment. members Add Quality of Service to VPN-1 Gateways. Provides policy SmartCenter

based Quality of Service to optimize network performance by Per new CPUTM-QOS FloodGate-1 Add-On Yes 1 Licensed per site. Works with assigning priority to business critical applications and end- license for NGX only users. QOS license includes in VPN-1 UTM Power gateways. NGX

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Enables load sharing by distributing traffic between clusters of

ClusterXL for Load redundant gateways so that the computing capacity of CPMP-CXLS Yes 1 SmartCenter Licensed per site/ number of Sharing Add-on multiple machines may be combined to increase total users throughput. Enables Wire-Speed VPN with SecureXL technology and Licensed per gateway. Included CPMP-PPK SecureXL multi-CPU licenses through software based acceleration. For No 1 Gateway in VPN-1 Power. use with FireWall-1 and VPN-1. Enables increased server capacity via automatic application CPFW-CC ConnectControl Add-on 1 Gateway Licensed per gateway. server load balancing. SecurePlatform Pro expands SecurePlatform adding dynamic routing and multicast support for VPN-1 gateways. Supported dynamic routing protocols: –RIP, RIPv2, OSPF, and BGP. CPOS-SPRO SecurePlatform PRO Yes 1 SmartCenter Supported multicast protocols – PIM-SM, PIM-DM, and IGMP. Licensed per Gateway Priced per gateway. Includes also Centralized administrator SmartCenter through RADIUS authentication IPS-1 appliance includes a 1- year hardware warranty. Sensor 50 requires physically resetting Check Point IPS-1 is a dedicated intrusion detection and some switch configurations prevention appliance that delivers mission critical protection Check Point IPS-1 inside the appliance when CPIS-IPS against worms, automated malware and other hybrid threats N/A 1 SmartCenter Sensor changing from passive IDS both known and unknown, with unmatched management, mode to inline prevention with forensic analysis and flexibility. fail pass thru mode and vice versa. Prices do not include shipping costs The IPS-1 Management Server is an add-on to SmartCenter, Check Point provided based on your SmartCenter SKU (3, 5 or Unlimited CPMP-IPS Management server for Yes 1 SmartCenter Gateways). The license is installed on the server running IPS- IPS-1 sensors 1 Management Server. Internal Security Gateway that blocks the spread of worms and attacks inside the network and provides network zone segmentation. InterSpect is built specifically for internal network security. With InterSpect, organizations can protect their network with a complete internal security solution. Included in the CPIS-INSP Check Point InterSpect InterSpect is designed for non-disruptive deployment into No N/A Licensed per device device existing network environments, with a SmartCenter interface tailored for internal security. All models include: SmartDashboard for InterSpect, SmartView Monitor for InterSpect, and Eventia Reporter for InterSpect , and one year of SmartDefense subscription Check Point Connectra is a complete Web Security Gateway Appliance that provides both SSL VPN and integrated Web Licensed per concurrent user. Connectra Web Security in a single, unified security solution. Connectra Included in the CPWS-CRA No N/A Prices do not include shipping Security Gateway provides secure Web-based connectivity by combining easy device costs. SSL VPN and network-level access with unmatched protection for the entire Web environment. Connectra can be

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings purchases as an Appliance or as Software. All models include: Application Intelligence, Web Intelligence, SSL Network Extender, and a 1 year subscription to SmartDefense. Requires an existing Connectra Connectra Web Included in the Appliance of the same size. CPWS-CRA-HA Security Gateway for Additional Connectra appliance for High Availability. No N/A device Prices do not include shipping High Availability costs. An innovative solution to mitigate the risks posed by non-IT Must match the number of users controlled endpoints accessing enterprise resources remotely in the existing CPWS-CRA Integrity Clientless via Web-based applications and gateways, such as Microsoft Connectra license. Connectra license for 25 CPWS-CCV Yes 1 Security for Connectra Outlook Web Access, SSL VPNs or extranets. It protects the Device users comes bundled with enterprise from spyware, keystroke loggers, and other Integrity Clientless Security undesirable software. license for 25 users. Integrity Clientless Must match the number of users Security High in the existing CPWS-CRA CPWS-CCV-HA Additional Integrity Clientless Security for high availability. Yes 1 Server Availability for CPWS-HCRA license; Requires Connectra HA for each product Check Point Connectra is a complete Web security gateway that provides both SSL VPN and integrated Web security in a single unified security solution. Connectra SW is a software Licensed per number of CPWS-CRS Connectra SW solution that installs SecurePlatform, a customized and Yes 1 Server concurrent users. hardened operating system, and Connectra software on an

open server. Connectra also includes Application Intelligence, Web Intelligence, SSL Network Extender, and a 1 year subscription to SmartDefense. Connectra Web Must be used with an existing CPWS-CRS-HA Security SW for High Additional Connectra software for high availability. Yes 1 Server Connectra software of the same Availability size.

Check Point Connectra is a complete Web Security Gateway License also includes that provides SSL VPN access and comprehensive endpoint Application Intelligence, Web Connectra Unlimited - and integrated intrusion prevention security in a single, unified Intelligence, SSL Network CPWS-CRBC Business Continuity remote access solution. The Business Continuity License No 1 Server Extender, Integrity Clientless License for 45 days enables the full use of Connectra, with no restriction on the Security and a 45 day number of users, and with all of its features and related subscription to SmartDefense. services activated for 45 days. SecureClient Mobile delivers secure, continuous remote access and firewall protection for mobile devices that connect CPVP-SCM SecureClient Mobile Yes 1 SmartCenter Licensed per user to VPN-1 and Connectra for continuous protection and productivity. Remote access solution for SSL VPN that enables remote CPVP-SNX SSL Network Extender users to connect client/server applications using an Internet Yes 1 SmartCenter Licensed per user web browser plug-in

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Licensed per protected endpoint. Antivirus and anti-spyware updates require subscription to SmartDefense Anti-malware Service. Secure Access includes Check Point Endpoint Endpoint Security Secure Access includes firewall, program the Endpoint Security CPEP-SA Security - control, NAC, remote access VPN and antivirus/anti-spyware Yes 3 management server in single Secure Access engine. server or High Availability / fail- over configuration. Includes use of SecureClient for Windows and SecureClient for Macintosh Endpoint Security Full Disk Encryption includes full disk Licensed per protected endpoint. Check Point Endpoint encryption for laptops and Desktops with pre-boot Full Disk Encryption includes the CPEP-FDE Security - Yes 3 authentication SmartCenter for Pointsec (MI Full Disk Encryption and WebRH) Check Point Endpoint Endpoint Security Media Encryption includes both port Licensed per protected endpoint. CPEP-MEPP Security - protection and removable media encryption in a single Yes 3 Media Encryption includes Media Encryption package. management server. Endpoint Security Total Security includes all Endpoint Security Licensed per protected endpoint. Check Point Endpoint components including firewall, program control, NAC, VPN Antivirus and anti-spyware CPEP-TS Security - client, antivirus and anti-spyware engine , full disk Yes 9 updates require subscription to Total Security encryption, port protection and media encryption. SmartDefense Anti-malware Service. Program Advisor service is included only with the One year subscription includes antivirus and anti-spyware CPEP-SMDF- Anti-Malware Service SmartDefense Anti-malware updates and Program Advisor service. No 2 Integrity server AM service. Services are priced for

one year unless stated otherwise. Pointsec Mobile Solutions address the very real need to secure the intellectual property and other sensitive data that resides on PDAs and smart phones with a strong and License is per number of seats. complete set of encryption products. Our Mobile Platform SmartCenter for Pointsec is Products completely secure data on the Symbian, Pocket PC, included. CPDS-PMOB Pointsec Mobile Windows Mobile Smartphone and Palm operating systems. Yes 1 The Starter Kit includes 25 seats Our Mobile Solutions have also been designed with the of Pointsec PC and SmartCenter features and functionality required in both Enterprise Business for Pointsec for 25 managed environments and Service Provider offerings. The Pointsec endpoint. Mobile suite provides for a truly mobile workforce with push email and business applications running on handsets

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Utilizes Check Point’s Security Management ArchiTecture (SMART) to enable one-click centralized policy distribution with centralized security SmartCenter of a specified number of Check Point License is per number of sites CPUTM-SC VPN-1 UTM and VPN-1 Power Gateways. Includes No 1 SmartCenter SmartCenter UTM managed. SmartDashboard - a user interface for defining and managing the security policy, and SmartView Tracker - which displays detailed log information on all enforcement points. Utilizes Check Point’s Security Management ArchiTecture (SMART) to enable one-click centralized security SmartCenter and policy distribution for a specified number of VPN-1 UTM and VPN-1 Power Gateways. SmartCenter Power includes SmartDashboard user interface for defining and managing the security policy; SmartUpdate , enabling centralized, one-click software and license SmartCenter; SmartMap , a visual policy editor that graphically depicts network layout and illustrates the effect of security policies; SmartDirectory , enabling Check Point License is per number of sites CPPWR-SC storage and retrieval of VPN-1/FireWall-1 user attributes on No 1 SmartCenter SmartCenter Power managed LDAP servers; SmartLSM , which includes SmartCenter tools for thousands of gateways; SmartCenter High Availability , enabling automatic synchronization of backup SmartCenter servers ensuring resilient security SmartCenter; SmartView Tracker , which displays detailed log information on all enforcement points; SmartView Monitor , providing traffic and performance monitoring; and SmartPorta l™, which provides a web portal to view security policies and objects without installing dedicated SmartConsole clients. Includes a single Multi-Domain Server (MDS) Manager and Container, a specified number of Customer SmartCenter Add- Licensing is by number of 1 for MDS ons (CMAs) for managing an unlimited number of gateways, security domains managed. Can Check Point Provider-1 and 3 (or MDS level and CPMP-PRE and CMA Pro Add-ons including SmartUpdate, SmartMap, No be used to manage a single Enterprise Edition 5) for CMA levels SmartDirectory, SmartLSM, and SmartView Monitor. Addition legal entity as opposed to other CMAs. of Enterprise Edition licenses or MDS Containers to this Provider-1 licensing schemes. product is not allowed. Upgrade the SmartCenter UTM to SmartCenter Power. SmartCenter Add-ons Suite includes SmartUpdate - centralized, one-click software and license SmartCenter. SmartMap - a visual policy editor graphically depicts network layout and illustrates the effect of security policies. SmartCenter Add-ons SmartDirectory - storage and retrieval of VPN-1/FireWall-1 CPUTM-SC- Suite for SmartCenter user attributes on LDAP servers. SmartView Monitor – No 1 SmartCenter ADD UTM provides traffic and performance monitoring. SmartPortal - Licensed by the number of sites provides a web portal to view security policies and objects managed. The license must without installing dedicated SmartConsole clients. match existing number of sites Utilizes Check Point’s Security Management ArchiTecture managed (SMART) to enable one-click centralized security SmartCenter and policy distribution of an unlimited number of Check Point

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings gateways.

Increase the number of sites managed by Check Point SmartCenter UTM. The SmartCenter add-ons are

incremental, not additive. The SXA-2 increases the number of SmartCenter UTM CPUTM-SXA sites managed by Check Point SmartCenter UTM by two (i.e. No 1 SmartCenter SmartCenter Add-on Licensed by the number of sites increase sites managed from 1 to 3 or 3 to 5.) The SXA-20 managed increases the number of sites managed by Check Point Express from 5 to 25. Includes SmartPortal. SmartPortal is a web-based portal to SmartCenter and Licensed per gateway or Provider-1 for viewing and monitoring security policies, CPUTM-SMPO SmartPortal No 1 SmartCenter management server. Number of network status and logs; as well as facilitating SmartCenter users is unlimited user administration. Included with SmartCenter Power. Utilizes Check Point’s Security Management ArchiTecture (SMART) to provide centralized, one-click software and license SmartCenter for Check Point products. The installation Licensed per gateway or CPUTM-SMUP SmartUpdate No 1 SmartCenter of service packs and addition of new products can be SmartCenter server performed from a central GUI. Included in SmartCenter Power. Enhanced SmartCenter capabilities allowing the visualization and editing of security policies and objects through an Licensed per gateway or CPUTM-SMMP SmartMap No 1 SmartCenter automatically generated topological view of the network. SmartCenter server Included in SmartCenter Power. SmartDirectory extends SmartCenter UTM and SmartCenter Licensed per gateway or Power authentication capabilities by enabling the integration SmartCenter server CPUTM-SMDR SmartDirectory of VPN-1/FireWall-1 with LDAP Directory servers for user data No 1 SmartCenter License is additive for 1 but not retrieval and SmartCenter, access control and user for unlimited authentication. Included in SmartCenter Power. SmartCenter Station Replication enables high availability for SmartCenter UTM and SmartCenter Power. Backup SmartCenter stations are automatically synchronized, CPUTM-MGM- SmartCenter High One license is required per pair ensuring constant availability. Note that this feature enables No 1 SmartCenter HA Availability of HA SmartCenter. replication, but does not include an additional SmartCenter UTM or SmartCenter Power license. Included in SmartCenter Power CPMP-MOTIF- Licensed per SmartCenter Motif GUI SmartCenter Console for Solaris No 1 SmartCenter GUI server enables real-time log accumulation, tracking and SmartCenter Log Server Licensed per number of log CPMP-CLM Customer Log Module No 1 on a dedicated log server for VPN-1 Pro Gateways. Device servers Leverages Check Point’s Security SmartCenter ArchiTecture Open Security CPFW-OSE (SMART) to manage packet filters and access lists of third- Yes 1 SmartCenter Licensed per router managed Extension party routers and security devices.

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings EVA should be installed on Eventia Server. From 1 for EVA Eventia Suite provides the benefits of Eventia Analyzer and R63 the EVR CPMP-EVS Eventia Suite Yes and 1 for Licensed per gateway Eventia Reporter in one bundle should also be EVR applied on Eventia Reporter Server EVA- 5,25, and 50 come with 1 Analyzer EVA- 100 comes with 4 Check Point Eventia Analyzer supports 5,25, 50,100 Analyzers Gateways or devices. Integrated with Check Point SMART Licensed per gateway. License CPMP-EVA Eventia Express SmartCenter Eventia is the only solution that provides includes 1 CLM. When working Yes 1 Eventia Server Analyzer centralized, real-time correlation of log data for Check Point in the Provider-1 environment, perimeter, internal and web security gateways; as well as third Eventia 5 supports a single party security and network devices. CMA, Eventia 25 supports up to 5 CMAs, Eventia 50 supports up to 10 CMAs, and Eventia 100 supports up to 25 CMAs. On version prior to NGX R63 the license should Incorporates reporting and monitoring for all Check Point be installed on products. Receive up to the minute information about security the Licensed per gateway- unlimited CPMP-EVR Eventia Reporter and networks through to status alerts, security threat alerts Yes 1 SmartCenter. number of users and defense capabilities monitored and reported in Eventia From R63 the Reporter license should be installed on the Eventia Reporter server Incorporates reporting and monitoring for all Check Point products. Customers receive upto-the-minute information about their security and networks via status alerts, security SmartView Reporter Licensed per reporting site CPMP-SSV threat alerts, and defense capabilities monitored and reported Yes 1 SmartCenter and Monitor in SmartView. In addition, customers are also assisted in their long term decision making and policy planning by data mining, trending, and detailed analytical tools included in SmartView. CPMP-EVA- Eventia Analyzer Check Point Eventia Correlation Unit extends the amount of Correlation No 1 License is per Correlation Unit CORL Correlation Unit logs that can be managed by the Eventia Server Device Server

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings Yearly renewable subscription SmartDefense Total Total Security is a complete Unified threat Management sold per number of users Part of the CPPWR-SDTS Security services for including: SmartDefense Services, Content Inspection No N/A License is per Cluster. The UserCenter* VPN-1 Power-1 (Antivirus and URL Filtering), and Messaging Security. CK/MAC address is required when ordering the service. Update from UTM to Total Security* UTM. Yearly renewable subscription Total Security is complete Unified threat Management Update to One Year or sold per number of users CPUTM-UPD- including: Part of the 3 Years Total Security No N/A License is per Gateway. The TS - SmartDefense Services, Content Inspection UserCenter* for VPN-1 UTM CK/MAC address is required (Antivirus and URL Filtering), and Messaging when ordering the service. Security. Renewal of additional 1 year Total Security. Yearly renewable subscription Total Security is a complete Unified threat Management Renewal of additional sold per number of users CPUTM-REN- including: Part of the One Year Total No N/A License is per Gateway. The TS - SmartDefense Services, Content Inspection UserCenter* Security CK/MAC address is required (Antivirus and URL Filtering), and Messaging when ordering the service. Security. Yearly renewable subscription sold per number of users SmartDefense Services provide ongoing, real-time updates SmartDefense Services Part of the License is per Cluster. CPUTM-SMDF and configuration advisories for defenses and security No N/A for VPN-1 UTM/ UTM-1 UserCenter* The CK/MAC address is policies. SmartDefense Services are licensed annually required when ordering the service. Yearly renewable subscription Update Services provide ongoing, real-time updates and SmartDefense Total sold per number of users configuration advisories for defenses and security policies. Part of the CPUTM-SDCS Security Services for No N/A License is per Cluster. The SmartDefense, Antivirus and URL Filtering Services are UserCenter* VPN-1 UTM CK/MAC address is required licensed annually. when ordering the service. Yearly renewable subscription SmartDefense Services Total Security is a complete Unified threat Management sold per number of users Part of the CPUTM-SDTS plus Content Inspection including: SmartDefense Services, Content Inspection No N/A License is per Cluster. The UserCenter* for VPN-1 UTM-1 (Antivirus and URL Filtering), and Messaging Security. CK/MAC address is required when ordering the service. SmartDefense Services provide ongoing, real-time updates Yearly renewable subscription SmartDefense Services and configuration advisories for defenses and security sold per number of users CPUTM-EDGE- Part of the and Antivirus for VPN-1 policies. SmartDefense Services are licensed annually. The No N/A License is per Cluster. The SDAV UserCenter* UTM Edge Anti-Virus signature update component of SmartDefense CK/MAC address is required Services is also licensed annually. when ordering the service. Yearly renewable subscription SmartDefense Services SmartDefense Services provide ongoing, real-time updates sold per number of users Part of the CPPWR-SMDF for VPN-1 and configuration advisories for defenses and security No N/A License is per Cluster. The UserCenter* Power/Power-1 policies. SmartDefense Services are licensed annually. CK/MAC address is required when ordering the service. SmartDefense Services provide ongoing, real-time updates Yearly renewable subscription CPPWR- SmartDefense Services Part of the and configuration advisories for defenses and security No N/A sold per number of users SMDF-VSX for VPN-1 Power VSX UserCenter* policies. SmartDefense Services are licensed annually. License is per Cluster. The

Classification: [Unrestricted]—For everyone

Number SKU Prefix Name Description Additive Installed on Notes / Limitations of Strings CK/MAC address is required when ordering the service. Yearly renewable subscription SmartDefense Services provide ongoing, real-time updates sold per number of users CPIS-IPS- SmartDefense Services Part of the and configuration advisories for defenses and security No N/A License is per Cluster. The SMDF for IPS-1 UserCenter* policies. SmartDefense Services are licensed annually. CK/MAC address is required when ordering the service. Yearly renewable subscription SmartDefense Services provide ongoing, real-time updates sold per number of users SmartDefense Service Part of the CPIS-SMDF and configuration advisories for defenses and security No N/A License is per site. The CK/MAC for InterSpect UserCenter* policies. SmartDefense Services are licensed annually. address is required when ordering the service. Yearly renewable subscription SmartDefense Services provide ongoing, real-time updates sold per number of users SmartDefense Service Part of the CPWS-SMDF and configuration advisories for defenses and security No N/A License is per site. The CK/MAC for Connectra UserCenter* policies. SmartDefense Services are licensed annually. address is required when ordering the service. Wire-speed VPNs are enabled by high performance encryption acceleration for3DES IPSec/IKE VPN-1 Check Point Connectra Requires an available PCI slot CPVH-CAC-I deployments. . The Connectra Accelerator Card can achieve No N/A N/A Accelerator Card on the Gateway Server. up to 400Mbps IPSec-3DES performance

Utilizes Check Point’s SecureAccess technology, and provides Authentication and Authorization (WebAccess)

services for LAN and REMOTE users using UserAuthority User CPUA-UAU SecuRemote/SecureClient, Windows Clients, Browsers Yes 1 Gateway license Licensed per total number of (including SSL). This component extends security to the users. License is per site. applications and provides the ability to set security policy for web servers. Check Point Integrity Stand-alone desktop firewall keeping employees productive Desktop/ CPIS-IDT Yes 1 Licensed per user Desktop and enterprise data secure— with minimal IT administration. Client Leverages Check Point’s SecureProtect technology to protect

a single machine. It provides a subset of VPN-1 Power CPVP-VSS VPN-1 SecureServer No 1 Gateway capabilities and requires existing SmartCenter. VPN-1 Licensed per server SecureServer includes Multi CPU capabilities. Leverages Check Point’s SecureProtect technology to protect

FireWall-1 a single machine. It provides a subset of FireWall-1 CPFW-FSS No 1 Gateway Licensed per server SecureServer capabilities and requires existing SmartCenter. FireWall-1

SecureServer includes Multi CPU capabilities. Requires an available PCI slot Wire-Speed VPNs are enabled by high performance on the Gateway Server. The Check Point VPN-1 encryption acceleration for 3DES IPSec/IKE VPN-1 CPVH-VAC-IV No N/A N/A VPN Accelerator Card III can Accelerator Card IV deployments. Requires a licensed copy of 3DES VPN-1 achieve up to 400Mbps IPSec- Power. 3DES performance

Classification: [Unrestricted]—For everyone

* This product’s components must be presented in the UserCenter. The SmartCenter Admin must provide credentials (username/password) for this UserCenter # at the time that a SmartDefense update is performed. Note that SmartCenter admin credentials are not the same as UserCenter credentials

Classification: [Unrestricted]—For everyone

Service Provider Solutions

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPPR-MDS-MC Provider-1 MDS Provider-1 Multi Domain Servers (MDS) enable one-click CMA licenses are mandatory Manager and centralized policy distribution with centralized resilient for the proper functionality of Container security SmartCenter for a specified number of Customer Provider-1 MDS systems. SmartCenter Add-ons (CMAs) on a single hardware The purchase of a secondary Yes 1 MDS Server platform. Each MDS system consists from 2 basic parts: MDS Manager does not MDS Manager & MDS Container. The Provider-1 system require the purchase of High can manage ALL types of Customer SmartCenter Add-ons Availability software (CMAs). CPPR-MDS-C Provider-1 MDS Enables the addition of multiple Customer SmartCenter Multiple MDS Container Container Add-ons (CMAs) to the MDS Server, thus allowing licenses can be added to the centralized security SmartCenter and policy distribution of same MDS host, up to a VPN-1 Power Gateways for multiple Customers. Multiple Yes 1 MDS Server maximum of 500 CMAs. MDS Container hosts can be cascaded to manage CMA licenses are required thousands of Customers in a single Provider-1 system. The for each CMA on the Provider-1 MDS Container can contain all types of CMAs. Container CPPR-MDS-M Provider-1 MDS Multiple MDS Managers can be cascaded, on multiple The Secondary MDS must Manager for High hosts, to enable SmartCenter High Availability and Yes 1 MDS Server be of the same size as the Availability concurrent access for multiple Administrators. Primary MDS. CPSM-SMM- SiteManager-1 SiteManager-1 Multi Domain Servers (MDS) enable one- CMA licenses are mandatory MC click centralized policy distribution with centralized resilient for the proper functionality security SmartCenter for a specified number of Customer SiteManager-1 MDS SmartCenter Add-ons (CMAs) on a single hardware systems. The purchase of a Yes 1 MDS Server platform. SiteManager-1 can manage ONLY the dedicated secondary MDS Manager SiteManager-1 Customer SmartCenter add-ons (CMAs). does not require the purchase of High Availability software CPPR-PRO Pro Add-on for MDS Pro Add-ons extend the Security Management Needs to be installed at the ArchiTecture (SMART) by providing high end SmartCenter CMA level tools for the Provider-1 environment on the CMA level. The additional abilities includes: SmartDirectory - Powerful Integration with LDAP-based directories, SmartMap – Allows visualizing the network structure in a graph view, Yes 1 MDS Server SmartUpdate – Allows remote deployment of software updates and upgrades, SmartLSM – Allows large-scale management and provisioning, SmartView Monitor – Advanced real-time monitoring functionality, SmartPortal – Allow the web access to the CMA configuration data. The above features are licensed per CMA.

Classification: [Unrestricted]—For everyone

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPPR-CMA Provider-1 CMA The Provider-1 Customer SmartCenter Add-on Licensed per number of sites (Primary CMA) (CMA) utilizes Check Point’s Security SmartCenter managed ArchiTecture (SMART) to enable one-click centralized security SmartCenter and policy distribution of a specified number of VPN-1 Power Gateways, for a single Customer. Includes SmartDashboard - user interface for defining and No 1 CMA Level managing the security policy and SmartView Tracker - for displaying detailed log information on all enforcement points. A CMA must be hosted within an MDS Container. CMAs of different Customers are completely isolated from each other. Provider-1 CMAs can only be used within a Provider-1 MDS Container. CPPR-CMA- Provider-1 CMA HA A second Provider-1 CMA for highly available SmartCenter The Secondary CMA must XX-HA (Secondary CMA) of single customer, on a separate MDS Container. Does No 1 CMA Level be of the same size as the not require additional software to enable high availability. Primary CMA. CPSM-ST-CMA SiteManager-1 A Customer SmartCenter Add-on for managing up to 2 Installed on The number of users Standard CMA VPN-1 Power, VPN-1 UTM or VPN-1 UTM Edge gateways. MDS Server, protected by these gateways No 1 (Primary CMA) SiteManager-1 CMAs can be used either within a Provider- applied at must not exceed 250 users. 1 MDS Container or within a SiteManager-1 MDS. CMA Level. CPSM-ST- SiteManager-1 A second SiteManager-1 Standard CMA for highly Installed on The Secondary CMA must CMA-xx-HA Standard CMA-HA available SmartCenter of single customer, on a separate MDS Server, be of the same size as the No 1 (Secondary CMA) MDS Container. Does not require additional software to applied at Primary CMA. enable high availability. CMA Level. CPPR-CLM Customer Log Module Enables real-time accumulation, tracking and SmartCenter A stand-alone Licensed per SmartCenter of logs from VPN-1 Power Gateways of one Customer. host, or co- console. If hosted on non- Log servers are managed at the CMA level, and are not No 1 hosted on a MLM server must have own considered part of the Provider-1 System. VPN-1 Power CLM license gateway. CPPR-MLM-C Multi-Domain Log The MLM is a Container of Customer Log Modules (CLMs). The MLM license enables all Module – MLM It enables centralized log processing for multiple Installed on the contained CLMs. No Customers on a dedicated MDS host. An MLM is MLM Server additional CLM licenses are recommended for larger deployments to improve level, and required. Multiple MLM Yes 1 performance of MDS Container hosts, by offloading their covers all of licenses can be added to the log processing functions. An MLM license cannot be the CLM same host, up to a maximum added to a Provider-1 (or a SiteManager-1) MDS Container licensing. of 250 CLMs. host. CPPR-MOTIF- Provider-1 Motif Gui The Multi-Domain GUI (MDG) is a Provider-1 CMA Use only if a Solaris based GUI interface designed to simplify multi-policy security GUI is required.. Licensed management. It provides an intuitive way to view, edit, and per Solaris Machine running navigate between policies (CMAs) stored centrally on the No 1 SmartCenter the GUI. MDS. Using this GUI, a single administrator can oversee rules, objects, logs, status and alerts for hundreds of customers.

Classification: [Unrestricted]—For everyone

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPPWR-VSX Virtual Security Extends the scale of the security system to meet the most Licensed by the number of Gateway – VPN-1 demanding performance and reliability requirements of Virtual Systems running on a Power VSX enterprise customers. The VSX Gateway enforces up to VSX gateway. When running 250 discrete VPN-1 Power security policies on a single VSX in a cluster environment machine. Each VS (Virtual System) is associated with a with Check Point ClusterXL, VLAN, which is attached to an internal interface of the VSX a ClusterXL license must be Yes 1 Gateway Gateway. The additional Virtual Security Gateway enables installed on the SmartCenter automatic high availability or load sharing by providing an station. additional Virtual Security Gateway. SecureXL is provided with every VSX Gateway for enhanced VPN and firewall performance. Virtual Security Gateways require a VSX- CMA bundle for SmartCenter. CPPWR-VSX- Additional Virtual Additional Virtual Security Gateway (VSX) for Load Sharing License must be of the same HA Security Gateway and High Availability Realize non-stop security with a size as the primary VSX in (VSX) for Load Sharing second Virtual System Extension for high availability the cluster. When running and High Availability implementations. License must be of the same size as the VSX in a cluster environment Yes 1 Gateway primary VSX in the cluster. with Check Point ClusterXL, a ClusterXL license must be installed on the SmartCenter station. CPPR-VSX- Virtual Systems Enables the management of a specified number of Virtual This description is valid for CMA Extension - CMA Systems, for multiple Customers, on a Provider-1. With this VSX 2.0 and higher. Users Bundles (Primary VSX- product, users can define all the Primary CMAs that are with previous were credited CMA) needed to manage the bundled Virtual Systems and the with separate CKs for the: MVSs of the VSX gateways hosting them. These CMAs are MDS Container, CMAs for hosted on a Virtual Container, and do not require a regular managing the VSs, CMA for MDS Container. managing the VSX Gateway. Yes 1 MDS The CMAs created within the VSX-CMA license can manage only Virtual Systems. If management of VPN-1 gateways/clusters is required, MDS Container and CMA licenses need to be purchased. CPPR-VSX- Virtual Systems Enables to define Secondary CMAs for highly available This description is valid for CMA-HA Extension - CMA Provider-1 CMA of a specified number of Virtual VSX 2.0 and higher. Users Bundles (Secondary Systems, for multiple Customers, on a Provider-1 or with previous versions were VSX-CMA) credited with separate CKs SiteManager-1 MDS host. Bundles of Primary and Yes 1 MDS Secondary VSX CMAs can be added on the same MDS for the: MDS Container, host. CMAs for managing the VSs, CMA for managing the VSX Gateway.

Classification: [Unrestricted]—For everyone

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPMSP-MASS VPN-1 MASS Check Point VPN-1 MASS (Multi-Access Security Solution) License is per number of delivers the foundation of secure fixed/mobile convergence user. (FMC) for carriers – enabling them to deliver advanced communications services to their customers without compromising the network’s security. With support for advanced access technologies such as 3G Wireless No 2 Gateway Interworking (3G I-WLAN) and Unlicensed Mobile Access (UMA, also known as Generic Access Network) as well as traditional remote access VPNs, VPN-1 MASS scales to provide remote access for up to 100,000 secure voice channels, and massive amounts of data connections. CPGX-VFF FireWall-1 GX Module FireWall-1 GX combines Check Point's patented Stateful Inspection technology with full GPRS Tunneling Protocol (GTP) awareness. FireWall-1 GX inspects all GTP tunnel fields in the context of both the packet and the tunnel. FireWall-1 GX secures the GPRS backbone when Licensed for an unlimited connecting to roaming partner and roaming exchanges No 1 Gateway number of gateways (GRX). FireWall-1 GX also protects distributed GPRS backbone environments where operators have connections to Gateway GPRS Support Nodes (GGSNs) outside of their own network or to GGSNs that are geographically dispersed CPGX-HVFF FireWall-1 GX Realize non-stop security with two FireWall-1 GX Modules Licensed for an unlimited No 1 SmartCenter Secondary Module for high availability implementations. number of gateways CPGX-GMC FireWall-1 GX FireWall-1 GX SmartCenter provides a rich set of GTP- SmartCenter specific log information, including granular logging details Licensed for an unlimited No 1 SmartCenter on tunnel creation, updates and deletions. Beyond logging, number of gateways a wide range of security alerting options exists as well CPPR-GX-CMA FireWall-1 GX CMA A Provider-1 Customer SmartCenter Add-on for Licensed for an unlimited managing an unlimited number of FireWall-1 GX Modules. No 1 CMA Level number of gateways Includes the Pro Add-on features for this CMA. SMP Security Management The Security Management Portal (SMP) is a SmartCenter Portal solution for service providers that deliver Internet security Licensed per number of to consumers and small businesses. The SMP enables No 1 Management appliances service providers to create flexible service categories and to centrally manage tens of thousands of subscribers. SMP-OD Security Management Based on SMP, SMP On-Demand is a fully- hosted Portal On Demand solution offering managed firewall and intrusion prevention Licensed per number of No 1 Management services, always-on antivirus protection, VPN connectivity, appliances and other value-added services SMP Web Filtering An OPSEC plug-in that allows Service Providers utilizing Licensed per user SMP to provide centrally managed URL filtering services to Yes 1 Management Safe@ appliances. Service based on SurfControl's Web Filter UFP product.

Classification: [Unrestricted]—For everyone

Home Office/Small Business Solutions

Number of SKU Prefix Name Description Additive Installed on Notes / Limitations Strings CPSB-500WG Safe@Office 500W A fully-integrated wireless firewall, intrusion prevention, VPN Series UTM and antivirus gateway. Incorporating an 802.11b/g access Licensed per number of Appliances point. No N/A On the device concurrent users Employing Check Point’s Firewall-1® and VPN-1® technology. CPSB-500G Safe@Office 500 A fully-integrated intrusion prevention, VPN and antivirus Series UTM gateway. Incorporating an 802.11b/g access point. Licensed per number of No N/A On the device Appliances Employing Check Point’s Firewall-1® and VPN-1® concurrent users technology. CPSB-500WG- Safe@Office 500W The Safe@Office 500W ADSL featuring advanced wireless xx-ADSL ADSL security capabilities, a stateful inspection firewall, intrusion Licensed per number of prevention, VPN and antivirus gateway and an integrated No N/A On the device concurrent users high-speed broadband ADSL2/ADSL2+ modem. Incorporating an 802.11b/g access point. CPSB-500G-xx- Safe@Office 500 The Safe@Office 500W ADSL featuring a stateful ADSL ADSL inspection firewall, intrusion prevention, VPN and antivirus Licensed per number of gateway and an integrated high-speed broadband No N/A On the device concurrent users ADSL2/ADSL2+ modem. Incorporating an 802.11b/g access point. ST-CPSB Annual Safe@Office Support and Subscription For Safe@Office appliances only. The appliance MAC Support and Includes the following: a) Security and firmware updates, b) address is required to Subscription Email, web and chat support, c) Telephone support in No N/A purchase the Support English from 8:00 AM to 5 PM US time and d) Advanced Plan. Prices are Annual Replacment. fees. STAV-CPSB Annual Safe@Office Annual Support, Subscription, Gateway Antivirus and No N/A The appliance MAC Antivirus, Application Intelligence Support Plan: address is required to SmartDefense, * Gateway antivirus updates purchase the Advanced Support and * SmartDefense updates Security Services Plan. Subscription * Security and firmware updates Prices are Annual fees. * Email, web and chat support * 8x5 telephone support in US and European time zones * Advanced replacement * Dynamic DNS WF-CPSB Annual Safe@Office Provides URL filtering based on category classification of The appliance MAC Web Filtering web-sites. address is required to Service No N/A purchase the Advanced Security Services Plan. Prices are Annual fees.

Classification: [Unrestricted]—For everyone