In October 2016, Check Point released the new Next Generation Security Management licensing (NGSM). Also included in this release were Next Generation Endpoint products (NGEP), redesigned to simplify licensing and pricing. This article focuses on the changes to the licensing requirements introduced with the new pricelist.

 

For more information about the legacy Endpoint Security Software Blade licensing, please see Endpoint Security Licensing for E80.x (sk61832).

 

Endpoint Security Licensing Requirements

Next Generation Endpoint requires the installation of two types of licenses, with one optional license:

1. Endpoint Security Management 
2. Endpoint Security packages (includes Endpoint Container*)
3. Endpoint Security Policy Server (optional - for use only with E80.20 or higher)

* Endpoint containers no longer require a separate purchase. An equivalent number of Endpoint container seats are included in the new Endpoint Packages.

 

Endpoint Security Management

Endpoint Security E80 introduced a new Single Agent Unified Management station for all Endpoint Security components which remains unchanged for Next Generation Endpoint solutions. Management for Endpoint products and SandBlast Agent can be deployed on any management server which includes Check Point Endpoint Management (EPM). This includes Smart-1 appliances.

Dedicated open server management solutions require the installation of one of the following Endpoint Security Management licenses:

Product	Description
CPSM-NGSM5 / Smart-1 5 / Smart-1 205	Endpoint Management package for up to 500 Endpoints
CPSM-P1003-E / CPSM-NGSM10 / Smart-1210	Endpoint Management package for up to1,000 Endpoints
CPSM-P2503-E / CPSM-NGSM25 / Smart-1 25 / Smart-1 225	Smart-1 Appliance package for 2,500Endpoints and below
CPSM-NGSM50 / Smart-1 50 / Smart-1 3050	Smart-1 Appliance package for 5,000Endpoints and below
CPSM-NGSM150 / Smart-1 150 / Smart-1 3150	Smart-1 Appliance package for unlimitedEndpoints
CPSM-PU003-E	Endpoint Management package for unlimitedEndpoints

 

Note: SandBlast Agent for Browsers is managed from a Check Point cloud portal – a license is not required for the management.

 

New Endpoint Security Packages

To simplify the pricing and licensing for Endpoint products and align with SandBlast Agent licensing, Endpoint Security Blades have been consolidated into new packages. Similar to the previous Endpoint blades products, both Perpetual and Annual licenses offered.

 

Perpetual Packages

Check Point offers perpetual packages for the Access Control and Data Protection packages:

SKU	Description
CPEP-ACCESS-P	Endpoint Access Control perpetual package includes endpoint Firewall and VPN Remote Access
CPEP-DATA-P	Endpoint Data Protection perpetual package includes endpoint Full Disk Encryption and Media Encryption

 

 

 

 

Annual Packages

Check Point offers annual packages for the Access Control, Data Protection, Antivirus, SandBlast Agent, SandBlast Agent for Browsers and Endpoint Complete Protection packages for one, two or three years. The duration of the license is indicated by adding -1Y, -2Y or 3-Y the skus below, for example CPEP-ACCESS-1Y for one year, CPEP-ACCESS-2Y for two years or CPEP-ACCESS-3Y for three years.

SKU	Description
CPEP-ACCESS	Endpoint Access Control annual package includes endpoint Firewall and VPN Remote Access
CPEP-DATA	Endpoint Data Protection annual package includes endpoint Full Disk Encryption and Media Encryption
CPEP-AV	Endpoint Antivirus annual packages includes Anti-Malware, Program Control and Program Advisory
CPEP-SBA	SandBlast Agent annual package includes Threat Emulation/Threat Extraction, AntiBot and Forensics
CPEP-SBA-BROWSER	SandBlast Agent for Browsers - managed from a Check Point cloud portal (a license is not required  for the management).
CPEP-AR	Sandblast Anti-Ransomware
CPEP-COMPLETE	Endpoint Complete annual packages include SandBlast Agent, Antivirus, Data Protection and  Access Control

 

Endpoint Security Policy Server (optional - for use with E80.20 or higher only)

Beginning with E80.20, Check Point has introduced Endpoint Policy Servers for remote locations. These will provide a point of connection for remote offices without the need for an additional Endpoint Security Management Server. The SKU for a single Endpoint Security Policy Server is CPSM-CONP-E. No changes were made to the licensing for Policy Servers.

A customer is able to use a number of Policy Servers based on the size of the Endpoint Security Management license in use:

Endpoint Security Management SKU	Number of Policy Servers Allowed
CPSM-NGSM10/ CPSM-P1003-E	One (1)
CPSM-P2503-E	Up to Two (2)
CPSM-PU003-E	Unlimited
Smart-1 5 / Smart-1 205 / Smart-1 210	One (1)
Smart-1 25 / Smart-1 225	Up to Two (2)
Smart-1 50 / Smart-1 3050	Up to Five (5)
Smart-1 150 / Smart-1 3150	Unlimited

 

Policy Server licenses are issued on a case by case basis. To inquire about, or to request a Policy Server license, contact Check Point Account Services:

• By using Live Chat
• By phone: Americas: +1-972-444-6600 option 3, or International: +972-3-611-5100 option 3
• By opening a Non-Technical Service Request and providing the Certificate Key or MAC of the Management product and the number of policy server licenses requested

For more information about Endpoint Security Policy Servers, refer to the Endpoint Security Release Notes (E80.40 Endpoint Security Release Notes, E80.60 Endpoint Security Release Notes, E80.61 and R77.20.01 Release Notes, E80.62 and R77.30.01 Release Notes, E80.64 and R77.30.02 Release Notes, E80.65 and R77.30.03 Release Notes).

 

NGEP Licensing FAQ

• Are older Endpoint Security Blade products still supported if I want to upgrade to a latest version of Endpoint Security?

  • Yes the older Endpoint Security Blade SKUS are still supported and use the same blade licensing features as the new NGEP licenses. There is no change to the underlying blade license architecture.

• Are the old EndPoint products still available for purchase?

  • No, the old EndPoint Blade SKUs are no longer available for new orders, but can be renewed.
  • New seats should be ordered using the new packages

• Can I convert my old licenses to the new SKUS?

  • There is no direct functionality upgrade because of the different packaging; however, you can purchase new annual products instead of renewing the old annual products or ask your account manager about trade-in options if you have older perpetual licensing.

• I have older Endpoint Blade licenses with Endpoint Containers, but the new price list says there is no requirement for an endpoint container license. Do I still need to renew the support for the container and install the Endpoint container licenses on my Endpoint Security Server?

  • Provided you are still using Endpoint Blades licenses, yes, you still need to renew support for Endpoint Containers and install the container licenses for the equivalent number of seats.
  • Although Endpoint Containers are no longer sold as a separate products with the new packages, the pricing and licenses functionality were consolidated into the new packages so the container license still must be installed to properly enable the functionality,
  • As older Endpoint Blades seats are removed and replaced by the new licenses, the related containers can then be removed.

• Is EndPoint URL Filtering part of the new EndPoint offering?

  • No EndPoint URL filtering is not included in any of the standard Endpoint Packages currently, including Endpoint Complete. 
  • This is currently only available as standalone product that must be specially order through the Sales Solution Center. Customers interested in purchasing EndPoint URL Filtering should contact their reseller or account manager for a quote.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.