Support Center > Search Results > SecureKnowledge Details
Next Generation Endpoint Security Products Licensing Technical Level

In October 2016, Check Point released the new Next Generation Security Management licensing (NGSM). Also included in this release were Next Generation Endpoint products (NGEP), redesigned to simplify licensing and pricing. This article focuses on the changes to the licensing requirements introduced with the new pricelist.


For more information about the legacy Endpoint Security Software Blade licensing, please see Endpoint Security Licensing for E80.x (sk61832).


Endpoint Security Licensing Requirements

Next Generation Endpoint requires the installation of two types of licenses, with one optional license:

  1. Endpoint Security Management 
  2. Endpoint Security packages (includes Endpoint Container*)
  3. Endpoint Security Policy Server (optional - for use only with E80.20 or higher)

* Endpoint containers no longer require a separate purchase. An equivalent number of Endpoint container seats are included in the new Endpoint Packages.


Endpoint Security Management

Endpoint Security E80 introduced a new Single Agent Unified Management station for all Endpoint Security components which remains unchanged for Next Generation Endpoint solutions. Management for Endpoint products and SandBlast Agent can be deployed on any management server which includes Check Point Endpoint Management (EPM). This includes Smart-1 appliances.

Dedicated open server management solutions require the installation of one of the following Endpoint Security Management licenses:

Product Description
 CPSM-NGSM5 / Smart-1 5 / Smart-1 205  Endpoint Management package for up to 500 Endpoints
 CPSM-P1003-E / CPSM-NGSM10 / Smart-1210  Endpoint Management package for up to1,000 Endpoints
 CPSM-P2503-E / CPSM-NGSM25 / Smart-1 25 / Smart-1 225  Smart-1 Appliance package for 2,500Endpoints and below
 CPSM-NGSM50 / Smart-1 50 / Smart-1 3050  Smart-1 Appliance package for 5,000Endpoints and below
 CPSM-NGSM150 / Smart-1 150 / Smart-1 3150

 Smart-1 Appliance package for unlimitedEndpoints


 Endpoint Management package for unlimitedEndpoints


Note: SandBlast Agent for Browsers is managed from a Check Point cloud portal – a license is not required for the management.


New Endpoint Security Packages

To simplify the pricing and licensing for Endpoint products and align with SandBlast Agent licensing, Endpoint Security Blades have been consolidated into new packages. Similar to the previous Endpoint blades products, both Perpetual and Annual licenses offered.


Perpetual Packages

Check Point offers perpetual packages for the Access Control and Data Protection packages:

SKU Description

Endpoint Access Control perpetual package includes endpoint Firewall and VPN Remote Access


Endpoint Data Protection perpetual package includes endpoint Full Disk Encryption and Media Encryption





Annual Packages

Check Point offers annual packages for the Access Control, Data Protection, Antivirus, SandBlast Agent, SandBlast Agent for Browsers and Endpoint Complete Protection packages for one, two or three years. The duration of the license is indicated by adding -1Y, -2Y or 3-Y the skus below, for example CPEP-ACCESS-1Y for one year, CPEP-ACCESS-2Y for two years or CPEP-ACCESS-3Y for three years.

SKU Description
CPEP-ACCESS  Endpoint Access Control annual package includes endpoint Firewall and VPN Remote Access
CPEP-DATA Endpoint Data Protection annual package includes endpoint Full Disk Encryption and Media Encryption 
CPEP-AV Endpoint Antivirus annual packages includes Anti-Malware, Program Control and Program Advisory
CPEP-SBA SandBlast Agent annual package includes Threat Emulation/Threat Extraction, AntiBot and Forensics
CPEP-SBA-BROWSER    SandBlast Agent for Browsers - managed from a Check Point cloud portal (a license is not required  for the management).
CPEP-AR Sandblast Anti-Ransomware
CPEP-COMPLETE Endpoint Complete annual packages include SandBlast Agent, Antivirus, Data Protection and  Access Control 


Endpoint Security Policy Server (optional - for use with E80.20 or higher only)

Beginning with E80.20, Check Point has introduced Endpoint Policy Servers for remote locations. These will provide a point of connection for remote offices without the need for an additional Endpoint Security Management Server. The SKU for a single Endpoint Security Policy Server is CPSM-CONP-E. No changes were made to the licensing for Policy Servers.

A customer is able to use a number of Policy Servers based on the size of the Endpoint Security Management license in use:

Endpoint Security Management SKU Number of Policy Servers Allowed 
 CPSM-NGSM10/ CPSM-P1003-E  One (1)
 CPSM-P2503-E  Up to Two (2)
 CPSM-PU003-E  Unlimited
 Smart-1 5 / Smart-1 205 / Smart-1 210  One (1)
 Smart-1 25 / Smart-1 225  Up to Two (2)
 Smart-1 50 / Smart-1 3050  Up to Five (5)
 Smart-1 150 / Smart-1 3150  Unlimited


Policy Server licenses are issued on a case by case basis. To inquire about, or to request a Policy Server license, contact Check Point Account Services:

  • By using Live Chat
  • By phone: Americas: +1-972-444-6600 option 3, or International: +972-3-611-5100 option 3
  • By opening a Non-Technical Service Request and providing the Certificate Key or MAC of the Management product and the number of policy server licenses requested

For more information about Endpoint Security Policy Servers, refer to the Endpoint Security Release Notes (E80.40 Endpoint Security Release Notes, E80.60 Endpoint Security Release Notes, E80.61 and R77.20.01 Release Notes, E80.62 and R77.30.01 Release Notes, E80.64 and R77.30.02 Release Notes, E80.65 and R77.30.03 Release Notes).


NGEP Licensing FAQ

Show All in this section
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document