Cloud Native CloudGuard Security Portfolio Offerings

Includes:
∙ Posture management and continuous compliance
Cloud Posture Management ∙ Protected assets inventory management
∙ Network configurations visualization
Automate governance across multi-
∙ Proactive network security with region lock and tamper
cloud assets and services including
protection for security groups
visualization and assessment of
∙ Custom compliance rule creation with unique GSL language
securityposture, misconfiguration
∙ High fidelity security indicators with reporting and dashboards
detection, and enforcement
∙ Automated and customizable policy remediation
of security best practices and
∙ Third-party integrations
compliance frameworks.
∙ Intelligence for account activity analytics and anomaly detection
∙ IAM Safety

Intelligence Includes:
Detect and mitigate threats within ∙ Account activity analytics, anomaly detection and
cloud environments, as well as network traffic visibility
analyze activity and leverage UEBA ∙ User entity behavior analytics (UEBA)
algorithms to fend off cloud attacks. ∙ Automated investigation and response

Workload Protection
Protect cloud native applications with Includes:
automated cloud native security for ∙ ShiftLeft tool for code hygiene in CI
containers, serverless functions, ∙ Posture Management to ensure best practice compliance
applications and APIs. Includes the ∙ Microservice runtime protection (containers and serverless)
following CloudGuard offerings: ∙ AppSec to protect applications and APIs , including BOT
— Containers prevention, and Intrusion Prevention System (IPS)
— Serverless
— AppSec

Includes:
Cloud Network Security ∙ Advanced threat prevention
Provide advanced threat prevention ∙ IPS
and automated cloud network security ∙ Identity awareness
through a virtual security gateway, ∙ Application control
with unified security management ∙ Anti-virus
across all your public cloud and ∙ Anti-bot
private cloud environments. ∙ URL filtering
∙ VPN
∙ Threat emulation
∙ Threat extraction
∙ Zero-day
∙ ThreatCloud
∙ Third-party integrations
Cloud Native CloudGuard Security Licensing Guide

Cloud Posture Management (license that consumes assets)

Buy increments of 100 assets and dynamically consume for Posture, Serverless or Container
Security. SKUs that include AppSec Workloads and Intelligence Pro licenses can be added.
Posture:
∙ 1 VM instance (EC2s, VMs) equals 1 asset
∙ 1 database instance (RDS) equals 1 asset
∙ 60 latest serverless functions (Lambda) equal 1 asset
∙ 1 posture container node equals 3 assets
Runtime:
∙ 10M serverless invocations (Lambda, FunctionApp) equal 1 asset
∙ 1 runtime container node equals 2 assets

Billable Assets:
All assets are protected, but only those running and specified below count as billable.
∙ In AWS environments, EC2 and RDS instances and Lambda functions are counted as assets.
(Micro and nano instances are protected for free.)
∙ In Azure environments, VMs and SQL Servers are counted as assets. The 0 family (A0/D0)
is excluded.
∙ In Google Cloud environments, instances are counted as assets (except F1-micro
instances types).
∙ In Alibaba Cloud environments, ECS and RDS entities are counted as assets.
∙ For Serverless, we only charge once, even if you have a different version of the same
serverless functions.
∙ For Container posture, all nodes running containers on onboarded clusters are counted.
∙ The Container posture includes container compliance, admission control and image assurance
(runtime, registry and ShiftLeft).
∙ For container runtime, all nodes running containers runtime agent are counted.
∙ Asset count is consistent with time of periodically scanning the environment and could change
with scan if you have assets going up and down.

Complementary Offerings:
∙ Includes Intelligence for account activity. Per each billable asset, 12GB of logs ingestion is
provided for 1 month retention. Currently there is no way to extend the retention period or the
ingestion amounts.
∙ Complementary executions for serverless run yearly.
∙ For Serverless, every 100 asset SKUs purchased provides 200M serverless function invocations.
∙ A free two-week product trial is available as part of every pricing plan (no credit card required).

Details:
∙ CP-CGD9-CNP-25-1Y is a first time landing SKU. If environment requires more than 25, use the
100 billable asset SKU: CP-CGD9-CNP-100-1Y or CP-CGD9-CNX-100-1Y (CSPM with IAM Safety).
∙ ShiftLeft scans are subject to fair use of up to 50 scans per month, per node.
Cloud Native CloudGuard Security Licensing Guide

Intelligence Pro
Pricing is based on raw network log ingestion and the duration that analyzed logs are kept.
Offered in either 1,000GB or 10TB log ingestion. Analyzed logs stored for a month or year.

Details:
∙ The license is not yearly; it will cover ingestion while there is capacity left.
∙ Account activity logs are included at no additional cost with a purchased CSPM license, up to 12GB
per billable asset. Currently there is no way to extend the retention period or the ingestion amounts.
∙ Intelligence Pro adds network traffic coverage.

AppSec Workloads
Licensed by number of HTTP requests, AppSec Workloads SKU should be used when customer is also
consuming Cloud Posture Management. AppSec can also be licensed as a standalone product (see below).
∙ 10M application requests equal 1 workload unit

Details:
∙ Fair use policy is 10GB logs for 100M requests; kept for 1 year, and up to 100 agents.

AppSec Standalone
Licensed by number of HTTP requests, Standalone SKU should be used when customer is NOT
consuming Cloud Posture Management. AppSec Workload SKU can be used in conjunction with
Cloud Posture Management (see above).
∙ Licensed in tiers of 100M yearly requests
∙ CP-CGAS-100-* is the mandatory SKU to buy a single instance of base tier of 100
∙ Once purchase exceeds base tier of 100, CP-CGAS-100A-* additional SKU is to be used in
conjunction with CP-CGAS-100* SKU

Details:
∙ Fair use policy is 10GB logs for 100M requests; kept for 1 year, and up to 100 agents.
∙ When licensing AppSec Standalone the base SKU should NEVER be used more than once.

Cloud Network Security

Licensed by the number of virtual cores (vCores) assigned to the virtual machine running it.
Licenses are pool based, making it easy to add additional licenses. License cores are agnostic and
can be deployed anywhere.

Details:
∙ License pool is deployed on your Check Point management ser ver and automatically assigned to
CloudGuard Network gateways.
∙ Customer can purchase additional software blades and deploy them on specific CloudGuard
Network Gateways.
∙ Multi-Domain-Management (MDM) - every license pool should be issued with the CMA IP and will
be attached to the CloudGuard Network Security gateways which are managed by that CMA.
∙ NGTX cloud inspection quota is 10k files/vCore/month.
∙ Public Cloud: Amazon Web Services (AWS), Microsoft Azure, Google Cloud, Oracle Cloud
Infrastructure, Alibaba Cloud, IBM cloud, Huawei, Yandex, and more.
 Pricing Examples

Cloud Posture Management with Intelligence

∙ Azure: 175 billable assets at 20GB flow logs per month

∙ AWS: 350 billable assets at 35GB flow logs per month

License Requirements:

∙ 6 licenses for CSPM (600 assets, includes IAM Safety)

– (6x) CP-CGD9-CNX-100-1Y

• 1TB of Intelligence – (1x) CP-CGLG-1000GB-YLOG YLOG

(with 1 year retention), or (1x) CP-CGLG-1000GB-MLOG
(with 1 month retention)

Cloud Posture Management with AppSec

∙ AWS: 275 billable assets with 6 web servers that receive
a total of 55M HTTP requests

License Requirements:

• 3 licenses for CSPM (300 assets) – (3x) CP-CGD9-CNP-100-1Y

• 100 Workload units – (1x) CP-CGWL-SL-100-1Y

Cloud Network Security

• AWS: 4 gateways of 4 cores/each, with Threat Extraction and
Threat Emulation for zero-day attacks (NGTX)

 License Requirements:
∙ 16 licenses for Network Security
– (16x) CPSG-VSEC-AWS-BUN-NGTX

CONTACT US:

Check Point Software Technologies

5 Shlomo Kaplan Street, Tel Aviv 6789159, Israel

+972-3-753-4555