Overview of CloudGuard Network for ACI
CloudGuard Network for ACI is the Check Point Advanced Security solution for the Cisco ACI fabric. The Check Point CloudGuard solution enforces advanced Threat Prevention in the ACI fabric and provides full integration between Cisco APICs and the Check Point Security Management Server. It proactively stops malware and zero-day attacks in the Data Center environment and outside of the fabric. The unified management of virtual and physical gateways simplifies security management across all of the network.
CloudGuard has two primary components:
- The CloudGuard Controller
  The CloudGuard Controller enables the integration of the Check Point Security Management Server with Cisco APIC and other top SDN controllers and cloud managers, such as vCenter. The CloudGuard Controller makes dynamic security policies that contain ACI objects and VMs. It manages CloudGuard gateways and physical gateways, and provides full visibility for Data Center security. Security policies generated with the CloudGuard Controller can be installed on each Check Point Security Gateway across the network.
- The CloudGuard Gateway
  The CloudGuard Gateway is a Check Point virtual edition gateway or physical appliance deployed automatically in the ACI fabric. It is deployed in managed or unmanaged mode, and enforces the Check Point Security Policy.
Note - Before you start the installation, make sure that all software and hardware components are compatible based on the R80.10 CloudGuard for Cisco ACI Release Notes.
Licensing
Check Point CloudGuard for ACI requires a license attached to the Security Management Server or the Multi-Domain Server. The license is based on the total number of Cisco ACI leaf switches managed by the APICs that are integrated with the Check Point Security Management Server or Multi-Domain Server. The CloudGuard for ACI license covers the functionality of ACI integration. No additional licenses are required on the gateways to support this functionality. The license covers Management High Availability for the Security Management Server and the Multi-Domain Server.
A different license is required for all processes that are not related to this ACI integration. This includes other management and/or gateway capabilities.
The license is perpetual and cumulative. You can always add more leaf licenses.