CloudGuard for ACI is the Check Point Advanced Security solution for the Cisco ACI fabric. The Check Point CloudGuard solution enforces advanced Threat Prevention inside the ACI fabric and provides complete integration between Cisco APICs and the Check Point Security Management Server. It proactively stops malware and zero-day attacks inside the Data Center environment and outside of the fabric. The unified management of virtual and physical gateways simplifies security management across the entire network.
CloudGuard has two main components:
The CloudGuard Controller enables the integration of the Check Point Security Management Server with Cisco APIC and other leading SDN controllers and cloud managers, such as vCenter. The CloudGuard Controller creates dynamic security policies that reference ACI objects and VMs. It manages CloudGuard gateways and physical gateways, and provides complete visibility for Data Center security. Security policies generated with the CloudGuard Controller can be installed on every Check Point Security Gateway across the network.
The CloudGuard Gateway is a Check Point virtual edition gateway or physical appliance deployed automatically inside the ACI fabric. It is deployed in managed or unmanaged mode, and enforces the Check Point security policy.
Note - Before you start the installation, verify that all software and hardware components are compatible based on the R80.10 CloudGuard for Cisco ACI Release Notes.
Check Point CloudGuard for ACI requires a license attached to the Security Management Server or the Multi-Domain Server. The license is based on the total number of Cisco ACI leaf switches managed by the APICs that are integrated with the Check Point Security Management Server or Multi-Domain Server. The CloudGuard for ACI license covers the functionality of ACI integration. No additional licenses are required on the gateways to support this functionality. The license covers Management High Availability for the Security Management Server and the Multi-Domain Server.
A separate license is required for all functionality that is not associated with ACI integration. This includes other management or gateway capabilities.
The license is perpetual and cumulative. You can always add more leaf licenses.