Glossary

    A
  • Accelerated Path
    Packet flow on the Host appliance, when the packet is completely handled by the SecureXL device. It is processed and forwarded to the network.
  • Affinity
    The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.
  • Anti-Bot
    Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.
  • Anti-Spam
    Check Point Software Blade on a Security Gateway that provides comprehensive protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS, ASPAM.
  • Anti-Virus
    Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV.
  • Application Control
    Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI.
  • Audit Log
    Log that contains administrator actions on a Management Server (login and logout, creation or modification of an object, installation of a policy, and so on).
    • B
  • Breakout Cable
    An optical fiber cable that contains several jacketed simplex optical fibers that are packaged together inside an outer jacket. Synonyms: Fanout cable, Fan-Out cable, Splitter cable.
  • Bridge Mode
    Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology.
    • C
  • Chassis Management Module
    On Scalable Chassis - a hardware component that controls and monitors 60000 / 40000 Appliance (Chassis) operation such as, fan speed, Chassis and module temperature, and component hot-swapping. Acronym: CMM.
  • Cluster
    Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.
  • Cluster Member
    Security Gateway that is part of a cluster.
  • Compliance
    Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration.
  • Content Awareness
    Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. Acronym: CTNT.
  • CoreXL
    Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores.
  • CoreXL Dynamic Dispatcher
    Improved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXL Firewall instances. Traffic distribution between CoreXL Firewall instances is dynamically based on the utilization of CPU cores, on which the CoreXL Firewall instances are running. The dynamic decision is made for first packets of connections, by assigning each of the CoreXL Firewall instances a rank, and selecting the CoreXL Firewall instance with the lowest rank. The rank for each CoreXL Firewall instance is calculated according to its CPU utilization. The higher the CPU utilization, the higher the CoreXL Firewall instance's rank is, hence this CoreXL Firewall instance is less likely to be selected by the CoreXL SND.
  • CoreXL Firewall Instance
    On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one processing CPU core. These firewall instances handle traffic at the same time, and each firewall instance is a complete and independent firewall inspection kernel. Synonym: CoreXL FW Instance.
  • CoreXL SND
    Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming traffic from the network interfaces; Securely accelerating authorized packets (if SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel instances (SND maintains global dispatching table, which maps connections that were assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall instances is statically based on Source IP addresses, Destination IP addresses, and the IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick to a particular FWK daemon is done at the first packet of connection on a very high level, before anything else. Depending on the SecureXL settings, and in most of the cases, the SecureXL can be offloading decryption calculations. However, in some other cases, such as with Route-Based VPN, it is done by FWK daemon.
  • CPUSE
    Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.
    • D
  • DAC Cable
    Direct Attach Copper cable. A form of the high-speed shielded twinax copper cable with pluggable transceivers on both ends. Used to connect to network devices (switches, routers, or servers).
  • DAIP Gateway
    Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway, on which the IP address of the external interface is assigned dynamically by the ISP.
  • Data Loss Prevention
    Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP.
  • Data Type
    Classification of data in a Check Point Security Policy for the Content Awareness Software Blade.
  • Distributed Deployment
    Configuration in which the Check Point Security Gateway and the Security Management Server products are installed on different computers.
  • Downlink Ports
    Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization).
  • Dynamic Object
    Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time.
    • E
  • Endpoint Policy Management
    Check Point Software Blade on a Management Server to manage an on-premises Harmony Endpoint Security environment.
  • Expert Mode
    The name of the elevated command line shell that gives full system root permissions in the Check Point Gaia operating system.
    • F
  • F2F
    Denotes non-VPN connections that SecureXL forwarded to firewall. See "Firewall Path".
  • Firewall Path
    Packet flow on the Host Security Appliance, when the SecureXL device is unable to process the packet. The packet is passed to the CoreXL layer and then to one of the CoreXL Firewall instances for full processing. This path also processes all packets when SecureXL is disabled. Synonym: Slow Path.
    • G
  • Gaia
    Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems.
  • Gaia Clish
    The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).
  • Gaia gClish
    The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group.
  • Gaia Portal
    Web interface for the Check Point Gaia operating system.
    • H
  • Hotfix
    Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior.
  • HTTPS Inspection
    Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi.
  • HyperSync
    Check Point patented technology that makes sure that active connections are only synchronized to backup Security Appliances in the Security Group. HyperSync makes sure each connection flow has a backup within the Security Group.
    • I
  • ICA
    Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication.
  • Identity Awareness
    Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA.
  • Identity Logging
    Check Point Software Blade on a Management Server to view Identity Logs from the managed Security Gateways with enabled Identity Awareness Software Blade.
  • Internal Network
    Computers and resources protected by the Firewall and accessed by authenticated users.
  • IPS
    Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System).
  • IPsec VPN
    Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access.
  • IRQ Affinity
    A state of binding an IRQ to one or more CPU cores.
    • J
  • Jumbo Hotfix Accumulator
    Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.
    • K
  • Kerberos
    An authentication server for Microsoft Windows Active Directory Federation Services (ADFS).
    • L
  • Log Server
    Dedicated Check Point server that runs Check Point software to store and process logs.
  • Logging & Status
    Check Point Software Blade on a Management Server to view Security Logs from the managed Security Gateways.
    • M
  • Maestro Orchestrator
    A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO.
  • Management Interface
    (1) Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member. (2) Interface on Gaia computer, through which users connect to Gaia Portal or CLI.
  • Management Server
    Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.
  • Manual NAT Rules
    Manual configuration of NAT rules by the administrator of the Check Point Management Server.
  • Medium Path
    Packet flow on the Host Security Appliance, when the packet is handled by the SecureXL device. The CoreXL layer passes the packet to one of the CoreXL Firewall instances to process it. Even when CoreXL is disabled, the SecureXL uses the CoreXL infrastructure to send the packet to the single CoreXL Firewall instance that still functions. When the Medium Path is available, the SecureXL fully accelerates the TCP handshake. Rule Base match is achieved for the first packet through an existing connection acceleration template. The SecureXL also fully accelerates the TCP [SYN-ACK] and TCP [ACK] packets. However, once data starts to flow, to stream it for Content Inspection, an FWK instance now handles the packets. The SecureXL sends all packets that contain data to FWK for data extraction in order to build the data stream. Only the SecureXL handles the TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets, because they do not contain data that needs to be streamed. The Medium Path is available only when CoreXL is enabled. Exceptions are: IPS (some protections); VPN (in some configurations); Application Control; Content Awareness; Anti-Virus; Anti-Bot; HTTPS Inspection; Proxy mode; Mobile Access; VoIP; Web Portals. Synonym: PXL.
  • Mobile Access
    Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB.
  • Multi-Domain Log Server
    Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS.
  • Multi-Domain Server
    Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS.
  • Multi-Queue
    An acceleration feature on Security Gateway that configures more than one traffic queue for each network interface. Multi-Queue assigns more than one receive packet queue (RX Queue) and more than one transmit packet queue (TX Queue) to an interface. Multi-Queue is applicable only if SecureXL is enabled (this is the default). Acronym: MQ.
    • N
  • Network Object
    Logical object that represents different parts of corporate topology - computers, IP addresses, traffic protocols, and so on. Administrators use these objects in Security Policies.
  • Network Policy Management
    Check Point Software Blade on a Management Server to manage an on-premises environment with an Access Control and Threat Prevention policies.
    • O
  • Open Server
    Physical computer manufactured and distributed by a company, other than Check Point.
  • Orchestrator
    See "Maestro Orchestrator".
    • P
  • Power Entry Module
    Hardware component that supplies DC power with EMC filtering and over-current protection on Scalable Chassis. Acronym: PEM.
  • Power Supply Unit
    Hardware component that supplies AC power with filtering and over-current protection. Acronym: PSU.
  • Provisioning
    Check Point Software Blade on a Management Server that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: SmartProvisioning, SmartLSM, Large-Scale Management, LSM.
  • PSL
    Passive Streaming Library. Packets may arrive at Security Gateway out of order, or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases, a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with the Passive Streaming Library (PSL) technology. (1) The PSL is an infrastructure layer, which provides stream reassembly for TCP connections. (2) The Security Gateway makes sure that TCP data seen by the destination system is the same as seen by code above PSL. (3) The PSL handles packet reordering, congestion, and is responsible for various security aspects of the TCP layer, such as handling payload overlaps, some DoS attacks, and others. (4) The PSL is capable of receiving packets from the Firewall chain and from the SecureXL. (5) The PSL serves as a middleman between the various security applications and the network packets. It provides the applications with a coherent stream of data to work with, free of various network problems or attacks. (6) The PSL infrastructure is wrapped with well-defined APIs called the Unified Streaming APIs, which are used by the applications to register and access streamed data.
  • PSLXL
    Technology name for combination of SecureXL and PSL (Passive Streaming Library) in versions R80.20 and higher. In versions R80.10 and lower, this technology was called PXL (PacketXL).
    • Q
  • QoS
    Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency.
    • R
  • Rule
    Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.
  • Rule Base
    All rules configured in a given Security Policy. Synonym: Rulebase.
    • S
  • Scalable Chassis
    The container that contains the all the components of a 60000 / 40000 Appliance. Synonym: Chassis.
  • SecureXL
    Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway.
  • Security Gateway
    Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
  • Security Gateway Module
    On Scalable Chassis - a hardware component on a 60000 / 40000 Appliance (Chassis) that operates as a physical Security Gateway. A Chassis contains many Security Gateway Modules that work together as a single, high performance Security Gateway or VSX Gateway. In Maestro - a role of a Security Appliance. Part of the Security Group that contains the assigned Security Appliances. A Security Appliance in a Security Group has one IPv4 address and represents all assigned Security Appliances as one entity. Acronym: SGM.
  • Security Group
    A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.
  • Security Group Member
    Member of a Security Group in ElasticXL Cluster, Maestro, and Scalable Chassis. Acronym: SGM.
  • Security Management Server
    Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.
  • Security Policy
    Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.
  • Security Switch Module
    On Scalable Chassis - a hardware component on a 60000 / 40000 Appliance (Chassis) that manages the flow of network traffic to and from the Security Gateway Module in the Chassis. In Maestro - a role of the Quantum Maestro Orchestrator that manages the flow of network traffic to and from the Security Groups. Acronym: SSM.
  • SGM
    In Maestro - a role of a Security Appliance. Part of the Security Group that contains the assigned Security Appliances. A Security Appliance in a Security Group has one IPv4 address and represents all assigned Security Appliances as one entity. For Scalable Chassis - see "Security Gateway Module".
  • Shared Management
    Feature that makes it possible to assign the same Management Port (interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different Security Groups. The assigned Management Port has a different IP address and a different MAC address in each Security Group, to which this port is assigned.
  • SIC
    Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.
  • Single Management Object
    Single Security Gateway object in SmartConsole that represents a Security Group configured on a Quantum Maestro Orchestrator / Scalable Chassis. Acronym: SMO.
  • SmartConsole
    Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.
  • SmartDashboard
    Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings.
  • SmartProvisioning
    Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM.
  • SmartUpdate
    Legacy Check Point GUI client used to manage licenses and contracts in a Check Point environment.
  • SMO Master
    The Security Appliance (in Maestro) / Security Gateway Module (on Scalable Chassis) in a Security Group that handles management tasks for all Security Appliances / Security Gateway Modules in the Security Group. By default, this role is assigned to the Security Appliance / Security Gateway Module with the lowest Member ID in the Security Group. See "SMO".
  • Software Blade
    Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.
  • SSM
    In Maestro - a role of the Quantum Maestro Orchestrator that manages the flow of network traffic to and from the Security Groups. For Scalable Chassis - see "Security Switch Module".
  • Standalone
    Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server.
    • T
  • Threat Emulation
    Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE.
  • Threat Extraction
    Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX.
    • U
  • Updatable Object
    Network object that represents an external service, such as Microsoft 365, AWS, Geo locations, and more.
  • Uplink Ports
    Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object.
  • URL Filtering
    Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF.
  • User Directory
    Check Point Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions.
    • V
  • VSX
    Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.
  • VSX Gateway
    Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.
    • Z
  • Zero Phishing
    Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. Acronym: ZPH.