topic Re: Check Point Firewalls Connection Table in Firewall and Security Management

Check Point Firewalls Connection Table

katsarasd — Thu, 05 Feb 2026 11:34:03 GMT

Hello Everyone,

Our Infrastructure consists of External & Internal firewalls in Cluster HA Availability mode. Check Point Firewalls are Virtual Machines deployed on Vmware Esxi Hosts.

Firewalls have assigned resources of:

4 vCPUs
16 GB RAM
NICs are VMXNET 3

Recently, while performing zdebug on internal firewalls we've noticed 98-100% connection table utilization. TAC advised us to change the capacity optimization setting from 2500 to automatic. After the change we've noticed that the cpu utilization on the active gateway now is around 35%.

My question is if this is going to create any issue on the internal firewalls in the future ? i.e resource exhaustion ? kernel corruption ? it would be advisable to increase the vCPU on the affected gateways ?

Thanks in Advance

Re: Check Point Firewalls Connection Table

Don_Paterson — Thu, 05 Feb 2026 11:59:44 GMT

It should not but there is not enough information to give a firm answer/s.

Performance question answers are not always straight forward and as much information as possible should be collected and used to investigate.

Automatic has been the default for new installations for many versions now.

The more connections that are handled by the gateway the more memory used - to record the connection details in the connections table (and NAT and other tables).

CPU is consumed by the firewall software enforcing the policy. Rule matching.

SecureXL can offload the CPUs significantly if a lot of traffic is handled on the fast path, but traffic handled by blades like IPS, App. Control and Content Awareness will take more CPU.

HTTPS Inspection will also require more CPU resources.

fwaccel stats -s

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_PerformanceTuning_AdminGuide/Content/Topics-PTG/SecureXL.htm

What version/s are you running?

What was the CPU utilization before?

Do you plan to have more traffic load in the future?

Any more blades to be added in the future? E.G. IPS or other Threat Prevention blades.

You can use various commands to monitor the usage or RAM and CPU, including cpview, fw ctl pstat,

I still like the old command: fw tab -t connections -s

Also:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_CLI_ReferenceGuide/Content/Topics-CLIG/SECMG/cpstat.htm?Highlight=cpstat

Just for guidance and initial learning:

Snippet from https://support.checkpoint.com/results/sk/sk39555

Connections Table and Memory Pool

Note - These settings exist only in SmartDashboard R77.30 and lower.

To control connections table size and kernel memory from SmartDashboard, select one of these options in the section "Calculate connections hash table size and memory pool":

Automatically (default and recommended) - Automatically calculates all values for this Security Gateway / Cluster / VSX Virtual System. The administrator does not need to change them. The derived settings are typically high maximum memory pool and low initial memory pool size values.
Manually - Table size, Hash size, and HMEM size are set manually. It is not recommended to change this setting to a high value, because the more memory you allocate, the larger the impact on Security Gateway performance.

Connections Hash Table Size

Note - This setting exists only in SmartDashboard R77.30 and lower.

Connections hash table size - Size of the hash table in bytes (default = 131072). This value must be an integer that is an exponential power of two and approximately four times the value of the "Maximum concurrent connection".

Example: If the connection limit is set to 50000, the hash table size should be 2¹⁶=65536.

A larger hash size has a good effect on performance.
An effective hash table size should be approximately four times the number of average concurrent connections.
In most cases, the maximum operational limit of a 4 MB hash table size can support a maximum of one million connections.

When you use the "Automatic" setting, the connections hash table size, memory pool size, and maximum memory pool size values change in these ranges:

Concurrent connections limit	Hash size (bytes)	Mem. Pool (MB)	Max. Mem. Pool (MB)
0-21000	65536	6-8	24-33
22000-43000	131072	8-17	35-68
44000-87000	262144	17-34	70-139
88000-174000	524288	35-69	140-278
175000-349000	1048576	70-139	280-559
350000-699000	2097152	140-279	560-1119
700000-1398000	4194304	280-559	1121-2047

Example: For a maximum concurrent connections limit of 725000, automatic calculations result in these values:

Connections hash table size: 4194304
Memory pool size: 290 MB
Maximum memory pool size: 1161 MB

Note: Automatic settings do not account for the physical memory available on the Security Gateway / Cluster Members. The examples in the above section show a high maximum limit and low memory pool size.

Re: Check Point Firewalls Connection Table

Don_Paterson — Thu, 05 Feb 2026 12:07:54 GMT

I should also mention the hcp -r all command, just to get the Health Check Point tests run and see current health status.

That may help to get a view of what's happening in there and then also have a benchmark.

After running hcp you should be able to connect to the gateway and view the report in a html page:

https://<gateway-ip>:<port-if-needed>/hcp

Re: Check Point Firewalls Connection Table

katsarasd — Thu, 05 Feb 2026 13:02:51 GMT

Hello @Don_Paterson ,

Thanks for the valuable info.

According to what you asked:

What version/s are you running?--> 81.20 take 120

What was the CPU utilization before?--> it as around 4-5 %

Do you plan to have more traffic load in the future? We expect more groth

Any more blades to be added in the future? E.G. IPS or other Threat Prevention blades.--> IPS, Anti-Bot, Anti-Virus are enabled

Also i've run the hcp -r all command on the firewall and the results seem fine.

Regards

Re: Check Point Firewalls Connection Table

the_rock — Thu, 05 Feb 2026 13:34:30 GMT

TAC is 100% correct and here is why I would suggest the same. Main reason is because when its set to automatic, gateway would technically calculate needed memory/cpu usage based on consumption, rather than when its set to manual.

Re: Check Point Firewalls Connection Table

Don_Paterson — Thu, 05 Feb 2026 13:55:16 GMT

You are welcome.

The CPU utilization numbers would need some supporting information like number of connections and connections/second at the same point in time.

5% normally indicates a gateway that is idling and handling very little or no traffic at the point in time when the CPU resource utilisation is measured.

It is also important to monitor the active gateway in the cluster and not the standby, and to understand the differences in the numbers taken from each of them.

This document can give you an idea of the possible maximum throughput capabilities of an R81.20 gateway with 4 CPU cores and different combinations of blades.

https://www.checkpoint.com/downloads/products/cloudguard-gateway-performance-for-vmware-esxi-datasheet.pdf

You should talk to presales.

If you need more CPUs to handle more traffic in the future then more CPU licenses would be needed unless they are already purchased and in the vSEC license pool.

They can also advise on performance and future planning.

You can learn about performance monitoring from various sources (example below) but it may be quicker to talk to presales or professional services.

https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40528#M703