https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247791#M9033 <P>As you know, the number of concurrent connections permitted in a VS is set via SmartConsole in the VS object.<BR />Unfortunately, there is no API support for legacy VSX objects.<BR />Which means this is not scriptable.</P> Wed, 30 Apr 2025 12:49:36 GMT PhoneBoy 2025-04-30T12:49:36Z https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247755#M9032 <P>Hi</P><P>We are looking into having to adjust the concurrent connection limit slightly, due to contractual obligations with our customers and I would like to know if there is any way, API, CLI or other, that would allow us to set a new value, instead of having to go into the GUI and setting a new individual value on 130+ Virtual Systems.</P><P>I have not found evidence that vsx_provisioning_tool can do it, unless I missed something.</P><P>Any ideas?</P><P>&nbsp;</P><P>We are currently running R81.10 and looking into upgrading to 81.20.</P> Wed, 30 Apr 2025 08:32:42 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247755#M9032 NoMaD_dk 2025-04-30T08:32:42Z https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247791#M9033 <P>As you know, the number of concurrent connections permitted in a VS is set via SmartConsole in the VS object.<BR />Unfortunately, there is no API support for legacy VSX objects.<BR />Which means this is not scriptable.</P> Wed, 30 Apr 2025 12:49:36 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247791#M9033 PhoneBoy 2025-04-30T12:49:36Z https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247797#M9034 <P>Same cannot find anything related to this in the API guide.&nbsp;</P> <P>Extra tip:</P> <P>Do you already monitor connection limit with SNMP? This is possible.&nbsp;</P> <P>Alternative is to run&nbsp;vsx stat-l and the systems and collect the info from there.&nbsp;</P> <P>Plus not 100% sure ( dont have my notes with me) but i think in r82 on vsx you can now use the option auto for the connection limit.</P> Wed, 30 Apr 2025 13:57:00 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247797#M9034 Lesley 2025-04-30T13:57:00Z https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247926#M9035 <P>Yes, we already monitor it. The question is if the value could be manipulated in another way than through the GUI, which I see is not possible.</P><P>Setting the value to auto is not an option either, due to billing and contracts obligations.</P> Thu, 01 May 2025 12:51:13 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247926#M9035 NoMaD_dk 2025-05-01T12:51:13Z https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247927#M9036 <P>For what is worth, this is what came from AI.</P> <P>Andy</P> <P>*************************************************************************</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="" data-start="0" data-end="319">To script setting the <STRONG data-start="22" data-end="53">concurrent connection limit</STRONG> on <STRONG data-start="57" data-end="91">VSX (Virtual System Extension)</STRONG> in Check Point firewalls, you'll typically use <STRONG data-start="139" data-end="155">CLI commands</STRONG>, particularly through <STRONG data-start="178" data-end="190"><CODE data-start="180" data-end="188">fw ctl</CODE></STRONG> or <STRONG data-start="194" data-end="237">SmartConsole/SmartCenter CLI (mgmt_cli)</STRONG> depending on whether you're modifying kernel parameters or object configurations.</P> <P class="" data-start="321" data-end="417">Here’s a practical approach, assuming you want to set connection limits per Virtual System (VS):</P> <HR data-start="419" data-end="422" /> <H3 class="" data-start="424" data-end="505"><span class="lia-unicode-emoji" title=":wrench:">🔧</span> Option 1: Using <CODE data-start="447" data-end="463">fw ctl set int</CODE> for runtime kernel limit (not persistent)</H3> <P class="" data-start="506" data-end="582">This sets the concurrent connection limit in memory, not surviving a reboot.</P> <P>&nbsp;</P> <DIV class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"> <DIV class="flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between h-9 bg-token-sidebar-surface-primary dark:bg-token-main-surface-secondary select-none rounded-t-[5px]">bash</DIV> <DIV class="sticky top-9"> <DIV class="absolute end-0 bottom-0 flex h-9 items-center pe-2"> <DIV class="bg-token-sidebar-surface-primary text-token-text-secondary dark:bg-token-main-surface-secondary flex items-center rounded-sm px-2 font-sans text-xs"><SPAN class="" data-state="closed"><BUTTON class="flex gap-1 items-center select-none px-4 py-1" aria-label="Copy">Copy</BUTTON></SPAN><SPAN class="" data-state="closed"><BUTTON class="flex items-center gap-1 px-4 py-1 select-none">Edit</BUTTON></SPAN></DIV> </DIV> </DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-bash"><SPAN><SPAN class="hljs-comment"># Example for setting max concurrent connections to 500,000 on VSID 2</SPAN> vsenv 2 fw ctl <SPAN class="hljs-built_in">set</SPAN> int fw_conn_table_limit 500000 </SPAN></CODE></DIV> </DIV> <P>&nbsp;</P> <PRE class="overflow-visible!" data-start="584" data-end="715">&nbsp;</PRE> <P class="" data-start="717" data-end="727">To verify:</P> <P>&nbsp;</P> <DIV class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"> <DIV class="flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between h-9 bg-token-sidebar-surface-primary dark:bg-token-main-surface-secondary select-none rounded-t-[5px]">bash</DIV> <DIV class="sticky top-9"> <DIV class="absolute end-0 bottom-0 flex h-9 items-center pe-2"> <DIV class="bg-token-sidebar-surface-primary text-token-text-secondary dark:bg-token-main-surface-secondary flex items-center rounded-sm px-2 font-sans text-xs"><SPAN class="" data-state="closed"><BUTTON class="flex gap-1 items-center select-none px-4 py-1" aria-label="Copy">Copy</BUTTON></SPAN><SPAN class="" data-state="closed"><BUTTON class="flex items-center gap-1 px-4 py-1 select-none">Edit</BUTTON></SPAN></DIV> </DIV> </DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-bash"><SPAN>fw ctl get int fw_conn_table_limit </SPAN></CODE></DIV> </DIV> <P>&nbsp;</P> <PRE class="overflow-visible!" data-start="728" data-end="774">&nbsp;</PRE> <BLOCKQUOTE data-start="776" data-end="832"> <P class="" data-start="778" data-end="832"><span class="lia-unicode-emoji" title=":warning:">⚠️</span> Not persistent — use <CODE data-start="802" data-end="815">fwkern.conf</CODE> for persistence.</P> </BLOCKQUOTE> <HR data-start="834" data-end="837" /> <H3 class="" data-start="839" data-end="894"><span class="lia-unicode-emoji" title=":locked_with_key:">🔐</span> Option 2: Make persistent via <CODE data-start="876" data-end="894">/etc/fwkern.conf</CODE></H3> <P class="" data-start="895" data-end="954">Add the following to <CODE data-start="916" data-end="934">/etc/fwkern.conf</CODE> on the VSX gateway:</P> <P>&nbsp;</P> <DIV class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"> <DIV class="flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between h-9 bg-token-sidebar-surface-primary dark:bg-token-main-surface-secondary select-none rounded-t-[5px]">bash</DIV> <DIV class="sticky top-9"> <DIV class="absolute end-0 bottom-0 flex h-9 items-center pe-2"> <DIV class="bg-token-sidebar-surface-primary text-token-text-secondary dark:bg-token-main-surface-secondary flex items-center rounded-sm px-2 font-sans text-xs"><SPAN class="" data-state="closed"><BUTTON class="flex gap-1 items-center select-none px-4 py-1" aria-label="Copy">Copy</BUTTON></SPAN><SPAN class="" data-state="closed"><BUTTON class="flex items-center gap-1 px-4 py-1 select-none">Edit</BUTTON></SPAN></DIV> </DIV> </DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-bash"><SPAN><SPAN class="hljs-comment"># For VSID 2 (set while in that VS context)</SPAN> fw_conn_table_limit=500000 </SPAN></CODE></DIV> </DIV> <P>&nbsp;</P> <PRE class="overflow-visible!" data-start="956" data-end="1038">&nbsp;</PRE> <BLOCKQUOTE data-start="1040" data-end="1158"> <P class="" data-start="1042" data-end="1158">You must do this from within the VS context (<CODE data-start="1087" data-end="1101">vsenv &lt;VSID&gt;</CODE>), and reboot or run <CODE data-start="1122" data-end="1138">fw ctl set int</CODE> afterward to apply.</P> </BLOCKQUOTE> <HR data-start="1160" data-end="1163" /> <H3 class="" data-start="1165" data-end="1240">🧠 Option 3: Using <CODE data-start="1188" data-end="1198">mgmt_cli</CODE> or API to configure SmartConsole settings</H3> <P class="" data-start="1241" data-end="1344">If you want to set limits as part of a policy object (e.g., per gateway or VS), use the management API.</P> <P class="" data-start="1346" data-end="1433">Example with <CODE data-start="1359" data-end="1369">mgmt_cli</CODE> (not directly for connection limits but to modify VSX objects):</P> <P>&nbsp;</P> <DIV class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"> <DIV class="flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between h-9 bg-token-sidebar-surface-primary dark:bg-token-main-surface-secondary select-none rounded-t-[5px]">bash</DIV> <DIV class="sticky top-9"> <DIV class="absolute end-0 bottom-0 flex h-9 items-center pe-2"> <DIV class="bg-token-sidebar-surface-primary text-token-text-secondary dark:bg-token-main-surface-secondary flex items-center rounded-sm px-2 font-sans text-xs"><SPAN class="" data-state="closed"><BUTTON class="flex gap-1 items-center select-none px-4 py-1" aria-label="Copy">Copy</BUTTON></SPAN><SPAN class="" data-state="closed"><BUTTON class="flex items-center gap-1 px-4 py-1 select-none">Edit</BUTTON></SPAN></DIV> </DIV> </DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-bash"><SPAN>mgmt_cli <SPAN class="hljs-built_in">set</SPAN> simple-gateway name <SPAN class="hljs-string">"My_VSX_Gateway"</SPAN> max-concurrent-connections 500000 --domain <SPAN class="hljs-string">"MyDomain"</SPAN> -r <SPAN class="hljs-literal">true</SPAN> -s session.json </SPAN></CODE></DIV> </DIV> <P>&nbsp;</P> <PRE class="overflow-visible!" data-start="1435" data-end="1574">&nbsp;</PRE> <BLOCKQUOTE data-start="1576" data-end="1665"> <P class="" data-start="1578" data-end="1665">You’ll need to check your exact object type (<CODE data-start="1623" data-end="1639">simple-gateway</CODE>, <CODE data-start="1641" data-end="1646">vsx</CODE>, etc.) and fields.</P> </BLOCKQUOTE> <HR data-start="1667" data-end="1670" /> <H3 class="" data-start="1672" data-end="1693"><span class="lia-unicode-emoji" title=":light_bulb:">💡</span> Script Example</H3> <P class="" data-start="1694" data-end="1749">Here’s a shell script to set the limit on multiple VSs:</P> <P>&nbsp;</P> <DIV class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"> <DIV class="flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between h-9 bg-token-sidebar-surface-primary dark:bg-token-main-surface-secondary select-none rounded-t-[5px]">bash</DIV> <DIV class="sticky top-9"> <DIV class="absolute end-0 bottom-0 flex h-9 items-center pe-2"> <DIV class="bg-token-sidebar-surface-primary text-token-text-secondary dark:bg-token-main-surface-secondary flex items-center rounded-sm px-2 font-sans text-xs"><SPAN class="" data-state="closed"><BUTTON class="flex gap-1 items-center select-none px-4 py-1" aria-label="Copy">Copy</BUTTON></SPAN><SPAN class="" data-state="closed"><BUTTON class="flex items-center gap-1 px-4 py-1 select-none">Edit</BUTTON></SPAN></DIV> </DIV> </DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-bash"><SPAN><SPAN class="hljs-meta">#!/bin/bash</SPAN> LIMIT=500000 <SPAN class="hljs-keyword">for</SPAN> VSID <SPAN class="hljs-keyword">in</SPAN> 2 3 4; <SPAN class="hljs-keyword">do</SPAN> <SPAN class="hljs-built_in">echo</SPAN> <SPAN class="hljs-string">"Setting connection limit for VSID <SPAN class="hljs-variable">$VSID</SPAN></SPAN>" vsenv <SPAN class="hljs-variable">$VSID</SPAN> fw ctl <SPAN class="hljs-built_in">set</SPAN> int fw_conn_table_limit <SPAN class="hljs-variable">$LIMIT</SPAN> <SPAN class="hljs-keyword">done</SPAN> </SPAN></CODE></DIV> </DIV> <P><LI-WRAPPER></LI-WRAPPER></P> <PRE class="overflow-visible!" data-start="1751" data-end="1928">&nbsp;</PRE> <P class="" data-start="1930" data-end="2007">To make this persistent, you’d script editing <CODE data-start="1976" data-end="1994">/etc/fwkern.conf</CODE> for each VS.</P> Thu, 01 May 2025 13:04:29 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-script-setting-concurrent-connection-limit-on-VSX/m-p/247927#M9036 the_rock 2025-05-01T13:04:29Z