This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NoMaD_dk
Participant
‎2025-04-30 01:32 AM

How to script setting concurrent connection limit on VSX?

Hi

We are looking into having to adjust the concurrent connection limit slightly, due to contractual obligations with our customers and I would like to know if there is any way, API, CLI or other, that would allow us to set a new value, instead of having to go into the GUI and setting a new individual value on 130+ Virtual Systems.

I have not found evidence that vsx_provisioning_tool can do it, unless I missed something.

Any ideas?

 

We are currently running R81.10 and looking into upgrading to 81.20.

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2025-04-30 05:49 AM

As you know, the number of concurrent connections permitted in a VS is set via SmartConsole in the VS object.
Unfortunately, there is no API support for legacy VSX objects.
Which means this is not scriptable.

0 Kudos
Lesley
Authority Authority
Authority
‎2025-04-30 06:57 AM

Same cannot find anything related to this in the API guide. 

Extra tip:

Do you already monitor connection limit with SNMP? This is possible. 

Alternative is to run vsx stat-l and the systems and collect the info from there. 

Plus not 100% sure ( dont have my notes with me) but i think in r82 on vsx you can now use the option auto for the connection limit.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
NoMaD_dk
Participant
‎2025-05-01 05:50 AM
In response to Lesley

Yes, we already monitor it. The question is if the value could be manipulated in another way than through the GUI, which I see is not possible.

Setting the value to auto is not an option either, due to billing and contracts obligations.

0 Kudos
the_rock
Legend
Legend
‎2025-05-01 06:04 AM

For what is worth, this is what came from AI.

Andy

*************************************************************************

 

 

To script setting the concurrent connection limit on VSX (Virtual System Extension) in Check Point firewalls, you'll typically use CLI commands, particularly through fw ctl or SmartConsole/SmartCenter CLI (mgmt_cli) depending on whether you're modifying kernel parameters or object configurations.

Here’s a practical approach, assuming you want to set connection limits per Virtual System (VS):

🔧 Option 1: Using fw ctl set int for runtime kernel limit (not persistent)

This sets the concurrent connection limit in memory, not surviving a reboot.

 

bash
# Example for setting max concurrent connections to 500,000 on VSID 2 vsenv 2 fw ctl set int fw_conn_table_limit 500000

 

 

To verify:

 

bash
fw ctl get int fw_conn_table_limit

 

 

⚠️ Not persistent — use fwkern.conf for persistence.

🔐 Option 2: Make persistent via /etc/fwkern.conf

Add the following to /etc/fwkern.conf on the VSX gateway:

 

bash
# For VSID 2 (set while in that VS context) fw_conn_table_limit=500000

 

 

You must do this from within the VS context (vsenv <VSID>), and reboot or run fw ctl set int afterward to apply.

🧠 Option 3: Using mgmt_cli or API to configure SmartConsole settings

If you want to set limits as part of a policy object (e.g., per gateway or VS), use the management API.

Example with mgmt_cli (not directly for connection limits but to modify VSX objects):

 

bash
mgmt_cli set simple-gateway name "My_VSX_Gateway" max-concurrent-connections 500000 --domain "MyDomain" -r true -s session.json

 

 

You’ll need to check your exact object type (simple-gateway, vsx, etc.) and fields.

💡 Script Example

Here’s a shell script to set the limit on multiple VSs:

 

bash
#!/bin/bash LIMIT=500000 for VSID in 2 3 4; do echo "Setting connection limit for VSID $VSID" vsenv $VSID fw ctl set int fw_conn_table_limit $LIMIT done 

 

To make this persistent, you’d script editing /etc/fwkern.conf for each VS.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events