Open Server / Virtual Machine Hardware Requirements

ahmed_aburaihan · ‎2025-10-16

Hi Mates,

This is my second post regarding performance issue while doing CheckPoint Labs - in detail:

For this Lab I am using:

HP Elitebook 650 G9

- 12th Gen Intel Core i5-1235U - 1.3GHz

- 49 GB of RAM

- 400 GB SSD

I have installed Smartconsole on a Win10 client, SMS and CP FW separately on distributed systems in VMWare.

I also have Windows Server 2016 installed for Identity based Policies.

I am currently facing performance problems, this Lab is very very slow and I am unable to carry on.

Could you please guide me on better managing this and boost up peformance so that I run those systems smoothly???

Kind Regards,

A.

Chris_Atkinson · ‎2025-10-16

What resources did you assign to each of the VMs?

CCSM R77/R80/ELITE

ahmed_aburaihan · ‎2025-10-16

Hi, thanks for the response.

Here are the resources i used:

For SMS:
12 GB RAM
Processor: 4 (2 Processor 2 Core)
Storage: 70GB

For GW:

12 GB RAM
Processor: 4 (2 Processor 2 Core)
Storage: 60 GB

and of course for the Smartconsole i used a Windows 10 client with 4 GB RAm.

the_rock · ‎2025-10-16

Hey Ahmed,

Does not sadly show what you had used.

Best,
Andy

PhoneBoy · ‎2025-10-17

Not enough disk space for the SMS or Gateway, which will cause issues if you attempt to upgrade either due to insufficient space.
It may also cause other issues.
The exact requirements for disk are mentioned in the Installation/Upgrade Guide (use the Open Server numbers).

the_rock · ‎2025-10-17

💯...always best to follow an official docs.

Best,
Andy

ahmed_aburaihan · ‎2025-10-19

@PhoneBoy
Yes, thats also possible. The exact storage on the base machine is approx. 476.xx GB and I cannot freely alot more space (being conservative here). I also have an external drive of 2 TB and the performance is really really bad (i tried the same lab and installed GW, SMS inside External drive).

Don_Paterson · ‎2025-10-20

I did some testing on a HP laptop with the same CPU specs.

Please see my reply to Tim's message for the details of that testing.

the_rock · ‎2025-10-16

I am with Chris on this one...could be resources assigned, or lack there of.

Best,
Andy

Lesley · ‎2025-10-16

Note: a single cpu core machine will not handle r82 software. You will get strange behavior and at one point you cannot proceed configuring. I think I had troubles to build cluster not 100% sure

2 core minimal! See here requirements

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RN/Content/Topics-RN/Open-Server-H...

-------
Please press "Accept as Solution" if my post solved it 🙂

the_rock · ‎2025-10-16

Even for windows vm, i do at least 4 cores.

Best,
Andy

Don_Paterson · ‎2025-10-18

You are definitely looking to get a lot out of the HP laptop in supporting that lab but you should be able to get it working quite well, possibly with some limitations.

Is this what you are trying to do?

VMs running in VMWare Workstation Pro:

Check Point SMS - R82
Security Gateway - R82
Windows Server 2016 (AD/DC, DNS, LDAP)
Windows 10 (SmartConsole client)

Your laptop hardware setup does not sound standard.

Regarding the memory in your laptop. You may have one slot that has a 32 GB module + another with a 16 GB module, and maybe the original memory was upgraded with a mismatched module.

With mismatched sizes, part of your memory may run in single-channel mode and negatively effect memory bandwidth.

You can install and run CPU-Z and look for the Channel setup in the Memory tab. Single is not good. 2 is good (e.g. 2 x 64-bit).

CPU-Z from CPUID (https://www.cpuid.com/softwares/cpu-z.html)

The HP EliteBook 650 G9 platform typically supports 64 GB (2× 32 GB) DDR4-3200. That would help.

Ensure virtualization features are enabled in BIOS:
VT-x, VT-d, Hyper-Threading, EPT.

Set Performance or Balanced Performance (instead of Battery Saver mode).

The 400GB SSD does not sound standard for that HP laptop but in any case I would go for a USB C external drive to run some or all of the VMs on.

Using the Thuderbolt port on your laptop for best performance, to run VMs and use external fast-storage.

An external NVMe enclosure using Thunderbolt 4 / USB4 basically lets you plug a high-performance M.2 NVMe SSD into a laptop via a USB-C/Thunderbolt port. But that could be expensive.

A high speed USB Type-C drive might be cheaper. I have used a Kingston SXS1000 1TB External SSD and that worked for me.

You could also use the other USB ports (USB 3.2) and an external SSD USB drive.

If you use a USB C and USB port for external SSD drives then use the USB ports on opposite sides of the laptop.

In that case you could store the Windows VMs on the USB drive and the Gaia VMs on the USB C drive.

Fixed size/pre-allocated disks should work better for VMware in these situations.

200GB virtual disk size is good for a lab SMS and SG.

The Gaia machines don't really need a lot of disk performance and since it is a lab the logging and disk activity is likely to be low after boot up.

https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=c08007866

The 8GB RAM minimum in the SMS VM will probably work but 16GB is much better. It is best to give it 16GB. Try to give at least 12GB.

The SG can work OK with 8GB but you would run out of memory and may see problems when testing with many Access Control and Threat Prevention blades all switched on at the same time (and more when running https inspection).

So you can use 8GB for the SG but keep the testing light.

8 CPU cores is ideal for both but 4 CPU cores is OK for the SG.

I would try not to run all of the VMs at the same time and would focus on keeping the Windows Server shut down as much as possible and only bring it up for the testing of Identity Awareness and related types of tests.

You could try to run the Windows Server VM on the 400GB internal drive and the Gaia VMs in the USB C drive.

If the laptop runs out of memory then it could start to page and cause a lot of extra disk activity. That is bad but if it happened and the VMs were all on external USB drives then that could help a bit. Not a good situation to be in anyway.

Can you run the SmartConsole in the host (the Laptop's Windows OS) and eliminate the need for the extra Windows 10 VM, or at least the not run the SmartConsole in a VM?

You would have to play around with the vnets and maybe the routing if you want to route traffic from the laptop OS through the SG VM.

In the Windows 10 VM stop and disable as many non-essential services as possible.

Also remove everything that you can from the Start-Up group and also uninstall as much as you can (bloat that comes with Windows 10 (e.g xbox and onedrive)).

Other notes and summary:

Prepare the Laptop (BIOS + Windows)

Plug in AC adapter → set BIOS/HP Power Mode to Performance.
Enable VT-x / EPT / VT-d / Hyper-Threading in BIOS.
Update BIOS + firmware + Intel drivers.
Confirm dual-channel DDR4-3200 is active (CPU-Z → “Channel # = Dual”).
Set Windows Power Profile = Best Performance.
Exclude E:\VMs* and F:\VMs* from Defender scans.

VMware Workstation Configuration

Create fixed-size (pre-allocated) VMDKs.
Choose NVMe controller type if offered.
Allocate vCPU + RAM carefully.
Keep snapshots ≤ 2 active; delete old ones.
Disable “auto-pause idle VMs.”

Hope that helps.

R82 Release notes:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RN/Content/Topics-RN/Open-Server-H...

Open Server / Virtual Machine Hardware Requirements

See sk168335 - Known Limitations for Open Servers and Virtual Machines.

Minimum Hardware Requirements

Check Point Product	Processor	Total CPU cores	Memory
Security Management Server	Supported Intel® Core™ i5 or equivalent	2	8 GB
Multi-Domain Server	Supported Intel® Core™ i5 or equivalent	8	32 GB
Security Gateway	Supported Intel® Core™ i5 or equivalent	2	8 GB
VSX	Supported Intel® Core™ i5 or equivalent	2	8 GB
Standalone	Supported Intel® Core™ i5 or equivalent	4	8 GB

Disk Space Requirements

These are the requirements for the entire disk device to perform a Clean Install:

Check Point Product ⁽⁴⁾	Recommended free disk space	Minimum free disk space ⁽³⁾
Security Management Server ⁽¹⁾, Dedicated Log Server ⁽¹⁾	1 TB	110 GB
Multi-Domain Security Management Server ⁽²⁾, Multi-Domain Log Server ⁽²⁾	1 TB	For the Multi-Domain Server : 100 GB For each additional Domain: 110 GB
Security Gateway	200 GB	110 GB
ClusterXL Cluster Member, VRRP Cluster Member	200 GB	110 GB
Traditional VSX Gateway, Traditional VSX Cluster Member	For the Traditional VSX Gateway / Cluster Member : 200 GB For each Traditional VSX Virtual System : 1 GB	For the Traditional VSX Gateway / Cluster Member: 100 GB For each Traditional VSX Virtual System: 1 GB
Standalone	1 TB	110 GB

Notes:

On an Open Server

/ Virtual Machine that runs a Management Server

/ Log Server

, only one upgrade is allowed.

To upgrade again, use an Advanced Upgrade (with Clean Install) or an Upgrade with Migration - see Upgrade Methods.
1. Export the management database.
2. Copy all other configuration files, in which you made manual changes.
3. Perform a Clean Install of the required version.
4. Import the management database.
5. Configure the required settings again based on the exported files.
On an Open Server / Virtual Machine, additional backup / snapshot is not supported.
On an Open Server / Virtual Machine, at least 20 GB of free disk space is required in the root partition to start the upgrade process to R82.‎
On an Open Server / Virtual Machine, the logging partition size is only large enough for minimum server operations.

Don_Paterson · ‎2025-10-18

Just as an FYI.

This is the spec recommended for a good basic R82 training lab (on Hyper-V).

SMS (Security Management Server)

Platform: Gaia R82 Build 777
Hardware

CPU : 8 cores
RAM : 12 GB
Disk : 500 GB
NIC : 1

SG (Security Gateway)

Platform: Gaia R82 Build 777
Hardware

CPU : 4 cores
RAM : 8 GB
Disk : 250 GB
NICs: 4 (mgmt, internal, dmz and external)

GUI (SmartConsole Client)

Platform: Windows 10 / 11 / Server 2019+
Hardware

CPU : 4 cores
RAM : 4 GB
Disk : 60 GB
NIC : 1

LDAP Server (Domain Controller / AD Server)

Platform: Windows Server 2019 / 2022 (2025 not supported for IA)

CPU : 4 cores
RAM : 8 GB
Disk : 250 GB
NIC : 1

ahmed_aburaihan · ‎2025-10-19

Yes, it is VMWare Workstation. It is actually Gaia R81.20.
My laptop had default 16 GB of Ram and I put another 32 GB which makes it total of 48 GB.
Disk size is approx. 476.xx GB and i do not have enough space to alot it to VMs, i also tried to use external 2 TB drive and it performed really bad.

the_rock · ‎2025-10-19

How many cores?

Best,
Andy

ahmed_aburaihan · ‎2025-10-20

4 in total.

the_rock · ‎2025-10-20

I would try 8 or 10.

Best,
Andy

PhoneBoy · ‎2025-10-20

Perhaps with a USB 3.0+ drive and an SSD/MVNE (versus spinning disk) you will see better performance here.

Don_Paterson · ‎2025-10-20

I used a fast SSD USB (C) drive with thin provisioning and it worked well for me.

Don_Paterson · ‎2025-10-18

Tim gave some good advise in your first post. Definitely keep this in mind.

https://community.checkpoint.com/t5/Cloud-Network-Security/RAM-and-CPU-Requirements-for-GW-and-SMS-i...

Watch out for allocating more RAM than your laptop has physically installed.

Meaning that the VMs that are running should not have more RAM allocated to them than your laptop has physically installed.

That is why I said that the Windows Server should not be running unless you are using it during testing. Otherwise leave it shut down and then the memory consumption is not too much and as low as possible.

the_rock · ‎2025-10-18

Excellent points Don!

Best,
Andy

Timothy_Hall · ‎2025-10-19

Regardless of memory and disk allocations, I highly doubt you will ever get acceptable performance out of this setup. While technically your CPU meets the minimum requirement of being an i5, the i5-1235U has two P-cores (which support SMT, giving 4 logical cores) and 8 E-cores, which are going to perform terribly. I have no idea if VMWare and/or your host OS distinguishes between the different types of cores (my guess is they don't - thanks Intel), so you are going to have multiple threads trying to execute on the equivalent of 8 dog-slow Atom low voltage processors, who are trying to interact with the two speedy P-cores. Big performance/buffering bottlenecks just waiting to happen (thanks Intel).

The open hardware requirements section of the R82 release notes should probably clarify this P-core/E-core thing since "total number of cores" doesn't mean what it used to, since not all cores are necessarily equal anymore (thanks Intel).

The 9300/9400 models also employ P-Cores/E-Cores and the Check Point code has to deal with them; this has already caused performance problems (VSX) and also stability problems (sk183438: Stability issue in Check Point appliances 9300 and 9400).

My advice? Disable all the 8 E-Cores in the BIOS (if supported, but I'm sure Intel in their infinite wisdom may not make this possible) and go with just the 2 P-cores with SMT enabled. It will almost certainly perform better which I know seems counter-intuitive, but there you have it.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Don_Paterson · ‎2025-10-20

Hey Tim,

As it turns out I have a HP laptop with the exact same CPU (12th Gen i5 1235U) and I have a lab running with acceptable performance.

The performance has actually been quite impressive considering I left Outlook open and a few other apps that I use regularly too while I did all the testing.

The HP Laptop has 10 Cores and 12 Logical Cores

VMware Workstation v 17.6.2 on top of Windows 11 (all up to date).

32GB RAM installed. That is after an upgrade. The laptop shipped with 16GB and I was careful to choose the upgrade module to get the best out of the DDR4 memory. 2 * 16GB Crucial.

I would have done the BIOS setup plus any other tuning I could think of when I prepared the laptop to run VMs (after the memory upgrade in May 2024).

Some details, in the form of screenshots, are in the attached PDF but here's a little bit of info about the testing I did today.

I am using a Kingston XS1000 1TB to host all 4 VMs, and I am using non-preallocated virtual disks.

The Kingston is plugged into the laptop's USB-C port (fully capable 10 Gbps USB 3.2 Gen 2 port), but not Thunderbolt.

SmartConsole GUI VM - Windows 11
SMS - R82 - B777 - 8GB RAM - 4vCPU cores (single processor) - 200GB thin drive
SG - R82 - B777 - 8GB RAM - 4vCPU cores (single processor)
Router - VyOS

The VyOS router is on VMNET8 and sitting behind the laptop's WiFi connection.

I actually built the VMs on a different PC (with the Kingston drive plugged into that other PC) so when I booted the VMs on the laptop I had to accept the VMware Workstation messages and ditch the Suspended states of some of the VMs, but after that they booted up fine.

I must have cleaned the Windows 11 GUI VM up because I found that there was no SmartConsole installed and I had to copy the SmartConsole installer onto it and install it. The install only took a few minutes.

I found that the SMS was already configured and had just one GW (an ElasticXL SMO), which I deleted to make way for the single gateway instance (a new build R82 VM with FTW completed).

While I got SIC with the GW and adjusted and installed the policy I found that it was fast to respond.

I did not notice any delays apart from the usual experience of browsing the SmartConsole after the first time log in with the newly installed SmartConsole.

The first policy install took about 43 seconds.

The APPI and IPS database updates took under 15 minutes and I ran them in parallel to push the SMS VM and the HP host a little bit to see how they responded. There were no freezes or delays.

As soon as the Windows 11 SmartConsole VM got internet access it started to download 24H2 (and who knows what else), so that was running in the background but did not cause any issues.

The TP policy install, following enabling the IPS blade, was quick (16 seconds) and the CPU spikes (watching cpview) after installation were short lived (1 or 2 minutes).

I rebooted the SMS to measure that process. It came back quick and it took 7 mins 30 seconds to fully initialize, and stop consuming all CPU resources, before allowing the SmartConsole to reconnect.

That's actually pretty good with all things considered. This lab setup slightly outperforms the labs I work more in (Skillable) but that is not a big surprise since this is a single platform and not a shared cloud platform (shared storage with Hyper-V and whatever else they have going on in there).

Also having just the 4 VMs running, and stored on the external drive seems to make a difference.

The laptop fan was running the whole time, and the CPUs were hot, going up into the 70s - degrees C (158 F) (https://www.alcpu.com/CoreTemp/)

This is not the system I normally run VMs on but If I was going to spend time working on the VMs on the laptop then I would close all other apps, stop all unnecessary services, kill unneeded apps, and arrange better cooling for the laptop.

I would probably also try to run one or two of the VMs from a different USB port.

All in all it's been quite impressive and I would not hesitate to use this setup to do some testing and labs.

Hope this is helpful.

Regards,

Don

Don_Paterson · ‎2025-10-20

Just want to add an update here since I've been in the rabbit hole.

VMware Workstation versioning have changed. They now have a new version, 25H2.

I upgraded my version from 17 to 25H2 and the VMs are actually running faster now.

The SmartConsole Windows 11 VM needed two reboots to update the UEFI bits and then to install the new VMware Tools.

In that 6 minutes the SMS finished initializing and allowed SmartConsole login, which was then faster than before.

VMware Workstation 17.5 added integrating with Windows 11’s Intel Thread Director so it must be some other refinements that they have added that helped with performance. That is unless my v 17 was not optimally configured.

https://techdocs.broadcom.com/us/en/vmware-cis/desktop-hypervisors/workstation-pro/25H2/release-note...

I had to disabled Memory integrity (Hyper-V) in the Windows 11 host, so that VMware Workstation 25H2 would install and then use the native VMware hypervisor, and not Hyper-V.

It looks like the scheduler is letting the VMs sit on P-cores (physical core 1 and 2) and I saw one logical CPU pushed quit hard while doing a simply stress test in the SG VM.

When I kicked off the JHFA Take 39 download on the SMS and SG at the same time, and then after that the upgrades, also in parallel, then I saw the other CPUs kick in but nothing was ever pegged at 100%, and it seemed to favour the P-cores (put them to work more). But it looked like a balanced load.

The SMS and SG were done upgrading in about 15 minutes.

I was impressed and it was an interesting exercise.

Are you a member of CheckMates?

CCSA/CCSE Labs on HP Notebook - Performance Issue

Prepare the Laptop (BIOS + Windows)

VMware Workstation Configuration

Open Server / Virtual Machine Hardware Requirements

Minimum Hardware Requirements

Disk Space Requirements