Dameon,

Prior to R80.10 the VS's were limited to 4GB as they were 32 bit. It was possible then to have a rough idea of how many VS's we can run on appliance.

If newer version perform dynamic memory allocation per instance, how are we supposed to size the appliances? 

The relevant appliance datasheet tells you how many VSes an appliance supports (both with "default" and "max" memory installed).

However, I assume those numbers are based on optimistic assumptions (15k connections per VS, firewall only). 

Each established connection takes anywhere from 2k to 23k per entry, depending on blade mix in use.

Completely understand as the public documentation on this is not concrete--I'll see if I can get someone to elaborate

Meanwhile, I can say that a 4GB VS (assuming old 32bit limit) would support roughly 500k of connections, depending on blade mix.

There is a little more overhead for 64bit, but that's probably a good place to start spitballing. 

Hmm... in your previous reply you've mentioned 15K per VS with Firewall only. In the last one it is 500K in 32 bit. Am I missing something?

Like I said before, the amount of memory a VS takes depends entirely on:

• The blades configured for that VS
• The number of connections that VS is configured to support

Obviously there is some other overhead for each VS plus the base OS.

The default setting when you create a VS is 15k connections, which will take far less memory than when you configure it to support, say, 500k.

I know from past experience that a 32bit firewall with 4GB of RAM without VSX can support several hundred thousand connections, again depending on blades configured. 

Obviously, if your VS is only configured to supports 15k connections, it will take far less RAM than 4GB.

Again, I'll see if I can get more specific information.

Thanks!

I didn't realize that the 500K was referring to non-VSX for rough comparison. It makes more sense to me now. 

I guess it's fairly well covered by now  Can just add real life example on fairly simple firewall setup with only FW, VPN and IA blades it uses ~3GB for 300k connections which equates to ~10kB per connection.

Clearly what would be a good idea is to actually update the sizing tool on the Checkpoint site to account for how many VS, what blades and roughly how many concurrent connections would be required.

We have a pair of 15600's, currently with 32GB RAM, additionally have 4 blades turned on.  We have about 5 VSs running on there.  OS is R80.20 and was running JHA47 (now JHA87)

Total peak connections 130K

We ran into, what I believe where memory issue so we failed over a heaviest VS over to the standby node which resolved our issue.

We have a few more VSs to add which require around 410K in total.

We have order additional memory to take the units to 64GB, however a sizing tools may have helped avoid this issue.

Great will give that a go!

We have two 15600 appliances in VSX with VSLS, 

Each module have 3 VS. In the module1 we have 22GB of memory and in the module2 wehave 17GB, each one has 32GB. However, The mod2 have more connections than mod1. Should be more memory in the mod2 that mod1 agree amount of connections? 

Although VSs in mod1 have App control, url filtering, identit awareness, monitor, antibot - antivirus. 

Any advice or agree the context is ok ?

Hi Julian,

Not sure, what you mean by module1 & 2, if you mean you have two 15600s with different physical memory configurations then firstly not sure why this would be the case as I would recommended that the hardware is correctly matched.

Also it may be useful to determine how many concurrent connections are beginning used per VS and how many cores are assigned per VS.

If you want to know the overall amount of free memory then you could simply run 'cpview'.

I am not aware of a way to actually determine how much memory a specific VS is actually using (Would love to know this, perhaps someone can script something?)

I would only be concerned if you are using swap memory.

See the following when I asked a similar question

https://community.checkpoint.com/t5/General-Topics/Physical-memory-is-high/td-p/32267

What sizing tool your recommended?