This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2018-01-26 04:22 PM

Default and maximum memory per VS in VSX R80.10

Since R80.10 virtual systems are 64 bit, how is the memory allocation per VS instance works in it and could the amount of RAM for VS's be configured either globally or per VS?

0 Kudos
15 Replies
PhoneBoy
Admin
Admin
‎2018-01-26 09:54 PM

As I recall, you cannot directly control how much memory a VS uses.

What you CAN do is control the number of concurrent connections supported, and this can be done per VS.

Each connection requires a specific amount of memory depending on the blades used and the like.

Vladimir
Champion
Champion
‎2018-01-27 04:19 AM
In response to PhoneBoy

Dameon,

Prior to R80.10 the VS's were limited to 4GB as they were 32 bit. It was possible then to have a rough idea of how many VS's we can run on appliance.

If newer version perform dynamic memory allocation per instance, how are we supposed to size the appliances? 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-27 01:35 PM
In response to Vladimir

The relevant appliance datasheet tells you how many VSes an appliance supports (both with "default" and "max" memory installed).

However, I assume those numbers are based on optimistic assumptions (15k connections per VS, firewall only). 

Each established connection takes anywhere from 2k to 23k per entry, depending on blade mix in use.

0 Kudos
Vladimir
Champion
Champion
‎2018-01-28 06:05 AM

Dameon,

Thank you for clarification although, admittedly, I would like to get more clarity on this subject.

https://community.checkpoint.com/people/kaspa0460ae43-b630-4a72-b063-0a8888fa3bb5‌, can you chime in on this subject?

Regards,

Vladimir

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-28 12:46 PM
In response to Vladimir

Completely understand as the public documentation on this is not concrete--I'll see if I can get someone to elaborate Smiley Happy

Meanwhile, I can say that a 4GB VS (assuming old 32bit limit) would support roughly 500k of connections, depending on blade mix.

There is a little more overhead for 64bit, but that's probably a good place to start spitballing. 

Vladimir
Champion
Champion
‎2018-01-28 01:07 PM
In response to PhoneBoy

Hmm... in your previous reply you've mentioned 15K per VS with Firewall only. In the last one it is 500K in 32 bit. Am I missing something?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-28 01:21 PM
In response to Vladimir

Like I said before, the amount of memory a VS takes depends entirely on:

  • The blades configured for that VS
  • The number of connections that VS is configured to support

Obviously there is some other overhead for each VS plus the base OS.

The default setting when you create a VS is 15k connections, which will take far less memory than when you configure it to support, say, 500k.

I know from past experience that a 32bit firewall with 4GB of RAM without VSX can support several hundred thousand connections, again depending on blades configured. 

Obviously, if your VS is only configured to supports 15k connections, it will take far less RAM than 4GB.

Again, I'll see if I can get more specific information.

Vladimir
Champion
Champion
‎2018-01-28 01:27 PM
In response to PhoneBoy

Thanks!

I didn't realize that the 500K was referring to non-VSX for rough comparison. It makes more sense to me now. 

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-01-29 06:47 AM
In response to Vladimir

I guess it's fairly well covered by now Smiley Happy Can just add real life example on fairly simple firewall setup with only FW, VPN and IA blades it uses ~3GB for 300k connections which equates to ~10kB per connection.

genisis__
Mentor Mentor
Mentor
‎2019-07-20 12:00 AM
In response to PhoneBoy

Clearly what would be a good idea is to actually update the sizing tool on the Checkpoint site to account for how many VS, what blades and roughly how many concurrent connections would be required.

We have a pair of 15600's, currently with 32GB RAM, additionally have 4 blades turned on.  We have about 5 VSs running on there.  OS is R80.20 and was running JHA47 (now JHA87)

Total peak connections 130K

We ran into, what I believe where memory issue so we failed over a heaviest VS over to the standby node which resolved our issue.

We have a few more VSs to add which require around 410K in total.

We have order additional memory to take the units to 64GB, however a sizing tools may have helped avoid this issue.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-07-21 02:33 PM
In response to genisis__

Keep in mind that even when the VS is not even handling any traffic, in R80.20 plain it already uses up 750MB per VS. When you add Jumbo 80 or higher another 100MB per VS is added.
You can see the memory used per VS within cpview, advanced, VSX, VSs, statistics (you will get the question if you want to enable statistics. type a and y to do so)
After about a minute you will see memory usage per VS and vSwitch.
Regards, Maarten
genisis__
Mentor Mentor
Mentor
‎2019-07-23 09:57 AM
In response to Maarten_Sjouw

Great will give that a go!

0 Kudos
Julian_Sanchez
Collaborator
‎2020-06-01 05:44 PM
In response to Maarten_Sjouw

We have two 15600 appliances in VSX with VSLS, 

Each module have 3 VS. In the module1 we have 22GB of memory and in the module2 wehave 17GB, each one has 32GB. However, The mod2 have more connections than mod1. Should be more memory in the mod2 that mod1 agree amount of connections? 

Although VSs in mod1 have App control, url filtering, identit awareness, monitor, antibot - antivirus. 

Any advice or agree the context is ok ?

 

 

0 Kudos
genisis__
Mentor Mentor
Mentor
‎2020-06-02 12:51 AM
In response to Julian_Sanchez

Hi Julian,

Not sure, what you mean by module1 & 2, if you mean you have two 15600s with different physical memory configurations then firstly not sure why this would be the case as I would recommended that the hardware is correctly matched.

Also it may be useful to determine how many concurrent connections are beginning used per VS and how many cores are assigned per VS.

If you want to know the overall amount of free memory then you could simply run 'cpview'.

I am not aware of a way to actually determine how much memory a specific VS is actually using (Would love to know this, perhaps someone can script something?)

I would only be concerned if you are using swap memory.

See the following when I asked a similar question

https://community.checkpoint.com/t5/General-Topics/Physical-memory-is-high/td-p/32267

0 Kudos
Julian_Sanchez
Collaborator
‎2020-06-01 05:36 PM
In response to genisis__

What sizing tool your recommended?

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events