Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Pearl

Default and maximum memory per VS in VSX R80.10

Since R80.10 virtual systems are 64 bit, how is the memory allocation per VS instance works in it and could the amount of RAM for VS's be configured either globally or per VS?

Tags (1)
0 Kudos
15 Replies
Highlighted
Admin
Admin

As I recall, you cannot directly control how much memory a VS uses.

What you CAN do is control the number of concurrent connections supported, and this can be done per VS.

Each connection requires a specific amount of memory depending on the blades used and the like.

Highlighted
Pearl

Dameon,

Prior to R80.10 the VS's were limited to 4GB as they were 32 bit. It was possible then to have a rough idea of how many VS's we can run on appliance.

If newer version perform dynamic memory allocation per instance, how are we supposed to size the appliances? 

0 Kudos
Highlighted
Admin
Admin

The relevant appliance datasheet tells you how many VSes an appliance supports (both with "default" and "max" memory installed).

However, I assume those numbers are based on optimistic assumptions (15k connections per VS, firewall only). 

Each established connection takes anywhere from 2k to 23k per entry, depending on blade mix in use.

0 Kudos
Highlighted
Pearl

Dameon,

Thank you for clarification although, admittedly, I would like to get more clarity on this subject.

https://community.checkpoint.com/people/kaspa0460ae43-b630-4a72-b063-0a8888fa3bb5‌, can you chime in on this subject?

Regards,

Vladimir

0 Kudos
Highlighted
Admin
Admin

Completely understand as the public documentation on this is not concrete--I'll see if I can get someone to elaborate Smiley Happy

Meanwhile, I can say that a 4GB VS (assuming old 32bit limit) would support roughly 500k of connections, depending on blade mix.

There is a little more overhead for 64bit, but that's probably a good place to start spitballing. 

Highlighted
Pearl

Hmm... in your previous reply you've mentioned 15K per VS with Firewall only. In the last one it is 500K in 32 bit. Am I missing something?

0 Kudos
Highlighted
Admin
Admin

Like I said before, the amount of memory a VS takes depends entirely on:

  • The blades configured for that VS
  • The number of connections that VS is configured to support

Obviously there is some other overhead for each VS plus the base OS.

The default setting when you create a VS is 15k connections, which will take far less memory than when you configure it to support, say, 500k.

I know from past experience that a 32bit firewall with 4GB of RAM without VSX can support several hundred thousand connections, again depending on blades configured. 

Obviously, if your VS is only configured to supports 15k connections, it will take far less RAM than 4GB.

Again, I'll see if I can get more specific information.

Highlighted
Pearl

Thanks!

I didn't realize that the 500K was referring to non-VSX for rough comparison. It makes more sense to me now. 

0 Kudos
Highlighted

I guess it's fairly well covered by now Smiley Happy Can just add real life example on fairly simple firewall setup with only FW, VPN and IA blades it uses ~3GB for 300k connections which equates to ~10kB per connection.

Highlighted
Nickel

Clearly what would be a good idea is to actually update the sizing tool on the Checkpoint site to account for how many VS, what blades and roughly how many concurrent connections would be required.

We have a pair of 15600's, currently with 32GB RAM, additionally have 4 blades turned on.  We have about 5 VSs running on there.  OS is R80.20 and was running JHA47 (now JHA87)

Total peak connections 130K

We ran into, what I believe where memory issue so we failed over a heaviest VS over to the standby node which resolved our issue.

We have a few more VSs to add which require around 410K in total.

We have order additional memory to take the units to 64GB, however a sizing tools may have helped avoid this issue.

0 Kudos
Highlighted

Keep in mind that even when the VS is not even handling any traffic, in R80.20 plain it already uses up 750MB per VS. When you add Jumbo 80 or higher another 100MB per VS is added.
You can see the memory used per VS within cpview, advanced, VSX, VSs, statistics (you will get the question if you want to enable statistics. type a and y to do so)
After about a minute you will see memory usage per VS and vSwitch.
Regards, Maarten
Highlighted
Nickel

Great will give that a go!

0 Kudos

We have two 15600 appliances in VSX with VSLS, 

Each module have 3 VS. In the module1 we have 22GB of memory and in the module2 wehave 17GB, each one has 32GB. However, The mod2 have more connections than mod1. Should be more memory in the mod2 that mod1 agree amount of connections? 

Although VSs in mod1 have App control, url filtering, identit awareness, monitor, antibot - antivirus. 

Any advice or agree the context is ok ?

 

 

0 Kudos
Highlighted
Nickel

Hi Julian,

Not sure, what you mean by module1 & 2, if you mean you have two 15600s with different physical memory configurations then firstly not sure why this would be the case as I would recommended that the hardware is correctly matched.

Also it may be useful to determine how many concurrent connections are beginning used per VS and how many cores are assigned per VS.

If you want to know the overall amount of free memory then you could simply run 'cpview'.

I am not aware of a way to actually determine how much memory a specific VS is actually using (Would love to know this, perhaps someone can script something?)

I would only be concerned if you are using swap memory.

See the following when I asked a similar question

https://community.checkpoint.com/t5/General-Topics/Physical-memory-is-high/td-p/32267

0 Kudos
Highlighted

What sizing tool your recommended?

 

0 Kudos