This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ERTK
Contributor
Contributor
‎2026-03-02 12:10 AM

Question About limit concurrent connections on maestro platform.

Hi

i have some dubts about maestro platform an limit concurrent connections behaviour and configuration.

i have an environment maestro dual site, with 3 SGM per site, one SG and VSX /vsls with 2 vs configured, one vs active per site.

if i configure limit concurrent connection for vs1 to 100k, is it 100k for global or 100k per SGM that was included on SG?

Another question, how can i check the total number of concurrent connections ?

if i run vsx stat -l , it gave me a number

if i run g_fw tab -t connections -s , it gave me 6 diferent numbers

..........

Thanks in advanced

 

0 Kudos
11 Replies
Martijn
MVP
MVP
‎2026-03-02 12:28 AM

Hi,

The SGM's act as independet gateways that share a single configuration. So setting the limit to 100k connections is per SGM as far as I know. The same as setting CoreXL firewall instances on a VS. If you set the number of firewall instances, this number is per SGM.

Which version are you running? In R82 you can get more details with 'insights'.  You can also check the number of connections per SGM with the 'asg perf' command.

Martijn

0 Kudos
ERTK
Contributor
Contributor
‎2026-03-02 12:45 AM
In response to Martijn

i understand.

so if i configure 100k and the connections balance is properly it means that SG will be able to manage about 300k conncetions.

about cores, it means that if i put 2 cores on this vs, i have 2 fireweall workers in each SGM of this SG....isnt it?

verion:

R81.20 jha 118.

 

 

about asg perf -v.....yes but if gave much more number...maybe sums all SGM connections.

 

thank u for your answer 

0 Kudos
Martijn
MVP
MVP
‎2026-03-02 12:58 AM
In response to ERTK

Hi,

Correct.

100k connection per VS is 300k on a Security Group with 3 members. The same for cores. If you configure 2 cores (firewall instances) on a VS, that VS will get 2 firewalls instances per SGM.

The 'asg perf' command has more options. You can get more details with the '-vv' option and you can check per VS.
If distribution is configured correctly the concurrent connections per SGM should be about the same. 

Regards,
Martijn

emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2026-03-02 01:39 AM
In response to Martijn

You get 100K connections per VS but remember that every connection has an Active and a Backup SGM, so each connection is effectively counted twice in the connection tables across all SGMs. So when calculating the total amount of possible connections you should halve the value you configure in SmartConsole and use that as your per-SGM connection limit calculation. 

Martijn
MVP
MVP
‎2026-03-02 01:48 AM
In response to emmap

Good point @emmap

0 Kudos
ERTK
Contributor
Contributor
‎2026-03-02 02:16 AM
In response to emmap

if i understand properly, each connection is effectively counted 3 times, (it is a dual site environment, one active, one bck in the same site and another bck on the other site).

Thanks u very much i appreciate your answerers to get more knowledge about this topic.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2026-03-02 07:02 AM
In response to ERTK

Each connection is counted 3 times in a Maestro Active/Backup Dual Site configuration.  However, if NAT is involved with a connection in this scenario, it is counted a total of 6 times:

  • Active Site - pre-NAT  primary
  • Active Site - pre-NAT backup successor
  • Active Site - post-NAT primary
  • Active Site - post-NAT backup successor
  • Backup Site - pre-NAT primary
  • Backup Site - post-NAT primary

This is why it is very important to max out the RAM in Maestro gateways if possible, since the "maximum connections" data sheet number for each gateway at a given RAM level needs to be cut in half for use with Maestro, and then cut in half again if NAT is involved.  And those quoted numbers are for IPv4.  Even if you avoid NAT by exclusively using IPv6, it takes twice as much RAM to track each IPv6 connection as it does for IPv4, so you are still down to 25% of the published number for maximum concurrent connections per individual Maestro SGM appliance, even with exclusive use of IPv6.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
ERTK
Contributor
Contributor
‎2026-03-02 11:39 PM
In response to Timothy_Hall

Thank u. I`ll take it into account

I was finding few resources about this kind of topics. 

will this kind of low level tuning be available on your new book?

0 Kudos
Vanness_Chen
Explorer
‎2026-03-03 12:10 AM
In response to emmap

Hi emmap:

If I have three SGMs, and each SGM is handling approximately 300,000 concurrent connections, does that mean the value configured in SmartConsole needs to be set to more than 900,000?

0 Kudos
ERTK
Contributor
Contributor
‎2026-03-03 12:16 AM
In response to Vanness_Chen

Hi,

I think that the smart console value is by SGM, it means a value of 100k on max limit connections on SC, is a 100K per SGM.....if SG is properly balance it means 100k + 100k + 100k

 

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2026-03-03 12:35 AM
In response to ERTK

Yes, exactly this - but then taking into consideration what @Timothy_Hall put in the earlier post there.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events