- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
During heavy load on your firewall busiest periods you can get connection failures I read. As mentioned in other threads on this community you can run this command to see if your firewall reached the limit:
fw tab -t connections -s
But default on new installations og Gaia it's not configured a limit nmber of concurrent connections. On your firewall object in SmartConsole it's set to automatically:
So my question is what is the limit actually set to then? My gateway has 16GB of RAM. Output of the above command:
I see that since boot up that the peak was at 21394 concurrent connections. But since I actually don't know the limit and if this is low or high what do I get out of this command? How do I know if new connections were dropped (not from firewall policy) because firewall could not keep track of the new connection?
The setting "Automatically" is selected by default if the firewall object is set for Gaia as the OS. If you want to set it manually, the settings depends on your traffic and resources. The setting affect the VPN kernel. Lets assume you have 1000+ remote users, which are connect to office network thorugh the mobile access blade, it creates multiple connections ( from user to gateway, from gateway to internal rdp server). So on the example environment you should increase the maximum concurrent connections, by default maximum is 25000, increase the limit 27000 (2 times 1000). You can read for more information >
Capacity Optimization and Connections Table
If you set the maximum conn manually and for somehow it reached the limit , you can run the following command to check if there is dropped connection because of connection limit.
fw ctl zdebug + drop
You may see something like that >
By the way you can can run following command to gather statistics about the connections .
fw ctl pstat
Connections:
17907 total, 2214 TCP, 10855 UDP, 21 ICMP,
4817 other, 0 anticipated, 8 recovered, 8 concurrent,
68 peak concurrent
*
total - Since last machine boot time.
other - Other protocols (Not TCP/UDP/ICMP)
concurrent - At the time the output was taken.
peak concurrent - Since last machine boot time.
Hi Edson, aggressive aging gets activated only when connection table is getting full thus "cleaning" up idle connections much quicker than normally. This is to allow you to process new connections when you are near capacity. Technically it sounds a "good and helpful" feature (and it is mostly!) but I have to admit we have seen some strange behaviour when AA was active - some RDP connections over SSL did not work for example. I would say - if you see AA active, act on it, fix it, it's not a "normal" state 
more like a workaround till you free up memory/tables
Like my example with peak at 21394 concurrent connections, what does that tell me? Was that close to maximum what the firewall could handle before starting to drop new connections? I mean I don't know the treshold and when to start to worry without waiting for the next storm and run fw ctl zdebug drop command
Ok so you are asking actually how many connections can your firewall handle? For example if you set the limit automatically, when will the firewall reach the maximum connection limit ? Like Kaspars Zibarts said, with these resources, can't be that you were anywhere near the limit with this small number.
Maybe the appliance datasheet can help, there is statistics about conn under performance section. Perhaps you can make an inference from these datas.
You can always guestimate based on current state of fw ctl pstat
for example
System Capacity Summary:
Memory used: 9% (1175 MB out of 11845 MB) - below watermark
Concurrent Connections: 24946 (Unlimited)
Aggressive Aging is enabled, not active
You could easily rough estimate that we could run 10 times as many connections on this firewall (at current usage of 9%), so 10 x 25k = 250000
It's very hard to put exact number as it depends on blades that are enabled and NAT usage
A simple FW connection will only consume ~10kB whereas in example above you can see that each connection was ~40kB that's because IA, IPS and AB is enabled on that gateway
Thank you. I find this interesting:
Around the same memory usage in percent but very different numbers in connections. So based on a rough calculation
10 x 7k = 70 000. Several blades are enabled.
The actual amount of memory a connection takes up depends on the blades in use.
We used to have a public SK that explained memory usage, but I think it's internal only now.
IPv6 uses more memory also
| User | Count |
|---|---|
| 25 | |
| 11 | |
| 7 | |
| 7 | |
| 6 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 2 |
Wed 05 Nov 2025 @ 11:00 AM (EST)
TechTalk: Access Control and Threat Prevention Best PracticesThu 06 Nov 2025 @ 10:00 AM (CET)
CheckMates Live BeLux: Get to Know Veriti – What It Is, What It Does, and Why It MattersTue 11 Nov 2025 @ 05:00 PM (CET)
Hacking LLM Applications: latest research and insights from our LLM pen testing projects - AMERTue 11 Nov 2025 @ 10:00 AM (CST)
Hacking LLM Applications: latest research and insights from our LLM pen testing projects - EMEA