What is the limit or default value of concurrent connections?
Will the command fw ctl pstat also include any expired sessions in the value?
How can we check whether any expired connections were present in the concurrent connections when we run fw ctl pstat?
Unless you've explicitly set a limit, the limit is available memory, and depends on the features enabled.
The datasheet for the relevant appliance will tell you what is supported in this regard.
The connections table only includes active connections.
Once a connection terminates, expires, or is removed due to "aggressive aging" (an IPS protection), it is removed from the connections table.
For a 15600 appliance, what is the limit in the datasheet? And there are 4 VSs.
Datasheet has:
5 to 10 million concurrent connections, 64 byte response (performance measured with default/maximum memory)
In VSX the limit is manually set / configured per VS.
You should review it on a needs basis considering expected traffic & available memory capacity.
Depends on how much RAM you have. Check the output of 'free -h'. Subtract 3 GB for the OS. For just firewalling, 500k per gigabyte remaining is reasonable. For firewalling plus IPS plus threat emulation plus whatever else, expect more like 200k connections per gigabyte.
With VSX, the above gives you the total capacity of the box, which you then manually split between VSs. Even with a base 15600 with four VSs, you should be able to get over half a million connections per VS without going to extreme lengths.
That's interesting. Just curious, does such a calculation apply to ANY CP setup, regardless of whether it's a physical appliance or a VM/open server?
Andy
Absolutely. Check Point's branded boxes are just open servers with weird PCIe slots. Take a look at the datasheets for the 15600, 16200, QLS250, etc. Very roughly, they say 16 GB supports ~6M connections, 32 GB supports 8-12M, 64 GB supports 16-25M, and 128 GB supports ~32M. Newer datasheets revise the connections per gigabyte down as new features consume some RAM.
The important thing to keep in mind is that the OS consumes some amount (generally fairly constant, and generally goes up a little with each major version), and the features you enable consume some amount per instance of the feature (i.e., per VS with it enabled).
RAM is cheap. If you're building a firewall for a given connection capacity, go with the 200k per gigabyte (or even 150k per gigabyte), give yourself an extra 25%, and round up to the next stick you need for optimal bank interleaving.
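The sizing rules of thumb from the two replies above (subtract ~3 GB for the OS, 500k connections per remaining GB for plain firewalling or 200k with deep inspection, then add 25% headroom and round up to whole DIMMs when sizing a build), as an added example script that is not part of the original thread. The OS reserve, per-GB rates and DIMM size are the thread's heuristics or assumed parameters, not vendor figures.

```python
"""Rule-of-thumb connection-capacity sizing for a Check Point gateway.

Forward: given RAM, estimate how many concurrent connections fit (and the
even per-VS share on VSX). Reverse: given a required capacity, estimate how
much RAM to buy. All constants are the thread's rules of thumb, not vendor
numbers; adjust them to the appliance and software version in use.
"""
from math import ceil

OS_RESERVE_GB = 3.0              # thread's estimate of Gaia's baseline RAM use
RATE_FW_ONLY = 500_000           # connections per GB, firewall only
RATE_DEEP_INSPECTION = 200_000   # connections per GB with IPS / TE / etc.


def estimate_capacity(total_ram_gb, deep_inspection=False, vs_count=1):
    """Return (total_connections, per_vs_connections) for total_ram_gb of RAM.

    On VSX the total is what the box can hold; the per-VS value here is an
    even split, whereas the real limit is configured manually per VS."""
    usable_gb = max(total_ram_gb - OS_RESERVE_GB, 0)
    rate = RATE_DEEP_INSPECTION if deep_inspection else RATE_FW_ONLY
    total = int(usable_gb * rate)
    return total, total // max(vs_count, 1)


def ram_for_capacity(required_connections, per_gb=RATE_DEEP_INSPECTION,
                     headroom=0.25, dimm_gb=16):
    """Reverse sizing: RAM (GB) to buy for required_connections.

    Uses the conservative per-GB rate, adds headroom, adds the OS reserve and
    rounds up to whole DIMMs of dimm_gb (an assumed parameter; pick it to
    match the appliance's bank layout for interleaving)."""
    conn_gb = required_connections * (1 + headroom) / per_gb
    needed_gb = conn_gb + OS_RESERVE_GB
    return ceil(needed_gb / dimm_gb) * dimm_gb


if __name__ == "__main__":
    total, per_vs = estimate_capacity(16, deep_inspection=True, vs_count=4)
    print(f"16 GB, deep inspection, 4 VS: {total:,} total, {per_vs:,} per VS")
    print(f"RAM for 5M connections with IPS: {ram_for_capacity(5_000_000)} GB")
```

With 16 GB and deep inspection the even split across four VSs comes out at 650k per VS, which matches the "over half a million per VS" figure quoted above.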
That makes sense. I will say though that, like most fw vendors, those datasheets represent a PERFECT scenario, which literally never happens, and take into account a single rule any any allow, that's it. They don't really represent any customer's actual live environment.
Andy
Connection capacity is much less sensitive to the environment than throughput is. The only real way to reduce it is enabling the deep inspection features which consume more baseline RAM, leaving less space for connections. Without those, you can actually get much higher connection counts than the datasheets suggest for a given amount of RAM.
Is there any way that we can set alert messages in SmartConsole or anywhere else, when the concurrent connections reach 80%?
The only way to get those alerts in SmartConsole is to enable Aggressive Aging.
However, it will be based on overall memory usage, not percentage of the connections table being full: https://support.checkpoint.com/results/sk/sk122154
Otherwise, it will need to be monitored with SNMP, Skyline, or something else.
Can you explain how we get an alert if we enable AA and how it will work?
And also, is there any command to delete the TCP connections?
Aggressive Aging will generate specific logs when it is activated.
If you have SmartEvent, you should be able to run a report/trigger an alert on one of these logs.
While it is possible to remove entries from the firewall tables (including connections) using fw tab -x (with correct arguments), this is not recommended.
Refer to the docs: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CL...
When AA is enabled, what logs will be generated?
When we have SmartEvent on, what logs can we run a report/trigger on?
If possible, can you explain more?
Here's an example:
Source: https://community.checkpoint.com/t5/Security-Gateways/Aggressive-Aging/td-p/49209
Can we set the concurrent connection limit for a specific rule which has a small group of users?
If yes, how can we get this configuration?
Never heard of that, but it would be really useful if it can be done. The closest thing I can think of would be QoS.
Andy
Sort of, check out the concurrent-conns and concurrent-conns-ratio options to fwaccel dos: sk112454: How to configure Rate Limiting rules for DoS Mitigation (R80.20 and higher) You can also limit new connection rates as well.
However this mechanism is implemented in SecureXL and thus can only match IP addresses/ranges/networks and/or port numbers for enforcement; it cannot leverage user identity/group information to my knowledge.
Not that I'm aware of.
@PhoneBoy explained it perfectly, that's your answer.
Andy