for 15600 appliance in datasheet what the limit ? and there are 4 VS

Datasheet has:

In VSX the limit is manually set / configured per VS. 

You should review it on a needs basis considering expected traffic & available memory capacity.

Depends on how much RAM you have. Check the output of 'free -h'. Subtract 3 GB for the OS. For just firewalling, 500k per gigabyte remaining is reasonable. For firewalling plus IPS plus threat emulation plus whatever else, expect more like 200k connections per gigabyte.

With VSX, the above gives you the total capacity of the box, which you then manually split between VSs. Even with a base 15600 with four VSs, you should be able to get over half a million connections per VS without going to extreme lengths.

Thats interesting. Just curious, does such calculation apply to ANY cp setup, regardless if its physical appliance or VM/open server?

Andy

Absolutely. Check Point's branded boxes are just open servers with weird PCIe slots. Take a look at the datasheets for the 15600, 16200, QLS250, etc. Very roughly, they say 16 GB supports ~6M connections, 32 GB supports 8-12M, 64 GB supports 16-25M, and 128 GB supports ~32M. Newer datasheets revise the connections per gigabyte down as new features consume some RAM.

The important thing to keep in mind is that the OS consumes some amount (generally fairly constant, and generally goes up a little with each major version), and the features you enable consume some amount per instance of the feature (i.e, per VS with it enabled).

RAM is cheap. If you're building a firewall for a given connection capacity, go with the 200k per gigabyte (or even 150k per gigabyte), give yourself an extra 25%, and round up to the next stick you need for optimal bank interleaving.

That makes sense. I will say though that like most fw vendors, those data sheets represent PERFECT scenario, which literally never happens, and take into an account single rule any any allow, thats it. They dont really represent any customer's actual live environment.

Andy

Connection capacity is much less sensitive to the environment than throughput is. The only real way to reduce it is enabling the deep inspection features which consume more baseline RAM, leaving less space for connections. Without those, you can actually get much higher connection counts than the datasheets suggest for a given amount of RAM.

is there any way that we can set an alerts messages in smart console or any where, when the concurrent connection reach to 80%  ?

The only way to get those alerts in SmartConsole is to enable Aggressive Aging.
However, it will be based on overall memory usage, not percentage of the connections table being full: https://support.checkpoint.com/results/sk/sk122154 
Otherwise, it will need to be monitored with SNMP, Skyline, or something else.

can explain how we get an get an alert if we enable AA and how does it will works ?

and also any command to delete the TCP connections

Aggressive Aging will generate specific logs when it is activated.
If you have SmartEvent, you should be able to run a report/trigger an alert on one of these logs.

While it is possible to remove entries from the firewall tables (including connections) using fw tab -x (with correct arguments), this is not recommended.
Refer to the docs: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CL... 

when AA is enabled what logs will generate ? 

when we have smart event on what logs we can run report/tigger report ?

if possible can explain more ?

Here's an example:

Source: https://community.checkpoint.com/t5/Security-Gateways/Aggressive-Aging/td-p/49209 

can we set the concurrent connection limit for specific rule which have small gruop of users ?

if yes how can get this configuration.

Never heard of that, but would be really useful if it can be done. Closest I can think of something like that would be QoS.

Andy

Sort of, check out the concurrent-conns and concurrent-conns-ratio options to fwaccel dos:  sk112454: How to configure Rate Limiting rules for DoS Mitigation (R80.20 and higher)    You can also limit new connection rates as well.

However this mechanism is implemented in SecureXL and thus can only match IP addresses/ranges/networks and/or port numbers for enforcement; it cannot leverage user identity/group information to my knowledge.

Not that I'm aware of.