Checkpoint concurrent sessions and memory calculation / How to define connections capacity for available RAM on Firewall?

How do I make FireWall-1 Support More Connections? (FireWall-1 Performance Tuning)

Product: VPN-1 Power/UTM
Last Modified: 14-Apr-2009

General Performance Considerations

The following are general recommendations that can significantly improve VPN-1 performance:

  • Always use the latest Check Point and IPSO versions

  • Place the most commonly accessed rules on top of the rulebase

  • Keep the rulebase small & simple. Reduce the number of rules by combining similar rules together

  • Disable any FireWall-1 implied rules that you do not need

  • If not using VPN (encryption) on the module, make sure the VPN-1 Power product is disabled on that module

  • If using VPN, use AES-128 instead of 3DES or AES-256

  • To improve VPN performance, use VPN Hardware Accelerator card.

  • Avoid using Domain objects

  • Use Networks instead of address ranges in NAT

  • Disable Decrypt on accept property if not using VPN (encryption)

  • Keep logging to a minimum

  • When using an LDAP server as the user database, minimize the number of groups


Make sure the SecureXL mechanism is enabled. It optimizes the flow of certain types of packets. For more details, refer to KB1354215. Check its status with:

nokia[admin]# fwaccel stat
Accelerator Status : on
Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, VirtualDefrag, GenerateIcmp,
                       IdleDetection, Sequencing, TcpStateDetect,
                       AutoExpire, DelayedNotif, McastRouting,
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, ESP, LinkSelection, DynamicVPN,
                        NatTraversal, EncRouting

For IPSO 3.8 and above: SecureXL can be enabled with the cpconfig option 'Enable Check Point SecureXL'.

For IPSO 3.7 and IPSO 3.7.1, make sure the FLOWS mechanism is enabled.

On Nokia console run:

nokia[admin]# ipsofwd list
net:ip:forward:noforwarding = 0
net:ip:forward:noforwarding_author = fwstart
net:ip:forward:switch_mode = flowpath
net:ip:forwarding = 1

Note: if switch_mode is not flowpath, set switch_mode to flowpath (FLOWS) as below:

nokia[admin]# ipsctl -w net:ip:forward:switch_mode "flowpath"

Increasing Connections Table

Expanding the VPN-1 concurrent connections limits - tuning the table space, hash and memory allocations

In NG versions of the VPN-1 product, the concurrent connections limits can be tuned per enforcement module via the Check Point GUI Client. In Check Point Gateway Properties > Capacity Optimization, set the supported number of concurrent connections to the maximum you foresee for your VPN-1 installation (allow for a sufficient margin). Also specify the size of the connections hash table as well as the default and maximal enforcement module memory pool sizes. Again, allow for sufficient margins.

For a large connections table, Nokia recommends setting it manually, using the following tables:

Table 1 Disk-Based IP Security Platforms

RAM    | CP Max Conns | CP Max Conns with Web Intelligence | Hash Table size | Memory Pool Size | Max Memory Pool size
256 MB |              |                                    | 2 MB            | 48 MB            | 64 MB
512 MB |              |                                    | 4 MB            | 196 MB           | 256 MB
1 GB   |              |                                    | 8 MB            | 400 MB           | 512 MB
2 GB   |              |                                    | 16 MB           | 800 MB           | 900 MB

Table 2 Flash-Based IP Security Platforms

RAM      | CP Max Conns | CP Max Conns with Web Intelligence | Hash Table size | Memory Pool size | Max Memory Pool size
512 MB * |              |                                    | 4 MB            | 128 MB           | 196 MB
1 GB     |              |                                    | 8 MB            | 256 MB           | 400 MB
2 GB     |              |                                    | 16 MB           | 800 MB           | 900 MB

Note: (*) A 512 MB PCMCIA card is required on the IP265 in order to achieve the number (39,000) above.

If you need to customize these settings, use the following data to determine the exact values for your needs:

Memory Requirements for FireWall-1 NG/NGX

The memory required depends on the kind of connections used:

  • For simple connections (accept): overhead_per_connection is ~325 bytes

  • For NAT'ed connections: overhead_per_connection is ~542 bytes

  • For Resources: overhead_per_connection is ~401 bytes

  • For VPN: overhead_per_connection is ~399 bytes

  • General overhead: 6 MB

Assuming the worst-case scenario (NAT):

fwhmem = 6 MB + 542 * connections_limit

For 100,000 connections this is:

6144*1024 + 542*100000 = 60491456 bytes (57.6 MB)

Keep in mind that FireWall-1 doesn't actually release the memory used for a TCP connection until about a minute after the connection ends. You should take this into account when planning how many connections you expect to handle.
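The sizing rule above, carried through as an added worked example (not code from the KB article): it applies the per-type overheads to a mix of connection types, adds the slots held by recently closed TCP connections, and checks the result against a memory pool size from the tables. The close rate and the connection mix are constructed inputs.

```python
# Added example: estimate FireWall-1 kernel memory (fwhmem) for a mix of
# connection types using the per-connection overheads the article lists.

# Per-connection overhead in bytes, by connection type (from the article).
OVERHEAD_BYTES = {
    "accept": 325,    # simple accepted connections
    "nat": 542,       # NAT'ed connections (worst case)
    "resource": 401,  # connections handled by Resources
    "vpn": 399,       # VPN connections
}
GENERAL_OVERHEAD_BYTES = 6144 * 1024  # the fixed ~6 MB the article assumes
MIB = 1024 * 1024


def fwhmem_bytes(connections: dict) -> int:
    """Memory needed for the given concurrent count per connection type.

    An unknown type name raises KeyError instead of silently under-sizing.
    """
    return GENERAL_OVERHEAD_BYTES + sum(
        OVERHEAD_BYTES[kind] * count for kind, count in connections.items())


def worst_case_bytes(connections_limit: int) -> int:
    """The article's rule of thumb: treat every connection as NAT'ed."""
    return fwhmem_bytes({"nat": connections_limit})


def lingering_connections(steady_state: int, closes_per_second: float,
                          linger_seconds: int = 60) -> int:
    """Table entries once closed TCP connections are counted.

    The article says memory for a TCP connection is held about a minute
    after it ends, so a steady close rate adds closes_per_second *
    linger_seconds extra entries (assumption: the rate is steady).
    """
    return steady_state + int(closes_per_second * linger_seconds)


def pool_fits(required_bytes: int, pool_mb: int) -> bool:
    """True if a memory pool of pool_mb MB (as in Tables 1/2) covers it."""
    return required_bytes <= pool_mb * MIB


if __name__ == "__main__":
    print(worst_case_bytes(100_000))  # the article's figure: 60491456
    # Constructed mix: 60k accept, 30k NAT, 5k VPN, and 500 closes/s lingering.
    extra = lingering_connections(95_000, 500) - 95_000
    need = fwhmem_bytes({"accept": 60_000, "nat": 30_000 + extra, "vpn": 5_000})
    print(f"{need / MIB:.1f} MB, fits 196 MB pool: {pool_fits(need, 196)}")
```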

IPSO Flows-Specific Suggestions

If you are not using SecureXL but FLOWS, then along with adjusting the VPN-1 connections table size, expand the FLOWS tables:

By default, the Nokia FLOWS tables can hold up to 131,072 connections without NAT or 65,536 NAT'ed connections. To adjust the FLOWS table size, do the following (in /var/etc/rc.local):

nokia[admin]# ipsctl -w net:ip:flow:flows_max_nexthops xxx (xxx <>

Security Servers

Run several instances of the security servers. For the HTTP security server, in $FWDIR/conf/fwauthd.conf:

80 in.ahttpd wait -4

Along with the change above, increase the per-system open files limit to support 4 HTTP security servers:

nokia[admin]# ipsctl -w kern:maxfiles 16384 (can be added to the /var/etc/rc.local file)

You should also increase the Maximum Segment Size in Nokia IPSO. In IPSO 3.7 and later, the MSS setting can be configured in the Advanced System Tuning page of the System Configuration section of Nokia Network Voyager. The default MSS size is now 1024. Change this to 1460.
