Maximum Supported Items

This section provides the maximum supported numbers for various hardware and software items.

Management Server

Item	Maximum Number	Hard Limit	Comment
Network objects in all Domains	500,000	Yes	This applies to objects of these types - Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., Network, Host, Group, Address Range, Dynamic Object Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time., Wildcard Object, Security Zone, LSV Profile, Domain, Interoperable Device, VoIP Domain, Logical Server, OSE Device, Access Point Name.
Network objects in each Domain	100,000	No
Security Gateway objects in each Domain	300 and 500	No	To make sure the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. is responsive when you manage more than 300 Security Gateways, it is necessary to disable the three LSM Add-ons as described in sk135972 (`LSMServerAddon`, `PAServerAddon`, and `PAHBServerAddon`).
Objects in each Group object	12,000	Yes
Rules in each policy	28,000	Yes	To ensure optimal Security Gateway responsiveness, we recommend configuring a maximum of 20,000 rules in a policy. While the Security Gateway can support more rules than 20,000 rules, the smaller the number of rules in the installed policy, the more responsive the Security Gateway is.
Changes in one session	100	No	To ensure optimal Management Server responsiveness, we recommend making 100 or fewer changes in each session (although the Management Server can support more than 500 changes at a time).
Interfaces in each Security Gateway	200	No	To ensure optimal SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. responsiveness, we recommend configuring a maximum of 200 interfaces in SmartConsole. If the Security Gateway object contains more interfaces, use the applicable Management API to configure interfaces. See the Check Point Management API Reference. To ensure optimal API responsiveness, we recommend configuring a maximum of 600 interfaces with API.
Layers in Access Control Policy	251 and 231	Yes	The maximum number of Policy Layers in an Access Control Policy is 251. A Security Gateway has a limit of 4900 kernel tables. Each Access Control Policy Layer Layer (set of rules) in a Security Policy. creates 21 kernel tables on the Security Gateway. Each Access Control Policy creates 40 global kernel tables on the Security Gateway (that apply to all Policy Layers). Therefore, the additional calculation is: (4900 tables - 40 tables) / 21 tables per Policy Layer = 231 Policy Layers.

Maximum Supported Number of Interfaces on Security Gateway

The maximum number of interfaces supported (physical and virtual) is shown in this table.

Mode	Max # of Interfaces	Notes
Security Gateway	1024	Non-VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.
VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.	4096	Includes VLANs and Warp Interfaces
Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS.	250	Includes VLANs and Warp Interfaces

Note - This table applies to Check Point Appliances and Open Servers.

Maximum Supported Number of Cluster Members

Cluster Type	Maximum Supported Number of Cluster Members
ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic.	5
Virtual System Load Sharing VSX Cluster technology that assigns Virtual System traffic to different Active Cluster Members. Acronym: VSLS.	13

Cluster Type

Maximum Supported Number of Cluster Members

ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic.

Virtual System Load Sharing VSX Cluster technology that assigns Virtual System traffic to different Active Cluster Members. Acronym: VSLS.