Maximum Supported Items

This section provides the maximum supported numbers for various hardware and software items.

Management Server

Item

Maximum Number

Hard Limit

Comment

Network objects in all Domains

1,000,000

Yes

This applies to objects of these types - Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., Network, Host, Group, Network Feed, Address Range, Dynamic Object Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time., Wildcard Object, Security Zone, LSV Profile, Domain, Interoperable Device, VoIP Domain, Logical Server, OSE Device, Access Point Name.

Network objects in each Domain

100,000

Security Gateway objects in each Domain

250

and

500

To make sure the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. is responsive when you manage more than 300 Security Gateways, it is necessary to disable the three LSM Add-ons as described in sk135972 (LSMServerAddon, PAServerAddon, and PAHBServerAddon).

The maximum supported number of the managed Security Gateways and Cluster Members depends on the installed RAM and the number of CPU cores on the Management Server:

Number of available CPU Cores	Amount of installed RAM	Maximum supported number of the managed Security Gateways
32	96 GB	500
16	96 GB	500
6	32 GB	350
6	16 GB	250

Objects in each Group object

12,000

Yes

Rules in each policy

28,000

Yes

To ensure optimal Security Gateway responsiveness, we recommend configuring a maximum of 20,000 rules in a policy.

While the Security Gateway can support more rules than 20,000 rules, the smaller the number of rules in the installed policy, the more responsive the Security Gateway is.

Changes in one session

100

To ensure optimal Management Server responsiveness, we recommend making 100 or fewer changes in each session (although the Management Server can support more than 500 changes at a time).

Interfaces in each Security Gateway

200

To ensure optimal SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. responsiveness, we recommend configuring a maximum of 200 interfaces in SmartConsole.

If the Security Gateway object contains more interfaces, use the applicable Management API to configure interfaces. See the Check Point Management API Reference. To ensure optimal API responsiveness, we recommend configuring a maximum of 600 interfaces with API.

Layers in Access Control Policy

251

Yes

The maximum number of Policy Layers in an Access Control Policy is 251.

Sizing Recommendations for Check Point Management Server

See sk178325.

Maximum Supported Number of Interfaces on Security Gateway

The maximum number of interfaces supported (physical and virtual) is shown in this table.

Note - This table applies to Check Point Appliances and Open Servers.

Mode	Max # of Interfaces	Notes
Security Gateway	1024	Non-VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode See Security Gateway or Cluster
Virtual Gateway in the VSNext mode	1024	SeeVSNext and Traditional VSX
VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. in the Traditional VSX mode	4096	Includes VLANs and Warp Interfaces SeeVSNext and Traditional VSX
Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS. in the Traditional VSX mode	250

Maximum Supported Number of Cluster Members

Cluster Type	Maximum Supported Number of Cluster Members
ClusterXL High Availability or Load Sharing	5
ClusterXL Active-Active	4
ElasticXL	3 on each Site (6 in total in Dual Site)
Geo Cluster	2
Virtual System Load Sharing VSX Cluster technology that assigns Virtual System traffic to different Active Cluster Members. Acronym: VSLS. in the Traditional VSX mode	13

Number of Supported Items in an ElasticXL Cluster

Item	Number of Supported Items	Notes
Number of Security Appliances in one ElasticXL Cluster	In Single Site and Dual Site deployment: Minimum: 1 on each Site Maximum: 3 on each Site	In a Dual Site deployment, an ElasticXL Cluster must contain a minimum of one Security Appliance from each site.
Number of interfaces configured in one ElasticXL Cluster	In the Security Gateway Mode: Minimum: 2 Maximum: 1024 For each Virtual Gateway in the VSNext Mode: Minimum: 2 Maximum: 1024	Includes all interface types (Physical, Bonds, VLAN, Warp).

Item

Number of

Supported Items

Notes

Number of Security Appliances in one ElasticXL Cluster

In Single Site and Dual Site deployment:

Minimum: 1 on each Site
Maximum: 3 on each Site

In a Dual Site deployment, an ElasticXL Cluster must contain a minimum of one Security Appliance from each site.

Number of interfaces configured in one ElasticXL Cluster

In the Security Gateway Mode:

Minimum: 2
Maximum: 1024

For each Virtual Gateway

in the VSNext Mode:

Minimum: 2
Maximum: 1024

Includes all interface types

(Physical, Bonds, VLAN, Warp).

Number of Supported Items in a Maestro Environment

Item	Number of Supported Items	Notes
Number of Security Groups A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. configured	Minimum: 1 Maximum: 8	None
Number of Security Appliances in one Security Group	In Single Site and Dual Site deployment: Minimum: 1 Maximum: 28	In Dual Site environments: Each Security Group must contain a minimum of one Security Appliance from each site (see MBS-7606 in sk181128). Each Security Group can contain a maximum of 28 Security Appliances - 14 Security Appliances from each site (see MBS-7773 in sk181128).
Number of interfaces configured on top of Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. in one Security Group	In the Security Gateway Mode and in the VSNext Mode: Minimum: 2 Maximum: 1024 In the Traditional VSX Mode: Minimum: 2 Maximum: 4096 For each Virtual System in the Traditional VSX Mode: Minimum: 2 Maximum: 250	Includes all interface types (Physical, Bonds, VLAN, Warp).

Item

Number of

Supported Items

Notes

Number of Security Groups A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. configured

Minimum: 1
Maximum: 8

None

Number of Security Appliances in one Security Group

In Single Site and Dual Site deployment:

Minimum: 1
Maximum: 28

In Dual Site environments:

Each Security Group must contain a minimum of one Security Appliance from each site (see MBS-7606 in sk181128).
Each Security Group can contain a maximum of 28 Security Appliances - 14 Security Appliances from each site (see MBS-7773 in sk181128).

Number of interfaces configured on top of Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. in one Security Group

In the Security Gateway Mode

and in the VSNext Mode:

Minimum: 2
Maximum: 1024

In the Traditional VSX Mode:

Minimum: 2
Maximum: 4096

For each Virtual System

in the Traditional VSX Mode:

Minimum: 2
Maximum: 250

Includes all interface types

(Physical, Bonds, VLAN, Warp).