The Check Point Performance Sizing Utility (CPSizeMe)

Table of Contents:

  • Description
  • Main Outputs
  • Supported Platforms and Versions
  • Known Limitations
  • Downloading and Installing cpsizeme
  • Running cpsizeme
  • Restarting cpsizeme
  • Stopping cpsizeme
  • Updating cpsizeme
  • Uploading cpsizeme results to Check Point
  • Troubleshooting
  • Related solutions



The cpsizeme is a lightweight shell script that produces a detailed performance report of a Check Point Security Gateway. The script measures the ongoing resource utilization on the Security Gateway during a given time period (refer to the "Running cpsizeme" section). During this period, it gathers information about CPU and memory consumption, throughput, and a few other important performance parameters.

The cpsizeme output and report can help improve sizing accuracy in any of the following scenarios:

  • Replacing the current Security Gateway appliance/server with a new one.
  • Future growth and planning ahead.
  • Enabling more security Software Blades on the current Security Gateway.
  • Troubleshooting performance issues on the Security Gateway.

The script can automatically and securely upload the collected raw performance data to Check Point servers. If an e-mail address was provided, a PDF report is sent to that address after the raw performance data is received.
The raw data can be uploaded to Check Point and the report e-mailed at any time, even after the script has run (refer to the "Running cpsizeme" section).


Main Outputs

These are the main outputs of the cpsizeme script:

  • Summary archive file - includes the Security Gateway's performance statistics of traffic, CPU, memory utilization, and an XML file to be used for sizing. This archive does not include connection data or IP addresses.
    In order to see the information stored in the summary archive file, run 'cpsizeme -S' command and select option 2 'Show summary of last successful session' in the menu.
    Example:
    General information
    * Email address:
    * Name of company / organization: 
    * Script version: 3.1
    * Date & time: 2014-02-17 16:46:24
    * Scheduled end: 2014-02-18 16:46:24
    * Utility Sampling duration: 1 days
    * Appliance: VMware Virtual Platform [1959 MB]
    * Gateway version: Check Point Gaia R77.10
    * Gateway name: R77-10-SA
    * SecureXL: on
    * Clustering:
    HA module not started.
    * ClusterXL: no
    Customer estimation
    * Main functions performed by this gateway:
            * Perimeter security: y
            * DMZ security: n
            * Protect the datacenter: y
            * Segment internal networks: y
            * Protect web servers: n
    * Estimated number of users: 40
    * Estimated gateway throughput [Mbps]: 100
    * Size of internet pipe [Mbps]: 100
    * Satisfied with gateway performance: y
    * Estimated number of remote users: 10
    * Estimated number of IPSec VPN remote users: 15
    * Additional customer feedback: n
    Measured Data
    * Maximum gateway throughput: 28.082305 Mbps
    * Maximum packet rate: 4929 Packets/sec
    * Maximum Total CPU: 46%
            * CPU core 0: 70% (Max core utilization: 100%)
            * CPU core 1: 30% (Max core utilization: 100%)
            * CPU core 2: 37% (Max core utilization: 100%)
            * CPU core 3: 49% (Max core utilization: 91%)
    * Maximum kernel CPU: 27%
            * kernel CPU core 0: 19% (Max core kernel Utilization: 34%)
            * kernel CPU core 1: 11% (Max core kernel Utilization: 24%)
            * kernel CPU core 2: 10% (Max core kernel Utilization: 19%)
            * kernel CPU core 3: 68% (Max core kernel Utilization: 91%)
    * Estimated number of unique IPs behind gateway: 0
    * Maximum concurrent connections: 111
    * Average concurrent connections: 57
    * Maximum memory utilization: 1314964 KB
    * Minimum Free Memory: 1.91298 MB
    * Accelerated packets: 0.00%
    * VPN traffic: 0.00%
    * Detected interface packet drops: no
    * Detected install policy: no
    * SMT status: Unsupported
    * Estimated average of NAT connections: 0% (average concurrent connections:56)
  • Detailed archive file - includes all the raw performance data used for analysis and statistics, including connections and routing tables with IP addresses. The detailed archive can be used for performance troubleshooting.

  • PDF Performance Report - a graphical report, which is based on the summary archive file. This report is generated and e-mailed to you by the cpsizeme Online Report Service (see sample report).


Supported Platforms and Versions

The cpsizeme script is supported on all Check Point appliances (not supported on Open Servers or 600/700/1100/1200R/1400/1500 devices running Gaia Embedded).


Known Limitations

The following limitations apply to cpsizeme script:

  • SecureXL must be enabled on Security Gateway for this script to work
  • VSX is not supported 
  • In ClusterXL High Availability mode, running this script on the Standby member is not supported.
  • Not recommended for use on Check Point appliances with SAM/AC cards for sizing on AST
  • Do not run cpsizeme script when there is a shift in time due to daylight saving time or other system clock change.


Downloading and Installing cpsizeme

The cpsizeme script is part of the main-train Firewall version.

For cpsizeme to work properly: 

  • DCdownloader should be updated to the latest recommended version so that cpsizeme can be updated automatically.
    All online customers should have the newest public DA.
    Offline customers should refer to sk92449 to update/install a new version of the DA agent.
  • cpsizeme must be updated to use CPInfo for data upload instead of the deprecated cp_uploader. After DCdownloader is updated, cpsizeme can update itself to the latest version.
  • The CPInfo utility must be updated to the latest recommended version to be able to upload data collected by cpsizeme.

To update cpsizeme to the newest available version:

  1. Download the latest recommended version of cpsizeme package:

    Platform                             Version  Date         Download
    cpsizeme for Gaia / SecurePlatform   5.2      29 Aug 2020  (cpsizeme.tgz)
    cpsizeme for IPSO 6.2                3.6      02 Mar 2017  (cpsizeme.tar.gz)

    Note: if you have a problem with downloading the tool using Chrome browser, refer to sk76080.

  2. Copy the cpsizeme package to a directory on Security Gateway (e.g., /var/log/).

  3. Extract the package:

    [Expert@HostName]# tar -xvzf <name_of_downloaded_cpsizeme_package>

  4. Assign the execute permissions to the script:

    [Expert@HostName]# chmod +x cpsizeme

  5. Move this file to the default cpsizeme directory $FWDIR/bin/ to overwrite the existing version:

    [Expert@HostName]# mv cpsizeme $FWDIR/bin/cpsizeme 

  6. Download and install the latest version of the CPInfo utility (refer to sk92739 - The CPInfo utility).


Running cpsizeme

  • To see the basic help for the script, run: [Expert@HostName]# cpsizeme -h

  • To see the advanced help for the script, run: [Expert@HostName]# cpsizeme --help

To run the script with default parameters: [Expert@HostName]# cpsizeme

By default, the script will run for 24 hours.

To run the script for a different amount of time, run: [Expert@HostName]# cpsizeme XY

  • X designates the amount of time to run
  • Y designates the time units: m (for minutes), h (for hours), d (for days)

  • To run the utility for 48 hours, run: [Expert@HostName]# cpsizeme 48h

  • To run the utility for 75 minutes, run: [Expert@HostName]# cpsizeme 75m

Note: cpsizeme should be run for at least 3 minutes for proper functionality.

  • To see the special menu for the script, run:

    [Expert@HostName]# cpsizeme -S
    Please choose an option:
    1       Show upload history
    2       Show summary of last successful session
    3       Show summary of gathered information
    4       Show instructions to get sizing PDF report via email
    5       Show location of generated files
    6       Send summary & detailed archives to Check Point
    7       Send summary archive to Check Point
    8       Reanswer the utility's questions
    9       Cleanup login notifications & optionally all related files
    10      Exit
    Your choice?
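
The duration syntax and the 3-minute minimum above, together with the Known Limitations warning about clock shifts, can be checked before a session is started. The following is an added example, not part of cpsizeme or of Check Point's documentation; the function names and return codes are hypothetical, and it assumes a date(1) that accepts "-d @EPOCH" (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not part of cpsizeme): pre-flight check for a sampling window.

# to_minutes XY: print the duration in minutes; fail unless XY is <digits><m|h|d>.
to_minutes() {
  n=${1%[mhd]}                       # numeric part (X)
  u=${1#"$n"}                        # unit suffix (Y)
  case "$n" in ''|0*|*[!0-9]*) return 1 ;; esac
  case "$u" in
    m) echo "$n" ;;
    h) echo $((n * 60)) ;;
    d) echo $((n * 1440)) ;;
    *) return 1 ;;                   # stricter than the tool: a unit is required
  esac
}

# check_window XY [START_EPOCH]
#   0 = window is usable
#   1 = bad argument, or shorter than the 3-minute minimum
#   2 = UTC offset differs between start and end (a DST change falls inside)
# Only scheduled time-zone changes can be predicted; manual clock changes cannot.
check_window() {
  mins=$(to_minutes "$1") || return 1
  [ "$mins" -ge 3 ] || return 1
  start=${2:-$(date +%s)}
  end=$((start + mins * 60))
  [ "$(date -d "@$start" +%z)" = "$(date -d "@$end" +%z)" ] || return 2
  return 0
}

# Constructed demo: a 24h window starting 2021-03-27 12:00 UTC in a zone that
# switches to summer time on the last Sunday of March (POSIX TZ string).
( TZ='CET-1CEST,M3.5.0,M10.5.0/3'; export TZ
  check_window 24h 1616846400 || echo "24h window rejected, rc=$?" )
```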


Restarting cpsizeme

To restart a running cpsizeme process, run: [Expert@HostName]# cpsizeme X

where X designates the new options (duration, proxy, etc.) to be used in the new process. The previous options aren't valid for the new process.

Then choose option #2 ('Start a new session'). The previous process will be terminated and a new one will be started.


Stopping cpsizeme

To stop a running cpsizeme process, run: [Expert@HostName]# cpsizeme

Then choose option #3 ('Delete current session and exit') that will terminate the running process.


Updating cpsizeme

It is strongly recommended to run the latest version of the cpsizeme script.

  • To check the version of the current cpsizeme script on the Security Gateway, run:

    [Expert@HostName]# cpsizeme -V

  • On some Security Gateway versions, the cpsizeme script offers to check for updates and to update itself. It is recommended to choose this option when available.

  • To update the cpsizeme script manually:

    1. Clean up the existing cpsizeme results: [Expert@HostName]# cpsizeme -S
      And select option 9 'Cleanup login notifications & optionally all related files'

    2. Remove the current cpsizeme script file: [Expert@HostName]# rm -i /<path_to>/cpsizeme

    3. Refer to the instructions in the "Downloading and Installing cpsizeme" section.


Uploading cpsizeme results to Check Point

There are two procedures to receive the cpsizeme report:

  1. Automatically upload from the Security Gateway - assuming that the Security Gateway has Internet connectivity:

    • The cpsizeme script can upload the output files to Check Point. This is done when the user is prompted with the following options and selects either the first, or the second option:
      Please choose:
           1  Run the utility and automatically send both the detailed & summary
              archives to Check Point
           2  Run the utility and automatically send only the summary archive to
              Check Point
           3  Run the utility without sending the data automatically to Check Point
      Your choice?
    • A valid license must be installed on the Security Gateway (to allow uploading to Check Point servers).

    • To allow connectivity to Check Point servers, refer to the 'System Requirements' section in sk92739 - The CPInfo utility.

      • If a Proxy is used to access HTTPS servers, then run:

        [Expert@HostName]# ./cpsizeme -p PROXY_IP_ADDRESS:PROXY_PORT

      • If a username and password are required for the Proxy, then run:

        [Expert@HostName]# ./cpsizeme -p USERNAME:PASSWORD@PROXY_IP_ADDRESS:PROXY_PORT

  2. Offline options:

    1. Offline upload procedure - If the Security Gateway does not have connectivity to Check Point servers, you can upload the data via e-mail.

      1. Locate the cpsizeme output XML file on the Security Gateway. Run:
        [Expert@HostName]# cpsizeme -S
        And select option 5 'Show location of generated files'.
      2. Transfer the cpsizeme output XML file from the Security Gateway to your computer.
      3. Attach the cpsizeme output XML file to an e-mail.
      4. Send the e-mail to the following e-mail address:
      5. You will receive an e-mail from with attached PDF report within 1 hour (see sample report).

    2. Manually upload the XML file to the Appliance Sizing Tool (AST) as follows:

      (Note: Log in to the Support Center, go to the "QUOTING TOOLS" menu and click on the "Appliance Sizing Tool". Users with PartnerMap access will find this under "SELL" -> "Appliance Sizing Tool")

      1. In the 'Sizing with CPSizeMe' section at the bottom, click 'Upload CPSizeMe File'.

      2. Select the XML file and click on 'Upload'.
      3. The information from the XML file is immediately loaded into the upper left column of the AST.
      4. Review the automatically completed information in the AST.
      5. Adjust characteristics as needed, such as activating additional Software Blades.
        - Check additional blades if needed
        - Choose the correct number of users
        - If the gateway also passes traffic to the Internet, select the checkbox near the Internet Connection field and note how much traffic is to be sent "outside" through the gateway. This portion of traffic has a direct impact on the selected blades, such as IPS, Application Control, etc.
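
The Main Outputs section states that the summary archive contains no connection data or IP addresses, while the detailed archive includes connections and routing tables with IP addresses. Before a file is e-mailed or uploaded, that can be confirmed locally; the following is an added example, not part of cpsizeme, with hypothetical function names and constructed sample text (the real cpsizeme file layout is not shown on this page).

```shell
#!/bin/sh
# Added example (not part of cpsizeme): list IPv4 addresses in a file before it
# leaves the gateway. Reads the named files, or stdin when none are given.

# list_ipv4 [FILE...]: print "<count> <address>" per distinct dotted quad.
# A four-part version string such as 1.2.3.4 is reported too; review by hand.
list_ipv4() {
  awk '
    {
      n = split($0, tok, /[^0-9.]+/)           # runs of digits and dots
      for (i = 1; i <= n; i++) {
        t = tok[i]
        gsub(/^\.+|\.+$/, "", t)               # drop sentence punctuation
        if (split(t, oct, ".") != 4) continue
        ok = 1
        for (j = 1; j <= 4; j++)
          if (oct[j] !~ /^[0-9]+$/ || oct[j] + 0 > 255) ok = 0
        if (ok) seen[t]++
      }
    }
    END { for (a in seen) print seen[a], a }
  ' "$@" | sort -k2
}

# no_addresses [FILE...]: succeed only when nothing address-like was found.
no_addresses() { [ -z "$(list_ipv4 "$@")" ]; }

# Constructed samples; the addresses are documentation ranges, not real hosts.
sample_summary() {
  cat <<'EOF'
* Date & time: 2014-02-17 16:46:24
* Gateway version: Check Point Gaia R77.10
* Maximum gateway throughput: 28.082305 Mbps
EOF
}
sample_detailed() {
  cat <<'EOF'
conn 192.0.2.10:443 -> 198.51.100.7:51544
conn 192.0.2.10:443 -> 203.0.113.9:40022
route 300.1.2.3 is not a valid address and is ignored.
EOF
}

sample_summary | no_addresses && echo "summary sample: nothing address-like"
sample_detailed | list_ipv4
```

On a real file, pass its path instead of piping a sample, for example the XML location reported by option 5 of 'cpsizeme -S'.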




Troubleshooting

Refer to the "Uploading cpsizeme results to Check Point" section.

  • Problem: failed to upload report when sending the summary or the detailed archive


    • Check connectivity from the Security Gateway to the following sites:
      • on TCP port 443
      • on TCP port 22
      For example, run telnet 443

    • If you need to use a proxy server to connect to the above sites, use the proxy method of cpsizeme.
      Run: cpsizeme -p PROXY_IP_ADDRESS:PROXY_PORT

  • Problem: failed updating the version


    • Check connectivity from the Security Gateway to the following sites:
      • on TCP port 443
      • on TCP port 22

    For example, run telnet 443

