The cpsizeme is a lightweight shell script that produces a detailed performance report of Check Point Security Gateway. This script measures the ongoing resource utilization on Security Gateway during the given time period (refer to "Running cpsizeme" section). During this period, the script gathers information about CPU, memory consumption, throughput and few other important performance parameters.
This cpsizeme output and report can assist in improving the sizing accuracy in any one of the following scenarios:
Replacing the current Security Gateway appliance with a new one.
Future growth and planning ahead.
Enabling more security Software Blades on the current Security Gateway.
Troubleshoot performance issues on the Security Gateway
This script allows to automatically upload the collected raw performance data securely to Check Point servers. If an e-mail address was provided, then after getting the raw performance data, a PDF report will be sent to that e-mail address.
It is possible to upload the raw data to Check Point and e-mail the report at any time, even after running the script (refer to "Running cpsizeme" section).
We recommend not to run cpsizeme for more than 24 hours.
These are the mains outputs of the cpsizeme script:
Summary archive file - includes the Security Gateway's performance statistics of traffic, CPU, memory utilization, and an XML file to be used for sizing. This archive does not include connection data or IP addresses. To see the information stored in the summary archive file, run 'cpsizeme -S' command and select option 2 'Show summary of last successful session' in the menu.
* Email address: email@example.com
* Name of company / organization:
* Script version: 3.1
* Date & time: 2014-02-17 16:46:24
* Scheduled end: 2014-02-18 16:46:24
* Utility Sampling duration: 1 days
* Appliance: VMware Virtual Platform [1959 MB]
* Active blades: FW MGMT VPN MAB A_URLF AV ASPM APP_CTL IPS DLP IA SSL_INSPECT ANTB MON TE
* Gateway version: Check Point Gaia R77.10
* Gateway name: R77-10-SA
* SecureXL: on
HA module not started.
* ClusterXL: no
* Main functions performed by this gateway:
* Perimeter security: y
* DMZ security: n
* Protect the datacenter: y
* Segment internal networks: y
* Protect web servers: n
* Estimated number of users: 40
* Estimated gateway throughput [Mbps]: 100
* Size of internet pipe [Mbps]: 100
* Satisfied with gateway performance: y
* Estimated number of remote users: 10
* Estimated number of IPSec VPN remote users: 15
* Additional customer feedback: n
* Maximum gateway throughput: 28.082305 Mbps
* Maximum packet rate: 4929 Packets/sec
* Maximum Total CPU: 46%
* CPU core 0: 70% (Max core utilization: 100%)
* CPU core 1: 30% (Max core utilization: 100%)
* CPU core 2: 37% (Max core utilization: 100%)
* CPU core 3: 49% (Max core utilization: 91%)
* Maximum kernel CPU: 27%
* kernel CPU core 0: 19% (Max core kernel Utilization: 34%)
* kernel CPU core 1: 11% (Max core kernel Utilization: 24%)
* kernel CPU core 2: 10% (Max core kernel Utilization: 19%)
* kernel CPU core 3: 68% (Max core kernel Utilization: 91%)
* Estimated number of unique IPs behind gateway: 0
* Maximum concurrent connections: 111
* Average concurrent connections: 57
* Maximum memory utilization: 1314964 KB
* Minimum Free Memory: 1.91298 MB
* Accelerated packets: 0.00%
* VPN traffic: 0.00%
* Detected interface packet drops: no
* Detected install policy: no
* SMT status: Unsupported
* Estimated average of NAT connections: 0% (average concurrent connections:56)
Detailed archive file - includes all the raw performance data used for analysis and statistics, including connections and routing tables with IP addresses. The detailed archive can be used for performance troubleshooting.
PDF Performance Report - a graphical report, which is based on the summary archive file. This report is being generated and e-mailed to you, using the cpsizeme Online Report Service (see sample report).
Supported Platforms and Versions
Click here to view details of Supported Platforms and Versions
This table shows which appliances are supported to run the cpsizeme script:
Check Point Quantum Spark appliances (former SMB) that run Gaia Embedded OS
- Not supported
The following limitations apply to cpsizeme script:
SecureXL must be enabled on Security Gateway for this script to work
VSX is not supported
In ClusterXL High Availability mode, it is not supported to run this script on the Standby member.
Do not run the cpsizeme script when there is a shift in time due to daylight saving or other system clock change.
We do not recommended to run the cpsizeme script on Check Point appliances with SAM card / Acceleration cards.
Downloading and Installing cpsizeme
The cpsizeme script is part of main-train Firewall version.
For cpsizeme to work properly:
Gaia Deployment Agent - CPUSE should be updated to the latest recommended version to be able to update cpsizeme automatically. All the online customers should have the latest public CPUSE Deployment Agent. The offline customers should refer to sk92449 to update/install the latest version of CPUSE Deployment Agent manually.
The cpsizeme must be updated to use CPInfo for data upload instead of deprecated cp_uploader. After you update the CPUSE, the cpsizeme can update itself to the latest version.
The CPInfo utility must be updated to the latest recommended version to be able to upload data collected by cpsizeme.
To update cpsizeme to the newest available version:
Download cpsizeme package from the table below. It is always recommended to use the latest version of cpsizeme to prevent the automatic update failures.
cpsizeme for Gaia OS
14 February 2022
Copy the cpsizeme package to a directory on the Security Gateway (for example, /var/log/).
Connect to the command line on the Security Gateway.
Log in to the Expert mode.
Extract the package:
[Expert@HostName]# tar -xvzf <name_of_downloaded_cpsizeme_package>
Assign the required permissions to the script:
[Expert@HostName]# chmod +x cpsizeme
Move this file to the default cpsizeme directory $FWDIR/bin/ to overwrite the existing file:
If you wish to run the script for different amount of time, run:
[Expert@HostName]# cpsizeme XY
X designates the amount of time to run
Y designates the time units: m (for minutes), h (for hours), d (for days)
To run the utility for 48 hours, enter:
[Expert@HostName]# cpsizeme 48h
To run the utility for 75 minutes, enter:
[Expert@HostName]# cpsizeme 75m
Note: cpsizeme should run for at least 3 minutes for proper functionality.
To see the special menu for the script, run:
[Expert@HostName]# cpsizeme -S
Please choose an option:
1 Show upload history
2 Show summary of last successful session
3 Show summary of gathered information
4 Show instructions to get sizing PDF report via email
5 Show location of generated files
6 Send summary & detailed archives to Check Point
7 Send summary archive to Check Point
8 Reanswer the utility's questions
9 Cleanup login notifications & optionally all related files
To restart a running cpsizeme process, run:
[Expert@HostName]# cpsizeme X
where X designates the new options (duration, proxy, etc.) to be used in the new process. The previous options aren't valid for the new process.
Then choose option #2 ('Start a new session'). The previous process will be terminated, and a new one will be started.
To stop a running cpsizeme process, run:
Then choose option #3 ('Delete current session and exit') that will terminate the running process.
It is strongly recommended to run the latest version of the cpsizeme script.
To check the version of the current cpsizeme' script on Security Gateway, run:
[Expert@HostName]# cpsizeme -V
On some Security Gateway versions, the cpsizeme script will allow to check for updates and to update the script. It is recommended to choose this option, when available.
To update the cpsizeme script manually:
Clean up the existing cpsizeme results. Run:
[Expert@HostName]# cpsizeme -S
And select option 9 'Cleanup login notifications & optionally all related files'
Remove the current cpsizeme script file:
[Expert@HostName]# rm -i /<path_to>/cpsizeme
Refer to the instructions in "Installing cpsizeme" section.
Uploading cpsizeme results to Check Point
There are two procedures to receive the cpsizeme report:
Automatically upload from the Security Gateway - assuming that the Security Gateway is connected to the Internet:
The cpsizeme script can upload the output files to Check Point. This is done when the user is prompted with the following options and selects either the first, or the second option:
1 Run the utility and automatically send both the detailed & summary
archives to Check Point
2 Run the utility and automatically send only the summary archive to
3 Run the utility without sending the data automatically to Check Point
A valid license must be installed on the Security Gateway (to allow uploading to Check Point servers).