topic Re: MOST INSPECTION ARE BYPASSED R82 in Firewall and Security Management

MOST INSPECTION ARE BYPASSED R82

CEEJAY — Wed, 29 Oct 2025 03:09:38 GMT

Hello, I have encountered this error in my Checkpoint Firewall whenever I install a policy, I am using R82 version. Based on SK, this is a new feature for R82. Is this enable by default? or is there anyway to disable this. I also read the SK that this error prompt when the load exceed on accecpted treshold in RAD process and if the Gateway has no connectivity to threatcloud. I checked that the gateway can reach the cloud and has connection, how will I know what is the accepted treshold in RAD?

Re: MOST INSPECTION ARE BYPASSED R82

the_rock — Wed, 29 Oct 2025 03:32:20 GMT

I cant say for sure, but I can only logically assume to disable the feature (at least based on the sk) would be to set option in your 2nd screenshot to block.

Again, just my logical thinking.

Re: MOST INSPECTION ARE BYPASSED R82

emmap — Wed, 29 Oct 2025 04:16:55 GMT

Does the error appear when you install policy and then go away after a minute? Or does it come at other times? If it's only during policy install then you can set up monitoring of it per the SK, install the policy, then check what it outputs and see if that shines a light on anything useful. TAC can help with interpreting it if you need a hand there.

Re: MOST INSPECTION ARE BYPASSED R82

CEEJAY — Wed, 29 Oct 2025 04:58:10 GMT

Yes, it will sometimes not show, and come at other times, but every install the error will prompt.

Re: MOST INSPECTION ARE BYPASSED R82

emmap — Wed, 29 Oct 2025 06:24:40 GMT

OK yea it sounds like you have a load issue or similar. Try the monitoring procedure in the SK article while doing a policy install and see what it says.

Re: MOST INSPECTION ARE BYPASSED R82

CEEJAY — Wed, 29 Oct 2025 06:32:51 GMT

Yes. I assume that it has a laod issue, since based on SK this will only prompt when there is a load isse or connectivity issue to checkpoint cloud, based on my checknig the gateway can resolved and reach the checkpoint cloud. What I can't see in SK is how can I resolved this or somehow can adjust the treshold or disable this feature, since it is only in R82.

Re: MOST INSPECTION ARE BYPASSED R82

PhoneBoy — Wed, 29 Oct 2025 15:03:31 GMT

Anti-Virus and Anti-Bot generally require real-time access to ThreatCloud.
The "adaptive hold" situation attempts to handle situations where RAD cannot interact with ThreatCloud in a timely manner (either because of connectivity, load, or both).

To disable this (i.e. activate "Maximum Security"), follow the steps in https://support.checkpoint.com/results/sk/sk181434
Likewise, to monitor the situation, follow the steps in the SK.

Re: MOST INSPECTION ARE BYPASSED R82

HeikoAnkenbrand — Wed, 29 Oct 2025 17:00:34 GMT

Hi @CEEJAY,
You need to create a DNS entry in GAIA so that the RadD process in the user space can establish a connection to Check Point. Furthermore, the implied rules should allow this access. If that does not work, explicitly allow traffic from the RadD (the external IP address of the gateway) towards the internet.

Re: MOST INSPECTION ARE BYPASSED R82

Lesley — Wed, 29 Oct 2025 17:44:56 GMT

First check if you are able to reach the following website:

dig cloudinfra-gw.portal.checkpoint.com

traceroute cloudinfra-gw.portal.checkpoint.com

curl_cli -vk http://cloudinfra-gw.portal.checkpoint.com

If this is OK proceed to check the rad.conf file. Check if autodebug is set to false. (file is located here: $FWDIR/conf/rad_conf.C)

If not proceed change this from true to false with steps below:

sed -i 's/:autodebug (true)/:autodebug (false)/' $FWDIR/conf/rad_conf.C rad_admin stop ; sleep 5 ; rad_admin start

Error might popup, make sure command changed the rad_conf

Above can be done without impact.

If this not help also make change to guidbedit (guidbedit SK: https://support.checkpoint.com/results/sk/sk13009 )

Path: Other > rad_services > malware_rad_service > cache_max_hash_size
Recommended value: 100k–300k (depending on environment load)

Re: MOST INSPECTION ARE BYPASSED R82

CEEJAY — Thu, 30 Oct 2025 03:23:12 GMT

Yes, but I'm a little bit confused in this SK. Based on SK, there is a prerequisite for enabling this feature, then as I reading the instructions, the error will encounter if there is connectivity issue to threatcloud or load issue, but there is no indicated solution to resolve the error. I verified that the gateway can reach the checkpoint cloud, one things is where can I see if the load is exceeding in the set treshold and where can I see this? Because this error only appear when I upgrade from r81.20 to R82.

Re: MOST INSPECTION ARE BYPASSED R82

CEEJAY — Thu, 30 Oct 2025 03:43:15 GMT

Hello @HeikoAnkenbrand. I verified that the gateway can reach the threatcloud and I also have policy that allows the traffic going to the internet.

Re: MOST INSPECTION ARE BYPASSED R82

CEEJAY — Thu, 30 Oct 2025 03:44:56 GMT

Will try this one, but as I noticed, the error only prompts after installation of policy then it will go away. Only prompt after installation of policy.

Re: MOST INSPECTION ARE BYPASSED R82

CEEJAY — Thu, 30 Oct 2025 03:46:32 GMT

hello @emmap as I noticed now, the error is gone, but ater installation it will show again, then it will go away, I'm not sure how long before it goes away, but what I'm sure is it will prompt every policy installation.

Re: MOST INSPECTION ARE BYPASSED R82

Lesley — Thu, 30 Oct 2025 08:13:43 GMT

policy push can cause high load on the firewall system.

Re: MOST INSPECTION ARE BYPASSED R82

_Val_ — Thu, 30 Oct 2025 08:33:16 GMT

On the contrary, it is actually straightforward. You need to make sure that your GW has Internet connectivity properly set up, with the ability to resolve DNS and connect to external services.

It is quite easy to check. Connect to your GW, get expert shell, then run nslookup commands with the FQDN mentioned in the SK. Tell us what you see.

Re: MOST INSPECTION ARE BYPASSED R82

PhoneBoy — Thu, 30 Oct 2025 14:10:29 GMT

As I said, there are two reasons this can occur: connectivity and load.
You've only looked at what one portion of that: the connectivity.

What is the system load here?
Let's start with what the environment is, which includes the exact version/JHF of all components on what (virtual) hardware.
If you're using a VM or an Open Server, please specify the number of cores/RAM/disk allocated.

Re: MOST INSPECTION ARE BYPASSED R82

mp2012 — Tue, 04 Nov 2025 06:46:42 GMT

Hi,

what does setting "autodebug to false" do exactly? Just disable this mechanism?

Re: MOST INSPECTION ARE BYPASSED R82

Lesley — Tue, 04 Nov 2025 08:38:23 GMT

Reduce the load, collects less info this way.

Re: MOST INSPECTION ARE BYPASSED R82

the_rock — Tue, 04 Nov 2025 19:45:22 GMT

Its exactly what @Lesley said.