
R80.10 threat extraction high cpu usage

Hi,

I've been testing R80.10 with all blades enabled, and 2 or 3 days ago I noticed high CPU usage on a 'cat' process in top, to the point where I'm now unable to push policy.

I used pstree to identify the parent process as being scrubd, which after a little research I found is related to threat extraction.

I did manage to successfully push policy if I killed the 'cat' process with 'kill -9'.

Removing the threat extraction blade restores CPU usage to normality.

I took a migrate export and tried importing the backup to a VM to see if the issue arose; unfortunately it did.

Does anyone have any ideas on how I can fix this without rebuilding from scratch?

Thanks

Dave

Admin

Re: R80.10 threat extraction high cpu usage

Have you opened an SR with TAC on this issue?


Re: R80.10 threat extraction high cpu usage

No, not yet. I thought I may find an answer here before raising with TAC.


Re: R80.10 threat extraction high cpu usage

Hello,

I am experiencing the exact same issue. SmartConsole reports Threat Extraction blade is unresponsive, there is a "/bin/cat /dev/urandom" process eating up 100% of one CPU core.

Doing a kill -9 on the process spawns a second similar one. Killing the second one stops the spawning, but renders Threat Extraction useless.

Did you happen to find any solution to this yet?

Thank you


Re: R80.10 threat extraction high cpu usage

Sorry for rushing in with the question. I found the culprit - Threat Extraction Web API.

Also, there is a solution available at sk118353.

For me it fixed the issue. Hope this helps!

Admin

Re: R80.10 threat extraction high cpu usage

That's great to hear!

https://community.checkpoint.com/people/dave.45cc086d-5044-468e-82c2-8ee173df935e does this fix the issue for you?


Re: R80.10 threat extraction high cpu usage

Hi,

Since my setup was in a lab environment I decided to rebuild it clean and configure it as a distributed config rather than a stand-alone.

I have not had the issue so far.
