This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
konecnyl
Participant
‎2025-05-07 01:13 PM
Jump to solution

HTTPS Inspection significantly slows down loading of images

Hi,

on our firewall (Check Point R81.20 - Build 043), we are observing significant slowdowns when loading images while using map services – especially when panning or zooming maps on portals such as mapy.cz, Google Maps, or Street View.
The issue affects only images (tiles), while other parts of the pages load smoothly.

For selected services (e.g. mapserver.mapy.cz, panorama-mapserver.mapy.cz), we created Custom Applications/Sites and added them to bypass rules for HTTPS Inspection, which helped. However, on other portals where a large number of image requests occur, the slowdowns still persist.

Context:

  • Firewall: R81.20 - Build 043, KSFW, 16 cores, 14 fw_worker instances

  • QUIC is blocked

  • HTTPS Inspection is enabled with categorization, 0% accelerated connections

  • CPASXL traffic is around 40% of total traffic

  • Latency increases, especially with a larger number of image requests

  • Browsers: Chrome/Edge/Firefox (latest versions), OS: Windows 10/11

  • MS Defender and Windows policies are up-to-date

  • Perf and Spike Detective show load on fw_worker threads (e.g. kiss_thin_nfa_exec_one_buf_parallel_xlate, cmi_execute_ex)

Questions:

  • Do you have any recommendations on how to effectively deal with slowdowns during inspection of large numbers of image requests?

  • Is there a way to bypass only image requests (e.g. by MIME type, file path, or pattern), but inspect all other traffic?

  • Has anyone seen improvements by switching to USFW mode, if the issue was related only to TLS inspection of map tiles?

  • Could recent Windows or browser updates have impacted TLS handshake behavior and caused additional inspection load?

Thanks for any insight – we welcome even small real-world experiences.

Labels
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2025-05-08 05:35 AM
Jump to solution

Do you have Policy-Based Routing enabled?  There is a known problem with PBR and Active Streaming: sk183194: Slow web browsing to the Internet and download of files is stuck

Also make sure that OCSP and CRL Retrieval are working: Unreached OCSP - causes serious lag

If you have persistent high latency for Internet traffic, there was an issue with Active Streaming where it would not allow the TCP window to scale up far enough to counteract the high latency, but that should have been fixed awhile ago: HTTPS Inspection Limiting TCP receive window to 262144 bytes and limiting throughput of tcp stream

Also be very sure you are NOT using "Any" in the Destination or Services fields of any HTTPS Inspection rules, as this will drag huge amounts of traffic into Active Streaming that should not be there.

Finally you may need to do some tuning of Active Streaming by adjusting the variable cpas_max_burst among others as mentioned here: https://community.checkpoint.com/t5/Security-Gateways/81-20-Performance-CPU-issue/m-p/214709#M40990

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

(1)
18 Replies
PhoneBoy
Admin
Admin
‎2025-05-07 02:01 PM
Jump to solution

It is not technically feasible to bypass HTTPS Inspection for a specific resource (type) on a page as the decision to bypass or inspect must be made before the encryption is negotiated.

The only reason I can think of for images specifically to be slower is because they are being processed by a Threat Prevention blade.
What Threat Prevention blades are active on this gateway and do you see any logs that might indicate this?

the_rock
Legend
Legend
‎2025-05-07 02:45 PM
Jump to solution

Maybe make sure what I attached is set to background, it can help.

Andy

Preview file
91 KB
Preview file
91 KB
Chris_Atkinson
Employee Employee
Employee
‎2025-05-07 04:36 PM
Jump to solution

Thanks for providing the major version used, what JHF/Jumbo take & enabled_blades?

CCSM R77/R80/ELITE
0 Kudos
Lesley
Authority Authority
Authority
‎2025-05-08 01:38 PM
In response to Chris_Atkinson
Jump to solution

indeed need to know jumbo to see open bugs.

+ have you seen optional and recommended bypass in this SK? https://support.checkpoint.com/results/sk/sk163595

if complains are with google worth to bypass that is listed here. 

Do you have any RAD errors? (a few is OK, loads is worth checking)

https://support.checkpoint.com/results/sk/sk182859

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
konecnyl
Participant
‎2025-05-08 11:55 PM
In response to Chris_Atkinson
Jump to solution

Thanks for your reply! Here are the details:

  • Version: R81.20

  • Jumbo Hotfix: Take 92

  • Enabled Blades: Firewall, Application Control, URL Filtering, HTTPS Inspection, Identity Awareness, Threat Emulation, Anti-Virus, Anti-Bot, IPS

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-05-09 06:02 AM
In response to konecnyl
Jump to solution

Take 99 (bundling fixes from previous JHFs) includes some AppC fixes including for gzip encoded flows, possibly relevant.

 

CCSM R77/R80/ELITE
(1)
the_rock
Legend
Legend
‎2025-05-09 06:25 AM
In response to Chris_Atkinson
Jump to solution

Definitely good idea Chris.

I do see below in the notes as well.

Andy

PRJ-52612,
PRHF-31058

SSL Inspection

NEW: This Take introduces a fail-open mechanism for HTTPS Inspection with Hardware Security Module (HSM) integration. If the HSM becomes unavailable, TLS connections now automatically bypass HTTPS Inspection, ensuring continuous network connectivity.
(1)
the_rock
Legend
Legend
‎2025-05-07 06:09 PM
Jump to solution

Let me take a crack at the questions...

Andy

  • Do you have any recommendations on how to effectively deal with slowdowns during inspection of large numbers of image requests?

I would check background vs hold mode settings I attached in my screenshots in the previous response

  • Is there a way to bypass only image requests (e.g. by MIME type, file path, or pattern), but inspect all other traffic?

Not that Im aware of, unless you know the EXACT fqdn

  • Has anyone seen improvements by switching to USFW mode, if the issue was related only to TLS inspection of map tiles?

Personally, I never had an issue regardless of the mode I was using

  • Could recent Windows or browser updates have impacted TLS handshake behavior and caused additional inspection load?

Definitely not, as I had not had any issues in my lab due to those updates

Timothy_Hall
Legend Legend
Legend
‎2025-05-08 05:35 AM
Jump to solution

Do you have Policy-Based Routing enabled?  There is a known problem with PBR and Active Streaming: sk183194: Slow web browsing to the Internet and download of files is stuck

Also make sure that OCSP and CRL Retrieval are working: Unreached OCSP - causes serious lag

If you have persistent high latency for Internet traffic, there was an issue with Active Streaming where it would not allow the TCP window to scale up far enough to counteract the high latency, but that should have been fixed awhile ago: HTTPS Inspection Limiting TCP receive window to 262144 bytes and limiting throughput of tcp stream

Also be very sure you are NOT using "Any" in the Destination or Services fields of any HTTPS Inspection rules, as this will drag huge amounts of traffic into Active Streaming that should not be there.

Finally you may need to do some tuning of Active Streaming by adjusting the variable cpas_max_burst among others as mentioned here: https://community.checkpoint.com/t5/Security-Gateways/81-20-Performance-CPU-issue/m-p/214709#M40990

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(1)
konecnyl
Participant
‎2025-05-09 05:55 AM
In response to Timothy_Hall
Jump to solution

So far, we've identified the following issues in the logs:

RAD request exceeded maximum handling time, check /opt/CPsuite-R81.20/fw1/log/rad_events/Errors/flow_61468_20244022 for more details

[rad_http_response_handler.cpp:27] CRadHttpResponseHandler::goToNextTask: [INFO] enter to ...
[rad_response_task.cpp:19] CRadResponseTask::CRadResponseTask: [INFO] enter to ...
[rad_decrypted_response_task.cpp:24] CRadDecryptedResponseTask::CRadDecryptedResponseTask: [INFO] enter to ...

Unreached OCSP (HTTPS Inspection blade):
Failed to fetch OCSP. Make sure the security gateway has an outgoing HTTP access, and that the proxy and DNS servers are well configured.
Refer to sk159872 for more details.
Certificate DN: 'CN=cas.avalon.perfdrive.com'
Requested Server Name: cas.avalon.perfdrive.com

0 Kudos
PhoneBoy
Admin
Admin
‎2025-05-09 09:12 AM
In response to konecnyl
Jump to solution

The inability to fetch OCSP from the gateway would definitely cause the slowness issues.
Specifically, these connections are made from the gateway to verify the certificate on the remote end.
Ensure the gateway has outgoing HTTP access and proxy/DNS settings are correct.

0 Kudos
konecnyl
Participant
‎2025-05-09 11:27 AM
In response to Timothy_Hall
Jump to solution

In the end, it turned out that applying the hotfix to Take 99 helped – the response time is now instant.
We have PBR enabled, so we followed sk183194: Slow web browsing to the Internet and download of files is stuck.
We also removed the newly created bypass rules. All related processes, such as fw_worker and rad (which was previously at 290% CPU), have significantly dropped in the top output.

So far, I haven't had the chance to test it thoroughly, mainly due to lower employee activity today, but it looks like the overall CPU load on the gateway has also improved.

Because of the lower usage today, I will do full testing again on Monday – but I already dare to say that the issue is resolved.

Thank you for your valuable advice – it helped a lot.
And I apologize for the delayed replies and maybe some nervousness.

Lukas

konecnyl
Participant
‎2025-05-09 03:52 AM
Jump to solution

After further investigation, we found that the issue is not limited to image loading – it's a general slowness in browsing websites and internet access. When we apply a full HTTPS Inspection bypass for the affected user, the response time becomes instant and the issue disappears.

0 Kudos
the_rock
Legend
Legend
‎2025-05-09 03:55 AM
In response to konecnyl
Jump to solution

Did you check settings from the screenshots I sent initially? I really believe if those are wrong, it could cause such issue.

Andy

0 Kudos
konecnyl
Participant
‎2025-05-09 05:48 AM
In response to the_rock
Jump to solution

Yes, I checked the settings from your screenshots.

The first option is configured exactly as in your screenshot.

For the second option, I changed it from Custom to Background, but unfortunately it did not improve the situation.

Lukas

the_rock
Legend
Legend
‎2025-05-09 05:59 AM
In response to konecnyl
Jump to solution

Just saw your last response...did you check with TAC if it indeed could be RAD related? If so, maybe check out below discussion.

Andy

https://community.checkpoint.com/t5/Security-Gateways/URL-filtering-blade-RAD-process-causing-high-C...

konecnyl
Participant
‎2025-05-09 11:27 AM
In response to the_rock
Jump to solution

In the end, it turned out that applying the hotfix to Take 99 helped – the response time is now instant.
We have PBR enabled, so we followed sk183194: Slow web browsing to the Internet and download of files is stuck.
We also removed the newly created bypass rules. All related processes, such as fw_worker and rad (which was previously at 290% CPU), have significantly dropped in the top output.

So far, I haven't had the chance to test it thoroughly, mainly due to lower employee activity today, but it looks like the overall CPU load on the gateway has also improved.

Because of the lower usage today, I will do full testing again on Monday – but I already dare to say that the issue is resolved.

Thank you for your valuable advice – it helped a lot.
And I apologize for the delayed replies and maybe some nervousness.

Lukas

the_rock
Legend
Legend
‎2025-05-09 11:37 AM
In response to konecnyl
Jump to solution

Awesome job!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events