- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Following sk182137 - "Internal system error in HTTPS Inspection due to categorization service error (Trap erro... the setting of "number_of_threads" should be changed from (0) to (10).
Please can someone confirm changing these settings ?
We are investigating some issues with high CPU for RAD procces and problematic Internet access. I've found this value is always set to (0) after installation. Does the RAD process runs multithread after changing ? I thought RAD is already multithreaded with the newer releases ?
our log is flooded with errors like this:
Error occurred while accessing:XXXXXXXXXXXXXXXXXXXXXX.profile.iah50-c2.cloudfront.net
RAD request exceeded maximum handing time, check /opt/CPsuite-R81.20/fw1///log/rad_events/Errors/flow_23307_643249
timeout values for URLF and AMWS are already changed to 7200 in rad_conf.C
I have a case opened for various RAD issues since October last year. This is one of them. This "number_of_threads" variable was changed by the assigned engineer and R&D multiple times from 0 to double the cores. The last recommended setting is "1".
I would suggest to open a case (if you have a contract) - hopefully, the RAD problems will get more attention.
This is our current $FWDIR/conf/rad_conf.C:
(
:urlfs_service_check_seconds (7200)
:amws_service_check_seconds (7200)
:cpu_cores_as_number_of_threads (false)
:number_of_threads (1)
:threads_to_cores_ratio (0.334)
:minimal_resources_usage_ratio (0.2)
:number_of_threads_fast_response (4)
:number_of_threads_slow_response (5)
:number_of_threads_zph_response (0)
:number_of_threads_update (0)
:queue_max_capacity (4000)
:debug_traffic (false)
:use_dns_cache (true)
:dns_cache_timeout_sec (2)
:use_ssl_cache (true)
:cert_file_name ("ca-bundle.crt")
:cert_type ("CRT")
:ssl_version ("TLSv1_0")
:ciphers ("TLSv1")
:autodebug (false)
:timeout_events (false)
:normal_flow_events (false)
:log_timeouts (false)
:log_errors (true)
:number_of_reports (512)
:max_repository_multiplier (20)
:flow_timeout (6)
:excessive_flow_timeout (120)
:transfer_timeout_sec (100)
:max_flows (3500)
:max_pc_in_reply (0)
:max_reqs_per_conn_pool (50)
:retry_mechanism_on (true)
:max_retries (25)
:retry_peroid_mins (15)
:happy_eyeballs_timeout (200)
:large_scale_min_cpus (100)
:large_scale_max_threads (70)
:max_threads (32)
)
Oh yes, and set these to "false":
:debug_traffic (false)
:autodebug (false)
Looks like RAD does not cache the results and queries http://cws.checkpoint.com for each and every passing URL, even if they are constantly repeated. I already proved that to R&D twice, but, apparently, they are still not convinced...
Some other thoughts. RAD uses plain HTTP to send all domain names addressed from within the company to CheckPoint in, literally, plain text in the URL. What does not look good from the privacy and confidentiality perspective.
It also does not look good from the performance perspective, because instead of creating one HTTPS connection, and sending names/URLs inside the channel, RAD uses curl on the per name basis.
Obviously, the absence of caching and using CURL instead of a single HTTPS channel means very easy and simple programming, but at what expense?
Yes the RAD daemon has had a long and checkered past; when it starts to struggle Internet surfing performance begins to suffer in noticeable ways. It got much better in R80.40 when they redid the daemon and multi-threaded it. The requests sent by RAD are indeed sent in the clear but that can be changed. If you are seeing the RAD daemon request the same site over and over again, the URL cache may be thrashing and need to be increased. All these topics are covered in by Gateway Performance Optimization Course; the relevant pages for RAD are below:
@Timothy_Hall I was actually going through your book (2nd edition from 2018 is one I got on Amazon in 2023), but dont see that section. Maybe it was not listed in that release, but I totally get the point you made, had that issue happen with customers few times before.
Andy
> the URL cache may be thrashing and need to be increased.
They are already increased to 250-300k in dbedit:
Other > rad_services > [malware_rad_service_0 ; dns_rad_service_0 ; urlf_rad_service_0] up to cache_max_hash_size
Since every request goes to the CP site, either the cache is not used (a bug) or the cache is not expired/renewed (a bug).
"RAD over HTTPS " is a simple replacement HTTP with HTTPS, not creating a single connection I was talking about, hence the performance is obviously degraded.
Also, you might want to increase the cache sizes in GUIDBEdit for:
Other > rad_services > [malware_rad_service_0 ; dns_rad_service_0 ; urlf_rad_service_0] up to cache_max_hash_size
I see all @AlekzNet is saying. Personally, I would still confirm all this with TAC.
Any changes to $FWDIR/conf/rad_conf.C: I would recommend to consult with TAC.
Every setup is different and require different values.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
16 | |
8 | |
8 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 | |
3 |
Tue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY