This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BrunoCiongoli
Collaborator
‎2022-03-29 09:46 AM

Ted.elg increased a lot

Hi checkmates, I have a problem:

 

The file "ted.elg" increase a lot and this fills the disk in the active gateway. The Threat Emulation and Threat Extraction blades are not enabled.

 

We are running a cluster in R80.40

 

This appears in the ted.elg file (attached image) 

 

Did anything like that happen to anybody else?

 

 

 

Preview file
139 KB
Preview file
36 KB
0 Kudos
16 Replies
the_rock
Legend
Legend
‎2022-03-29 11:38 AM

Hey Bruno,

Cant say I ever seen that issue happen myself. Can you ensure there is nothing in threat prevention policy enabled for those blades? I checked my 2 lab fw's and both have this file with size less than 200 Kb.

Andy

Screenshot_1.png

0 Kudos
BrunoCiongoli
Collaborator
‎2022-03-29 01:46 PM
In response to the_rock

Hi andy thanks for the response

No, nothing in threat prevention policy is installed on this GW

 

regards

0 Kudos
the_rock
Legend
Legend
‎2022-03-29 01:47 PM
In response to BrunoCiongoli

Can you send a screenshot?

Andy

0 Kudos
BrunoCiongoli
Collaborator
‎2022-03-29 01:56 PM
In response to the_rock

Yes, of course

This TP policies are for another cluster and are instaled on that cluster. The GW what have this issue is the one in the other image

Preview file
43 KB
Preview file
2 KB
0 Kudos
the_rock
Legend
Legend
‎2022-03-29 02:00 PM
In response to BrunoCiongoli

What happens if you delete the file? Does it go back to unusual size after some time?

0 Kudos
BrunoCiongoli
Collaborator
‎2022-03-29 02:13 PM
In response to the_rock

Yes, after delete this file it returned to unusual sizes and again fills the disk after some time, it never stops typing it with the same error ( the error of the image that I sent in the original post)

0 Kudos
the_rock
Legend
Legend
‎2022-03-29 02:16 PM
In response to BrunoCiongoli

As last resort, if you can reboot fw, try that. If not, I would suggest contact TAC, this is worth investigating more.

0 Kudos
BrunoCiongoli
Collaborator
‎2022-03-29 03:43 PM
In response to the_rock

We reboot the cluster and the problem happened in the another cluster member too.

0 Kudos
the_rock
Legend
Legend
‎2022-03-29 03:47 PM
In response to BrunoCiongoli

Definitely get in touch with TAC.

0 Kudos
BrunoCiongoli
Collaborator
‎2022-03-29 03:50 PM
In response to the_rock

Thanks for your time, we’ll open a case

0 Kudos
the_rock
Legend
Legend
‎2022-03-29 03:56 PM
In response to BrunoCiongoli

Im really sorry, I wish I could have given you some sort of good suggestion. I never seen this problem before, so not really sure why it happens. Maybe someone else in the community will have an idea...one thing though that came to my mind is, can you run ps -auxw command and top as well, just to see if there is a process that could be consuming high memory/cpu that might potentially cause this to happen?

Andy

0 Kudos
BrunoCiongoli
Collaborator
‎2022-03-29 04:11 PM
In response to the_rock

Here are the outputs

Preview file
165 KB
Preview file
265 KB
Preview file
245 KB
Preview file
274 KB
Preview file
321 KB
Preview file
249 KB
0 Kudos
the_rock
Legend
Legend
‎2022-03-29 04:18 PM
In response to BrunoCiongoli

Just a shot in the dark here...but, one that that struck me from those outputs is that fwd is consuming unusually high amount of cpu, 30 plus % and then all fw workers about 10% each, which amount to more than 60% right there. I know this might be a bit extreme to try, but just to be 100% positive its not corexl related, if its enabled, I would try disable it as a test and reboot (can be done via cpconfig command). Not sure if thats something you could try, but it would be worth, just to confirm, for sure.

0 Kudos
JeffersonRomero
Participant
Participant
‎2022-08-26 01:04 PM
In response to BrunoCiongoli

Hi Bruno

Did you solve it? I have the same behavior in a cluster in R81.10 ...

Regards

JR

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-08-26 09:06 PM
In response to JeffersonRomero

TE is not enabled?

Does the following command return output?

tecli advanced attributes show | grep -i log

CCSM R77/R80/ELITE
0 Kudos
Shiran_Gold
Employee
Employee
‎2022-08-29 12:12 AM
In response to JeffersonRomero

Hi Jefferson,

 

I have sent you a direct message, please check your inbox.

I would like to get more details about the behavior.

 

BR,

Shiran

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events