Ted.elg increased a lot - Check Point CheckMates

Step Into the Future of
AI-Powered Cyber Security

Register Now

The State of Ransomware Q1 2026
Key Trends and Their Impact

Register Here

AI Security Masters E8:
Claude Mythos: New Era in Cyber Security

Register Now!

Blueprint Architecture for Securing
The AI Factory & AI Data Center

Learn More!

Call For Papers
Your Expertise. Our Stage

Learn More!

CheckMates Go:
CheckMates Fest

Listen Now

16 Replies

139 KB

36 KB

Hi checkmates, I have a problem:

The file "ted.elg" increase a lot and this fills the disk in the active gateway. The Threat Emulation and Threat Extraction blades are not enabled.

We are running a cluster in R80.40

This appears in the ted.elg file (attached image)

Did anything like that happen to anybody else?

139 KB

36 KB

Hi checkmates, I have a problem:

The file "ted.elg" increase a lot and this fills the disk in the active gateway. The Threat Emulation and Threat Extraction blades are not enabled.

We are running a cluster in R80.40

This appears in the ted.elg file (attached image)

Did anything like that happen to anybody else?

139 KB

36 KB

Hi checkmates, I have a problem:

The file "ted.elg" increase a lot and this fills the disk in the active gateway. The Threat Emulation and Threat Extraction blades are not enabled.

We are running a cluster in R80.40

This appears in the ted.elg file (attached image)

Did anything like that happen to anybody else?

139 KB

36 KB

Hi andy thanks for the response

No, nothing in threat prevention policy is installed on this GW

regards

Hi andy thanks for the response

No, nothing in threat prevention policy is installed on this GW

regards

Can you send a screenshot?

Andy

Best,
Andy
"Have a great day and if its not, change it"

Can you send a screenshot?

Andy

Best,
Andy
"Have a great day and if its not, change it"

Yes, of course

This TP policies are for another cluster and are instaled on that cluster. The GW what have this issue is the one in the other image

43 KB

2 KB

Yes, of course

This TP policies are for another cluster and are instaled on that cluster. The GW what have this issue is the one in the other image

43 KB

2 KB

What happens if you delete the file? Does it go back to unusual size after some time?

Best,
Andy
"Have a great day and if its not, change it"

What happens if you delete the file? Does it go back to unusual size after some time?

Best,
Andy
"Have a great day and if its not, change it"

Yes, after delete this file it returned to unusual sizes and again fills the disk after some time, it never stops typing it with the same error ( the error of the image that I sent in the original post)

Yes, after delete this file it returned to unusual sizes and again fills the disk after some time, it never stops typing it with the same error ( the error of the image that I sent in the original post)

As last resort, if you can reboot fw, try that. If not, I would suggest contact TAC, this is worth investigating more.

Best,
Andy
"Have a great day and if its not, change it"

As last resort, if you can reboot fw, try that. If not, I would suggest contact TAC, this is worth investigating more.

Best,
Andy
"Have a great day and if its not, change it"

We reboot the cluster and the problem happened in the another cluster member too.

We reboot the cluster and the problem happened in the another cluster member too.

Definitely get in touch with TAC.

Best,
Andy
"Have a great day and if its not, change it"

Definitely get in touch with TAC.

Best,
Andy
"Have a great day and if its not, change it"

Thanks for your time, we’ll open a case

Thanks for your time, we’ll open a case

Im really sorry, I wish I could have given you some sort of good suggestion. I never seen this problem before, so not really sure why it happens. Maybe someone else in the community will have an idea...one thing though that came to my mind is, can you run ps -auxw command and top as well, just to see if there is a process that could be consuming high memory/cpu that might potentially cause this to happen?

Andy

Best,
Andy
"Have a great day and if its not, change it"

Im really sorry, I wish I could have given you some sort of good suggestion. I never seen this problem before, so not really sure why it happens. Maybe someone else in the community will have an idea...one thing though that came to my mind is, can you run ps -auxw command and top as well, just to see if there is a process that could be consuming high memory/cpu that might potentially cause this to happen?

Andy

Best,
Andy
"Have a great day and if its not, change it"

Here are the outputs

165 KB

265 KB

245 KB

274 KB

321 KB

249 KB

Here are the outputs

165 KB

265 KB

245 KB

274 KB

321 KB

249 KB

Just a shot in the dark here...but, one that that struck me from those outputs is that fwd is consuming unusually high amount of cpu, 30 plus % and then all fw workers about 10% each, which amount to more than 60% right there. I know this might be a bit extreme to try, but just to be 100% positive its not corexl related, if its enabled, I would try disable it as a test and reboot (can be done via cpconfig command). Not sure if thats something you could try, but it would be worth, just to confirm, for sure.

Best,
Andy
"Have a great day and if its not, change it"

Just a shot in the dark here...but, one that that struck me from those outputs is that fwd is consuming unusually high amount of cpu, 30 plus % and then all fw workers about 10% each, which amount to more than 60% right there. I know this might be a bit extreme to try, but just to be 100% positive its not corexl related, if its enabled, I would try disable it as a test and reboot (can be done via cpconfig command). Not sure if thats something you could try, but it would be worth, just to confirm, for sure.

Best,
Andy
"Have a great day and if its not, change it"

Hi Bruno

Did you solve it? I have the same behavior in a cluster in R81.10 ...

Regards

JR

Hi Bruno

Did you solve it? I have the same behavior in a cluster in R81.10 ...

Regards

JR

TE is not enabled?

Does the following command return output?

tecli advanced attributes show | grep -i log

CCSM R77/R80/ELITE

TE is not enabled?

Does the following command return output?

tecli advanced attributes show | grep -i log

CCSM R77/R80/ELITE

Hi Jefferson,

I have sent you a direct message, please check your inbox.

I would like to get more details about the behavior.

BR,

Shiran

Hi Jefferson,

I have sent you a direct message, please check your inbox.

I would like to get more details about the behavior.

BR,

Shiran