This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2025-04-14 10:10 AM
Jump to solution

URL filtering blade (RAD process) causing high CPU tip

Hey guys,

Just a quick tip, though Im sure most of you may know, referring to below post:

https://community.checkpoint.com/t5/Security-Gateways/High-CPU-on-Security-Gateway-caused-by-RAD-ser...

Customer tried value of 50000 in guidbeedit, no change, so once we did failover, all worked fine. I asked them to install jumbo 99 on the cluster (currently on jumbo 98).

mgmt -> R81.20 jumbo 99

gw cluster -> R81.20 jumbo 98

Btw, if its standalone or just a single gateway, usually cprestart would work, or reboot, but just keep in mind that since cpstop unloads the policy, there would be disruption for short time.

Something to keep in mind if you ever encounter RAD process causing high CPU.

Cheers,

Andy

0 Kudos
1 Solution

Accepted Solutions
D_W
Advisor
‎2025-04-20 02:46 PM
In response to GigaYang
Jump to solution

 https://support.checkpoint.com/results/sk/sk182859 fixed this on our site.

View solution in original post

(1)
41 Replies
D_W
Advisor
‎2025-04-15 05:27 AM
Jump to solution

We had similar issues with RAD High CPU on some systems but solution was to disable the RAD "autodebug" feature.
sk182859 

the_rock
Legend
Legend
‎2025-04-15 05:33 AM
In response to D_W
Jump to solution

Awesome, thanks @D_W 

0 Kudos
the_rock
Legend
Legend
‎2025-04-15 07:05 AM
In response to D_W
Jump to solution

Hey @D_W 

I read that sk again and shows product as anti-bot, did you apply it in the past for URLF issue and worked okay?

Andy

0 Kudos
D_W
Advisor
‎2025-04-15 07:12 AM
In response to the_rock
Jump to solution

Yes I was searching for an URLF Issue - new rule did not hit - then I saw the CPU is high and a lot of these messages in the Loggrafik.png

 

0 Kudos
the_rock
Legend
Legend
‎2025-04-15 07:14 AM
In response to D_W
Jump to solution

Ah, got it. I dont believe my customer had those logs, they just noticed cpu when running top was showing 180% on rad process.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-04-15 07:27 AM
In response to the_rock
Jump to solution

Right, CPU over 100% on RAD is not necessarily a problem as it is multi-threaded.  However high RAD CPU accompanied with laggy Internet surfing performance may be related.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
Legend
Legend
‎2025-04-15 07:28 AM
In response to Timothy_Hall
Jump to solution

Yep, thats exactly issue they had, laggy surfing.

Andy

0 Kudos
r1der
Advisor
‎2025-04-25 10:30 AM
In response to the_rock
Jump to solution

Weird, I had the same issue - laggy surfing. No one had said anything though.
All along I thought it was my https inspection settings I was testing on myself.

0 Kudos
the_rock
Legend
Legend
‎2025-04-25 10:33 AM
In response to r1der
Jump to solution

Thats why we all share ideas my friend ; )

Henrik_J
Contributor
‎2025-04-15 07:52 AM
In response to D_W
Jump to solution

With the new generation of Quantum Gateways which are running SecureXL in User Space, we've also seen a lot of CPU and stability issues.

UPPAK has created issues with Hyperflow where Dynamic Balancing stops working due to interface state mismatch when trying to reallocate back cores.

Also some known crashes with UPPAK.

So if you're running new quantum GWs, I'd be on lookout for performance issues and bugs.

the_rock
Legend
Legend
‎2025-04-15 07:54 AM
In response to Henrik_J
Jump to solution

Thanks for that @Henrik_J 

Andy

0 Kudos
Jan_Kleinhans
Advisor
‎2025-04-16 06:39 AM
In response to Henrik_J
Jump to solution

We have also such issues with 19200 and UPPAK. Also Hyperflow causes issues in KPPAK on one of our clusters. We disabled it for the moment as we want to go to UPPAK again, as we want to use the hardware acceleration of the nvidia network cards.

the_rock
Legend
Legend
‎2025-04-16 06:43 AM
In response to Jan_Kleinhans
Jump to solution

Thanks for the feedback guys, appreciated.

Andy

0 Kudos
Henrik_J
Contributor
‎2025-04-16 06:55 AM
In response to Jan_Kleinhans
Jump to solution

Interesting.

We have yet to see an hyperflow issue on our 9300.
But we'll be on lookout.

I assume disabling it requires a restart with no issues to ClusterXL Sync?

Jan_Kleinhans
Advisor
‎2025-04-16 07:06 AM
In response to Henrik_J
Jump to solution

We had issues with long lasting TCP sessions like RDP, Citrix HDX or MSSQL. We had entries like this:

 

[11 Mar 9:06:03][fw4_11];[vs_5];psl_send_data: send_cookie_f failed [11 Mar 9:06:03][fw4_11];[vs_5];psl_send_flags: could not send cookie [11 Mar 9:06:03][fw4_19];[vs_5];cphwd_send_cookie: cphwd_send_packet failed [11 Mar 9:06:03][fw4_19];[vs_5];fwpslglue_send: cphwd_send_cookie failed [11 Mar 9:06:03][fw4_19];[vs_5];psl_glue_send_cookie: error, fwpslglue_send failed to send cookie, conn=<dir 1, 172.18.64.73:62975 -> 172.16.80.107:3389 IPP 6> [11 Mar 9:06:03][fw4_19];[vs_5];psl_send_data: send_cookie_f failed [11 Mar 9:06:03][fw4_19];[vs_5];psl_send_flags: could not send cookie

We disabled it via 

connection_pipelining advanced prevent

This doesn't need a reboot and does not harm ClusterXL.

 

Regards,

 

Jan

0 Kudos
the_rock
Legend
Legend
‎2025-04-17 11:56 AM
In response to Jan_Kleinhans
Jump to solution

Very good to know!

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-04-15 07:06 AM
Jump to solution

Great tip, the RAD is discussed extensively in my Gateway Performance Optimization course.  The RAD was enhanced and also multi-threaded during version R80.40 which solved a lot of the old problems, but the amount of chatter between the gateway inspection code and the ThreatCloud just keeps on relentlessly increasing, and the RAD still gets in trouble occasionally.  Here is the most up-to-date content from my course:

rad1.pngrad2.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
Legend
Legend
‎2025-04-15 07:13 AM
In response to Timothy_Hall
Jump to solution

I was waiting for a response from a TRUE LEGEND, aka @Timothy_Hall  : - )

Thank you!

Andy

0 Kudos
_Val_
Admin
Admin
‎2025-04-16 01:13 AM
Jump to solution

Did you see sk110501 yet?

0 Kudos
GigaYang
Collaborator
‎2025-04-20 01:50 PM
In response to _Val_
Jump to solution

We have also seen high CPU load caused by RAD Daemon in recent days, and it is confirmed to be related to Anti-Bot.

We found a large number of abnormal records in SmartLog (such as attachments), but we are currently unclear about the source of these connections. Any suggested analysis methods?

Thanks

Preview file
34 KB
0 Kudos
the_rock
Legend
Legend
‎2025-04-20 02:11 PM
In response to GigaYang
Jump to solution

I actually observed the same in R82 lab as well after enabling AB blade...mind you, had not seen it since installing jumbo 14, so thats a good sign.

Andy

0 Kudos
GigaYang
Collaborator
‎2025-04-20 02:39 PM
In response to the_rock
Jump to solution

Thanks for the assistance.

What I don't understand is that most of these records are related to AWS EC2 and Google GCP addresses, but when I collected packets through Tcpdump, I couldn't find any relevant information, which made me unsure whether it was unrelated to the attack. There are about dozens of such records per minute.

I have checked some records through Virustotal, and most of them are fine.

0 Kudos
the_rock
Legend
Legend
‎2025-04-20 02:41 PM
In response to GigaYang
Jump to solution

I found in my lab, what I had to do to get around this, was add bunch of bypass rules, which is not really optimal, in my opinion.

Andy

0 Kudos
D_W
Advisor
‎2025-04-20 02:46 PM
In response to GigaYang
Jump to solution

 https://support.checkpoint.com/results/sk/sk182859 fixed this on our site.

(1)
the_rock
Legend
Legend
‎2025-04-20 02:48 PM
In response to D_W
Jump to solution

Excellent! Hey @GigaYang , worth doing that sk, seems 100% related.

Andy

0 Kudos
GigaYang
Collaborator
‎2025-04-20 02:50 PM
In response to D_W
Jump to solution

Thanks for the assistance.

I have applied to the company to execute this SK a few days ago, hoping to solve this problem.

0 Kudos
the_rock
Legend
Legend
‎2025-04-20 02:57 PM
In response to GigaYang
Jump to solution

I just checked my notes from last year (literally day after the sk was written), when one customer had this problem and that sk also worked for them, so its very likely it would fix it for you as well.

Andy

0 Kudos
GigaYang
Collaborator
‎2025-04-20 04:13 PM
In response to the_rock
Jump to solution

After we adjusted according to the steps in sk182859, CPU Loading recovered immediately. But we found that the memory usage of the firewall rose to 70%, of which fwk0_dev_0 accounted for 50%. Has anyone encountered this situation before?

Preview file
39 KB
0 Kudos
the_rock
Legend
Legend
‎2025-04-20 04:15 PM
In response to GigaYang
Jump to solution

What do cpview and top show? Those would be best indicators, in my view.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events