K, so it is correct. I would probably open TAC case to look into it further.

Andy

I would 100% take the advice of @Timothy_Hall . I feel if there is anyone out there who knows this stuff, its him. Man even wrote a section of the book about this topic : - )

Andy

You have 9.8GB of memory available (not free) out of 32GB so you have plenty of memory; your firewall is not dipping into swap space and as such is not struggling for memory.   fwk0_dev_0 is expected to consume a large amount of memory as it is the lead process for all of your Firewall Worker Instance threads when the firewall is in USFW mode. While top is running hit SHIFT-H and you will be able to see all the individual fwk threads representing the worker instances in your CoreXL split, it looks like you did that in your second screenshot.   I don't see anything in your screenshots that is not expected behavior.

Thanks for the answers.
But what I don't understand is why all this happened after I adjusted the RAD settings.

I get your point, for sure @GigaYang . Thats why I think having TAC verify would not be a bad idea.

Andy

I think the only way to know 100% if process from the sk caused that issue would be to revert. Maybe its too coincidental, but we cant be certain.

Andy

Thanks

We have already set up TAC in the past few days.

Support has responded that this situation has nothing to do with sk182859. sk182859 has successfully solved our previous CPU overshoot problem.

Support is expected to conduct a remote inspection this afternoon, and I will report back here later.

K, sounds good!

Hey @GigaYang , any news after remote with TAC?

Andy

Hi Andy,
Thank you for your assistance.

Support believes that we have correctly implemented sk182859 and resolved the CPU issue caused by RAD Daemon.

But he thinks the memory problem is caused by increased traffic/connections. In our Rule Base, there is a rule (#24) that causes all subsequent rules to be executed in the F2F path. He also suspected that the problem might be caused by IPS.

However, none of these instructions can explain why memory usage increases immediately after executing sk182859 and remains at 75%. So he finally guessed that Memoey Leaking might be the last reason and suggested us sk35496. However, as far as I understand, Memoey Leaking usually increases slowly, and no Memoey Leaking problem was detected in the HCP Report.

In addition, there is currently no Heavy Traffic connection in our system.

Finally, the memory usage status for the past month is provided.

Hi All,

When patched to R81.20 TAKE99  (which was done yesterdag) is SK182859 relevant then?

I still see som problems in Anti-Bot & Anti-Virus Blade, but much fewer then before patching.

Should I still implement this, the "solution" based on this threat? Edit "rad_max_concurrent_requests" from 2500 to 5000"
https://community.checkpoint.com/t5/Security-Gateways/High-CPU-on-Security-Gateway-caused-by-RAD-ser...

/Mattias