This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
r1der
Advisor
‎2025-04-25 09:02 AM
Jump to solution

Unusual higher that average CPU

Greetings all, I am observing a higher than average CPU usage on one of our gateways.
We normally hover in the low CPU usage percentages, but yesterday I noticed we were hovering around 50% and staying there.
I looked at top -H and saw the rad_resp_slow_0, rad_resp_slow_1, and rad_resp_slow_2 processes using a lot of CPU. 
I'm afraid we're being attacked or something is going on, but I can't identify what is causing these. Is there a report or view in SmartConsole that can show me like blade usages perhaps? I'm not sure where to go from here now that I've identified processes using the CPU. 

 

According to support (SR#6-0004255887), this is the Resource Awareness Daemon, and helps with managing anti-malware policies, etc. I was told it could be due to complex rulebase or policy operations, however I don't recall changing or adding any new policies.
My only guess would be IPS? 

Should I do this?
 Solved: High CPU on Security Gateway caused by RAD service... - Check Point CheckMates

Where would you start?

 

Thanks!

Preview file
247 KB
Preview file
519 KB
Preview file
424 KB
0 Kudos
1 Solution

Accepted Solutions
r1der
Advisor
‎2025-05-01 02:49 PM
In response to the_rock
Jump to solution

So far Take 174 for R81.10 seems to be the fix. Still monitoring of course, but looks good.
(Flat line due to switching to secondary gateway) but you see the CPU usage creeping up again towards May1.

View solution in original post

Preview file
20 KB
14 Replies
the_rock
Legend
Legend
‎2025-04-25 09:06 AM
Jump to solution

Hey mate,

See if below discussion helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/URL-filtering-blade-RAD-process-causing-high-C...

the_rock
Legend
Legend
‎2025-04-25 09:32 AM
Jump to solution

You could try disable IPS, does not hurt, and see if it helps. Just uncheck the blade, install policy.

Andy

r1der
Advisor
‎2025-04-25 10:14 AM
In response to the_rock
Jump to solution

Thanks, I'm going to go through that post.

*Update* I was curious if moving to the standby gateway will help. So I performed admin failover and I am back down to 4% ~ but I'm not sure what was happening with the other gateway. I'm going to let it sit for a bit to see if CPU starts increasing again, and then move it back to the gateway that was having high cpu.

the_rock
Legend
Legend
‎2025-04-25 10:20 AM
In response to r1der
Jump to solution

Thats how I fixed it last few times...failover, leave it for a day, fail back...done.

Andy

Chris_Atkinson
Employee Employee
Employee
‎2025-04-25 06:32 PM
In response to r1der
Jump to solution

Careful a failover may simply have temporarily masked the condition...

Which version/JHF is used? Note there are some worthwhile fixes in R81.20 JHF T99 that may be relevant.

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2025-04-25 06:46 PM
In response to Chris_Atkinson
Jump to solution

Good point Chris. Thats why I said probably not a bad idea to leave the other member as master day or two, just to be on a safe side and then fail back.

Andy

0 Kudos
r1der
Advisor
‎2025-04-29 03:30 PM
In response to Chris_Atkinson
Jump to solution

Hi Chris, yes, I agree it probably is just temporarily masking the issue.
Yesterday and today, I saw the active gateway hover higher than normal CPU. 
We're on R81.10 Jumbo Hotfix Take 172. @the_rock I am upgrading SMS/GW1 to R81.10 Take 174 and failing over tomorrow.
I have a support case with TAC and they also advise to update based on this:
List of All Resolved Issues and New Features in R81.10 Jumbo Hotfix Accumulator

PRJ-58089,
PMTR-109845

Security Gateway

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.
0 Kudos
the_rock
Legend
Legend
‎2025-04-29 03:36 PM
In response to r1der
Jump to solution

Good idea...that take shows recommended anyway.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-04-27 06:02 PM
In response to r1der
Jump to solution

Hey mate,

Any luck with this?

Best,

Andy

0 Kudos
r1der
Advisor
‎2025-05-01 02:49 PM
In response to the_rock
Jump to solution

So far Take 174 for R81.10 seems to be the fix. Still monitoring of course, but looks good.
(Flat line due to switching to secondary gateway) but you see the CPU usage creeping up again towards May1.

Preview file
20 KB
the_rock
Legend
Legend
‎2025-05-01 02:55 PM
In response to r1der
Jump to solution

Great job!

the_rock
Legend
Legend
‎2025-05-01 05:33 PM
In response to r1der
Jump to solution

For what its worth, I now suggest to everyone based on my extensive lab testing, mgmt on R82, gateways R81.20 jumbo 99, works real well. I would not bother with gateways to R82 yet, at least until its recommended version, which I believe will be soon, but even then, would give it month or two.

Hope that helps.

Andy

0 Kudos
maad-pul
Contributor
‎2025-05-27 01:37 AM
In response to the_rock
Jump to solution

Hi All,

When patched to R81.20 TAKE99  (which was done yesterdag) is SK182859 relevant then?

I still see som problems in Anti-Bot & Anti-Virus Blade, but much fewer then before patching.

Should I still implement this, the "solution" based on this threat? Edit "rad_max_concurrent_requests" from 2500 to 5000"
https://community.checkpoint.com/t5/Security-Gateways/High-CPU-on-Security-Gateway-caused-by-RAD-ser...

PRJ-58090,
PMTR-109845

Security Gateway

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.



/Mattias

0 Kudos
r1der
Advisor
‎2025-07-28 02:53 PM
In response to maad-pul
Jump to solution

Hey, sorry I didn't get notifications for this and haven't logged on here in a while. Hopefully you have your issues resolved by now. 

I didn't have to edit "rad_max_concurrent_requests", since patching fixed my issue. I'd start a TAC Case just to be sure if I were you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events