CEEJAY
Participant

MOST INSPECTION ARE BYPASSED R82

Hello, I have encountered this error in my Checkpoint Firewall whenever I install a policy. I am using the R82 version. Based on the SK, this is a new feature for R82. Is this enabled by default? Or is there any way to disable this? I also read in the SK that this error prompts when the load exceeds the accepted threshold in the RAD process and if the Gateway has no connectivity to ThreatCloud. I checked that the gateway can reach the cloud and has connection, so how will I know what the accepted threshold in RAD is?

15 Replies
the_rock
MVP Gold

I can't say for sure, but I can only logically assume that to disable the feature (at least based on the SK) you would set the option in your 2nd screenshot to block.

Again, just my logical thinking.

Best,
Andy
emmap
MVP Gold CHKP

Does the error appear when you install policy and then go away after a minute? Or does it come at other times? If it's only during policy install then you can set up monitoring of it per the SK, install the policy, then check what it outputs and see if that shines a light on anything useful. TAC can help with interpreting it if you need a hand there.

CEEJAY
Participant

Yes, it will sometimes not show and come at other times, but on every install the error will prompt.

emmap
MVP Gold CHKP

OK, yeah, it sounds like you have a load issue or similar. Try the monitoring procedure in the SK article while doing a policy install and see what it says.

CEEJAY
Participant

Yes. I assume that it has a load issue, since based on the SK this will only prompt when there is a load issue or a connectivity issue to the Checkpoint cloud, and based on my checking the gateway can resolve and reach the Checkpoint cloud. What I can't see in the SK is how I can resolve this, or somehow adjust the threshold or disable this feature, since it is only in R82.

CEEJAY
Participant

Hello @emmap, as I noticed now, the error is gone, but after installation it will show again, then it will go away. I'm not sure how long before it goes away, but what I'm sure of is that it will prompt on every policy installation.

PhoneBoy
Admin

Anti-Virus and Anti-Bot generally require real-time access to ThreatCloud.
The "adaptive hold" situation attempts to handle situations where RAD cannot interact with ThreatCloud in a timely manner (either because of connectivity, load, or both).

To disable this (i.e. activate "Maximum Security"), follow the steps in https://support.checkpoint.com/results/sk/sk181434 
Likewise, to monitor the situation, follow the steps in the SK.

CEEJAY
Participant

Yes, but I'm a little bit confused by this SK. Based on the SK, there is a prerequisite for enabling this feature; then, as I was reading the instructions, the error will be encountered if there is a connectivity issue to ThreatCloud or a load issue, but there is no indicated solution to resolve the error. I verified that the gateway can reach the Checkpoint cloud. One thing is: where can I see if the load is exceeding the set threshold, and where can I see this? Because this error only appears since I upgraded from R81.20 to R82.

_Val_
Admin

On the contrary, it is actually straightforward. You need to make sure that your GW has Internet connectivity properly set up, with the ability to resolve DNS and connect to external services.

It is quite easy to check. Connect to your GW, get expert shell, then run nslookup commands with the FQDN mentioned in the SK. Tell us what you see.

PhoneBoy
Admin

As I said, there are two reasons this can occur: connectivity and load.
You've only looked at one portion of that: the connectivity.

What is the system load here?
Let's start with what the environment is, which includes the exact version/JHF of all components on what (virtual) hardware.
If you're using a VM or an Open Server, please specify the number of cores/RAM/disk allocated.

HeikoAnkenbrand
MVP Gold

Hi @CEEJAY,
You need to create a DNS entry in GAIA so that the RadD process in the user space can establish a connection to Check Point. Furthermore, the implied rules should allow this access. If that does not work, explicitly allow traffic from the RadD (the external IP address of the gateway) towards the internet.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
CEEJAY
Participant

Hello @HeikoAnkenbrand. I verified that the gateway can reach ThreatCloud, and I also have a policy that allows the traffic going to the internet.

Lesley
MVP Gold

First, check if you are able to reach the following website:

dig cloudinfra-gw.portal.checkpoint.com

traceroute cloudinfra-gw.portal.checkpoint.com

curl_cli -vk http://cloudinfra-gw.portal.checkpoint.com

If this is OK, proceed to check the rad_conf.C file. Check if autodebug is set to false. (The file is located here: $FWDIR/conf/rad_conf.C)

If not, change this from true to false with the steps below:

sed -i 's/:autodebug (true)/:autodebug (false)/' $FWDIR/conf/rad_conf.C

rad_admin stop ; sleep 5 ; rad_admin start

An error might pop up; make sure the command changed rad_conf.C.

The above can be done without impact.

If this does not help, also make a change in GuiDBedit (GuiDBedit SK: https://support.checkpoint.com/results/sk/sk13009 )

  • Path: Other > rad_services > malware_rad_service > cache_max_hash_size

  • Recommended value: 100k–300k (depending on environment load)

-------
Please press "Accept as Solution" if my post solved it 🙂
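A small helper, added here as an example and not taken from the thread or from Check Point, that does the rad_conf.C part of the procedure above in a checked way: it reads the current autodebug value, only rewrites the file when it is actually true, keeps a backup, and re-reads the file so a failed sed is not mistaken for success. It assumes the ":autodebug (true)" line format quoted in the post, works on a constructed sample file instead of the real $FWDIR/conf/rad_conf.C, and leaves the rad_admin restart to the operator.

```shell
#!/bin/sh
# Added example: inspect and correct the autodebug setting in a Check Point
# rad_conf.C style file. Assumes lines of the form ":autodebug (true)".

# Print the current autodebug value: "true", "false" or "unset".
rad_autodebug_state() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*:autodebug (\([a-z]*\)).*/\1/p' "$conf" | head -n 1)
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# Switch autodebug from true to false, keeping a timestamped backup.
# Returns 0 when the file was changed, 1 when it was already false/unset
# or the edit did not take effect (e.g. wrong path, read-only file).
disable_rad_autodebug() {
    conf="$1"
    if [ "$(rad_autodebug_state "$conf")" != "true" ]; then
        return 1
    fi
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -i 's/:autodebug (true)/:autodebug (false)/' "$conf"
    # Verify by re-reading rather than trusting sed's exit status.
    [ "$(rad_autodebug_state "$conf")" = "false" ]
}

# Constructed sample standing in for $FWDIR/conf/rad_conf.C.
SAMPLE_CONF="${TMPDIR:-/tmp}/rad_conf_sample.$$.C"
cat > "$SAMPLE_CONF" <<'EOF'
(
        :autodebug (true)
)
EOF

echo "before: $(rad_autodebug_state "$SAMPLE_CONF")"
if disable_rad_autodebug "$SAMPLE_CONF"; then
    echo "autodebug disabled; now restart RAD: rad_admin stop ; sleep 5 ; rad_admin start"
else
    echo "nothing changed"
fi
echo "after:  $(rad_autodebug_state "$SAMPLE_CONF")"
rm -f "$SAMPLE_CONF" "$SAMPLE_CONF".bak.*
```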
CEEJAY
Participant

Will try this one, but as I noticed, the error only prompts after installation of policy and then it goes away. It only prompts after installation of policy.

Lesley
MVP Gold

Policy push can cause high load on the firewall system.

-------
Please press "Accept as Solution" if my post solved it 🙂