Hi,  I'll open a case and see what the result is. I have to increase "log rotation" so that the disk does not get filled in the meantime.

Hi Mikael, what was the result of the support case? 

Regards, Viktor

Support wanted more information than I was allowed to send. It works as it should. So I just rotate the syslog file every hour.

Hi Mikael, what was the result of the support case?

Regards, Viktor

Hi Viktor,

This is the related SK article:

https://support.checkpoint.com/results/sk/sk181544

Hello, 

yes we have also found this ... 
also i found this SK 181544.

it suggests to "disable the CPU Level Detection"

To disable the high volume of logs in /var/log/messages, disable CPU level detection:
[Expert@FW]# tecli ad at set enable_cpu_level_detection 0

but hey, isnt the CPU Level Detection the reason why customers still use a Sandblast appliance?
what will "tecli ad at set enable_cpu_level_detection 0" do? 
will it disable useful features?

what results did you  get from your TAC cases?

Thanks for the information
The TAC wanted information that I was not allowed to give out.
So I rotated the messages file on an hourly basis.
(and also send the log to a syslog server)

Hello, 

we stumbled over it because we analyzed delayed emails ... so i found this messages ... 

i have also opened a TAC case ... 
well i will not accept an answer like this. customers are buying this stuff to secure their environment and have a high degree of  trust in Check Point.
not answering easy questions like this here does nothing to maintain trust! its the opposite.

+ difference between R81.20 and R81.10? why does it pop up in R81.20?
+ what is this message all about?
+ why does CPU Level Detection triggers it?
+ high CPU is triggered, by writting those amount of logs or something else?
+ when i turn CPU Level Detection off, can i still detect malware to the same degree?
+ if the SK says we must turn it off, why is it enbaled in first place?
+ Check Point should update their SK about what is the background here, so that people get informed and so on ...

Hello 

i´v asked our local CP office to double check the statements of TAC.
they say, CPU Level Detection is not that relevant any longer as it was in the past.
CPU Level Detection was/is most beneficial to detect malware with ROP - attacks methods ... 
https://en.wikipedia.org/wiki/Return-oriented_programming

iam asking myself, what is Check Point using in their Cloud to do Threat Emulation? 
do thy use their own Sandblast appliances as well? 
do they run into the same issue as our customer? 
do they turn off CPU Level Detection on their appliance as well?

so iam still not sure what do to.

It should not impact the security level to disable CPU Level Detection.

Today we had a great session with TAC regarding a different thing on a Sandblast appliance ...
During waiting time we always discuss some things and we came to SK  https://support.checkpoint.com/results/sk/sk181544

we checked the state of the CPU level detection, and its turned off!!!

how dare you?

also no more error messages in /var/log/messages.

can it be that CP turned off this feature in one of its HFA`s`?
if yes ... would be nice if it is written somewhere ...

Can somebody from the audience check this as well, we run R81.20 HFA89.
With HFA53 it was still turned on, not its off. Not turned off by us!