Appendix A - AIOps Alerts
The following table lists alerts generated by AIOps and describes what each alert indicates.
| Alert Text | Summary/Description |
|---|---|
| High risk of kernel crashes when the 'ena' interface is in use. | Your machine is at high risk of kernel crashes due to an unsupported ethtool feature when using the |
| Possibility of crash when bond interfaces are configured. | The Security Gateway "{{m_machine_name}}" may crash with a |
| Possibility of high memory utilization when using Site-to-Site VPN with Permanent Tunnels. | The Security Gateway "{{m_machine_name}}" may experience high memory utilization when using Site-to-Site VPN with Permanent Tunnels. |
| Possibility of link failure on interfaces with an MTU greater than 1500. | The Security Gateway "{{m_machine_name}}" may experience intermittent link failures on interfaces configured with an MTU greater than 1500. |
| License about to expire - License pool may no longer serve CloudGuard Gateways. | The licenses in the license pool will expire soon. |
| Automatic distribution of Central Licenses failed. | The "vsec_lic_cli" tool on the Management Server failed to distribute licenses to Cloud Firewall Gateways. Traffic through these Security Gateways is at risk. |
| License expired - License Pool may no longer serve Cloud Firewall Gateways. | Licenses in the license pool expired. |
| Failover between Cluster Members failed - Cloud API Errors suspected. | Cluster Members could not fail over. Traffic through this cluster is at risk. Cloud API communication failed during the cluster failover process. When an Active cluster member becomes unavailable, the Standby cluster member must use the cloud provider APIs to reassign IP addresses and update routing tables. |
| The Cloud Management Extension (CME) service is unable to connect or scan the cloud account | The Cloud Management Extension (CME) service on your Management Server fails to connect to or scan a cloud account. This connection is critical for managing the Cloud Firewall Gateways. |
| Management API failure: Unable to connect or respond | Management API failed to connect to the Management Server, there was no response from the Management Server, or the Management Server command failed. |
| The scale-in failed for the Security Gateway "{{gateway_name}}" | The Cloud Management Extension (CME) automated provisioning failed to remove (scale-in) a Security Gateway. |
| The scale-out failed for the Security Gateway "{{gateway_name}}" | The Cloud Management Extension (CME) automated provisioning failed to add (scale-out) a Security Gateway. |
| The Cloud Management Extension (CME) service stopped. | The Cloud Management Extension (CME) service on your Management Server stopped working. CME continuously monitors Cloud Firewall Gateways and synchronizes them with the Management Server. Your ability to manage and scale Security Gateways is at risk. |
| Provisioning failure: Unable to complete Virtual WAN setup | Automated provisioning of a Virtual WAN (vWAN) Gateway with the Cloud Management Extension (CME) failed. |
| CloudGuard Controller scanner failed. | The CloudGuard Controller scanner failed to connect to cloud accounts to retrieve cloud objects. Your ability to create dynamic policy and update existing objects is at risk. |
| CloudGuard Controller service stopped. | CloudGuard Controller service stopped. This affects dynamic cloud objects management and policy enforcement which can cause policy mismatch failures. |
| Bond interface does not receive traffic. | <none> |
| Outbound traffic is not balanced in a bond interface. | On the Check Point server "{{[host.name]}}", at least in one bond interface, outbound (TX) traffic is not balanced in between the subordinate interfaces. |
| Wrong affinity configuration of CoreXL Firewall Instances. | On the Security Gateway "{{[host.name]}}", at least one CoreXL Firewall instance is configured to work on all CPU cores, which is not supported. |
| CoreXL is enabled on global context(VS0). | On the VSX Gateway "{{[host.name]}}", CoreXL is enabled on global context(VS0). |
| High CPU utilization by the CXLD daemon. | On the Cluster Member "{{[host.name]}}", the 'cxld' daemon consumes CPU at a high level. |
| Firewall debug is enabled. | On the Security Gateway "{{[host.name]}}", the Firewall debug is enabled. |
| SecureXL debug is enabled. | On the Security Gateway "{{[host.name]}}", the SecureXL debug is enabled. |
| CoreXL Dynamic Balancing is disabled. | On the Security Gateway "{{[host.name]}}", CoreXL Dynamic Balancing is disabled. |
| The Outbound HTTPS Inspection Certificate {{template}} | On the Security Gateway "{{[host.name]}}", the Outbound HTTPS Inspection Certificate {{template}} |
| Critical health issue in an SSD storage device. | On the Check Point server "{{[host.name]}}", there is a critical issue in SMART health of an SSD storage device. |
| Internal Certificate Authority (ICA) Certificate {{template}} | On the Management Server "{{[host.name]}}", the Internal Certificate Authority (ICA) Certificate {{template}} |
| CoreXL utilization issue in the VSX mode. | On the VSX Gateway "{{[host.name]}}", there is an issue with the number of CoreXL Firewall instances, CoreXL SND instances, and CPU cores. |
| The system daemon '{{process_name}}' is down. | On the Security Gateway "{{[host.name]}}", the critical system daemon '{{process_name}}' is down in the global context '{{context}}'. |
| Fan unit failure. | On the Security Gateway "{{m_machine_name}}", the hardware sensor indicates that the fan speed is below the required minimum. Current reading: {{reading}} {{units}}. Valid range: {{min}}-{{max}} {{units}}. |
| Power Supply 12V issue. | The device hardware sensor indicates the 12V reading is out of normal bound. Reading: "{{[voltage.current]}}" Volt. Valid range "{{[voltage.min]}}" - "{{[voltage.max]}}" Volts |
| Power Supply 5V issue. | On the Security Gateway "{{[host.name]}}", the hardware sensor indicates that the Power Supply VCC 5V output is not within the valid range. Current reading: "{{[voltage.current]}}" Volt. Valid range: "{{[voltage.min]}}" - "{{[voltage.max]}}" Volts |
| CPU temperature issue. | The device hardware sensor indicates the CPU Temp reading is out of normal bound. Reading: "{{[temperature.current]}}" Celsius. Valid range "{{[temperature.min]}}" - "{{[temperature.max]}}" Celsius |
| System Intake temperature issue. | The device hardware sensor indicates the System Intake Temp reading is out of normal bound. Reading: "{{[temperature.current]}}" Celsius. Valid range "{{[temperature.min]}}" - "{{[temperature.max]}}" Celsius |
| Power Supply 1.05V issue. | The device hardware sensor indicates the 1.05V reading is out of normal bound. Reading: "{{[voltage.current]}}" Volt. Valid range "{{[voltage.min]}}" - "{{[voltage.max]}}" Volts |
| System temperature issue. | The device hardware sensor indicates the System Temp reading is out of normal bound. Reading: "{{[temperature.current]}}" Celsius. Valid range "{{[temperature.min]}}" - "{{[temperature.max]}}" Celsius |
| DIMM (RAM) Voltage issue. | On the Security Gateway "{{[host.name]}}", the hardware sensor indicates that the DIMM Voltage is not within the valid range. Current reading: "{{[voltage.current]}}" Volt. Valid range: "{{[voltage.min]}}" - "{{[voltage.max]}}" Volt |
| RAID status is degraded. | On the Check Point server "{{[host.name]}}", the RAID status is degraded. |
| Some physical interfaces are not configured with Full Duplex. | On the Check Point server "{{[host.name]}}", some physical interfaces are not configured with Full Duplex. |
| Some 10/25/40/100 GbE interfaces are not running the recommended firmware version. | Current firmware version: "{{[firmware.current_version]}}" |
| {{sensor_type}} issue. | The device hardware sensor indicates the "{{[sensor_type]}}" reading is out of normal bound. Reading: "{{[voltage.current]}}" Volt. Valid range: "{{[voltage.min]}}" - "{{[voltage.max]}}" Volt |
| IPS update issue. | On the Security Gateway "{{[host.name]}}", there is an IPS update issue. |
| The eMMC flash memory has exceeded 90% of its overall lifespan. | The eMMC flash memory device lifetime used has passed 90% of its overall lifespan. This is critical wear and requires immediate action. See following details: Product: "{{[mac]}}". Value: 90.0% of device lifetime used |
| Update Required for VPN/Remote Access Security Gateways Using DigiCert/GeoTrust CA by Sep 8, 2025 | On September 8, 2025, DigiCert stopped supporting HTTP/1.0 for OCSP and CRL checks. Without upgrading the protocol support, DigiCert certificate validation may fail, and will affect Site-to-Site VPN and Remote Access VPN on Check Point Security Gateways / Quantum Spark Gateways / CloudGuard Network Gateways |
| Security Gateway may drop HTTP/2 traffic because the FWK process may terminate. | When HTTPS Inspection is enabled, the Security Gateway "{{hostname}}" drops HTTP/2 traffic and generates a core dump file for the FWK daemon. |
| FWK crash on cvpn_expired_session kernel table on "{{hostname}}" | During the Multi-Version Cluster (MVC) upgrade, the FWK process may terminate on ClusterXL members with the Mobile Access Software Blade enabled |
| Blade '{{[blade.name]}}' is in {{healthTemplate}} state | '{{[blade.name]}}' is in a degraded state |
| '{{[asset.name]}}' has {{template}} with entitlement | {{{message}}} (Message varies based on the data received from the machine) |
| '{{[asset.name]}}' has {{healthTemplate}} (overall status) | {{{message}}} |
| Policy installation on '{{[asset.name]}}' {{healthTemplate}} | Policy installation on '{{[asset.name]}}' {{healthTemplate}}:{{{description}}} |
| Check Point License {{template}}. | On the Check Point server "{{[host.name]}}", the license {{template}}: '{{ck}}'. |
| The VPN Certificate {{template}} | On the Security Gateway "{{gw_name}}", the VPN Certificate {{template}} |