Appendix A - AIOps Alerts

The following table lists alerts generated by AIOps and describes what each alert indicates.

Alert Text

Summary/Description

High risk of kernel crashes when the 'ena' interface is in use.

Your machine is at high risk of kernel crashes due to an unsupported ethtool feature when using the ena interface.

Possibility of crash when bond interfaces are configured.

The Security Gateway <machine name> may crash with a vmcore dump file and get into a boot loop due to memory corruption when bond interfaces are configured.

Possibility of high memory utilization when using Site-to-Site VPN with Permanent Tunnels.

The Security Gateway <machine name> may experience high memory utilization when using Site-to-Site VPN with Permanent Tunnels.

Possibility of link failure on interfaces with an MTU greater than 1500.

The Security Gateway <machine name> may experience intermittent link failures on interfaces configured with an MTU greater than 1500.

License about to expire - License pool may no longer serve CloudGuard Gateways.

Licenses in the license pool will expire soon.

Automatic distribution of Central Licenses failed.

The vsec_lic_cli tool on the Management Server failed to distribute licenses to Cloud Firewall Gateways. Traffic through these Security Gateways is at risk.

License expired - License Pool may no longer serve Cloud Firewall Gateways.

Licenses in the license pool expired.

Failover between Cluster Members failed - Cloud API Errors suspected.

Cluster Members could not fail over. Traffic through this cluster is at risk.

Cloud API communication failed during the cluster failover process. When an Active cluster member becomes unavailable, the Standby cluster member must use the cloud provider APIs to reassign IP addresses and update routing tables.

The Cloud Management Extension (CME) service is unable to connect or scan the cloud account <account name>

The Cloud Management Extension (CME) service on your Management Server fails to connect to or scan a cloud account. This connection is critical for managing the Cloud Firewall Gateways.

Management API failure: Unable to connect or respond

Alert generated due to one of these reasons:

  • Management API failed to connect to the Management Server

  • There was no response from the Management Server

  • The Management Server command failed

The scale-in failed for the Security Gateway <gateway name>

The Cloud Management Extension (CME) automated provisioning failed to remove (scale-in) a Security Gateway.

The scale-out failed for the Security Gateway <gateway name>

The Cloud Management Extension (CME) automated provisioning failed to add (scale-out) a Security Gateway.

The Cloud Management Extension (CME) service stopped.

The Cloud Management Extension (CME) service on your Management Server stopped working. CME continuously monitors Cloud Firewall Gateways and synchronizes them with the Management Server. Your ability to manage and scale Security Gateways is at risk.

Provisioning failure: Unable to complete Virtual WAN setup

Automated provisioning of a Virtual WAN (vWAN) Gateway with the Cloud Management Extension (CME) failed.

CloudGuard Controller scanner failed.

The CloudGuard Controller scanner failed to connect to cloud accounts to retrieve cloud objects. Your ability to create dynamic policy and update existing objects is at risk.

CloudGuard Controller service stopped.

CloudGuard Controller service stopped. This affects dynamic cloud object management and policy enforcement, which can cause policy mismatch failures.

Bond interface does not receive traffic.

Alert triggered by the HCP test about bond interfaces health. Ensure correct bond interface configuration. If required, contact Check Point Support.

Outbound traffic is not balanced in a bond interface.

On the Check Point server <hostname>, in at least one bond interface, outbound (TX) traffic is not balanced between the subordinate interfaces.

Wrong affinity configuration of CoreXL Firewall Instances.

On the Security Gateway <hostname>, at least one CoreXL Firewall instance is configured to work on all CPU cores, which is not supported.

CoreXL is enabled on global context (VS0).

CoreXL is enabled on global context (VS0) on the VSX Gateway <hostname>

High CPU utilization by the CXLD daemon.

The cxld daemon consumes CPU at a high level on the Cluster Member <hostname>

Firewall debug is enabled.

Firewall debug is enabled on the Security Gateway <hostname>

SecureXL debug is enabled.

SecureXL debug is enabled on the Security Gateway <hostname>

CoreXL Dynamic Balancing is disabled.

CoreXL Dynamic Balancing is disabled on the Security Gateway <hostname>

The Outbound HTTPS Inspection Certificate

The Outbound HTTPS Inspection Certificate has expired on the Security Gateway <hostname>

Critical health issue in an SSD storage device.

There is a critical issue in SMART health of an SSD storage device on the Check Point server <hostname>

Internal Certificate Authority (ICA) Certificate has expired

The Internal Certificate Authority (ICA) Certificate has expired on the Management Server <hostname>

CoreXL utilization issue in the VSX mode.

There is an issue with the number of CoreXL Firewall instances, CoreXL SND instances, and CPU cores on the VSX Gateway <hostname>

The system daemon <process name> is down.

The critical system daemon <process name> is down in the global context <context> on the Security Gateway <hostname>

Fan unit failure

On the Security Gateway <machine name>, the hardware sensor indicates that the fan speed is below the required minimum.

Current reading: <Reading> <units>.

Valid range: <Minimum>-<Maximum> <units>

Power Supply 12V issue

The device hardware sensor indicates the 12V reading is out of normal bound. Reading: <Voltage> Volts.

Valid range: <Minimum voltage> - <Maximum voltage> Volts

Power Supply 5V issue

The hardware sensor indicates that the power supply VCC 5V output is not within the valid range on the Security Gateway <hostname>.

Current reading: <Voltage> Volts.

Valid range: <Minimum voltage> - <Maximum voltage> Volts

CPU temperature issue

The device hardware sensor indicates the CPU Temp reading is out of normal bound.

Reading: <Current temperature> Celsius.

Valid range: <Minimum temperature> - <Maximum temperature> Celsius

System Intake temperature issue

The device hardware sensor indicates the System Intake Temp reading is out of normal bound.

Reading: <Current temperature> Celsius.

Valid range: <Minimum temperature> - <Maximum temperature> Celsius

Power Supply 1.05V issue.

The device hardware sensor indicates the 1.05V reading is out of normal bound.

Reading: <Voltage> Volts.

Valid range: <Minimum voltage> - <Maximum voltage> Volts

System temperature issue.

The device hardware sensor indicates the system temperature reading is out of normal bound.

Reading: <Current temperature> Celsius.

Valid range: <Minimum temperature> - <Maximum temperature> Celsius

DIMM (RAM) Voltage issue.

On the Security Gateway <hostname>, the hardware sensor indicates that the DIMM Voltage is not within the valid range. Reading: <Current voltage> Volts.

Valid range: <Minimum voltage> - <Maximum voltage> Volts

RAID status is degraded.

The RAID status is degraded on the Check Point server <hostname>

Some physical interfaces are not configured with Full Duplex.

Some physical interfaces are not configured with Full Duplex on the Check Point server <hostname>.

Some 10/25/40/100 GbE interfaces are not running the recommended firmware version.

Alert triggered by a firmware version of some interfaces. Check Point recommends installing the latest firmware version on 10/25/40/100 GbE interfaces. See sk141812.

<sensor type> issue

The device hardware sensor indicates the <sensor type> reading is out of normal bound.

Reading: <Current voltage> Volts.

Valid range: <Minimum voltage> - <Maximum voltage> Volts

IPS update issue

There is an IPS update issue on the Security Gateway <hostname>.

The eMMC flash memory has exceeded 90% of its overall lifespan.

The eMMC flash memory device lifetime used has passed 90% of its overall lifespan. This is critical wear and requires immediate action. See the following details:

Product: <mac>. Value: 90.0% of device lifetime used.

Update Required for VPN/Remote Access Security Gateways Using DigiCert/GeoTrust CA by Sep 8, 2025

On September 8, 2025, DigiCert stopped supporting HTTP/1.0 for OCSP and CRL checks. Without upgrading the protocol support, DigiCert certificate validation may fail, which will affect Site-to-Site VPN and Remote Access VPN on Check Point Security Gateways / Quantum Spark Gateways / CloudGuard Network Gateways.

Security Gateway may drop HTTP/2 traffic because the FWK process may terminate.

When HTTPS Inspection is enabled, the Security Gateway <hostname> drops HTTP/2 traffic and generates a core dump file for the FWK daemon.

FWK crash on cvpn_expired_session kernel table on <hostname>

During the Multi-Version Cluster (MVC) upgrade, the FWK process may terminate on ClusterXL members with the Mobile Access Software Blade enabled.

Blade <blade name> is in <health template> state

Received a status update from the Management Server about this blade.

Example:

<blade name> is in a degraded state.

<asset name> has <template> with entitlement

Received a status update from the Management Server about this asset.

Message varies for each machine. Example:

<Asset> has non-critical issues with entitlement

<asset name> has <healthTemplate> <overall status>

Received a status update from the Management Server about this asset.

Message varies for each machine. Example:

<Asset> has critical issues (overall status)

Check Point License expired x days ago.

Alert triggered by an expired Check Point license.

Example:

On the Check Point server <host name>, the license expired x days ago: <license name>.

The VPN Certificate is about to expire in x days.

Alert triggered by the VPN Certificate expiration.

Example:

On the Security Gateway <gateway name>, the VPN Certificate is about to expire in x days.