RAD resolves cws.checkpoint.com on policy installation and holds the IP address for categorization.
If the first DNS reply that the RAD daemon receives when querying cws.checkpoint.com is "no such name A cws.checkpoint.com", it considers this a failure and ignores further DNS replies even if the latter were successful. As a result, future URL categorization attempts will fail because RAD does not have an IP address registered for cws.checkpoint.com.
Note: RAD will query all DNS servers in /etc/resolv.conf. This can include other DNS servers that were not configured in clish. Doing packet captures only for the DNS servers configured in clish or in the webUI may be misleading.