israelfds95
MVP Gold

UPPAK Becoming Mandatory on R82.10? Important Findings About KPPAK Support, Boot Loops on 19000

We know Check Point already introduced the change making UPPAK the default, while still allowing the option to switch back to KPPAK. We saw very strongly during R81.20 and early R82 versions that several firewalls running UPPAK presented many anomalous issues with no clear solution, and only became stable again after switching back to KPPAK.

However, this week, while trying to configure a 19100 firewall running R82 JH 91 with KPPAK, I faced the error below, and the firewall entered a boot loop freeze, even though sk179432 still describes support for it.

Below is the error encountered during boot when changing a 19100 firewall from UPPAK to KPPAK:

israelfds95_0-1778856602820.png

 

I switched back to UPPAK and the firewall is operating normally again, so I got important information that I think is worth sharing.

The sk167052 – “User Space Firewall (USFW) support on Security Gateways” documents that:

  • KPPAK will no longer work starting from R82.10

    israelfds95_0-1778857047518.png

  • Firewalls with more than 40 CPUs, with or without HyperThreading enabled, may experience boot crashes

Below is the response from Check Point:

israelfds95_1-1778856602852.png

 

It is important to prepare for this scenario. Those who previously had major issues with UPPAK freezing firewalls, buffer overflows, and environments stuck in a “no solution” situation where the only workaround was switching to KPPAK — whether on older firmware/firewall generations or even newer platforms — should be aware and prepare for this major definitive change that is coming. On high-end platforms like the 19000 and 29000 series, it seems we will fully move forward with UPPAK only.

I also want to raise a complaint regarding the lack of synchronization and updates across SK documentation. One SK (sk179432) still states that 19000 and 29000 appliances support KPPAK, while another SK (sk167052) already mentions the boot crash issue on firewalls with more than 40 CPUs.

It is extremely important for documentation to be unified and kept updated in order to provide accurate information for all of us in the community who work daily with the solution. When issues happen, we rely on the vendor documentation as our technical reference. If the documentation is incorrect or outdated, we are left completely unprotected from a technical standpoint.

The same applies to certification materials as well. I have already completed almost all certifications, and I have found some very serious documentation errors there too.

User Space Firewall (USFW) support on Security Gateways

https://support.checkpoint.com/results/sk/sk167052

Software Releases for LightSpeed QLS / MLS and Check Point Firewall 9000, 19000, 29000 Appliances

https://support.checkpoint.com/results/sk/sk179432

ATRG: SecureXL

https://support.checkpoint.com/results/sk/sk153832

4 Replies
Chris_Atkinson
MVP Platinum CHKP

Note: USFW and UPPAK are not the same thing, and neither are KSFW and KPPAK.

Please be careful not to use them interchangeably, as it creates confusion.

CCSM R77/R80/ELITE
israelfds95
MVP Gold

Thank you for your feedback and for highlighting the importance of precise terminology.

I am aware of the technical differences between UPPAK/KPPAK and USFW/KSFW, and I agree that they should not be used interchangeably. In my post, I referenced sk167052 because it was the same SK that the Check Point engineer used to address the issue I encountered when switching from UPPAK to KPPAK on the 19100 appliance.

Chris_Atkinson
MVP Platinum CHKP

In that case there is detail missing somewhere as changing SXL modes doesn't alter the other (CoreXL) to my knowledge.

See the table at the bottom of sk167052.

CCSM R77/R80/ELITE
0 Kudos
WiliRGasparetto
MVP Diamond

Excellent analysis. This is a point many people overlook: installed capacity does not necessarily mean effectively usable capacity, depending on the architecture chosen. In the case of the 19100, choosing KSFW means not only underutilizing approximately 37% of the available CPU resources, but also introducing a documented operational risk. A great reflection on performance, capacity planning, and system stability.
