D_TK
Advisor

forklifting 5xxx appliances -> 9100 UPPAK observations

Over the past few weeks I have forklifted (4) 5xxx clusters to 9100. Spoiler alert - UPPAK has been disabled everywhere.

All 9100s have nothing special added to the order, just a LOM card, no interface bonding, no vlans.  All were installed with R81.20 with the latest recommended hotfix.

First cluster was a 5600 forklift. This one has the most active connections (typically between 35,000 - 50,000 during the day) but the bandwidth usage isn't anything exorbitant. No issues with connectivity after the upgrade, but I noticed that TX-DRP were increasing at an alarming rate - a few hundred thousand per day. On the 5600 cluster, netstat counters always remained pretty clean. I found this CheckMates thread, reverted to KPPAK and after a week, netstat counters are back to being clean - no other change but UPPAK -> KPPAK: https://community.checkpoint.com/t5/Security-Gateways/Packet-timeout-with-unknown-reason-in-Quantum-...
Second cluster was another 5600. This is by far our largest location from a bandwidth usage perspective. All of our sites are configured in a single VPN community and all locations are physical appliances except one CloudGuard instance in Azure. When this site was forklifted to a 9100, all tunnels came up except the one to Azure. Tried all the normal VPN troubleshooting steps, nothing, nada, tunnel to Azure remained down. I then found this PhoneBoy podcast with Tim Hall which mentioned there could be weird VPN behavior with UPPAK - reverted to KPPAK and the tunnel came up immediately and no issues since. For reference, here is the podcast I was referring to: https://community.checkpoint.com/t5/CheckMates-Go-Cyber-Security/S07E03-What-is-UPPAK/ba-p/245115
Last two sites are pretty vanilla - not much bandwidth usage, typical connections are around 8K. No issues noted since forklifting from 5400s. But considering the issues that I had with the first two sites, I changed both of these clusters to KPPAK after a few weeks.
Just wanted to provide my observations, not looking for any troubleshooting ideas as I won't be putting any of these sites back on UPPAK on R81.20. Will see what happens when we upgrade to either R82 or R82.10.
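As an added example (not from the poster or from Check Point), here is a small script that compares two `netstat -ni` samples taken a known number of seconds apart and flags interfaces whose TX-DRP counter is climbing, the symptom described above. The net-tools column layout and the sample outputs are assumptions constructed for the example.

```python
"""Flag interfaces whose TX-DRP counter keeps climbing between two
`netstat -ni` samples taken a known number of seconds apart.
Assumes the Linux net-tools column layout; the header is parsed, so the
optional 'Met' column of older net-tools is handled either way."""
from typing import Dict, List, Tuple


def parse_tx_drp(netstat_output: str) -> Dict[str, int]:
    """Return {interface: TX-DRP} from the text of `netstat -ni`."""
    lines = [ln for ln in netstat_output.splitlines() if ln.strip()]
    header = next(i for i, ln in enumerate(lines) if ln.split()[0] == "Iface")
    col = lines[header].split().index("TX-DRP")
    counters: Dict[str, int] = {}
    for ln in lines[header + 1:]:
        fields = ln.split()
        if len(fields) > col and fields[col].isdigit():
            counters[fields[0]] = int(fields[col])
    return counters


def growing_tx_drp(before: str, after: str, interval_s: int,
                   max_per_day: int = 1000) -> List[Tuple[str, int, int]]:
    """Return (iface, delta, projected drops per day) for every interface
    whose TX-DRP growth, scaled to 24 h, exceeds max_per_day.  A counter
    that went backwards (reset or reboot) is skipped, not reported."""
    first, second = parse_tx_drp(before), parse_tx_drp(after)
    flagged = []
    for iface, new in second.items():
        old = first.get(iface)
        if old is None or new < old:
            continue
        per_day = (new - old) * 86400 // interval_s
        if per_day > max_per_day:
            flagged.append((iface, new - old, per_day))
    return flagged


# Constructed samples one hour apart: eth1 drops 5,200 packets in that hour
# (~125k/day, the order the post describes); eth0 and lo are clean.
SAMPLE_BEFORE = """Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 8812345      0      0      0 7712345      0      0      0 BMRU
eth1   1500   0 9912345      0      0      0 9812345      0    100      0 BMRU
lo    65536   0    1234      0      0      0    1234      0      0      0 LRU"""
SAMPLE_AFTER = """Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 8912345      0      0      0 7812345      0      0      0 BMRU
eth1   1500   0 9992345      0      0      0 9912345      0   5300      0 BMRU
lo    65536   0    1244      0      0      0    1244      0      0      0 LRU"""
```

Calling `growing_tx_drp(SAMPLE_BEFORE, SAMPLE_AFTER, 3600)` on the constructed samples reports only eth1; feed it two real captures spaced a day apart to trend a cluster member the same way the post did by eye.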
4 Replies
the_rock
Legend

Thanks for that @D_TK. I know in R82, default mode is indeed user mode. Based on my lab testing, so far, seems okay.

Andy

Timothy_Hall
Legend

Glad to hear the podcast I did with @PhoneBoy helped you out with your Azure VPN issue. In regard to this:

Just wanted to provide my observations, not looking for any troubleshooting ideas as I won't be putting any of these sites back on UPPAK on R81.20. Will see what happens when we upgrade to either R82 or R82.10.

The plan at the moment is for UPPAK to be mandatory on all platforms in R82.10 (not just Lightspeed/Quantum Force) as announced here, however R82.10 is still in private EA. As far as I can tell the kernel-based SecureXL driver (sim) and its associated KPPAK infrastructure is not even present in the Private EA R82.10 code, at least that I can see.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
PhoneBoy
Admin

Sounds like R&D took the "burn the boats" approach. 🙂

PhoneBoy
Admin

Thanks for the feedback on the podcast. 🙂
