Solved: Re: Qos policy install problem

Madmaks · ‎2024-09-20

Hi,

I enabled QOS on cluster but when I try to install, I am facing the error message as following Is there any idea?

- Failed to install QoS Policy. QoS is not allowed when SecureXL is in User Mode.

Tal_Paz-Fridman · ‎2024-09-20

Upgrade to R82 (which should be out soon). QoS and SecureXL can run together in User Space (UPPAK)

View solution in original post

Tal_Paz-Fridman · ‎2024-09-20

Are you using version R77.X?

https://support.checkpoint.com/results/sk/sk98229

Madmaks · ‎2024-09-20

We are using R81.20 and TAKE76 installed on it. 9100 series two devices working with cluster

AkosBakos · ‎2024-09-20

Hi @Madmaks

How many Cores do you have in the Appliance?

KPPAK - Kernel Mode
UPPAK - User Mode

You run SecureXL in UPPAK mode:

https://support.checkpoint.com/results/sk/sk32578

UPPAK does not support the QoS Software Blade.

2024-09-20 20_54_05-SecureXL Mechanism.png

----------------
\m/_(>_<)_\m/

PhoneBoy · ‎2024-09-20

The appliance you're running is likely in UPPAK mode: https://support.checkpoint.com/results/sk/sk153832#TOC05
QoS Blade is not supported in UPPAK mode per: https://support.checkpoint.com/results/sk/sk32578

Madmaks · ‎2024-09-20

Thaks for your ansqers.

So what should I do in this situation? I replaced it from Fortigate and now I can't use QOS.

Tal_Paz-Fridman · ‎2024-09-20

Upgrade to R82 (which should be out soon). QoS and SecureXL can run together in User Space (UPPAK)

the_rock · ‎2024-09-20

Guys,

Are you 100% sure that is correct? I have my doubts and here is why...I am running sxl+user mode+qos in R81.20 lab, jumbo 84, single gw and cluster, no issues at all, polocy works 100% of the time.

Andy

PhoneBoy · ‎2024-09-20

That's what the documentation I found says 🙂
However, there's a bug mentioned in Take 79 of the R81.20 JHF that suggests it might work:

PRJ-53481,
PMTR-101681

SecureXL

In some scenarios, when QoS blade is enabled and SecureXL works in User Mode (UPPAK), Security Gateway may crash with the "invalid data" error.

Between that and what @Tal_Paz-Fridman said about R82, @Madmaks, it appears if you upgrade to the recommended JHF (Take 84) on both management and gateway...it should work.
If it doesn't, I suggest engaging the TAC.

the_rock · ‎2024-09-20

Hm, right...BUT, it does not say policy install would fail, says gateway might crash. Anyway, @Madmaks , if you do update to jumbo 84, which I would also suggest you do, if any problems after, message me directly, not an issue, happy to show you my lab where this works fine.

Best.

Andy

Madmaks · ‎2024-09-20

Thanks everyone for your reply. The_rock if I do, according the result I'll touch you, thanks dude.

the_rock · ‎2024-09-20

You got it buddy. Have a fantastic weekend!

Andy

the_rock · ‎2024-09-20

Can you run this command and see?

# cpprod_util FwIsUsermode

Btw, I use user mode on R81.20 lab with qos, no issue.

Andy

Madmaks · ‎2024-09-20

Result of command is 1

Jones · ‎2024-09-23

You can change the SecureXL Mode to Kernel Mode (KPPAK). Go to cpconfig, choose "Check Point SecureXL" to make the change:

Configuring Check Point SecureXL...

===================================

SecureXL is running in Kernel mode.

(1) Change SecureXL Mode

(2) Exit

Enter your choice (1-2) :

With the command "fwaccel stat" you can see the current SecureXL Mode.

With the command "fwmode -s" you can see the current Firewall Mode. You can change this in cpconfig at "Check Point CoreXL".

Are you a member of CheckMates?

Qos policy install problem