Solved: Re: Qos policy install problem

Madmaks

Hi,

I enabled QOS on cluster but when I try to install, I am facing the error message as following Is there any idea?

- Failed to install QoS Policy. QoS is not allowed when SecureXL is in User Mode.

Tal_Paz-Fridman

Upgrade to R82 (which should be out soon). QoS and SecureXL can run together in User Space (UPPAK)

View solution in original post

Tal_Paz-Fridman

Are you using version R77.X?

https://support.checkpoint.com/results/sk/sk98229

Madmaks

We are using R81.20 and TAKE76 installed on it. 9100 series two devices working with cluster

AkosBakos

Hi @Madmaks

How many Cores do you have in the Appliance?

KPPAK - Kernel Mode
UPPAK - User Mode

You run SecureXL in UPPAK mode:

https://support.checkpoint.com/results/sk/sk32578

UPPAK does not support the QoS Software Blade.

----------------
\m/_(>_<)_\m/

PhoneBoy

The appliance you're running is likely in UPPAK mode: https://support.checkpoint.com/results/sk/sk153832#TOC05
QoS Blade is not supported in UPPAK mode per: https://support.checkpoint.com/results/sk/sk32578

Madmaks

Thaks for your ansqers.

So what should I do in this situation? I replaced it from Fortigate and now I can't use QOS.

Tal_Paz-Fridman

Upgrade to R82 (which should be out soon). QoS and SecureXL can run together in User Space (UPPAK)

the_rock

Guys,

Are you 100% sure that is correct? I have my doubts and here is why...I am running sxl+user mode+qos in R81.20 lab, jumbo 84, single gw and cluster, no issues at all, polocy works 100% of the time.

Andy

PhoneBoy

That's what the documentation I found says 🙂
However, there's a bug mentioned in Take 79 of the R81.20 JHF that suggests it might work:

PRJ-53481,
PMTR-101681

SecureXL

In some scenarios, when QoS blade is enabled and SecureXL works in User Mode (UPPAK), Security Gateway may crash with the "invalid data" error.

Between that and what @Tal_Paz-Fridman said about R82, @Madmaks, it appears if you upgrade to the recommended JHF (Take 84) on both management and gateway...it should work.
If it doesn't, I suggest engaging the TAC.

the_rock

Hm, right...BUT, it does not say policy install would fail, says gateway might crash. Anyway, @Madmaks , if you do update to jumbo 84, which I would also suggest you do, if any problems after, message me directly, not an issue, happy to show you my lab where this works fine.

Best.

Andy

Madmaks

Thanks everyone for your reply. The_rock if I do, according the result I'll touch you, thanks dude.

the_rock

You got it buddy. Have a fantastic weekend!

Andy

the_rock

Can you run this command and see?

# cpprod_util FwIsUsermode

Btw, I use user mode on R81.20 lab with qos, no issue.

Andy

Madmaks

Result of command is 1

Jones

You can change the SecureXL Mode to Kernel Mode (KPPAK). Go to cpconfig, choose "Check Point SecureXL" to make the change:

Configuring Check Point SecureXL...

===================================

SecureXL is running in Kernel mode.

(1) Change SecureXL Mode

(2) Exit

Enter your choice (1-2) :

With the command "fwaccel stat" you can see the current SecureXL Mode.

With the command "fwmode -s" you can see the current Firewall Mode. You can change this in cpconfig at "Check Point CoreXL".

Are you a member of CheckMates?

Qos policy install problem