Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Madmaks
Contributor
Jump to solution

Qos policy install problem

Hi,

 

I enabled QOS on cluster but when I try to install, I am facing the error message as following Is there any idea?

- Failed to install QoS Policy. QoS is not allowed when SecureXL is in User Mode.

0 Kudos
1 Solution

Accepted Solutions
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP

Upgrade to R82 (which should be out soon). QoS and SecureXL can run together in User Space (UPPAK)

View solution in original post

0 Kudos
14 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP

Are you using version R77.X?

https://support.checkpoint.com/results/sk/sk98229

 

0 Kudos
Madmaks
Contributor

We are using R81.20 and TAKE76 installed on it.   9100 series two devices working with cluster

0 Kudos
AkosBakos
MVP Silver
MVP Silver

Hi @Madmaks 

How many Cores do you have in the Appliance?

KPPAK - Kernel Mode
UPPAK - User Mode

You run SecureXL in UPPAK mode:

https://support.checkpoint.com/results/sk/sk32578

UPPAK does not support the QoS Software Blade.

 

2024-09-20 20_54_05-SecureXL Mechanism.png

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin

The appliance you're running is likely in UPPAK mode: https://support.checkpoint.com/results/sk/sk153832#TOC05 
QoS Blade is not supported in UPPAK mode per: https://support.checkpoint.com/results/sk/sk32578 

0 Kudos
(1)
Madmaks
Contributor

Thaks for your ansqers.  

So what should I do in this situation? I replaced it from Fortigate and now I can't use QOS.

0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP

Upgrade to R82 (which should be out soon). QoS and SecureXL can run together in User Space (UPPAK)

0 Kudos
the_rock
MVP Gold
MVP Gold

Guys,

Are you 100% sure that is correct? I have my doubts and here is why...I am running sxl+user mode+qos in R81.20 lab, jumbo 84, single gw and cluster, no issues at all, polocy works 100% of the time.

Andy

0 Kudos
PhoneBoy
Admin
Admin

That's what the documentation I found says 🙂
However, there's a bug mentioned in Take 79 of the R81.20 JHF that suggests it might work:

PRJ-53481,
PMTR-101681

SecureXL

In some scenarios, when QoS blade is enabled and SecureXL works in User Mode (UPPAK), Security Gateway may crash with the "invalid data" error.

 

Between that and what @Tal_Paz-Fridman said about R82, @Madmaks, it appears if you upgrade to the recommended JHF (Take 84) on both management and gateway...it should work.
If it doesn't, I suggest engaging the TAC.

0 Kudos
the_rock
MVP Gold
MVP Gold

Hm, right...BUT, it does not say policy install would fail, says gateway might crash. Anyway, @Madmaks , if you do update to jumbo 84, which I would also suggest you do, if any problems after, message me directly, not an issue, happy to show you my lab where this works fine.

Best.

Andy

0 Kudos
Madmaks
Contributor

Thanks everyone for your reply. The_rock if I do, according the result I'll touch you, thanks dude.

the_rock
MVP Gold
MVP Gold

You got it buddy. Have a fantastic weekend!

Andy

 

 

 

0 Kudos
the_rock
MVP Gold
MVP Gold

Can you run this command and see?

# cpprod_util FwIsUsermode

Btw, I use user mode on R81.20 lab with qos, no issue.

Andy

0 Kudos
Madmaks
Contributor

Result of command is 1

0 Kudos
Jones
Collaborator
Collaborator

You can change the SecureXL Mode to Kernel Mode (KPPAK). Go to cpconfig, choose "Check Point SecureXL" to make the change:

 

Configuring Check Point SecureXL...

===================================

SecureXL is running in Kernel mode.

(1) Change SecureXL Mode

(2) Exit

Enter your choice (1-2) :

 

With the command "fwaccel stat" you can see the current SecureXL Mode.

With the command "fwmode -s" you can see the current Firewall Mode. You can change this in cpconfig at "Check Point CoreXL".

 

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events