Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Madmaks
Contributor
Jump to solution

Qos policy install problem

Hi,

 

I enabled QOS on cluster but when I try to install, I am facing the error message as following Is there any idea?

- Failed to install QoS Policy. QoS is not allowed when SecureXL is in User Mode.

0 Kudos
1 Solution

Accepted Solutions
Tal_Paz-Fridman
Employee
Employee

Upgrade to R82 (which should be out soon). QoS and SecureXL can run together in User Space (UPPAK)

View solution in original post

0 Kudos
14 Replies
Tal_Paz-Fridman
Employee
Employee

Are you using version R77.X?

https://support.checkpoint.com/results/sk/sk98229

 

0 Kudos
Madmaks
Contributor

We are using R81.20 and TAKE76 installed on it.   9100 series two devices working with cluster

0 Kudos
AkosBakos
Leader Leader
Leader

Hi @Madmaks 

How many Cores do you have in the Appliance?

KPPAK - Kernel Mode
UPPAK - User Mode

You run SecureXL in UPPAK mode:

https://support.checkpoint.com/results/sk/sk32578

UPPAK does not support the QoS Software Blade.

 

2024-09-20 20_54_05-SecureXL Mechanism.png

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin

The appliance you're running is likely in UPPAK mode: https://support.checkpoint.com/results/sk/sk153832#TOC05 
QoS Blade is not supported in UPPAK mode per: https://support.checkpoint.com/results/sk/sk32578 

0 Kudos
(1)
Madmaks
Contributor

Thaks for your ansqers.  

So what should I do in this situation? I replaced it from Fortigate and now I can't use QOS.

0 Kudos
Tal_Paz-Fridman
Employee
Employee

Upgrade to R82 (which should be out soon). QoS and SecureXL can run together in User Space (UPPAK)

0 Kudos
the_rock
Legend
Legend

Guys,

Are you 100% sure that is correct? I have my doubts and here is why...I am running sxl+user mode+qos in R81.20 lab, jumbo 84, single gw and cluster, no issues at all, polocy works 100% of the time.

Andy

0 Kudos
PhoneBoy
Admin
Admin

That's what the documentation I found says 🙂
However, there's a bug mentioned in Take 79 of the R81.20 JHF that suggests it might work:

PRJ-53481,
PMTR-101681

SecureXL

In some scenarios, when QoS blade is enabled and SecureXL works in User Mode (UPPAK), Security Gateway may crash with the "invalid data" error.

 

Between that and what @Tal_Paz-Fridman said about R82, @Madmaks, it appears if you upgrade to the recommended JHF (Take 84) on both management and gateway...it should work.
If it doesn't, I suggest engaging the TAC.

0 Kudos
the_rock
Legend
Legend

Hm, right...BUT, it does not say policy install would fail, says gateway might crash. Anyway, @Madmaks , if you do update to jumbo 84, which I would also suggest you do, if any problems after, message me directly, not an issue, happy to show you my lab where this works fine.

Best.

Andy

0 Kudos
Madmaks
Contributor

Thanks everyone for your reply. The_rock if I do, according the result I'll touch you, thanks dude.

the_rock
Legend
Legend

You got it buddy. Have a fantastic weekend!

Andy

 

 

 

0 Kudos
the_rock
Legend
Legend

Can you run this command and see?

# cpprod_util FwIsUsermode

Btw, I use user mode on R81.20 lab with qos, no issue.

Andy

0 Kudos
Madmaks
Contributor

Result of command is 1

0 Kudos
Jones
Collaborator
Collaborator

You can change the SecureXL Mode to Kernel Mode (KPPAK). Go to cpconfig, choose "Check Point SecureXL" to make the change:

 

Configuring Check Point SecureXL...

===================================

SecureXL is running in Kernel mode.

(1) Change SecureXL Mode

(2) Exit

Enter your choice (1-2) :

 

With the command "fwaccel stat" you can see the current SecureXL Mode.

With the command "fwmode -s" you can see the current Firewall Mode. You can change this in cpconfig at "Check Point CoreXL".

 

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events