EA Feature: QoS in SD-WAN
This section describes an SD-WAN feature in the Early Availability stage.
Important:
Introduction to QoS in SD-WAN
SD-WAN Policy can apply QoS settings to ensure traffic priority for the relevant applications.
The SD-WAN Security Gateway performs the required QoS calculations based on the available bandwidth of the applicable interface:
- Traffic arrives at the Security Gateway.
  If the Access Control policy allows this traffic, continue.
- If the SD-WAN Policy matches the traffic to a rule with a specific Steering Behavior, continue.
  Otherwise, the Security Gateway forwards the traffic based on the operating system's routing table.
- The SD-WAN Policy examines the Steering Behavior object to determine the relevant WAN Link.
- The SD-WAN Policy examines the QoS override settings in the Steering Behavior object.
- The SD-WAN Policy examines WAN Link Mapping for the QoS settings in the relevant interface.
- The Security Gateway examines the bandwidth settings of the specific interface in the Gaia OS.
- The Security Gateway performs the required QoS calculations and processes the traffic accordingly.
Configuring QoS in SD-WAN
Note - The SD-WAN service automatically creates the default QoS object called Default QoS with the Priority (Weight) value Medium in these cases:
Workflow
- Configure the required QoS objects (Weight, Limit, Guarantee, DSCP tagging).
  A QoS object is applied to an interface (ISP) per traffic direction (Upload or Download) in one of these configuration places:
  - WAN Link Mapping - the QoS settings of the relevant WAN Link.
  - The SD-WAN Policy rule that contains a Steering Behavior object with possible override settings on its QoS tab.
- In the WAN Link Mapping, configure which QoS object to use, if not explicitly configured in the Steering Behavior objects.
  You can select the Default QoS object, if nothing else is available or wanted.
- Optional: In the applicable Steering Behavior objects, configure the required QoS settings to override the QoS settings you configured in WAN Link Mapping.

Configure the required QoS objects (Weight, Limit, Guarantee, DSCP tagging):
- Log in to Check Point Infinity Portal.
- Click the top left > in the section Quantum, click SD-WAN.
- From the left navigation panel, click Network.
- In the middle section, click SD-WAN Policy.
- From the top toolbar, click Manage Objects.
- From the top toolbar, click (New) > click QoS.
- In the Name field, enter a descriptive name that represents this QoS object.
- Optional: In the Comment field, enter applicable text that describes this QoS object.
  This comment is very useful when you select this object later in the SD-WAN Policy.
- In the Thresholds section:
  - Select the required Priority (Weight) - Low, Medium, High, or Critical.
    This QoS priority determines the traffic precedence relative to the priorities configured in other QoS objects that are used in the SD-WAN Policy.
    The SD-WAN Security Gateway performs the required calculation to determine the weight relation between different rules.
    These calculations are based on the total number of QoS objects, the number of active QoS objects (with active connections), and their QoS priority.
    These calculations include two steps:
    - Relative Weight - calculated during each installation of the SD-WAN Policy:
      Relative Weight = (Value of the QoS priority) / (Total number of QoS objects in the SD-WAN Policy)
      The Default QoS object is always used in WAN Link Mapping, and is therefore always counted in the total.
      Each QoS priority has a predefined internal weight value used for this calculation:
      - Critical priority - 800
      - High priority - 400
      - Medium priority - 200
      - Low priority - 100
    - On-the-fly calculation - when the SD-WAN Policy matches traffic to a rule:
      Bandwidth for each active QoS object = (Total available interface bandwidth) x [(Relative Weight of each active QoS object) / (Total relative weights of active QoS objects)]
      The final calculated QoS settings are applied later, such that specific traffic is Prioritized, Limited, or Guaranteed, making the best use of the link's bandwidth.
  - Optional: Configure the Limit - either as a % of the total bandwidth, or in Mbps.
    This value determines the maximum share of the total bandwidth that may be used for traffic that matches a rule with this QoS object.
    Important:
    - In a QoS object, the "limit" value cannot be greater than the total bandwidth available on the interface. Otherwise, policy installation fails.
    - If traffic reaches the configured priority (weight) or limit, then the final QoS decision is based on the lower of these two values.
  - Optional: Configure the Guarantee - either as a % of the total bandwidth, or in Mbps.
    This value determines the guaranteed bandwidth for traffic that matches a rule with this QoS object.
    Important:
    - In a QoS object, the "guarantee" value cannot be greater than the "limit" value. Otherwise, policy installation fails.
    - In all configured QoS objects, the sum of all "guarantee" values cannot be greater than 90% of the total bandwidth available on the interface. Otherwise, policy installation fails.
    - If traffic reaches the configured "priority" ("weight") value or the "guarantee" value, then the final QoS decision is always based on the "guarantee" value.
- Optional: In the DSCP Tagging section:
  This setting adds DSCP tags that signal to other devices across the network to prioritize specific traffic, so that critical traffic is handled with higher importance.
  - Select Enable DSCP tagging.
  - In the field Packets will be tagged as, select the applicable DSCP behavior.
- Click OK.
  The QoS object now appears in Manage Objects > Custom QoS.
- Close the Manage Objects panel.

In the WAN Link Mapping, configure which QoS object to use, if not explicitly configured in the Steering Behavior objects.
See WAN Link Mapping.

Optional: In the applicable Steering Behavior objects, configure the required QoS settings to override the QoS settings you configured in WAN Link Mapping.
- Click the QoS tab.
- In the section QoS Configuration, select Override according to.
- Select the required QoS object.
- Optional: In the section QoS on Upload and Download traffic:
  This setting applies the QoS configuration to the WAN candidates that you selected on the Steering Candidates tab in this Steering Behavior object.
  - Select Override and choose specific Traffic Directions per WAN Link.
  - For at least one WAN Link, you must select Use for Upload or Use for Download.
  - Note - All other upload / download interfaces use the default QoS settings configured in WAN Link Mapping.

- Create a new rule, or edit an existing rule (see Configuring SD-WAN Policy).
- From the top toolbar, click Publish to save the changes.
- From the top toolbar, click Enforce to apply the changes.
  The orange frame on this button means there are changes that are not enforced.
  In the popup window that opens, click Publish & Enforce Policy.
Example QoS Calculation

One interface on a Security Gateway for "ISP1" with a total bandwidth of 500 Mbps.
Five QoS objects (four QoS objects are active - excluding the QoS object with the Priority "High"):
- The Default QoS object with: Priority = Medium (internal weight value 200), no Limit, no Guarantee
- A custom QoS object #1 with: Priority = Critical (internal weight value 800), Limit = 400 Mbps, Guarantee = 200 Mbps
- A custom QoS object #2 with: Priority = Critical (internal weight value 800), Limit = 400 Mbps, Guarantee = 200 Mbps
- A custom QoS object #3 with: Priority = High (internal weight value 400), no Limit, no Guarantee (in our example, this object is not active)
- A custom QoS object #4 with: Priority = Low (internal weight value 100), Limit = 40 Mbps, no Guarantee
Calculations:
- Relative weight calculation:
  Relative Weight = (Value of the QoS priority) / (Total number of QoS objects in the SD-WAN Policy)
  - Relative Weight for the "Critical" priority = 800 / 5 objects = 160
  - Relative Weight for the "High" priority = 400 / 5 objects = 80
  - Relative Weight for the "Medium" priority = 200 / 5 objects = 40
  - Relative Weight for the "Low" priority = 100 / 5 objects = 20
- On-the-fly calculation:
  Bandwidth for each active QoS object = (Total available interface bandwidth) x [(Relative Weight of each active QoS object) / (Total relative weights of active QoS objects)]
  In our example, only these QoS objects are active:
  - The Default QoS object with the "Medium" priority
  - A custom QoS object #1 with the "Critical" priority
  - A custom QoS object #2 with the "Critical" priority
  - A custom QoS object #4 with the "Low" priority
  Therefore:
  - Total relative weights of active QoS objects = (160 x 2) + 40 + 20 = 380
  - Bandwidth for the active QoS object #1 with the "Critical" priority = 500 Mbps x (160 / 380) = 210 Mbps
  - Bandwidth for the active QoS object #2 with the "Critical" priority = 500 Mbps x (160 / 380) = 210 Mbps
  - Bandwidth for the active Default QoS object with the "Medium" priority = 500 Mbps x (40 / 380) = 55 Mbps
  - Bandwidth for the active QoS object #4 with the "Low" priority = 500 Mbps x (20 / 380) = 25 Mbps
  For each of the QoS objects with the "Critical" priority, these settings apply:
  - Bandwidth = 210 Mbps
  - Limit = 400 Mbps
  - Guarantee = 200 Mbps
  Because the Guarantee is configured, the remaining bandwidth for other QoS objects is:
  Remaining bandwidth = (Total bandwidth of the interface) - (Total "Guarantee") = 500 - (200 + 200) = 100 Mbps
  This means that if the total traffic that matches the QoS objects with the "Critical" priority reaches the maximum of 190 Mbps + 190 Mbps = 380 Mbps, the remaining matched QoS objects may be left with little to almost no bandwidth.
  In this example, the remaining 100 Mbps is again distributed by the on-the-fly calculation:
  - Active QoS object #1 with the "Critical" priority = 100 Mbps x (160 / 380) = 42 Mbps
  - Active QoS object #2 with the "Critical" priority = 100 Mbps x (160 / 380) = 42 Mbps
  - Active Default QoS object with the "Medium" priority = 100 Mbps x (40 / 380) = 11 Mbps
  - Active QoS object #4 with the "Low" priority = 100 Mbps x (20 / 380) = 5 Mbps
There may also be times when the QoS objects with higher priorities use most of the available bandwidth, leaving very little bandwidth for the QoS objects with lower priorities. As a result, the SD-WAN Security Gateway may reach a point where it must drop traffic.
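The two-step calculation (Relative Weight at policy installation, then the on-the-fly split among active objects) and the three installation-time checks from the Limit and Guarantee sections, as an added Python example that is not Check Point's code. The names QoSObject, validate_policy, relative_weights and on_the_fly_bandwidth are mine; the input is constructed from the page's ISP1 example, and the functions return exact values where the page shows rounded figures.

```python
from dataclasses import dataclass
from typing import Optional

# Internal weight per QoS priority, as documented on this page.
PRIORITY_WEIGHT = {"Critical": 800, "High": 400, "Medium": 200, "Low": 100}


@dataclass
class QoSObject:
    name: str
    priority: str
    limit_mbps: Optional[float] = None      # None = no Limit configured
    guarantee_mbps: Optional[float] = None  # None = no Guarantee configured
    active: bool = True                     # has active connections


def validate_policy(objs, interface_mbps):
    """Installation-time checks from the page; return the first failing rule or None."""
    for o in objs:
        if o.limit_mbps is not None and o.limit_mbps > interface_mbps:
            return f"{o.name}: limit exceeds interface bandwidth"
        if (o.guarantee_mbps is not None and o.limit_mbps is not None
                and o.guarantee_mbps > o.limit_mbps):
            return f"{o.name}: guarantee exceeds limit"
    if sum(o.guarantee_mbps or 0 for o in objs) > 0.9 * interface_mbps:
        return "sum of guarantees exceeds 90% of interface bandwidth"
    return None


def relative_weights(objs):
    """Step 1 (policy installation): priority weight / total number of QoS objects."""
    return {o.name: PRIORITY_WEIGHT[o.priority] / len(objs) for o in objs}


def on_the_fly_bandwidth(objs, interface_mbps):
    """Step 2 (traffic match): split the interface among active objects by relative weight."""
    rel = relative_weights(objs)
    active = [o for o in objs if o.active]
    total = sum(rel[o.name] for o in active)
    return {o.name: interface_mbps * rel[o.name] / total for o in active}


# Constructed from the page's worked example: ISP1 at 500 Mbps, five QoS objects.
ISP1_MBPS = 500
EXAMPLE = [
    QoSObject("Default QoS", "Medium"),
    QoSObject("Custom #1", "Critical", limit_mbps=400, guarantee_mbps=200),
    QoSObject("Custom #2", "Critical", limit_mbps=400, guarantee_mbps=200),
    QoSObject("Custom #3", "High", active=False),
    QoSObject("Custom #4", "Low", limit_mbps=40),
]
```

Calling on_the_fly_bandwidth(EXAMPLE, ISP1_MBPS - 400) reproduces the second pass over the 100 Mbps that remains after both Guarantees.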