EA Feature: QoS in SD-WAN
Introduction to QoS in SD-WAN
In the SD-WAN Policy, you can configure QoS objects to prioritize traffic for the relevant applications.
Each rule that contains a QoS object applies the configured QoS settings independently and enforces them based only on the traffic that matches this rule.
You create the required QoS objects for each interface and for each direction (Upload / Download).
The SD-WAN Security Gateway performs the required calculations based on the available bandwidth of the applicable interface.
Note - The SD-WAN service automatically creates the default QoS object called Default QoS with the Priority (Weight) value Medium in these cases:
Supported Security Gateways
=== WHAT ARE THE REQUIREMENTS ???
- R82 Jumbo Hotfix Accumulator, Take XXX and higher (PRJ-XXX)
- R81.20 Jumbo Hotfix Accumulator, Take XXX and higher (PRJ-XXX)
- Quantum Spark - planned
Configuring QoS in SD-WAN
Workflow
- Configure the required QoS objects.
- In the WAN Link Mapping, configure the required QoS settings for the interfaces to override the Default QoS object.
- Optional: In the applicable Steering Behavior objects, configure the required QoS settings to override the QoS settings you configured in WAN Link Mapping.

- Log in to Check Point Infinity Portal.
- Click the top left > in the section Quantum, click SD-WAN.
- From the left navigation panel, click Network.
- In the middle section, click SD-WAN Policy.
- From the top toolbar, click Manage Objects.
- From the top toolbar, click (New) > click QoS.
- In the Name field, enter a descriptive name that represents this QoS object.
- Optional: In the Comment field, enter an applicable text that describes this QoS object.
  This comment is very useful when you select this object later in the SD-WAN Policy.
- In the Thresholds section:
  - Select the required Priority (Weight) - Low, Medium, High, or Critical.
    This QoS priority determines the traffic precedence relative to priorities configured in other QoS objects that are used in the SD-WAN Policy.
    The SD-WAN Security Gateway performs the required calculation to understand the weight (percentage) relation between different rules.
    This calculation is based on the number of active rules (with active connections) with each QoS priority:
    === IS THIS FORMULA CORRECT ???
    Relative Weight = (Internal weight value of the configured QoS Priority) / (Total number of SD-WAN Policy rules that contain Steering objects with various QoS settings)
    Each QoS priority has a predefined internal weight value used for this calculation:
    - Critical priority - 800
    - High priority - 400
    - Medium priority - 200
    - Low priority - 100
  - Optional: Configure the Limit - either based on % of total bandwidth, or in Mbps.
    This value determines the maximum limit of total bandwidth that may be used for traffic that matches a rule with this QoS object.
    Important:
    - In a QoS object, the "limit" value cannot be greater than the total bandwidth available on the interface. Otherwise, policy installation fails.
    - If traffic reaches the configured priority (weight) or limit, then the final QoS decision is based on the lowest of these two values.
  - Optional: Configure the Guarantee - either based on % of total bandwidth, or in Mbps.
    This value determines the guaranteed bandwidth for traffic that matches a rule with this QoS object.
    Important:
    - In a QoS object, the "guarantee" value cannot be greater than the "limit" value. Otherwise, policy installation fails.
    - In a QoS object, the "guarantee" value cannot be more than 90% of the total bandwidth.
    - If traffic reaches the configured "priority" ("weight") value or the "guarantee" value, then the final QoS decision is always based on the "guarantee" value.
- Optional: In the DSCP Tagging section:
  This setting adds DSCP tags to signal to other devices across the network to prioritize specific traffic, ensuring critical traffic is handled with higher importance.
  - Select Enable DSCP tagging.
  - In the field Packets will be tagged as, select the applicable DSCP behavior.
- Click OK.
  The QoS object now appears in Manage Objects > Custom QoS.
- Close the Manage Objects panel.

In the WAN Link Mapping, configure the required QoS settings for the interfaces to override the Default QoS object.
See WAN Link Mapping.

Optional: In the applicable Steering Behavior objects, configure the required QoS settings to override the QoS settings you configured in WAN Link Mapping.
- Click the QoS tab.
- In the section QoS Configuration, select Override according to.
- Select the required QoS object.
- Optional: Select Override and choose specific Traffic Directions per WAN Link.
  === ARE THERE MORE FIELDS AFTER SELECTING THIS CHECKBOX ???
  This setting applies the QoS configuration to the WAN candidates that you selected on the Steering Candidates tab.
  Important - For this setting to work, you must enable Upload or Download in at least one WAN Link.
  === HOW TO DO THIS ???

- Create a new rule, or edit an existing rule (see Configuring SD-WAN Policy).
- From the top toolbar, click Publish to save the changes.
- From the top toolbar, click Enforce to apply the changes.
  The orange frame on this button means there are changes that are not enforced.
  In the popup window that opens, click Publish & Enforce Policy.
Example QoS Calculation

One interface on a Security Gateway for "ISP1" with a total bandwidth of 500 Mbps.
Four QoS objects:
- The default QoS object with the Priority = Medium (internal weight value 200), no Limit, no Guarantee
- Priority = Critical (internal weight value 800), Limit = 400 Mbps, Guarantee = 250 Mbps
- Priority = Critical (internal weight value 800), Limit = 400 Mbps, Guarantee = 250 Mbps
- Priority = Low (internal weight value 100), Limit = 40 Mbps
Relative weight calculation (see the formula above):
- Relative Weight for the Critical priority = 800 / 4 objects = 200
- Relative Weight for the Medium priority = 200 / 4 objects = 50
- Relative Weight for the Low priority = 100 / 4 objects = 25
Divided as per the number of valid rules being used
=== THIS CALCULATION IS NOT CLEAR AT ALL -
WHY DO WE SUM ALL VALUES ???
WHERE DID % VALUES COME FROM ???
200 (42%) + 200 (42%) + 25 (5%) + 50 (11%) = 475 (100%)
The total bandwidth of 500 Mbps on the interface is divided based on the above percentages:
- 210 Mbps for the QoS object #1 with the Priority "Critical"
- 210 Mbps for the QoS object #2 with the Priority "Critical"
- 55 Mbps for the QoS object with the Priority "Medium"
- 25 Mbps for the QoS object with the Priority "Low"
For the Priority "Critical", there are 210 Mbps for each of the QoS objects, while there is also a 400 Mbps Limit, and a 250 Mbps Guarantee.
This means, each QoS object will have up to 210 Mbps available and a Guarantee of 250 Mbps.
As a result, if traffic that matches these QoS objects reaches the total bandwidth limit (500 Mbps), the QoS objects with lower priorities may be left without bandwidth. In such a case, the SD-WAN Security Gateway drops traffic that matches the QoS objects with lower priorities.
These values are then applied so that specific traffic is prioritized, limited, or guaranteed, making the best use of the link's bandwidth.
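
The calculation above, reproduced as an added Python example (not Check Point code): it follows the relative-weight formula and whole-percent rounding exactly as this page states them, checks the Limit and Guarantee constraints listed earlier, and shows how much bandwidth remains once every Guarantee is in use. The `QosObject` class, the function names, the object names and the Mbps-only inputs are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Internal weight values as listed on this page.
WEIGHTS = {"Critical": 800, "High": 400, "Medium": 200, "Low": 100}

@dataclass
class QosObject:                      # hypothetical model, not a Check Point API
    name: str
    priority: str
    limit_mbps: Optional[float] = None
    guarantee_mbps: Optional[float] = None

def validate(obj, link_mbps):
    """Return violations of the Limit / Guarantee constraints this page lists."""
    errors = []
    if obj.limit_mbps is not None and obj.limit_mbps > link_mbps:
        errors.append("limit exceeds total interface bandwidth")
    if obj.guarantee_mbps is not None:
        if obj.limit_mbps is not None and obj.guarantee_mbps > obj.limit_mbps:
            errors.append("guarantee exceeds limit")
        if obj.guarantee_mbps > 0.9 * link_mbps:
            errors.append("guarantee exceeds 90% of total bandwidth")
    return errors

def allocate(objects, link_mbps):
    """Apply the page's relative-weight formula, then cap each share by its Limit."""
    rel = [WEIGHTS[o.priority] / len(objects) for o in objects]
    total = sum(rel)
    plan = {}
    for o, r in zip(objects, rel):
        pct = round(100 * r / total)  # whole percent, as in the page's example
        share = link_mbps * pct / 100
        cap = share if o.limit_mbps is None else min(share, o.limit_mbps)
        plan[o.name] = {"percent": pct, "share_mbps": share, "cap_mbps": cap,
                        "guarantee_mbps": o.guarantee_mbps or 0}
    return plan

def unguaranteed_mbps(objects, link_mbps):
    """Bandwidth left for objects without a Guarantee when all Guarantees are in use."""
    return link_mbps - sum(o.guarantee_mbps or 0 for o in objects)

# Constructed input: the four objects and the 500 Mbps "ISP1" link from the example.
ISP1 = [QosObject("Default QoS", "Medium"),
        QosObject("Critical-1", "Critical", 400, 250),
        QosObject("Critical-2", "Critical", 400, 250),
        QosObject("Low", "Low", 40)]

if __name__ == "__main__":
    for name, row in allocate(ISP1, 500).items():
        print(name, row)
    print("left after guarantees:", unguaranteed_mbps(ISP1, 500), "Mbps")
```

The two Critical guarantees add up to the full 500 Mbps, so `unguaranteed_mbps` returns 0, which is the condition under which the Medium and Low objects can be left without bandwidth.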