
Managing QoS

This chapter describes how to configure and manage QoS. The procedures described in this chapter all presuppose that you have already started the SmartDashboard application as described in Starting SmartDashboard.

Related Topics

Defining QoS Global Properties

Specifying Interface QoS Properties

Editing QoS Rule Bases

Modifying Rules

Defining Sub-Rules

Working with Differentiated Services (DiffServ)

Working with Low Latency Classes

Working with Authenticated QoS

Managing QoS for Citrix ICA Applications

Managing QoS for Citrix Printing

Viewing QoS Gateway Status

Configuring QoS Topology

Enabling Log Collection

Defining QoS Global Properties

You can define the QoS Global Properties, including the maximum weight of a QoS rule, the default value for the weight of a new QoS rule, the unit of measure for displaying transmission rates, and various timeout values for the implementation of the QoS rules.

To Modify the QoS Global Properties

  1. From the Policy menu, choose Global Properties or click the Edit Global Properties icon in the toolbar.

    The Global Properties window opens.

  2. Click QoS in the tree that appears on the left side of the page. The QoS page of the Global Properties window is displayed.

    The following properties that apply to QoS rules are displayed. You can change any of these fields:

    In the Weight area:

    • Maximum weight of rule: The maximum weight that can be assigned to rules. The default value is 1000, but can be changed to any number.
    • Default weight of rule: The weight to be assigned in the Action column by default to new rules, including new Default rules.

    In the Rate area:

    • Unit of measure: The unit specified in QoS windows by default for transmission rates (for example, Bps - Bytes per second).

    In the Authenticated timeout for QoS area:

    • Authenticated IP expires after: If a user has been authenticated, all connections that are opened within the specified time receive the guaranteed bandwidth connection. Any connection opened after the specified time will be queried with the User Authority Server (UAS) again.
    • Non authenticated IP expires after: If a user has previously tried and failed to be authenticated by the QoS Policy, then all connections that are opened within the specified time will not receive the guaranteed bandwidth connection. This means that they will not match that specific rule during that time.
    • Unresponded queried IP expires after: The User Authority Server (UAS) database is queried to see if a user's IP has been previously authenticated using Client Authentication or SSL. Until an answer is received, connections from this user will be classified to the next matching rule. If an answer is not received within the specified time, there will be another query.

    Note - Click Set Default to restore the default settings for the Authentication timeout for QoS parameters.

  3. Click OK to save the changes to the QoS Global Properties.
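The three timeout values above describe a small per-IP cache with three states (authenticated, failed authentication, query outstanding). The following Python model is an added illustration of that behaviour and is not Check Point code: the class and function names, the UAS lookup callback (returning True, False, or None for "no answer yet"), the sample IP addresses and the fake clock are all constructed for the example.

```python
# Added example: a simplified model of the three "Authenticated timeout for QoS"
# values. Not Check Point code; names, the UAS callback and sample data are assumptions.
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class AuthState(Enum):
    AUTHENTICATED = "authenticated"          # UAS answered: user is authenticated
    NOT_AUTHENTICATED = "not_authenticated"  # UAS answered: authentication failed
    PENDING = "pending"                      # query sent to the UAS, no answer yet


@dataclass
class CacheEntry:
    state: AuthState
    expires_at: float  # clock value after which the UAS is queried again


class AuthenticatedIpCache:
    """Per-source-IP cache deciding how a connection is classified against a
    rule whose Source requires an authenticated user."""

    def __init__(self,
                 authenticated_ttl: float,      # "Authenticated IP expires after"
                 non_authenticated_ttl: float,  # "Non authenticated IP expires after"
                 unresponded_ttl: float,        # "Unresponded queried IP expires after"
                 query_uas: Callable[[str], Optional[bool]],
                 clock: Callable[[], float] = time.monotonic):
        self.authenticated_ttl = authenticated_ttl
        self.non_authenticated_ttl = non_authenticated_ttl
        self.unresponded_ttl = unresponded_ttl
        self.query_uas = query_uas  # returns True, False, or None (no answer yet)
        self.clock = clock
        self.entries: Dict[str, CacheEntry] = {}
        self.queries_sent = 0

    def classify(self, ip: str) -> str:
        """Return 'match' (rule matches; guaranteed bandwidth applies),
        'no_match' (user failed authentication; this rule is skipped) or
        'next_rule' (answer outstanding; fall through to the next matching rule)."""
        now = self.clock()
        entry = self.entries.get(ip)
        if entry is None or entry.expires_at <= now:
            # Unknown or expired: query the UAS again and start a fresh timer.
            self.queries_sent += 1
            answer = self.query_uas(ip)
            if answer is True:
                entry = CacheEntry(AuthState.AUTHENTICATED, now + self.authenticated_ttl)
            elif answer is False:
                entry = CacheEntry(AuthState.NOT_AUTHENTICATED, now + self.non_authenticated_ttl)
            else:
                entry = CacheEntry(AuthState.PENDING, now + self.unresponded_ttl)
            self.entries[ip] = entry
        return {
            AuthState.AUTHENTICATED: "match",
            AuthState.NOT_AUTHENTICATED: "no_match",
            AuthState.PENDING: "next_rule",
        }[entry.state]


# Constructed sample UAS directory for the demo: any other IP gets no answer.
SAMPLE_UAS_ANSWERS = {"10.0.0.5": True, "10.0.0.6": False}


def demo() -> Dict[str, object]:
    """Run three sample IPs through a cache driven by a fake clock (seconds)."""
    now = [0.0]
    cache = AuthenticatedIpCache(300, 60, 10,
                                 query_uas=lambda ip: SAMPLE_UAS_ANSWERS.get(ip),
                                 clock=lambda: now[0])
    result: Dict[str, object] = {ip: cache.classify(ip)
                                 for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7")}
    now[0] = 15.0                      # only the unresponded entry (10 s) has expired
    result["10.0.0.7 again"] = cache.classify("10.0.0.7")
    result["queries_sent"] = cache.queries_sent  # 3 initial queries + 1 re-query
    return result


if __name__ == "__main__":
    print(demo())
```

The model makes the classification consequence of each timer explicit: an authenticated entry keeps matching the rule without further UAS traffic until it expires, a failed entry keeps the rule from matching for its own (normally shorter) interval, and a pending entry sends traffic to the next matching rule and is re-queried once the unresponded timeout passes.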

Specifying Interface QoS Properties

You must first define the network objects, that is, the gateway and its interfaces on which QoS controls traffic flow. For further information, see: R76 Security Management Administration Guide.

After defining the interfaces you can specify the QoS properties for those interfaces. This is done in the QoS tab of the Interface Properties window. Defining the interface QoS properties involves setting the Inbound and Outbound active transmission rates and specifying the Differentiated Services (DiffServ) and Low Latency classes. You can change these definitions at any time.

Note - The QoS tab is only enabled for the interfaces of gateways that have QoS checked under Check Point Products in the General Properties of the Check Point Gateway window.

To Define the Interface QoS Properties

  1. Open the Properties window for the appropriate gateway by double-clicking the gateway in the Objects Tree, or by choosing the gateway from the list in the Network Objects window. The Check Point Gateway - General Properties window opens.
  2. Choose Topology in the tree on the left side of the Check Point Gateway - General Properties window. The Check Point Gateway - Topology window is displayed.
  3. If a list of the gateway's interfaces is not already present, click Get... to automatically retrieve the interfaces' information. If you choose this method of configuring the gateway, the topology fetched suggests the external interface of the gateway based on the QoS gateway routing table. You must ensure that this information is correct.

    Alternatively, clicking Add displays the Interface Properties window. Interface information can then be defined in the General and Topology tabs of this window.

  4. Double-click on the appropriate interface, or select it and click Edit. The Interface Properties window is displayed.
  5. Click the QoS tab. The QoS tab opens.

    Note - The interfaces on the WAN side (or the interface connected to the slower network) should usually be set to active. On a simple gateway with only two interfaces, QoS should be installed only on the interface connected to the WAN. If the gateway also controls DMZ traffic, you may want to install QoS on the interface connected to the DMZ.

    1. Check Inbound Active to enable QoS to control traffic on this interface in the inbound direction.
    2. From the Rate list select the available bandwidth in the inbound direction, or enter the interface rate manually.
    3. Check Outbound Active to enable QoS to control traffic on this interface in the outbound direction.
    4. From the Rate list select the available bandwidth in the outbound direction, or enter the interface rate manually.

    Note - Ensure that the rates correspond to the actual physical capacity of the interfaces, as QoS does not verify these values.

    If the rate is incorrectly defined as less than the line's real capacity, QoS will not use more than the capacity defined, and the excess capacity will remain unused. If the rate is incorrectly defined as more than the line's real capacity, QoS will not control the traffic correctly.

  6. In the DiffServ and Low Latency classes area, you can specify the Differentiated Services (DiffServ) and Low Latency Queuing classes to be used on the interface.

    You can Add, Edit or Remove a class. Refer to Working with Differentiated Services (DiffServ) and Working with Low Latency Classes for more details on adding or editing DiffServ and Low Latency Classes.

    For information about DiffServ and Low Latency classes, see Differentiated Services (DiffServ) and Low Latency Queuing.

  7. Click OK to save the changes to the interface QoS properties.
  8. For each of the relevant interfaces, do steps 4 - 7.

Editing QoS Rule Bases

A Policy Package comprises several Rule Bases, depending on the policy types selected.

QoS policy is implemented by defining an ordered set of rules in the Rule Base. The Rule Base is comprised of those rules which you create and a default rule. The default rule is automatically created with the Rule Base. It can be modified but cannot be deleted. The fundamental concept of the Rule Base is that unless other rules apply, the default rule is applied to all data packets. The default rule is therefore always the last rule in the Rule Base.

The Rule Base specifies what actions are to be taken with the data packets. It specifies the source and destination of the communication, what services can be used, at what times, whether to log the connection and the logging level.

A QoS Rule Base is applied to specific gateways and interfaces. After you have created the Policy Package and defined its QoS rules you must install it on the relevant QoS gateways.

For further details, refer to Overview.

To Create a New Policy Package

  1. From the File menu choose New. The New Policy Package window is displayed.
  2. Enter the name of the Policy Package in the New Policy Package Name field. This name cannot:
    • Contain any reserved words or spaces.
    • Start with a number.
    • Contain any of the following characters: %, #, ', &, *, !, @, ?, <, >, /, \, :.
    • End with any of the following suffixes: .w, .pf, .W.
  3. In the QoS area, select whether you want Traditional mode or Express mode.
  4. Click OK to save the Policy Package to a new file. The new Policy Package is saved and a Default Rule is automatically created.

To Open an Existing Policy Package

  1. From the File menu choose Open. The Open Policy Package window is displayed.
  2. Double-click on the appropriate Policy Package, or select it and click Open. The selected Policy Package is displayed.

To Add a Rule to the Rule Base

When you add rules to a Policy Package you can position the new rule at any location in the Policy Package. The Default Rule which is automatically created with the Rule Base must always remain in the last position in the Rule Base.

  1. Position your mouse cursor in the Name field of the QoS tab, at the position where you want to add a new rule.
  2. You can add the new rule either from the Rule menu, the toolbar, or right-click on any name in the Name column of a rule to display the Rule menu, as shown here:

Adding a Rule

    To add a rule              Select from Menu
    After the last rule        Rules > Add Rule > Bottom
    Before the first rule      Rules > Add Rule > Top
    After the current rule     Rules > Add Rule > Below
    Before the current rule    Rules > Add Rule > Above
    To the current rule        Rules > Add Sub-Rule

Description of Rule Menu Items

    • Add Rule above: Adds a rule before the current rule.
    • Add Rule below: Adds a rule after the current rule.
    • Add Sub-Rule: Adds a sub-rule to the current rule.
    • Delete Rule: Deletes the current rule.
    • Copy Rule: Copies the current rule to the clipboard.
    • Cut Rule: Deletes the current rule and puts it in the clipboard.
    • Paste Rule: Pastes the rule in the clipboard (a sub-menu is displayed from which you can select whether to paste the rule above or below the current rule).
    • Add Class of Service: Specifies a Class of Service (see Differentiated Services (DiffServ) and Low Latency Queuing). A sub-menu is displayed from which you can select whether the Class of Service is to be added above or below the current rule.
    • Hide Rule: Hides the current rule. The rule is still part of the Rule Base and will be installed when the QoS Policy is installed.
    • Disable Rule: Disables the current rule. The rule appears in the Rule Base but is not enforced by the QoS Policy.
    • Rename Rule: Renames the current rule.
    • Matching Method: Starting from QoS NG this feature is not relevant; it is kept for backward compatibility only (version 4.1).

  3. Select one of the options for creating the new rule. The Rule Name window is displayed.
  4. Enter the name of the rule in the Rule Name field.
  5. Click OK. The rule is added to the Rule Base at the selected position and is comprised of the default values defined in the QoS page of the Global Properties window. Follow the procedures described in the pages that follow to modify this rule.

To Rename a Rule

  1. In the QoS tab, double-click on the rule you want to rename, or right-click on the rule and select Rename Rule. The Rule Name window is displayed.
  2. Enter the rule name in the Rule Name field.
  3. Click OK to save the rule name.

To Copy, Cut or Paste a Rule

You can copy, cut or paste a rule using either the Edit or Rules menus or the right-click menu of the selected rule.

  1. In the QoS tab, select the rule you want to copy, cut or paste.
  2. From the Edit or Rules menu, choose one of the options described in the table below.

Copying, Cutting and Pasting Rules

    Action    From Menu select
    Cut       Edit > Cut
    Copy      Edit > Copy
    Paste     Edit > Paste

If you choose Paste, then the Paste menu will be opened. You must then select Bottom, Top, Above, or Below to specify where in the Rule Base to paste the rule.

To Delete a Rule

You can delete a rule using either the right-click menu of the selected rule or clicking the Delete button on the toolbar.

  1. In the QoS tab, select the rule you want to delete.
  2. Click the Delete button on the toolbar.
  3. Click Yes to delete the selected rule.

Modifying Rules

You can modify any of the rule fields, as often as you like, until the rule is in the form that you require. This includes specifying the source and destination of each communication, what services can be used at what times (including TCP, Compound TCP, UDP, and ICMP services), the actions to be taken with the data packets, whether you want to maintain a log of the entries for the selected rule, and on which interfaces of the QoS gateway the rule is enforced.

This section describes the procedures for modifying the various fields in a rule. Refer to Overview for more details about rules.

Modifying Sources in a Rule

You can modify the source(s) of the communication in a rule. You can add as many sources as required. In addition, you can restrict the sources of the rule to particular user groups, or to user groups originating from specific locations.

To Add Sources to a Rule

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Source column of the selected rule and select Add. The Add Object window is displayed, listing the network objects defined in the Security Policy and the QoS Policy.

    Note - You can also use the Add Object window to define new objects and delete or modify objects.

  3. Select one or more network objects (using the standard Windows selection keys) to add to the rule's Source.
  4. Click OK. The objects are added to the Source field. You can add as many sources as required.

To Add User Access to the Sources of a Rule

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Source column of the selected rule and select Add Users Access. The User Access window is displayed.
  3. Choose one of the user groups to add to the rule's Source.
  4. Select whether you want to restrict the Location, as follows:
    • No restriction: There is no restriction on the source of the users. For example, if you choose All Users and check No restriction, then AllUsers@Any will be inserted under Source in the rule.
    • Restrict to: The source is restricted to the network object you select in the list box. For example, the source object in the rule will be AllUsers@Local_Net.
  5. Click OK to add the user access to the rule source.

To Edit, Delete, Cut, Copy or Paste a Source in a Rule

You can edit, delete, cut, copy or paste a source in a rule using the right-click menu of the selected source.

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Source of the selected rule and select one of the following options:
    • Edit: The appropriate window is opened, according to the type of object selected, and you can change the object's properties. (Alternatively, you can double-click on an object in the Source column of the selected rule to edit it.)
    • Delete: The selected object is deleted. If you delete the last source object in the rule it is replaced by Any.
    • Cut: The selected object is cut and put it in the clipboard.
    • Copy: The selected object is copied to the clipboard.
    • Paste: The object is pasted from the clipboard to the rule's Source.

To View Where an Object is Used

You can view where the selected object is used (in queries, active policies, and so on).

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Source of the selected rule and choose Where Used. The Object References window is displayed, showing you where the selected object is used (in queries, active policies, and so on).
  3. Click Close to return to the rule.

Modifying Destinations in a Rule

You can modify the destination(s) of the communication in a rule. You can add as many destinations as required.

To Add Destinations to a Rule

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Destination column of the selected rule and select Add. The Add Object window opens, listing the network objects defined in the Security Policy and the QoS Policy.

    Note - You can also use the Add Object window to define new objects and delete or modify objects.

  3. Select one or more network objects (using the standard Windows selection keys) to add to the rule's Destination.
  4. Click OK. The objects are added to the Destination field. You can add as many destinations as required.

To Edit, Delete, Cut, Copy or Paste a Destination in a Rule

You can edit, delete, cut, copy or paste a destination in a rule using the right-click menu of the selected destination.

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Destination of the selected rule and select one of the following options:
    • Edit: The appropriate window is opened, according to the type of object selected, and you can change the object's properties. (Alternatively, you can double-click on an object in the Destination column of the selected rule to edit it.)
    • Delete: The selected object is deleted. If you delete the last destination object in the rule it is replaced by Any.
    • Cut: The selected object is cut and put it in the clipboard.
    • Copy: The selected object is copied to the clipboard.
    • Paste: The object is pasted from the clipboard to the rule's Destination.

To View Where an Object is Used

You can view where the selected object is used (in queries, active policies, and so on).

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Destination of the selected rule and choose Where Used. The Object References window is displayed showing you where the selected object is used (in queries, active policies, and so on).
  3. Click Close to return to the rule.

Modifying Services in a Rule

You can modify the service(s) in a rule. You can add as many services as required, however, you can only add one URI for QoS resource in a single rule.

Note - Previous versions of QoS have not limited the number of URIs for QoS resources allowed per rule. If you are using a QoS Policy originally designed for use with a previous QoS version, be sure to redefine any rule that has more than one resource in its Service Field.

To Add Services to a Rule

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Service column of the selected rule and select Add. The Add Object window is displayed listing the network objects defined in the Security Policy and the QoS Policy.
  3. Select one or more network objects (using the standard Windows selection keys) to add to the rule's Service.
  4. Click OK. The objects are added to the Service field. You can add as many services as required. However only one TCP Citrix or URI for QoS service is allowed.

To Add a Service with a Resource to a Rule

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Service column of the selected rule and select Add with Resources. You can only add one service with a resource to a rule, so this option is only available if you have not already added a service with a resource to this rule. The Services with Resource window is displayed.
  3. Choose one of the services in the Location area and then select the appropriate resource from the Resource list. Note the following:
    • Only resources of type URI for QoS can be added to the QoS Rule Base. URI for QoS is used for identifying HTTP traffic according to the URL (URI).
    • Do not use the protocol prefix (http://) when setting up a URI resource. HTTP services with URI for QoS resources can be defined on all ports.
    • The regular expression supported by QoS is of the form a*b, where a and b are strings and * is a wildcard.
    • Both full and relative URIs are supported:
      • Full URI: Use the full URI but without the protocol prefix (for example, do not use "http://"). Valid full URI example: "www.my-site.com/pic/qos.gif"
      • Relative URI: Use the URI that starts just after the domain name. The relative URI must start with a slash. For example: "/pic/qos.gif"
  4. Click OK to add the service with a URI for QoS resource to the rule.

Note - Only one resource is allowed in a single rule.
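The pattern rules above (one wildcard in the form a*b, no protocol prefix, full URI versus relative URI starting with a slash) are easy to get wrong when a resource is defined. The following Python matcher is an added illustration of those rules, not Check Point's matching engine: the function names, the decision to compare the host part case-insensitively while keeping the path as written, and the sample URLs are assumptions made for the example. The last function goes slightly beyond the text by walking an ordered list of (rule, pattern) pairs the way a first-match Rule Base would, ending at a Default rule.

```python
# Added example: matcher for a "URI for QoS" a*b pattern. Not Check Point code;
# names, case handling and sample URLs are assumptions.
from urllib.parse import urlsplit
from typing import List, Tuple


def validate_pattern(pattern: str) -> None:
    """Reject patterns that the resource definition does not allow."""
    if not pattern:
        raise ValueError("empty pattern")
    if "://" in pattern:
        raise ValueError("do not include the protocol prefix (for example http://)")
    if pattern.count("*") > 1:
        raise ValueError("only one wildcard is supported (form a*b)")


def split_request_url(url: str) -> Tuple[str, str]:
    """Return (host, path) of a request URL; the scheme is discarded.
    A query string is kept as part of the path so it can be matched with '*'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.netloc.lower(), path


def _wildcard_match(pattern: str, subject: str) -> bool:
    """'a*b' matches when subject starts with a, ends with b, and is long
    enough that the two halves do not overlap. No '*' means an exact match."""
    a, star, b = pattern.partition("*")
    if not star:
        return subject == pattern
    return (len(subject) >= len(a) + len(b)
            and subject.startswith(a) and subject.endswith(b))


def uri_matches(pattern: str, url: str) -> bool:
    validate_pattern(pattern)
    host, path = split_request_url(url)
    if pattern.startswith("/"):
        # Relative URI: compare only the part after the domain name.
        return _wildcard_match(pattern, path)
    # Full URI: lower-case the host part of the pattern (assumption), keep the rest.
    head, slash, tail = pattern.partition("/")
    return _wildcard_match(head.lower() + slash + tail, host + path)


def first_matching_rule(rules: List[Tuple[str, str]], url: str) -> str:
    """Return the name of the first rule whose resource pattern matches `url`,
    or 'Default' when none does (first-match over an ordered Rule Base)."""
    for name, pattern in rules:
        if uri_matches(pattern, url):
            return name
    return "Default"


if __name__ == "__main__":
    # Constructed sample rule base and request URLs.
    sample_rules = [("Images", "/pic/*"), ("Site", "www.my-site.com/*")]
    for u in ("http://www.my-site.com/pic/qos.gif", "http://WWW.My-Site.com/index.html",
              "http://other.example.net/doc.html"):
        print(u, "->", first_matching_rule(sample_rules, u))
```

Note that a pattern without a wildcard is an exact comparison, so "/pic/qos.gif" does not match a request for "/pic/qos.gif?v=2"; use "/pic/qos.gif*" when query strings should be covered.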

To Edit, Delete, Cut, Copy or Paste a Service in a Rule

You can edit, delete, cut, copy or paste a service in a rule using the right-click menu of the selected service.

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Service of the selected rule and select one of the following options:
    • Edit: The appropriate window is opened, according to the type of object selected, and you can change the object's properties. (Alternatively, you can double-click on an object in the Service column of the selected rule to edit it.)
    • Delete: The selected object is deleted. If you delete the last service object in the rule it is replaced by Any.
    • Cut: The selected object is cut and put it in the clipboard.
    • Copy: The selected object is copied to the clipboard.
    • Paste: The object is pasted from the clipboard to the rule's Service.

To View Where an Object is Used

You can view where the selected object is used (in queries, active policies, and so on).

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Service of the selected rule and choose Where Used. The Object References window is displayed showing you where the selected object is used (in queries, active policies, and so on).
  3. Click Close to return to the rule.

Modifying Rule Actions

You can modify the default properties of a rule. The available options depend on whether it is a simple or advanced type of rule. The advanced rule action type enables you to specify limits and guarantee allocation on a per connection basis.

To Edit the Rule Actions

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Action column of the selected rule and select Edit Properties. The QoS Action Properties window is displayed.
    • If the Action Type of the rule is defined as Simple, the QoS Action Properties window for a simple action opens.
    • If the Action Type of the rule is defined as Advanced, the QoS Action Properties window for an advanced action opens.

    Note - When Express QoS has been installed, Advanced Actions are not available.

  3. The following properties are displayed for a QoS rule with a simple action type. You can change any of these fields:

    In the Action Type area:

    • Simple: The full set of actions with the exception of the Guarantee Allocation and the per connection limit features.
    • Advanced: The full set of actions with the Guarantee Allocation feature included.

    In the VPN Traffic area:

    • Allow rule only to encrypted traffic: Check this box if you want the rule to be matched only by VPN traffic. If you do not check this field, rules will be matched by all traffic types, both VPN and non-VPN traffic. VPN traffic means traffic that is encrypted in this same gateway by IPsec VPN. This field does not apply to traffic that was encrypted prior to arriving to this gateway. This type of traffic can be matched using the "IPSec" service. For further explanation on how to use this check box for prioritizing VPN traffic over non-VPN, see Example of a Rule Matching VPN Traffic.

    In the Action Properties area you can define the restrictions on bandwidth for connections to which the rule applies in the following fields:

    • Rule Weight: Enables you to define the weight of the rule. This field is checked by default and has the value defined in the Global Properties window in Defining QoS Global Properties. It is recommended to leave this value as is to avoid a complete loss of bandwidth. For detailed information see Weight.

    Important - 0 rate in conjunction with 0 guarantee can lead to the rule's complete loss of bandwidth. To prevent this from happening, retain some ratio in the Rule Weight. The default is 10.

    • Rule Limit: Enables you to restrict the total bandwidth consumed by the rule. For detailed information see Limits.

    Note - When using weights or guarantees, the weighted fair queuing algorithm that QoS makes use of assures that no bandwidth is ever wasted. Spare bandwidth is divided among the backlogged rules. However, if you set a rule limit, it will not use spare bandwidth above this limit.

    • Rule Guarantee: Enables you to define the absolute bandwidth allocated to the rule. For detailed information see Guarantees.

    Note - The number you enter for the Rule Guarantee cannot be larger than the Rule Limit.

  4. (Optional) The following additional properties are displayed for a QoS rule with an advanced action type. You can change any of these fields:

    In the Limit area:

    • Rule Limit: Enables you to restrict the total bandwidth consumed by the rule. For detailed information see Limits.

    Note - When using weights or guarantees, the weighted fair queuing algorithm that QoS makes use of assures that no bandwidth is ever wasted. Spare bandwidth is divided among the backlogged rules. However, if you set a rule limit, it will not use spare bandwidth above this limit.

    • Per connection limit: Enables you to set a rule limit per connection.

    Note - The number you enter for the Rule Guarantee cannot be larger than the Rule Limit.

    In the Guarantee Allocation area:

    • Guarantee: Enables you to allocate a minimum bandwidth to the connections matched with a rule. For detailed information see Guarantees.
    • Per rule: Enables you to define the absolute bandwidth allocated to the rule.

    Note - The number you enter for the Per rule cannot be larger than the Rule Limit.

    • Per connection: Enables you to manage the bandwidth at the connection-level.
    • Per connection guarantee: Enables you to restrict the absolute bandwidth allocated per connection.
    • Number of guaranteed connections: Enables you to allocate a minimum number of guaranteed connections.

    Note - The Number of guaranteed connections multiplied by the Per connection guarantee cannot be greater than the rule limit.

    • Accept additional connections: Check this option to allow connections without per connection guarantees to pass through this rule and receive any leftover bandwidth. Enter the maximum amount of bandwidth that is allowed for this option in the text box. This only occurs if all other conditions have been met.

    Note - Select a non-zero rule weight when Accept additional non-guaranteed connections is checked.

  5. Click OK to update the QoS Action Properties for the rule.
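The notes in steps 3 and 4 state several consistency constraints between weight, limit and guarantee, and describe how weighted fair queuing hands spare bandwidth to backlogged rules while a rule limit caps what a rule may take. The following Python is an added illustration of both points and is not Check Point's scheduler: the RuleAction class, the kbps units, the sample rules and the water-filling approximation of weighted fair queuing (guarantees first, spare split by weight, capped rules drop out and their excess is redistributed) are assumptions made for the example.

```python
# Added example: validator for the Action Properties constraints stated above, plus
# a simplified model of weighted-fair sharing with limits and guarantees.
# Not Check Point code; the class, units (kbps), sample rules and the
# water-filling approximation are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RuleAction:
    name: str
    weight: int = 10                       # Rule Weight (default 10)
    limit: Optional[float] = None          # Rule Limit in kbps; None = no limit
    guarantee: float = 0.0                 # Per rule guarantee in kbps
    per_connection_guarantee: float = 0.0  # Advanced: guarantee for each connection
    guaranteed_connections: int = 0        # Advanced: number of guaranteed connections


def validate_action(a: RuleAction, max_weight: int = 1000) -> List[str]:
    """Return the list of problems found (empty when the action is consistent)."""
    problems = []
    if not 0 <= a.weight <= max_weight:
        problems.append(f"{a.name}: weight must be between 0 and {max_weight}")
    if a.limit is not None and a.guarantee > a.limit:
        problems.append(f"{a.name}: guarantee cannot be larger than the rule limit")
    if a.limit is not None and a.guaranteed_connections * a.per_connection_guarantee > a.limit:
        problems.append(f"{a.name}: guaranteed connections x per connection guarantee exceeds the rule limit")
    if a.weight == 0 and a.guarantee == 0:
        problems.append(f"{a.name}: zero weight with zero guarantee can starve the rule completely")
    return problems


def allocate(rules: List[RuleAction], capacity: float) -> Dict[str, float]:
    """Share `capacity` (kbps) among backlogged rules: guarantees are served first,
    the spare is split in proportion to weight, no rule exceeds its limit, and
    whatever a limited rule cannot take is redistributed to the others."""
    alloc = {r.name: r.guarantee for r in rules}
    remaining = capacity - sum(alloc.values())
    if remaining < 0:
        raise ValueError("guarantees exceed the interface capacity")
    active = list(rules)
    while active and remaining > 1e-9:
        total_weight = sum(r.weight for r in active)
        if total_weight == 0:
            break                      # only zero-weight rules left: spare stays unused
        capped = set()
        handed_out = 0.0
        for r in active:
            share = remaining * r.weight / total_weight
            room = float("inf") if r.limit is None else r.limit - alloc[r.name]
            take = min(share, room)
            alloc[r.name] += take
            handed_out += take
            if room <= share:
                capped.add(r.name)     # at its limit: leaves the next round
        remaining -= handed_out
        if not capped:
            break                      # everything was distributed
        active = [r for r in active if r.name not in capped]
    return alloc


if __name__ == "__main__":
    # Constructed sample: a 1000 kbps interface with four backlogged rules.
    sample = [RuleAction("ERP", weight=10, guarantee=200),
              RuleAction("Web", weight=30, limit=300),
              RuleAction("Mail", weight=10),
              RuleAction("Bulk", weight=0)]
    for r in sample:
        for p in validate_action(r):
            print("warning:", p)
    print(allocate(sample, 1000))
```

In the sample, Web would receive 480 kbps by weight alone but is capped at its 300 kbps limit; the 180 kbps it cannot use is re-split between ERP and Mail, and Bulk, with weight 0 and no guarantee, receives nothing, which is the starvation the Important note above warns about.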

To Reset the Rule Actions to Default Values

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Action column of the selected rule and select Reset to Default. The action properties for the selected rule are reset to their default values. The default values are defined in the QoS page of the Global Properties window (see Defining QoS Global Properties).

Modifying Tracking for a Rule

You can choose whether you want to maintain a log of the entries for the selected rule. If you do want to log the entries, you also have the option of logging the entries in account format. For further information on tracking and logging, see Overview of Logging. For information on how to turn logging on, see Enabling Log Collection.

To Modify Tracking for a Rule

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Track column of the selected rule. The menu that is displayed has the following options:

    • None: No logging is done for this connection.
    • Log: Logging is done for this connection.
    • Account: Logging for this connection is done in Accounting format.

  3. Select the required option.

Modifying Install On for a Rule

The Install On field specifies on which interfaces of the QoS gateway the rule is enforced. You can select any number of Install On objects.

Note - In order to install a QoS Policy on a gateway, you must ensure that the gateway has a QoS gateway installed in the Global Properties window and that the interface is defined in the QoS tab of the Interface Properties window. (See Defining QoS Global Properties and Specifying Interface QoS Properties.)

To Modify Install On for a Rule

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Install On column of the selected rule and select Add. The Add Interface window is displayed.
  3. (Optional) Click Select Targets to select additional installable targets. The Select Installation Targets window is displayed.
  4. To add any target(s) to the list of Installed Targets, select the target(s) in the Not in Installation Targets area and click Add.

    The selected target(s) are added to the In Installation Targets area.

  5. To remove a target(s) from the In Installation Targets area, select the target(s) and click Remove.

    The selected targets are returned to the Not in Installation Targets area.

  6. Click OK. The selected targets now appear in the Add Interface window.
  7. Select from the list of targets in the Add Interface window:
    • A gateway (and all its interfaces on which QoS is defined), or
    • An interface (in both directions), or
    • One direction of an interface
  8. Click OK. The selected interface is added to the Install On field.

To Delete an Install On for a Rule

You can remove an interface for a rule. The rule will no longer be enforced for the interface.

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Install On of the selected rule and select Delete. The selected object is deleted.

To View Where an Object is Used

You can view where the selected object is used.

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Install On of the selected rule and choose Where Used. The Object References window opens showing where the selected object is used.
  3. Click Close to return to the rule.

Modifying Time in a Rule

You can specify the times that the rule is enforced. You add any number of time objects to a rule.

To Modify Time in Rules

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Time column of the selected rule and select Add. The Add Object window is displayed.
  3. (Optional) You can edit a time object:
    1. Select the required time object and click Edit to modify a time object. The Time Properties window is displayed. (Alternatively, you can double-click on an object in the Time column of the selected rule to edit it.)
    2. Edit the fields in the Time Properties window, as required.
    3. Click OK. The Time Object Properties are amended.
  4. Select the required time object in the Add Object window. The time object is added to the rule.

To Edit or Delete a Time Object for a Rule

You can edit or delete a time object in a rule using the right-click menu of the selected time object.

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Time of the selected rule and select one of the following options:
    • Edit: The appropriate window is opened, according to the type of object selected, and you can change the object's properties. (Alternatively, you can double-click on an object in the Time column of the selected rule to edit it.)
    • Delete: The selected object is deleted. If you delete the last time object in the rule it is replaced by Any.

To View Where an Object is Used

You can view where the selected object is used (in queries, active policies, and so on).

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click on the Time of the selected rule and choose Where Used. The Object References window is displayed showing you where the selected object is used (in queries, active policies, and so on).
  3. Click Close to return to the rule.

Adding Comments to a Rule

You can add a comment to a rule.

To Add Comments to Rules

  1. From the Rule Base choose the rule you want to modify.
  2. Right-click in the Comment column of the selected rule and select Edit. The Comment window is displayed. You can also open this window by double-clicking in the Comment column of the selected rule.
  3. Type any text you wish to add in the text box.
  4. Click OK. The comment is added to the rule.

Defining Sub-Rules

Sub-rules are rules that allocate bandwidth more specifically within a rule. For example, consider the rule shown in the figure below.

The bandwidth allocated to the ABC_VPN rule is further allocated among the sub-rules ABC_VPN_ERP through Default under ABC_VPN.

To Define Sub-Rules

  1. Select the rule under which the sub-rule is to be defined.
  2. Right-click in the Rule Name column.
  3. Select Add Sub-Rule from the menu. The Rule Name window is displayed.
  4. Enter the sub-rule name and click OK. The new sub-rule, together with a default sub-rule, is created automatically under the rule selected in step 1, using the default values defined.
  5. You may modify the sub-rules by following the same procedures for editing rules described in Editing QoS Rule Bases.
  6. Add new sub-rules by following the same procedures for creating rules described in Editing QoS Rule Bases.

To View Sub-Rules

The sub-rules under a main rule can be seen by expanding the rule in the QoS Rule Tree. To view sub-rules in the Rule Base itself, click one of the sub-rules in the relevant main rule. The Rule Base shows all the sub-rules for that rule.
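The way a rule's bandwidth is divided among its sub-rules can be made concrete with a small model. The following Python is an added example, not part of this guide or of Check Point's QoS implementation: it treats each rule as a (weight, guarantee, limit) triple, gives every sibling its guarantee first, shares what is left in proportion to weight without exceeding any rule's limit, and then applies the same split recursively to the sub-rules of each rule using only the parent's share. The policy values, the `Web` and `ABC_VPN_Mail` rule names and the Kbit/s capacity are constructed for the demonstration; the MAX_WEIGHT of 1000 is the default "Maximum weight of rule" from the QoS Global Properties.

```python
"""Weighted bandwidth allocation across QoS rules and their sub-rules.

Illustrative model (added example, not Check Point's scheduler): every rule first
receives its guarantee, the remaining capacity is shared among siblings in
proportion to their weights, and no rule exceeds its limit. A sub-rule only ever
shares what its parent rule received.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_WEIGHT = 1000  # default "Maximum weight of rule" from the QoS Global Properties


@dataclass
class Rule:
    name: str
    weight: int                          # relative share of spare capacity
    guarantee: float = 0.0               # bandwidth always reserved for this rule
    limit: float = float("inf")          # hard ceiling for this rule
    sub_rules: List["Rule"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.weight <= MAX_WEIGHT:
            raise ValueError(f"{self.name}: weight must be 1..{MAX_WEIGHT}")
        if self.guarantee > self.limit:
            raise ValueError(f"{self.name}: guarantee exceeds limit")


def allocate(rules: List[Rule], capacity: float) -> Dict[str, float]:
    """Split `capacity` among sibling rules: guarantees, then weights, capped at limits."""
    alloc = {r.name: r.guarantee for r in rules}
    remaining = capacity - sum(alloc.values())
    if remaining < 0:
        raise ValueError("guarantees exceed the available capacity")
    open_rules = [r for r in rules if alloc[r.name] < r.limit]
    while remaining > 1e-9 and open_rules:
        total_weight = sum(r.weight for r in open_rules)
        # Rules whose weighted share would exceed their limit are pinned at the
        # limit; the capacity they cannot use goes back into the pool for the rest.
        capped = [r for r in open_rules
                  if remaining * r.weight / total_weight >= r.limit - alloc[r.name]]
        if capped:
            for r in capped:
                alloc[r.name] = r.limit
            open_rules = [r for r in open_rules if r not in capped]
            remaining = capacity - sum(alloc.values())
        else:
            for r in open_rules:
                alloc[r.name] += remaining * r.weight / total_weight
            remaining = 0.0
    return alloc


def allocate_tree(rules: List[Rule], capacity: float) -> Dict[str, float]:
    """Allocate the top-level rules, then split each rule's share among its sub-rules."""
    result: Dict[str, float] = {}
    top = allocate(rules, capacity)
    for r in rules:
        result[r.name] = top[r.name]
        if r.sub_rules:
            result.update(allocate_tree(r.sub_rules, top[r.name]))
    return result


# Constructed policy (values in Kbit/s). Rule names follow the guide's ABC_VPN
# example; the weights, guarantees and limits are assumptions for the demonstration.
POLICY = [
    Rule("ABC_VPN", weight=30, guarantee=2000, sub_rules=[
        Rule("ABC_VPN_ERP", weight=20, guarantee=1000),
        Rule("ABC_VPN_Mail", weight=10, limit=1000),
        Rule("Default under ABC_VPN", weight=10),
    ]),
    Rule("Web", weight=20, limit=2500),
    Rule("Default", weight=10),
]

if __name__ == "__main__":
    for name, kbps in allocate_tree(POLICY, 10_000).items():
        print(f"{name:24s} {kbps:8.1f} Kbit/s")
```

With a 10,000 Kbit/s link, Web is pinned at its 2,500 limit and the freed share flows to ABC_VPN and Default; inside ABC_VPN the mail sub-rule is pinned at 1,000 and ERP picks up the difference. Note that the sub-rules never see more than the 6,125 Kbit/s their parent received.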

Working with Differentiated Services (DiffServ)

A DiffServ rule specifies not only a QoS Class, but also a weight, in the same way that other QoS Policy Rules do. These weights are enforced only on the interfaces on which the rule is installed.

Refer to Differentiated Services (DiffServ) for additional information on DiffServ.

To Implement DiffServ Marking

  1. Define one or more DiffServ Classes of Service using the QoS Classes window. You may also define a Class of Service Group.

    For more information, see To Define a DiffServ Class of Service.

  2. In the QoS tab of the Interface Properties window of every interface on which the DiffServ class will be implemented (see Specifying Interface QoS Properties), click Add under DiffServ and Low Latency classes to add a new class, or Edit to edit the properties of an existing class.
  3. In the Add QoS Class Properties window, select the QoS class and define the Inbound and Outbound parameters.
  4. Click OK. You can now add QoS Classes to the Rule Base.
  5. Right-click in the Name column of a rule and choose Add Class of Service, or choose Add QoS Class from the Rules menu.
  6. Specify whether the class should appear above or below the rule in the Rule Base.
  7. Choose the required Class of Service from the drop-down menu in the Add Class of Service window.
  8. Click OK. A DiffServ class header appears in the Rule Base.
  9. Add rules under the QoS Class you defined, by either:
    • Choosing Rules > Add Rule > Below from the menu, or
    • Right-clicking on the QoS Class and choosing Add Rule > Below from the menu

To Define a DiffServ Class of Service

  1. From the Manage menu select QoS>QoS Classes.

    The QoS Classes window opens.

  2. Click New to define a new DiffServ class and select DiffServ Class of Service to display the Class of Service Properties window.
  3. Enter the following details in the Class of Service Properties window:
    • Name: The name of the Class of Service.
    • Comment: The text to be displayed when this class is selected in the QoS Classes window
    • Color: Select a color from the list.
    • Type: Select a type from the list. You may choose a predefined or user defined class.
    • DiffServ code: This is a read-only field that displays the DiffServ marking as a bitmap.
  4. Click OK to create the new DiffServ Class of Service.

To Define a DiffServ Class of Service Group

  1. From the Manage menu select QoS > QoS Classes. The QoS Classes window displays.
  2. Click New to define a new DiffServ class and select DiffServ Class of Service Group to display the Group Properties window.
  3. Enter the following details in the Group Properties window:
    • Name: The name of the group.
    • Comment: The text to be displayed when this class is selected in the QoS Classes window.
    • Color: Select a color from the list.
    • To add a DiffServ class to the group, select the class in the list box labeled Not in Group, and click Add.
    • To delete a class from the group, select the class in the list box labeled In Group, and click Remove.
  4. Click View expanded group to display all members of the selected DiffServ group.
  5. Click OK to create the new DiffServ Class of Service Group.

To Add QoS Class Properties for Expedited Forwarding

  1. From the QoS tab of the Interface Properties window, click Add or Edit.
  2. From the menu that is displayed select either Low Latency Classes or DiffServ > Expedited Forwarding.

    The Add Low Latency QoS Class Properties window is displayed if you selected Low Latency Classes. If you selected DiffServ Expedited Forwarding, a similar window with the identical fields is displayed.

  3. Enter the required information as detailed below. You should define at least one inbound or outbound direction.
    • Class: Select a Low Latency class from the list of defined classes.
    • Inbound: Define the portion of the interface's inbound capacity to be reserved.
    • Constant Bit Rate: The constant bit rate at which packets of this class will be transmitted.
    • Maximal Delay: The maximum delay that will be tolerated for packets of this class. Those packets that exceed this delay are dropped.
    • Outbound: Define the portion of the interface's outbound capacity to be reserved by defining a Constant Bit Rate and a Maximum Delay as described above.
  4. Click OK. The new class is added.

To Add QoS Class Properties for Non Expedited Forwarding

  1. From the QoS tab of the Interface Properties window, click Add or Edit.
  2. From the menu that is displayed select DiffServ>Others. The Add DiffServ QoS class Properties window is displayed
  3. Enter the required information as detailed below. You should define at least one inbound or outbound direction.
    • Class: Select a DiffServ class from the list of defined classes.
    • Inbound: Define the portion of the interface's inbound capacity to be reserved.
    • Guaranteed bandwidth: The bandwidth guaranteed to be marked with the QoS Class.
    • Bandwidth Limit: The upper limit of the bandwidth to be marked with the QoS Class. Traffic in excess of the Bandwidth Limit is not marked. For example, if the interface's capacity is 256 Mbps and the Bandwidth Limit is 192 Mbps, traffic beyond 192 Mbps is not marked.
    • Outbound: Define the portion of the interface's outbound capacity to be marked by defining a Guaranteed Bandwidth and a Bandwidth Limit as described above.
  4. Click OK. The new class is added.
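To make the read-only DiffServ code field (To Define a DiffServ Class of Service) and the Bandwidth Limit behaviour just described concrete, here is an added Python example; it is not code from this guide or from Check Point. It computes the DSCP for the standard predefined classes, shows the six-bit bitmap and its position in the IP TOS byte, and models a marker that stops marking a class's traffic once its Bandwidth Limit for the current second is exhausted. The one-second accounting window and the `LimitedMarker` class are assumptions made for the illustration; the gateway's actual marking algorithm is not documented on this page.

```python
"""DiffServ code points and bandwidth-limited marking (added example).

Models the guide's DiffServ class definitions: the 6-bit DSCP shown in the
read-only "DiffServ code" field, its place in the IP TOS / Traffic Class byte,
and a marker that leaves traffic beyond the class's Bandwidth Limit unmarked.
The marker's one-second window is an assumption, not the gateway's algorithm.
"""


def dscp_value(class_name: str) -> int:
    """DSCP of the standard predefined classes (RFC 2474 CS, RFC 2597 AF, RFC 3246 EF)."""
    name = class_name.upper()
    if name in ("BE", "DEFAULT", "CS0"):
        return 0
    if name == "EF":
        return 0b101110                       # 46
    if name.startswith("CS") and len(name) == 3 and name[2] in "1234567":
        return int(name[2]) << 3              # CSx: x in the top three bits
    if name.startswith("AF") and len(name) == 4 and name[2:].isdigit():
        cls, drop = int(name[2]), int(name[3])
        if 1 <= cls <= 4 and 1 <= drop <= 3:
            return (cls << 3) | (drop << 1)   # AFxy = 8x + 2y
    raise ValueError(f"unknown DiffServ class {class_name!r}")


def dscp_bitmap(dscp: int) -> str:
    """The six-bit string the 'DiffServ code' field displays."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return format(dscp, "06b")


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the upper six bits of the IPv4 TOS (IPv6 Traffic Class) byte;
    the low two bits carry ECN and must be preserved when re-marking."""
    return (dscp << 2) | (ecn & 0b11)


def dscp_from_tos(tos: int) -> int:
    return (tos & 0xFF) >> 2


class LimitedMarker:
    """Mark one class's packets until `limit_bytes_per_sec` is used up in the
    current one-second window; further bytes in that window are forwarded with
    DSCP 0, which is what 'Traffic in excess of the Bandwidth Limit will not be
    marked' means. Assumed model for illustration."""

    def __init__(self, class_name: str, limit_bytes_per_sec: int) -> None:
        self.dscp = dscp_value(class_name)
        self.limit = limit_bytes_per_sec
        self._window = -1
        self._used = 0

    def mark(self, t: float, size: int, tos: int = 0) -> int:
        """Return the TOS byte to write on a packet of `size` bytes seen at time `t`."""
        window = int(t)
        if window != self._window:
            self._window, self._used = window, 0
        ecn = tos & 0b11
        if self._used + size <= self.limit:
            self._used += size
            return tos_byte(self.dscp, ecn)
        return tos_byte(0, ecn)


if __name__ == "__main__":
    for cls in ("EF", "AF41", "AF31", "CS5", "BE"):
        d = dscp_value(cls)
        print(f"{cls:5s} DSCP {d:2d}  code {dscp_bitmap(d)}  TOS 0x{tos_byte(d):02X}")
    # Constructed stream: 600-byte packets against a 1000 byte/s limit.
    m = LimitedMarker("AF31", 1000)
    for t, size in [(0.0, 600), (0.5, 600), (0.6, 400), (1.2, 600)]:
        print(f"t={t:.1f}s {size}B -> DSCP {dscp_from_tos(m.mark(t, size))}")
```

The TOS value for EF, 0xB8, is the number you will see in a packet capture of correctly marked voice traffic; the low two ECN bits are carried through untouched so re-marking does not corrupt congestion signalling.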

Working with Low Latency Classes

QoS Low Latency Queuing makes it possible to define special classes of service for "delay sensitive" applications like voice and video. Rules under these classes can be used together with other rules in the QoS Policy Rule Base. Low Latency classes require you to specify the maximal delay that is tolerated and a Constant Bit Rate. QoS then guarantees that traffic matching rules of this type are forwarded within the limits of the bounded delay.

For more detailed information, please see Low Latency Queuing.
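The bounded-delay guarantee of a Low Latency class can be checked with a short simulation. The following Python is an added example, not code from this guide or from Check Point: it serves packets at a Constant Bit Rate and drops any packet whose queueing delay would exceed the Maximal Delay, as the Expedited Forwarding class properties describe. The 200-byte, 20 ms voice stream and the CBR and delay values are constructed inputs chosen to show one configuration that meets the bound and one that does not.

```python
"""Model of a Low Latency (Expedited Forwarding) class: constant bit rate service
with a bound on queueing delay. Added example; not the gateway's implementation."""
from typing import List, Optional, Tuple

Packet = Tuple[float, int]  # (arrival time in seconds, size in bytes)


class LowLatencyQueue:
    """FIFO queue drained at `cbr_bps`. A packet that could not finish transmission
    within `max_delay_s` of its arrival is dropped rather than queued further."""

    def __init__(self, cbr_bps: float, max_delay_s: float) -> None:
        self.bytes_per_s = cbr_bps / 8.0
        self.max_delay = max_delay_s
        self.next_free = 0.0                               # reserved rate free again at
        self.forwarded: List[Tuple[float, float]] = []     # (arrival, departure)
        self.dropped: List[Packet] = []

    def offer(self, arrival: float, size: int) -> Optional[float]:
        """Offer one packet (packets must be offered in arrival order).
        Returns the delay if forwarded, None if dropped."""
        start = max(arrival, self.next_free)
        finish = start + size / self.bytes_per_s
        if finish - arrival > self.max_delay:
            self.dropped.append((arrival, size))
            return None
        self.next_free = finish
        self.forwarded.append((arrival, finish))
        return finish - arrival


def simulate(cbr_bps: float, max_delay_s: float, packets: List[Packet]):
    """Run a stream through the class; return (forwarded, dropped, worst delay seen)."""
    q = LowLatencyQueue(cbr_bps, max_delay_s)
    for arrival, size in packets:
        q.offer(arrival, size)
    worst = max((dep - arr for arr, dep in q.forwarded), default=0.0)
    return len(q.forwarded), len(q.dropped), worst


def voice_stream(n: int, interval_s: float = 0.02, size: int = 200) -> List[Packet]:
    """Constructed G.711-style stream: 200-byte packets every 20 ms, about 80 kbit/s."""
    return [(i * interval_s, size) for i in range(n)]


if __name__ == "__main__":
    for cbr in (64_000, 96_000):
        fwd, drop, worst = simulate(cbr, 0.033, voice_stream(30))
        print(f"CBR {cbr // 1000} kbit/s: forwarded {fwd}, dropped {drop}, "
              f"worst delay {worst * 1000:.1f} ms")
```

With the CBR set below the stream's rate (64 kbit/s against an 80 kbit/s stream) the backlog grows by 5 ms per packet until the 33 ms bound is hit, and from then on every third packet is dropped; the class keeps its delay bound, but at the cost of loss. With a CBR above the stream's rate no packet waits for a predecessor and the delay stays at the serialization time, which is the sizing you want for voice.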

To Implement Low Latency Queuing

Having defined one or more Low Latency Classes of Service, you can implement Low Latency Queuing as follows:

  1. In the QoS tab of the Interface Properties window of all interfaces on which Low Latency classes are implemented (see Specifying Interface QoS Properties), click Add under DiffServ and Low Latency classes to add a new class, or Edit to edit the properties of an existing class.
  2. In the Add QoS Class Properties window, select the Low Latency class and define the Inbound and Outbound parameters (see To Add QoS Class Properties for Expedited Forwarding).
  3. Click OK. You can now add Low Latency Classes to the QoS Policy Rule Base.
  4. Right-click in the Name column of a rule and choose Add Class of Service, or choose Add QoS Class from the Rules menu.
  5. Specify whether the class should appear above or below the rule in the Rule Base.

    Note - The order of the classes in the Rule Base must be DiffServ, followed by Low Latency, and then Best Effort. You will not be able to add a Low Latency class to the Rule Base above any DiffServ classes you may have.

  6. Choose the required Class of Service from the drop-down menu in the Add Class of Service window.
  7. Click OK. A class header appears in the Rule Base.
  8. Add rules under the QoS Class you defined, by either:
    • Choosing Rules > Add Rule > Below from the menu, or
    • Right-clicking on the QoS Class and choosing Add Rule > Below from the menu.

To Define Low Latency Classes of Service

Before a Low Latency class can be implemented on an interface and used in the QoS Rule Base, it must be defined.

  1. From the Manage menu select QoS > QoS Classes. The QoS Classes window is displayed.
  2. Click New and select Low Latency Class of Service. The Class of Service Properties window is displayed.
  3. Fill in the class properties as described in To Define Class of Service Properties for Low Latency Queuing.

To Define Class of Service Properties for Low Latency Queuing

  1. From the Manage menu select QoS > QoS Classes. The QoS Classes window is displayed.
  2. Click New and select Low Latency Class of Service to display the Class of Service Properties window.
  3. Enter the following details:
    • Name: The name of the Class of Service.
    • Comment: Enter the text to be displayed when this class is selected in the QoS Classes window.
    • Color: Select a color from the list.
    • Class Priority: Select one of the five priority types from the list (Class 1 being the highest priority).
  4. Click OK. The new Low Latency Class of Service is saved.

Working with Authenticated QoS

Authenticated QoS provides Quality of Service (QoS) for end-users in dynamic IP environments, such as remote access and DHCP environments. This enables priority users, such as corporate CEOs, to receive priority service when remotely connecting to corporate resources.

For more detailed information, please see Authenticated QoS.

To Use Authenticated QoS

In order to apply Authenticated QoS in a rule, follow these steps:

  1. Make sure that the UAS package is installed on the gateway that performs Authenticated QoS.
  2. Make sure that the User Authority Server, under Check Point Products Installed, is checked on the Security Gateway upon which you are installing the policy.
  3. Create a group in Manage > Users > New > Group in the menu. The Group Properties window is displayed.
  4. Include all the user(s) to whom you want to give priority by selecting the user and clicking Add.
  5. To remove a user from the group, select the user and click Remove.
  6. Make a rule and in the Source column, right-click and select Add object > Add legacy user access.

    For example, if the CEO of your company is in a remote location and wants to access email without waiting too long, create a rule as follows:

A Rule that Allows Access to email from a Remote Location

  Rule Name | Source       | Destination | Service | Action
  CEO       | CEO@localnet | Any         | Pop-3   | Weight 10, Guarantee 50,000 Bps

Note - To minimize the resources taken up by Authenticated QoS, it is recommended that Authenticated QoS rules refer to specific services, and unless absolutely necessary, you should not include Any in the Service field.

  7. Install the policy.

    Note - The user must be authenticated in the UAS in order for the QoS policy to be enforced.

Policy-wide properties for Authenticated QoS can be defined in the QoS page of the Global Properties window. For more information, see Defining QoS Global Properties.

Managing QoS for Citrix ICA Applications

In order to deliver a QoS solution for the Citrix ICA protocol, complete the following procedures:

  1. Disable session sharing in the Citrix Program Neighborhood.
  2. Modify your Security Policy to allow the Citrix_ICA and Citrix_ICA_Browsing services.

    Note - The Any service does not include the Citrix ICA service.

  3. Discover the Citrix application names, as defined by the Citrix Administrator, by turning on the application detection check box, installing the Security and QoS Policies, and reading the detected application names from SmartView Tracker.
  4. Define new Citrix TCP services with the application names you have detected.
  5. Add the appropriate Citrix TCP services to rules in your QoS Policy.
  6. Install the QoS Policy.

Disabling Session Sharing

Citrix enables session sharing by default. In this mode, traffic from all the applications used by a specific client share the same TCP connection. In order for QoS to prioritize different Citrix ICA applications from the same client, you must disable session sharing. This means that every application uses a separate TCP connection (all going to the same server port, 1494, from different source ports).

You should contact the Citrix Administrator to configure the correct mode.

To Disable Session Sharing:

  1. Double-click the Citrix Program Neighborhood icon placed on the desktop by the Citrix install program.
  2. Click the Settings icon or, from the File menu, select Application Set Settings.
  3. Select the Default Options tab.
  4. From the Window Size list, select something other than Seamless Window.

Modifying your Security Policy

You must modify your Security Policy to enable the new Citrix_ICA TCP and Citrix_ICA_Browsing UDP services. The Citrix_ICA service initializes the stateful inspection of the Citrix ICA protocol. The Citrix_ICA service is not included in the Any service of the Security Policy and must therefore be enabled in one of the following ways:

  • In the Security tab, add a rule to your Security Policy with the Citrix_ICA TCP service, and similarly a rule for the Citrix_ICA_Browsing service. Alternatively, you can simply add the Citrix_metaFrame group, which incorporates both the Citrix_ICA TCP and Citrix_ICA_Browsing UDP services.

OR

  1. Expand the TCP branch of the Services Tree. Double-click on the Citrix_ICA service. The TCP Service Properties - Citrix_ICA window is displayed.
  2. Click Advanced. The Advanced TCP Service Properties window is displayed.
  3. Check Match for Any to turn on the Citrix ICA protocol inspection without having to add a specific rule for the Citrix_ICA service (if the Any service is allowed).

Discovering Citrix ICA Application Names

In order to discover the Citrix ICA application name, as defined by the Citrix Administrator, use QoS to snoop the wire and send logs (of type alert) to the SmartView Tracker, recording the Citrix ICA application name. The Citrix ICA application detection is turned off by default.

Note - An application name is logged (as an alert) at most once every 24 hours.

Advanced: To reset the application detection cache, so that a Citrix ICA application seen on the wire is logged again even if it was logged in the past 24 hours, run the following command on the gateway (it flushes the fg_new_citrix_app kernel table):

fw tab -t fg_new_citrix_app -x

To Enable Citrix ICA Application Name Logging:

  1. Double-click on the gateway in the Network Objects Tree. The Check Point Gateway - General Properties window is displayed.
  2. Choose Logs and Masters > Additional Logging in the tree on the left side of the Check Point Gateway - General Properties window. The Additional Logging Configuration window is displayed.
  3. Check Detect new Citrix ICA application names to enable QoS to log the Citrix application names.
  4. Click OK. Citrix ICA application name detection is enabled.
  5. Create a Security Policy with a valid rule that uses the Citrix_ICA service.
  6. Install the QoS and Security policies on the QoS gateway and let it run for a period of time. See Installing a QoS Policy.

    Note - The QoS policy content is irrelevant to the application detection feature.

  7. View the QoS log entries using SmartView Tracker (the entries are of Type Alert and contain the Citrix ICA application names). Once you have the application names you can turn off the application detection, as well as define new Citrix TCP services to use in a QoS policy.

    Note - The Citrix_ICA TCP service must be enabled in the Security Policy for application detection to work.

To Disable Citrix ICA Application Name Logging:

  1. Double-click on the gateway in the Network Objects Tree. The Check Point Gateway - General Properties window is displayed.
  2. Choose Logs and Masters > Additional Logging in the tree on the left side of the Check Point Gateway - General Properties window. The Additional Logging Configuration window is displayed.
  3. Uncheck Detect new Citrix ICA application names so that QoS will not log the Citrix application names.
  4. Click OK. Citrix ICA application name detection is disabled.
  5. Install the QoS Policy.

Defining a New Citrix TCP Service

Citrix TCP is a service type available in SmartDashboard for this purpose.

To Define a New Citrix TCP Service

  1. Right-click on the Citrix TCP branch of the Services Tree, and select New Citrix TCP. The Citrix Service Properties window is displayed.
  2. Enter the following details in the Citrix Service Properties window, as shown in the example below:
    • Name: The name of the new service.
    • Comment: A comment describing the new service.
    • Color: Select a color from the list.
    • Application: The exact name of the Citrix application, as detected in SmartView Tracker. The name is case insensitive.

  3. Click OK to create the new Citrix TCP service.

Adding a Citrix TCP Service to a Rule (Traditional Mode Only)

Once you have created a new Citrix TCP service, you can add the service to a rule in your QoS Policy, in the usual manner. See Editing QoS Rule Bases.

Installing the Security and QoS Policies

Once you have created the appropriate Security and QoS Policies these must be installed.

Managing QoS for Citrix Printing

Printing generates relatively large quantities of data, causing the TCP connection to consume excessive quantities of bandwidth. Clearly, from a QoS perspective this type of connection should be identified and the bandwidth made available to these connections should be limited.

There are three primary methods of printing in the MetaFrame environment, IP Network printing, MetaFrame Auto-Creation of printers and local MetaFrame printing.

QoS provides a solution for printing traffic using the MetaFrame Auto-Creation of printers printing method, by classifying each ICA connection as either a printing or a non-printing connection.

A connection that is classified as printing is assigned to a Citrix printing rule. This rule can be configured to limit printing traffic and thus avoid excessive consumption of bandwidth. A connection that is classified as non-printing is assigned to a rule according to the regular matching method.

Classification of the connection is dynamic and is based on examining the ICA priority bits of each packet. An ICA connection is therefore matched dynamically to one of two different rules depending on the type of data passing through the connection at any point in time.

It is recommended that you limit printing bandwidth to 25 Kbps per connection. A single non-printing Citrix ICA session uses roughly 25 Kbps on average, whereas printing often adds about 150 Kbps per session; capping printing connections at the non-printing average preserves bandwidth for other traffic.

Configuring a Citrix Printing Rule (Traditional Mode Only)

Define a printing rule to which all ICA connections that are in a printing state are assigned.

To Configure a Citrix Printing Rule

  1. Position your cursor in the Name field of the QoS tab, at the position where you want to add a new rule.
  2. Right-click and select one of the Add Rule options. The Rule Name window is displayed.
  3. Enter the rule name in the Rule Name field.
  4. Click OK to save the rule name.
  5. Right-click in the Service column and select Add. The Add Object window is displayed, listing the services defined in the Security Policy and the QoS Policy.
  6. Select the predefined Citrix_ICA_printing service and click OK. The service is added to the rule.
  7. Right-click in the Action column and select Edit Properties. The QoS Action Properties window is displayed.
  8. Select Advanced in the Action Type area.
  9. Select Per connection limit in the Limit area.
  10. Enter a per connection limit of 25 Kbps in the Per connection limit field (recommended).
  11. Click OK.

Viewing QoS Gateway Status

Display QoS Gateways Controlled by SmartConsole

Use the SmartView Monitor. For information about the Check Point SmartView Monitor, see the R76 SmartView Monitor Administration Guide.

Configuring QoS Topology

When the MetaFrame Auto-Creation of printers printing method is used, the Citrix printing traffic passes from the Citrix Server to the Citrix Client. To enforce QoS on this traffic, QoS must be enabled on the Gateway interface and direction through which that traffic passes (inbound on the interface facing the Citrix Server, or outbound on the interface facing the Citrix Client); that is, FloodGate-1 must be able to "see" the traffic passing from the Citrix Server to the Citrix Client.

Enabling Log Collection

In order for a connection to be logged, the QoS logging flag must be turned on and the connection's matching rule must be marked with either Log or Account in the Track field of the rule. For further information on how QoS's logging features work, see Overview of Logging.

To Turn on QoS Logging

A QoS gateway writes QoS log entries only if Turn on QoS Logging is checked in the Additional Logging page (under Logs and Masters) of the QoS gateway's Properties window. By default, QoS Logging is turned on.

To Confirm that the Rule is Marked for Logging

  1. Select the rule whose connection will be logged.
  2. Confirm that either Log or Account appear in the Track field.

    See To Modify Tracking for a Rule.

To Start SmartView Tracker

To start SmartView Tracker, double-click on the SmartView Tracker icon, or choose SmartView Tracker from the Window menu in the SmartDashboard window.

It is now possible to view log data according to:

  • Rule Name
  • Rules using DiffServ
  • Control type (QoS Policy install and uninstall logs)
 
©2013 Check Point Software Technologies Ltd. All rights reserved.