Introduction to QoS
Check Point's QoS Solution
QoS, a policy-based QoS management solution from Check Point Software Technologies Ltd., satisfies your needs for a bandwidth management solution. QoS is a unique, software-only application that manages traffic end-to-end across networks by distributing enforcement throughout network hardware and software.
QoS enables you to prioritize business-critical traffic, such as ERP, database and Web services traffic, over less time-critical traffic. QoS allows you to guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing. With highly granular controls, QoS also enables guaranteed or priority access to specific employees, even if they are remotely accessing network resources through a VPN tunnel.
QoS is deployed with the Security Gateway. These integrated solutions provide QoS for both VPN and unencrypted traffic to maximize the benefit of a secure, reliable, low-cost VPN network.
QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check Point-patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic. This state information is used to classify traffic by service or application. After a packet has been classified, QoS applies the QoS Policy to the packet by means of an innovative, hierarchical Weighted Fair Queuing (WFQ) algorithm that precisely controls bandwidth allocation.
Features and Benefits
QoS provides the following features and benefits:
- Flexible QoS policies with weights, limits and guarantees: QoS enables you to develop basic policies specific to your requirements. These basic policies can be modified at any time to incorporate any of the Advanced QoS features described in this section.
- Integration with the Security Gateway: Optimize network performance for VPN and unencrypted traffic: The integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration.
- Performance analysis through SmartView Tracker: monitor the performance of your system by means of log entries recorded in SmartView Tracker.
- Integrated DiffServ support: add one or more Diffserv Classes of Service to the QoS Policy Rule Base.
- Integrated Low Latency Queuing: define special classes of service for "delay sensitive" applications like voice and video to the QoS Policy Rule Base.
- Integrated Authenticated QoS: provide QoS for end‑users in dynamic IP environments, such as remote access and DHCP environments.
- Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA protocol.
- No need to deploy separate VPN, Firewall and QoS devices: QoS and Firewall share a similar architecture and many core technology components, therefore users can utilize the same user-defined network objects in both solutions.
- Proactive management of network costs: QoS's monitoring systems enable you to be proactive in managing your network and thus controlling network costs.
- Support for end-to-end QoS for IP networks: QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.
Traditional QoS vs. QoS Express
The Traditional and Express QoS modes are included in each product installation. The Express mode lets you define basic policies quickly and easily to "get up and running". The Traditional mode incorporates the advanced QoS features. You can specify Traditional or Express each time you install a new policy.
The following table compares the features of the Traditional and Express modes of QoS.
The following workflow shows both the basic and advanced steps that System Administrators follow for installation, setup and operation.
1. Verify that QoS is installed on the Security Gateway.
2. Start SmartDashboard. See Starting SmartDashboard.
3. Define Global Properties. See Defining QoS Global Properties.
4. Define the gateway network objects.
5. Set up the basic rules and sub-rules governing the allocation of QoS flows on the network. See Editing QoS Rule Bases. After the basic rules have been defined, you may modify these rules to add any of the more advanced features described in step 8.
6. Implement the Rule Base. See Implementing the Rule Base.
7. Enable log collection and monitor the system. See Enabling Log Collection.
8. Modify rules defined in step 4 by adding any of the following features:
QoS's Innovative Technology
QoS is a bandwidth management solution for Internet and Intranet gateways that enables network administrators to set bandwidth policies to solve or alleviate network problems like the bandwidth congestion at network access points. The overall mix of traffic is dynamically controlled by managing bandwidth usage for entire classes of traffic, as well as individual connections. QoS controls both inbound and outbound traffic flows.
Network traffic can be classified by Internet service, source or destination IP address, Internet resource (for example, specific URL designators), user or traffic direction (inbound or outbound). A QoS Policy consists of rules that specify the weights, limits and guarantees that are applied to the different classifications of traffic.
A rule can have multiple sub-rules, enabling an administrator to define highly granular Bandwidth Policies.
QoS provides its real benefits when the network lines become congested. Instead of allowing all traffic to flow arbitrarily, QoS ensures that important traffic takes precedence over less important traffic so that the enterprise can continue to function with minimum disruption, despite network congestion. QoS ensures that an enterprise can make the most efficient use of a congested network.
QoS is completely transparent to both users and applications.
QoS implements four innovative technologies:
- Stateful Inspection: QoS incorporates Check Point's patented Stateful Inspection technology to derive complete state and context information for all network traffic.
- Intelligent Queuing Engine: The traffic information derived by the Stateful Inspection technology is used by the QoS Intelligent Queuing Engine (IQ Engine™) to accurately classify traffic and place it in the proper transmission queue. The network traffic is then scheduled for transmission based on the QoS Policy. The IQ Engine includes an enhanced, hierarchical Weighted Fair Queuing (WFQ) algorithm to precisely control the allocation of available bandwidth and ensure efficient line utilization.
- WFRED (Weighted Flow Random Early Drop): QoS makes use of WFRED, a mechanism for managing packet buffers that is transparent to the user and requires no pre-configuration.
- RDED (Retransmission Detection Early Drop): QoS makes use of RDED, a mechanism for reducing the number of retransmits and retransmit storms. This Check Point mechanism drastically reduces retransmit counts, greatly improving the efficiency of the enterprise's existing lines. The increased bandwidth that QoS makes available to important applications comes at the expense of less important (or completely unimportant) applications. As a result, purchasing more bandwidth can be significantly delayed.
QoS contains four innovative technologies, which are discussed in this section.
Stateful Inspection
Employing Stateful Inspection technology, QoS accesses and analyzes data derived from all communication layers. This state and context data is stored and updated dynamically, providing virtual session information for tracking both connection‑oriented and connectionless protocols (for example, UDP‑based applications). Cumulative data from the communication and application states, network configuration and bandwidth allocation rules are used to classify communications.
Stateful Inspection enables QoS to parse URLs and set priority levels based on file types. For example, QoS can identify HTTP file downloads with *.exe or *.zip extensions and allocate bandwidth accordingly.
Intelligent Queuing Engine
QoS uses an enhanced WFQ algorithm to manage bandwidth allocation. A QoS packet scheduler moves packets through a dynamically changing scheduling tree at different rates in accordance with the QoS Policy. High priority packets move through the scheduling tree more quickly than low priority packets.
QoS leverages TCP's throttling mechanism to automatically adjust bandwidth consumption for individual connections or classes of traffic. Traffic bursts are delayed and smoothed by the QoS packet scheduler, which holds back the traffic and forces the application to fit its traffic to the QoS Policy. By intelligently delaying traffic, the IQ Engine effectively controls the bandwidth of all IP traffic.
The preemptive IQ Engine responds immediately to changing traffic conditions and guarantees that high priority traffic always takes precedence over low priority traffic. Accurate bandwidth allocation is achieved even when there are large differences in the weighted priorities (for example 50:1). In addition, since packets are always available for immediate transmission, the IQ Engine provides precise bandwidth control for both inbound and outbound traffic, and ensures 100% bandwidth utilization during periods of congestion. In Traditional mode it also uses per-connection queuing to ensure that every connection receives its fair share of bandwidth.
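The following is an added illustration of how a hierarchical weighted-fair allocation with weights, limits and guarantees divides a congested line; it is not Check Point's IQ Engine code, and the rule names, the 1000 kbit/s line and the water-filling order (guarantees first, then spare bandwidth by weight, with limits as caps) are assumptions made for the example. Sub-rules are modelled as children of a rule and receive their share by the same procedure applied to the parent's allocation.

```python
from dataclasses import dataclass, field
from math import inf


@dataclass
class TrafficClass:
    """One rule (or sub-rule) of a bandwidth policy. Rates are in kbit/s."""
    name: str
    weight: int                  # relative share of bandwidth left after guarantees
    demand: float = 0.0          # offered load of a leaf rule
    guarantee: float = 0.0       # minimum rate the rule receives under congestion
    limit: float = inf           # hard cap on the rate the rule may receive
    children: list = field(default_factory=list)   # sub-rules (hypothetical nesting)


def effective_demand(c: TrafficClass) -> float:
    """A parent rule's demand is the sum of its sub-rules' demand."""
    return sum(effective_demand(k) for k in c.children) if c.children else c.demand


def allocate(capacity: float, classes: list) -> dict:
    """Divide `capacity` among sibling rules and, recursively, their sub-rules.

    1. Every rule first receives min(demand, guarantee).
    2. The remainder is shared by weight (water-filling): a rule that reaches
       its demand or its limit drops out and its unused share is redistributed.
    Returns a flat {rule name: rate} dictionary covering every level.
    """
    need = {c.name: min(effective_demand(c), c.limit) for c in classes}
    rate = {c.name: min(need[c.name], c.guarantee) for c in classes}
    spare = capacity - sum(rate.values())
    if spare < 0:
        raise ValueError("guarantees exceed the available bandwidth")

    active = [c for c in classes if need[c.name] - rate[c.name] > 1e-9]
    while spare > 1e-9 and active:
        total_weight = sum(c.weight for c in active)
        still_active, handed_out = [], 0.0
        for c in active:
            share = spare * c.weight / total_weight
            room = need[c.name] - rate[c.name]
            grant = min(share, room)
            rate[c.name] += grant
            handed_out += grant
            if room - grant > 1e-9:      # still wants more: stays in the next round
                still_active.append(c)
        spare -= handed_out
        active = still_active

    result = {}
    for c in classes:
        result[c.name] = rate[c.name]
        if c.children:                   # subdivide the parent's rate among sub-rules
            result.update(allocate(rate[c.name], c.children))
    return result


def example_policy() -> list:
    """Constructed policy for a 1000 kbit/s line (not a Check Point sample)."""
    return [
        TrafficClass("VoIP", weight=1, demand=100, guarantee=100),
        TrafficClass("Corporate", weight=3, children=[
            TrafficClass("Database", weight=2, demand=400),
            TrafficClass("ERP", weight=1, demand=400),
        ]),
        TrafficClass("Web", weight=1, demand=900, limit=300),
    ]


if __name__ == "__main__":
    for name, kbps in allocate(1000, example_policy()).items():
        print(f"{name:<10} {kbps:8.1f} kbit/s")
```

With the constructed policy, VoIP keeps its 100 kbit/s guarantee, Web is capped at the 300 kbit/s limit only if its weighted share would exceed it, and the Corporate rule's share is split again between its Database and ERP sub-rules by their own weights; a 50:1 weight pair on an otherwise idle line splits it 50/51 to 1/51, which is the large-ratio case the text mentions.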
WFRED (Weighted Flow Random Early Drop)
WFRED is a mechanism for managing the packet buffers of QoS. WFRED does not need any preconfiguring. It adjusts automatically and dynamically to the situation and is transparent to the user.
Because the connection of a LAN to the WAN creates a bottleneck, packets that arrive from the LAN are queued before being transmitted onto the WAN. When traffic in the LAN is very intense, queues may become full and packets may be dropped arbitrarily. Dropped packets may reduce the throughput of TCP connections and the quality of streaming media.
WFRED prevents QoS buffers from being filled by sensing when traffic becomes intense and dropping packets selectively. The mechanism considers every connection separately, and drops packets according to the connection characteristics and overall state of the buffer.
Unlike mechanisms such as RED/WRED, which rely on the TOS byte in the IP header (which is seldom used), WFRED queries QoS as to the priority of the connection, and then uses this information. WFRED protects "fragile" connections from more "aggressive" ones, whether they are TCP or UDP, and always leaves some buffer space for new connections to open.
RDED (Retransmit Detect Early Drop)
TCP exhibits extreme inefficiency under certain bandwidth and latency conditions. For example, the bottleneck that results from the connection of a LAN to the WAN causes TCP to retransmit packets. RDED prevents inefficiencies by detecting retransmits in TCP streams and preventing the transmission of redundant packets when multiple copies of a packet are concurrently queued on the same flow. The result is a dramatic reduction of retransmit counts and positive feedback retransmit loops. Implementing RDED requires the combination of intelligent queuing and full reconstruction of TCP streams, capabilities that exist together only in QoS.
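The following is an added model of the two buffer-management ideas described in the WFRED and RDED sections above; it is not Check Point's implementation, whose internals are proprietary. The linear drop curve, the 10-level priority scale, the number of slots reserved for new connections and the sample flows are all assumptions made for the example. Early drop is weighted by the priority the flow's rule assigned (rather than by the IP TOS byte), a few slots are always kept free for new connections, and a TCP segment whose copy is still queued on the same flow is discarded as a redundant retransmit.

```python
import random
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    flow: tuple       # (src, dst, sport, dport); constructed values in the demo
    seq: int          # TCP sequence number; 0 for non-TCP traffic
    priority: int     # 1 (low) .. 10 (high): priority of the rule the flow matched


def drop_probability(occupancy: float, priority: int, min_th: float = 0.5) -> float:
    """Weighted early-drop probability (assumed curve): zero until the buffer is
    min_th full, then rising linearly with occupancy and scaled down by priority,
    so a priority-10 flow is never early-dropped and a priority-1 flow is hit hardest."""
    if occupancy <= min_th:
        return 0.0
    congestion = (occupancy - min_th) / (1.0 - min_th)
    return congestion * (1.0 - priority / 10.0)


class QosBuffer:
    def __init__(self, capacity: int, reserve_for_new: int = 2,
                 min_th: float = 0.5, seed: int = 0):
        self.capacity = capacity
        self.reserve = reserve_for_new    # slots kept free so new connections can open
        self.min_th = min_th
        self.queue = deque()
        self.rng = random.Random(seed)
        self.stats = {"accepted": 0, "rded_drop": 0, "wfred_drop": 0, "tail_drop": 0}

    def enqueue(self, pkt: Packet) -> bool:
        # RDED: a copy of this TCP segment is already waiting on the same flow.
        # The queued copy will be delivered, so the retransmit is redundant.
        if pkt.seq and any(q.flow == pkt.flow and q.seq == pkt.seq for q in self.queue):
            self.stats["rded_drop"] += 1
            return False
        free = self.capacity - len(self.queue)
        if free == 0:
            self.stats["tail_drop"] += 1
            return False
        # WFRED rule 1: an established flow may not use the slots reserved for new flows.
        is_new_flow = all(q.flow != pkt.flow for q in self.queue)
        if not is_new_flow and free <= self.reserve:
            self.stats["wfred_drop"] += 1
            return False
        # WFRED rule 2: probabilistic early drop, weighted by the flow's priority.
        occupancy = len(self.queue) / self.capacity
        if self.rng.random() < drop_probability(occupancy, pkt.priority, self.min_th):
            self.stats["wfred_drop"] += 1
            return False
        self.queue.append(pkt)
        self.stats["accepted"] += 1
        return True

    def dequeue(self):
        return self.queue.popleft() if self.queue else None


def simulate_burst(capacity: int = 16) -> dict:
    """Constructed burst: a low-priority bulk TCP flow retransmits its first five
    segments while they are still queued, interleaved with a high-priority VoIP
    (UDP) flow. Nothing is dequeued during the burst, so the line stays congested."""
    bulk = ("10.0.0.5", "192.0.2.20", 51000, 443)
    voip = ("10.0.0.7", "192.0.2.30", 16384, 16384)
    buf = QosBuffer(capacity)
    for seq in range(1, 6):                       # originals, accepted into an empty buffer
        buf.enqueue(Packet(bulk, seq, priority=1))
    for seq in range(1, 6):                       # retransmits of segments still queued
        buf.enqueue(Packet(bulk, seq, priority=1))
    for seq in range(6, 36):                      # 30 more bulk segments, 10 VoIP packets
        buf.enqueue(Packet(bulk, seq, priority=1))
        if seq % 3 == 0:
            buf.enqueue(Packet(voip, 0, priority=10))
    return buf.stats


if __name__ == "__main__":
    print(simulate_burst())
```

Running `simulate_burst()` shows the five retransmits counted under `rded_drop` without ever occupying a buffer slot, while the early drops under congestion fall on the priority-1 bulk flow and the priority-10 VoIP flow is only refused when the reserved slots or the whole buffer are exhausted.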
The architecture and flow control of QoS are similar to those of the Firewall.
QoS has three components:
- Security Management Server
The components can be installed on one machine or in a distributed configuration on a number of machines.
The bandwidth policy is created using SmartDashboard. The policy is downloaded to the Security Management Server, where it is verified, and then downloaded to the QoS Gateways using CPD (Check Point Daemon), which runs on the gateway and on the Security Management Server. The QoS gateway uses the Firewall chaining mechanism (see below) to receive, process and send packets. QoS uses a proprietary classifying and rule-matching infrastructure to examine a packet. Logging information is provided using the Firewall kernel API.
The major role of the QoS gateway is to implement a QoS policy at network access points and control the flow of inbound and outbound traffic. It includes two main parts:
- QoS kernel driver
- QoS daemon
QoS Kernel Driver
The kernel driver is the heart of QoS operations. It is in the kernel driver that IP packets are examined, queued, scheduled and released, enabling QoS traffic control abilities. Utilizing Firewall kernel services, QoS functionality is a part of the cookie chain, a Check Point infrastructure mechanism that allows gateways to operate on each packet as it travels from the link layer (the machine network card driver) to the network layer (its IP stack), or vice versa.
QoS Daemon (fgd50)
The QoS daemon is a user mode process used to perform tasks that are difficult for the kernel. It currently performs two tasks for the kernel (using Traps):
- Resolving DNS for the kernel (used for Rule Base matching).
- Resolving Authenticated Data for an IP (using UserAuthority - again for Rule Base matching).
- In a CPLS configuration, the daemon notifies the kernel of any change in the cluster status. For example, if a cluster member goes down, the daemon recalculates the relative loads of the gateways and updates the kernel.
The QoS SmartConsole is an add-on to the Security Management Server. The Security Management Server, which is controlled by SmartConsole clients, provides general services to QoS and is capable of issuing QoS functions by running QoS command line utilities. It is used to configure the bandwidth policy and control QoS gateways. A single Security Management Server can control multiple QoS gateways running either on the same machine as the Security Management Server or on remote machines. The Security Management Server also manages the Log Repository and acts as a log server for the SmartView Tracker. The Security Management Server is a user mode process that communicates with the gateway using CPD.
The main SmartConsole application is SmartDashboard. By creating "bandwidth rules" in SmartDashboard, system administrators define the network QoS policy to be enforced by QoS.
Other SmartConsole clients are SmartView Tracker, a log entry browser, and SmartView Status, which displays status information about active QoS gateways and their policies.
QoS in SmartDashboard
SmartDashboard is used to create and modify the QoS Policy and define the network objects and services. If both VPN and QoS are licensed, they each have a tab in SmartDashboard.
The QoS Policy rules are shown in the QoS Rule Base.
The Security Management Server and the QoS Gateway can be installed on the same machine or on two different machines. When they are installed on different machines, the configuration is known as distributed:
The above figure shows a distributed configuration, in which one Security Management Server (consisting of a Security Management Server and a SmartConsole) controls four QoS Gateways, which in turn manage bandwidth allocation on three QoS enabled lines.
A single Security Management Server can control and monitor multiple QoS Gateways. The QoS Gateway operates independently of the Security Management Server. QoS Gateways can operate on additional Internet gateways and interdepartmental gateways.
SmartConsole and the Security Management Server can be installed on the same machine or on two different machines. When they are installed on two different machines, QoS implements the Client/Server model, in which a SmartConsole controls a Security Management Server running on another workstation.
In the configuration depicted in the above figure, the functionality of the Security Management Server is divided between two workstations (Tower and Bridge). The Security Management Server, including the database, is on Tower. The SmartConsole is on Bridge.
The user, working on Bridge, maintains the QoS Policy and database, which reside on Tower. The QoS Gateway on London enforces the QoS Policy on the QoS enabled line.
The Security Management Server is started with the cpstart command, and must be running if you wish to use the SmartConsole on one of the client machines.
A SmartConsole can manage the Server (that is, run the SmartConsole to communicate with a Security Management Server) only if both the administrator running the SmartConsole and the machine on which the SmartConsole is running have been authorized to access the Security Management Server.
In practice, this means that the following conditions must be met:
To prevent more than one administrator from modifying a QoS Policy at the same time, QoS implements a locking mechanism. All but one of the open policies are 'Read Only'.
Interaction with VPN
QoS is installed on the Security Gateway. Because QoS and the Firewall share a similar architecture and many core technology components, users can use the same user-defined network objects in both solutions. This integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration. Both products can also share state table information, which provides efficient traffic inspection and enhanced product performance. QoS, with its tight integration with the Firewall, gives users who deploy the solutions in tandem the unique ability to define bandwidth allocation rules for encrypted and network-address-translated traffic.
Security Management Server
QoS uses the Security Management Server and shares the objects database (network objects, services and resources) with the Firewall. Some types of objects have properties which are product specific. For example, the Firewall has encryption properties which are not relevant to QoS, and a QoS network interface has speed properties which are not relevant to the Firewall.