Basic Policy Management

In This Section:

Overview

Rule Base Management

Implementing the Rule Base

This section covers basic policy management.

Overview

This chapter describes the basic QoS Policy management that is required to enable you to define and implement a working QoS Rule Base. More advanced QoS Policy management features are discussed in Advanced QoS Policy Management.

Rule Base Management

SmartDashboard Toolbar

The SmartDashboard toolbar buttons do these actions:

  • Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
  • Save current policy and all system objects.
  • Open a policy package, which is a collection of Policies saved together with the same name.
  • Refresh policy from the Security Management Server.
  • Open the Database Revision Control window.
  • Change global properties.
  • Verify Rule Base consistency.
  • Install the policy on Security Gateways or VSX Gateways.
  • Open SmartConsole.

Overview

QoS policy is implemented by defining a set of rules in the Rule Base. The Rule Base specifies what actions are to be taken with the data packets. The Rule Base specifies:

  • Source and destination of the traffic
  • Services that can be used
  • Times
  • Logging and logging level

The Rule Base comprises the rules you create and a default rule (see Default Rule). The default rule is automatically created with the Rule Base. It can be modified but cannot be deleted. Unless other rules apply, the default rule is applied to all data packets. The default rule is therefore always the last rule in the Rule Base.

An important aspect of Rule Base management is reviewing SmartView Tracker traffic logs.

QoS inspects packets sequentially. When QoS receives a packet belonging to a connection, it compares the packet against the first rule in the Rule Base, then the second, then the third, and so on. When QoS finds a rule that matches, it stops checking and applies that rule.

If the matching rule has sub-rules, the packet is then compared against the first sub-rule, then the second, then the third and the other sub-rules, until a match is found.

If the packet matches no rule or sub-rule, the default rule or default sub-rule is applied. The first rule that matches is applied to the packet, not the rule that best matches.

After you have defined your network objects, services and resources, you can use them in building a Rule Base. For instructions on building a Rule Base, see Editing QoS Rules.

The QoS Policy Rule Base concept is equivalent to the Security Policy Rule Base. For more, see the R77 Security Management Administration Guide.

Note - It is best to organize lists of objects (network objects and services) into groups. Using groups gives you a better overview of your QoS Policy and leads to a more readable Rule Base. New objects added to groups are automatically included in the rules.

Connection Classification

A connection is classified according to four criteria:

  • Source

    A set of network objects such as specified computers, networks, user groups or domains.

  • Destination

    A set of network objects such as specified computers, networks, user groups or domains.

  • Service

    A set of IP services, TCP, UDP, ICMP or URLs.

  • Time

    Specified days or time periods.

Network Objects

The network objects that can be used in QoS rules include workstations, networks, domains, and groups.

For more on network objects, see the R77 Security Management Administration Guide.

User Groups

QoS lets you define Groups of predefined users. For example, all the users in the marketing department can be grouped together in a User Group called Marketing. When defining a rule, you can use this group as the Source instead of adding individual users to the Source column of the rule.

Services and Resources

QoS allows you to define QoS rules not only based on the source and destination of each communication, but also according to the service requested. The services that can be used in QoS rules include TCP, Compound TCP, UDP, ICMP, Citrix TCP and IP services.

Resources can also be used in a QoS Rule Base. They must be of type URI for QoS.

Time Objects

QoS allows you to define Time objects. Time objects are used to specify when a rule is enforced. Time objects can be defined for specified times or days. Days can be divided into days of the month or days of the week.

Bandwidth Allocation and Rules

A rule can specify three factors to be applied to bandwidth allocation for classified connections:

Weight

Weight, in this sense, is the percentage of the available bandwidth allocated to a rule. It is not the same as the Weight value entered in the QoS Rule Base, which is a manually assigned priority; the formula below converts the priority into the percentage.

To calculate what percentage of the bandwidth the connections matched to a rule receives:

                       Priority in SmartDashboard 
The weight = -----------------------------------------------------
             Total priority of all the rules with open connections

For example:

  • if this rule's weight (priority in SmartDashboard) is 12
  • the total weight (priority in SmartDashboard) of all the rules for which connections are currently open is 120

Then all the connections open under this rule are allocated 12/120, or 10%. The weight of this rule is 10%. The rule gets 10% of the available bandwidth if the rule is active. In practice, if other rules are not using their maximum allocated bandwidth, a rule can get more than the bandwidth allocated by this formula. Unless a per connection limit or guarantee is defined for a rule, all connections under a rule receive equal weight.

Allocating bandwidth according to weights ensures full use of the line even if a specified class is not using all of its bandwidth. In such a case, the left over bandwidth is divided between the remaining classes in accordance with their relative weights. Units are configurable; see Defining QoS Global Properties.

Guarantees

A guarantee allocates a minimum bandwidth to the connections matched with a rule.

Guarantees can be defined for:

  • The sum of all connections in a rule

    A total rule guarantee reserves a minimum bandwidth for all the connections below a rule. The actual bandwidth allocated to each connection depends on the number of open connections that match the rule. The total bandwidth allocated to the rule cannot be less than the guarantee. The more connections that are open, the less bandwidth each connection receives.

  • Individual connections in a rule

    A per-connection guarantee means that each connection that matches the specified rule is guaranteed a minimum bandwidth.

Note - Although weights guarantee the bandwidth share for specified connections, only a guarantee lets you specify an absolute bandwidth value.

Limits

A limit specifies the maximum bandwidth that is assigned to all the connections together. A limit defines a point after which connections below a rule are not allocated more bandwidth, even if there is surplus bandwidth available.

Limits can also be defined for the sum of all connections in a rule or for individual connections within a rule.

For more information on weights, guarantees and limits, see Action Type.

Note - Bandwidth allocation is not fixed. As connections are opened and closed, QoS continuously changes the bandwidth allocation to accommodate competing connections, in accordance with the QoS Policy.
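As an added illustration of how the weight, guarantee and limit settings described in this section interact, the following Python model (not Check Point code; it does not reproduce the gateway's scheduler) applies the rules stated above to a constructed policy: only rules with open connections are counted, a rule's weight share is its priority over the total priority of the active rules, a limit caps a rule and the share it cannot use is re-divided among the other rules by relative weight, and a guarantee is a floor that is met at the expense of rules that have only a weight. The rule names, the 1200 KBps line, the demand figures and the floor-then-weights order are assumptions made for the example.

```python
"""Illustrative model of how weights, guarantees and limits divide a line.

Added example, not Check Point code. It models the behaviour the guide
describes: only rules with open connections count, a rule's share is its
weight over the total weight of active rules, a limit caps a rule, a
guarantee is a floor, and bandwidth a rule cannot use is redistributed to the
others by relative weight. Field names, the KBps unit and all figures are
assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

EPS = 1e-9


@dataclass
class QoSRule:
    name: str
    weight: int                        # the "priority" value entered in SmartDashboard
    demand: float                      # KBps the rule's open connections could use (0 = idle)
    guarantee: Optional[float] = None  # rule guarantee (minimum), KBps
    limit: Optional[float] = None      # rule limit (maximum), KBps

    def cap(self) -> float:
        """Most the rule can take: its demand, never above its limit."""
        return self.demand if self.limit is None else min(self.demand, self.limit)


def weight_share(rule: QoSRule, active: List[QoSRule]) -> float:
    """The guide's formula: priority / total priority of rules with open connections."""
    return rule.weight / sum(r.weight for r in active)


def water_fill(capacity: float, rules: List[QoSRule]) -> Dict[str, float]:
    """Divide capacity by weight. Rules that reach their cap drop out and the
    share they cannot use is re-divided among the rest, which is how weights
    keep the line fully used when a class does not consume its share."""
    alloc = {r.name: 0.0 for r in rules}
    remaining = capacity
    while remaining > EPS:
        wanting = [r for r in rules if alloc[r.name] + EPS < r.cap()]
        if not wanting:
            break                      # every rule is capped; the line stays partly idle
        total_w = sum(r.weight for r in wanting)
        capped = [r for r in wanting
                  if r.cap() - alloc[r.name] <= remaining * r.weight / total_w]
        if capped:                     # fill these to their cap, then re-divide the rest
            for r in capped:
                remaining -= r.cap() - alloc[r.name]
                alloc[r.name] = r.cap()
        else:                          # nobody caps out: hand out the weighted shares
            for r in wanting:
                alloc[r.name] += remaining * r.weight / total_w
            remaining = 0.0
    return alloc


def allocate(line_rate: float, rules: List[QoSRule]) -> Dict[str, float]:
    """Allocate line_rate (KBps) across the rules that currently have open connections."""
    active = [r for r in rules if r.demand > 0]
    pinned: Dict[str, float] = {}      # rules held at their guarantee because weight alone fell short
    while True:
        pool = [r for r in active if r.name not in pinned]
        alloc = water_fill(line_rate - sum(pinned.values()), pool)
        alloc.update(pinned)
        short = [r for r in pool
                 if r.guarantee is not None
                 and alloc[r.name] + EPS < min(r.guarantee, r.cap())]
        if not short:
            return alloc
        for r in short:
            pinned[r.name] = min(r.guarantee, r.cap())
        if sum(pinned.values()) > line_rate + EPS:
            raise ValueError("guarantees exceed the line rate; the policy is inconsistent")


# Constructed sample policy for a 1200 KBps line (not from the guide).
SAMPLE_LINE_KBPS = 1200.0
SAMPLE_RULES = [
    QoSRule("VPN",     weight=12, demand=600),
    QoSRule("Web",     weight=48, demand=1200, limit=300),
    QoSRule("Mail",    weight=30, demand=600, guarantee=550),
    QoSRule("Default", weight=30, demand=1200),
    QoSRule("Backup",  weight=10, demand=0),       # no open connections: not counted
]

if __name__ == "__main__":
    active = [r for r in SAMPLE_RULES if r.demand > 0]
    for r in active:
        print(f"{r.name:8} weight share {weight_share(r, active):6.1%}")
    for name, kbps in allocate(SAMPLE_LINE_KBPS, SAMPLE_RULES).items():
        print(f"{name:8} {kbps:7.1f} KBps")
```

Run as a script, it prints each active rule's weight share and the resulting split: Web is entitled to 40% of the line by weight but its 300 KBps limit caps it; Mail's 550 KBps guarantee lifts it above the 375 KBps its weight alone would give; VPN, with weight 12 of a total 120 (the guide's 10% example), receives 100 KBps; Default receives 250 KBps; and Backup, with no open connections, takes part in neither the total weight nor the split. The page does not specify how the gateway orders guarantees against weights, so the floor-then-weights order here is a modelling choice, not a statement about the product.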

Default Rule

A default rule is automatically added to each QoS Policy Rule Base, and assigned the weight specified in the QoS page of the Global Properties window. You can change the weight, but you cannot delete the default rule (see Weight).

The default rule applies to all connections not matched by the other rules or sub-rules in the Rule Base.

A default rule is automatically added to each group of sub-rules, and applies to connections not classified by the other sub-rules in the group. For more, see To Verify and View the QoS Policy.

QoS Action Properties

In the QoS Action Properties window you can define bandwidth allocation properties, limits and guarantees for a rule.

Action Type

Select one of these Action Types:

Action Type  QoS Policy  Express Mode Policy
Simple       Yes         Yes
Advanced     Yes         No

Simple

These actions are available:

  • Apply rule to encrypted traffic only
  • Rule weight
  • Rule limit
  • Rule guarantee

Advanced

The same actions that are available in Simple mode are available in Advanced mode. Advanced mode also has Guarantee Allocation:

  • Per rule
  • Per connection
  • Per rule guarantee
  • Per connection guarantee
  • Number of permanent connections
  • Accept additional connections

Example of a Rule Matching VPN Traffic

VPN traffic is traffic that this Security Gateway itself encrypts. It does not refer to traffic that a non-Check Point product encrypted before it arrived at this gateway; that type of traffic can be matched using the IPSec service.

When Apply rule only to encrypted traffic is selected in the QoS Action Properties window, only VPN traffic is matched to the rule. If this field is not checked, all types of traffic (both VPN and non-VPN) are matched to the rule.

Use the Apply rule only to encrypted traffic option to create rules that apply only to VPN traffic, with actions different from those applied to non-VPN traffic. Because QoS uses First Rule Match, the VPN traffic rules must be the top rules in the Rule Base, and the rules that apply to all other types of traffic are defined below them. Non-VPN traffic skips the top rules and matches one of the non-VPN rules. To separate VPN traffic from non-VPN traffic, define this rule at the top of the QoS Rule Base:

Name      Source  Destination  Service  Action
VPN rule  Any     Any          Any      VPN Encrypt, and other configured actions

All the VPN traffic is matched to this rule. The rules below this VPN Traffic Rule are then checked only against non-VPN traffic. You can define sub-rules below the VPN Traffic rule that classify the VPN traffic more granularly.

Bandwidth Allocation and Sub-Rules

When a connection is matched to a rule with sub-rules, the sub-rules are checked for match. If none of the sub-rules apply, the default rule for the sub-rules is applied (see Default Rule).

Sub-rules can be nested, meaning that sub-rules themselves can have sub-rules. The same rules then apply to the nested sub-rules. If the connection matches a sub-rule that has sub-rules, the nested sub-rules are checked for a match. If none of the nested sub-rules apply, the default rule for the nested sub-rules is applied.

Bandwidth is allocated on a top/down basis. This means that:

  • Sub-rules cannot give more bandwidth to a matching rule, than the rule in which the sub-rule is located.
  • A nested sub-rule cannot give more bandwidth than the sub-rule in which it is located.

A Rule Guarantee must always be greater than or equal to the Rule Guarantee of a sub‑rule in that rule. The same applies to Rule Guarantees in sub-rules and their nested sub-rules.

Example:

Bandwidth Allocation in Nested Sub-Rules:

Rule Name        Source    Destination  Service  Action
Rule A           Any       Any          ftp      Rule Guarantee - 100 KBps, Weight 10
  Start of Sub-Rule A
  Rule A1        Client-1  Any          ftp      Rule Guarantee - 100 KBps, Weight 10
    Start of Sub-Rule A1
    Rule A1.1    Any       Any          ftp      Rule Guarantee - 80 KBps, Weight 10
    Rule A1.2    Any       Any          ftp      Weight 10
    End of Sub-Rule A1
  Rule A2        Client-1  Any          ftp      Weight 10
  End of Sub-Rule A
Rule B           Any       Any          http     Weight 30

In this example, surplus bandwidth from the application of Rule A1.1 is applied to Rule A2 before it is applied to Rule A1.2.
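The first-rule-match semantics described under Rule Base Management, the VPN-rules-first ordering, and the nested sub-rule and guarantee-nesting constraints of this section can be seen together on the example Rule Base above. The following Python model is an added example, not Check Point code: it walks the table's rules top to bottom, takes the first match at each level (not the best one), descends into a matched rule's sub-rules, falls back to the automatically added default rule of each level, and reports sub-rules whose Rule Guarantee exceeds that of the rule containing them. The destination host names, the second client and the smtp service are constructed for the demonstration; Time matching is omitted.

```python
"""First-rule-match classification over a nested QoS Rule Base, with a check
of the guarantee nesting constraint.

Added example, not Check Point code. It models the semantics the guide
describes: rules tried top to bottom, first match wins, sub-rules tried the
same way under a matched rule, an automatic default rule closing every level,
and a sub-rule's guarantee never exceeding its parent's. The Rule Base is the
guide's "Bandwidth Allocation in Nested Sub-Rules" table; the destination
hosts and the extra client and service names are constructed.
"""
import copy
from dataclasses import dataclass, field
from typing import List, Optional

ANY = "Any"


@dataclass
class Rule:
    name: str
    source: str = ANY
    destination: str = ANY
    service: str = ANY
    guarantee: Optional[float] = None          # Rule Guarantee, KBps
    weight: int = 10
    sub_rules: List["Rule"] = field(default_factory=list)

    def matches(self, src: str, dst: str, svc: str) -> bool:
        """Exact-match classification on Source, Destination and Service (Time omitted)."""
        return all(want == ANY or want == got
                   for want, got in ((self.source, src),
                                     (self.destination, dst),
                                     (self.service, svc)))


def classify(rules: List[Rule], src: str, dst: str, svc: str) -> List[str]:
    """Return the match path of a connection: the first matching rule at each
    level (not the best match), descending into its sub-rules, and ending in
    the level's automatically added default rule if nothing else matched."""
    for rule in rules:
        if rule.matches(src, dst, svc):
            path = [rule.name]
            if rule.sub_rules:
                path += classify(rule.sub_rules, src, dst, svc)
            return path
    return ["Default"]


def guarantee_violations(rules: List[Rule], parent: Optional[Rule] = None) -> List[str]:
    """List sub-rules whose Rule Guarantee exceeds that of the rule containing them."""
    problems = []
    for rule in rules:
        if (parent is not None and parent.guarantee is not None
                and rule.guarantee is not None and rule.guarantee > parent.guarantee):
            problems.append(f"{rule.name}: guarantee {rule.guarantee:g} KBps exceeds "
                            f"{parent.name} ({parent.guarantee:g} KBps)")
        problems += guarantee_violations(rule.sub_rules, rule)
    return problems


# The guide's example Rule Base; the top-level default rule is implicit in classify().
RULE_BASE = [
    Rule("Rule A", service="ftp", guarantee=100, weight=10, sub_rules=[
        Rule("Rule A1", source="Client-1", service="ftp", guarantee=100, weight=10, sub_rules=[
            Rule("Rule A1.1", service="ftp", guarantee=80, weight=10),
            Rule("Rule A1.2", service="ftp", weight=10),
        ]),
        Rule("Rule A2", source="Client-1", service="ftp", weight=10),
    ]),
    Rule("Rule B", service="http", weight=30),
]


def bad_rule_base() -> List[Rule]:
    """Constructed variant that breaks the nesting constraint: A1.1 above A1's 100 KBps."""
    rules = copy.deepcopy(RULE_BASE)
    rules[0].sub_rules[0].sub_rules[0].guarantee = 120
    return rules


if __name__ == "__main__":
    # Constructed connections: (source, destination, service)
    for conn in (("Client-1", "FTP-Server", "ftp"),
                 ("Client-2", "FTP-Server", "ftp"),
                 ("Client-1", "Web-Server", "http"),
                 ("Client-1", "Mail-Server", "smtp")):
        print(conn, "->", " / ".join(classify(RULE_BASE, *conn)))
    print(guarantee_violations(RULE_BASE))
    print(guarantee_violations(bad_rule_base()))
```

An ftp connection from Client-1 is classified Rule A / Rule A1 / Rule A1.1; an ftp connection from any other client matches Rule A but none of its sub-rules, so the default sub-rule of Rule A applies; http goes to Rule B; and a service no rule names falls through to the top-level default rule. With the match fields exactly as printed in the table, Rule A1.2 is never reached for traffic that Rule A1.1 already matches, which is the first-match behaviour that makes the ordering of overlapping rules, including the VPN rule placed at the top, matter.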

Implementing the Rule Base

After defining rules, run a heuristic check (Policy > Verify) on the Rule Base to make sure the rules do not conflict.

After verifying the Rule Base, install the policy on QoS gateways that will enforce it.

Note - Make sure the QoS blade is enabled on the gateway before you install the policy.

To Verify and View the QoS Policy

  1. Select Policy > Verify to run a heuristic check on the Rule Base to make sure that there are no conflicting rules.
  2. Select Policy > View to see the generated rules as ASCII text.

To Install and Enforce the Policy

To install and enforce the QoS Policy:

  1. From the Policy menu, select Install.

    The Install Policy window opens.

  2. Specify the QoS gateways on which to install the Policy.
    • By default, all QoS gateways are already selected.
    • For an object to be a QoS gateway, it needs to have the QoS blade enabled.
    • The objects in the list are those that have QoS Installed selected in their definition (see Specifying Interface QoS Properties).
    • The QoS Policy is not installed on unselected items.
  3. Click OK.

Uninstalling the QoS Policy

  1. Select Policy > Uninstall.

    The Uninstall Policy window opens.

  2. For those gateways that have the QoS blade enabled, select the QoS option.

  3. Click OK.

    Note:

    • Uninstalling the policy does not disable the QoS blade. The QoS blade remains active but does not enforce a QoS policy. The earlier policy remains on the gateway.
    • The QoS Policy will be installed again if the gateway is rebooted.
    • To permanently stop the gateway from enforcing QoS, disable the QoS blade.

To Monitor the QoS Policy

SmartView Monitor lets you monitor traffic through a QoS interface. For more, see the R77 SmartView Monitor Administration Guide.

©2014 Check Point Software Technologies Ltd. All rights reserved.