

FAQ

In This Section:

QoS Basics

Other Check Point Products - Support and Management

Policy Creation

Fine-tuning QoS Performance

Protocol Support

Installation/Backward Compatibility/Licensing/Versions

How do I?

General Issues

QoS Basics

When should I use QoS policy mode and when should I use Express mode?

  • Use QoS policy mode when you need fine-grained control and the enhanced QoS features, together with acceleration.
  • Use Express mode if your system needs only basic QoS.

What are the benefits of using each mode?  

  • QoS policy mode gives optimal QoS functionality
  • Express policy mode remains available as a legacy mode

Can I change between QoS modes?

  • You can change from Express mode to QoS policy mode
  • You cannot change from a QoS policy mode to Express mode

What is the highest weight I can use in a rule? — Weights are relative. The only limitation is the Maximum weight of rule parameter, which is defined in the Global Properties window under QoS. The default parameter is 1000, but can be changed to any number.

Note - This parameter is only used to assist in input validation.

In the example shown here, each row gives the rule weights, the share of the link that the HTTP rule gets, and what that means:

Policy 1
  Weights: HTTP = 500, FTP = 500
  HTTP gets: 500/(500+500) = 1/2
  Comment: Equal weight is given to each rule.

Policy 2
  Weights: HTTP = 2, FTP = 2
  HTTP gets: 2/(2+2) = 1/2
  Comment: Equal weight is given to each rule.

Policy 1 + third rule
  Weights: HTTP = 500, FTP = 500, SMTP = 100
  HTTP gets: 500/(500+500+100) = 500/1100
  Comment: Because the weights in Policy 1 are high, the bandwidth available to the HTTP connection is only marginally less than in Policy 1, even after the third rule is introduced.

Policy 2 + third rule
  Weights: HTTP = 2, FTP = 2, SMTP = 100
  HTTP gets: 2/(2+2+100) = 2/104
  Comment: Because the weights in Policy 2 are low, the bandwidth available to the HTTP connection is now significantly less as a result of the third rule.

You can see the significance of the value of the weight allocated in two different policies. In the example both the HTTP and FTP connections initially enjoy an equal share of the available bandwidth, although they each had a weight of 500 in Policy 1 and a weight of 2 in Policy 2.

By adding a third rule to both policies you can significantly change the result. For example, an SMTP connection with a weight of 100 can be added to each policy. Due to the high initial weights used in Policy 1, there is an insignificant change to the amount of bandwidth available for the HTTP connection in Policy 1 + third rule. However, due to the low initial weights used in Policy 2, the amount of bandwidth that is available to the HTTP connection in Policy 2 + third rule is significantly reduced.

Should I install QoS on the external or the internal interface? — While QoS can run on both interfaces, it is highly recommended to position QoS on the external interface only.

What is the difference between guarantees and weights? — Guarantees and weights are similar in their behavior. Despite the difference in their dictionary meaning, they both guarantee the allocated bandwidth to the matched traffic. The differences between them are:

  • Guarantees are stated in absolute numbers (for example, 20000bps) and weights are stated in relative numbers (for example, 100).
  • Guarantees are allocated their share of bandwidth before weights. For example, on a 1.5 Mbps link:

Your Rule Base is:

  • HTTP Guarantee 1 Mbps
  • FTP Weight 40
  • SMTP Weight 10

The result is:

  • first, the 1 Mbps guarantee for HTTP is allocated, then
  • the remaining 0.5 Mbps is split by weight (40:10): 0.4 Mbps for FTP and 0.1 Mbps for SMTP.

Use guarantees to define bandwidth in absolute terms or for per connection guarantees.

Which Firewall resources does QoS support in the Rule Base? — QoS can use its resources to inspect HTTP traffic. Resources are defined using the URI for QoS option and can contain specific URLs or files. For example, to restrict web surfing to http://www.example.com, add a QoS URI resource that looks for the string "www.example.com" (without the http:// prefix). Then use the resource in a QoS rule and add a limit.

Do guarantees waste bandwidth? — No. QoS uses a sophisticated queuing mechanism. An application only takes as much bandwidth as it needs. Any unused bandwidth is then available for use by other applications.

How do I know if loaned bandwidth is available for applications that may need it back? — There is no loaned bandwidth in QoS. Bandwidth that is not utilized by a guarantee/weighted rule is immediately (on a per-packet basis) distributed to the other connections, according to their relative priorities. The key factor is resolution, that is, the level of granularity: QoS allocates bandwidth per packet, so only one packet is allocated at a time, which gives the most accurate scheduling policy.
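The arithmetic in the three answers above (the Policy 1/Policy 2 weight table, the 1.5 Mbps guarantee-then-weights example, and the point that bandwidth a rule does not use goes to the other rules at once) can be checked with a small model. The following Python is an added example, not Check Point code and not the gateway's scheduler: it models a saturated link on which guarantees are served first in Rule Base order and the remainder is split by weight, with any share a rule cannot use handed to the other weighted rules. The `demand` field (how much the matched traffic could actually send) and the water-filling loop are assumptions of the model; the real scheduler makes the same decision packet by packet.

```python
# Added example (not Check Point code): a model of how QoS shares a saturated
# link between rules -- guarantees first, then the remainder by weight, with
# anything a rule cannot use redistributed to the other weighted rules.
from dataclasses import dataclass
from typing import Dict, List, Optional

EPS = 1e-9


@dataclass
class Rule:
    name: str
    weight: int = 0                  # relative share; only its ratio to other weights matters
    guarantee: float = 0.0           # absolute bandwidth, same units as the link
    demand: Optional[float] = None   # assumed: what the matched traffic wants; None = unlimited


def allocate(link: float, rules: List[Rule]) -> Dict[str, float]:
    """Return the bandwidth each rule gets when `link` is fully used."""
    alloc = {r.name: 0.0 for r in rules}
    remaining = link

    # 1. Guarantees first, in Rule Base order. A rule takes only what its
    #    traffic can use, so an idle guarantee does not waste bandwidth.
    for r in rules:
        want = r.guarantee if r.demand is None else min(r.guarantee, r.demand)
        got = min(want, remaining)
        alloc[r.name] += got
        remaining -= got

    # 2. The remainder is shared by weight. Water-fill: a rule that cannot use
    #    its share is capped at its demand and the leftover is re-split among
    #    the rules that still have demand ("no loaned bandwidth").
    while remaining > EPS:
        active = [r for r in rules
                  if r.weight > 0 and (r.demand is None or alloc[r.name] < r.demand - EPS)]
        if not active:
            break                       # nobody can use what is left
        total_weight = sum(r.weight for r in active)
        pool = remaining
        for r in active:
            share = pool * r.weight / total_weight
            if r.demand is not None:
                share = min(share, r.demand - alloc[r.name])
            alloc[r.name] += share
            remaining -= share
    return alloc


# Constructed rule bases matching the examples in the text.
GUARANTEE_THEN_WEIGHTS = [Rule("HTTP", guarantee=1.0), Rule("FTP", weight=40), Rule("SMTP", weight=10)]
POLICY1_PLUS_SMTP = [Rule("HTTP", weight=500), Rule("FTP", weight=500), Rule("SMTP", weight=100)]
POLICY2_PLUS_SMTP = [Rule("HTTP", weight=2), Rule("FTP", weight=2), Rule("SMTP", weight=100)]

if __name__ == "__main__":
    print("1.5 Mbps link, guarantee first:", allocate(1.5, GUARANTEE_THEN_WEIGHTS))
    print("Policy 1 + SMTP (share of link):", allocate(1.0, POLICY1_PLUS_SMTP))
    print("Policy 2 + SMTP (share of link):", allocate(1.0, POLICY2_PLUS_SMTP))
    # HTTP only needs 0.2 Mbps of its 1 Mbps guarantee: the rest flows to FTP/SMTP.
    idle = [Rule("HTTP", guarantee=1.0, demand=0.2), Rule("FTP", weight=40), Rule("SMTP", weight=10)]
    print("Idle guarantee is not wasted:", allocate(1.5, idle))
```

Run with different `demand` values to see that the sum of the allocations never exceeds the link and that a rule's unused share always lands on the other rules rather than being held back for it.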

Other Check Point Products - Support and Management

Where is QoS placed in the Multi-Domain Security Management Inspection chain? — QoS is composed of two components:

  • QoS Policy, which is in charge of rule matching
  • QoS Scheduling, which is in charge of packet scheduling

Does QoS work With Multi-Domain Security Management? — Yes. One of QoS's most important features is its unique and sophisticated integration with Multi-Domain Security Management. Its integration features include:

  • accurate classification of VPN traffic (inside the VPN tunnel)
  • classification of NATed traffic
  • shared network objects and topology (that save you time and effort in administration)
  • common SmartDashboard with an advanced GUI but a familiar look and feel
  • authenticated Quality of Service allows you to assign bandwidth to VPN remote users
  • DiffServ Support and QoS bring Better than Frame Relay QoS to the VPN world
  • log verification

Is SmartView Monitor a part of QoS? — No. As of NG with Application Intelligence (R55), SmartView Monitor is a separate product that is bundled with QoS.

Does QoS support Load Sharing configurations? — Yes, QoS supports all ClusterXL configurations. QoS supports the SYNC mechanism and therefore can be used with CPLS/CPHA or third-party solutions. For OPSEC partner solutions, see the OPSEC Website.

Does QoS support NATed traffic? — QoS has full support for NATed traffic, including matching, scheduling, limiting and all other QoS features.

What is the maximum number of QoS gateways I can manage? — QoS gateway management is identical to that for any gateway. Thus, the maximum number of gateways is identical to the maximum number of gateways that are managed.

Do I need to run QoS on the Security Management Server? — Yes, in order to manage a QoS gateway you need to install QoS on the Security Management Server.

Policy Creation

When should I use LLQ (Low Latency Queuing)? — LLQ is best suited for VoIP applications, Video conferencing and other multimedia applications. LLQ is targeted for applications where:

  • a minimal guaranteed bandwidth is required for adequate performance
  • low delay and Jitter are required

Is QoS Rule Base "first match"? — From QoS NG onward, all QoS rules are matched on the "first match" principle: only the first rule that applies to a connection takes effect.

For example, if you have a rule for CEO traffic and a rule for HTTP traffic, the rule that appears first within the Rule Base will be matched to all CEO surfing.

Correct Rule Base (CEO is the first match)

  1. SRC=CEO => Guarantee = 128Kbps
  2. Service=HTTP => Limit = 64Kbps

Incorrect Rule Base (CEO traffic will be limited)

  1. Service=HTTP => Limit = 64Kbps
  2. SRC=CEO => Guarantee = 128Kbps

I am using QoS on multiple gateways. What is the best way to organize my Rule Base?

  • If you are managing gateways with identical bandwidth and you want an identical policy for all gateways, set the Install On field to All.
  • If you are managing gateways with varied bandwidths and want an identical policy for all gateways, you can have one policy installed on all gateways. It is best to use weights, since they assign relative rather than fixed bandwidth. Remember that weights also guarantee bandwidth allocation.
  • If you are managing gateways with varied bandwidths and want a different policy for each gateway, you can use different sub-rules for each gateway. You can also keep common rules that apply to all gateways.

When should I use Sub-rules? — Sub-rules should be used when there is a hierarchy between objects. For example, use them when you want to manage bandwidth according to organizational structure, such as within an organization that has R&D, Marketing and Operations divisions.
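The first-match behaviour and the sub-rule hierarchy from the two answers above can be exercised with a small matcher. The following Python is an added example, not Check Point code and not how the gateway itself evaluates the Rule Base: the `QoSRule` class, the `src`/`service` fields, the action strings and the sample connections are all constructed for illustration. One assumption is marked in the code: when a parent rule matches but none of its sub-rules does, the model falls back to the parent's own action.

```python
# Added example (not Check Point code): first-match evaluation of a QoS Rule
# Base, with optional sub-rules for hierarchical (per-department) policies.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Connection = Dict[str, str]   # constructed sample shape: {"src": ..., "service": ...}


@dataclass
class QoSRule:
    name: str
    src: Optional[Set[str]] = None       # None = any source
    service: Optional[Set[str]] = None   # None = any service
    action: str = ""                     # illustrative text such as "Guarantee 128Kbps"
    sub_rules: List["QoSRule"] = field(default_factory=list)

    def matches(self, conn: Connection) -> bool:
        return ((self.src is None or conn["src"] in self.src)
                and (self.service is None or conn["service"] in self.service))


def first_match(rules: List[QoSRule], conn: Connection) -> Optional[Tuple[str, str]]:
    """Return (rule name, action) of the first rule that matches conn, or None.

    Only the first matching rule counts; later rules are never consulted. That
    is why a broad "Service=HTTP" limit placed above a "SRC=CEO" guarantee
    silently limits the CEO. A matched parent with sub-rules delegates to them,
    again first-match; if none of them matches, the parent's own action is
    used (an assumption of this model, not documented behaviour).
    """
    for rule in rules:
        if not rule.matches(conn):
            continue
        if rule.sub_rules:
            sub = first_match(rule.sub_rules, conn)
            if sub is not None:
                return sub
        return (rule.name, rule.action)
    return None


def audit(rules: List[QoSRule], sample: List[Connection]) -> List[Tuple[Connection, str]]:
    """Report which rule each sample connection hits; a cheap pre-install ordering check."""
    return [(conn, (first_match(rules, conn) or ("<no match>", ""))[0]) for conn in sample]


# Constructed Rule Bases from the CEO example: correct order, then the shadowed one.
CEO_FIRST = [
    QoSRule("CEO", src={"ceo-pc"}, action="Guarantee 128Kbps"),
    QoSRule("HTTP", service={"http"}, action="Limit 64Kbps"),
]
HTTP_FIRST = [CEO_FIRST[1], CEO_FIRST[0]]

# Constructed hierarchy: one rule per division, per-service sub-rules under R&D.
DEPARTMENTS = [
    QoSRule("R&D", src={"rd-net"}, action="Weight 30", sub_rules=[
        QoSRule("R&D HTTP", service={"http"}, action="Weight 10"),
        QoSRule("R&D FTP", service={"ftp"}, action="Weight 5"),
    ]),
    QoSRule("Marketing", src={"mkt-net"}, action="Weight 20"),
]

if __name__ == "__main__":
    ceo_web = {"src": "ceo-pc", "service": "http"}
    print("correct order:", first_match(CEO_FIRST, ceo_web))
    print("wrong order  :", first_match(HTTP_FIRST, ceo_web))
    print(audit(DEPARTMENTS, [{"src": "rd-net", "service": "ftp"},
                              {"src": "rd-net", "service": "ssh"},
                              {"src": "guest", "service": "http"}]))
```

Running `audit` over the handful of connections you actually care about (the CEO's browsing, the mail server, a VoIP call) before installing a policy is a quick way to catch a broad rule placed above a specific one.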

How can I see the top bandwidth-hogging applications? — From the command line run the command rtmtopsvc.

Fine-tuning QoS Performance

To fine-tune QoS performance:

  1. Upgrade to the latest R77.10 Security Gateway.
  2. Enable acceleration.
  3. In most cases you need to install QoS only on the external interfaces of the gateway.
  4. Unless you are using limits for outbound traffic, install QoS only for the inbound direction.
  5. Put more frequent rules at the top of your Rule Base.
  6. Turn per connection limits into per rule limits.
  7. Turn per connection guarantees into per rule guarantees.

Protocol Support

What protocols/services are supported by QoS? — See: http://www.checkpoint.com/products/downloads/vpn-1_fw-1_fg-1_app_support.pdf

Note - New services and applications are added on an ongoing basis.

Can I prioritize system administration traffic? — Yes. This can be done in any of the following ways:

  • Guarantees for administrators based on authentication
  • Guarantees for administrators based on IPs, networks
  • Guarantees for applications only administrators use (for example, Multi-Domain Security Management control protocols, PC-Anywhere)
  • Combinations of all the above

Does QoS support Citrix applications? —  Yes. In addition:

  • Citrix applications can be differentiated from one another.
  • QoS identifies Citrix ICA printing traffic and reclassifies it to a proper rule.

Does QoS support SIP? — Yes. Starting from QoS FP2, the SIP protocol is supported.

Does QoS support H323? — Yes. Starting from QoS FP1, the H323 protocol is supported

Does QoS support GRE? — Yes. This protocol is supported.

Installation/Backward Compatibility/Licensing/Versions

When will QoS next feature pack be available? — QoS feature packs/releases are usually shipped at the same time Multi-Domain Security Management feature packs are released.

How do I?

How do I guarantee performance for my mail server? — You need to add a rule matching your email traffic. You can do this by either matching the source/destination of your mail server, or matching mail protocols (SMTP, POP3, Exchange). For this rule, define a weight or guarantee that meets the needs of the priorities you want to set.

How do I ensure Quality of Service for Voice Over IP? — QoS FP1 introduced the VoIP-tuned mechanism Low Latency Queuing (LLQ). This mechanism is tuned to achieve best latency for constant bit rate applications, like VoIP.

To limit the number of connections admitted, use LLQ with a per connection guarantee. For voice, you want to give each conversation a guaranteed bandwidth. Usually you would want an admission policy that does not accept additional calls if bandwidth is not adequate.

Note - This is equivalent to the busy tone in traditional voice systems.

How can I prioritize traffic for remote users? — Using the Authenticated QoS feature of QoS, you can prioritize bandwidth allocation for remote VPN users and Windows domain user groups.

How do I guarantee performance for my ERP applications? — You need to add a rule matching your ERP traffic. You can do this by either matching the source/destination of your ERP server, or matching application protocols (SAP, BAAN, ORACLE). For this rule, define a weight or guarantee that meets the needs of the priorities you want to set. If your ERP application is not a predefined service, you can either add it manually or use the first method.

If you are using ERP over HTTP, check "How can I provide bandwidth for my intranet applications"?

Can I use QoS to prevent Denial of Service Attacks? — QoS is not primarily an anti-denial-of-service tool. However, there are many situations in which QoS can be used to detect, monitor and mitigate such attacks. Using SmartView Monitor and QoS you can perform detection and monitoring.

Prevention can be achieved in the following ways:

  • by limiting applications that are known to be a part of DoS attacks (for example, ICMP, suspicious URLs).
  • by providing guarantees for important traffic (for example, ERP, MAIL, VoIP).
  • by providing guaranteed bandwidth for authenticated users using Authenticated QoS. Authenticated users can be identified with digital signatures and can rely on VPN authentication and encryption. QoS guarantees that these users will get their bandwidth. The attacker cannot authenticate to the VPN and so gets no bandwidth for the attack. Note that QoS only schedules the packets the gateway itself transmits on the interface it is installed on; a flood that saturates the upstream link before it reaches the gateway is outside its control.

Why is limiting bandwidth for Napster better than blocking it? — Blocking "non-work related" applications might cause users to find a way to bypass the block. Prioritizing bandwidth lets users continue with their activities without damaging critical business processes. Consider a university where the Internet connection is being used for peer-to-peer file downloads like Napster and Kazaa. Blocking these services completely may encourage students to find a clever way around the block, which in turn might cause legal problems. QoS offers smarter solutions:

  • Limiting the allocated bandwidth for such applications. This can be done with or without the students' knowledge.
  • Limiting the allocated bandwidth during the day, and providing more bandwidth at night.
  • Providing guarantees to important users (Professors, MIS) while allowing students to use the remainder of the bandwidth.

General Issues

My machine is experiencing certain technical failures. What should I do? — Check the Web for updated release notes on known issues and limitations. Contact your vendor for further support.

I set up a guarantee/limit, but in SmartView Monitor it seems to be broken. Why? — If you are looking at a very low traffic limit (for example, 1000 bytes per second) at a high sampling frequency (update every 2 seconds), it can look as if the limit is being exceeded, because QoS does not fragment packets: a whole packet is either sent in a sample interval or it is not. If you lower the sampling frequency of SmartView Monitor (update every 8 seconds), you will see that limits are kept.
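The effect described in the answer above is easy to reproduce numerically. The following Python is an added example, not Check Point code and not the gateway's scheduler: it models a limiter that accrues credit at the configured rate and releases only whole packets, then shows what a monitor would display when it totals the bytes over 2-second, 8-second and whole-run samples. The 1000 B/s limit, 1500-byte packets and 60-second run are constructed inputs; times are kept in integer milliseconds so the arithmetic is exact.

```python
# Added example (not Check Point code): why a low per-second limit looks
# "broken" at a short monitor sampling interval when packets are not
# fragmented. Times are integer milliseconds so every value is exact.
from typing import List


def release_times_ms(limit_bytes_per_s: int, packet_bytes: int, duration_ms: int) -> List[int]:
    """Times at which a non-fragmenting limiter releases whole packets.

    Credit is kept in bytes*1000 so that one millisecond adds an integer
    amount; a packet goes out only once a full packet's worth has accrued.
    """
    credit = 0
    times = []
    for t in range(1, duration_ms + 1):
        credit += limit_bytes_per_s          # bytes*1000 per ms == bytes per second
        if credit >= packet_bytes * 1000:
            credit -= packet_bytes * 1000
            times.append(t)
    return times


def max_displayed_rate(times_ms: List[int], packet_bytes: int, window_ms: int,
                       duration_ms: int, slide_ms: int = 100) -> float:
    """Highest bytes/s a monitor would show when it sums bytes over window_ms samples.

    The window is slid across the run so the worst-case alignment is found.
    """
    best = 0.0
    for start in range(0, duration_ms - window_ms + 1, slide_ms):
        n = sum(1 for t in times_ms if start < t <= start + window_ms)
        best = max(best, n * packet_bytes * 1000 / window_ms)
    return best


def average_rate(times_ms: List[int], packet_bytes: int, duration_ms: int) -> float:
    """Throughput over the whole run, which is what the limit actually bounds."""
    return len(times_ms) * packet_bytes * 1000 / duration_ms


# Constructed inputs: 1000 B/s limit, 1500-byte packets, a 60 s run.
LIMIT, PACKET, RUN = 1000, 1500, 60_000

if __name__ == "__main__":
    times = release_times_ms(LIMIT, PACKET, RUN)
    for window in (2_000, 8_000, RUN):
        peak = max_displayed_rate(times, PACKET, window, RUN)
        print(f"{window / 1000:>4.0f} s samples: peak displayed {peak:7.1f} B/s")
    print(f"true average over run : {average_rate(times, PACKET, RUN):7.1f} B/s")
```

With these inputs a packet leaves every 1.5 s; a 2-second sample can catch two of them and display 1500 B/s, an 8-second sample at worst six (1125 B/s), while the run as a whole is exactly at the 1000 B/s limit. The shorter the sample relative to the packet spacing, the larger the apparent overshoot.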

Can QoS prompt a user for authentication in order to use the Authenticated QoS feature? — No. In order to use Authenticated QoS, Multi-Domain Security Management must perform an authentication session prior to the classification of the connection by QoS.

Can I deploy QoS on LAN environments? — Yes. You will need to position the hardware to support the network traffic you want to prioritize. QoS is best deployed in congestion points for network traffic.

What happens if a line's bandwidth (as defined in the QoS tab of the Interface Properties window) is less than its physical ("real") bandwidth? — QoS will only allocate as much bandwidth as is defined in the Interface Properties window. Additional bandwidth will not be allocated regardless of the physical bandwidth of the interface.

What happens if a link bandwidth (of the link defined in QoS) is more than its physical ("real") bandwidth? — QoS will attempt to transmit more than the physical bandwidth allows. This can cause random traffic drops in the next hop that result in the loss of critical packets.

©2014 Check Point Software Technologies Ltd. All rights reserved.