Introduction to QoS
Check Point's QoS Solution
QoS is a policy-based bandwidth management solution from Check Point Software Technologies Ltd. It is a software-only application that manages traffic end-to-end across networks by distributing enforcement throughout network hardware and software.
QoS enables you to prioritize business-critical traffic, such as ERP, database and Web services traffic, over less time-critical traffic. QoS allows you to guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing. With highly granular controls, QoS also enables guaranteed or priority access to specific employees, even if they are remotely accessing network resources through a VPN tunnel.
QoS is deployed with the Security Gateway. These integrated solutions provide QoS for both VPN and unencrypted traffic to maximize the benefit of a secure, reliable, low-cost VPN network.
QoS builds on Check Point's traffic inspection and bandwidth control technologies. Check Point's patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic, and this state information is used to classify traffic by service or application. After a packet has been classified, QoS applies the QoS policy to it by means of a hierarchical Weighted Fair Queuing (WFQ) algorithm, which controls how bandwidth is allocated among the matching rules.
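The scheduling idea just described (classify first, then allocate bandwidth with a hierarchical weighted fair queue driven by weights, guarantees and limits) is easier to reason about with a small model. The Python below is an added illustration written for this guide; it is not Check Point's implementation, and the rule names, weights, demands and the 900-unit link are constructed sample values. It shows why a weight-2 rule gets twice the share of a weight-1 sibling only while both are backlogged, why a limit stops a rule short and hands its unused share to the others, and how a sub-rule hierarchy splits a parent's share again with the same policy.

```python
"""Toy model of weights / guarantees / limits scheduling (hierarchical WFQ).

Constructed illustration only: not Check Point code. Rule names, weights and
bandwidth figures are made up. Bandwidth is in abstract units per scheduling
interval (think kbit/s)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    """One QoS rule. A rule with sub-rules shares its own allocation among them."""
    name: str
    weight: int = 10                  # relative share under contention
    guarantee: float = 0.0            # bandwidth reserved for the rule when it needs it
    limit: float = float("inf")       # hard cap, never exceeded
    demand: float = 0.0               # offered load this interval (leaf rules only)
    subrules: List["Rule"] = field(default_factory=list)

    def offered(self) -> float:
        """Backlog the rule wants to send: own demand or the sum of its sub-rules."""
        return sum(r.offered() for r in self.subrules) if self.subrules else self.demand


def share(rules: List[Rule], capacity: float) -> Dict[str, float]:
    """Split `capacity` among sibling rules.

    1. Every rule first receives its guarantee, clipped to what it can actually
       use; if guarantees alone oversubscribe the link they are pro-rated.
    2. The remainder is distributed by weight. A rule that reaches its limit or
       runs out of backlog drops out and its unused share is redistributed
       among the rules still backlogged (water-filling), so nothing is wasted
       on an idle or capped rule.
    """
    cap = {r.name: min(r.limit, r.offered()) for r in rules}
    alloc = {r.name: min(r.guarantee, cap[r.name]) for r in rules}
    total_guaranteed = sum(alloc.values())
    if total_guaranteed > capacity:                     # oversubscribed guarantees
        for name in alloc:
            alloc[name] *= capacity / total_guaranteed
    left = capacity - sum(alloc.values())
    while left > 1e-9:
        hungry = [r for r in rules if alloc[r.name] + 1e-9 < cap[r.name]]
        if not hungry:
            break                                       # everyone satisfied or capped
        wsum = sum(r.weight for r in hungry)
        given = 0.0
        for r in hungry:
            extra = min(left * r.weight / wsum, cap[r.name] - alloc[r.name])
            alloc[r.name] += extra
            given += extra
        left -= given
    return alloc


def schedule(rules: List[Rule], capacity: float) -> Dict[str, float]:
    """Hierarchical WFQ: split the link among top-level rules, then split each
    rule's share among its sub-rules with the same policy."""
    result = share(rules, capacity)
    for r in rules:
        if r.subrules:
            result.update(schedule(r.subrules, result[r.name]))
    return result


def sample_policy() -> List[Rule]:
    """Constructed rule base: voice reserved, ERP favoured, web split, bulk capped."""
    return [
        Rule("VoIP", weight=1, guarantee=300, limit=300, demand=500),
        Rule("ERP", weight=2, demand=2000),
        Rule("Web", weight=1, subrules=[
            Rule("Intranet", weight=2, demand=500),
            Rule("Internet", weight=1, demand=500),
        ]),
        Rule("Bulk", weight=1, limit=60, demand=2000),
    ]


def demo(capacity: float = 900) -> Dict[str, float]:
    """Allocation on a fully backlogged 900-unit link (every rule has more to send)."""
    return schedule(sample_policy(), capacity)


if __name__ == "__main__":
    for name, bw in demo().items():
        print(f"{name:<9} {bw:7.1f}")
```

On the fully backlogged link `demo()` gives VoIP 300, ERP 360, Web 180 (Intranet 120, Internet 60) and Bulk 60: VoIP receives exactly its reservation, Bulk stops at its limit, the 90 units Bulk could not use are redistributed 2:1 between ERP and Web, and Web's share is split 2:1 again between its sub-rules. If the same policy runs on a quiet link (VoIP sending only 100, say), `share` hands VoIP 100 rather than 300, which is the point of a guarantee as opposed to a static reservation: it is honoured when the rule needs it and does not strand bandwidth when it does not.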
Features and Benefits
QoS provides the following features and benefits:
- Flexible QoS policies with weights, limits and guarantees: QoS enables you to develop basic policies specific to your requirements. These basic policies can be modified at any time to incorporate any of the Advanced QoS features described in this section.
- Integration with the Security Gateway, optimizing network performance for VPN and unencrypted traffic: the integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration.
- Performance analysis through SmartView Tracker: monitor the performance of your system by means of log entries recorded in SmartView Tracker.
- Integrated DiffServ support: add one or more Diffserv Classes of Service to the QoS Policy Rule Base.
- Integrated Low Latency Queuing: define special classes of service for "delay sensitive" applications like voice and video to the QoS Policy Rule Base.
- Integrated Authenticated QoS: provide QoS for end‑users in dynamic IP environments, such as remote access and DHCP environments.
- Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA protocol.
- No need to deploy separate VPN, Firewall and QoS devices: QoS and Firewall share a similar architecture and many core technology components, therefore users can utilize the same user-defined network objects in both solutions.
- Proactive management of network costs: QoS's monitoring systems enable you to be proactive in managing your network and thus controlling network costs.
- Support for end-to-end QoS for IP networks: QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.
Traditional QoS vs. QoS Express
Both the Traditional and Express modes are included in each product installation. The Express mode lets you define basic policies quickly and easily to "get up and running". The Traditional mode incorporates the QoS advanced features. You can choose Traditional or Express each time you install a new policy.
This table compares the features of the Traditional and Express modes of QoS. An asterisk (*) means the feature is available in that mode.

| Feature | QoS Traditional | QoS Express | Find out more... |
|---|---|---|---|
| Weights | * | * | Weight |
| Limits (whole rule) | * | * | Limits |
| Authenticated QoS | * |  | Authenticated QoS |
| Logging | * | * | Overview of Logging |
| Accounting | * | * |  |
| Supported by UTM-1 Edge Gateways |  | * | R75.40VS UTM-1 Edge Administration Guide |
| Support of platforms and HW accelerator | * | * |  |
| High Availability and Load Sharing | * | * |  |
| Guarantee (per connection) | * |  | Per Connection Guarantees |
| Limit (per connection) | * |  | Limits |
| LLQ (controlling packet delay in QoS) | * |  | Low Latency Queuing |
| DiffServ | * |  | Differentiated Services (DiffServ) |
| Sub-rules | * |  |  |
| Matching by URI resources | * |  |  |
| Matching by DNS string | * |  |  |
| TCP Retransmission Detection Mechanism (RDED) | * |  |  |
| Matching Citrix ICA Applications | * |  |  |
Workflow
The following workflow shows both the basic and advanced steps that System Administrators follow for installation, setup and operation.
1. Verify that QoS is installed on the Security Gateway.
2. Start SmartDashboard. See Starting SmartDashboard.
3. Define Global Properties. See Defining QoS Global Properties.
4. Define the gateway network objects.
5. Set up the basic rules and sub-rules governing the allocation of QoS flows on the network. See Editing QoS Rule Bases. After the basic rules have been defined, you may modify them to add any of the more advanced features described in step 8.
6. Implement the Rule Base. See Implementing the Rule Base.
7. Enable log collection and monitor the system. See Enabling Log Collection.
8. Modify the rules defined in step 5 by adding any of the following features:
QoS Architecture
Basic Architecture
The architecture and flow control of QoS are similar to those of the Firewall. QoS has three components:
- SmartConsole
- Security Management Server
- Gateway
The components can be installed on one machine or in a distributed configuration on a number of machines.
The bandwidth policy is created using SmartDashboard. The policy is saved to the Security Management Server, where it is verified, and is then installed on the QoS Gateways using CPD (Check Point Daemon), which runs on both the gateway and the Security Management Server. The QoS gateway uses the Firewall chaining mechanism (see below) to receive, process and send packets. QoS uses a proprietary classifying and rule-matching infrastructure to examine each packet. Logging information is provided through the Firewall kernel API.
QoS Gateway
The major role of the QoS gateway is to implement a QoS policy at network access points and control the flow of inbound and outbound traffic. It includes two main parts:
- QoS kernel driver
- QoS daemon
QoS Kernel Driver
The kernel driver is the heart of QoS operations. It is in the kernel driver that IP packets are examined, queued, scheduled and released, enabling QoS traffic control abilities. Utilizing Firewall kernel services, QoS functionality is a part of the cookie chain, a Check Point infrastructure mechanism that allows gateways to operate on each packet as it travels from the link layer (the machine network card driver) to the network layer (its IP stack), or vice versa.
QoS Daemon (fgd50)
The QoS daemon is a user mode process that performs tasks which are difficult to do in the kernel. It currently performs the following tasks for the kernel (using traps):
- Resolving DNS for the kernel (used for Rule Base matching).
- Resolving Authenticated Data for an IP (using UserAuthority - again for Rule Base matching).
- In CPLS configuration, the daemon updates the kernel of any change in the cluster status. For example, if a cluster member goes down the daemon recalculates the relative loads of the gateways and updates the kernel.
QoS SmartConsole
The QoS SmartConsole is an add-on to the Security Management Server. The Security Management Server, which is controlled by SmartConsole clients, provides general services to QoS and is capable of issuing QoS functions by running QoS command line utilities. It is used to configure the bandwidth policy and control QoS gateways. A single Security Management Server can control multiple QoS gateways running either on the same machine as the Security Management Server or on remote machines. The Security Management Server also manages the Log Repository and acts as a log server for the SmartView Tracker. The Security Management Server is a user mode process that communicates with the gateway using CPD.
The main SmartConsole application is SmartDashboard. By creating "bandwidth rules" in SmartDashboard, system administrators define the network QoS policy to be enforced by QoS.
Other SmartConsole clients are the SmartView Tracker - a log entries browser; and SmartView Status which displays status information about active QoS gateways and their policies.
QoS in SmartDashboard
SmartDashboard is used to create and modify the QoS Policy and define the network objects and services. If both VPN and QoS are licensed, they each have a tab in SmartDashboard.
The QoS Policy rules are shown in the QoS Rule Base.
QoS Configuration
The Security Management Server and the QoS Gateway can be installed on the same machine or on two different machines. When they are installed on different machines, the configuration is known as distributed:
The above figure shows a distributed configuration, in which one management station (a Security Management Server together with a SmartConsole) controls four QoS Gateways, which in turn manage bandwidth allocation on three QoS enabled lines.
A single Security Management Server can control and monitor multiple QoS Gateways. The QoS Gateway operates independently of the Security Management Server. QoS Gateways can operate on additional Internet gateways and interdepartmental gateways.
Client-Server Interaction
SmartConsole and the Security Management Server can be installed on the same machine or on two different machines. When they are installed on two different machines, QoS implements the Client/Server model, in which a SmartConsole controls a Security Management Server running on another workstation.
In the configuration depicted in the above figure, the functionality of the Security Management Server is divided between two workstations (Tower and Bridge). The Security Management Server, including the database, is on Tower. The SmartConsole is on Bridge.
The user, working on Bridge, maintains the QoS Policy and database, which reside on Tower. The QoS Gateway on London enforces the QoS Policy on the QoS enabled line.
The Security Management Server is started with the cpstart command, and must be running if you wish to use the SmartConsole on one of the client machines.
A SmartConsole can manage the Server (that is, run the SmartConsole to communicate with a Security Management Server) only if both the administrator running the SmartConsole and the machine on which the SmartConsole is running have been authorized to access the Security Management Server.
In practice, this means that the following conditions must be met:
Concurrent Sessions
To prevent more than one administrator from modifying a QoS Policy at the same time, QoS implements a locking mechanism. All but one open policy is 'Read Only'.
Interaction with VPN
Interoperability
QoS is installed on the Security Gateway. Because QoS and Firewall share a similar architecture and many core technology components, users can utilize the same user-defined network objects in both solutions. This integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration. Both products can also share state table information which provides efficient traffic inspection and enhanced product performance. QoS, with its tight integration with Firewall, provides the unique ability to enable users that deploy the solutions in tandem to define bandwidth allocation rules for encrypted and network‑address‑translated traffic.
Security Management Server
QoS uses the Security Management Server and shares the objects database (network objects, services and resources) with the Firewall. Some types of objects have properties which are product specific. For example, the Firewall has encryption properties which are not relevant to QoS, and a QoS network interface has speed properties which are not relevant to the Firewall.