Basic Policy Management
Overview
This chapter describes the basic QoS policy management that is required to enable you to define and implement a working QoS Rule Base. More advanced QoS policy management features are discussed in Advanced QoS Policy Management.
Rule Base Management
SmartDashboard Toolbar
You can use the SmartDashboard toolbar to do these actions:
- Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > [option], click this button to open the Manage menu and then select the option.
- Save the current policy and all system objects.
- Open a policy package, which is a collection of Policies saved together with the same name.
- Refresh the policy from the Security Management Server.
- Open the Database Revision Control window.
- Change global properties.
- Verify Rule Base consistency.
- Install the policy on Security Gateways or VSX Gateways.
- Open SmartConsoles.
Overview
QoS policy is implemented by defining an ordered set of rules in the Rule Base. The Rule Base specifies what actions are to be taken with the data packets. It specifies the source and destination of the communication, what services can be used, and at what times, whether to log the connection and the logging level.
The Rule Base comprises the rules you create and a default rule (see Default Rule). The default rule is automatically created with the Rule Base. It can be modified but cannot be deleted. The fundamental concept of the Rule Base is that unless other rules apply, the default rule is applied to all data packets. The default rule is therefore always the last rule in the Rule Base.
An important aspect of Rule Base management is reviewing and paying attention to SmartView Tracker traffic logs.
QoS works by inspecting packets in a sequential manner. When QoS receives a packet belonging to a connection, it compares it against the first rule in the Rule Base, then the second, then the third, and so on. When it finds a rule that matches, it stops checking and applies that rule. If the matching rule has sub-rules the packets are then compared against the first sub-rule, then the second and so on until it finds a match. If the packet goes through all the rules or sub-rules without finding a match, then the default rule or default sub-rule is applied. It is important to understand that the first rule that matches is applied to the packet, not the rule that best matches.
After you have defined your network objects, services and resources, you can use them in building a Rule Base. For installation instructions and instructions on building a Rule Base, see Editing QoS Rules.
The QoS Policy Rule Base concept is similar to the Security Policy Rule Base. General information about Policy Rule Bases can be found in the R77 Security Management Administration Guide.
Note - It is best to organize lists of objects (network objects and services) in groups rather than in long lists. Using groups gives you a better overview of your QoS Policy and leads to a more readable Rule Base. In addition, objects added to groups are automatically included in the rules.
Connection Classification
A connection is classified according to four criteria:
- Source: A set of network objects, including specific computers, entire networks, user groups or domains.
- Destination: A set of network objects, including specific computers, entire networks or domains.
- Service: A set of IP services, TCP, UDP, ICMP or URLs.
- Time: Specified days or time periods.
Network Objects
Network objects serve as the sources and destinations that are defined in QoS Policy rules. The network objects that can be used in QoS rules include workstations, networks, domains, and groups.
For more on network objects, see the R77 Security Management Administration Guide.
User Groups
QoS allows you to define User Groups that are comprised of predefined users. For example, all the users in the marketing department can be grouped together in a User Group called Marketing. When defining a Source in a rule you can then use this group as a possible Source, instead of adding individual users to the Source of the rule.
Services and Resources
QoS allows you to define QoS rules not only based on the source and destination of each communication, but also according to the service requested. The services that can be used in QoS rules include TCP, Compound TCP, UDP, ICMP, Citrix TCP and IP services.
Resources can also be used in a QoS Rule Base. They must be of type URI for QoS.
Time Objects
QoS allows you to define Time objects that are used in defining the time during which a rule is operational. Time objects can be defined for specific times and/or for specific days. The days can further be divided into days of the month or specific days of the week.
Bandwidth Allocation and Rules
A rule can specify three factors to be applied to bandwidth allocation for classified connections:
Weight
Weight is the relative portion of the available bandwidth that is allocated to a rule.
To calculate what portion of the bandwidth the connections matched to a rule receives, use this formula:
this rule's portion = this rule's weight / total weight of all rules with open connections
For example, if this rule's weight is 12 and the total weight of all the rules under which connections are currently open is 120, then all the connections open under this rule are allocated 12/120 (or 10%) of the available bandwidth.
In practice, a rule may get more than the bandwidth allocated by this formula, if other rules are not using their maximum allocated bandwidth.
Unless a per connection limit or guarantee is defined for a rule, all connections under a rule receive equal weight.
Allocating bandwidth according to weights ensures full utilization of the line even if a specific class is not using all of its bandwidth. In such a case, the left over bandwidth is divided among the remaining classes in accordance with their relative weights. Units are configurable, see Defining QoS Global Properties.
Guarantees
A guarantee allocates a minimum bandwidth to the connections matched with a rule.
Guarantees can be defined for:
- the sum of all connections within a rule
A total rule guarantee reserves a minimum bandwidth for all the connections under a rule combined. The actual bandwidth allocated to each connection depends on the number of open connections that match the rule. The total bandwidth allocated to the rule can be no less than the guarantee, but the more connections that are open, the less bandwidth each one receives.
- individual connections within a rule
A per-connection guarantee means that each connection that matches the particular rule is guaranteed a minimum bandwidth.
Although weights do in fact guarantee the bandwidth share for specific connections, only a guarantee allows you to specify an absolute bandwidth value.
Limits
A limit specifies the maximum bandwidth that is assigned to all the connections together. A limit defines a point beyond which connections under a rule are not allocated bandwidth, even if there is unused bandwidth available.
Limits can also be defined for the sum of all connections within a rule or for individual connections within a rule.
For more information on weights, guarantees and limits, see Action Type.
Note - Bandwidth allocation is not fixed. As connections are opened and closed, QoS continuously changes the bandwidth allocation to accommodate competing connections, in accordance with the QoS Policy.
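The interplay of weights, guarantees and limits described above can be worked through numerically. The Python below is an added example written for this page, not Check Point code, and it does not reproduce the QoS engine. It assumes a simple model: guarantees are reserved first, the remainder is shared by weight, and bandwidth a rule cannot use (because of its demand or its limit) is redistributed by weight among the other rules. The RuleShare class, the rule names and all numbers are constructed; the first sample reproduces the 12/120 (10%) case from the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RuleShare:
    """One rule that currently has open connections (constructed model)."""
    name: str
    weight: int
    demand: float                  # bandwidth the rule's open connections could use now
    guarantee: float = 0.0         # rule guarantee, 0 = none (same units as demand)
    limit: Optional[float] = None  # rule limit, None = none

    def cap(self) -> float:
        """The most the rule can be given: its demand, or its limit if lower."""
        return self.demand if self.limit is None else min(self.demand, self.limit)


def allocate(available: float, rules: list[RuleShare]) -> dict[str, float]:
    """Share `available` bandwidth among rules with open connections.

    Step 1 reserves each guarantee (clipped to what the rule can use).
    Step 2 hands out the rest in proportion to weight; a rule that reaches its
    cap drops out and its unused share is redistributed by weight, so a rule
    may end up with more than weight / total weight of the line.
    """
    alloc = {r.name: min(r.guarantee, r.cap()) for r in rules}
    remaining = available - sum(alloc.values())
    if remaining < 0:
        raise ValueError("guarantees exceed the available bandwidth")

    active = [r for r in rules if r.cap() - alloc[r.name] > 1e-9]
    while remaining > 1e-9 and active:
        total_weight = sum(r.weight for r in active)
        pool = remaining
        for r in active:
            share = pool * r.weight / total_weight
            give = min(share, r.cap() - alloc[r.name])  # never exceed demand or limit
            alloc[r.name] += give
            remaining -= give
        active = [r for r in active if r.cap() - alloc[r.name] > 1e-9]
    return alloc


if __name__ == "__main__":
    line = 1000  # constructed: total available bandwidth
    # 12 of 120 total weight -> 10% of the line when everyone has demand
    print(allocate(line, [RuleShare("A", 12, 5000), RuleShare("B", 108, 5000)]))
    # B only needs 300, so A receives far more than its 10% share
    print(allocate(line, [RuleShare("A", 12, 5000), RuleShare("B", 108, 300)]))
    # A limited to 200: 500 of the line stays unused even though A has demand
    print(allocate(line, [RuleShare("A", 12, 5000, limit=200), RuleShare("B", 108, 300)]))
    # C guaranteed 400 despite a tiny weight; the remaining 600 is shared by weight
    print(allocate(line, [RuleShare("C", 1, 5000, guarantee=400), RuleShare("D", 99, 5000)]))
```

Only rules that currently have open connections should be passed in, because the text defines the weight share over exactly that set; a rule with no demand contributes nothing to the total weight in this model.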
Default Rule
A default rule is automatically added to each QoS Policy Rule Base, and assigned the weight specified in the QoS page of the Global Properties window. You can modify the weight, but you cannot delete the default rule (see Weight).
The default rule applies to all connections not matched by the other rules or sub-rules in the Rule Base.
In addition, a default rule is automatically added to each group of sub-rules, and applies to connections not classified by the other sub-rules in the group (see To Verify and View the QoS Policy).
QoS Action Properties
In the QoS Action Properties window you can define bandwidth allocation properties, limits and guarantees for a rule.
Action Type
By this stage, you should already have decided whether your policy is Traditional mode or Express mode, see Traditional QoS vs. QoS Express.
You can select one of the Action Types shown in the table below. The table also shows which Action Types are available in Traditional mode and in Express mode.

Action Types Available

Action Type | Traditional Mode | Express
Simple | Yes | Yes
Advanced | Yes | No
Simple
The following actions are available:
- Apply rule to encrypted traffic only
- Rule weight
- Rule limit
- Rule guarantee
Advanced
The same actions that are available in Simple mode are available in Advanced mode with the addition of the following:
- Per connection limit
- Per rule guarantee
- Per connection guarantee
- Number of permanent connections
- Accept additional connections
Example of a Rule Matching VPN Traffic
VPN traffic is traffic that is encrypted by the Security Gateway on this gateway itself. VPN traffic does not refer to traffic that was encrypted by a non-Check Point product before arriving at this gateway; that type of traffic can be matched using the IPSec service.
When Apply rule only to encrypted traffic is checked in the QoS Action Properties window, only VPN traffic is matched to the rule. If this field is not checked, all types of traffic (both VPN and non-VPN) are matched to the rule.
Use the Apply rule only to encrypted traffic field to build a Rule Base in which the QoS actions defined for VPN traffic differ from the actions applied to non-VPN traffic. Because QoS uses the First Rule Match concept, the VPN traffic rules should be defined as the top rules in the Rule Base, and the rules that apply to all types of traffic should be defined below them. Other types of traffic skip the top rules and match one of the non-VPN rules defined below the VPN traffic rules. To completely separate VPN traffic from non-VPN traffic, define the following rule at the top of the QoS Rule Base:
VPN Traffic Rule

Name | Source | Destination | Service | Action
VPN rule | Any | Any | Any | VPN Encrypt, and other configured actions
All the VPN traffic is matched to this rule. The rules following this VPN Traffic Rule are then matched only by non-VPN traffic. You can define sub-rules below the VPN Traffic rule that classify the VPN traffic more granularly.
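The first-match behaviour described in the Overview (the first rule that matches wins, not the best match; sub-rules are searched the same way; no match means the default rule) and the placement of the VPN Traffic Rule at the top of the Rule Base can both be seen in one small model. The Python below is an added example written for this page; it is not Check Point code and does not reproduce the QoS engine. The Rule and Connection classes, the ANY wildcard, the encrypted flag and the rule names are constructed for illustration, and shadowed_rules is a constructed pre-install heuristic, not the product's Policy > Verify check.

```python
from dataclasses import dataclass, field

# Constructed model of a QoS Rule Base (not the Check Point engine). "Any" matches
# every value; a level with no matching rule falls through to its default rule.
ANY = "Any"
DEFAULT = "Default"


@dataclass
class Connection:
    source: str
    destination: str
    service: str
    encrypted: bool = False  # True when this gateway encrypts the traffic (VPN)


@dataclass
class Rule:
    name: str
    source: str = ANY
    destination: str = ANY
    service: str = ANY
    encrypted_only: bool = False  # "Apply rule only to encrypted traffic"
    sub_rules: list["Rule"] = field(default_factory=list)

    def criteria(self) -> tuple[str, str, str]:
        return (self.source, self.destination, self.service)

    def matches(self, conn: Connection) -> bool:
        if self.encrypted_only and not conn.encrypted:
            return False
        have = (conn.source, conn.destination, conn.service)
        return all(want in (ANY, got) for want, got in zip(self.criteria(), have))


def classify(conn: Connection, rules: list[Rule]) -> list[str]:
    """Chain of rule names applied to conn, one per nesting level.

    Rules are tried in order and the FIRST match wins (not the most specific).
    A matching rule with sub-rules is then searched the same way; no match at a
    level means that level's default rule.
    """
    for rule in rules:
        if rule.matches(conn):
            tail = classify(conn, rule.sub_rules) if rule.sub_rules else []
            return [rule.name] + tail
    return [DEFAULT]


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Constructed pre-install heuristic: names of rules at this level that can
    never match because an earlier rule accepts every connection they would."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            covers = all(e in (ANY, l) for e, l in zip(earlier.criteria(), later.criteria()))
            # An encrypted-only rule only shadows another encrypted-only rule.
            if covers and (not earlier.encrypted_only or later.encrypted_only):
                found.append(later.name)
                break
    return found


# Constructed Rule Base: the VPN rule sits first so VPN traffic never reaches the
# general rules; "Client-1 ftp" is deliberately placed after a broader ftp rule.
RULE_BASE = [
    Rule("VPN rule", encrypted_only=True, sub_rules=[Rule("VPN ftp", service="ftp")]),
    Rule("Web", service="http"),
    Rule("All ftp", service="ftp"),
    Rule("Client-1 ftp", source="Client-1", service="ftp"),
]

if __name__ == "__main__":
    for conn in (Connection("Client-1", "Server", "ftp", encrypted=True),
                 Connection("Client-1", "Server", "http", encrypted=True),
                 Connection("Client-1", "Server", "ftp"),
                 Connection("Client-2", "Server", "smtp")):
        print(conn, "->", " / ".join(classify(conn, RULE_BASE)))
    print("shadowed:", shadowed_rules(RULE_BASE))
```

The "Client-1 ftp" rule is never applied even though it describes Client-1's ftp traffic more precisely than "All ftp": first match, not best match. Reordering the two rules is the fix, and the shadowing check catches the mistake before the policy is installed.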
Bandwidth Allocation and Sub-Rules
When a connection is matched to a rule with sub-rules, a further match is sought among the sub-rules. If none of the sub-rules apply, the default rule for the specific group of sub-rules is applied (see Default Rule).
Sub-rules can be nested, meaning that sub-rules themselves can have sub-rules. The same rules then apply to the nested sub-rules. If the connection matches a sub-rule that has sub-rules itself, a further match is sought among the nested sub-rules. Again if none of the sub-rules apply, the default rule for the specific group of sub-rules is applied.
Bandwidth is allocated top-down. This means that a sub-rule cannot allocate more bandwidth to a matching connection than the rule in which the sub-rule is located. A nested sub-rule, therefore, cannot allocate more bandwidth than the sub-rule in which it is located.
A Rule Guarantee must likewise always be greater than or equal to the Rule Guarantee of any sub-rule within that rule. The same applies to Rule Guarantees in sub-rules and their nested sub-rules, as shown in the following example.
Example: Bandwidth Allocation in Nested Sub-Rules

Rule Name | Source | Destination | Service | Action
Rule A | Any | Any | ftp | Rule Guarantee - 100KBps, Weight 10
  Start of Sub-Rule A
  Rule A1 | Client-1 | Any | ftp | Rule Guarantee - 100KBps, Weight 10
    Start of Sub-Rule A1
    Rule A1.1 | Any | Any | ftp | Rule Guarantee - 80KBps, Weight 10
    Rule A1.2 | Any | Any | ftp | Weight 10
    End of Sub-Rule A1
  Rule A2 | Client-1 | Any | ftp | Weight 10
  End of Sub-Rule A
Rule B | Any | Any | http | Weight 30
In this example any extra bandwidth from the application of Rule A1.1 is applied to Rule A2 before it is applied to Rule A1.2.
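The top-down constraint in this example (a rule's guarantee bounds the guarantee of every sub-rule beneath it, at every nesting level) is easy to check mechanically before a policy is installed. The Python below is an added example written for this page, not Check Point's Policy > Verify check. The QoSRule class and the check functions are constructed; EXAMPLE encodes the table above, and BAD is a constructed variant that breaks the constraint. It assumes that a sub-rule with a guarantee under a rule with no guarantee also violates the constraint, and that a sub-rule's limit may not exceed its parent's limit (the top-down allocation rule applied to limits).

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class QoSRule:
    """A rule or sub-rule with its bandwidth settings (constructed model)."""
    name: str
    guarantee: Optional[float] = None  # Rule Guarantee in KBps (None = none)
    limit: Optional[float] = None      # Rule Limit in KBps (None = none)
    sub_rules: list["QoSRule"] = field(default_factory=list)


def check_hierarchy(rule: QoSRule, parent: Optional[QoSRule] = None) -> list[str]:
    """Report every sub-rule that reserves or caps more bandwidth than the rule
    containing it, walking the whole tree so nested sub-rules are covered too."""
    problems: list[str] = []
    if parent is not None:
        # Assumption: a parent without a guarantee reserves 0 KBps, so any
        # sub-rule guarantee beneath it is flagged.
        parent_g = parent.guarantee or 0.0
        if rule.guarantee is not None and rule.guarantee > parent_g:
            problems.append(f"{rule.name}: guarantee {rule.guarantee} KBps exceeds "
                            f"{parent.name} guarantee {parent_g} KBps")
        # A missing parent limit means no cap, so only compare when both are set.
        if (rule.limit is not None and parent.limit is not None
                and rule.limit > parent.limit):
            problems.append(f"{rule.name}: limit {rule.limit} KBps exceeds "
                            f"{parent.name} limit {parent.limit} KBps")
    for sub in rule.sub_rules:
        problems += check_hierarchy(sub, rule)
    return problems


def check_rule_base(rules: list[QoSRule]) -> list[str]:
    """Run the hierarchy check over every top-level rule of a Rule Base."""
    return [p for top in rules for p in check_hierarchy(top)]


# The table from the text: valid, because 100 >= 100 >= 80 along the Rule A path.
EXAMPLE = [
    QoSRule("Rule A", guarantee=100, sub_rules=[
        QoSRule("Rule A1", guarantee=100, sub_rules=[
            QoSRule("Rule A1.1", guarantee=80),
            QoSRule("Rule A1.2"),
        ]),
        QoSRule("Rule A2"),
    ]),
    QoSRule("Rule B"),
]

# Constructed invalid variant: A1.1 reserves more than A1, and A2 is capped
# higher than the rule that contains it.
BAD = [
    QoSRule("Rule A", guarantee=100, limit=500, sub_rules=[
        QoSRule("Rule A1", guarantee=100, sub_rules=[
            QoSRule("Rule A1.1", guarantee=120),
            QoSRule("Rule A1.2"),
        ]),
        QoSRule("Rule A2", limit=600),
    ]),
    QoSRule("Rule B"),
]

if __name__ == "__main__":
    print("example:", check_rule_base(EXAMPLE) or "ok")
    for problem in check_rule_base(BAD):
        print("bad:", problem)
```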
Implementing the Rule Base
When you have defined the desired rules, you should perform a heuristic check on the Rule Base to check that the rules are consistent. If a Rule Base fails the verification, an appropriate message is displayed.
You must save the Policy Package before verifying. Otherwise, changes made since the last save will not be checked.
After verifying the correctness of the Rule Base, it must be installed on the QoS Gateways that will enforce it. When you install a QoS Policy, the policy is downloaded to these QoS Gateways. There must be a QoS gateway running on the object which receives the QoS Policy.
Note - The QoS gateway machine and the SmartConsole gateway machine must be properly configured before a QoS Policy can be installed.
To Verify and View the QoS Policy
- Select Policy>Verify to perform a heuristic check on the Rule Base to check that the rules are consistent.
- Select Policy>View to view the generated rules as ASCII text.
To Install and Enforce the Policy
To install and enforce the QoS policy:
- Once the rule base is complete, from the Policy menu, select Install. The Install Policy window is displayed. Specify the QoS gateways on which you would like to install your new QoS policy. By default, all QoS gateways are already selected. (In order for an object to be a QoS gateway, it needs to have QoS checked under Check Point Products in the Object Properties window).
The objects in the list are those that have QoS Installed checked in their definition (see Specifying Interface QoS Properties).
You may deselect and reselect specific items, if you wish. The QoS Policy is not installed on unselected items.
- Click OK to install the QoS Policy on all selected hosts. The installation progress window is displayed.
To Uninstall the QoS Policy
You can uninstall the QoS Policy from any or all of the QoS gateways on which it is installed.
- Choose Uninstall from the Policy menu to remove the QoS Policy from the selected QoS gateway. The Install Policy window is displayed.
- Deselect those QoS gateways from which you would like to uninstall the QoS policy.
- Click OK.
To Monitor the QoS Policy
SmartView Monitor allows you to monitor traffic through a QoS interface. For more, see the R77 SmartView Monitor Administration Guide.