FAQ
QoS Basics
When should I use Traditional mode and when should I use Express mode? — Traditional mode should be used if you need fine-tuned functionality and enhanced QoS features. Express mode should be selected if your system requires only basic QoS.
What are the benefits of using each mode? — Traditional mode provides you with optimal QoS functionality, whereas Express mode increases performance and needs less CPU and less memory.
Can I change from Express mode to Traditional mode and vice versa? — You can change a policy from Express mode to Traditional mode; however, you cannot change a policy from Traditional mode to Express mode. Therefore, if you are unsure which to use, it is recommended that you begin with Express mode, keeping the option to move to Traditional mode if you later find that your policy requires enhanced QoS functionality.
What is the highest weight I can use in a rule? — Weights are relative. The only limitation is the "Maximum weight of rule" parameter, which is defined in the Global Properties window under QoS. The default value is 1000, but it can be changed to any number.
Note - This parameter is only used to assist in input validation.
In the example shown here:

Example of Highest Weight Differentiation

Policy | Weights | HTTP gets | ...and equals | Comment
Policy 1 | HTTP weight = 500, FTP weight = 500 | 500/(500+500) | ½ | Equal weight is given to each rule.
Policy 2 | HTTP weight = 2, FTP weight = 2 | 2/(2+2) | ½ | Equal weight is given to each rule.
Policy 1 + third rule | HTTP weight = 500, FTP weight = 500, SMTP weight = 100 | 500/(500+500+100) | 500/1100 | Due to the initial high value of the weights in Policy 1, the amount of bandwidth available to the HTTP connection is only marginally less than in Policy 1 even after the introduction of the third rule.
Policy 2 + third rule | HTTP weight = 2, FTP weight = 2, SMTP weight = 100 | 2/(2+2+100) | 2/104 | Due to the low value of the weights in Policy 2, the amount of bandwidth available to the HTTP connection is now significantly less as a result of the introduction of the third rule.
You can see the significance of the value of the weight allocated in two different policies. In the example both the HTTP and FTP connections initially enjoy an equal share of the available bandwidth, although they each had a weight of 500 in Policy 1 and a weight of 2 in Policy 2.
By adding a third rule to both policies you can significantly change the result. For example, an SMTP connection with a weight of 100 can be added to each policy. Due to the high initial weights used in Policy 1, there is an insignificant change to the amount of bandwidth available for the HTTP connection in Policy 1 + third rule. However, due to the low initial weights used in Policy 2, the amount of bandwidth that is available to the HTTP connection in Policy 2 + third rule is significantly reduced.
Should I install QoS on the external or the internal interface? — While QoS can run on both interfaces, it is highly recommended to position QoS on the external interface only.
What is the difference between guarantees and weights? — Guarantees and weights are similar in their behavior. Despite the difference in their dictionary meaning, they both guarantee the allocated bandwidth to the matched traffic. The differences between them are:
- Guarantees are stated in absolute numbers (for example, 20000bps) and weights are stated in relative numbers (for example, 100).
- Guarantees are allocated their share of bandwidth before weights. For example, if you have a link of 1.5 MB and your Rule Base is:
  - HTTP Guarantee 1Mb
  - FTP Weight 40
  - SMTP Weight 10
  The result is:
  - first, 1 MB is allocated for HTTP, then
  - 0.4 MB is allocated for FTP and 0.1 MB for SMTP.
Use guarantees to define bandwidth in absolute terms or for per-connection guarantees.
How does QoS handle TCP retransmitted packets? — When a retransmission is detected, QoS checks to see if the retransmitted data is already contained in the QoS queue. If so, the packet is dropped. This unique QoS capability eliminates retransmissions that consume up to 40% of a WAN link, and saves memory required to store duplicated packets.
Which Firewall resources does QoS support in the Rule Base? — QoS can use its resources to inspect HTTP traffic. Resources are defined using the URI for QoS option and can contain specific URLs or files. For example, you can limit Web surfing to the site http://www.restrict-access-to-this-site.com. You need to add a QoS URI resource that looks for the string "www.restrict-access-to-this-site.com" (without http://). Then use the resource in a QoS rule and add a limit.
Do guarantees waste bandwidth? — No. QoS uses a sophisticated queuing mechanism. An application only takes as much bandwidth as it needs. Any unused bandwidth is then available for use by other applications.
How do I know if loaned bandwidth is available for applications that may need it back? — There is no loaned bandwidth in QoS. Bandwidth that is not utilized by a guarantee/weighted rule is immediately (on a per-packet basis) distributed to the other connections, according to their relative priorities. The important concept here is resolution (the level of granularity). QoS allocates bandwidth on a per-packet basis. Therefore, only one packet is allocated at a time, resulting in the most accurate scheduling policy.
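The allocation order described in the weight example, the guarantees-before-weights answer and the "no loaned bandwidth" answer above can be worked through in code. This is an added illustration, not Check Point's scheduler; the `Rule` fields and the `demand` value (how much the matched traffic actually wants) are assumptions used to model unused bandwidth being handed back.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    guarantee: int = 0            # absolute bps reserved before any weight is considered
    weight: int = 0               # relative share of what is left (weight / sum of weights)
    demand: Optional[int] = None  # assumed: bps the traffic actually uses; None = unlimited


def allocate(link_bps: int, rules: List[Rule]) -> Dict[str, Fraction]:
    """Return the bps each rule receives: guarantees first, then the remainder
    split by weight, with bandwidth a rule does not use redistributed to the
    other weighted rules (the FAQ's 'no loaned bandwidth' behaviour)."""
    alloc = {r.name: Fraction(0) for r in rules}
    remaining = Fraction(link_bps)
    # Step 1: guarantees, capped by the link and by what the traffic uses.
    for r in rules:
        g = min(Fraction(r.guarantee), remaining)
        if r.demand is not None:
            g = min(g, Fraction(r.demand))
        alloc[r.name] += g
        remaining -= g
    # Step 2: weighted share of the remainder. A rule needing less than its
    # share is capped at its demand and dropped from the active set; the
    # leftover is re-split among the rules still active.
    active = [r for r in rules if r.weight > 0]
    while active and remaining > 0:
        total = sum(r.weight for r in active)
        pool = remaining
        capped = []
        for r in active:
            share = pool * r.weight / total
            if r.demand is not None and alloc[r.name] + share >= r.demand:
                share = Fraction(r.demand) - alloc[r.name]
                capped.append(r)
            alloc[r.name] += share
            remaining -= share
        if not capped:
            break
        active = [r for r in active if r not in capped]
    return alloc


def http_share(weights: Dict[str, int]) -> Fraction:
    """Fraction of the link HTTP gets under a pure-weight policy (link = 1)."""
    return allocate(1, [Rule(n, weight=w) for n, w in weights.items()])["HTTP"]


if __name__ == "__main__":
    print(http_share({"HTTP": 500, "FTP": 500, "SMTP": 100}))  # 5/11
    print(http_share({"HTTP": 2, "FTP": 2, "SMTP": 100}))      # 1/52
    print(allocate(1_500_000, [Rule("HTTP", guarantee=1_000_000),   # the FAQ's 1.5 Mb link
                               Rule("FTP", weight=40), Rule("SMTP", weight=10)]))
```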
Other Check Point Products - Support and Management
Where is QoS placed in the Multi-Domain Security Management Inspection chain? — QoS is composed of two components:
- QoS Policy, which is in charge of rule matching
- QoS Scheduling, which is in charge of packet scheduling
Does QoS work With Multi-Domain Security Management? — Yes. One of QoS's most important features is its unique and sophisticated integration with Multi-Domain Security Management. Its integration features include:
- accurate classification of VPN traffic (inside the VPN tunnel)
- classification of NATed traffic
- shared network objects and topology (that save you time and effort in administration)
- common SmartDashboard with an advanced GUI but a familiar look and feel
- authenticated Quality of Service allows you to assign bandwidth to VPN remote users
- DiffServ Support and QoS bring Better than Frame Relay QoS to the VPN world
- log verification
Is SmartView Monitor a part of QoS? — No. As of NG with Application Intelligence (R55), SmartView is a separate product that is bundled with QoS.
Does QoS support Load Sharing configurations? — Yes, QoS supports all ClusterXL configurations. QoS supports the SYNC mechanism and therefore can be used with CPLS/CPHA or third-party solutions. For OPSEC partner solutions, see the OPSEC Website.
Does QoS support NATed traffic? — QoS has full support for NATed traffic, including matching, scheduling, limiting and all other QoS features.
What is the maximum number of QoS gateways I can manage? — QoS gateway management is identical to that for any gateway. Thus, the maximum number of gateways is identical to the maximum number of gateways that are managed.
Do I need to run QoS on the Security Management Server? — Yes, in order to manage a QoS gateway you need to install QoS on the Security Management Server.
Policy Creation
When should I use LLQ (Low Latency Queuing)? — LLQ is best suited for VoIP applications, Video conferencing and other multimedia applications. LLQ is targeted for applications where:
- a minimal guaranteed bandwidth is required for adequate performance
- low delay and Jitter are required
Is the QoS Rule Base "first match"? — From QoS NG forward, all QoS rules are matched on the "first match" principle. This means that only the first rule that applies to a connection is activated.
For example, if you have a rule for CEO traffic and a rule for HTTP traffic, the rule that appears first within the Rule Base will be matched to all CEO surfing.
Correct Rule Base (CEO is the first match)
- SRC=CEO => Guarantee = 128Kbps
- Service=HTTP => Limit = 64Kbps
Incorrect Rule Base (CEO traffic will be limited)
- Service=HTTP => Limit = 64Kbps
- SRC=CEO => Guarantee = 128Kbps
I am using QoS on multiple gateways. What is the best way to organize my Rule Base? — It depends on whether the gateways have the same bandwidth and whether you want the same policy on all of them:
- If you are managing gateways with identical bandwidth and you want an identical policy for all gateways, set the Install On field to All.
- If you are managing gateways with varied bandwidths and want an identical policy for all gateways, you can have one policy installed on all gateways. It is best to use weights, since they assign relative bandwidth rather than a fixed amount. Remember that weights also guarantee bandwidth allocation.
- If you are managing gateways with varied bandwidths and want a different policy for each gateway, you can use different sub-rules for each gateway. You can also use common rules that are matched on all gateways.
When should I use Sub-rules? — Sub-rules should be used when there is a hierarchy between objects. For example, use them when you want to manage bandwidth according to organizational structure, such as within an organization that has R&D, Marketing and Operations divisions.
How can I see the top bandwidth-hogging applications? — From the command line run the command rtmtopsvc.
Capacity Planning
What are QoS's memory requirements? — To run QoS, the following amount of free memory is needed (in addition to the memory needed for Multi-Domain Security Management):
QoS memory requirements

Number of connections | Management | Gateway (or Management and gateway)
5,000 | 0 MB | 32.5 MB
10,000 | 0 MB | 39 MB
25,000 | 0 MB | 57 MB
50,000 | 0 MB | 91 MB
100,000 | 0 MB | 156 MB
- These numbers include SmartView Monitor and UserAuthority.
- Connections are counted in the Firewall connection table.
- Note that the default size for the connection table is 25,000.
- On average, each connection requires 1300 bytes.
How do I know which machine I need to run QoS? — Deciding on a hardware platform and vendors involves many aspects and each buyer has their own specific considerations such as support, price, appliances, knowledge, and so on.
As far as performance is concerned, CPU performance is the main factor in QoS performance. With QoS's reduced memory footprint and 2003 memory prices, memory should not usually be the cause of a bottleneck.
How do I tune QoS performance? — Here are some tips on fine-tuning QoS performance:
- Upgrade to the newest QoS version available. Major improvements in performance have been introduced in QoS NG FP1 and NG FP2.
- In most cases you need to install QoS only on the external interfaces of the gateway.
- Unless you are using limits for inbound traffic, installing QoS only in the outbound direction will provide you with most of the functionality and improvements.
- Put more frequent rules at the top of your Rule Base. You can use SmartView Monitor to analyze how much a rule is used.
- Turn "per connection limits" into "per rule limits".
- Turn "per connection guarantees" into "per rule guarantees".
What is the maximum bandwidth supported by QoS? — QoS NG FP1 can support up to 1.13MBps and 890MBps (in Traditional Mode) of traffic consisting of long UDP packets. With real-world traffic and a real Rule Base, QoS supports 330MBps (in Express Mode) and 255 MBps (in Traditional Mode) of traffic.
Protocol Support
What protocols/services are supported by QoS? — See: http://www.checkpoint.com/products/downloads/vpn-1_fw-1_fg-1_app_support.pdf
Note - New services and applications are added on an ongoing basis.
Can I prioritize system administration traffic? — Yes. This can be done in any of the following ways:
- Guarantees for administrators based on authentication
- Guarantees for administrators based on IPs, networks
- Guarantees for applications only administrators use (for example, Multi-Domain Security Management control protocols, PC-Anywhere)
- Combinations of all the above
Does QoS support Citrix applications? — Yes, Citrix applications can be differentiated from one another. In addition, QoS can identify Citrix ICA printing traffic and re-classify it to a proper rule.
Does QoS support SIP? — Yes. Starting from QoS FP2, the SIP protocol is supported.
Does QoS support H.323? — Yes. Starting from QoS FP1, the H.323 protocol is supported.
Does QoS support GRE? — Yes. This protocol is supported.
Installation/Backward Compatibility/Licensing/Versions
When will the next QoS feature pack be available? — QoS feature packs/releases are usually shipped at the same time as Multi-Domain Security Management feature packs.
How do I?
How do I guarantee performance for my mail server? — You need to add a rule matching your email traffic. You can do this by either matching the source/destination of your mail server, or matching mail protocols (SMTP, POP3, Exchange). For this rule, define a weight or guarantee that meets the needs of the priorities you want to set.
How do I ensure Quality of Service for Voice Over IP? — QoS FP1 introduced the VoIP-tuned mechanism Low Latency Queuing (LLQ). This mechanism is tuned to achieve the lowest latency for constant bit rate applications, like VoIP.
To limit the number of connections admitted, use LLQ with a per connection guarantee. For voice, you want to give each conversation a guaranteed bandwidth. Usually you would want an admission policy that does not accept additional calls if bandwidth is not adequate.
Note - This is equivalent to the busy tone in old voice systems.
How can I prioritize traffic for remote users? — Using the Authenticated QoS feature of QoS, you can prioritize bandwidth allocation for remote VPN users and Windows domain user groups.
How do I guarantee performance for my ERP applications? — You need to add a rule matching your ERP traffic. You can do this by either matching the source/destination of your ERP server, or matching application protocols (SAP, BAAN, ORACLE). For this rule, define a weight or guarantee that meets the needs of the priorities you want to set. If your ERP application is not a predefined service, you can either add it manually or use the first method.
If you are using ERP over HTTP, see "How can I provide bandwidth for my intranet applications?"
Can I use QoS to prevent Denial of Service Attacks? — QoS is not primarily an anti-Denial of Service tool. However, there are many situations in which QoS can be used to detect, monitor and prevent such attacks. Using SmartView Monitor and QoS you can perform detection and monitoring.
Prevention can be achieved in the following ways:
- by limiting applications that are known to be a part of DoS attacks (for example, ICMP, suspicious URLs).
- by providing guarantees for important traffic (for example, ERP, MAIL, VoIP).
- by providing guaranteed bandwidth for authenticated users using Authenticated QoS. Authenticated users can be identified with digital signatures and can rely on VPN authentication and encryption. QoS guarantees that these users will get their bandwidth. The attacker cannot authenticate to the VPN and will not get bandwidth for the attack.
Why is limiting bandwidth for Napster better than blocking it? — Blocking "non-work-related" applications might cause users to find a way to bypass the block. Prioritizing bandwidth lets users continue with their activities without damaging critical business processes. Consider a university where the Internet connection is being used for peer-to-peer file downloads like Napster and Kazaa. Blocking these services completely may encourage the students to find a smart way to bypass the block, which in turn might cause legal problems. QoS offers smarter solutions:
- Limiting the allocated bandwidth for such applications – this can be done with or without the students' knowledge.
- Limiting the allocated bandwidth during daytime, and providing more bandwidth at night.
- Providing guarantees to important users (Professors, MIS) while allowing students to use the remainder of the bandwidth.
General Issues
My machine is experiencing certain technical failures. What should I do? — Check the Web for updated release notes on known issues and limitations. Contact your vendor for further support.
I set up a guarantee/limit, but in SmartView Monitor it seems to be broken? — If you are looking at a very low traffic limit (for example, 1000 Bytes per second) at a high frequency (update every 2 seconds), it might look as if the limit is broken, since QoS does not fragment packets. If you lower the sampling frequency of SmartView Monitor (update every 8 seconds), you will see that limits are kept.
Can QoS prompt a user for authentication in order to use the Authenticated QoS feature? — No. In order to use Authenticated QoS, Multi-Domain Security Management must perform an authentication session prior to the classification of the connection by QoS.
Can I deploy QoS in LAN environments? — Yes. You will need to position the hardware to support the network traffic you want to prioritize. QoS is best deployed at congestion points for network traffic.
What happens if a line's bandwidth (as defined in the QoS tab of the Interface Properties window) is less than its physical ("real") bandwidth? — QoS will only allocate as much bandwidth as is defined in the Interface Properties window. Additional bandwidth will not be allocated regardless of the physical bandwidth of the interface.
What happens if a link bandwidth (of the link defined in QoS) is more than its physical ("real") bandwidth? — QoS will attempt to transmit more than the physical bandwidth allows. This can cause random traffic drops in the next hop that result in the loss of critical packets.