Introduction to QoS

In This Section: Important The Check Point QoS Solution QoS Deployment QoS Architecture Interaction with VPN

Important

This guide is only for R80.10 and higher.

The Check Point QoS Solution

QoS is a policy based bandwidth management solution that lets you:

• Prioritize business-critical traffic, such as ERP, database and Web services traffic, over lower priority traffic.
• Guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing.
• Give guaranteed or priority access to specified employees, even if they are remotely accessing network resources.

You deploy QoS with the Security Gateway. QoS is enabled for both encrypted and unencrypted traffic.

Item	Description
1	SmartConsole
2	Security Management Server
3	QoS Policy
4	Security Gateway with QoS Software Blade
5	Internet
6	Internal network

QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check Point patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic. This state information is used to classify traffic by service or application. After traffic has been classified, QoS applies an innovative, hierarchical, Weighted Fair Queuing (WFQ) algorithm to accurately control bandwidth allocation.

Features and Benefits

QoS gives these features and benefits:

• Flexible QoS policies with weights, limits and guarantees

  QoS lets you create basic policies that can be modified to include the Advanced QoS features described in this section.

• Integration with the Security Gateway

  The integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration. This lets you optimize network performance for VPN and unencrypted traffic

• Performance analysis
• Monitor system performance with the Logs & Monitor features in SmartConsole.
• Integrated DiffServ support

  Add one or more Diffserv Classes of Service to the QoS Policy Rule Base.

• Integrated Low Latency Queuing

  Define special classes of service for "delay sensitive" applications like voice and video to the QoS Policy Rule Base.

• No need to deploy separate VPN, Firewall and QoS devices

  QoS and Firewall share a common architecture and many core technology components. User-defined network objects can be used in both solutions.

• Proactive management of network costs

  QoS monitoring systems let you to be proactive in managing your network and controlling network costs.

• Support for end-to-end QoS for IP networks

  QoS offers full support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.

• CoreXL and SecureXL support

  Packet acceleration. IPv6 Support.

QoS Policy Types

R80.30 includes two QoS Policy types:

• Express - Quickly create basic QoS Policies
• Recommended - Create advanced Policies with the full set of QoS features

This table shows the difference between the Recommended and Express policy types.

Features	Recommended	Express	To learn more
IPv6 Support
Weights			Weight
Limits (whole rule)			Limits
Logging			Overview of Logging
Accounting	*
Support for UTM-1 Edge Gateways
Support for hardware acceleration
High Availability and Load Sharing
Guarantees (Per connection)			Guarantees
Limits (Per connection)			Limits
LLQ (controlling packet delay in QoS)			Low Latency Queuing
DiffServ			Differentiated Services (DiffServ)
Sub-rules
Matching by URI resources
Matching by DNS string
SecureXL support
CoreXL support
SmartLSM clusters

* You must disable SecureXL and CoreXL before you can use this feature.

To select a QoS Policy type:

1. In SmartConsole menu, click Manage policies and layers.
2. In the Manage Policies window, click New or select an existing Policy and then click Edit.
3. Select QoS, and then select Recommended or Express.

Acceleration Support for R77 Policies

After a clean install or upgrade to R80.30, QoS supports SecureXL and CoreXL acceleration technologies.

Important: After a clean install or upgrade, SecureXL and CoreXL are enabled by default. If you have a QoS policy created for R77 and earlier, these features are not supported when acceleration is enabled:

• IPSO
• Security Gateways below R77.10
• SmartView Monitor - QoS views do not correctly show traffic accelerated by SecureXL

To use these features you must disable QoS.

Workflow

This topic shows a high-level workflow for creating an effective QoS Policy.

Note: QoS must be enabled on the gateway and at least one interface for the workflow to succeed. If QoS is not enabled on at least one interface, Install Policy will fail.

Do these steps in SmartConsole:

1. Enable QoS for each applicable Security Gateway.
2. Configure QoS Global Properties.
3. Create or change a QoS Policy.
4. Configure log collection and system monitoring for QoS.
5. Publish the changes.

Do these steps in SmartDashboard:

1. Define the gateway networks, services and other related objects.
2. Define QoS rules (basic and advanced).
3. Configure specialized QoS features:
   1. Differentiated Services (DiffServ)
   2. Low Latency Queuing

Go back to SmartConsole to do these steps:

1. Publish the changes.
2. Install Policy.

   Note: In the SmartConsole Install Policy window, make sure you select QoS.

   See Implementing the Rule Base.