This section covers basic policy management.
This chapter describes the basic QoS Policy management that is required to enable you to define and implement a working QoS Rule Base. More advanced QoS Policy management features are discussed in Advanced QoS Policy Management.
To open SmartConsole, click SmartConsole in the Windows Start menu.
SmartDashboard opens automatically when you open an existing QoS Policy, or after you create a new QoS Policy. It is generally not necessary to open SmartDashboard manually.
To open SmartDashboard manually:
SmartDashboard opens and the QoS view shows.
QoS policy is implemented by defining a set of rules in the Rule Base. The Rule Base specifies what actions are to be taken with the data packets. The Rule Base specifies:
The Rule Base comprises the rules you create and a default rule (see Default Rule). The default rule is automatically created with the Rule Base. It can be modified but cannot be deleted. Unless other rules apply, the default rule is applied to all data packets. The default rule is therefore always the last rule in the Rule Base.
It is a best practice to create your QoS rules based on actual traffic patterns. Use the Logs & Monitor features in SmartConsole to analyze traffic logs.
QoS inspects packets sequentially. When QoS receives a packet for a connection, it compares the packet against the first rule in the Rule Base, then against the second, then the third, and so on. When QoS finds a rule that matches, it stops checking and applies that rule.
If the matching rule has sub-rules the packets are then compared against the first sub-rule. Then the second, third, and other sub-rules until it finds a match.
If the packet fails to match a rule or sub-rule, the default rule or default sub-rule is applied. The first rule that matches is applied to the packet, not the rule that best matches.
After you have defined your network objects, services and resources, you can use them in building a Rule Base. For instructions on building a Rule Base, see Editing QoS Rules.
The QoS Policy Rule Base concept is equivalent to the Security Policy Rule Base. For more, see the: R80.30 Security Management Administration Guide.
Note - It is best to organize lists of objects (network objects and services) into groups. Using groups gives you a better overview of your QoS Policy and leads to a more readable Rule Base. New objects added to groups are automatically included in the rules.
A connection is classified according to four criteria:
Source - A set of network objects such as specified computers, networks, user groups or domains.
Destination - A set of network objects such as specified computers, networks, user groups or domains.
Service - A set of IP services, TCP, UDP, ICMP or URLs.
Time - Specified days or time periods.
The network objects that can be used in QoS rules include workstations, networks, domains, and groups.
QoS lets you define Groups of predefined users. For example, all the users in the marketing department can be grouped together in a User Group called Marketing. When defining a rule, you can use this group as the Source instead of adding individual users to the Source column of the rule.
QoS allows you to define QoS rules, not only based on the source and destination of each communication, but also according to the service requested. The services that can be used in QoS rules include TCP, Compound TCP, UDP, ICMP and IP services.
Resources can also be used in a QoS Rule Base. They must be of type URI for QoS.
QoS allows you to define Time objects. Time objects are used to specify when a rule is enforced. Time objects can be defined for specified times or days. Days can be divided into days of the month or days of the week.
A rule can specify three factors to be applied to bandwidth allocation for classified connections: Weight, Guarantee and Limit.
Weight, in this sense, is the percentage of the available bandwidth allocated to a rule. This is not the same as the Weight value entered in the QoS Rule Base, which is a manually assigned priority from which the percentage is calculated.
To calculate what percentage of the bandwidth the connections matched to a rule receive, divide the priority of the rule by the total priority of all the rules that currently have open connections:
Weight = Priority in SmartDashboard / Total priority of all the rules with open connections
For example, if the priority of a rule is 12 and the total priority of all the rules with open connections is 120, then all the connections open under this rule are allocated 12/120, or 10%. The weight of this rule is 10%. The rule gets 10% of the available bandwidth if the rule is active. In practice, if other rules are not using their maximum allocated bandwidth, a rule can get more than the bandwidth allocated by this formula. Unless a per-connection limit or guarantee is defined for a rule, all connections under a rule receive equal weight.
Allocating bandwidth according to weights ensures full use of the line even if a specified class is not using all of its bandwidth. In such a case, the left over bandwidth is divided between the remaining classes in accordance with their relative weights. Units are configurable, see Defining QoS Global Properties.
A guarantee allocates a minimum bandwidth to the connections matched with a rule.
Guarantees can be defined for the sum of all connections in a rule (a total rule guarantee) or for individual connections within a rule (a per-connection guarantee).
A total rule guarantee reserves a minimum bandwidth for all the connections below a rule. The actual bandwidth allocated to each connection depends on the number of open connections that match the rule. The total bandwidth allocated to the rule cannot be less than the guarantee. The more connections that are open, the less bandwidth each connection receives.
A per-connection guarantee means that each connection that matches the specified rule is guaranteed a minimum bandwidth.
Note - Although weights guarantee the bandwidth share for specified connections, only a guarantee lets you specify an absolute bandwidth value.
A limit specifies the maximum bandwidth that is assigned to all the connections together. A limit defines a point after which connections below a rule are not allocated more bandwidth, even if there is surplus bandwidth available.
Limits can also be defined for the sum of all connections in a rule or for individual connections within a rule.
For more information on weights, guarantees and limits, see Action Type.
Note - Bandwidth allocation is not fixed. As connections are opened and closed, QoS continuously changes the bandwidth allocation to accommodate competing connections, in accordance with the QoS Policy.
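The interaction of weights, guarantees and limits described in this section, as an added worked example. This Python model is not Check Point code and does not reproduce the gateway's scheduler; it applies the weight formula above and then treats a guarantee as a floor and a limit as a ceiling, re-splitting whatever bandwidth remains by weight among the other rules, which is enough to reproduce the behaviour the text describes (idle rules are not counted, a limited rule leaves surplus unused, connections under a rule share its allocation equally). The Rule fields, the 1000 KBps line and the rule values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    weight: int                     # the Weight (priority) set in SmartDashboard
    guarantee: float = 0.0          # Rule Guarantee: minimum for all connections under the rule
    limit: Optional[float] = None   # Rule Limit: maximum for all connections under the rule
    connections: int = 1            # open connections currently matched to the rule


def weight_share(rule: Rule, active: List[Rule]) -> float:
    """The weight formula from the text: the rule's priority divided by the total
    priority of all rules with open connections, returned as a fraction."""
    total = sum(r.weight for r in active)
    return rule.weight / total if total else 0.0


def allocate(rules: List[Rule], capacity: float) -> Dict[str, float]:
    """Split `capacity` between the rules that currently have open connections.

    Model (an assumption, not Check Point's scheduler): start from the weighted
    shares; a rule whose share is below its guarantee is pinned at the guarantee,
    a rule whose share exceeds its limit is pinned at the limit, and the
    bandwidth left over is re-split by weight among the remaining rules until
    nothing changes. Rules pinned at a limit leave surplus unused, as a limit
    requires.
    """
    active = [r for r in rules if r.connections > 0]
    for r in active:
        if r.weight <= 0:
            raise ValueError(f"{r.name}: weight must be positive")
        if r.limit is not None and r.guarantee > r.limit:
            raise ValueError(f"{r.name}: guarantee exceeds limit")
    if sum(r.guarantee for r in active) > capacity:
        raise ValueError("sum of guarantees exceeds the available bandwidth")

    pinned: Dict[str, float] = {}
    while True:
        free = [r for r in active if r.name not in pinned]
        remaining = capacity - sum(pinned.values())
        total_w = sum(r.weight for r in free)
        proposal = {r.name: remaining * r.weight / total_w for r in free}
        # Guarantees first: a rule below its minimum is raised to it.
        under = [r for r in free if proposal[r.name] < r.guarantee]
        if under:
            for r in under:
                pinned[r.name] = r.guarantee
            continue
        # Then limits: a rule above its maximum is capped there.
        over = [r for r in free if r.limit is not None and proposal[r.name] > r.limit]
        if over:
            for r in over:
                pinned[r.name] = r.limit
            continue
        return {**pinned, **proposal}


def per_connection(rule: Rule, alloc: Dict[str, float]) -> float:
    """Without per-connection limits or guarantees, the connections under a rule
    share its allocation equally."""
    return alloc[rule.name] / rule.connections


if __name__ == "__main__":
    # Constructed example: a 1000 KBps line, three active rules and one idle rule.
    rules = [
        Rule("Rule A", weight=10, guarantee=300, connections=3),
        Rule("Rule B", weight=30, limit=200),
        Rule("Rule C", weight=60),
        Rule("Rule D", weight=50, connections=0),   # no open connections: not counted
    ]
    alloc = allocate(rules, 1000)
    for name, kbps in alloc.items():
        print(f"{name}: {kbps:.1f} KBps")
    print(f"each Rule A connection: {per_connection(rules[0], alloc):.1f} KBps")
```

In the constructed run, Rule A's weighted share (100 KBps) is below its 300 KBps guarantee and is raised to it, Rule B's share (then 233 KBps) exceeds its 200 KBps limit and is capped, and Rule C receives the remaining 500 KBps, more than its 60% weight alone would give, which is the "can get more than the bandwidth allocated by this formula" case from the text.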
A default rule is automatically added to each QoS Policy Rule Base, and assigned the weight specified in the QoS page of the Global Properties window. You can change the weight, but you cannot delete the default rule (see Weight).
The default rule applies to all connections not matched by the other rules or sub-rules in the Rule Base.
A default rule is automatically added to each group of sub-rules, and applies to connections not classified by the other sub-rules in the group.
In the QoS Action Properties window you can define bandwidth allocation properties, limits and guarantees for a rule.
These are the two types of QoS actions:
Action Type | Recommended | Express
---|---|---
Simple | Yes | Yes
Advanced | Yes | No
The Simple action type has these action properties:
The Advanced rule type has these properties:
VPN traffic is traffic that is encrypted by the Security Gateway. VPN traffic does not refer to traffic that was encrypted by a non-Check Point product prior to arriving at this Security Gateway. This type of traffic can be matched using the IPSec service.
When Apply rule only to encrypted traffic is selected in the QoS Action Properties window, only VPN traffic is matched to the rule. If this field is not checked, all types of traffic (both VPN and non-VPN) are matched to the rule.
Use the Apply rule only to encrypted traffic option to create a Rule Base that applies only to VPN traffic. These actions are different from actions applied to non-VPN traffic. Since QoS uses the First Rule Match concept, the VPN traffic rules must be defined as the top rules in the Rule Base. Below them, define rules that apply to all other types of traffic. Other types of traffic skip the top rules and match one of the non-VPN rules. To separate VPN traffic from non-VPN traffic, define this rule at the top of the QoS Rule Base:
Name | Source | Destination | Service | Action
---|---|---|---|---
VPN rule | Any | Any | Any | VPN Encrypt, and other configured actions
All the VPN traffic is matched to this rule. The rules below this VPN Traffic Rule are then checked only against non-VPN traffic. You can define sub-rules below the VPN Traffic rule that classify the VPN traffic more granularly.
When a connection is matched to a rule with sub-rules, the sub-rules are checked for match. If none of the sub-rules apply, the default rule for the sub-rules is applied (see Default Rule).
Sub-rules can be nested, meaning that sub-rules themselves can have sub-rules. The same rules then apply to the nested sub-rules. If the connection matches a sub-rule that has sub-rules, the nested sub-rules are checked for a match. If none of the nested sub-rules apply, the default rule for the nested sub-rules is applied.
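The first-match walk described in this chapter (rules, then sub-rules, then the default rule of whichever group produced no match) together with the VPN-only rule placed at the top of the Rule Base, as an added example. This Python model is not Check Point code; it replays the classification order on a rule base shaped like the nested sub-rule example in this chapter (Rule A with sub-rules A1 and A2, A1 with sub-rules A1.1 and A1.2, Rule B). The object and service names are the page's own; the Connection and Rule classes, the `encrypted` flag standing for traffic the gateway itself encrypts, and the way default rules are named are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


# Constructed model of a connection to be classified. "encrypted" stands for
# traffic the Security Gateway itself encrypts (VPN traffic).
@dataclass(frozen=True)
class Connection:
    source: str
    destination: str
    service: str
    encrypted: bool = False


@dataclass
class Rule:
    """One QoS rule. A criterion left as None means Any."""
    name: str
    source: Optional[FrozenSet[str]] = None
    destination: Optional[FrozenSet[str]] = None
    service: Optional[FrozenSet[str]] = None
    encrypted_only: bool = False          # "Apply rule only to encrypted traffic"
    sub_rules: List["Rule"] = field(default_factory=list)

    def matches(self, conn: Connection) -> bool:
        if self.encrypted_only and not conn.encrypted:
            return False
        return ((self.source is None or conn.source in self.source)
                and (self.destination is None or conn.destination in self.destination)
                and (self.service is None or conn.service in self.service))


def classify(rules: List[Rule], default_name: str, conn: Connection) -> List[str]:
    """Return the chain of rule names applied to conn, outermost first.

    Rules are compared in order and the first match wins (not the best match).
    If the matching rule has sub-rules, the same walk repeats inside it, and a
    group with no matching sub-rule falls through to its own default rule.
    """
    for rule in rules:
        if rule.matches(conn):
            if rule.sub_rules:
                return [rule.name] + classify(rule.sub_rules, rule.name + " default", conn)
            return [rule.name]
    return [default_name]


def build_rule_base() -> List[Rule]:
    """The chapter's nested example (Rule A / A1 / A1.1 / A1.2 / A2, Rule B) with a
    VPN-only rule on top, as the text recommends."""
    ftp, http = frozenset({"ftp"}), frozenset({"http"})
    client1 = frozenset({"Client-1"})
    rule_a1 = Rule("Rule A1", source=client1, service=ftp, sub_rules=[
        Rule("Rule A1.1", service=ftp),
        Rule("Rule A1.2", service=ftp),
    ])
    rule_a = Rule("Rule A", service=ftp, sub_rules=[
        rule_a1,
        Rule("Rule A2", source=client1, service=ftp),
    ])
    return [
        Rule("VPN rule", encrypted_only=True),   # Any / Any / Any, encrypted traffic only
        rule_a,
        Rule("Rule B", service=http),
    ]


if __name__ == "__main__":
    base = build_rule_base()
    for conn in (Connection("Client-1", "Server", "ftp"),
                 Connection("Client-2", "Server", "ftp"),
                 Connection("Client-2", "Server", "ftp", encrypted=True),
                 Connection("Client-1", "Server", "dns")):
        print(conn, "->", " / ".join(classify(base, "Default Rule", conn)))
```

Two results are worth noting: an ftp connection from Client-1 ends in Rule A1.1 even though Rule A1.2 and Rule A2 also match it, because matching stops at the first hit at every level; and an ftp connection from another host matches Rule A but none of its sub-rules, so it lands on the default sub-rule of Rule A rather than on the Rule Base's default rule.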
Bandwidth is allocated on a top-down basis. This means that a Rule Guarantee must always be greater than or equal to the Rule Guarantee of any sub-rule in that rule. The same applies to Rule Guarantees in sub-rules and their nested sub-rules.
Bandwidth Allocation in Nested Sub-Rules:
Rule Name | Source | Destination | Service | Action
---|---|---|---|---
Rule A | Any | Any | ftp | Rule Guarantee - 100KBps, Weight 10
Start of Sub-Rule A | | | |
Rule A1 | Client-1 | Any | ftp | Rule Guarantee - 100KBps, Weight 10
Start of Sub-Rule A1 | | | |
Rule A1.1 | Any | Any | ftp | Rule Guarantee - 80KBps, Weight 10
Rule A1.2 | Any | Any | ftp | Weight 10
End of Sub-Rule A1 | | | |
Rule A2 | Client-1 | Any | ftp | Weight 10
End of Sub-Rule A | | | |
Rule B | Any | Any | http | Weight 30
In this example, surplus bandwidth from the application of Rule A1.1 is applied to Rule A2 before it is applied to Rule A1.2.
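A pre-installation check for the top-down guarantee constraint stated above (a Rule Guarantee must be at least as large as the Rule Guarantee of each of its sub-rules, at every nesting level), as an added example. This Python code is not Check Point code and does not replace the validation that policy installation performs; the QoSRule class is an assumption of the model, and pairs where either the rule or the sub-rule has no guarantee are left unchecked (also an assumption). The consistent tree is Rule A from the table above; the failing tree is a constructed variant.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class QoSRule:
    name: str
    guarantee: Optional[float] = None        # Rule Guarantee in KBps; None = none defined
    sub_rules: List["QoSRule"] = field(default_factory=list)


Violation = Tuple[str, str, float, float]   # (rule, sub-rule, rule guarantee, sub-rule guarantee)


def guarantee_violations(rule: QoSRule) -> List[Violation]:
    """Walk a rule and its nested sub-rules and report every pair where the
    sub-rule's Rule Guarantee exceeds its parent's. Pairs where either side has
    no guarantee are not checked (an assumption of this model)."""
    found: List[Violation] = []
    for child in rule.sub_rules:
        if (rule.guarantee is not None and child.guarantee is not None
                and child.guarantee > rule.guarantee):
            found.append((rule.name, child.name, rule.guarantee, child.guarantee))
        found.extend(guarantee_violations(child))   # recurse into nested sub-rules
    return found


def rule_base_violations(rules: List[QoSRule]) -> List[Violation]:
    """Check every top-level rule of a Rule Base."""
    return [v for rule in rules for v in guarantee_violations(rule)]


def chapter_example() -> QoSRule:
    """Rule A from the table above: A (100) >= A1 (100) >= A1.1 (80) is consistent."""
    return QoSRule("Rule A", 100, [
        QoSRule("Rule A1", 100, [QoSRule("Rule A1.1", 80), QoSRule("Rule A1.2")]),
        QoSRule("Rule A2"),
    ])


def broken_example() -> QoSRule:
    """Constructed variant: Rule A1.1 asks for more than Rule A1 reserves."""
    return QoSRule("Rule A", 100, [
        QoSRule("Rule A1", 60, [QoSRule("Rule A1.1", 80), QoSRule("Rule A1.2")]),
        QoSRule("Rule A2"),
    ])


if __name__ == "__main__":
    for tree in (chapter_example(), broken_example()):
        problems = rule_base_violations([tree])
        if not problems:
            print(f"{tree.name}: guarantees are consistent")
        for parent, child, pg, cg in problems:
            print(f"{child} guarantees {cg} KBps but its parent {parent} only {pg} KBps")
```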
After you define your QoS rules in the Rule Base, you must publish your session in SmartConsole, and then install the Policies on your Security Gateways. The policy installation procedure automatically validates the rules and objects. If there are verification errors, a message shows in the Install Policy Details tab.
After policy installs successfully, the Security Gateways enforce the policy rules.
Note - Make sure the QoS blade is enabled on the Security Gateway before you install the policy.
To install a QoS Policy:
Note - By default, no gateways are selected for QoS. You must select them manually.
If the installation is successful, the new Policy is enforced by the Security Gateways on which it is installed. If installation fails, do these steps to see the error messages:
In the Install Policy Details window, click the ^ icon in the Status column to see the error messages. You must resolve all errors before you can successfully install the Policy.