
FAQ

In This Section:

QoS Basics

Other Check Point Products - Support and Management

Policy Creation

Capacity Planning

Installation / Backward Compatibility / Licensing / Versions

How do I?

General Issues

QoS Basics

When should I use Recommended Policy type and when should I use Express Policy type? — Use the Recommended Policy type when you need fine-tuned functionality and advanced QoS features. Use Express if your system requires only basic QoS.

What are the benefits of using each mode? — Recommended gives you advanced QoS functionality. Express mode gives you better performance and requires less CPU and memory.

Can I change the Policy types? — You can change a policy type from Express to Recommended, but you cannot change Recommended to Express. If you are not certain which type you need, start with Express. This way, you can change to Recommended later if you require advanced QoS functionality.

What is the highest weight I can use in a rule? — Weights are relative. The only limitation is the Maximum weight of rule parameter, which is defined in the Global Properties window under QoS. The default value is 1000, but it can be changed to any number.

Note - This parameter is only used to assist in input validation.

In the example shown here:

Example of Highest Weight Differentiation

Policy 1
  HTTP gets: HTTP weight = 500, FTP weight = 500
  ...and equals: 500/(500+500) = ½
  Comment: Equal weight is given to each rule.

Policy 2
  HTTP gets: HTTP weight = 2, FTP weight = 2
  ...and equals: 2/(2+2) = ½
  Comment: Equal weight is given to each rule.

Policy 1 + third rule
  HTTP gets: HTTP weight = 500, FTP weight = 500, SMTP weight = 100
  ...and equals: 500/(500+500+100) = 500/1100
  Comment: Due to the initial high value of the weights in Policy 1, the amount of bandwidth available to the HTTP connection is only marginally less than in Policy 1 even after the introduction of the third rule.

Policy 2 + third rule
  HTTP gets: HTTP weight = 2, FTP weight = 2, SMTP weight = 100
  ...and equals: 2/(2+2+100) = 2/104
  Comment: Due to the low value of the weights in Policy 2, the amount of bandwidth available to the HTTP connection is now significantly less as a result of the introduction of the third rule.

You can see the significance of the value of the weight allocated in two different policies. In the example both the HTTP and FTP connections initially enjoy an equal share of the available bandwidth, although they each had a weight of 500 in Policy 1 and a weight of 2 in Policy 2.

By adding a third rule to both policies you can significantly change the result. For example, an SMTP connection with a weight of 100 can be added to each policy. Due to the high initial weights used in Policy 1, there is an insignificant change to the amount of bandwidth available for the HTTP connection in Policy 1 + third rule. However, due to the low initial weights used in Policy 2, the amount of bandwidth that is available to the HTTP connection in Policy 2 + third rule is significantly reduced.
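The following Python snippet is an added worked example, not part of the original FAQ, that computes relative-weight shares for a rule set and quantifies how much of a rule's share survives when a new rule is added. It generalizes the four cases above to any set of weights and applies the "Maximum weight of rule" input validation (default 1000) mentioned earlier; the function names and the link-bandwidth figure used in the demo are assumptions made for this example.

```python
"""Relative-weight bandwidth shares, as in the FAQ's Policy 1 / Policy 2 example.
Added illustration; not Check Point code."""
from fractions import Fraction


def shares(weights, max_weight=1000):
    """Return each rule's fraction of the link as Fraction(weight, sum of weights).

    Weights are relative: only the ratios between rules matter, which is why
    500/500 and 2/2 both give HTTP exactly 1/2. `max_weight` mirrors the
    Global Properties "Maximum weight of rule" value (default 1000), which the
    FAQ says is used only for input validation.
    """
    for rule, w in weights.items():
        if w < 0 or w > max_weight:
            raise ValueError(f"rule {rule!r}: weight {w} outside 0..{max_weight}")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("at least one rule must have a positive weight")
    return {rule: Fraction(w, total) for rule, w in weights.items()}


def dilution(weights, new_rule, new_weight, rule="HTTP"):
    """Fraction of `rule`'s former share that remains after adding `new_rule`.

    1 means unchanged; a value near 0 means the new rule all but starved it.
    """
    before = shares(weights)[rule]
    after = shares({**weights, new_rule: new_weight})[rule]
    return after / before


def allocation_kbps(weights, link_kbps):
    """Absolute allocation when every rule has traffic to send (link saturated).

    When a rule is idle its unused bandwidth is redistributed to the others,
    so this is a floor for each rule, not a cap.
    """
    return {rule: float(frac * link_kbps) for rule, frac in shares(weights).items()}


# The two policies from the FAQ example.
POLICY_1 = {"HTTP": 500, "FTP": 500}
POLICY_2 = {"HTTP": 2, "FTP": 2}

if __name__ == "__main__":
    for name, policy in (("Policy 1", POLICY_1), ("Policy 2", POLICY_2)):
        before = shares(policy)["HTTP"]
        after = shares({**policy, "SMTP": 100})["HTTP"]
        print(f"{name}: HTTP share {before} -> {after} after adding SMTP=100; "
              f"HTTP keeps {float(dilution(policy, 'SMTP', 100)):.1%} of its share")
    # Assumed 1000 Kbps link, for illustration only.
    print(allocation_kbps({**POLICY_1, "SMTP": 100}, 1000))
```

Running it shows HTTP keeping about 91% of its share under Policy 1 but under 4% under Policy 2, which is the effect the table above describes.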

Should I install QoS on the external or the internal interface? — While QoS can run on both interfaces, it is highly recommended to position QoS on the external interface only.

What is the difference between guarantees and weights? — Guarantees and weights are similar in their behavior. Despite the difference in their dictionary meaning, they both guarantee the allocated bandwidth to the matched traffic. The differences between them are:

Your Rule Base is:

The result is:

Use guarantees to define bandwidth in absolute terms or for per connection guarantees.

How does QoS handle TCP retransmitted packets? — When a retransmission is detected, QoS checks to see if the retransmitted data is already contained in the QoS queue. If so, the packet is dropped. This unique QoS capability eliminates retransmissions that consume up to 40% of a WAN link, and saves memory required to store duplicated packets.

Which Firewall resources does QoS support in the Rule Base? — QoS can use its resources to inspect HTTP traffic. Resources are defined using the URI for QoS option and can contain specific URLs or files. For example, you can limit Web surfing to the site http://www.restrict-access-to-this-site.com. You need to add a QoS URI resource that looks for the string "www.restrict-access-to-this-site.com" (without http://). Then use the resource in a QoS rule and add a limit.

Do guarantees waste bandwidth? — No. QoS uses a sophisticated queuing mechanism. An application only takes as much bandwidth as it needs. Any unused bandwidth is then available for use by other applications.

How do I know if loaned bandwidth is available for applications that may need it back? — There is no loaned bandwidth in QoS. Bandwidth that is not utilized by a guarantee/weighted rule is immediately (on a per-packet basis) distributed to the other connections, according to their relative priorities. The important thing to remember is Resolution (referring to level of granularity). QoS allocates bandwidth on a per packet basis. Therefore, only one packet is allocated at a time, resulting in the most accurate scheduling policy.

Other Check Point Products - Support and Management

Where is QoS placed in the Multi-Domain Security Management Inspection chain? — QoS is composed of two components:

Does QoS work With Multi-Domain Security Management? — Yes. One of the most important QoS features is its unique and sophisticated integration with Multi-Domain Security Management. Its integration features include:

Is SmartView Monitor a part of QoS? — No. As of NG with Application Intelligence (R55), SmartView Monitor is a separate product that is bundled with QoS.

Does QoS support Load Sharing configurations? — Yes, QoS supports all ClusterXL configurations. QoS supports the SYNC mechanism and therefore can be used with CPLS/CPHA or third-party solutions. For OPSEC partner solutions, see the OPSEC Website.

Does QoS support NATed traffic? — QoS has full support for NATed traffic, including matching, scheduling, limiting and all other QoS features.

What is the maximum number of QoS gateways I can manage? — QoS Security Gateway management is identical to that for any Security Gateway. Thus, the maximum number of gateways is identical to the maximum number of gateways that are managed.

Do I need to run QoS on the Security Management Server? — Yes, in order to manage a QoS Security Gateway you need to install QoS on the Security Management Server.

Policy Creation

When should I use LLQ (Low Latency Queuing)? — LLQ is best suited for VoIP applications, Video conferencing and other multimedia applications. LLQ is targeted for applications where:

Is QoS Rule Base "first match"? — From QoS NG forward, all QoS rules are matched on the "first match" principle: only the first rule that applies to a connection is activated.

For example, if you have a rule for CEO traffic and a rule for HTTP traffic, the rule that appears first within the Rule Base will be matched to all CEO surfing.

Correct Rule Base (CEO is the first match)

  1. SRC=CEO => Guarantee = 128Kbps
  2. Service=HTTP => Limit = 64Kbps

Incorrect Rule Base (CEO traffic will be limited)

  1. Service=HTTP => Limit = 64Kbps
  2. SRC=CEO => Guarantee = 128Kbps
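As an added example (not from the original FAQ), the following Python model evaluates a Rule Base on the first-match principle and shows why the two orderings above give different results for the CEO's HTTP traffic. It also includes a small check that flags rules which some sample connection would match but which never win because an earlier rule always takes precedence. The Connection/Rule classes and the sample connections are assumptions constructed for this example.

```python
"""First-match evaluation of a QoS Rule Base (illustrative model, not Check Point code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Connection:
    src: str       # constructed label for the source, e.g. "CEO" or "staff"
    service: str   # e.g. "HTTP"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Connection], bool]
    action: str    # text of the QoS action, as written in the FAQ


def first_match(rule_base: List[Rule], conn: Connection) -> Optional[Rule]:
    """Return the first rule that applies; later matching rules are ignored."""
    for rule in rule_base:
        if rule.matches(conn):
            return rule
    return None


def shadowed_rules(rule_base: List[Rule], sample_conns: List[Connection]) -> List[str]:
    """Names of rules that match some sample connection but never win first-match.

    Such a rule is effectively dead for that traffic; for the FAQ example it
    reveals that the CEO guarantee is never applied to the CEO's HTTP sessions.
    """
    shadowed = []
    for rule in rule_base:
        matched = [c for c in sample_conns if rule.matches(c)]
        if matched and all(first_match(rule_base, c) is not rule for c in matched):
            shadowed.append(rule.name)
    return shadowed


# The two rules from the FAQ.
CEO_RULE = Rule("SRC=CEO", lambda c: c.src == "CEO", "Guarantee = 128Kbps")
HTTP_RULE = Rule("Service=HTTP", lambda c: c.service == "HTTP", "Limit = 64Kbps")

CORRECT = [CEO_RULE, HTTP_RULE]      # CEO is the first match
INCORRECT = [HTTP_RULE, CEO_RULE]    # CEO traffic will be limited

# Constructed sample traffic.
CEO_WEB = Connection("CEO", "HTTP")
STAFF_WEB = Connection("staff", "HTTP")
SAMPLES = [CEO_WEB, STAFF_WEB]

if __name__ == "__main__":
    for name, rb in (("correct", CORRECT), ("incorrect", INCORRECT)):
        hit = first_match(rb, CEO_WEB)
        print(f"{name}: CEO surfing -> {hit.name}: {hit.action}; shadowed={shadowed_rules(rb, SAMPLES)}")
```

With the incorrect order, the CEO's browsing hits the 64Kbps limit and the 128Kbps guarantee is reported as shadowed; with the correct order, staff browsing still reaches the HTTP limit while the CEO rule wins for CEO traffic.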

I am using QoS on multiple gateways. What is the best way to organize my Rule Base?

When should I use Sub-rules? — Sub-rules should be used when there is hierarchy between objects. For example, when you want to manage bandwidth according to organizational structure, such as within an organization that has R&D, Marketing and operation divisions.

How can I see the top bandwidth-hogging applications? — From the command line run the command rtmtopsvc.

Capacity Planning

What are the QoS memory requirements? — To run QoS, the following amount of free memory is needed (in addition to the memory needed for Multi-Domain Security Management):

QoS memory requirements

Number of connections   Management   Gateway (or Management and gateway)
5,000                   0 MB         32.5 MB
10,000                  0 MB         39 MB
25,000                  0 MB         57 MB
50,000                  0 MB         91 MB
100,000                 0 MB         156 MB

How do I know which machine I need to run QoS? — Deciding on a hardware platform and vendors involves many aspects and each buyer has their own specific considerations such as support, price, appliances, knowledge, and so on.

As far as performance is concerned, CPU performance is the main factor in QoS performance. Given the reduced memory footprint and low memory prices, memory is not usually the bottleneck.

How do I tune QoS performance? — Here are some tips on fine-tuning QoS performance:

  1. Upgrade to the newest QoS version available.
  2. In most cases you need to install QoS only on the external interfaces of the gateway.
  3. Unless you are using limits for inbound traffic, installing QoS only in the outbound direction will provide you with most of the functionality and improvements.
  4. Put more frequent rules at the top of your Rule Base. You can use SmartView Monitor to analyze how much a rule is used.
  5. Turn "per connection limits" into "per rule limits".
  6. Turn "per connection guarantees" into "per rule guarantees".

What is the maximum bandwidth supported by QoS? — 10Gbps.

Installation / Backward Compatibility / Licensing / Versions

When will QoS next feature pack be available? — QoS feature packs/releases are usually shipped at the same time Multi-Domain Security Management feature packs are released.

How do I?

How do I guarantee performance for my mail server? — You need to add a rule matching your email traffic. You can do this by either matching the source/destination of your mail server, or matching mail protocols (SMTP, POP3, Exchange). For this rule, define a weight or guarantee that meets the needs of the priorities you want to set.

How do I ensure Quality of Service for Voice Over IP? — QoS uses VoIP-tuned mechanism Low Latency Queuing (LLQ). This mechanism is tuned to achieve best latency for constant bit rate applications, like VoIP.

To limit the number of connections admitted, use LLQ with a per connection guarantee. For voice, you want to give each conversation a guaranteed bandwidth. Usually you would want an admission policy that does not accept additional calls if bandwidth is not adequate.

Note - This is equivalent to the busy tone in older voice systems.

How do I guarantee performance for my ERP applications? — You need to add a rule matching your ERP traffic. You can do this by either matching the source/destination of your ERP server, or matching application protocols (SAP, BAAN, ORACLE). For this rule, define a weight or guarantee that meets the needs of the priorities you want to set. If your ERP application is not a predefined service, you can either add it manually or use the first method.

If you are using ERP over HTTP, check "How can I provide bandwidth for my intranet applications"?

Can I use QoS to prevent Denial of Service Attacks? — QoS is not an Anti-Denial of Service tool. However, there are many situations in which QoS can be used to detect, monitor and prevent such attacks. Using SmartView Monitor and QoS you can perform detection and monitoring.

Prevention can be achieved in the following ways:

Why is limiting bandwidth for an application better than blocking it? — Blocking "non-work related" applications might cause users to find a way to bypass the block. Prioritizing bandwidth lets users continue with their activities without damaging critical business processes. Consider a university where the Internet connection is being used for peer-to-peer file downloads. Blocking these services completely may encourage the students to find a way to bypass the block, which in turn might cause legal problems. QoS offers smarter solutions:

General Issues

My machine is experiencing certain technical failures. What should I do? — Check the Web for updated release notes on known issues and limitations. Contact your vendor for further support.

I set up a guarantee/limit but in SmartView Monitor it seems to be broken? — If you are looking at a very low traffic limit (for example, 1000 Bytes per second) at a high sampling frequency (update every 2 seconds), it might look as if the limit is broken, because QoS does not fragment packets. If you lower the sampling frequency of SmartView Monitor (update every 8 seconds), you will see that limits are kept.
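The measurement effect described above can be reproduced with the following added Python simulation (not Check Point code): a limiter that accrues credit at 1000 bytes per second and sends a whole 1500-byte packet only when it has a full packet's worth of credit, never a fragment. Sampling the sent bytes in 2-second windows shows peaks above the limit, while 8-second windows stay under it. The credit model, the 1500-byte packet size and the 16-second run length are assumptions made for this illustration.

```python
"""Why a low limit looks 'broken' at a short monitor refresh interval.
Added simulation of a non-fragmenting limiter; not Check Point code."""


def send_times_ms(limit_bps, packet_bytes, duration_ms):
    """Millisecond timestamps at which the limiter emits a whole packet.

    Credit accrues at limit_bps bytes per second; a packet leaves only when a
    full packet's worth of credit is available, so sends are bursty at the
    packet scale even though the long-run rate never exceeds the limit.
    """
    credit = 0.0
    per_ms = limit_bps / 1000.0
    sent = []
    for t in range(duration_ms):
        credit += per_ms
        if credit >= packet_bytes:
            sent.append(t)
            credit -= packet_bytes
    return sent


def observed_rates(send_times, packet_bytes, window_ms, duration_ms):
    """Bytes per second as a monitor refreshing every window_ms would display."""
    rates = []
    for start in range(0, duration_ms, window_ms):
        n = sum(1 for t in send_times if start <= t < start + window_ms)
        rates.append(n * packet_bytes / (window_ms / 1000.0))
    return rates


def peak_rate(limit_bps, packet_bytes, window_ms, duration_ms=16000):
    """Highest rate the monitor would show for the given refresh interval."""
    times = send_times_ms(limit_bps, packet_bytes, duration_ms)
    return max(observed_rates(times, packet_bytes, window_ms, duration_ms))


def average_rate(limit_bps, packet_bytes, duration_ms=16000):
    """Long-run rate over the whole simulation, which stays at or under the limit."""
    times = send_times_ms(limit_bps, packet_bytes, duration_ms)
    return len(times) * packet_bytes / (duration_ms / 1000.0)


if __name__ == "__main__":
    LIMIT, PKT = 1000, 1500   # 1000 B/s limit, 1500-byte packets (assumed)
    for window in (2000, 8000):
        print(f"{window // 1000}s refresh: peak shown = {peak_rate(LIMIT, PKT, window)} B/s")
    print(f"overall average = {average_rate(LIMIT, PKT)} B/s")
```

With the values above, a 2-second window occasionally captures two whole packets (3000 bytes, displayed as 1500 B/s), while an 8-second window never holds more than five (937.5 B/s); the limit itself is being honoured throughout.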

Can I deploy QoS on LAN environments? — Yes. You will need to position the hardware to support the network traffic you want to prioritize. QoS is best deployed in congestion points for network traffic.

What happens if a line's bandwidth (as defined in the QoS tab of the Interface Properties window) is less than its physical ("real") bandwidth? — QoS will only allocate as much bandwidth as is defined in the Interface Properties window. Additional bandwidth will not be allocated regardless of the physical bandwidth of the interface.

What happens if a link bandwidth (of the link defined in QoS) is more than its physical ("real") bandwidth? — QoS will attempt to transmit more than the physical bandwidth allows. This can cause random traffic drops in the next hop that result in the loss of critical packets.