Deployment Scenario for this Tutorial

Item | Description
1 | Oxford - Security Management Server
2 | Cambridge - SmartConsole client
3 | Local area network - Engineering and Marketing
4 | London - Security Gateway with QoS
4a | Interface eth2 - 192.199.199.32
4b | Interface eth1 - 192.32.42.32
4c | Interface eth0 - 192.32.32.32
5 | DMZ with Web and FTP servers
6 | Internet

This scenario is an organization with offices in London, Oxford and Cambridge. The QoS Security Gateway is in London and has three interfaces: eth0 connects to the Internet, and the other two connect to internal networks (the local area network and the DMZ). The Security Management Server is in Oxford and the SmartConsole client is in Cambridge. The local network includes the Marketing and Engineering departments.

Tutorial Workflow

This tutorial is a simplified exercise that shows you how to do these QoS activities:

  1. Install and configure the system components.

  2. Create a new QoS Policy with SmartConsole.

  3. Select one of these QoS Policies types:

    • Express - Quickly create basic QoS Policies.

    • Recommended - Create advanced Policies with the full set of QoS features.

  4. Configure the network objects used by QoS rules.

  5. Configure specialized services for use in QoS rules.

  6. Create QoS Policy rules.

  7. Install the Policy on the Security Gateway.

Installing the System Components

To install and configure system components for this tutorial:

  1. Enable QoS, Firewall, and other Software Blades on the London Security Gateway.

  2. Install a Security Management Server on the Oxford server platform.

  3. Install SmartConsole on the Cambridge PC.

  4. In SmartConsole, define Cambridge as a trusted client.

  5. In SmartConsole, define the administrators who can manage the QoS Policy.

  6. Make sure that there is SIC (Secure Internal Communication) trust between the Oxford Security Management Server and the London QoS Security Gateway.

Starting SmartConsole

This section describes how to create a QoS Policy in SmartConsole. The new Policy opens in SmartDashboard, where you use the QoS tab to edit its rules.

To Create a New QoS Policy

  1. On the gateway, make sure that the QoS blade is enabled.

  2. In SmartConsole, from the File menu, select Manage Policies and Layers.

  3. Click New.

  4. In the Policy window, enter a Policy name.

    This name cannot:

    • Contain any reserved words or spaces.

    • Start with a number.

    • Contain any of the following characters: %, #, ', &, *, !, @, ?, <, >, /, \, :.

    • End with any of the following suffixes: .pf, .W.

  5. Select QoS and then select a QoS Policy type:

    • Express - Quickly create basic QoS Policies

    • Recommended (default) - Create advanced Policies with the full set of QoS features

    Note: There are some limitations that can prevent you from enabling SecureXL or CoreXL with QoS Policies. For more, see: Acceleration Support for R77 Policies.

  6. Click OK.

    The system saves the new Policy and SmartDashboard opens automatically. You can start to define your rules here.

Planning the QoS Policy

To implement a good QoS Policy, find out how the network is used. Identify and prioritize the types of traffic. Identify users and their needs. For example:

  • HTTP traffic must be allocated more bandwidth than RealAudio.

  • Marketing must be allocated more bandwidth than Engineering.

Configuring the Security Gateway

Define these Network Objects:

  • London, the Security Gateway on which the QoS is enabled

  • Sub-networks for the Marketing and Engineering departments

To define the London Security Gateway:

  1. In SmartConsole, click Gateways & Servers.

  2. Click New > Gateway > Classic Mode.

  3. Configure these parameters in the General Properties window.

    Field | Value | Notes
    Name | London | The name by which the object is known on the network (the response to the hostname command).
    Platform | Select an appliance type or Open Server | The platform must be supported for R80.40.
    SIC | Click Communication | Establishes the secure communication channel between the Security Gateway and the management server.
    Version | R80.40 |
    OS | Gaia |
    IP Address | 192.32.32.32 | The interface address associated with the host name in DNS; click Get Address to fill it in. For gateways, this should always be the IP address of the external interface.
    Network Security tab | Firewall and QoS |

Defining Interfaces on the Gateway

In this step you configure each interface and its QoS properties.

To configure interface properties:

  1. Click Network Management in the navigation tree.

  2. Click Get Interfaces on the toolbar.

    The interfaces show in the Network Management window.

  3. Double-click each interface and configure parameters in the Interface > General window.

    eth0

    Field | Value | Notes
    Net Address | 192.32.32.32 |
    Net Mask | 255.255.255.0 |
    Topology Settings (click Modify) | Internet External | This interface connects to the Internet.
    Anti-Spoofing | Perform Anti-Spoofing based on interface topology | Each incoming packet is checked to make sure that its source IP address is valid for the interface it arrived on.
    Spoof Tracking | Log | Log Anti-Spoofing events.

    eth1

    Field | Value | Notes
    Net Address | 192.32.42.32 |
    Net Mask | 255.255.255.0 |
    Topology Settings (click Modify) | Internal, Network defined by the interface IP and Net Mask | This interface connects to an internal network (the local area network or the DMZ), not to the Internet.
    Anti-Spoofing | Perform Anti-Spoofing based on interface topology | Each incoming packet is checked to make sure that its source IP address is valid for the interface it arrived on.
    Spoof Tracking | Log | Log Anti-Spoofing events.

    eth2

    Field | Value | Notes
    Net Address | 192.199.199.32 |
    Net Mask | 255.255.255.0 |
    Topology Settings (click Modify) | Internal, Network defined by the interface IP and Net Mask | This interface connects to an internal network (the local area network or the DMZ), not to the Internet.
    Anti-Spoofing | Perform Anti-Spoofing based on interface topology | Each incoming packet is checked to make sure that its source IP address is valid for the interface it arrived on.
    Spoof Tracking | Log | Log Anti-Spoofing events.

    Only eth0 leads to the Internet, so only eth0 is External. Anti-Spoofing based on interface topology drops a packet that arrives on an interface with a source address that does not belong behind that interface. If all three interfaces were marked External, the gateway would have no internal address ranges to protect, and a packet arriving on eth0 from the Internet with a 192.32.42.x source address would be accepted.

To Configure QoS Properties for Interfaces

  1. In the Interface window, click the QoS tab.

  2. Select Inbound Active and Outbound Active.

  3. For both, set the rate to 192000 - T1 (1.5 Mbps).

    QoS rates are in Bytes per second; 192000 Bytes per second is the preset that corresponds to a T1 link. The rate must reflect the real capacity of the link on that interface, because the weights and guarantees in the Policy are shares of this figure: a rate set higher than the link can carry lets QoS allocate bandwidth that does not exist.

Defining the Services

The QoS Policy required for this tutorial does not require the definition of new proprietary services. The commonly used services HTTP and RealAudio are already defined in QoS.

Creating and Configuring Rules

After you define your network objects and services, the next step is to create your QoS policy rules. This tutorial shows you how to create two simple QoS rules. A new QoS Policy always includes a Default Rule (see Default Rule).

To Create a New Policy

If you have not already created the QoS Policy, do it as described in To Create a New QoS Policy above: from the File menu select Manage Policies and Layers, click New, enter the Policy name, select QoS and the Recommended type, and click OK. The new Policy is created together with a Default Rule and is displayed in the QoS tab.

Creating New Rules

When you create a new QoS Policy, the system automatically adds a default rule, which must always be the last rule in the Policy. Make sure that you add your new rules above the default rule.

Create these two rules: Web Rule and RealAudio Rule.

  1. In SmartDashboard > QoS tab, select the default rule.

  2. Click the Before current rule icon.

  3. Enter Web Rule in the Rule Name window, and then click OK.

Do this procedure again for RealAudio Rule.

Rule Properties

The system automatically assigns the default parameters defined in Global Properties > QoS to each new rule. Use the next procedure to change the rules to the values shown in this table:

Rule Name | Source | Destination | Service | Action
Web Rule | Any | Any | HTTP | Weight 35
RealAudio Rule | Any | Any | RealAudio | Weight 5
Default | Any | Any | Any | Weight 10

To change the properties in a rule:

  1. In the QoS tab, right-click in the Service field of the Web Rule.

    Select Add Objects, and then select HTTP from the list.

  2. Double-click the Action field, and then change the Rule Weight property to 35. For more, see: Changing QoS Global Properties

Do this procedure again for the RealAudio Rule (Service RealAudio, Weight 5) and for the Default rule (leave Service as Any and set Weight to 10).

Classifying Traffic by Service

Usually, a full Rule Base does not explicitly define rules for all the "background" services (such as DNS). Background services are handled by the Default rule.

The structure of the Rule Base is shown at the left of the window as a tree, with the Default Rule at the bottom. (For a description of the Rule Base window, see Basic Policy Management).

Connections receive bandwidth according to the weights (priority) assigned to the rules that apply to them. The table below describes what occurs when there are four active connections. Note that bandwidth allocation is constantly changing.

Service Rules - Four Active Connections

Connection | Relevant rule | Bandwidth | Comments
HTTP | Web Rule | 70% | 35 / 50 (the total weight of the rules with active connections)
RealAudio | RealAudio Rule | 10% | 5 / 50
FTP | Default | sharing 20% | 10 / 50; a rule's share applies to all its connections together
TELNET | Default | sharing 20% | 10 / 50; a rule's share applies to all its connections together

Bandwidth is allocated between connections according to relative weight. As connections are opened and closed, QoS changes the bandwidth allocation according to the QoS Policy.

For example:

  • If the HTTP, FTP and TELNET connections are all closed, the only remaining connection is the RealAudio connection, and RealAudio receives 100% of the bandwidth.

  • If the TELNET and FTP connections are closed, both HTTP and RealAudio benefit from the released bandwidth.

Service Rules - Two Active Connections

Connection | Relevant rule | Bandwidth | Comments
HTTP | Web Rule | 87.5% | 35 / 40 (the total weights)
RealAudio | RealAudio Rule | 12.5% | 5 / 40

Although RealAudio is assigned a very small weight compared to HTTP, it will not be starved of bandwidth no matter how heavy the HTTP traffic.

In practice, you will probably want to give a high relative weight to interactive services such as TELNET, which transfers small amounts of data but involves users issuing commands.

Classifying Traffic by Source

The second part of the QoS Policy (Marketing must be allocated more bandwidth than Engineering) is implemented by these rules:

Marketing is Allocated More Bandwidth Than Engineering

Rule Name | Source | Destination | Service | Action
Marketing Rule | Marketing | Any | Any | Weight 30
Engineering Rule | Engineering | Any | Any | Weight 20
Default | Any | Any | Any | Weight 10

Using the same principles described in Creating New Rules and Changing New Rule Properties, create these rules in SmartConsole and change them to match the values shown in the table above. They behave exactly like the service rules, except that the weights differ and matching is on Source rather than on Service. With one connection from Marketing, one from Engineering, and two connections (FTP and TELNET) from elsewhere, for example from the DMZ, bandwidth is shared as follows:

Connection | Relevant rule | Bandwidth | Comments
From Marketing | Marketing Rule | 50% | 30 / 60 (the total weights)
From Engineering | Engineering Rule | 33% | 20 / 60
FTP (other source) | Default | sharing 17% | 10 / 60; a rule's share applies to all its connections together
TELNET (other source) | Default | sharing 17% | 10 / 60; a rule's share applies to all its connections together

Classifying Traffic by Service and Source

The table below shows all the rules in one Rule Base.

All the Rules Together

Rule Name | Source | Destination | Service | Action
Web Rule | Any | Any | HTTP | Weight 35
RealAudio Rule | Any | Any | RealAudio | Weight 5
Marketing Rule | Marketing | Any | Any | Weight 30
Engineering Rule | Engineering | Any | Any | Weight 20
Default | Any | Any | Any | Weight 10

In this Rule Base, bandwidth allocation is based both on sub-networks and on services.

First Rule Match Principle

Consider again the Rule Base shown above under All the Rules Together.

In a production environment, a connection can match more than one rule. QoS works according to a first rule match principle. Each connection is examined against the QoS Policy and receives bandwidth according to the Action defined in the first rule that is matched.

If a user in Marketing initiates an HTTP connection, the connection matches the Web Rule and the Marketing Rule. The Web Rule comes before the Marketing Rule in the Rule Base, so the connection is matched to the Web Rule and given a weight of 35.

To differentiate HTTP traffic by source, create sub-rules for the Web Rule. See Sub-Rules.

Guarantees and Limits

Bandwidth allocation can also be defined using guarantees and limits. You can define guarantees and limits for rules or for individual connections in a rule.


The Web Rule in the All the Rules Together Rule Base has weight 35 out of a total of 100, so it allocates 35% of the available bandwidth to all the HTTP connections combined when every rule has active connections. The actual bandwidth allocated to connections that match this rule depends on:

  • Total available bandwidth

  • Open connections that match other rules

Note - Because the weights in this Rule Base add up to 100, 35% of available bandwidth is assured to Web Rule. Web Rule gets more bandwidth when fewer other rules have active connections, but never less than 35%.

As an alternative to relative weights, a guarantee can be used to specify bandwidth as an absolute value (in Bytes per second). In this table, Web Rule is guaranteed 20 KBps:

Guarantee Example

Rule Name | Source | Destination | Service | Action
Web Rule | Any | Any | HTTP | Guarantee 20 KBps, Weight 35
RealAudio Rule | Any | Any | RealAudio | Weight 5
Marketing Rule | Marketing | Any | Any | Weight 30
Engineering Rule | Engineering | Any | Any | Weight 20
Default | Any | Any | Any | Weight 10

Connections matched to Web Rule together receive 20 KBps before anything else is shared out. The remaining bandwidth is then allocated to all the active rules, Web Rule included, according to their weights, so Web Rule ends up with 20 KBps plus its weighted share of the rest.

For more on guarantees and limits, see Examples: Guarantees and Limits and Bandwidth Allocation and Sub-Rules.

Sub-Rules

Sub-rules are rules nested in a rule. For example, you can create a sub-rule that allocates more bandwidth to HTTP connections that originate in Marketing: HTTP connections whose Source is Marketing receive more bandwidth than other HTTP traffic. In this example, the Marketing HTTP sub-rule and the Default sub-rule are nested below the Web Rule:

Defining Sub-Rules

Rule Name | Source | Destination | Service | Action
Web Rule | Any | Any | HTTP | Weight 20
Start of Sub-Rule
Marketing HTTP | Marketing | Any | Any | Weight 10
Default | Any | Any | Any | Weight 1
End of Sub-Rule

Bandwidth is allocated to Web Rule according to its weight (20). Within Web Rule, that bandwidth is divided between its sub-rules in a 10:1 ratio, so the connections matched to Web Rule are allocated bandwidth according to these weights:

  • 10 for HTTP traffic from the Marketing department

  • 1 for everything else.

Notes:

  • There are two Default rules: one for the Rule Base and one for the Web Rule sub-rule.

  • The Source, Destination and Service fields of the sub-rule must always be a "sub-set" of the parent rule.

To create a sub-rule:

  1. Right-click in the Name field of the rule in which you want to create the sub-rule.

  2. Select Add Sub-Rule.
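The allocation arithmetic used in the tables above (weights shared among the rules that have active connections, the First Rule Match principle, a guarantee taken off the top before the rest is shared by weight, and a parent rule's share divided among its sub-rules) as an added Python simulation. This is not Check Point code and does not reproduce the gateway's real scheduler; it models only what the tutorial states. The Rule and Connection classes, the equal split among connections inside one rule, and reading "20 KBps" as 20000 bytes per second are assumptions of this example, and the sample connections are constructed for it.

```python
# Added simulation of the QoS bandwidth arithmetic this tutorial describes; not
# Check Point code, and it models only the stated rules, not the real scheduler.
# Assumptions: equal sharing among a rule's connections; "20 KBps" = 20000 B/s.
from dataclasses import dataclass, field

ANY = "Any"
FIELDS = ("source", "destination", "service")

@dataclass
class Rule:
    name: str
    source: str = ANY
    destination: str = ANY
    service: str = ANY
    weight: int = 10
    guarantee: float = 0.0          # bytes per second; 0 means no guarantee
    sub_rules: list = field(default_factory=list)

@dataclass
class Connection:
    name: str
    source: str
    destination: str
    service: str

def matches(rule, conn):
    return all(getattr(rule, f) in (ANY, getattr(conn, f)) for f in FIELDS)

def first_match(rules, conn):
    # First Rule Match principle: the first matching rule supplies the Action.
    for rule in rules:
        if matches(rule, conn):
            return rule
    raise ValueError(f"no rule matches {conn.name}; the last rule must be a Default")

def validate(rules, parent=None):
    # The last rule must be a catch-all Default, and every sub-rule must be a
    # subset of its parent ("Any" in a sub-rule means whatever the parent allows).
    last = rules[-1]
    if any(getattr(last, f) != ANY for f in FIELDS):
        raise ValueError(f"last rule {last.name!r} is not a Default (Any/Any/Any)")
    for rule in rules:
        for f in FIELDS:
            p, s = (getattr(parent, f) if parent else ANY), getattr(rule, f)
            if p != ANY and s != ANY and s != p:
                raise ValueError(f"sub-rule {rule.name!r}: {f}={s!r} is not a subset of {p!r}")
        if rule.sub_rules:
            validate(rule.sub_rules, rule)

def allocate(rules, conns, bandwidth):
    # Bytes per second per connection: guarantees come off the top, the rest is shared
    # by weight among rules with connections; a rule splits its share among sub-rules.
    validate(rules)
    groups = {}
    for conn in conns:
        groups.setdefault(first_match(rules, conn).name, []).append(conn)
    active = [r for r in rules if r.name in groups]      # idle rules get nothing
    if not active:
        return {}
    remaining = max(bandwidth - sum(min(r.guarantee, bandwidth) for r in active), 0.0)
    total_weight = sum(r.weight for r in active)
    result = {}
    for rule in active:
        share = min(rule.guarantee, bandwidth) + remaining * rule.weight / total_weight
        members = groups[rule.name]
        if rule.sub_rules:
            result.update(allocate(rule.sub_rules, members, share))
        else:
            for conn in members:                          # assumption: equal split
                result[conn.name] = share / len(members)
    return result

def percent(rules, conns, bandwidth=192000.0):
    # Share of the link per connection, rounded to 0.1%; 192000 B/s is the T1 preset.
    return {n: round(100 * b / bandwidth, 1) for n, b in allocate(rules, conns, bandwidth).items()}

# The tutorial's "All the Rules Together" Rule Base.
TUTORIAL = [Rule("Web Rule", service="HTTP", weight=35),
            Rule("RealAudio Rule", service="RealAudio", weight=5),
            Rule("Marketing Rule", source="Marketing", weight=30),
            Rule("Engineering Rule", source="Engineering", weight=20),
            Rule("Default", weight=10)]

# Constructed sample connections from hosts in neither department, so only the
# service rules and Default can match (the page's four-connection table).
FOUR = [Connection("HTTP", "Internet", "DMZ", "HTTP"),
        Connection("RealAudio", "Internet", "DMZ", "RealAudio"),
        Connection("FTP", "Internet", "DMZ", "FTP"),
        Connection("TELNET", "Internet", "DMZ", "TELNET")]

def guarantee_example():
    # Web Rule guaranteed 20 KBps with every rule active on a T1:
    # HTTP gets 20000 + 35% of the remaining 172000 = 80200 B/s.
    rules = [Rule("Web Rule", service="HTTP", weight=35, guarantee=20000.0)] + TUTORIAL[1:]
    conns = FOUR[:2] + [Connection("mkt", "Marketing", "Internet", "SMTP"),
                        Connection("eng", "Engineering", "Internet", "SMTP")] + FOUR[2:]
    return allocate(rules, conns, 192000.0)

def sub_rule_example():
    # Web Rule (weight 20) split 10:1 between Marketing HTTP and all other HTTP.
    web = Rule("Web Rule", service="HTTP", weight=20, sub_rules=[
        Rule("Marketing HTTP", source="Marketing", weight=10), Rule("Default", weight=1)])
    conns = [Connection("mkt-http", "Marketing", "Internet", "HTTP"),
             Connection("eng-http", "Engineering", "Internet", "HTTP"), FOUR[1]]
    return allocate([web, TUTORIAL[1], TUTORIAL[4]], conns, 192000.0)
```

Calling percent(TUTORIAL, FOUR) reproduces the four-connection table (70, 10, and 10 each for the two Default connections that share 20%), and percent(TUTORIAL, FOUR[:2]) shows the reallocation to 87.5 and 12.5 once FTP and TELNET close. first_match on an HTTP connection from Marketing returns Web Rule rather than Marketing Rule, which is the first-match behaviour the tutorial warns about, and sub_rule_example gives the Marketing HTTP connection ten times the bandwidth of the other HTTP connection inside Web Rule's share. validate refuses a Rule Base whose last rule is not a catch-all Default or whose sub-rule is not a subset of its parent, the two structural mistakes the text calls out.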

Installing a QoS Policy

To install a QoS Policy:

  1. In SmartDashboard, make changes to Policy rules and then click Update.

  2. In SmartConsole, click Install Policy.

  3. From the Policy list, select the policy to install.

  4. Click Policy Targets and select the Security Gateways that will get this Policy.

    Note - By default, no gateways are selected for QoS. You must select them manually.

  5. Click Install.

If the installation is successful, the new Policy is enforced by the Security Gateways on which it is installed. If installation fails, do these steps to see the error messages:

  1. Click the Task Information area, in the lower, left hand corner of SmartConsole.

  2. In the Recent Tasks area, click Details on the applicable error.

In the Install Policy Details window, click the ^ icon in the Status column to see the error messages. You must resolve all errors before you can successfully install the Policy.