Introduction to QoS

Important - From R81, Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. also refers to a VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Virtual System.

The Check Point QoS Solution

QoSClosed Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency. is a policy based bandwidth management solution that lets you:

  • Prioritize business-critical traffic, such as ERP, database and Web services traffic, over lower priority traffic.

  • Guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing.

  • Give guaranteed or priority access to specified employees, even if they are remotely accessing network resources.

You deploy QoS with the Security Gateway.

QoS is enabled for both encrypted and unencrypted traffic.

Item

Description

1

SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.

2

Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.

3

QoS Policy

4

Security Gateway with QoS Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.

5

Internet

6

Internal network

QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check Point patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic. This state information is used to classify traffic by service or application. After traffic has been classified, QoS applies an innovative, hierarchical, Weighted Fair Queuing (WFQClosed Weighted Fair Queuing. An algorithm to precisely control bandwidth allocation in QoS.) algorithm to accurately control bandwidth allocation.

Features and Benefits

QoS gives these features and benefits:

  • Flexible QoS policies with weights, limits and guarantees

    QoS lets you create basic policies that can be modified to include the Advanced QoS features described in this section.

  • Integration with the Security Gateway

    The integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration. This lets you optimize network performance for VPN and unencrypted traffic.

  • Performance analysis

    Monitor system performance with the Logs & Monitor view in SmartConsole.

  • Integrated DiffServ support

    Add one or more Diffserv Classes of Service to the QoS Policy Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase..

  • Integrated Low Latency Queuing

    Define special classes of service for "delay sensitive" applications like voice and video to the QoS Policy RuleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base.

  • No need to deploy separate VPN, Firewall and QoS devices

    QoS and Firewall share a common architecture and many core technology components. User-defined network objects can be used in both solutions.

  • Proactive management of network costs

    QoS monitoring systems let you to be proactive in managing your network and controlling network costs.

  • Support for end-to-end QoS for IP networks

    QoS offers full support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.

  • CoreXL and SecureXL support

    Packet acceleration. IPv6 Support.

  • VSX Support

    QoS fully supports VSX.

QoS Policy Types

This release includes two QoS Policy types:

  • Express - Quickly create basic QoS Policies

  • Recommended - Create advanced Policies with the full set of QoS features

This table shows the difference between the Recommended and Express policy types.

Features

Recommended

Express

To learn more

IPv6 Support

 

Weights

Weight

Limits (whole rule)

Limits

Logging

Overview of Logging

Accounting

*

 

Support for hardware acceleration

 

 

High Availability and Load Sharing

 

Guarantees
(Per connection)

 

Guarantees

Limits (Per connection)

 

 

LLQClosed Low Latency Queuing is a feature developed by Cisco to bring strict priority queuing (PQ) to class-based weighted fair queuing (CBWFQ). LLQ allows delay-sensitive data (such as voice) to be given preferential treatment over other traffic by letting the data to be dequeued and sent first. (controlling packet delay in QoS)

 

Low Latency Queuing

DiffServ

 

Differentiated Services (DiffServ)

Sub-rules

 

 

Matching by URI resources

 

 

Matching by DNS string

 

 

SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. support

 

 

CoreXLClosed Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. support

 

 

SmartLSM clusters

 

 

VSX Support

 

 

If you select Paste, then the Paste menu will be opened. You must then select Bottom, Top, Above, or Below to specify where in the Rule Base to paste the rule.

* You must disable SecureXL and CoreXL before you can use this feature.

To select a QoS Policy type:

  1. In SmartConsole menu, click Manage policies and layers.

  2. In the Manage Policies window, click New or select an existing Policy and then click Edit.

  3. Select QoS, and then select Recommended or Express.

Acceleration Support for R77 Policies

After a clean install or upgrade to R81.20, QoS supports SecureXL and CoreXL acceleration technologies.

Important: After a clean install or upgrade, SecureXL and CoreXL are enabled by default. If you have a QoS policy created for R77 and earlier, these features are not supported when acceleration is enabled:

  • IPSO

  • Security Gateways below R77.10

  • SmartView Monitor - QoS views do not correctly show traffic accelerated by SecureXL

To use these features you must disable QoS. See: Disabling QoS Acceleration Support

Workflow

This topic shows a high-level workflow for creating an effective QoS Policy.

Note: QoS must be enabled on the gateway and at least one interface for the workflow to succeed. If QoS is not enabled on at least one interface, Install Policy will fail.

Do these steps in SmartConsole:

  1. Enable QoS for each applicable Security Gateway.

  2. Configure QoS Global Properties.

  3. Create or change a QoS Policy.

  4. Configure log collection and system monitoring for QoS.

  5. Publish the SmartConsole session.

Do these steps in SmartDashboard:

  1. Define the gateway networks, services and other related objects.

  2. Define QoS rules (basic and advanced).

  3. Configure specialized QoS features.

    1. Differentiated Services (DiffServ).

    2. Low Latency Queuing.

Go back to SmartConsole to do these steps:

  1. Publish the SmartConsole session.

  2. Install Policy.

    Note - In the SmartConsole Install Policy window, make sure you select QoS.

Limitations

These limitations apply to Scalable Platforms:

  • QoS is not supported when a Security Group is configured in the Layer 4 distribution mode.

  • QoS policy is applied on each Security Group Member.