Basic Policy Management
This section covers basic policy management.
Overview
This chapter describes the basic QoS Policy management that is required to enable you to define and implement a working QoS Rule Base. (QoS is the Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic, guarantee bandwidth and control latency. A Rule Base is all the rules configured in a given Security Policy; synonym: Rulebase.) More advanced QoS Policy management features are discussed in Advanced QoS Policy Management.
Rule Base Management
Opening the GUI Clients
To open SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), click SmartConsole in the Windows Start menu.
SmartDashboard (the legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower; in versions R80.X and higher it is still used to configure specific legacy settings) opens automatically when you open an existing QoS Policy, or after you create a new QoS Policy. It is generally not necessary to open SmartDashboard manually.
To open SmartDashboard manually:
- In SmartConsole, open a QoS Policy.
- Click Security Policies > Access Control > QoS. (Security Policies are the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.)
- In the QoS view, click Open QoS Policy in SmartDashboard.
SmartDashboard opens and the QoS view shows.
Important - Legacy SmartDashboard does not show the QoS and Desktop policies when an administrator with read-only permissions is logged in, and the "Desktop Security" policy is enabled in the policy package.
Overview
QoS policy is implemented by defining a set of rules in the Rule Base. (A rule is a set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.) The Rule Base specifies what actions are to be taken with the data packets. Each rule specifies:
- Source and destination of the traffic
- Services that can be used
- Times
- Logging and logging level
The Rule Base comprises the rules you create and a default rule (see: Default Rule). The default rule is automatically created with the Rule Base. It can be modified but cannot be deleted. Unless other rules apply, the default rule is applied to all data packets. The default rule is therefore always the last rule in the Rule Base.
Best Practice - Create your QoS rules based on actual traffic patterns. Use the Logs & Monitor features in SmartConsole to analyze traffic logs.
QoS inspects packets in a sequential manner. When QoS receives a packet for a connection, it compares it against the first rule in the Rule Base. Then against the second, then the third. When QoS finds a rule that matches, it stops checking and applies that rule.
If the matching rule has sub-rules the packets are then compared against the first sub-rule. Then the second, third, and other sub-rules until it finds a match.
If the packet fails to match a rule or sub-rule, the default rule or default sub-rule is applied. The first rule that matches is applied to the packet, not the rule that best matches.
After you have defined your network objects, services and resources, you can use them in building a Rule Base. For instructions on building a Rule Base, see: Managing QoS.
The QoS Policy Rule Base concept is equivalent to the Security Policy Rule Base. For more, see the: R81 Security Management Administration Guide.
Note - It is best to organize lists of objects (network objects and services) into groups. Using groups gives you a better overview of your QoS Policy and leads to a more readable Rule Base. New objects added to groups are automatically included in the rules.
Connection Classification
A connection is classified according to four criteria:
- Source: A set of network objects such as specified computers, networks, user groups or domains.
- Destination: A set of network objects such as specified computers, networks, user groups or domains.
- Service: A set of IP services, TCP, UDP, ICMP or URLs.
- Time: Specified days or time periods.
Network Objects
The network objects that can be used in QoS rules include workstations, networks, domains, and groups.
User Groups
QoS lets you define Groups of predefined users. For example, all the users in the marketing department can be grouped together in a User Group called Marketing. When defining a rule, you can use this group as the Source instead of adding individual users to the Source column of the rule.
Services and Resources
QoS allows you to define QoS rules, not only based on the source and destination of each communication, but also according to the service requested. The services that can be used in QoS rules include TCP, Compound TCP, UDP, ICMP and IP services.
Resources can also be used in a QoS Rule Base. They must be of type URI for QoS.
Time Objects
QoS allows you to define Time objects. Time objects are used to specify when a rule is enforced. Time objects can be defined for specified times or days. Days can be divided into days of the month or days of the week.
Bandwidth Allocation and Rules
A rule can specify three factors to be applied to bandwidth allocation for classified connections:
Weight
Weight is the percentage of the available bandwidth allocated to a rule. This is not the same as the weight in the QoS Rule Base, which is a manually assigned priority.
To calculate what percentage of the bandwidth the connections matched to a rule receives:
The weight = (Priority in SmartDashboard) / (Total priority of all the rules with open connections)
For example:
- This rule's weight (priority in SmartDashboard) is 12.
- The total weight (priority in SmartDashboard) of all the rules for which connections are currently open is 120.
Then all the connections open under this rule are allocated 12 / 120, or 10%. The weight of this rule is 10%, so the rule gets 10% of the available bandwidth while it is active. In practice, if other rules are not using their maximum allocated bandwidth, a rule can get more than the bandwidth allocated by this formula. Unless a per-connection limit or guarantee is defined for a rule, all connections under a rule receive equal weight.
Allocating bandwidth according to weights ensures full use of the line even if a specified class is not using all of its bandwidth. In such a case, the left-over bandwidth is divided between the remaining classes in accordance with their relative weights. Units are configurable; see Defining QoS Global Properties.
Guarantees
A guarantee allocates a minimum bandwidth to the connections matched with a rule.
Guarantees can be defined for:
-
The sum of all connections in a rule.
A total rule guarantee reserves a minimum bandwidth for all the connections below a rule. The actual bandwidth allocated to each connection depends on the number of open connections that match the rule. The total bandwidth allocated to the rule cannot be less than the guarantee. The more connections that are open, the less bandwidth each connection receives.
-
Individual connections in a rule.
A per-connection guarantee means that each connection that matches the specified rule is guaranteed a minimum bandwidth.
Note - Although weights guarantee the bandwidth share for specified connections, only a guarantee lets you specify an absolute bandwidth value.
Limits
A limit specifies the maximum bandwidth that is assigned to all the connections together. A limit defines a point after which connections below a rule are not allocated more bandwidth, even if there is surplus bandwidth available.
Limits can also be defined for the sum of all connections in a rule or for individual connections within a rule.
For more information on weights, guarantees and limits, see Action Type.
Note - Bandwidth allocation is not fixed. As connections are opened and closed, QoS continuously changes the bandwidth allocation to accommodate competing connections, in accordance with the QoS Policy.
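The interaction of weights, guarantees and limits described above (weight share from the priorities of rules with open connections, a guarantee as a floor, a limit as a ceiling, and surplus from capped rules redistributed by weight) can be checked with a small allocator. This is an added example written for this page, not Check Point's QoS implementation: the QosRule model, the kbps units and the order in which guarantees, weight shares and surplus are applied are assumptions that follow the description in this section.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class QosRule:
    """One QoS rule as the allocator sees it (constructed model, not Check Point's data structure)."""
    name: str
    weight: int                     # the weight column in the Rule Base: a manually assigned priority
    open_connections: int = 0       # rules with no open connections do not take part in the formula
    guarantee: float = 0.0          # Rule Guarantee in kbps; 0 means no guarantee
    limit: Optional[float] = None   # Rule Limit in kbps; None means no limit


def active_rules(rules):
    """Only rules that currently have open connections count in the weight calculation."""
    return [r for r in rules if r.open_connections > 0]


def weight_share(rule, rules):
    """Effective weight = rule priority / total priority of all rules with open connections."""
    active = active_rules(rules)
    if rule not in active:
        return 0.0
    return rule.weight / sum(r.weight for r in active)


def allocate(rules, link_kbps):
    """Distribute the link bandwidth across the active rules.

    1. Every active rule first receives its guarantee (never more than its limit).
    2. What is left is shared by effective weight among rules that have not hit their limit.
    3. Bandwidth a capped rule cannot use is handed out again by weight, so the line
       stays fully used unless every active rule is capped.
    Assumption: the link is large enough to satisfy all guarantees.
    """
    active = active_rules(rules)
    alloc = {r.name: 0.0 for r in rules}
    remaining = float(link_kbps)
    for r in active:
        guaranteed = r.guarantee if r.limit is None else min(r.guarantee, r.limit)
        alloc[r.name] = guaranteed
        remaining -= guaranteed
    uncapped = [r for r in active if r.limit is None or alloc[r.name] < r.limit]
    while remaining > 1e-9 and uncapped:
        total_weight = sum(r.weight for r in uncapped)
        handed_out = 0.0
        still_open = []
        for r in uncapped:
            share = remaining * r.weight / total_weight
            room = share if r.limit is None else r.limit - alloc[r.name]
            given = min(share, room)
            alloc[r.name] += given
            handed_out += given
            if r.limit is None or alloc[r.name] < r.limit - 1e-9:
                still_open.append(r)
        remaining -= handed_out
        if len(still_open) == len(uncapped):
            break               # nobody hit a limit this pass, so everything was distributed
        uncapped = still_open   # redistribute the surplus the capped rules could not use
    return alloc


def per_connection(rules, link_kbps):
    """Without per-connection settings, every connection under a rule receives an equal share."""
    alloc = allocate(rules, link_kbps)
    return {r.name: (alloc[r.name] / r.open_connections if r.open_connections else 0.0)
            for r in rules}


if __name__ == "__main__":
    # Constructed sample: the 12 / 120 = 10% case from the text, plus an idle rule that is ignored.
    rules = [QosRule("Sales", 12, open_connections=3),
             QosRule("Backup", 108, open_connections=1),
             QosRule("Idle", 50)]
    print(weight_share(rules[0], rules), allocate(rules, 1000), per_connection(rules, 1000))
```

Running the sample with a 500 kbps limit on Backup shows the point made in the text: Sales ends up with 500 kbps, five times the 10% its weight alone would give, because the surplus Backup cannot use is redistributed.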
Default Rule
A default rule is automatically added to each QoS Policy Rule Base, and assigned the weight specified in the QoS page of the Global Properties window. You can change the weight, but you cannot delete the default rule.
The default rule applies to all connections not matched by the other rules or sub-rules in the Rule Base.
A default rule is automatically added to each group of sub-rules, and applies to connections not classified by the other sub-rules in the group.
QoS Action Properties
In the QoS Action Properties window you can define bandwidth allocation properties, limits and guarantees for a rule.
Action Type
These are the two types of QoS actions:
Action Type | Recommended | Express
---|---|---
Simple | Yes | Yes
Advanced | Yes | No
Simple
The Simple action type has these action properties:
- Apply rule only to encrypted traffic
- Rule weight
- Rule limit
- Rule guarantee
Advanced
The Advanced rule type has these properties:
- Per rule
- Per connection
- Per rule guarantee
- Per connection guarantee
- Number of permanent connections
- Accept additional connections
Example of a Rule Matching VPN Traffic
VPN traffic is traffic that is encrypted by the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources). VPN traffic does not refer to traffic that was encrypted by a non-Check Point product before arriving at this Security Gateway. That type of traffic can be matched using the IPSec service.
When Apply rule only to encrypted traffic is selected in the QoS Action Properties window, only VPN traffic is matched to the rule. If this field is not checked, all types of traffic (both VPN and non-VPN) are matched to the rule.
Use the Apply rule only to encrypted traffic option to create a Rule Base that applies only to VPN traffic, with actions that differ from those applied to non-VPN traffic. Because QoS uses the First Rule Match concept, the VPN traffic rules must be defined as the top rules in the Rule Base. Below them, define rules that apply to all other types of traffic. Other types of traffic skip the top rules and match one of the non-VPN rules. To separate VPN traffic from non-VPN traffic, define this rule at the top of the QoS Rule Base:
Name | Source | Destination | Service | Action
---|---|---|---|---
VPN rule | Any | Any | Any | VPN Encrypt, and other configured actions
All the VPN traffic is matched to this rule. The rules below this VPN Traffic Rule are then checked only against non-VPN traffic. You can define sub-rules below the VPN Traffic rule that classify the VPN traffic with more granularity.
Bandwidth Allocation and Sub-Rules
When a connection is matched to a rule with sub-rules, the sub-rules are checked for match. If none of the sub-rules apply, the default rule for the sub-rules is applied (see Default Rule).
Sub-rules can be nested, meaning that sub-rules themselves can have sub-rules. The same rules then apply to the nested sub-rules. If the connection matches a sub-rule that has sub-rules, the nested sub-rules are checked for a match. If none of the nested sub-rules apply, the default rule for the nested sub-rules is applied.
Bandwidth is allocated on a top-down basis. This means that:
- A sub-rule cannot give more bandwidth to a matching connection than the rule in which the sub-rule is located.
- A nested sub-rule cannot give more bandwidth than the sub-rule in which it is located.
A Rule Guarantee must always be greater than or equal to the Rule Guarantee of a sub-rule in that rule. The same applies to Rule Guarantees in sub-rules and their nested sub-rules.
For example:
Bandwidth Allocation in Nested Sub-Rules:
Rule Name | Source | Destination | Service | Action
---|---|---|---|---
Rule A | Any | Any | ftp | Rule Guarantee - 100KBps, Weight 10
Start of Sub-Rule A | | | |
Rule A1 | Client-1 | Any | ftp | Rule Guarantee - 100KBps, Weight 10
Start of Sub-Rule A1 | | | |
Rule A1.1 | Any | Any | ftp | Rule Guarantee - 80KBps, Weight 10
Rule A1.2 | Any | Any | ftp | Weight 10
End of Sub-Rule A1 | | | |
Rule A2 | Client-1 | Any | ftp | Weight 10
End of Sub-Rule A | | | |
Rule B | Any | Any | http | Weight 30
In this example, surplus bandwidth from the application of Rule A1.1 is applied to Rule A2 before it is applied to Rule A1.2.
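The first-match walk described under Overview (a rule, then its sub-rules, then the default rule of that group), the placement of an "Apply rule only to encrypted traffic" rule at the top of the Rule Base, and the guarantee constraint between a rule and its sub-rules can all be exercised with this added example. It is written for this page and is not Check Point code: the Rule and Connection classes are a constructed model, and the Rule Base it builds is modelled on the table above with two assumed changes so that every sub-rule is reachable (Rule A1.1 is narrowed to destination Server-1, and Rule A2 matches Client-2 instead of Client-1), plus a VPN rule on top as in the VPN section.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "Any"


@dataclass
class Connection:
    """A connection to classify: the four criteria, plus whether the Security Gateway encrypted it."""
    source: str
    destination: str
    service: str
    encrypted: bool = False


@dataclass
class Rule:
    """A QoS rule with optional sub-rules (constructed model, not Check Point's internal format)."""
    name: str
    source: str = ANY
    destination: str = ANY
    service: str = ANY
    guarantee_kbps: Optional[int] = None    # Rule Guarantee; None if the rule has none
    weight: int = 10
    encrypted_only: bool = False            # "Apply rule only to encrypted traffic"
    is_default: bool = False                # default rule: always last in its group, matches everything
    sub_rules: List["Rule"] = field(default_factory=list)


def matches(rule: Rule, conn: Connection) -> bool:
    if rule.is_default:
        return True
    return (rule.source in (ANY, conn.source)
            and rule.destination in (ANY, conn.destination)
            and rule.service in (ANY, conn.service)
            and (conn.encrypted or not rule.encrypted_only))


def classify(rules: List[Rule], conn: Connection) -> Tuple[str, ...]:
    """First-match walk of the Rule Base. Returns the chain of rule names from the top-level
    rule down to the (sub-)rule that finally applies. At each level the first match wins;
    no later, 'better' match is considered."""
    for rule in rules:
        if matches(rule, conn):
            if rule.sub_rules:
                return (rule.name,) + classify(rule.sub_rules, conn)
            return (rule.name,)
    raise ValueError("no default rule at this level; a QoS Rule Base always ends with one")


def guarantee_violations(rules: List[Rule], ceiling: Optional[int] = None) -> List[str]:
    """A sub-rule's Rule Guarantee may not exceed the guarantee of the rule that contains it.
    Assumption: a rule with no guarantee of its own passes the ceiling it inherited to its sub-rules."""
    found = []
    for rule in rules:
        if rule.guarantee_kbps is not None and ceiling is not None and rule.guarantee_kbps > ceiling:
            found.append(f"{rule.name}: guarantee {rule.guarantee_kbps} KBps exceeds "
                         f"parent guarantee {ceiling} KBps")
        next_ceiling = rule.guarantee_kbps if rule.guarantee_kbps is not None else ceiling
        found.extend(guarantee_violations(rule.sub_rules, next_ceiling))
    return found


def build_rule_base() -> List[Rule]:
    """Constructed Rule Base modelled on the nested sub-rule table (see the lead-in for the changes)."""
    rule_a1 = Rule("Rule A1", source="Client-1", service="ftp", guarantee_kbps=100, sub_rules=[
        Rule("Rule A1.1", destination="Server-1", service="ftp", guarantee_kbps=80),  # assumed narrowing
        Rule("Rule A1.2", service="ftp"),
        Rule("Default A1", is_default=True),
    ])
    rule_a = Rule("Rule A", service="ftp", guarantee_kbps=100, sub_rules=[
        rule_a1,
        Rule("Rule A2", source="Client-2", service="ftp"),   # assumed: Client-2 so A2 is reachable
        Rule("Default A", is_default=True),
    ])
    return [
        Rule("VPN rule", encrypted_only=True),   # top rule: catches all VPN traffic first
        rule_a,
        Rule("Rule B", service="http", weight=30),
        Rule("Default", is_default=True),
    ]


if __name__ == "__main__":
    rb = build_rule_base()
    print(classify(rb, Connection("Client-1", "Server-1", "ftp")))      # Rule A > Rule A1 > Rule A1.1
    print(classify(rb, Connection("Client-1", "Server-1", "http", encrypted=True)))  # VPN rule
    print(guarantee_violations(rb))                                      # [] for the table as given
```

Raising Rule A1.1's guarantee above the 100KBps of Rule A1 makes guarantee_violations report it, which is the check to run before publishing a policy whose sub-rules were edited independently of their parents.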
Using Policies
After you define your QoS rules in the Rule Base, you must publish your SmartConsole session, and then install the policies on your Security Gateways. The policy installation procedure automatically validates the rules and objects. If there are verification errors, a message shows in the Install Policy Details tab.
After policy installs successfully, the Security Gateways enforce the policy rules.
Note - Make sure the QoS blade is enabled on the Security Gateway before you install the policy.
Installing a QoS Policy
To install a QoS Policy:
- In SmartDashboard, make changes to Policy rules and then click Update.
- In SmartConsole, click Install Policy.
- From the Policy list, select the policy to install.
- Click Policy Targets and select the Security Gateways that will get this Policy.
  Note - By default, no gateways are selected for QoS. You must select them manually.
- Click Install.
If the installation is successful, the new Policy is enforced by the Security Gateways on which it is installed. If installation fails, do these steps to see the error messages:
- Click the Task Information area, in the lower left-hand corner of SmartConsole.
- In the Recent Tasks area, click Details on the applicable error.
In the Install Policy Details window, click the ^ icon in the Status column to see the error messages. You must resolve all errors before you can successfully install the Policy.