Managing QoS
This chapter shows you how to configure and manage QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency.. These procedures assume that you have opened SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., as described in Opening the GUI Clients .
Defining QoS Global Properties
Watch the Video
The QoS global properties include default values for QoS rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. parameters and unit of measure.
Configure QoS global properties in SmartConsole.
|
Note: You must close SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. before you can work with global properties. |
To configure QoS Global Properties:
-
In SmartConsole click Application > Global properties > QoS.
-
In the Global Properties window, configure these parameters:
Weight:
-
Maximum weight of rule: The maximum weight that can be assigned to rules. The default value is 1000.
-
Default weight of rule: The weight to be assigned in the Action column by default to new rules, including new Default rules.
Rate:
-
Unit of measure: The unit specified in QoS windows by default for transmission rates (for example, Bps - Bytes per second).
-
-
Click Set Default to save the default values.
Changing QoS Global Properties
To configure QoS Global Properties:
-
From the Policy menu, choose Global Properties or click the Edit Global Properties icon in the toolbar.
The Global Properties window opens showing these fields:
In the Weight area:
-
Maximum weight of rule: The maximum weight that can be assigned to rules. The default value is 1000, but can be changed to any number.
-
Default weight of rule: The weight to be assigned in the Action column by default to new rules, including new Default rules.
In the Rate area:
-
Unit of measure: The unit specified in QoS windows by default for transmission rates (for example, Bps - Bytes per second).
-
-
Click OK to save the changes to the QoS Global Properties.
Interface QoS Properties
You must first define the network objects, that is, the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and its interfaces on which QoS controls traffic flow.
After defining the interfaces you can specify the QoS properties for those interfaces. This is done in the QoS tab of the Interface Properties window. Defining the interface QoS properties involves setting the Inbound and Outbound active transmission rates and specifying the Differentiated Services (DiffServ) and Low Latency classes. You can change these definitions at any time.
|
Note - The QoS tab is only enabled for the interfaces of gateways that have QoS selected on the General Properties page of the Security Gateway. |
Configuring Interface QoS Properties
To configure Security Gateway interfaces
-
Open SmartConsole.
-
Click Gateways & Servers and double-click the applicable Security Gateway object.
-
In the General Properties, click Network Management.
The Check Point Gateway - Topology window opens.
-
If a list of interfaces does not show, click Get Interface.
If you choose this method of configuring the Security Gateway, the topology fetched suggests the external interface of the Security Gateway based on the QoS Security Gateway routing table. You must make sure that this information is correct.
-
Double-click the appropriate interface.
-
In the Interface Properties window, click the QoS tab.
-
In the DiffServ and Low Latency classes area, you can specify the Differentiated Services (DiffServ) and Low Latency Queuing classes to be used on the interface.
You can Add, Edit or Remove a class. Refer to Working with Differentiated Services (DiffServ) and Defining a Low Latency Class for more details on adding or editing DiffServ and Low Latency Classes.
For information about DiffServ and Low Latency classes, see Differentiated Services (DiffServ) and Low Latency Queuing.
-
Click OK.
Changes to the interface QoS properties are saved.
Do steps 4 - 7 for each applicable interface.
Notes:
-
Interfaces on the WAN side (or interfaces connected to a slower network) are typically defined as active. On a gateway with only two interfaces, enable QoS only on the interface connected to the WAN. If the gateway controls DMZ traffic, you can install QoS on the interface connected to the DMZ.
-
Select Inbound Active to control traffic on this interface in the inbound direction.
-
From the Rate list, select or enter the available bandwidth in the inbound direction.
-
Check Outbound Active to control traffic on this interface in the outbound direction.
-
From the Rate list select or enter the available bandwidth in the outbound direction.
-
-
Make sure that the rates correspond to the actual physical capacity of the interfaces.
QoS cannot not make sure the defined rates are compatible with the interface hardware.
If the defined rate is less than the physical capacity, QoS uses only specified capacity. Excess capacity is not used. If the defined rate greater than the physical capacity, QoS cannot control traffic correctly.
Working with QoS Policies
QoS policy is an ordered set of QoS rules in the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. The Rule Base contains rules that you create, and a default rule. The default rule is automatically created with the Rule Base. It can be modified but cannot be deleted. The fundamental concept is that unless other rules apply, the default rule is applied to all data packets. The default rule is therefore always the last rule in the Rule Base.
The Rule Base specifies what actions are to be taken with the data packets. It specifies the source and destination of the communication, what services can be used, at what times, whether to log the connection and the logging level.
A QoS Rule Base is applied to specific gateways and interfaces. After you have created the Policy and defined its QoS rules you must install it on the relevant QoS gateways.
To Create New QoS Policy
-
On the gateway, make sure that the QoS blade is enabled.
-
In SmartConsole, from the File menu, select Manage Policies and Layers.
-
Click New.
-
In the Policy window, enter a Policy name.
This name cannot:
-
Contain any reserved words or spaces.
-
Start with a number.
-
Contain any of the following characters: %, #, ', &, *, !, @, ?, <, >, /, \, :.
-
End with any of the following suffixes: .pf, .W.
-
-
Select QoS and then select a QoS Policy type:
-
Express - Quickly create basic QoS Policies
-
Recommended (default) - Create advanced Policies with the full set of QoS features
Note: There are some limitations that can prevent you from enabling SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. or CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. with QoS Policies. For more, see: Acceleration Support for R77 Policies.
-
-
Click OK.
The system saves the new Policy and SmartDashboard opens automatically. You can start to define your rules here.
Opening an Existing QoS Policy
To Open an Existing Policy:
-
In SmartConsole, click Security Policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. > Manage Policies.
-
In the Manage Policies window, double-click a QoS Policy.
SmartDashboard opens.
Creating New Rules
You work with rules in SmartDashboard. When you add rules, you can put the new rule anywhere in the Rule Base except after the last rule. The Default Rule must always be at the bottom of the Rule Base.
To create a new rule:
-
In the QoS tab, at the position where you want to add a new rule.
-
Add a new rule from the Rule menu, the toolbar, or right-click a name in the Name column of a rule to display the Rule menu.
The Rule Name window opens.
-
Enter the name of the rule in the Rule Name field.
-
Click OK.
The rule is added to the Rule Base at the selected position, with the values defined in the QoS page of the Global Properties window.
To add a rule |
Select from |
---|---|
After the last rule |
Rules > Add Rule > Bottom |
Before the first rule |
Rules > Add Rule > Top |
After the current rule |
Rules > Add Rule > Below |
Before the current rule |
Rules > Add Rule > Above |
To the current rule |
Rules > Add Sub-Rule |
Right-click a rule to use these menu commands:
Option |
Explanation |
---|---|
Add Rule above |
Adds a rule before the current rule. |
Add Rule below |
Adds a rule after the current rule. |
Add Sub-Rule |
Deletes the current rule. |
Delete Rule |
Deletes the current rule. |
Copy Rule |
Copies the current rule to the clipboard. |
Cut Rule |
Deletes the current rule and puts it in the clipboard. |
Paste Rule |
Pastes the rule in the clipboard (a sub-menu is displayed from which you can select whether to paste the rule above or below the current rule). |
Add Class of Service |
Specifies a Class of Service (see Differentiated Services (DiffServ) and Low Latency Queuing ). A sub-menu is displayed from which you can select whether the Class of Service is to be added above or after the current rule. |
Hide Rule |
Hides the current rule. The rule is still part of the Rule Base and will be installed when the QoS Policy is installed. |
Disable Rule |
Disables the current rule. The rule appears in the Rule Base but is not enforced by the QoS Policy. |
Rename Rule |
Renames the current rule. |
> |
Best Practice - For adding new QoS rules in an environment with limited bandwidth. Open Global Properties and set a default weight for each new rule. Weight is the percentage of the available bandwidth allocated to a rule. Leave the default weight at 10. Changing the value to less than 10 can result in a complete loss of bandwidth for that rule. |
Changing the Rule Name
To change the rule name:
-
In the QoS tab, double-click the Name column in the rule to rename.
-
In the Rule Name window, enter the new rule name in the Rule Name field.
-
Click OK.
To Copy, Cut or Paste a Rule
You can copy, cut or paste a rule using either the Edit or Rules menus or the right-click menu of the selected rule.
-
In the QoS tab, select the rule you want to copy, cut or paste.
-
From the Edit or Rules menu, select one these options:
Action
From
selectCut
Edit > Cut
Copy
Edit > Copy
Paste
Edit > Paste
If you select Paste, then the Paste menu will be opened. You must then select Bottom, Top, Above, or Below to specify where in the Rule Base to paste the rule.
To Delete a Rule
You can delete a rule using either the right-click menu of the selected rule or clicking the Delete button on the toolbar.
-
In the QoS tab, select the rule you want to delete.
-
Click Delete on the toolbar.
-
Click Yes to delete the selected rule.
Working with Rules
You can change rule fields, as often as you like, until the rule is in the form that you require. Configure the source and destination of each communication, services that can be used (TCP, Compound TCP, UDP, and ICMP), actions to be taken with the data packets, whether to maintain a log of the entries for the selected rule, and interfaces of the QoS Security Gateway that the rule is enforced.
This section describes the procedures for modifying the various fields in a rule. Refer to Basic Policy Management for more details about rules.
Modifying Sources in a Rule
You can modify the source(s) of the communication in a rule. You can add as many sources as required. In addition, you can restrict the sources of the rule to particular user groups, or to user groups originating from specific locations.
To Add Sources to a Rule
-
From the Rule Base select the rule to modify.
-
Right-click the Source column of the selected rule and select Add.
The Add Object window shows listing the network objects defined in the Security Policy and the QoS Policy.
Note - You can also use the Add Object window to define new objects and delete or modify objects.
-
Select one or more network objects (using the standard Windows selection keys) to add to the rule's Source.
-
Click OK.
-
The objects are added to the Source field.
-
You can add as many sources as required.
-
To Add User Access to the Sources of a Rule
-
From the Rule Base select the rule you want to modify.
-
Right-click in the Source column of the selected rule and select Add Users Access.The User Access window is displayed.
-
Select one of the user groups to add to the rule's Source.
-
Select whether you want to restrict the Location, as follows:
-
No restriction: There is no restriction on the source of the users. For example, if you select All Users and check No restriction, then AllUsers@Any will be inserted under Source in the rule.
-
Restrict to: The source is restricted to the network object you select in the list box. For example, the source object in the rule will be AllUsers@Local_Net.
-
-
Click OK to add the user access to the rule source.
To Edit, Delete, Cut, Copy or Paste a Source in a Rule
You can edit, delete, cut, copy or paste a source in a rule using the right-click menu of the selected source.
-
From the Rule Base select the rule to modify.
-
Right-click on the Source of the selected rule.
-
Select one of these options:
-
Edit: The appropriate window is opened, according to the type of object selected, and you can change the object's properties. Alternatively, you can double-click on an object in the Source column of the selected rule to edit it.
-
Delete: The selected object is deleted. If you delete the last source object in the rule it is replaced by Any.
-
Cut: The selected object is cut and put it in the clipboard.
-
Copy: The selected object is copied to the clipboard.
-
Paste: The object is pasted from the clipboard to the rule's Source.
-
To View Where an Object is Used
You can view where the selected object is used (in queries, active policies, and so on).
-
From the Rule Base select the rule to modify.
-
Right-click on the Source of the selected rule.
-
Select Where Used.
The Object References window opens showing where the selected object is used (in queries, active policies, and so on).
-
Click Close to return to the rule.
Modifying Destinations in a Rule
You can modify the destination(s) of the communication in a rule. You can add as many destinations as required.
To Add Destinations to a Rule
-
From the Rule Base select the rule to modify.
-
Right-click in the Destination column of the selected rule.
-
Select Add.
The Add Object window opens), listing the network objects defined in the Security Policy and the QoS Policy.
Note - You can also use the Add Object window to define new objects and delete or modify objects.
-
Select one or more network objects (using the standard Windows selection keys) to add to the rule's Destination.
-
Click OK.
The objects are added to the Destination field. Add as many destinations as required.
To Edit, Delete, Cut, Copy or Paste a Destination in a Rule
You can edit, delete, cut, copy or paste a destination in a rule using the right-click menu of the selected source.
-
From the Rule Base select the rule you want to modify.
-
Right-click on the Destination of the selected rule and select one of the following options:
-
Edit: The appropriate window is opened, according to the type of object selected, and you can change the object's properties. Alternatively, you can double-click on an object in the Destination column of the selected rule to edit it.
-
Delete: The selected object is deleted. If you delete the last destination object in the rule it is replaced by Any.
-
Cut: The selected object is cut and put it in the clipboard.
-
Copy: The selected object is copied to the clipboard.
-
Paste: The object is pasted from the clipboard to the rule's Destination.
-
To View Where an Object is Used
You can view where the selected object is used (in queries, active policies, and so on).
-
From the Rule Base choose the rule you want to modify.
-
Right-click on the Source of the selected rule and choose Where Used. The Object References window is displayed showing you where the selected object is used (in queries, active policies, and so on).
-
Click Close to return to the rule.
Modifying Services in a Rule
You can modify the service(s) in a rule. You can add as many services as required, however, you can only add one URI for QoS resource in a single rule.
|
Note - Previous versions of QoS have not limited the number of URIs for QoS resources allowed per rule. If you are using a QoS Policy originally designed for use with a previous QoS version, be sure to redefine any rule that has more than one resource in its Service Field. |
To Add Services to a Rule
-
From the Rule Base select the rule to modify.
-
Right-click in the Service column of the selected rule.
-
Select Add.
The Add Object window shows listing the network objects defined in the Security Policy and the QoS Policy.
-
Select one or more network objects (using the standard Windows selection keys) to add to the rule's Service.
-
Click OK.
The objects are added to the Service field.
-
You can add as many services as required.
-
Only one URI for QoS service is allowed.
-
To Add a Service with a Resource to a Rule
-
From the Rule Base choose the rule you want to modify.
-
Right-click in the Service column of the selected rule and select Add with Resources.
The Services with Resource window opens.
You can only add one service with a resource to a rule, so this option will only be available if you have not already added a service with a resource to this rule.
-
Select one of the services in the Location area.
-
Select the appropriate resource from the Resource list.
-
Only resources of type URI for QoS can be added to the QoS Rule Base. URI for QoS is used for identifying HTTP traffic according to the URL (URI).
-
Do not use the protocol prefix (
http://
) when setting up a URI resource. HTTP services with URI for QoS resources can be defined on all ports. -
The regular expression supported by QoS is of form a*b where a and b are strings and * is wildcard. See Appendix: Regular Expressions.
-
Both full and relative URI are supported:
-
Full URI: Use the full URI but without protocol prefix (for example, do not use "
http://
"). Valid full URI example: "www.my-site.com/pic/qos.gif
" -
Relative URI: Use the URI that starts just after the domain name. The relative URI must start with slash. For example: "
/pic/qos.gif
"
-
-
-
Click OK to add the service with a URI for QoS resource to the rule.
Note - Only one resource is allowed in a single rule.
To Edit, Delete, Cut, Copy or Paste a Service in a Rule
You can edit, delete, cut, copy or paste a service in a rule using the right-click menu of the selected service.
-
From the Rule Base the select the rule to modify.
-
Right-click on the Service of the selected rule.
-
Select one of these options:
-
Edit: The appropriate window is opened, according to the type of object selected, and you can change the object's properties. Alternatively, you can double-click on an object in the Service column of the selected rule to edit it.
-
Delete: The selected object is deleted. If you delete the last service object in the rule it is replaced by Any.
-
Cut: The selected object is cut and put it in the clipboard.
-
Copy: The selected object is copied to the clipboard.
-
Paste: The object is pasted from the clipboard to the rule's Service.
-
To View Where an Object is Used
You can view where the selected object is used (in queries, active policies, and so on).
-
From the Rule Base select the rule to modify.
-
Right-click on the Service of the selected rule.
-
Select Where Used.
The Object References window opens showing you where the selected object is used (in queries, active policies, and so on).
-
Click Close to return to the rule.
Modifying Rule Actions
You can modify the default properties of a rule. The available options depend on whether it is a simple or advanced type of rule. The advanced rule action type enables you to specify limits and guarantee allocation on a per connection basis.
To Edit the Rule Actions
-
From the Rule Base choose the rule you want to modify.
-
Right-click in the Action column of the selected rule and select Edit Properties.
The QoS Action Properties window opens.
-
If the Action Type of the rule is defined as Simple, the QoS Action Properties window opens.
-
If the Action Type of the rule is defined as Advanced, the QoS Action Properties window opens.
Note - When Express QoS has been installed, Advanced Actions are not available.
-
-
The following properties are displayed for a QoS rule with a simple action type. You can change any of these fields:
In the Action Type area:
-
Simple: The full set of actions with the exception of the Guarantee Allocation and the per connection limit features.
-
Advanced: The full set of actions with the Guarantee Allocation feature included.
-
In the VPN Traffic area:
-
Allow rule only to encrypted traffic
Check this box if you want the rule to be matched only by VPN traffic. If you do not check this field, rules will be matched by all traffic types, both VPN and non-VPN traffic. VPN traffic means traffic that is encrypted in this same Security Gateway by IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access.. This field does not apply to traffic that was encrypted prior to arriving to this Security Gateway. This type of traffic can be matched using the "IPSec" service. For further explanation on how to use this check box for prioritizing VPN traffic over non-VPN, see Example of a Rule Matching VPN Traffic .
-
-
In the Action Properties area you can define the restrictions on bandwidth for connections to which the rule applies in the following fields:
-
Rule Weight: Enables you to define the weight of the rule. This field is checked by default and has the value defined in the Global Properties window in Defining QoS Global Properties. Leave this value as is to avoid a complete loss of bandwidth. For detailed information see Weight .
Important - 0 rate in conjunction with 0 guarantee can lead to the rule's complete loss of bandwidth. To prevent this from happening, retain some ratio in the Rule Weight. The default is 10.
-
Rule Limit: Enables you to restrict the total bandwidth consumed by the rule. For detailed information see Limits .
Note - When using weights or guarantees, the weighted fair queuing algorithm that QoS makes use of assures that no bandwidth is ever wasted. Spare bandwidth is divided among the backlogged rules. However, if you set a rule limit, it will not use spare bandwidth above this limit.
-
Rule Guarantee: Enables you to define the absolute bandwidth allocated to the rule. For detailed information see Guarantees .
Note - The number you enter for the Rule Guarantee cannot be larger than the Rule Limit.
-
-
(Optional) The following additional properties are displayed for a QoS rule with an advanced action type. You can change any of these fields:
In the Limit area:
-
Rule Limit: Enables you to restrict the total bandwidth consumed by the rule. For detailed information see Limits .
Note - When using weights or guarantees, the weighted fair queuing algorithm that QoS makes use of assures that no bandwidth is ever wasted. Spare bandwidth is divided among the backlogged rules. However, if you set a rule limit, it will not use spare bandwidth above this limit.
-
Per connection limit: Enables you to set a rule limit per connection.
Note - The number you enter for the Rule Guarantee cannot be larger than the Rule Limit.
In the Guarantee Allocation area:
-
Guarantee: Enables you to allocate a minimum bandwidth to the connections matched with a rule. For detailed information see Guarantees .
-
Per rule: Enables you to define the absolute bandwidth allocated to the rule.
Note - The number you enter for the Per rule cannot be larger than the Rule Limit.
-
Per connection: Enables you to manage the bandwidth at the connection-level.
-
Per connection guarantee: Enables you to restrict the absolute bandwidth allocated per connection.
-
Number of guaranteed connections: Enables you to allocate a minimum number of guaranteed connections.
Note - The Number of guaranteed connections multiplied by the Per connection guarantee cannot be greater than the rule limit.
-
Accept additional connections: Check this option to allow connections without per connection guarantees to pass through this rule and receive any leftover bandwidth. Enter the maximum amount of bandwidth that is allowed for this option in the text box. This only occurs if all other conditions have been met.
Note - Select a non-zero rule weight when Accept additional non-guaranteed connections is checked.
-
-
Click OK to update the QoS Action Properties for the rule.
To Reset the Rule Actions to Default Values
-
From the Rule Base select the rule you want to modify.
-
Right-click in the Action column of the selected rule and select Reset to Default. The action properties for the selected rule are reset to their default values. The default values are defined in the QoS page of the Global Properties window (see Defining QoS Global Properties).
Modifying Tracking for a Rule
You can choose whether you want to maintain a log of the entries for the selected rule. If you do want to log the entries, you also have the option of logging the entries in account format. For further information on tracking and logging, see Overview of Logging . For information on how to turn logging on, see Enabling Log Collection.
-
From the Rule Base select the rule you want to modify.
-
Right-click in the Track column of the selected rule. The menu that is displayed has the following options:
-
None. No logging is done for this connection.
-
Log. Logging is done for this connection.
-
Account. Logging for this connection is done in Accounting format.
-
-
Select the required option.
Modifying Install On for a Rule
The Install On field specifies on which interfaces of the QoS Security Gateway the rule is enforced. You can select any number of Install On objects.
|
Note -.To install a QoS Policy on a Security Gateway, make sure that:
|
To Modify Install On for a Rule
-
From the Rule Base select the rule you want to modify.
-
Right-click in the Install On column of the selected rule and select Add. The Add Interface window is displayed.
-
(Optional) Click Select Targets to select additional installable targets. The Select Installation Targets window is displayed.
-
To add any target(s) to the list of Installed Targets, select the target(s) in the Not in Installation Targets area and click Add.
The selected target(s) are added to the In Installation Targets area.
-
To remove a target(s) from the In Installation Targets area, select the target(s) and click Remove.
The selected targets are returned to the Not in Installation Targets area.
-
Click OK. The selected targets now appear in the Add Interface window.
-
Select from the list of targets in the Add Interface window:
-
A Security Gateway (and all its interfaces on which QoS is defined), or
-
An interface (in both directions), or
-
One direction of an interface
-
-
Click OK. The selected interface is added to the Install On field.
To Delete an Install On for a Rule
You can remove an interface for a rule. The rule will no longer be enforced for the interface.
-
From the Rule Base select the rule to modify.
-
Right-click on the Service of the selected rule.
-
Select Delete.
The selected object is deleted.
To View Where an Object is Used
You can view where the selected object is used.
-
From the Rule Base select the rule to modify.
-
Right-click on the Install On of the selected rule.
-
Select Where Used.
The Object References window opens showing where the selected object is used.
-
Click Close to return to the rule.
Modifying Time in a Rule
You can specify the times that the rule is enforced. You add any number of time objects to a rule.
To Modify Time in Rules
-
From the Rule Base select the rule to modify.
-
Right-click in the Time column of the selected rule.
-
Select Add.
The Add Object window opens.
-
(Optional) You can edit a time object:
-
Select the required time object and click Edit to modify a time object.
The Time Properties window opens. (Alternatively, you can double-click on an object in the Time column of the selected rule to edit it.)
-
Edit the fields in the Time Properties window, as required.
-
Click OK.
-
-
Select the required time object in the Add Object window.
The time object is added to the rule.
To Edit or Delete a Time Object for a Rule
You can edit or delete a time object in a rule using the right-click menu of the selected service.
-
From the Rule Base choose the rule to modify.
-
Right-click on the Time column of the selected rule.
-
Select one of these options:
-
Edit: The appropriate window is opened, according to the type of object selected, and you can change the object's properties. Alternatively, you can double-click on an object in the Time column of the selected rule to edit it.
-
Delete: The selected object is deleted. If you delete the last time object in the rule it is replaced by Any.
-
To View Where an Object is Used
You can view where the selected object is used (in queries, active policies, and so on).
-
From the Rule Base select the rule to modify.
-
Right-click on the Service of the selected rule.
-
Select Where Used.
The Object References window opens showing you where the selected object is used (in queries, active policies, and so on).
-
Click Close to return to the rule.
Adding Comments to a Rule
You can add a comment to a rule.
To Add Comments to Rules
-
From the Rule Base select the rule to modify.
-
Right-click in the Comment column of the selected rule.
-
Select Edit.
The Comment window opens. You can also open this window by double-clicking in the Comment column of the selected rule.
-
Type relevant comments in the text box.
-
Click OK.
The comment is added to the rule.
Defining Sub-Rules
Sub-rules are rules that allocate bandwidth more specifically within a rule. For example, consider the rule shown in the figure below.
The bandwidth allocated to the ABC_VPN rule is further allocated among the sub-rules ABC_VPN_ERP through Default under ABC_VPN.
To Define Sub-Rules
-
Select the rule under which the sub-rule is to be defined.
-
Right-click in the Rule Name column.
-
Select Add Sub-Rule from the menu.
The Rule Name window is displayed.
-
Enter the sub-rule name and click OK. The new sub-rule together with a default sub‑rule is automatically created, under the rule selected in 1 above, using the default values defined.
-
You may modify the sub-rules by following the same procedures for editing rules described in Working with QoS Policies.
-
Add new sub-rules by following the same procedures for creating rules described in Working with QoS Policies
Viewing Sub-Rules
The sub-rules under a main rule can be seen by expanding the rule in the QoS Rule Tree. To view sub-rules in the Rule Base, click one of the sub-rules in the relevant main rule. The Rule Base shows all the sub-rules for that rule.
Working with Differentiated Services (DiffServ)
A DiffServ rule specifies not only a QoS Class, but also a weight, in the same way that other QoS Policy Rules do. These weights are enforced only on the interfaces on which the rule is installed.
For more on DiffServ, see: Differentiated Services (DiffServ).
Defining a DiffServ Class of Service
To define a DiffServ class of service:
-
From the SmartDashboard menu, select Manage > QoS > QoS Classes.
-
In the QoS Classes window, click New > DiffServ Class of Service.
-
In the Class of Service Properties window, configure these settings:
-
Name - The name of the Class of Service.
-
Comment - The text to be displayed when this class is selected in the QoS Classes window.
-
Color - Select a color from the list.
-
Type - Select a type from the list. You may select a predefined or user defined class.
-
DiffServ code - This is a read-only field that displays the DiffServ marking as a bitmap.
-
-
Click OK.
Defining a DiffServ Class of Service Group
To define a DiffServ class of service group:
-
In SmartDashboard, click Manage > QoS > QoS Classes.
-
In the QoS Classes window, click New > DiffServ Class of Service Group.
-
In the Group Properties configure these properties:
-
Name - The name of the group.
-
Comment -The text to be displayed when this class is selected in the QoS Classes window.
-
Color - Select a color from the list.
-
To add a DiffServ class to the group, double-click a class in the list in the Not in Group list.
-
To delete a class from the group, double-click a class In Group list.
-
-
Click OK.
Configuring an Interface for DiffServ
Use these procedures to configure interfaces and to add a DiffServ class to an interface.
To configure interface for DiffServ:
-
In SmartConsole, go to Gateways & Servers.
-
Double-click the applicable Security Gateway.
-
In the Check Point Gateway window, click Network Management.
-
Double-click the applicable interface.
-
In the Interface window, click the QoS tab.
-
In the Diffserv and Low Latency classes section, click Add > DiffServ Classes > Others.
-
Select Inbound Active and/or Outbound Active and set the Rate properties.
-
In the Object Editor window, select a QoS Class from the list.
-
Select and configure these parameters for Inbound and/or Outbound traffic:
-
Guaranteed bandwidth -The bandwidth guaranteed marked for priority.
IMPORTANT: Make sure you do not exceed the guaranteed bandwidth.
-
Bandwidth Limit - The maximum bandwidth for this class.
Traffic volume greater than the Bandwidth Limit is marked for QoS priority.
Note: You must configure these properties for at least one traffic direction.
-
-
Click OK.
To add QoS Classes to the Rule Base:
-
Open SmartDashboard.
-
Do one of these actions:
-
In the Name column of a QoS rule, click the rule Add Class of Service > Above.
-
In a class header, right-click the header and then click Add Class of Service Above or Add Class of Service Below.
-
-
Select a class from the list. Click OK.
The DiffServ class header shows in the Rule Base. If this is the first defined class, the Best_Effort header shows directly below the new DiffServ class header.
-
Follow the steps in the next sections to define the class properties.
Defining Expedited Forwarding Class Properties
To define Expedited Forward class properties:
-
In the SmartDashboard Network Objects tree, double-click the applicable Security Gateway.
-
In the Gateway window, click Network Management.
-
In the Interface window, click the QoS tab.
-
In the DiffServ and Low Latency classes section, click Add or Edit.
-
Click DiffServ Classes > Expedited Forwarding.
-
Configure these properties:
-
Class: Select a Low Latency class from the list of defined classes.
-
Inbound:Define the portion of the interface's inbound capacity to be reserved.
-
Constant Bit Rate: The constant bit rate at which packets of this class will be transmitted.
-
Maximal Delay: The maximum delay that will be tolerated for packets of this class. Those packets that exceed this delay are dropped.
-
Outbound: Define the portion of the interface's outbound capacity to be reserved by defining a Constant Bit Rate and a Maximum Delay as described above.
You must configure at least one of the two directional properties (Inbound / Outbound), and you can configure both.
-
-
Click OK.
Defining DiffServ Class Properties
To define DiffServ class properties:
-
In SmartDashboard, locate the relevant Security Gateway.
-
In the Gateway Properties window, click Network Management.
-
In the Interface window, click the QoS tab.
-
In the DiffServ and Low Latency classes section, click Add or Edit.
-
Click DiffServ Classes > Others.
-
Configure these properties:
-
Class: Select a DiffServ class from the list of defined classes.
-
Inbound:Define the portion of the interface's inbound capacity to be reserved.
-
Guaranteed bandwidth: The bandwidth guaranteed to be marked with the QoS Class.
-
Bandwidth Limit: The upper limit of the bandwidth to be marked with the QoS Class. Traffic in excess of the Bandwidth Limit: will not be marked. For example, if the interface's capacity is 256MB and Bandwidth Limit to 192MB, then traffic beyond 192MB will not be marked.
-
Outbound: Define the portion of the interface's outbound capacity to be marked by defining a Guaranteed Bandwidth and a Bandwidth Limit as described above.
-
-
Click OK.
Working with Low Latency Queuing
QoS Low Latency Queuing makes it possible to define special classes of service for "delay sensitive" applications like voice and video. Rules under these classes can be used together with other rules in the QoS Policy Rule Base. Low Latency classes require you to specify the maximal delay that is tolerated and a Constant Bit Rate. QoS then guarantees that traffic matching rules of this type are forwarded within the limits of the bounded delay.
For more, see: Low Latency Queuing .
Defining a Low Latency Class
To define a Low Latency class:
-
In SmartDashboard select Manage > QoS > QoS Classes.
-
In the QoS Classes window, click New > Low Latency Class of Service.
-
In the Class of Service Properties window, configure these class properties:
-
Name - The name of the Class of Service.
-
Comment -The text to be displayed when this class is selected in the QoS Classes window.
-
Color - Select a color from the list.
-
Type - Select a type from the list.
-
-
Click OK.
Configuring an Interface for Low Latency
Use these procedures to configure interfaces to use a Low Latency or DiffServ Expedited Forwarding class.
To configure an interface for Low Latency:
-
Make sure that SmartDashboard is closed.
-
In SmartConsole, go to Gateways & Servers.
-
Double-click the applicable Security Gateway.
-
In the Check Point Gateway window, click Network Management.
-
Double-click the applicable interface.
-
In the Interface window, click the QoS tab.
-
Select Inbound Active and/or Outbound Active and set the Rate properties.
-
In the Diffserv and Low Latency classes section, click Add > Low Latency Classes.
-
In the Low Latency QoS window, select a class from the list.
-
Select Inbound Active and/or Outbound Active.
Note: You must set at least one traffic direction to Active.
-
Configure these Low Latency properties:
-
Constant Bit Rate - The constant bit rate at which packets of this class will be transmitted.
-
Maximal Delay - The maximum delay allowed for packets of this class. Packets that exceed this value are dropped.
Note: To configure an Expedited Forwarding interface to work as a DiffServ interface, set the Maximal Delay property to 99999.
-
Do these steps for each applicable interface on a Security Gateway.
Defining Low Latency Class Properties
To define Low Latency class properties:
-
In SmartDashboard, click a Gateways & Servers and double click the applicable Security Gateway.
-
In the Gateway window, click Network Management.
-
In the Interface window, click the QoS tab.
-
In the DiffServ and Low Latency classes section, click Add or Edit.
-
Click Low Latency.
-
Configure these properties:
-
Class: Select a Low Latency class from the list of defined classes.
-
Inbound:Define the portion of the interface's inbound capacity to be reserved.
-
Constant Bit Rate: The constant bit rate at which packets of this class will be transmitted.
-
Maximal Delay: The maximum delay that will be tolerated for packets of this class. Those packets that exceed this delay are dropped.
-
Outbound: Define the portion of the interface's outbound capacity to be reserved by defining a Constant Bit Rate and a Maximal Delay as described above.
You must configure at least one of the two directional properties (Inbound / Outbound), and you can configure both.
-
-
Click OK.
Viewing QoS Security Gateway Status
To see the QoS Security Gateway status, click Security Gateway in the Gateways & Servers view in SmartConsole. The status information shows on the Summary tab at the bottom of the view.
Enabling Log Collection
In order for a connection to be logged, the QoS logging flag must be turned on and the connection's matching rule must be marked with either Log or Account in the Track field of the rule. For further information on how logging features work, see Overview of Logging .
To Turn on QoS Logging
A QoS Security Gateway logs to the log if Turn on QoS Logging is checked in the Additional Logging page (under Logs and Masters) of the Properties window. By default, QoS Logging is turned on.
Confirming a Rule is logged
-
In SmartDashboard, select the rule whose connection will be logged.
-
Confirm that either Log or Account appear in the Track field.