
“Check Point QoS Tutorial” is a short tutorial describing how to define a QoS Policy.

Chapter 5, “Advanced QoS Policy Management” describes the more advanced policy management features of Check Point QoS that enable you to refine basic QoS Policies.

Chapter 6, “Managing Check Point QoS” describes how to manage QoS, including modifying and changing policies and rules.

Chapter 7, “SmartView Tracker” describes the features and tools that are available for monitoring Check Point QoS.

Chapter 8, “Command Line Interface” discusses how to work with Check Point QoS via the command line.

Chapter 9, “Check Point QoS FAQ (Frequently Asked Questions)” is a compilation of frequently asked questions and their answers.

Chapter 10, “Deploying Check Point QoS” describes how to deploy Check Point QoS and provides sample bandwidth allocations.

Table A-2 Appendix Description

Appendix A, “Debug Flags” contains a list of debugging error codes.

Related Documentation

The NGX R65 release includes the following documentation.

Table P-1 VPN-1 Power documentation suite

Title / Description

Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step-by-step product installation and upgrade procedures. This document also provides information about What’s New, licenses, minimum hardware and software requirements, etc.

Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.

SmartCenter Administration Guide: Explains SmartCenter management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.

Firewall and SmartDefense Administration Guide: Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; and secure VoIP traffic.

Virtual Private Networks: This guide describes the basic components of a

Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.

SecurePlatform™/SecurePlatform Pro Administration Guide: Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.

Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

Table P-2 Integrity Server documentation

Title / Description

Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.

Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.

Integrity Advanced Server Administrator Guide: Explains how to manage administrators and endpoint security with Integrity Advanced Server.

Integrity Advanced Server Gateway Integration Guide: Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.

Integrity Advanced Server System Requirements: Provides information about client and server requirements.

Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.

Integrity XML Policy Reference Guide: Provides the contents of Integrity client XML policy files.

Integrity Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.

More Information

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/.

See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]


Chapter 1

Overview

In This Chapter

What is Quality of Service page 18

Internet Bandwidth Management Technologies page 19

How Does Check Point Deliver QoS page 21

Features and Benefits page 23

Traditional Check Point QoS vs. Check Point QoS Express page 24

Workflow page 26

What is Quality of Service

Quality of Service is a set of intelligent network protocols and services that are used to efficiently manage the movement of information through local or wide area networks. QoS services sort and classify flows into different traffic classes, and allocate resources to network traffic flows based on user or application ID, source or destination IP address, time of day, application-specific parameters, and other user-specified variables.

Fundamentally, QoS enables you to provide better service to certain flows. This is done by either raising the priority of a flow or limiting the priority of another flow.

Internet Bandwidth Management Technologies

When you connect your network to the Internet, it is most important to make efficient use of the available bandwidth. An effective bandwidth management policy ensures that even at times of network congestion, bandwidth is allocated in accordance with enterprise priorities.

In the past, network bandwidth problems have been addressed either by adding more bandwidth (an expensive and usually short term “solution”) or by router queuing, which is ineffective for complex modern Internet protocols.

Superior QoS Solution Requirements

In order to provide effective bandwidth management, a bandwidth management tool must track and control the flow of communication passing through, based on information derived from all communication layers and from other applications.

An effective bandwidth management tool must address all of the following issues:

• Fair Prioritization

It is not sufficient to simply prioritize communications, for example, to specify a higher priority for HTTP than for SMTP. The result may well be that all bandwidth resources are allocated to one service and none to another. A bandwidth management tool must be able to divide the available resources so that more important services are allocated more bandwidth, but all services are allocated some bandwidth.

• Minimum Bandwidth


A bandwidth management tool must be able to guarantee a service’s minimum required bandwidth. It must also be able to allocate bandwidth preferentially, for example, to move a company’s video conference to the “head of the line” in preference to all other internet traffic.

• Classification

A bandwidth management tool must be able to accurately classify communications. However, simply examining a packet in isolation does not provide all the information needed to make an informed decision. State information, derived from past communications and other applications, is also required. A packet’s contents, the communication state and the application state (derived from other applications) must all be considered when making control decisions.

Benefits of a Policy-Based Solution

Based on the principles discussed in the previous section, there are basically three ways to improve the existing best-effort service that enterprise networks and ISPs deliver today:

• Add more bandwidth to the network.

• Prioritize network traffic at the edges of the network.

• Guarantee QoS by enforcing a set of policies that are based on business priorities (policy-based network management) throughout the network.

Of these, only policy-based network management provides a comprehensive QoS solution by:

• Using policies to determine the level of service that applications or customers need.

• Prioritizing network requests.

How Does Check Point Deliver QoS

Check Point QoS (previously called FloodGate-1), a policy-based QoS management solution from Check Point Software Technologies Ltd., satisfies your needs for a bandwidth management solution. Check Point QoS is a unique, software-only based application that manages traffic end-to-end across networks, by distributing enforcement throughout network hardware and software.

Check Point QoS enables you to prioritize business-critical traffic, such as ERP, database and Web services traffic, over less time-critical traffic. Check Point QoS allows you to guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing. With highly granular controls, Check Point QoS also enables guaranteed or priority access to specific employees, even if they are remotely accessing network resources through a VPN tunnel.

Check Point QoS is deployed with VPN-1® Pro. These integrated solutions provide QoS for both VPN and unencrypted traffic to maximize the benefit of a secure, reliable, low-cost VPN network.

Figure 1-1 Check Point QoS Deployment

Check Point QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check Point-patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic. This state information is used to classify traffic by service or application. After a packet has been classified, Check Point QoS applies QoS to the packet by means of an innovative, hierarchical, Weighted Fair Queuing (WFQ) algorithm to precisely control bandwidth allocation.

Features and Benefits

Check Point QoS provides the following features and benefits:

• Flexible QoS policies with weights, limits and guarantees: Check Point QoS enables you to develop basic policies specific to your requirements. These basic policies can be modified at any time to incorporate any of the Advanced Check Point QoS features described in this section.

• Integration with VPN-1 Power or VPN-1 Net: Optimize network performance for VPN and unencrypted traffic: The integration of an organization’s security and bandwidth management policies enables easier policy definition and system configuration.

• Performance analysis through SmartView Tracker: monitor the performance of your system by means of log entries recorded in SmartView Tracker.

• Integrated DiffServ support: add one or more Diffserv Classes of Service to the QoS Policy Rule Base.

• Integrated Low Latency Queuing: define special classes of service for “delay sensitive” applications like voice and video to the QoS Policy Rule Base.

• Integrated Authenticated QoS: provide QoS for end-users in dynamic IP environments, such as remote access and DHCP environments.

• Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA protocol.

• No need to deploy separate VPN, Firewall and QoS devices: Check Point QoS and VPN-1 Power share a similar architecture and many core technology components, therefore users can utilize the same user-defined network objects in both solutions.

• Proactive management of network costs: Check Point QoS’s monitoring systems enable you to be proactive in managing your network and thus controlling network costs.

• Support for end-to-end QoS for IP networks: Check Point QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.

Traditional Check Point QoS vs. Check Point QoS Express

Both Traditional and Express modes of Check Point QoS are included in every product installation. Express mode enables you to define basic policies quickly and easily and thus “get up and running” without delay. Traditional mode incorporates the more advanced features of Check Point QoS.

You can choose either Traditional or Express mode each time you install a new policy.

Table 1-1 shows a comparative table of the features of the Traditional and Express modes of Check Point QoS.

Table 1-1 Check Point QoS Traditional Features vs. Check Point QoS Express Features

Feature                                             Traditional   Express   For more information
Weights                                             *             *         “Weight” on page 45
Limits (whole rule)                                 *             *         “Limits” on page 46
Guarantees (whole rule)                             *             *         “Guarantees” on page 46
Authenticated QoS                                   *                       “Authenticated QoS” on page 103
Logging                                             *             *         “Overview of Logging” on page 170
Accounting                                          *             *
Supported by VPN-1 UTM Edge Gateways                              *         Check Point VPN-1 UTM Edge
LLQ (controlling packet delay in Check Point QoS)   *                       “Low Latency Queuing” on page 95
DiffServ                                            *                       “Differentiated Services (DiffServ)” on page 93
Sub-rules                                           *
Matching by URI resources                           *
Matching by DNS string                              *
TCP Retransmission                                  *

Workflow

The following workflow shows both the basic and advanced steps that the System Administrator may follow in the installation, setup and operational procedures of Check Point QoS:

Figure 1-2 Workflow Steps

1. Verify that Check Point QoS is installed on top of VPN-1 Pro or VPN-1 Net.

2. Start SmartDashboard. See “Step 2: Starting SmartDashboard” on page 57.

3. Define the Global Properties of Check Point QoS. See “Defining QoS Global Properties” on page 112.

4. Define the Check Point Gateway’s Network Objects. See the SmartCenter Administration Guide.

5. Set up the basic rules and sub-rules governing the allocation of QoS flows on the network. See “Editing QoS Rule Bases” on page 118. After the basic rules have been defined, you may modify these rules to add any of the more advanced features described in step 8.

6. Implement the Rule Base. See “Implementing the Rule Base” on page 51.


• Define Authenticated QoS. See “Working with Authenticated QoS” on page 153

• Define Citrix ICA Applications. See “Managing QoS for Citrix ICA Applications” on page 155.


Chapter 2

Introduction to Check Point QoS

In This Chapter

Check Point QoS’s Innovative Technology page 30

Check Point QoS Architecture page 33

Interaction with VPN-1 Pro and VPN-1 Net page 39

Check Point QoS’s Innovative Technology

FloodGate-1 is a bandwidth management solution for Internet and Intranet gateways that enables network administrators to set bandwidth policies to solve or alleviate network problems like bandwidth congestion at network access points.

The overall mix of traffic is dynamically controlled by managing bandwidth usage for entire classes of traffic, as well as individual connections. FloodGate-1 controls both inbound and outbound traffic flows.

Network traffic can be classified by Internet service, source or destination IP address, Internet resource (for example, specific URL designators), user or traffic direction (inbound or outbound). A Check Point QoS Policy consists of rules that specify the weights, limits and guarantees that are applied to the different classifications of traffic.

A rule can have multiple sub-rules, enabling an administrator to define highly granular Bandwidth Policies.

FloodGate-1 provides its real benefits when the network lines become congested.

Instead of allowing all traffic to flow arbitrarily, FloodGate-1 ensures that important traffic takes precedence over less important traffic so that the enterprise can continue to function with minimum disruption, despite network congestion.

FloodGate-1 ensures that an enterprise can make the most efficient use of a congested network.

FloodGate-1 is completely transparent to both users and applications.

FloodGate-1 implements four innovative technologies:

• Stateful Inspection: FloodGate-1 incorporates Check Point’s patented Stateful Inspection technology to derive complete state and context information for all network traffic.

• Intelligent Queuing Engine: This traffic information derived by the Stateful

• RDED (Retransmission Detection Early Drop): FloodGate-1 makes use of RDED, a mechanism for reducing the number of retransmits and retransmit storms.

This Check Point mechanism drastically reduces retransmit counts, greatly improving the efficiency of the enterprise’s existing lines. The increased bandwidth that FloodGate-1 makes available to important applications comes at the expense of less important (or completely unimportant) applications. As a result, purchasing more bandwidth can be significantly delayed.

Technology Overview

FloodGate-1’s four innovative technologies are discussed in more detail in this section.

Stateful Inspection

Employing Stateful Inspection technology, FloodGate-1 accesses and analyzes data derived from all communication layers. This state and context data is stored and updated dynamically, providing virtual session information for tracking both connection-oriented and connectionless protocols (for example, UDP-based applications). Cumulative data from the communication and application states, network configuration and bandwidth allocation rules are used to classify communications.

Stateful Inspection enables FloodGate-1 to parse URLs and set priority levels based on file types. For example, FloodGate-1 can identify HTTP file downloads with *.exe or *.zip extensions and allocate bandwidth accordingly.

Intelligent Queuing Engine

FloodGate-1 uses an enhanced WFQ algorithm to manage bandwidth allocation. A FloodGate-1 packet scheduler moves packets through a dynamically changing scheduling tree at different rates in accordance with the QoS Policy. High priority packets move through the scheduling tree more quickly than low priority packets.

Check Point QoS leverages TCP’s throttling mechanism to automatically adjust bandwidth consumption per individual connection or class of traffic. Traffic bursts are delayed and smoothed by FloodGate-1’s packet scheduler, holding back the traffic and forcing the application to fit the traffic to the QoS Policy. By intelligently delaying traffic, the IQ Engine effectively controls the bandwidth of all IP traffic.

The preemptive IQ Engine responds immediately to changing traffic conditions and guarantees that high priority traffic always takes precedence over low priority traffic. Accurate bandwidth allocation is achieved even when there are large differences in the weighted priorities (for example 50:1). In addition, since packets are always available for immediate transmission, the IQ Engine provides precise bandwidth control for both inbound and outbound traffic, and ensures 100% bandwidth utilization during periods of congestion. In Traditional mode it also uses per-connection queuing to ensure that every connection receives its fair share of bandwidth.
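To make the scheduling behaviour concrete, here is a small weighted fair queuing simulation. It is an added example written for this page, not Check Point code, and it models only a single-level scheduler in the backlogged case described above (every flow always has a packet waiting, so the link is congested); the flow names, weights, packet sizes and the `wfq`/`strict_priority`/`make_flows` helpers are constructed for illustration. It shows both the point made under “Fair Prioritization” (strict priority gives the weight-1 flow nothing at all) and the IQ Engine claim that shares stay proportional to weight even at a 50:1 ratio, with the low-weight flow still receiving bandwidth.

```python
"""Weighted fair queuing vs. strict priority under congestion.

Added example, not Check Point's implementation: a flat (non-hierarchical)
WFQ scheduler over permanently backlogged flows.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Flow:
    name: str
    weight: int                 # QoS rule weight: relative share under congestion
    packets: deque              # queued packet sizes in bytes, oldest first
    finish_tag: float = 0.0     # virtual finish time of the last packet served
    sent: int = 0               # bytes transmitted so far


def make_flows(spec, packet_size=1000, backlog=1000):
    """Constructed input: spec maps flow name -> weight; every flow starts
    with `backlog` packets queued, i.e. it is always ready to transmit."""
    return [Flow(name, weight, deque([packet_size] * backlog))
            for name, weight in spec.items()]


def wfq(flows, link_bytes):
    """Transmit `link_bytes` using weighted fair queuing.

    Because every flow stays backlogged, a packet's virtual finish tag is the
    flow's previous tag plus size / weight; the scheduler always sends the
    head-of-line packet with the smallest tag.  A flow of weight w therefore
    advances once for every w bytes the weight-1 flow advances, so bandwidth
    is shared in proportion to weight and no flow is ever starved.
    """
    sent = 0
    while sent < link_bytes:
        ready = [f for f in flows if f.packets]
        if not ready:
            break
        nxt = min(ready, key=lambda f: f.finish_tag + f.packets[0] / f.weight)
        size = nxt.packets.popleft()
        nxt.finish_tag += size / nxt.weight
        nxt.sent += size
        sent += size
    return {f.name: f.sent for f in flows}


def strict_priority(flows, link_bytes):
    """What 'simply prioritising' does: drain the highest-weight flow first.
    While it stays backlogged, lower-weight flows get nothing."""
    sent = 0
    for f in sorted(flows, key=lambda f: -f.weight):
        while f.packets and sent < link_bytes:
            size = f.packets.popleft()
            f.sent += size
            sent += size
    return {f.name: f.sent for f in flows}


if __name__ == "__main__":
    print("WFQ 3:2:1   ", wfq(make_flows({"http": 3, "smtp": 2, "ftp": 1}), 60_000))
    print("WFQ 50:1    ", wfq(make_flows({"erp": 50, "bulk": 1}), 51_000))
    print("Strict 50:1 ", strict_priority(make_flows({"erp": 50, "bulk": 1}), 51_000))
```

With weights 3:2:1 and 60 KB of link capacity the three flows receive exactly 30, 20 and 10 KB; with weights 50:1 the `bulk` flow still gets one packet in every 51, whereas strict priority hands all 51 KB to `erp`. Real packet sizes differ per flow, which is why the tag uses size / weight rather than a packet count.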

WFRED (Weighted Flow Random Early Drop)

WFRED is a mechanism for managing the packet buffers of FloodGate-1. WFRED does not need any preconfiguring. It adjusts automatically and dynamically to the situation and is transparent to the user.

Because the connection of a LAN to the WAN creates a bottleneck, packets that arrive from the LAN are queued before being retransmitted to the WAN. When traffic in the LAN is very intense, queues may become full and packets may be dropped arbitrarily. Dropped packets may reduce the throughput of TCP connections, and the quality of streaming media.

WFRED prevents FloodGate-1’s buffers from being filled by sensing when traffic becomes intense and dropping packets selectively. The mechanism considers every connection separately, and drops packets according to the connection characteristics and overall state of the buffer.

Unlike mechanisms such as RED/WRED, which rely on the TOS byte in the IP header (which is seldom used), WFRED queries FloodGate-1 as to the priority of the connection, and then uses this information. WFRED protects “fragile” connections from more “aggressive” ones, whether they are TCP or UDP, and always leaves some buffer space for new connections to open.
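The following is an added example in the spirit of the WFRED description above; it is not Check Point’s algorithm, and the LOW/HIGH watermarks, the “hogging” factor, the drop-probability formula and the `offer`/`drain` interface are all assumptions made for illustration. It queues a high-rate, low-weight connection next to a low-rate, high-weight one in front of a bottleneck link and drops early based on buffer occupancy, each connection’s share of the buffer and its priority weight, while refusing already-seen connections near the top of the buffer so that a connection never seen before can still open.

```python
"""Per-connection weighted early drop, illustrating the WFRED idea.

Added example, not Check Point's implementation; thresholds and the drop
probability are assumptions chosen for this demonstration.
"""
import random
from collections import defaultdict, deque


class WeightedEarlyDropBuffer:
    """Fixed-size packet buffer in front of a bottleneck (LAN -> WAN) link.

    Assumed policy:
      * occupancy below LOW: accept everything;
      * between LOW and HIGH: drop with a probability that grows with
        occupancy, grows with the connection's share of the buffer
        ("aggressive" connections) and shrinks with its priority weight
        ("fragile" / high-priority connections);
      * at or above HIGH: packets of already-seen connections are refused,
        so the remaining space stays free for new connections to open.
    """
    LOW, HIGH = 0.4, 0.9

    def __init__(self, capacity, rng=None):
        self.capacity = capacity
        self.used = 0
        self.queue = deque()                 # (conn_id, size), oldest first
        self.per_conn = defaultdict(int)     # bytes currently buffered per connection
        self.seen = set()                    # connections that have offered a packet before
        self.drops = defaultdict(int)        # dropped packets per connection
        self.rng = rng or random.Random(0)

    def drop_probability(self, conn_id, weight):
        occ = self.used / self.capacity
        if occ < self.LOW:
            return 0.0
        if occ >= self.HIGH:
            return 1.0
        base = (occ - self.LOW) / (self.HIGH - self.LOW)   # 0 at LOW .. 1 at HIGH
        active = len(self.per_conn) or 1
        share = self.per_conn.get(conn_id, 0) / self.used if self.used else 0.0
        hogging = max(share * active, 0.1)                 # 1.0 == exactly a fair share
        return min(1.0, base * hogging / weight)

    def offer(self, conn_id, weight, size):
        """Offer one packet; return True if queued, False if dropped."""
        if self.used + size > self.capacity:               # physically full
            self.drops[conn_id] += 1
            return False
        is_new = conn_id not in self.seen
        self.seen.add(conn_id)
        if not is_new and self.rng.random() < self.drop_probability(conn_id, weight):
            self.drops[conn_id] += 1
            return False
        self.queue.append((conn_id, size))
        self.used += size
        self.per_conn[conn_id] += size
        return True

    def drain(self, nbytes):
        """Transmit up to nbytes from the head of the queue (the link's service)."""
        while self.queue and self.queue[0][1] <= nbytes:
            conn_id, size = self.queue.popleft()
            nbytes -= size
            self.used -= size
            self.per_conn[conn_id] -= size
            if self.per_conn[conn_id] == 0:
                del self.per_conn[conn_id]


def simulate(seed=0, ticks=200, packet=1000):
    """Constructed traffic: 'bulk' blasts 10 packets per tick at weight 1,
    'voip' sends 1 packet per tick at weight 5, and the link carries only
    6 packets per tick, so the buffer is permanently under pressure."""
    buf = WeightedEarlyDropBuffer(capacity=100 * packet, rng=random.Random(seed))
    for _ in range(ticks):
        for _ in range(10):
            buf.offer("bulk", weight=1, size=packet)
        buf.offer("voip", weight=5, size=packet)
        buf.drain(6 * packet)
    return dict(buf.drops)


if __name__ == "__main__":
    print(simulate())   # nearly all drops land on 'bulk', very few on 'voip'
```

Because the drop decision is made per connection from its own share of the buffer and its weight, the aggressive `bulk` sender absorbs almost all the loss while the fragile `voip` connection passes nearly untouched; a plain RED that looks only at total occupancy would drop both in proportion to their arrival rates, i.e. mostly the packets the policy cares about least only by accident.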

RDED (Retransmit Detect Early Drop)

TCP exhibits extreme inefficiency under certain bandwidth and latency conditions.

Check Point QoS Architecture

Basic Architecture

The architecture and flow control of Check Point QoS are similar to those of the Firewall.

Check Point QoS has three components:

• SmartConsole

• SmartCenter Server

• Module

The components can be installed on one machine or in a distributed configuration on a number of machines.