Thread: ToS Markings
#15, 2007-01-30, Yasushi Kono
Re: ToS Markings

Because of lack of time I just described the steps necessary to configure a QoS rule for ToS Marking. That's the way I do it when teaching the QoS chapter in Security Administration II NGX!

Maybe I will write a Word document with all the screenshots inserted there tomorrow or the day after tomorrow. This week, I have to go to the customer's site in order to add a new Nokia box into an existing IP cluster. Piece of cake, as you all know.

Perhaps the description above is good enough to understand what I am trying to say. You could try to do the exercise in your lab!

Kind regards,
Yasushi

Lab 14: CONFIGURING QoS CLASS FOR MARKING THE TOS FIELD

Our aim is to configure a new QoS Class. You will then see that Check Point VPN-1 Pro/Power is able to mark the Type of Service field of the IP header.

1.) First of all, you have to add a new QoS Class: To accomplish this task, click on Manage -> QoS -> QoS Classes. Then configure the appropriate settings for this Class.
2.) To insert the new QoS Class you have to click on the QoS Tab of SmartDashboard. Then insert this Class by right-clicking on the Best Effort Class and choosing the option “Add Class of Service Above”.
3.) Then right-click on this QoS class in order to add a new QoS rule by choosing the Add Rule below option.
4.) Specify a particular service under the Service column. Just as a Lab, you can add FTP into the cell.

Then, you have to associate the appropriate QoS class to the interface of your Security Gateway and install the QoS policy.

To prove that Check Point is indeed able to mark the ToS field, you can capture the ftp packets with fw monitor:

fw monitor -e "accept (([12:4,b]=10.1.1.101 and [16:4,b]=172.29.109.1) or ([12:4,b]=172.29.109.1 and [16:4,b]=10.1.1.101));" -o ~/ftp_dscp.out


Finally, you have to load the output file into Ethereal. There, expand one of the FTP packets to look at the IP header information. Look at the DSCP field and you will notice that a Code Point is being inserted by Check Point.

Last edited by Yasushi Kono; 2007-01-30 at 11:48.
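The check described in the post above, as an added example that is not part of the original post: the same source/destination test as the fw monitor expression (4 bytes at offsets 12 and 16 of the IPv4 header), followed by decoding byte 1 of the header into DSCP and ECN. It assumes the raw IPv4 headers have already been extracted from the capture; the sample headers and their ToS values are constructed.

```python
import ipaddress
import struct

# Hosts taken from the fw monitor filter in the post.
HOST_A = ipaddress.IPv4Address("10.1.1.101")
HOST_B = ipaddress.IPv4Address("172.29.109.1")

def build_ipv4_header(src, dst, tos):
    """Constructed sample input: 20-byte IPv4 header, protocol TCP, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def matches_filter(hdr):
    """Same test as the filter: offset 12 is the source, offset 16 the destination,
    and the pair may appear in either direction."""
    src = ipaddress.IPv4Address(hdr[12:16])
    dst = ipaddress.IPv4Address(hdr[16:20])
    return {src, dst} == {HOST_A, HOST_B}

def decode_tos(hdr):
    """Split header byte 1 into DSCP (upper 6 bits) and ECN (lower 2 bits)."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return hdr[1] >> 2, hdr[1] & 0x03

def marked_packets(headers):
    """Return (src, dst, dscp) for filtered packets that carry a non-zero DSCP."""
    out = []
    for hdr in headers:
        if len(hdr) < 20 or not matches_filter(hdr):
            continue
        dscp, _ecn = decode_tos(hdr)
        if dscp:
            out.append((str(ipaddress.IPv4Address(hdr[12:16])),
                        str(ipaddress.IPv4Address(hdr[16:20])), dscp))
    return out

SAMPLE = [  # constructed headers, not taken from a real capture
    build_ipv4_header("10.1.1.101", "172.29.109.1", 0xB8),  # ToS 0xB8 = DSCP 46
    build_ipv4_header("172.29.109.1", "10.1.1.101", 0x00),  # unmarked return packet
    build_ipv4_header("10.1.1.50", "172.29.109.1", 0x28),   # other host, filtered out
]

if __name__ == "__main__":
    for src, dst, dscp in marked_packets(SAMPLE):
        print(f"{src} -> {dst} DSCP {dscp}")
```

A return packet with DSCP 0 next to a marked outbound packet, as in the constructed sample, shows marking applied in one direction only.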