Can ToS flags (DSCP) be forwarded across Floodgate?

[drewishus]

Hi,
I'm not a pro with the QOS stuff, but I understand most of it. I've read the CP docs and scoured the forums and am really having trouble figuring this out:
If I have devices upstream and downstream of the firewall that are marking packets, can I simply allow the markings to persist through the firewall?
By default, it appears that the answer is 'no', but I'm hoping there is an easy way to preserve markings being sent across the firewall.

Currently:
[router-a]-->(dscp packet1)-->[FW]-->(no dscp)-->[router-b]
[router-a]<--(no dscp)<--[FW]<--(dscp packet2)<--[router-b]

Desired:
[router-a]-->(dscp packet1)-->[FW]-->(dscp packet1)-->[router-b]
[router-a]<--(dscp packet2)<--[FW]<--(dscp packet2)<--[router-b]

I know I could write a rule that identifies interesting traffic and rewrites the header for me, but then we've got a bit of a management nightmare for any policy changes to ToS. Does anyone have any ideas?
Thanks!

Andrew

[Routerkid1]

no, Checkpoint can not forward these flags. Checkpoint qos can create different classes but not forward from an upstream cisco.

[Tan Da Boss]

Thanks Routerkid1 for this answer.
Do you know if the next NGX R65 VoIP will include this functionnality?

Cheers

Tan

[Tan Da Boss]

Quote:

From Check Point's documentation

Question: Should I install Check Point QoS on the external or the internal interface?
While Check Point QoS can run on both interfaces, it is highly
recommended to position Check Point QoS on the external interface only.

Has anybody already implemented QOS on internal and external interfaces?
I chatted with CP's TAC and she just told me that it might be a performance issue.
One of my customer has a firewall "between" two WANs and he has to use Diffserv on both sides of his firewall.

any feedback would be appreciated.

Thanks

Tan