CPUG: The Check Point User Group


Thread: Checkpoint QoS on Vlan interface

#1 karfera

    Hi everybody,

    I have an R77.20 GAIA Checkpoint appliance on which I would like to enable a QoS policy.

    My goal is to enable it on one subinterface. For example, on the FW eth2 is divided into 3 subinterfaces: eth2.32, eth2.33, eth2.34.


    eth2 is directly connected to an external router via a 10 Mbps link.


    I would like to restrict traffic on subinterface eth2.32 on a TCP port (for example 788) to maximum 512 Kbps.

    I can't find out how to do it correctly.

    Please, do you have some advice?

    Thanks

#2 ShadowPeak.com

    (quoting karfera's post #1 above)

    As you've noticed, you are not able to directly specify a QoS rule to be assigned to a particular interface. The QoS policy is enforced across all interfaces that have "Inbound Active" and/or "Outbound Active" checked in the QoS tab of their topology settings. So in your QoS policy you can definitely use TCP port 788 as a discriminator in the Service field, but if Source and Destination are Any in the rule it could potentially apply to that port on any interface with QoS enabled presently or in the future.

    Since you can't specify the interface directly, is there a possibility of using the source IP addresses/networks behind that interface as an additional discriminator in your QoS policy rule for inbound enforcement, or using the destination IP addresses/networks on that network in the Destination of your QoS rule for outbound enforcement? Combining one or both of those with the Service field set to 788 should only enforce that QoS rule for traffic when it is crossing the desired interface. That setup should indirectly do what you want.

    This is a situation where Security Zones would come in very handy assuming you were allowed to leverage them in a QoS policy. Just associate the subinterface with a Security Zone, reference the Security Zone in the QoS policy rule and it would meet your needs exactly without having to mess around with IP addresses. Not currently possible on Check Point but all I can say for now is to be patient...

#3 karfera

    (quoting ShadowPeak.com's post #2 above)


    Thank you for your answer!!

    I noticed that I can't specify the interface or subinterface in my QoS rule base.

    Behind eth2.32, I can have a source network (for instance 10.10.10.0/24) even if more networks are behind this interface. Then in my rule base I will define 10.10.10.0/24 as source.
    Behind another interface (let's say eth5) I can have a server with IP address 2.2.1.1. Then in my rule base I will define 2.2.1.1 as destination.
    Service will be TCP 788.

    In my opinion I would then apply QoS only on eth2.32 and only "Inbound Active".
    In this rule I could add a bandwidth rule limit of 1 Mbps during business hours.

    Correct?
    But I have another question:
    What bandwidth rate would I have to put on eth2.32? Eth2 bandwidth 10 Mbps?


    Best Regards

#4 ShadowPeak.com

    Quote Originally Posted by karfera View Post
    In my opinion I would then apply QoS only on eth2.32 and only "Inbound Active".
    In this rule I could add a bandwidth rule limit of 1 Mbps during business hours.

    Correct?
    Yep that should work.

    But I have another question:
    What bandwidth rate would I have to put on eth2.32? Eth2 bandwidth 10 Mbps?


    Best Regards
    The bandwidth limit for the interface should probably be set to the actual link speed of the eth2 leading physical interface, unless that interface leads to another network or circuit that is lower speed. So for example if the line speed of eth2 is 1 gigabit, but further back behind eth2 everything is forced through a 100Mbps link you would set the QoS speed to 100Mbps on the firewall. The QoS speed settings are mainly to ensure that the WFQ algorithm is divvying up the correct amount of bandwidth when applying weights, and to ensure that the line is not being oversubscribed with an excessive amount of guaranteed bandwidth. The QoS interface speed doesn't really affect limits like the one you are applying unless it is set way too low below the value of the limit itself.
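
    As an added illustration (written for this page; it is not Check Point code and configures nothing), here is a small Python model of the two points made in posts #2 and #4: a QoS rule base has no interface column, so a rule is scoped to eth2.32 only indirectly through its Source/Destination networks, and the interface rate governs guarantees but only interferes with a Limit when it is set below the limit. The class names, the shaping_rule() and rate_problems() functions, and the what-if of QoS later being switched on for eth5 are assumptions made for the example; the networks, ports and speeds are the ones from the thread.

```python
"""Model of a QoS rule base that cannot name an interface (added example for this
page, not Check Point code). Class/function names and the eth5 what-if are assumed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

KBPS = 1_000      # bits per second per kilobit
MBPS = 1_000_000

@dataclass
class Interface:
    name: str
    rate_bps: int                  # "rate" in the interface's QoS topology tab
    inbound_active: bool = False   # "Inbound Active" checkbox
    outbound_active: bool = False  # "Outbound Active" checkbox

@dataclass
class Rule:
    name: str
    src: list[IPv4Network]               # empty list = Any
    dst: list[IPv4Network]               # empty list = Any
    service: Optional[tuple[str, int]]   # ("tcp", 788); None = Any
    limit_bps: Optional[int] = None
    guarantee_bps: Optional[int] = None

@dataclass
class Flow:
    src_ip: IPv4Address
    dst_ip: IPv4Address
    proto: str
    dport: int
    ifname: str      # interface the packet crosses
    direction: str   # "inbound" = entering the gateway, "outbound" = leaving it

def _matches(ip: IPv4Address, nets: list[IPv4Network]) -> bool:
    return not nets or any(ip in n for n in nets)

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_matches(flow.src_ip, rule.src)
            and _matches(flow.dst_ip, rule.dst)
            and (rule.service is None or rule.service == (flow.proto, flow.dport)))

def shaping_rule(ifaces: dict[str, Interface], rules: list[Rule], flow: Flow) -> Optional[str]:
    """Name of the first rule that would shape this flow, or None when QoS is not
    active for that interface/direction or nothing matches. The interface only
    decides whether QoS runs at all; the rule base never sees its name."""
    iface = ifaces[flow.ifname]
    active = iface.inbound_active if flow.direction == "inbound" else iface.outbound_active
    if not active:
        return None
    return next((r.name for r in rules if rule_matches(r, flow)), None)

def rate_problems(ifaces: dict[str, Interface], rules: list[Rule]) -> list[str]:
    """Post #4's two checks: guarantees must not oversubscribe an interface's rate,
    and a limit only misbehaves when the interface rate is set below it."""
    problems = []
    total_guarantee = sum(r.guarantee_bps or 0 for r in rules)
    for i in ifaces.values():
        if not (i.inbound_active or i.outbound_active):
            continue
        if total_guarantee > i.rate_bps:
            problems.append(f"{i.name}: guarantees {total_guarantee} b/s exceed rate {i.rate_bps} b/s")
        for r in rules:
            if r.limit_bps and r.limit_bps > i.rate_bps:
                problems.append(f"{i.name}: limit of rule {r.name!r} exceeds rate {i.rate_bps} b/s")
    return problems

# --- constructed scenario from the thread (not a captured configuration) ---
def interfaces(eth2_32_rate: int = 10 * MBPS) -> dict[str, Interface]:
    return {
        "eth2.32": Interface("eth2.32", eth2_32_rate, inbound_active=True),
        "eth2.33": Interface("eth2.33", 10 * MBPS),                     # QoS not enabled
        "eth5":    Interface("eth5", 1000 * MBPS, inbound_active=True),  # assumed: enabled later
    }

SCOPED = Rule("lim-788", [ip_network("10.10.10.0/24")], [ip_network("2.2.1.1/32")],
              ("tcp", 788), limit_bps=512 * KBPS)
ANY_ANY = Rule("lim-788-any", [], [], ("tcp", 788), limit_bps=512 * KBPS)

def demo() -> dict[str, Optional[str]]:
    ifs = interfaces()
    via_eth2_32 = Flow(ip_address("10.10.10.5"), ip_address("2.2.1.1"), "tcp", 788, "eth2.32", "inbound")
    via_eth2_33 = Flow(ip_address("10.10.10.5"), ip_address("2.2.1.1"), "tcp", 788, "eth2.33", "inbound")
    via_eth5    = Flow(ip_address("2.2.1.50"), ip_address("10.10.10.20"), "tcp", 788, "eth5", "inbound")
    return {
        "scoped/eth2.32": shaping_rule(ifs, [SCOPED], via_eth2_32),  # 'lim-788'
        "scoped/eth2.33": shaping_rule(ifs, [SCOPED], via_eth2_33),  # None: QoS not active there
        "scoped/eth5":    shaping_rule(ifs, [SCOPED], via_eth5),     # None: networks don't match
        "any/eth5":       shaping_rule(ifs, [ANY_ANY], via_eth5),    # 'lim-788-any': the leak
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} -> {v}")
    print(rate_problems(interfaces(), [SCOPED]))                         # []
    print(rate_problems(interfaces(eth2_32_rate=256 * KBPS), [SCOPED]))  # limit above rate
```

    Run it directly to see which rule catches each constructed flow: the scoped rule shapes port 788 only where it enters on eth2.32 from 10.10.10.0/24 towards 2.2.1.1, while the Any/Any variant would also shape port-788 traffic entering any other interface on which QoS is ever enabled. The second rate_problems() call is the one case from post #4 where the interface rate interferes with a limit: the rate set below the limit itself.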

#5 karfera

    Thank you so much!!!
    I'll give that a try and let you know.

    Best regards
