Document information
Check Point QoS
Administration Guide
Version NGX R65
700726 March 2007
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point
Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement,
Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1,
FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless
Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management,
Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer,
SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro,
SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering,
TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI,
VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web
Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router,
Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check
Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The
products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by
other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
Contents
Preface
Who Should Use This Guide
Summary of Contents
Appendices
Related Documentation
More Information
Feedback
Chapter 1 Overview
What is Quality of Service
Internet Bandwidth Management Technologies
Overview
Superior QoS Solution Requirements
Benefits of a Policy-Based Solution
How Does Check Point Deliver QoS
Features and Benefits
Traditional Check Point QoS vs. Check Point QoS Express
Workflow
Chapter 2 Introduction to Check Point QoS
Check Point QoS’s Innovative Technology
Technology Overview
Check Point QoS Architecture
Basic Architecture
Check Point QoS Configuration
Concurrent Sessions
Interaction with VPN-1 Pro and VPN-1 Net
Interoperability
Chapter 3 Basic QoS Policy Management
Overview
Rule Base Management
Overview
Connection Classification
Network Objects
Services and Resources
Time Objects
Bandwidth Allocation and Rules
Default Rule
QoS Action Properties
Example of a Rule Matching VPN Traffic
Bandwidth Allocation and Sub-Rules
Implementing the Rule Base
To Verify and View the QoS Policy
To Install and Enforce the Policy
To Uninstall the QoS Policy
To Monitor the QoS Policy
Chapter 4 Check Point QoS Tutorial
Introduction
Building and Installing a QoS Policy
Step 1: Installing Check Point Modules
Step 2: Starting SmartDashboard
To Start SmartDashboard
Step 3: Determining QoS Policy
Step 4: Defining the Network Objects
To Define the Gateway London
To Define the Interfaces on Gateway London
To Define the QoS Properties for the Interfaces on Gateway London
Step 5: Defining the Services
Step 6: Creating a Rule Base
To Create a New Policy Package
To Create New Rules
To Modify New Rules
Step 7: Installing a QoS Policy
Conclusion
Chapter 5 Advanced QoS Policy Management
Overview
Examples: Guarantees and Limits
Per Rule Guarantees
Per Connections Guarantees
Limits
Guarantee - Limit Interaction
Differentiated Services (DiffServ)
Overview
DiffServ Markings for IPSec Packets
Interaction Between DiffServ Rules and Other Rules
Low Latency Queuing
Overview
Low Latency Classes
Interaction between Low Latency and Other Rule Properties
When to Use Low Latency Queuing
Low Latency versus DiffServ
Authenticated QoS
Citrix MetaFrame Support
Overview
Limitations
Load Sharing
Overview
Check Point QoS Cluster Infrastructure
Chapter 6 Managing Check Point QoS
Defining QoS Global Properties
To Modify the QoS Global Properties
Specifying Interface QoS Properties
To Define the Interface QoS Properties
Editing QoS Rule Bases
To Create a New Policy Package
To Open an Existing Policy Package
To Add a Rule
To Rename a Rule
To Copy, Cut or Paste a Rule
To Delete a Rule
Modifying Rules
Modifying Sources in a Rule
Modifying Destinations in a Rule
Modifying Services in a Rule
Modifying Rule Actions
Modifying Tracking for a Rule
Modifying Install On for a Rule
Modifying Time in a Rule
Adding Comments to a Rule
Defining Sub-Rules
Working with Differentiated Services (DiffServ)
To Define a DiffServ Class of Service
To Define a DiffServ Class of Service Group
To Add QoS Class Properties for Expedited Forwarding
To Add QoS Class Properties for Non Expedited Forwarding
Working with Low Latency Classes
To Implement Low Latency Queuing
To Define Low Latency Classes of Service
To Define Class of Service Properties for Low Latency Queuing
Working with Authenticated QoS
To Use Authenticated QoS
Managing QoS for Citrix ICA Applications
Disabling Session Sharing
Modifying your Security Policy
Discovering Citrix ICA Application Names
Defining a New Citrix TCP Service
Adding a Citrix TCP Service to a Rule (Traditional Mode Only)
Installing the Security and QoS Policies
Managing QoS for Citrix Printing
Configuring a Citrix Printing Rule (Traditional Mode Only)
Configuring Check Point QoS Topology
Viewing the Check Point QoS Modules Status
To Display the Status of Check Point QoS Modules Controlled by the SmartCenter Server
Enabling Log Collection
To Turn on QoS Logging
To Confirm that the Rule is Marked for Logging
To Start SmartView Tracker
Chapter 7 SmartView Tracker
Overview of Logging
Examples of Log Events
Connection Reject Log
LLQ Drop Log
Pool Exceeded Log
Examples of Account Statistics Logs
General Statistics Data
Drop Policy Statistics Data
LLQ Statistics Data
Chapter 8 Command Line Interface
Check Point QoS Commands
Setup
fgate Menu
Control
Monitor
Utilities
Chapter 9 Check Point QoS FAQ (Frequently Asked Questions)
Questions and Answers
Introduction
Check Point QoS Basics
Other Check Point Products - Support and Management
Policy Creation
Capacity Planning
Protocol Support
Installation/Backward Compatibility/Licensing/Versions
How do I?
General Issues
Chapter 10 Deploying Check Point QoS
Deploying Check Point QoS
Check Point QoS Topology Restrictions
Sample Bandwidth Allocations
Frame Relay Network
Appendix A Debug Flags
fw ctl debug -m FG-1 Error Codes for Check Point QoS
Index
Preface
In This Chapter
Who Should Use This Guide
Summary of Contents
Related Documentation
More Information
Feedback
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network
security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of:
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).
[...]

Support for end-to-end QoS for IP networks: Check Point QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.

Traditional Check Point QoS vs. Check Point QoS Express
Both Traditional and Express modes of Check Point QoS are included in every product installation...

... advanced features of Check Point QoS. You can specify whether you choose Traditional over Express or vice versa, each time you install a new policy. Table 1-1 shows a comparative table of the features of the Traditional and Express modes of Check Point QoS.

Table 1-1 Check Point QoS Traditional Features vs. Check Point QoS Express Features
Feature, Check Point QoS Traditional, Check Point QoS Express, Find out...
... “Per Connections Guarantees” on page 90
Limit (Per connection) * “Limits” on page 46
LLQ (controlling packet delay in Check Point QoS) * “Low Latency Queuing” on page 95
DiffServ * “Differentiated Services (DiffServ)” on page 93
...

... streams, capabilities that exist together only in FloodGate-1.

Check Point QoS Architecture
In This Section
Basic Architecture
Check Point QoS Architecture
Check Point QoS Configuration

Basic Architecture
The architecture and flow control of Check Point QoS is similar to Firewall. Check Point QoS has three components:
• SmartConsole
• SmartCenter Server
...

... administrators to define a network QoS policy to be enforced by Check Point QoS. Other SmartConsole clients are the SmartView Tracker - a log entries browser; and SmartView Status which displays status information about active QoS modules and their policies.

Figure 2-1 Basic Architecture - Check Point QoS Components

Check Point QoS in SmartDashboard
Check Point SmartDashboard is...

... and tools that are available for monitoring Check Point QoS.
Chapter 8, “Command Line Interface” discusses how to work with Check Point QoS via the Command Line.
Chapter 9, “Check Point QoS FAQ (Frequently Asked Questions)” is a compilation of frequently asked questions and their answers.
Chapter 10, “Deploying Check Point QoS” describes how to deploy Check Point QoS and provides sample bandwidth allocations...

... Authenticated QoS. See “Working with Authenticated QoS” on page 153.
• Define Citrix ICA Applications. See “Managing QoS for Citrix ICA Applications” on page 155.

Chapter 2 Introduction to Check Point QoS
In This Chapter
Check Point QoS’s Innovative Technology
Check Point QoS Architecture
Interaction with VPN-1 Pro and VPN-1 Net

Check Point QoS’s Innovative...

... to manage a basic FloodGate-1 QoS Policy Rule Base.
Chapter 4, “Check Point QoS Tutorial” is a short tutorial describing how to define a QoS Policy.
Chapter 5, “Advanced QoS Policy Management” describes the more advanced policy management features of Check Point QoS that enable you to refine basic QoS policies.
Chapter 6, “Managing Check Point QoS” describes how to manage QoS, including modifying and changing...

... applications or customers need Guaranteeing levels of service

How Does Check Point Deliver QoS
Check Point QoS (previously called FloodGate-1), a policy-based QoS management solution from Check Point Software Technologies Ltd., satisfies your needs for a bandwidth management solution. Check Point QoS is a unique, software-only based application that manages traffic end-to-end...

... about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/
• See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
Date posted: 25/01/2014, 06:24