Check Point QoS Administration Guide Version NGX R65 700726 March 2007 © 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN- 1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS. Table of Contents 5 Contents Preface Who Should Use This Guide 10 Summary of Contents 11 Appendices 11 Related Documentation 12 More Information 15 Feedback 16 Chapter 1 Overview What is Quality of Service 18 Internet Bandwidth Management Technologies 19 Overview 19 Superior QoS Solution Requirements 19 Benefits of a Policy-Based Solution 20 How Does Check Point Deliver QoS 21 Features and Benefits 23 Traditional Check Point QoS vs. Check Point QoS Express 24 Workflow 26 Chapter 2 Introduction to Check Point QoS Check Point QoS’s Innovative Technology 30 Technology Overview 31 Check Point QoS Architecture 33 Basic Architecture 33 Check Point QoS Configuration 35 Concurrent Sessions 38 Interaction with VPN-1Pro and VPN-1 Net 39 Interoperability 39 Chapter 3 Basic QoS Policy Management Overview 42 Rule Base Management 43 Overview 43 Connection Classification 44 Network Objects 44 Services and Resources 45 Time Objects 45 Bandwidth Allocation and Rules 45 Default Rule 47 QoS Action Properties 47 Example of a Rule Matching VPN Traffic 48 Bandwidth Allocation and Sub-Rules 49 6 Implementing the Rule Base 51 To Verify and View the QoS Policy 51 To Install and Enforce the Policy 51 To Uninstall the QoS Policy 52 To Monitor the QoS Policy 52 Chapter 4 Check Point QoS Tutorial Introduction 54 Building and Installing a QoS Policy 56 Step 1: Installing Check Point Modules 57 Step 2: Starting SmartDashboard 57 To Start SmartDashboard 58 Step 3: Determining QoS Policy 61 Step 4: Defining the Network Objects 61 To Define the Gateway London 62 To Define the Interfaces on Gateway London 66 To Define the QoS Properties for the Interfaces on Gateway London 72 Step 5: Defining the Services 73 Step 6: Creating a Rule Base 73 To Create a New Policy Package 74 To Create a New Rules 75 To Modify New Rules 76 Step 7: Installing a QoS Policy 82 Conclusion 84 Chapter 5 Advanced QoS Policy Management Overview 86 Examples: Guarantees and Limits 87 Per Rule Guarantees 87 Per Connections Guarantees 90 Limits 91 Guarantee - Limit Interaction 91 Differentiated Services (DiffServ) 93 Overview 93 DiffServ Markings for IPSec Packets 93 Interaction Between DiffServ Rules and Other Rules 94 Low Latency Queuing 95 Overview 95 Low Latency Classes 95 Interaction between Low Latency and Other Rule Properties 100 When to Use Low Latency Queuing 101 Low Latency versus DiffServ 102 Authenticated QoS 103 Citrix MetaFrame Support 104 Overview 104 Limitations 105 Load Sharing 106 Overview 106 Table of Contents 7 Check Point QoS Cluster Infrastructure 107 Chapter 6 Managing Check Point QoS Defining QoS Global Properties 112 To Modify the QoS Global Properties 112 Specifying Interface QoS Properties 114 To Define the Interface QoS Properties 114 Editing QoS Rule Bases 118 To Create a New Policy Package 118 To Open an Existing Policy Package 119 To Add a Rule 119 To Rename a Rule 121 To Copy, Cut or Paste a Rule 121 To Delete a Rule 122 Modifying Rules 123 Modifying Sources in a Rule 123 Modifying Destinations in a Rule 126 Modifying Services in a Rule 128 Modifying Rule Actions 130 Modifying Tracking for a Rule 135 Modifying Install On for a Rule 135 Modifying Time in a Rule 138 Adding Comments to a Rule 140 Defining Sub-Rules 142 Working with Differentiated Services (DiffServ) 144 To Define a DiffServ Class of Service 145 To Define a DiffServ Class of Service Group 146 To Add QoS Class Properties for Expedited Forwarding 147 To Add QoS Class Properties for Non Expedited Forwarding 148 Working with Low Latency Classes 150 To Implement Low Latency Queuing 150 To Define Low Latency Classes of Service 151 To Define Class of Service Properties for Low Latency Queuing 151 Working with Authenticated QoS 153 To Use Authenticated QoS 153 Managing QoS for Citrix ICA Applications 155 Disabling Session Sharing 155 Modifying your Security Policy 156 Discovering Citrix ICA Application Names 157 Defining a New Citrix TCP Service 160 Adding a Citrix TCP Service to a Rule (Traditional Mode Only) 161 Installing the Security and QoS Policies 161 Managing QoS for Citrix Printing 162 Configuring a Citrix Printing Rule (Traditional Mode Only) 162 Configuring Check Point QoS Topology 163 Viewing the Check Point QoS Modules Status 164 To Display the Status of Check Point QoS Modules Controlled by the SmartCenter Server 164 8 Enabling Log Collection 165 To Turn on QoS Logging 165 To Confirm that the Rule is Marked for Logging 166 To Start SmartView Tracker 167 Chapter 7 SmartView Tracker Overview of Logging 170 Examples of Log Events 174 Connection Reject Log 174 LLQ Drop Log 174 Pool Exceeded Log 175 Examples of Account Statistics Logs 177 General Statistics Data 177 Drop Policy Statistics Data 178 LLQ Statistics Data 178 Chapter 8 Command Line Interface Check Point QoS Commands 180 Setup 181 fgate Menu 182 Control 183 Monitor 185 Utilities 187 Chapter 9 Check Point QoS FAQ (Frequently Asked Questions) Questions and Answers 190 Introduction 190 Check Point QoS Basics 191 Other Check Point Products - Support and Management 194 Policy Creation 195 Capacity Planning 196 Protocol Support 197 Installation/Backward Compatibility/Licensing/Versions 198 How do I? 198 General Issues 199 Chapter 10 Deploying Check Point QoS Deploying Check Point QoS 202 Check Point QoS Topology Restrictions 202 Sample Bandwidth Allocations 204 Frame Relay Network 204 Appendix A Debug Flags fw ctl debug -m FG-1 Error Codes for Check Point QoS 208 Index 217 9 Preface P Preface In This Chapter Who Should Use This Guide page 10 Summary of Contents page 11 Related Documentation page 12 More Information page 15 Feedback page 16 Who Should Use This Guide 10 Who Should Use This Guide This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of • System administration. • The underlying operating system. • Internet protocols (IP, TCP, UDP etc.). [...]... Support for end-to-end QoS for IP networks: Check Point QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software Chapter 1 Overview 23 Traditional Check Point QoS vs Check Point QoS Express Traditional Check Point QoS vs Check Point QoS Express Both Traditional and Express modes of Check Point QoS are included in every product installation... advanced features of Check Point QoS You can specify whether you choose Traditional over Express or vice versa, each time you install a new policy Table 1-1 shows a comparative table of the features of the Traditional and Express modes of Check Point QoS Table 1-1 Check Point QoS Traditional Features vs Check Point QoS Express Features Feature Check Point QoS Traditional Check Point QoS Express Find out... “Per Connections Guarantees” on page 90 Limit (Per connection) * “Limits” on page 46 24 Traditional Check Point QoS vs Check Point QoS Express Table 1-1 Check Point QoS Traditional Features vs Check Point QoS Express Features Feature Check Point QoS Traditional LLQ (controlling packet delay in Check Point QoS) * “Low Latency Queuing” on page 95 DiffServ * “Differentiated Services (DiffServ)” on page 93... streams, capabilities that exist together only in FloodGate-1 32 Check Point QoS Architecture Check Point QoS Architecture In This Section Basic Architecture page 33 Check Point QoS Architecture page 33 Check Point QoS Configuration page 35 Basic Architecture The architecture and flow control of Check Point QoS is similar to Firewall Check Point QoS has three components: • SmartConsole • SmartCenter Server... administrators to define a network QoS policy to be enforced by Check Point QoS Other SmartConsole clients are the SmartView Tracker - a log entries browser; and SmartView Status which displays status information about active QoS modules and their policies 34 Check Point QoS Configuration Figure 2-1 Basic Architecture - Check Point QoS Components Check Point QoS in SmartDashboard Check Point SmartDashboard is... and tools that are available for monitoring Check Point QoS Chapter 8, “Command Line Interface” discusses how to work with Check Point QoS via the Command Line Chapter 9, Check Point QoS FAQ (Frequently Asked Questions)” a compilation of frequently asked questions and their answers Chapter 10, “Deploying Check Point QoS Describes how to deploy Check Point QoS and provides sample bandwidth allocations... Authenticated QoS See “Working with Authenticated QoS on page 153 • Define Citrix ICA Applications See “Managing QoS for Citrix ICA Applications” on page 155 Chapter 1 Overview 27 Workflow 28 2 Chapter Introduction to Check Point QoS In This Chapter Check Point QoS s Innovative Technology page 30 Check Point QoS Architecture page 33 Interaction with VPN-1Pro and VPN-1 Net page 39 29 Check Point QoS s Innovative... to manage a basic FloodGate-1 QoS Policy Rule Base Chapter 4, Check Point QoS Tutorial” is a short tutorial describing how to define a QoS Policy Chapter 5, “Advanced QoS Policy Management” describes the more advanced policy management features of Check Point QoS that enable you to refine basic QoS policies Chapter 6, “Managing Check Point QoS describes how to manage QoS, including modifying and changing... applications or customers need Guaranteeing levels of service How Does Check Point Deliver QoS How Does Check Point Deliver QoS Check Point QoS (previously called FloodGate-1), a policy-based QoS management solution from Check Point Software Technologies Ltd., satisfies your needs for a bandwidth management solution Check Point QoS is a unique, software-only based application that manages traffic end-to-end... about Check Point products, consult Check Point s SecureKnowledge at https://secureknowledge.checkpoint.com/ • See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents Preface 15 Feedback Feedback Check Point is engaged in a continuous effort to improve its documentation Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com . 23 Traditional Check Point QoS vs. Check Point QoS Express 24 Workflow 26 Chapter 2 Introduction to Check Point QoS Check Point QoS s Innovative Technology. I? 198 General Issues 199 Chapter 10 Deploying Check Point QoS Deploying Check Point QoS 202 Check Point QoS Topology Restrictions 202 Sample Bandwidth