topic Re: CheckPoint QOS issue in Firewall and Security Management

CheckPoint QOS issue

Patrickc — Mon, 17 Feb 2025 05:36:05 GMT

Hi All,

I would like to confirm whether Check Point can guarantee bandwidth for applications using QoS.
In SmartDashboard, I can only see "Service" but not "Application" as a selectable option.

Thanks

Re: CheckPoint QOS issue

AkosBakos — Mon, 17 Feb 2025 08:59:56 GMT

Hi @Patrickc

According to the guide:

https://sc1.checkpoint.com/documents/SMB_R80.20/AdminGuides/Locally_Managed/EN/Content/Topics/Working-with-QoS-Policy.htm?tocpath=Appliance%20Configuration%7CManaging%20the%20Access%20Policy%7C_____8

This refers only services:

to create a QoS rule:

Click the arrow next to New.
Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

The Add Rule window opens. It shows the rule fields in two manners:
- A rule summary sentence with default values.
- A table with the rule base fields in a table.
Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above.

Note - You can select for a specified rule to have a specified guarantee and/or limit or be marked as low latency traffic. In case of the latter, there is a single maximum limit percentage for ALL low latency traffic which can be configured globally. See above.
To match only for encrypted (VPN) traffic, select Match only for encrypted traffic. The Service column shows "encrypted" if selected.
To limit the rule to a specified time range, select Apply only during this time and select the start and end times. Only connections that begin during this time range are inspected.
DiffServ Mark is a way to mark connections so a third party handles it. To mark packets that are given priority on the public network based on their DSCP, select DiffServ Mark (1-63) and select a value. To use this option, your ISP or private WAN must support DiffServ. You can get the DSCP value from your ISP or private WAN administrator.
In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule.
Click Apply.

Note - You can drag and drop rules to change the order of rules in the QoS Rule Base

Akos

Re: CheckPoint QOS issue

Patrickc — Mon, 17 Feb 2025 09:47:15 GMT

Hi Akos,

Thnaks your reply,but i want to know How to guarantee bandwidth for an application?

Re: CheckPoint QOS issue

Patrickc — Mon, 17 Feb 2025 09:47:49 GMT

like google meeting or teams

Re: CheckPoint QOS issue

AkosBakos — Mon, 17 Feb 2025 13:49:32 GMT

Hi @Patrickc

Hm... maybe this is what you are looking for:

https://community.checkpoint.com/t5/Security-Gateways/Bandwidth-Rate-Limit/td-p/132777

From @Timothy_Hall:

The Limit feature is a function of the APCL/URLF blades which typically inspect traffic to and from the Internet, so you must be matching traffic against an application or site object to use it. Not really applicable for your situation of trying to limit bandwidth consumed by a VPN tunnel, but I suppose you could create some custom application/site objects to match traffic in that tunnel and limit it in an APCL/URLF-capable layer. Here is some more info:

Applying APCL/URLF Bandwidth Limits

One very nice feature of APCL/URLF is the ability to enforce bandwidth limits for undesirable sites/applications that cannot be flat-out blocked due to political reasons. A classic example is Media Streaming sites than can consume very large amounts of bandwidth but are not directly required for typical business functions:

Bandwidth limits for APCL/URLF are applied directly by these features, and the full-fledged Quality of Service (QoS) feature does not need to be enabled by the firewall to use them.
Bandwidth guarantees cannot be specified; the full QoS blade is required for that functionality.
Upload bandwidth limits, download bandwidth limits, or both can be specified.
Note that any bandwidth limit enforced will be shared by all connections matching that particular rule; the limits are not per-connection or per-user. It is also not currently possible to enforce overall bandwidth limits over a certain timeframe (i.e. allow 1GByte of streaming data per 24-hour period and then no more until the next day when another 1GByte is allowed).
Packets in excess of the configured bandwidth limit are simply dropped by the firewall (this forcing TCP to slow its send rate); these packets are not queued or shaped by the firewall.

The QoS blade is probably more appropriate for what you are trying to do, and it is very easy to tag/match VPN traffic specifically when enforcing a QoS limit or guarantee by checking the Apply rule only to encrypted traffic checkbox in the QoS rule specifying the limit.

Akos

Re: CheckPoint QOS issue

PhoneBoy — Mon, 17 Feb 2025 23:45:36 GMT

The QoS blade does not currently support Applications.
However, you should look at Quantum SD-WAN, which should be able to do this and more.

Re: CheckPoint QOS issue

the_rock — Tue, 18 Feb 2025 00:35:50 GMT

Yep, thats perfect option.

Andy

Re: CheckPoint QOS issue

Lesley — Tue, 18 Feb 2025 17:54:26 GMT

This is the best, on CPX I got a live demo and it looks wayyy better then traditional QoS blade.

SD-WAN is the new QoS and ISP redundancy.

Re: CheckPoint QOS issue

the_rock — Tue, 18 Feb 2025 18:20:02 GMT

Looks very promising!