<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Copying DiffServ code from IP-header to IPSec-header in Spark Firewall (SMB)</title>
    <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101871#M4366</link>
    <description>&lt;P&gt;In the SMB documentation, a chapter like the one for GAiA "QoS Advanced QoS Policy Management - Differentiated Services (DiffServ)" does not exist, and I think that is because Embedded GAiA has only a subset of features implemented to keep the small footprint. The sk105722 referred to by you has Platform / Model: All, so I have asked for feedback concerning support on SMB devices. But according to sk104861, use of the feature has only been possible since R77.30!&lt;/P&gt;
&lt;P&gt;Further, in sk105380 I see for SMB:&lt;/P&gt;
&lt;P&gt;Centrally managed SMB appliance can be configured to use Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in "Advanced" section of QoS action configuration window which is unique for Edge/SG80 appliances. Under Traditional QoS mode only Best Effort QoS class is supported, using other classes will disable QoS policy.&lt;/P&gt;
&lt;P&gt;QoS supports marking the traffic with Differential Services (DiffServ) tags and preserving existing DiffServ tags. QoS does not support matching packets based on DiffServ tagging.&lt;/P&gt;</description>
    <pubDate>Thu, 12 Nov 2020 14:33:43 GMT</pubDate>
    <dc:creator>G_W_Albrecht</dc:creator>
    <dc:date>2020-11-12T14:33:43Z</dc:date>
    <item>
      <title>Copying DiffServ code from IP-header to IPSec-header</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101870#M4365</link>
      <description>&lt;P&gt;Hello everyone.&lt;/P&gt;&lt;P&gt;I have a QoS question. As I think, traffic handling on CP consists of: first, adding QoS parameters to the IP header, and second, encrypting the packet. Also, the parameter &lt;STRONG&gt;:ipsec.copy_TOS_to_outer&lt;/STRONG&gt; allows copying the DiffServ code from the IP header to the IPSec header. I turned on this parameter on the relevant GW (1490 appliance) on my SMS and installed the policy (according to which traffic should be marked with DiffServ code cs5), but traffic from the GW is still marked with the default DiffServ code (cs0). I don't understand why.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Nov 2020 13:48:50 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101870#M4365</guid>
      <dc:creator>mikdemin</dc:creator>
      <dc:date>2020-11-12T13:48:50Z</dc:date>
    </item>
    <item>
      <title>Re: Copying DiffServ code from IP-header to IPSec-header</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101871#M4366</link>
      <description>&lt;P&gt;In the SMB documentation, a chapter like the one for GAiA "QoS Advanced QoS Policy Management - Differentiated Services (DiffServ)" does not exist, and I think that is because Embedded GAiA has only a subset of features implemented to keep the small footprint. The sk105722 referred to by you has Platform / Model: All, so I have asked for feedback concerning support on SMB devices. But according to sk104861, use of the feature has only been possible since R77.30!&lt;/P&gt;
&lt;P&gt;Further, in sk105380 I see for SMB:&lt;/P&gt;
&lt;P&gt;Centrally managed SMB appliance can be configured to use Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in "Advanced" section of QoS action configuration window which is unique for Edge/SG80 appliances. Under Traditional QoS mode only Best Effort QoS class is supported, using other classes will disable QoS policy.&lt;/P&gt;
&lt;P&gt;QoS supports marking the traffic with Differential Services (DiffServ) tags and preserving existing DiffServ tags. QoS does not support matching packets based on DiffServ tagging.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Nov 2020 14:33:43 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101871#M4366</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2020-11-12T14:33:43Z</dc:date>
    </item>
    <item>
      <title>Re: Copying DiffServ code from IP-header to IPSec-header</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101923#M4367</link>
      <description>&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;I'm interested in marking traffic with a special DiffServ code, not matching.&lt;/P&gt;&lt;P&gt;With regard to the last paragraph, do I understand correctly that Express QoS mode is only supported on SG80 and UTM-1 Edge appliances and is not supported on the 1490 appliance?&lt;/P&gt;</description>
      <pubDate>Thu, 12 Nov 2020 20:14:45 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101923#M4367</guid>
      <dc:creator>mikdemin</dc:creator>
      <dc:date>2020-11-12T20:14:45Z</dc:date>
    </item>
    <item>
      <title>Re: Copying DiffServ code from IP-header to IPSec-header</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101930#M4368</link>
      <description>&lt;P&gt;I would assume this is also true for 1490.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Nov 2020 21:33:21 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/101930#M4368</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2020-11-12T21:33:21Z</dc:date>
    </item>
    <item>
      <title>Re: Copying DiffServ code from IP-header to IPSec-header</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/102153#M4371</link>
      <description>&lt;P&gt;OK. I understand that I must create a new QoS policy package in Express Mode. But I also have one question. For example, I create a new QoS policy package in Express Mode with one rule on one link and configure 80k kbps as guaranteed in the action column. What must I then configure in the QoS tab in the Topology of the relevant interface? I added the relevant QoS Class in this tab (REA Beeline). What guaranteed bandwidth must I configure for this QoS class? The same 80k kbps that I configured in the rule? I have attached screenshots of the QoS rule and the QoS tab of the relevant interface.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Nov 2020 12:09:08 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/102153#M4371</guid>
      <dc:creator>mikdemin</dc:creator>
      <dc:date>2020-11-16T12:09:08Z</dc:date>
    </item>
    <item>
      <title>Re: Copying DiffServ code from IP-header to IPSec-header</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/104395#M4454</link>
      <description>&lt;P&gt;I have asked for feedback in sk105722 concerning support on SMB devices and received the following answer:&lt;/P&gt;
&lt;P&gt;SecureKnowledge solution ID: sk105722 and Title: "How to configure Check Point Security Gateway to copy DiffServ mark between packet's headers" has now been edited based on your feedback.&lt;/P&gt;
&lt;P&gt;This article is supported on centrally-managed SMB appliances starting from version R77.20.20. It is not supported on locally managed appliances.&lt;BR /&gt;For traffic with pre-existing diffserv marks, default behavior is to copy diffserv mark to encapsulated traffic on outgoing and not to copy from encapsulated or incoming traffic.&lt;BR /&gt;Enabling copying diffserv marks from incoming encapsulated traffic or decrypted traffic can be done via GuiDbEdit, as described in sk105722.&lt;/P&gt;
&lt;P&gt;Anyway, only copying or removing DiffServ code is possible, not actively marking traffic.&lt;/P&gt;</description>
      <pubDate>Sun, 06 Dec 2020 09:33:17 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/104395#M4454</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2020-12-06T09:33:17Z</dc:date>
    </item>
    <item>
      <title>Re: Copying DiffServ code from IP-header to IPSec-header</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/104475#M4455</link>
      <description>&lt;P&gt;Thanks a lot for the update! In this case I'll have to organize marking on my Cisco devices.&lt;/P&gt;</description>
      <pubDate>Mon, 07 Dec 2020 09:51:53 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Copying-DiffServ-code-from-IP-header-to-IPSec-header/m-p/104475#M4455</guid>
      <dc:creator>mikdemin</dc:creator>
      <dc:date>2020-12-07T09:51:53Z</dc:date>
    </item>
  </channel>
</rss>

