https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/104009#M4443 <P>Actually it is possible to differentiate traffic traversing a VPN tunnel in your QoS policy via a checkbox in the Action of a QoS rule like this, which applies this sample rule only to encrypting/decrypting traffic:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="QoS_VPN.png" style="width: 912px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9459iAAE502D4EB53BD4C/image-size/large?v=v2&amp;px=999" role="button" title="QoS_VPN.png" alt="QoS_VPN.png" /></span></P> Wed, 02 Dec 2020 14:32:59 GMT Timothy_Hall 2020-12-02T14:32:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/103797#M4439 <P>Hi there is there any way to prioritize the site to site vpn traffic on a checkpoint vpn network? we are doing full mesh vpn for the inter-site voice calls primarily but I would say its more of a hub/spoke topology for the data network where all branch sites connect back to hub site over vpn for data traffic.&nbsp;</P><P>&nbsp;</P><P>is there any way using QoS to guarantee that these VPN tunnels have a certain amount of bandwidth at all time?</P> Mon, 30 Nov 2020 23:02:32 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/103797#M4439 nflnetwork29 2020-11-30T23:02:32Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/103802#M4440 <P>You can do QoS on the traffic inside a VPN tunnel (assuming it's a domain-based VPN, route-based VPNs are not supported per <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk36157" target="_self">sk36157</A>), but I don't believe you can do QoS on the VPN tunnel itself.<BR />In any case, QoS doesn't make much sense over the public Internet since there is zero guarantee anything there will honor the DSCP tags.&nbsp;</P> Tue, 01 Dec 2020 00:48:35 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/103802#M4440 PhoneBoy 2020-12-01T00:48:35Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/104009#M4443 <P>Actually it is possible to differentiate traffic traversing a VPN tunnel in your QoS policy via a checkbox in the Action of a QoS rule like this, which applies this sample rule only to encrypting/decrypting traffic:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="QoS_VPN.png" style="width: 912px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9459iAAE502D4EB53BD4C/image-size/large?v=v2&amp;px=999" role="button" title="QoS_VPN.png" alt="QoS_VPN.png" /></span></P> Wed, 02 Dec 2020 14:32:59 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/104009#M4443 Timothy_Hall 2020-12-02T14:32:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/110250#M4861 <P>i tried to create a similar policy but i receive the following error when i try to install policy on the gateway.</P><P><STRONG>Error - QoS Policy does not apply to any network interface.</STRONG></P><P>Can anyone tell me what I missed?</P> Tue, 09 Feb 2021 04:07:35 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/110250#M4861 nflnetwork29 2021-02-09T04:07:35Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/110281#M4862 <P>I would suggest to follow the QoS Tutorial starting at QoS R80.40 Administration Guide p.32 ! Network Interfaces are the enforcement points for QoS, so QoS has to be enabled on one interface for QoS to be able work on it...</P> Tue, 09 Feb 2021 08:55:36 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/110281#M4862 G_W_Albrecht 2021-02-09T08:55:36Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/134102#M6030 <P>Hey&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>,</P><P>&nbsp;</P><P>Can you clarify the situation outlined in SK36157, please? Does it mean QoS is unsupported on Route-based VPNs, or we cannot implement QoS on any interface if a VTI exists on the gateway?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Aaron.</P> Mon, 15 Nov 2021 17:28:48 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/134102#M6030 AaronCP 2021-11-15T17:28:48Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/134114#M6031 <P>It just can't be done on any traffic to/from VTI interfaces:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk34086" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk34086</A>&nbsp;<BR />It should work on other interfaces.</P> Mon, 15 Nov 2021 21:25:41 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/checkpoint-QoS-on-site-to-site-vpn-traffic/m-p/134114#M6031 PhoneBoy 2021-11-15T21:25:41Z