cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Check Point & QoS (DSCP Marking)

Hello,

We have a Cisco network that has end-to-end QoS deployed using Cisco best practices. For example, we have access-layer switches that classify and mark packets from end-user PCs. Upstream switches / routers can then act on those markings and queue packets accordingly.

We also use Checkpoint firewalls between our HQ and remote offices and at the moment they do not have QoS enabled. So in effect we have end-to-end QoS from the Cisco point of view; but the firewall is a gap at present.

My question is does anyone know what's happening to our packets as things stand? For example I'm sending a mixture of services marked as EF, AF11, AF12, AF21, AF22 etc. Do the Checkpoints remark the Qos markings at all? I'm hoping that they don't alter to markings at all because I have a router the other side of the Checkpoint which needs to see those markings!

Thanks

 

Best regards

3 Replies
Highlighted
Admin
Admin

Re: Check Point & QoS (DSCP Marking)

If you're using Check Point's QoS blade or you're using CPAS, then the DSCP tags won't be preserved, per sk145132.

That begs the question: What is CPAS and when does it get invoked? Check Point Active Streaming (CPAS) is technology that sends streams of data to be inspected in the kernel, since more than a single packet at a time is needed in order to understand the application that is running (such as HTTP data).

Several things might use CPAS:

  • HTTPS Inspection
  • Client Authentication (legacy auth method)
  • Security Servers (also legacy)
  • VoIP Inspection (SIP, Skinny/SCCP, H.323, etc)
  • DLP Blade
  • IPS Blade when certain "Web Intelligence" protections are enabled

 

Highlighted

Re: Check Point & QoS (DSCP Marking)

This was very helpful. I have been looking to ensure that the DSCP tags assigned to VOIP traffic are preserved throughout our environment. Does, by any chance, simply enabling the QoS blade preserve received DSCP tags, or do you end up having to manually define tags to reapply?

Is it the case that all VOIP traffic through a gateway without QoS enabled will use the CPAS proxy, and have tags stripped?

If VOIP traffic is only inspected by the firewall blade (bypasses IPS etc.), does that change anything about its QoS?

 

0 Kudos
Highlighted

Re: Check Point & QoS (DSCP Marking)

Quick followup - it appears DSCP tags are not getting stripped from my traffic, as shown by packet captures on the internal and external interfaces.
0 Kudos