Gareth_Kik
Participant

How to create a QoS rule to limit bandwidth per user

Friends,

I need your support in configuring QoS policy on GAiA R80.10

We have specific requirement. We need to create rule to limit bandwidth per user.

In our scenario we have about 3000 users. Our management decided to give users a limit when they use the internet, for example 10 Mbps per user.

In the QoS blade I see I can create rules to limit sources per network object or per host object, but how do I do it per user? I cannot create 2000-3000 hosts manually for all users, correct? It is not logical :)

I am sure you have faced such requirements before and can give me good advice?

Many thanks

10 Replies
Alessandro_Marr
Advisor

I think you should create a rule for bandwidth control of applications like video streams, FTP, SFTP, ...
G_W_Albrecht
Legend

Vladimir
Champion

Something like this should work for simple bandwidth limitations:

You do not have to use the content awareness, so long as you have a category and limits defined to your satisfaction.

Timothy_Hall
Champion

An APCL limit like this will work, but the limit will be shared by all traffic matching the rule.  It will not be per user.  The thread linked by Gunther should be helpful to Gareth.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Vato_Chantladze
Contributor

Hi!

APCL limits work per rule, not per user. It means all objects in the rule will share the limit that you set in a single rule. In fact, you may create a rule and specify one host object; this will be a rule with the limit for one user only. But it will not solve your problem, because you want to set the limit for each user in the network, and there are several thousand of them as you describe.

Timothy Hall, I did some research and many NGFWs on the market have a per-IP/per-user traffic limit. Is this something technologically hard to achieve in the QoS blade, or is there a specific reason why CP is not doing it?

BR

Vato

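To make the distinction in the two replies above concrete, here is a small token-bucket simulation, added as an illustration for this thread; it is not Check Point code and does not model the QoS or APCL blades beyond the one point at issue: a per-rule limit is a single bucket that every source matching the rule draws from, while a per-user/per-IP limit keeps one bucket per source. The class names, addresses, rate, burst and traffic pattern are all constructed for the example.

```python
"""Token-bucket shaper: one shared bucket for a whole rule versus one bucket per source.

Added illustration for this thread; it is not Check Point code and does not model
the QoS or APCL blades beyond the shared-versus-per-source distinction.
All names, rates, addresses and traffic below are constructed.
"""
from collections import defaultdict
from fractions import Fraction  # exact arithmetic so the byte counts are reproducible


class TokenBucket:
    """Admit up to `rate` bytes per second, with a burst allowance of `burst` bytes."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)   # bucket starts full
        self.last = Fraction(0)         # time of the last refill, in seconds

    def allow(self, now, size):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class SharedLimitRule:
    """Per-rule limit (the APCL Limit behaviour described in the thread):
    every source matching the rule draws from the same bucket."""

    def __init__(self, rate, burst):
        self.bucket = TokenBucket(rate, burst)

    def allow(self, now, src, size):
        return self.bucket.allow(now, size)


class PerSourceLimitRule:
    """Per-user/per-IP limit (the behaviour the original poster asks for):
    a bucket is created lazily for each distinct source, so each gets the full rate."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, now, src, size):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst)
        return bucket.allow(now, size)


def run(rule, packets):
    """Feed (time, src, size) packets through `rule`; return bytes admitted per source."""
    admitted = defaultdict(int)
    for t, src, size in packets:
        if rule.allow(t, src, size):
            admitted[src] += size
    return dict(admitted)


def make_traffic(sources, seconds, pps, size):
    """Constructed offered load: each source sends `pps` packets of `size` bytes
    per second, evenly spaced, for `seconds` seconds. Returned in time order."""
    packets = []
    for s in range(seconds):
        for i in range(pps):
            t = Fraction(s) + Fraction(i, pps)
            for src in sources:
                packets.append((t, src, size))
    packets.sort(key=lambda p: p[0])   # stable sort keeps per-slot source order
    return packets


# Constructed scenario: three clients each offering 2000 B/s against a 1000 B/s
# limit with a 1000-byte burst (small numbers so the arithmetic is easy to follow).
SOURCES = ["10.1.1.10", "10.1.1.11", "10.1.1.12"]
RATE, BURST = 1000, 1000
TRAFFIC = make_traffic(SOURCES, seconds=10, pps=20, size=100)


def compare(rate=RATE, burst=BURST, traffic=TRAFFIC):
    """Return (total bytes admitted by the shared rule,
               bytes admitted per source by the per-source rule)."""
    shared = run(SharedLimitRule(rate, burst), traffic)
    per_source = run(PerSourceLimitRule(rate, burst), traffic)
    return sum(shared.values()), per_source


if __name__ == "__main__":
    shared_total, per_source = compare()
    print("shared rule admitted %d bytes in total across all sources" % shared_total)
    for src, n in sorted(per_source.items()):
        print("per-source rule admitted %d bytes for %s" % (n, src))
```

Over the ten-second run the shared rule admits 10900 bytes in total for all three clients together, which is exactly what the per-source rule admits for each client individually: with a per-rule limit, adding a client to the rule's source field dilutes everyone's share, whereas a per-source limit gives each client the full 1000 B/s.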
Timothy_Hall
Champion

The lack of per-user QoS is probably due to the following sequence of events:

- QoS/Floodgate-1 feature was used a fair amount in releases prior to R70

- In R70 CoreXL was introduced but was incompatible with the QoS blade

- As a result QoS blade falls into disuse (penalty box)

- Identity Awareness (IA) is introduced in version R75 while QoS is still used very rarely, so there is really no need to update QoS for IA

- APCL is introduced around the same time as IA and has its own Limit feature to help compensate for QoS being in the penalty box

- CoreXL/QoS conflict is resolved in R77.10 and later, but practically no one is using QoS at this point due to the longstanding incompatibility with CoreXL

This sounds like a good candidate for an RFE though, talk to your Check Point SE or submit it here:  http://www.checkpoint.com/rfe/rfe.htm

Vladimir
Champion

I'm with you 100% on the need for RFE, but going through the list of products there, I do not even see QoS as one of the options.

In addition to IA in QoS, I'd like to see the Domain objects, namely FQDN objects fully supported there. 

Timothy_Hall
Champion

Pretty sure QoS is now part of the Advanced Networking Blade (ADN) which is in the list on that RFE page.

Vladimir
Champion

Thank you for the pointer!

I'll post my requests in ADN section.

Ryan_Ryan
Advisor

I may be mistaken, but I believe there is an IPS protection that would allow you to rate limit each user / number of connections. It was of high impact and they always recommended disabling it. Does anyone recall what it's called or where it is?
