This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gareth_Kik
Participant
‎2019-02-13 05:31 AM

How to create QoS rule to limit bandwith per user

Friends,

I need your support in configuring QoS policy on GAiA R80.10

We have specific requirement. We need to create rule to limit bandwidth per user.

In our scenario we have about 3000 users. Our management decided give users some limit when they use internet. FOr example 10Mbps per user.

In QoS blade I see I can create rules to limit sources: per network object, per host objects but how to do it per user? I cannot create 2000-3000 hosts manually for all users, correct? it is not logical Smiley Happy.

I am sure you faced such requirements before and give me good advise?

Many thanks

10 Replies
Alessandro_Marr
Advisor
‎2019-02-13 06:27 AM

I think you should create a rule for bandwidth control of applications like video streams and ftp sftp....

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-02-13 07:09 AM

See here: Re: How to apply QoS on a User for restricting Bandwidth?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Vladimir
Champion
Champion
‎2019-02-13 08:30 AM

Something like this should work for simple bandwidth limitations:

You do not have to use the content awareness, so long as you have a category and limits defined to your satisfaction.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-02-13 10:45 AM
In response to Vladimir

An APCL limit like this will work, but the limit will be shared by all traffic matching the rule.  It will not be per user.  The thread linked by Gunther should be helpful to Gareth.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Vato_Chantladze
Contributor
Contributor
‎2019-02-13 12:40 PM

Hi!

APCL limits are working per-rule not per-user. It means all objects in the rule will share the limit what you will set in a single rule. In fact, you may create a rule and specify one host object - this will be a rule with the limit for one user only. But It will not solve your problem because you want to set the limit for each user in the network and they are several thousand as you describe.

Timothy Hall‌ I made some research and many NGFW on the market have Per-IP/Per-User Traffic Limit. Is this something technologically hard to archive in QoS blade or there is a specific reason why CP is not doing it?

BR

Vato

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-02-13 03:20 PM
In response to Vato_Chantladze

The lack of per-user QoS is probably due to the following sequence of events:

- QoS/Floodgate-1 feature was used a fair amount in releases prior to R70

- In R70 CoreXL was introduced but was incompatible with the QoS blade

- As a result QoS blade falls into disuse (penalty box)

- Identity Awareness (IA) is introduced in version R75 while QoS is still used very rarely, so there is really no need to update QoS for IA

- APCL is introduced around the same time as IA and has its own Limit feature to help compensate for QoS being in the penalty box

- CoreXL/QoS conflict is resolved in R77.10 and later, but practically no one is using QoS at this point due to the longstanding incompatibility with CoreXL

This sounds like a good candidate for an RFE though, talk to your Check Point SE or submit it here:  http://www.checkpoint.com/rfe/rfe.htm

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Vladimir
Champion
Champion
‎2019-02-13 04:02 PM
In response to Timothy_Hall

I'm with you 100% on the need for RFE, but going through the list of products there, I do not even see QoS as one of the options.

In addition to IA in QoS, I'd like to see the Domain objects, namely FQDN objects fully supported there. 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-02-13 06:58 PM
In response to Vladimir

Pretty sure QoS is now part of the Advanced Networking Blade (ADN) which is in the list on that RFE page.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Vladimir
Champion
Champion
‎2019-02-14 06:28 AM
In response to Timothy_Hall

Thank you for the pointer!

I'll post my requests in ADN section.

Ryan_Ryan
Advisor
‎2020-03-04 05:03 PM
In response to Timothy_Hall

I may be mistaken, but I believe there is an IPS Protection that would allow you to rate limit each user / number of connections. It was of high impact and they always recommended disabling it, does anyone recall what its called or where it is?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events