This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2018-12-06 04:14 PM

How to prioritize bandwidth allocation in R80.20?

If I recall accurately, in the past, use of QOS was associated with some serious limitations.

One of potential customers is inquiring about the possibility of using Check Point gateways for bandwidth prioritization for specific sites.

Now that we are on R80.20 and have the ability to use Domain objects in QOS, would this be acceptable configuration?

I would also appreciate any advise or shared experience with QOS on R80.20 and if any issues were encountered that I should be aware of.

The bandwidth limiters available in the APCTL are not really an option due to hard limits and method used to enforce those.

Thank you,

Vladimir

14 Replies
PhoneBoy
Admin
Admin
‎2018-12-06 09:25 PM

QoS had some limitations with CoreXL that were resolved in R77.10, FWIW.

0 Kudos
Vladimir
Champion
Champion
‎2018-12-07 05:00 AM
In response to PhoneBoy

Thank you for clarification. Can you confirm that the approach depicted in my post above would achieve desired result or am I missing something? I'll have a call with the potential client today at 3:00 pm EDT and would like to give him unambiguous answer.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-07 06:28 AM
In response to Vladimir

The way I understand it, this should do what you're after.

It looks like the ability to use Domain objects in QoS predates R80, so it's not a "new" feature.

That said, with FQDN domains (which ARE new in R80.x), I imagine they work better in QoS as well Smiley Happy

0 Kudos
Vladimir
Champion
Champion
‎2018-12-08 09:01 AM

What are the steps to achieve creation of equivalent settings from embedded systems in a centrally managed environments?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-08 09:46 AM
In response to Vladimir

Offhand, I don't know.

0 Kudos
Vladimir
Champion
Champion
‎2018-12-18 09:40 AM
In response to PhoneBoy

Dameon,

Can you get someone from QoS group to take a look at this thread?

One of the CP SEs I am working with and I are conducting the simulations with the use of the FQDNs in QoS by limiting bandwidth allocation and so far we were not able to do it successfully.

Thank you,

Vladimir

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-18 10:03 AM
In response to Vladimir

"Limit Bandwidth Consuming Application is disabled" is a no-op here since it's disabled.

You would not use the QoS blade for this, since it has no concept of applications, you would use App Control.

"Limit low latency traffic to 20%" refers to these services:

Which suggests a rule that looks something like (will have to play with weight and/or rule limit):

0 Kudos
Vladimir
Champion
Champion
‎2018-12-18 10:29 AM
In response to PhoneBoy

Thanks!

The issue that I am trying to resolve is the bandwidth limit per site accessed based on FQDN Domain object.

There are options of using URIs for QoS as well, creating resources in the format of, for instance, www.samplesite.com/* , associating them with HTTP and HTTPS and placing them in the "Services" sections of the QoS policy.

I am trying to figure out which is the appropriate way to achieve this.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-18 10:39 AM
In response to Vladimir

You could do this a couple of ways:

  • Specify the precise limit in terms of "Rule Limit"
  • Specify a "weight" for each rule
    • If all rules are weighted are the same, then each rule will be allocated roughly the same amount of bandwidth.
    • If one rule has a higher weight than another, then that rule will get a proportionally higher amount of bandwidth (percentage based on total weight of all rules).
      • For example, if the weight of all rules totals 100 and you give rule 5 a weight of 20, it will get 20 percent of the available bandwidth.
0 Kudos
Vladimir
Champion
Champion
‎2018-12-18 10:44 AM
In response to PhoneBoy

But that is the problem: with absolute limit specified and the destination defined as the FQDN Domain object, I do not see the limit being enforced when, for instance, the download is initiated (irrespective of the protocol used).

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-18 11:04 AM
In response to Vladimir

Sounds like a TAC case may be in order. 

0 Kudos
Vladimir
Champion
Champion
‎2019-01-06 02:05 PM
In response to PhoneBoy

Dameon Welch-Abernathy The SE that I am working with has opened the SR#6-0001181586

If possible, please see if we can get some traction on it, as we are being asked the same questions that were already answered. It was initiated on December the 21st.

Thank you,

Vladimir

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-07 10:39 PM
In response to Vladimir

Usually better send me those privately Smiley Happy

But will look into it 

0 Kudos
Vladimir
Champion
Champion
‎2019-01-08 06:47 AM
In response to PhoneBoy

My bad. Will do so in the future and thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events