Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Keneth_Gitonga_
Explorer

QOS

I have configured QoS a a requirement from a client of mine.For test purposes I have added just one host but for some weird reason I don't seem to hit the rule configured on checking on Smartmonitor QoS.

I am running Checkpoint R80.10 OS build 421.

Any suggestions?

3 Replies
HeikoAnkenbrand
Champion Champion
Champion

Please have a look at the following articles:

Limitations of Check Point QoS 

Or problems with SecureXL QXL Path:

ATRG: SecureXL 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Timothy_Hall
Legend Legend
Legend

If you just need to enforce a bandwidth limit (which is one of the most common applications of QoS in the real world) you can specify a Limit action in an ordered APCL/URLF policy layer, or in an APCL/URLF-capable inline layer as part of the APCL blade.  Much cleaner than using the QoS blade for the same purpose.

In my experience the QoS blade is not heavily used in the real world, which stems from the longstanding incompatibility of QoS with CoreXL/SecureXL between versions R70 and R77 vanilla.  This limitation was lifted in version R77.10, which introduced the QXL path referenced by Heiko Ankenbrand‌.  I'd estimate the relative overhead associated with the QXL path is somewhere between the Medium Path (PXL) and Firewall Path (F2F). I had a customer with an already very busy firewall recently try to turn on QoS in R80.10, and they had to turn it back off almost immediately due to the serious performance impact it incurred.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
HeikoAnkenbrand
Champion Champion
Champion

I agree with Timothy here. QXL with PXL path (SecureXL) can be a bit problematic. We also had customers where QXL with R80.10 didn't work 100% with enabled SecureXL. If you don't have any performance problems on the firewall, I would disable SecureXL and test it again. You can disable SecureXL with the following command  "fwaccel off". But please keep in mind that this can lead to performance problems.

You can take a look at the following article "R80.x Security Gateway Architecture (Logical Packet Flow)". QXL is between PXL path and the fast path. Unfortunately there is only limited information from Check Point here.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events