
QOS

I have configured QoS as a requirement from a client of mine. For test purposes I have added just one host, but for some weird reason I don't seem to hit the configured rule when checking in Smartmonitor QoS.

I am running Checkpoint R80.10 OS build 421.

Any suggestions?

3 Replies

Re: QOS

Please have a look at the following articles:

Limitations of Check Point QoS 

Or problems with SecureXL QXL Path:

ATRG: SecureXL 

Regards

Heiko

Re: QOS

If you just need to enforce a bandwidth limit (which is one of the most common applications of QoS in the real world) you can specify a Limit action in an ordered APCL/URLF policy layer, or in an APCL/URLF-capable inline layer as part of the APCL blade.  Much cleaner than using the QoS blade for the same purpose.

In my experience the QoS blade is not heavily used in the real world, which stems from the longstanding incompatibility of QoS with CoreXL/SecureXL between versions R70 and R77 vanilla. This limitation was lifted in version R77.10, which introduced the QXL path referenced by Heiko Ankenbrand. I'd estimate the relative overhead associated with the QXL path is somewhere between the Medium Path (PXL) and Firewall Path (F2F). I had a customer with an already very busy firewall recently try to turn on QoS in R80.10, and they had to turn it back off almost immediately due to the serious performance impact it incurred.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: QOS

I agree with Timothy here. QXL with PXL path (SecureXL) can be a bit problematic. We also had customers where QXL with R80.10 didn't work 100% with SecureXL enabled. If you don't have any performance problems on the firewall, I would disable SecureXL and test it again. You can disable SecureXL with the following command: "fwaccel off". But please keep in mind that this can lead to performance problems.

You can take a look at the following article "R80.x Security Gateway Architecture (Logical Packet Flow)". QXL is between PXL path and the fast path. Unfortunately there is only limited information from Check Point here.

Regards

Heiko