This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Keneth_Gitonga_
Explorer
‎2018-09-24 02:31 AM

QOS

I have configured QoS a a requirement from a client of mine.For test purposes I have added just one host but for some weird reason I don't seem to hit the rule configured on checking on Smartmonitor QoS.

I am running Checkpoint R80.10 OS build 421.

Any suggestions?

3 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2018-09-24 03:53 AM

Please have a look at the following articles:

Limitations of Check Point QoS 

Or problems with SecureXL QXL Path:

ATRG: SecureXL 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Timothy_Hall
Legend Legend
Legend
‎2018-09-24 05:20 AM

If you just need to enforce a bandwidth limit (which is one of the most common applications of QoS in the real world) you can specify a Limit action in an ordered APCL/URLF policy layer, or in an APCL/URLF-capable inline layer as part of the APCL blade.  Much cleaner than using the QoS blade for the same purpose.

In my experience the QoS blade is not heavily used in the real world, which stems from the longstanding incompatibility of QoS with CoreXL/SecureXL between versions R70 and R77 vanilla.  This limitation was lifted in version R77.10, which introduced the QXL path referenced by Heiko Ankenbrand‌.  I'd estimate the relative overhead associated with the QXL path is somewhere between the Medium Path (PXL) and Firewall Path (F2F). I had a customer with an already very busy firewall recently try to turn on QoS in R80.10, and they had to turn it back off almost immediately due to the serious performance impact it incurred.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
HeikoAnkenbrand
Champion Champion
Champion
‎2018-09-24 12:55 PM
In response to Timothy_Hall

I agree with Timothy here. QXL with PXL path (SecureXL) can be a bit problematic. We also had customers where QXL with R80.10 didn't work 100% with enabled SecureXL. If you don't have any performance problems on the firewall, I would disable SecureXL and test it again. You can disable SecureXL with the following command  "fwaccel off". But please keep in mind that this can lead to performance problems.

You can take a look at the following article "R80.x Security Gateway Architecture (Logical Packet Flow)". QXL is between PXL path and the fast path. Unfortunately there is only limited information from Check Point here.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events