Usercenter_Gene
Participant

Check Point & QoS (DSCP Marking)

Hello,

We have a Cisco network that has end-to-end QoS deployed using Cisco best practices. For example, we have access-layer switches that classify and mark packets from end-user PCs. Upstream switches / routers can then act on those markings and queue packets accordingly.

We also use Check Point firewalls between our HQ and remote offices, and at the moment they do not have QoS enabled. So in effect we have end-to-end QoS from the Cisco point of view, but the firewall is a gap at present.

My question is: does anyone know what's happening to our packets as things stand? For example, I'm sending a mixture of services marked as EF, AF11, AF12, AF21, AF22 etc. Do the Check Points remark the QoS markings at all? I'm hoping that they don't alter the markings at all, because I have a router on the other side of the Check Point which needs to see those markings!

Thanks

Best regards

4 Replies
PhoneBoy
Admin

If you're using Check Point's QoS blade or you're using CPAS, then the DSCP tags won't be preserved, per sk145132.

That begs the question: what is CPAS and when does it get invoked? Check Point Active Streaming (CPAS) is a technology that sends streams of data to be inspected in the kernel, since more than a single packet at a time is needed in order to understand the application that is running (such as HTTP data).

Several things might use CPAS:

  • HTTPS Inspection
  • Client Authentication (legacy auth method)
  • Security Servers (also legacy)
  • VoIP Inspection (SIP, Skinny/SCCP, H.323, etc.)
  • DLP Blade
  • IPS Blade when certain "Web Intelligence" protections are enabled


Brandon_Cotter
Contributor

This was very helpful. I have been looking to ensure that the DSCP tags assigned to VoIP traffic are preserved throughout our environment. Does, by any chance, simply enabling the QoS blade preserve received DSCP tags, or do you end up having to manually define tags to reapply?

Is it the case that all VoIP traffic through a gateway without QoS enabled will use the CPAS proxy and have its tags stripped?

If VoIP traffic is only inspected by the firewall blade (bypasses IPS etc.), does that change anything about its QoS?

Brandon_Cotter
Contributor

Quick follow-up: it appears DSCP tags are not getting stripped from my traffic, as shown by packet captures on the internal and external interfaces.
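The check Brandon describes (capture on the internal and external interfaces and compare the markings per flow) is also the way to test PhoneBoy's point about CPAS on one's own gateway and policy, rather than trusting a general statement. The script below is an added example and is not code from this thread or from Check Point. It takes two classic pcap files (for instance written with tcpdump -w on each interface), extracts the DSCP from the high six bits of the IPv4 DS byte, groups the values by 5-tuple, and reports per flow whether the outside capture shows the same DSCP as the inside one. It assumes Ethernet framing, IPv4 and no NAT on the path (with NAT the 5-tuples differ between interfaces and would have to be mapped first). The two captures embedded here are constructed in code; the one flow shown remarked to CS0 exists only to exercise the "remarked" branch and does not reflect any measured gateway behaviour.

```python
"""Compare DSCP markings of the same flows on the inside and outside of a firewall.
Added example; assumes classic pcap (not pcapng), link type Ethernet, IPv4, no NAT."""
import struct

# Common DSCP code points (RFC 2474 / 2597 / 3246 values); unknown ones are named DSCPnn.
DSCP_NAMES = {0: "CS0", 10: "AF11", 12: "AF12", 14: "AF13", 18: "AF21", 20: "AF22",
              22: "AF23", 26: "AF31", 34: "AF41", 46: "EF"}


def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, "DSCP%d" % dscp)


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_udp_frame(src, dst, sport, dport, dscp, payload=b"x" * 20):
    """Ethernet II + IPv4 + UDP frame (constructed test input). The DSCP is placed in
    the top six bits of the TOS/DS byte, ECN bits zero. Checksums are left zero."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + udp_len,
                         0, 0, 64, 17, 0, _ip4(src), _ip4(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    eth_hdr = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth_hdr + ip_hdr + udp_hdr + payload


def pcap_bytes(frames):
    """Serialise frames as a classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield the raw link-layer frames of a classic pcap (either byte order)."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def flow_and_dscp(frame):
    """Return ((src, dst, proto, sport, dport), dscp) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    dscp = ip[1] >> 2                      # DSCP = high six bits of the DS byte
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP ports follow the IP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (src, dst, proto, sport, dport), dscp


def dscp_by_flow(pcap):
    """Map each 5-tuple to the set of DSCP values seen for it in the capture."""
    seen = {}
    for frame in iter_frames(pcap):
        parsed = flow_and_dscp(frame)
        if parsed:
            seen.setdefault(parsed[0], set()).add(parsed[1])
    return seen


def compare_markings(inside_pcap, outside_pcap):
    """Per flow: (inside DSCP names, outside DSCP names, status)."""
    inside, outside = dscp_by_flow(inside_pcap), dscp_by_flow(outside_pcap)
    report = {}
    for flow in sorted(set(inside) | set(outside)):
        i, o = inside.get(flow), outside.get(flow)
        if i is None or o is None:
            status = "only on one side (NAT, drop or asymmetric path?)"
        elif i == o:
            status = "preserved"
        else:
            status = "remarked"
        report[flow] = (sorted(map(dscp_name, i or ())), sorted(map(dscp_name, o or ())), status)
    return report


# Constructed captures: an RTP flow marked EF, a flow marked AF21, a flow marked AF11.
INSIDE_PCAP = pcap_bytes([
    build_udp_frame("10.1.1.10", "10.2.2.10", 16384, 16384, 46),
    build_udp_frame("10.1.1.10", "10.2.2.10", 16384, 16384, 46),
    build_udp_frame("10.1.1.20", "10.2.2.20", 40000, 443, 18),
    build_udp_frame("10.1.1.30", "10.2.2.30", 40001, 80, 10),
])
OUTSIDE_PCAP = pcap_bytes([
    build_udp_frame("10.1.1.10", "10.2.2.10", 16384, 16384, 46),
    build_udp_frame("10.1.1.10", "10.2.2.10", 16384, 16384, 46),
    build_udp_frame("10.1.1.20", "10.2.2.20", 40000, 443, 18),
    build_udp_frame("10.1.1.30", "10.2.2.30", 40001, 80, 0),   # constructed remark to CS0
])

if __name__ == "__main__":
    for flow, (inside_v, outside_v, status) in compare_markings(INSIDE_PCAP, OUTSIDE_PCAP).items():
        print(flow, inside_v, "->", outside_v, status)
```

On a real gateway, replace the two constructed byte strings with the contents of the pcap files captured on each interface at the same time, and run the comparison once per enabled blade combination (QoS on/off, VoIP inspection on/off) so that each "remarked" or "only on one side" result can be tied to a specific configuration.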
Paul_Warnagiris
Advisor

Hi Brandon, I have a question. In your last post you indicate DSCP tags are not getting stripped. But in your first post you asked if enabling QoS preserves the tags. Then you asked, is it the case that all VoIP traffic through a gateway without QoS enabled will use the CPAS proxy and have tags stripped? And finally, if VoIP traffic is only inspected by the firewall blade (bypasses IPS etc.), does that change anything about its QoS?

So in your assessment where you stated that markings were not stripped, what was the configuration you used, and what was on or off when the markings were not stripped?

Thanks,
Paul
