This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Usercenter_Gene
Participant
‎2019-03-13 03:16 AM

Check Point & QoS (DSCP Marking)

Hello,

We have a Cisco network that has end-to-end QoS deployed using Cisco best practices. For example, we have access-layer switches that classify and mark packets from end-user PCs. Upstream switches / routers can then act on those markings and queue packets accordingly.

We also use Checkpoint firewalls between our HQ and remote offices and at the moment they do not have QoS enabled. So in effect we have end-to-end QoS from the Cisco point of view; but the firewall is a gap at present.

My question is does anyone know what's happening to our packets as things stand? For example I'm sending a mixture of services marked as EF, AF11, AF12, AF21, AF22 etc. Do the Checkpoints remark the Qos markings at all? I'm hoping that they don't alter to markings at all because I have a router the other side of the Checkpoint which needs to see those markings!

Thanks

 

Best regards

4 Replies
PhoneBoy
Admin
Admin
‎2019-03-16 09:55 PM

If you're using Check Point's QoS blade or you're using CPAS, then the DSCP tags won't be preserved, per sk145132.

That begs the question: What is CPAS and when does it get invoked? Check Point Active Streaming (CPAS) is technology that sends streams of data to be inspected in the kernel, since more than a single packet at a time is needed in order to understand the application that is running (such as HTTP data).

Several things might use CPAS:

  • HTTPS Inspection
  • Client Authentication (legacy auth method)
  • Security Servers (also legacy)
  • VoIP Inspection (SIP, Skinny/SCCP, H.323, etc)
  • DLP Blade
  • IPS Blade when certain "Web Intelligence" protections are enabled

 

Brandon_Cotter
Contributor
‎2020-02-11 11:34 AM
In response to PhoneBoy

This was very helpful. I have been looking to ensure that the DSCP tags assigned to VOIP traffic are preserved throughout our environment. Does, by any chance, simply enabling the QoS blade preserve received DSCP tags, or do you end up having to manually define tags to reapply?

Is it the case that all VOIP traffic through a gateway without QoS enabled will use the CPAS proxy, and have tags stripped?

If VOIP traffic is only inspected by the firewall blade (bypasses IPS etc.), does that change anything about its QoS?

 

0 Kudos
Brandon_Cotter
Contributor
‎2020-02-17 01:26 PM
In response to Brandon_Cotter

Quick followup - it appears DSCP tags are not getting stripped from my traffic, as shown by packet captures on the internal and external interfaces.
Paul_Warnagiris
Advisor
‎2021-08-09 10:01 AM
In response to Brandon_Cotter

Hi Brandon, I have a question.  In your last post you indicate DSCP tags are not getting stripped.  But in your first post you asked if enabling QoS preserves the tags. Then you asked, is it the case that all VOIP traffic through a gateway without QoS enabled will use the CPAS proxy, and have tags stripped?  And finally, if VOIP traffic is only inspected by the firewall blade (bypasses IPS etc.), does that change anything about its QoS?

So in your assessment where you stated that marking were not stripped, what was the configuration you used and what was on or off when the markings were not stripped?

Thanks,
Paul

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events