This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
496fedef-6258-4
Participant
‎2018-11-03 06:34 AM

How to apply QoS on a User for restricting Bandwidth?

Hi,

Background: We have 15600 Next Generation Firewall (in HA). We have an AD Server where we have different category of users (like faculty, staff, students) and also we have our Radius Server to meet the SSO requirements.

Objective:

  • We want all the users under studentsOU, login at every 1st of the month, should be monitored for bandwidth utilization.
  • In case, for a particular user, the data usage  exceeds (more than say 60GB per month) than a threshold limit, the user will be automatically transferred to a Bandwidth Restriction Group or OU where there will be restrictive speed limit.
  • The monitoring of all students to be done everyday (at any given time) continuing for a month. That is, whenever any student reaches 60GB (say) within 1st day of the month, OR cumulatively (1st + 2nd) days of the month, OR (1st + 2nd + 3rd .. and so on) days of the month, his/her Net ID would be put under Restrictive Group (with less speed)

How do we proceed in this case? Do we have any API or script handy or is there any other mechanism?

Regards,

Sudeep

5 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2018-11-03 08:35 AM

What you are describing sounds a lot more like the function of a dedicated QoS system rather than what a typical firewall might be able to provide.  The Check Point QoS blade (weights, limits, guarantees, LLQ, DiffServ) and Application Control bandwidth limit capabilities do not really have long-term monitoring capabilities; they are more about immediate management of bandwidth.

I suppose one could parse all firewall Accounting logs on some kind of third-party system and keep running totals of bandwidth utilization per user, utilize the fw samp/sim_dos commands on the firewall to start limiting individuals that have gone over their limit for the month, and then clear those imposed limits at the start of a new month.  So yes there is a mechanism for enforcement on the Check Point once someone goes over the monthly limit, but not really a long-term monitoring mechanism to determine when someone has gone "over" and to punish them accordingly.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
496fedef-6258-4
Participant
‎2018-11-03 11:34 AM

Thanks for your response.

but not really a long-term monitoring mechanism to determine when someone has gone "over" and to punish them accordingly.  🙂

By the way what is your recommendation to achieve my requirement. Please help and guide me.

0 Kudos
Vladimir
Champion
Champion
‎2018-11-04 04:35 AM

What you are looking for is the comprehensive traffic shaping solution.

Those are outside of the scope of services that Check Point provides.

Some of it capabilities are present in Cisco, but I am not sure how flexible those are or if they could be user specific.

Simple, but a bit limited, is the Meraki offering on their switches, MX and MR devices.

Look up "traffic shaping" in Google and see what your options are.

Tiago_Marques
Participant
‎2018-11-22 11:05 AM

Hi,

  as supposed by Timothy above I had the need to grant the download limitation at 5 Mbps per user IP.

  I did the following command, verify if it helps:

fw samp -a d -l r -n WIFI_5Mbps -c Limit_5Mbps service any source cidr:192.168.0.0/16 pkt-rate 625000 track source flush true

Sincerely.

Tiago Marques.

rohit_chaudhary
Explorer
‎2019-05-06 12:21 AM

Hello, I have the same requirement, If you achieve your requirement then, It would be nice if you could share your solution.

Thanks,
RC

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events