This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Network_M
Collaborator
‎2019-01-10 02:15 AM
Jump to solution

Limit speed of internet to some hosts

Let's say I have 20 Mbit/s Internet and 2 Checkpoint Firewalls working in Load Balance mode.

In security policy, there are some rules.

Let's say I want to limit speed of internet to 2 Mbit/s to one group object (some hosts), how can I do it correctly?

Labels
2 Solutions

Accepted Solutions
Network_M
Collaborator
‎2019-01-10 03:58 AM
In response to G_W_Albrecht
Jump to solution

If I limit one IP (one host) to 2Mbit/s upload and download, will other 18 Mbit/s be able for other IPs?

View solution in original post

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-01-10 07:54 AM
Jump to solution

If you just want to limit bandwidth, I'd strongly suggest just using a Limit action in the Action field of your APCL/URLF policy layer.   Enabling QoS opens up a bit of a can of worms and is really only appropriate if you want to do bandwidth guarantees, Weighted Fair Queuing, DiffServ or Low-latency Queuing.  So just define a network object or Access Role matching those you want to limit and use it as the source in a rule with a 2mbps Limit action defined.  All traffic that matches that rule will share the 2Mbps limit, the enforced limit is not per user or per connection.  Everything else will share the 20Mbps total along with the limited rule in a FIFO fashion; a Limit is not a guarantee or reservation of bandwidth.

Note that existing connections that are bandwidth-limited in this way will NOT retain their Limit after a stateful failover to the other firewall.  New connections initiated through the new cluster member handling the traffic will of course have their limit enforced as expected.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

13 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-01-10 03:38 AM
Jump to solution

You can use QoS - see the CheckPoint R80.10 QoS AdminGuide for details !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Network_M
Collaborator
‎2019-01-10 03:49 AM
In response to G_W_Albrecht
Jump to solution

Can it be done by Download and Upload Limit in Action field?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-01-10 03:50 AM
In response to Network_M
Jump to solution

The various possibilities are throughly explained in the admin guide.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Network_M
Collaborator
‎2019-01-10 03:58 AM
In response to G_W_Albrecht
Jump to solution

If I limit one IP (one host) to 2Mbit/s upload and download, will other 18 Mbit/s be able for other IPs?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-01-10 04:03 AM
In response to Network_M
Jump to solution

Using QoS will reduce the total throughput of the GW, so the rest will be smaller.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Network_M
Collaborator
‎2019-01-10 04:12 AM
In response to G_W_Albrecht
Jump to solution

If I have 20 Mbit/s of Internet and 20 users (hosts), and

If I limit 1 user (host) to 2 Mbit/s in Actions on Security Policy,

will other 19 users (hosts) share among speed of 18 Mbit/s of Internet?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-01-10 04:25 AM
In response to Network_M
Jump to solution

No, QoS will reduce the total throughput its much work to decide what to do with each packet...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Network_M
Collaborator
‎2019-01-10 04:50 AM
In response to G_W_Albrecht
Jump to solution

Do you mean that I should limit other hosts too? Or is that OK?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-01-10 07:54 AM
Jump to solution

If you just want to limit bandwidth, I'd strongly suggest just using a Limit action in the Action field of your APCL/URLF policy layer.   Enabling QoS opens up a bit of a can of worms and is really only appropriate if you want to do bandwidth guarantees, Weighted Fair Queuing, DiffServ or Low-latency Queuing.  So just define a network object or Access Role matching those you want to limit and use it as the source in a rule with a 2mbps Limit action defined.  All traffic that matches that rule will share the 2Mbps limit, the enforced limit is not per user or per connection.  Everything else will share the 20Mbps total along with the limited rule in a FIFO fashion; a Limit is not a guarantee or reservation of bandwidth.

Note that existing connections that are bandwidth-limited in this way will NOT retain their Limit after a stateful failover to the other firewall.  New connections initiated through the new cluster member handling the traffic will of course have their limit enforced as expected.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Network_M
Collaborator
‎2019-01-10 08:03 PM
In response to Timothy_Hall
Jump to solution

That is what I am talking about. I don't want to use complex things, so using limit in the actions is enough for limiting bandwidth for that particular host or network group.

Thank you.

G_W_Albrecht
Legend Legend
Legend
‎2019-01-10 11:51 PM
In response to Network_M
Jump to solution

Yes, this here is a most convenient way without using QoS.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Bruno_Petronio
Contributor
‎2020-03-27 07:02 AM
In response to Timothy_Hall
Jump to solution

Hello Timothy,
When speaking in "limit" action, are we talking about traffic shaping or policing ?
I would be interested in traffic shaping 🙂

Thanks in advance,
Bruno Petrónio
HristoGrigorov
Mentor
Mentor
‎2019-01-13 05:16 AM
Jump to solution

I believe this is what is known as "traffic shaping" in contrast with QoS which is more like "traffic balancing".

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events