Limit the bandwidth of a single interface
Hi All,
and thanks in advance for any replies. We are looking at limiting a single interface; we have a part of a network that we want on 150 or 200 Mbps, and it's connected to one of the gateways through a single interface.
We are not currently using QoS, so I am looking for an easy way to implement that. There are some QoS guides out there that describe policing, but as part of a full setup. Can anyone please point me towards something more condensed?
Cheers, Tim
I think you can use fw samp to do what you want, see:
sk112454: How to configure Rate Limiting rules for DoS Mitigation
Using this command you can set bandwidth/connection quotas that are efficiently enforced by SecureXL; this mechanism is vastly preferred to the Network Quota IPS signature which kills practically all SecureXL acceleration on the gateway. Unfortunately you cannot directly specify a certain interface for enforcement in the matching criteria, but hopefully you could do the same thing with carefully selected source and/or destination networks in your fw samp statement.
Thanks Jade,
will play with this in our test environment and share my experience here. Might be some time though, I'm off for a week and busy with other projects, I will update as soon as possible.
Cheers.
Hi Tim
I am currently going through the same need.
Did you perhaps manage to get a solution for this requirement?
Thanks in advance
Hi,
Why not use the QoS blade?
You can limit all or only one connection or networks or services or a mix of all.
Wolfgang
The QoS blade is now a possibility to do this as long as R80.20+ is in use on the gateway. In R80.10 and earlier switching on QoS would cause practically all traffic to hit the QXL path, and cause a lot of overhead in the firewall along with some other odd problems. Definitely not recommended to use QoS on R80.10 and earlier in most cases.
Perhaps I should give more details as to why we need to do this.
We have an IPSEC connection with our partners that is currently configured on routers, and according to the agreement, the link must support up to 20MB.
Since we wish to migrate the IPSec tunnel to Check Point, we want to make sure that we can limit this connection to 20MB.
I saw a clish command "set interface ethX link-speed YY". Could this help?
We are using R80.20 gateways and Management Server.
Thanks
Sounds like QoS blade is your solution 🙂
Simple, take a look at the configuration in SmartConsole; it is an extra blade configuration.
Wolfgang
Hi Wolfgang
Thanks. I will read up about that.
That's the absolute truth, Timothy.
But I think now it's time for newer releases like R80.20 or R80.30 😉
We use QoS with R80.30 and it works fine too with the acceleration features.
Wolfgang
