This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ok1
Participant
‎2024-08-26 07:58 AM

QoS R81.20 - Guarantee not working

Hi everyone!

I'm asking for help in understanding how QoS works, and how to debug correctly when QoS problems occur.
About the problem:
I have 2 security gateways with hosts behind them:
Gateway A has hosts 192.168.1.1 and 192.168.2.2.
Behind gateway B - hosts 192.168.3.1 and 192.168.4.2.

I enable the QoS module and configure the Simple rule and apply it. I configure the rule to target traffic between hosts 192.168.1.1 and 192.168.3.1. I create a load between the other hosts.

I made a rule with a guaranteed bandwidth of 200 Mb/sec. I have attached a photo of the rules from both gateways.

Rules were created on external interfaces of both gateways. The total channel speed is 307 Mb/sec.
As a result, when running Iperf3 between hosts (target and load) the speed does not reach 200 mb/sec according to the rule. In waves the speed varies from 30 to 170 Mb/sec. And on the channel with load the speed is 5-7 mb/sec. As a result, the total utilisation reaches 80%! The QoS module itself works, because under the condition of LIMIT, the speed is really limited. Also the guaranteed bandwidth works if you don't run Iperf on other hosts to create load.

I am asking for help or ideas on how to solve the problem and how to debug correctly.

Thank you in advance for your help!

QoS.png
Preview file
37 KB
0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2024-08-26 09:58 AM

We need a lot more information, such as:

 

0 Kudos
Ok1
Participant
‎2024-08-28 02:45 AM
In response to PhoneBoy

@PhoneBoy @the_rock Greetings

Attached, screenshots of Iperf measurements, and debugs.

To answer your questions:

What is the device under test? - VM
What JHF are you running? - No hotfix, clean install.
Super Seven debug output attached

The rule essentially works, but with very very high traffic uctilisation

Screenshot of Iperf targeted traffic, while loading on traffic platforms that don't fall under the rules attached. Second screenshot, measuring the speed of all other traffic.(for load). 

 

According to the debug, there are no errors, but there is this entry fg_dns_initarray: Could not open

 

Very please advise in which direction to look for the problem. I don't understand it yet

DebugSuperSeven.png
Preview file
57 KB
DebugSuperSevenCouldNotOpen.png
Preview file
10 KB
Device information.png
Preview file
124 KB
TrafficForLoad.png
Preview file
152 KB
TargetGuaranteeRule.png
Preview file
219 KB
Properties.png
Preview file
75 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-28 06:57 AM
In response to Ok1

A single core and 4GB of RAM is below the minimum hardware requirements in the release notes for R81.20: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RN/Content/Topics-RN/Open-Se...

Personally, I would allocate no less than 4 cores and no less than 8GB of RAM to the VM.

the_rock
Legend
Legend
‎2024-08-26 10:22 AM

To debug (maybe TAC has better commands)

Andy

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_QoS_AdminGuide/html_frameset...

 

?s:

-did it ever work?

-brand new setup?

-what versions?

-all users have same problem?

0 Kudos
Ok1
Participant
‎2024-08-26 07:22 AM

Hello everyone!

Please help in understanding how QoS works, and how to debug correctly when QoS problems occur.
About the problem:
I have 2 security gateways with hosts behind them:
Gateway A has hosts 192.168.1.1 and 192.168.2.2.
Behind gateway B - hosts 192.168.3.1 and 192.168.4.2

I enable the QoS module and configure the Simple rule and apply it. I configure the rule to target traffic between hosts 192.168.1.1 and 192.168.3.1. Create a load between the other hosts.

I made a rule with a guaranteed bandwidth of 200 Mb/sec. I have attached a photo of the rule.

Rules are created on the external interfaces of both gateways. The total channel speed is 307 Mb/sec.
As a result, when running Iperf3 between hosts (target and load) the speed does not reach 200 mb/sec according to the rule. In waves the speed varies from 30 to 170 Mb/sec. And on the channel with load the speed is 5-7 mb/sec. As a result, the total utilisation reaches 80%! The QoS module itself works, because under the LIMIT condition, the speed is really limited. Also the guaranteed bandwidth works if you don't run Iperf on other hosts to create load.

I am asking for help or ideas on how to solve the problem and how to debug correctly.

Thank you in advance for your help!

QoS.png
Preview file
37 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top