Participant

Copying DiffServ code from IP-header to IPSec-header

Hello everyone.

 

I have a QoS question. As I understand it, traffic handling on CP consists of: firstly, adding QoS parameters to the IP header, and secondly, encrypting the packet. Also, the parameter ipsec.copy_TOS_to_outer allows copying the DiffServ code from the IP header to the IPsec header. I turned on this parameter for the relevant GW (1490 appliance) on my SMS and installed the policy (according to which traffic should be marked with DiffServ code cs5), but traffic from the GW is still marked with the default DiffServ code (cs0). I don't understand why.

Accepted Solutions
Champion

I have asked for feedback in sk105722 concerning support on SMB devices and received the following answer:

SecureKnowledge solution ID: sk105722 and Title: "How to configure Check Point Security Gateway to copy DiffServ mark between packet's headers" has now been edited based on your feedback.

This article is supported on centrally-managed SMB appliances starting from version R77.20.20. It is not supported on locally managed appliances.
For traffic with pre-existing diffserv marks, default behavior is to copy diffserv mark to encapsulated traffic on outgoing and not to copy from encapsulated or incoming traffic.
Enabling copying diffserv marks from incoming encapsulated traffic or decrypted traffic can be done via GuiDbEdit, as described in sk105722.

Anyway, only copying or removing DiffServ code is possible, not actively marking traffic.

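Added example, not from this thread or from Check Point's own tooling: a small Python checker that reads the DSCP field of IPv4 headers captured on the clear-text side and on the encrypted (ESP) side of the tunnel and reports whether the DiffServ mark was copied to the outer header. The sample packets are constructed inline with placeholder addresses; on a real gateway the two byte strings would come from captures on the internal and external interfaces.

```python
import struct

# Common DSCP names; AF classes are computed from the value, CS/EF are looked up.
DSCP_NAMES = {0: "cs0", 8: "cs1", 16: "cs2", 24: "cs3", 32: "cs4", 40: "cs5",
              48: "cs6", 56: "cs7", 46: "ef"}
IPPROTO_ESP = 50


def dscp_of(ipv4_packet: bytes) -> int:
    """Return the 6-bit DSCP value from the TOS/DS byte of an IPv4 header."""
    version_ihl, tos = struct.unpack("!BB", ipv4_packet[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return tos >> 2  # the low two bits are ECN, not DiffServ


def dscp_name(dscp: int) -> str:
    """Map a DSCP value to its usual name (cs5, ef, af11, ...)."""
    if dscp in DSCP_NAMES:
        return DSCP_NAMES[dscp]
    cls, drop = divmod(dscp, 8)
    if 1 <= cls <= 4 and drop in (2, 4, 6):
        return f"af{cls}{drop // 2}"
    return f"dscp{dscp}"


def build_ipv4(dscp: int, proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample IPv4 packet (placeholder addresses, no checksum)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload),
                      0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return hdr + payload


def mark_copied(inner: bytes, outer: bytes) -> bool:
    """True if the outer ESP packet carries the same DSCP as the inner clear-text packet."""
    if outer[9] != IPPROTO_ESP:  # protocol field of the outer header
        raise ValueError("outer packet is not ESP")
    return dscp_of(inner) == dscp_of(outer)


if __name__ == "__main__":
    # Constructed sample: inner packet marked cs5, outer ESP packet left at cs0
    # (the symptom described in the question) versus one with the mark copied.
    inner = build_ipv4(40, 6)
    for outer in (build_ipv4(0, IPPROTO_ESP, inner), build_ipv4(40, IPPROTO_ESP, inner)):
        print(f"inner={dscp_name(dscp_of(inner))} outer={dscp_name(dscp_of(outer))} "
              f"copied={mark_copied(inner, outer)}")
```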

6 Replies
Champion

In SMB documentation, a chapter like the one for GAiA "QoS Advanced QoS Policy Management - Differentiated Services (DiffServ)" does not exist, and I think that is because Embedded GAiA has only a subset of features implemented to keep the small footprint. The sk105722 referred to by you has Platform / Model: All, so I have asked for feedback concerning support on SMB devices. But according to sk104861, use of the feature has only been possible since R77.30!

Further, in sk105380 i see for SMB:

Centrally managed SMB appliance can be configured to use Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in "Advanced" section of QoS action configuration window which is unique for Edge/SG80 appliances. Under Traditional QoS mode only Best Effort QoS class is supported, using other classes will disable QoS policy.

QoS supports marking the traffic with Differential Services (DiffServ) tags and preserving existing DiffServ tags. QoS does not support matching packets based on DiffServ tagging.

Participant

Thanks!

I'm interested in marking traffic with a specific DiffServ code, not matching.

With regard to the last paragraph, do I understand correctly that Express QoS mode is only supported on SG80 and UTM-1 Edge appliances and not on the 1490 appliance?

Champion

I would assume this is also true for 1490.

Participant

OK. I understand that I must create a new QoS policy package in Express Mode. But I also have one question. For example, I create a new QoS policy package in Express Mode with one rule on one link and configure 80k kbps as guaranteed in the action column. So then what must I configure in the QoS tab in the Topology of the relevant interface? I add the relevant QoS class in this tab (REA Beeline). So what guaranteed bandwidth must I configure for this QoS class? The same 80k kbps that I configured in the rule? I have attached screenshots of the QoS rule and the QoS tab of the relevant interface.


Participant

Thanks a lot for the update! In this case I'll have to organize marking on my Cisco devices.
