Hello everyone.
I have a QoS question. As I understand it, traffic handling on CP consists of: first, adding QoS parameters to the IP header, and second, encryption of the packet. Also, the parameter :ipsec.copy_TOS_to_outer allows copying the DiffServ code from the IP header to the IPsec header. I turned on this parameter for the relevant GW (1490 appliance) on my SMS and installed the policy (according to which traffic should be marked with DiffServ code cs5), but traffic from the GW is still being marked with the default DiffServ code (cs0). I don't understand why.
I have asked for feedback in sk105722 concerning support on SMB devices and received the following answer:
SecureKnowledge solution ID: sk105722 and Title: "How to configure Check Point Security Gateway to copy DiffServ mark between packet's headers" has now been edited based on your feedback.
This article is supported on centrally-managed SMB appliances starting from version R77.20.20. It is not supported on locally managed appliances.
For traffic with pre-existing diffserv marks, default behavior is to copy diffserv mark to encapsulated traffic on outgoing and not to copy from encapsulated or incoming traffic.
Enabling copying diffserv marks from incoming encapsulated traffic or decrypted traffic can be done via GuiDbEdit, as described in sk105722.
Anyway, only copying or removing DiffServ code is possible, not actively marking traffic.
In the SMB documentation, a chapter like the one for GAiA "QoS Advanced QoS Policy Management - Differentiated Services (DiffServ)" does not exist, and I think that is because Embedded GAiA has only a subset of features implemented to keep the small footprint. The sk105722 referred to by you has Platform / Model: All, so I have asked for feedback concerning support on SMB devices. But according to sk104861, use of the feature has only been possible since R77.30!
Further, in sk105380 I see for SMB:
Centrally managed SMB appliance can be configured to use Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in "Advanced" section of QoS action configuration window which is unique for Edge/SG80 appliances. Under Traditional QoS mode only Best Effort QoS class is supported, using other classes will disable QoS policy.
QoS supports marking the traffic with Differential Services (DiffServ) tags and preserving existing DiffServ tags. QoS does not support matching packets based on DiffServ tagging.
Thanks!
I'm interested in marking traffic with a special DiffServ code, not matching.
With regard to the last paragraph, do I understand correctly that Express QoS mode is only supported on SG80 and UTM-1 Edge appliances and not on the 1490 appliance?
I would assume this is also true for 1490.
Ok. I understand that I must create a new QoS policy package in Express Mode. But I also have one question. For example, I create a new QoS policy package in Express Mode with one rule on one link and configure 80k kbps as guaranteed in the action column. So then what must I configure in the QoS tab in the Topology of the relevant interface? I add the relevant QoS Class in this tab (REA Beeline). So what guaranteed bandwidth must I configure for this QoS class? The same 80k kbps that I configured in the rule? I attach screenshots of the QoS rule and the QoS tab of the relevant interface.
Thanks a lot for the update! In this case I'll have to organize marking on my Cisco devices.
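As an added illustration (not from this thread and not Check Point's code) of the header handling discussed above: decoding the DSCP class from an IPv4 ToS byte and modelling what copy_TOS_to_outer does when a packet is wrapped in tunnel-mode IPsec, so that cs5 and cs0 can be told apart on a capture of the gateway's outbound traffic. The addresses, SPI and payload are constructed sample values, and the ESP model leaves the payload unencrypted for readability.

```python
import struct

ESP_PROTO = 50  # IP protocol number of ESP
# DSCP class selectors (RFC 2474): csN = N << 3; the ToS byte is DSCP << 2 | ECN
CLASS_SELECTORS = {n << 3: f"cs{n}" for n in range(8)}

def dscp_from_tos(tos):
    """DSCP is the upper six bits of the ToS/DS byte; the low two bits are ECN."""
    return (tos & 0xFF) >> 2

def dscp_name(dscp):
    return CLASS_SELECTORS.get(dscp, f"dscp{dscp}")

def ipv4_header(tos, proto, payload_len, src, dst):
    """Build a minimal 20-byte IPv4 header (checksum left as zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def parse_ipv4(pkt):
    """Return the DiffServ-relevant fields of an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ver_ihl, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    dscp = dscp_from_tos(tos)
    return {"ihl": (ver_ihl & 0x0F) * 4, "tos": tos, "dscp": dscp,
            "dscp_name": dscp_name(dscp), "proto": proto, "total_len": total_len}

def esp_encapsulate(inner, outer_src, outer_dst, copy_tos_to_outer):
    """Model tunnel-mode IPsec header handling: the inner packet becomes the payload
    of an outer IPv4/ESP header. With copy_tos_to_outer=False the outer header is
    sent with ToS 0 (cs0) whatever the inner mark, which is the symptom described above.
    Simplification: the ESP payload is left unencrypted so the inner header can be re-read."""
    inner_tos = parse_ipv4(inner)["tos"]
    outer_tos = inner_tos if copy_tos_to_outer else 0x00
    esp = struct.pack("!II", 0x1234ABCD, 1) + inner  # SPI + sequence number, constructed values
    return ipv4_header(outer_tos, ESP_PROTO, len(esp), outer_src, outer_dst) + esp

def check_outer_mark(pkt, expected_dscp):
    """Return (ok, observed_class) for the mark an observer on the wire would see."""
    observed = parse_ipv4(pkt)["dscp"]
    return observed == expected_dscp, dscp_name(observed)

if __name__ == "__main__":
    # Constructed inner packet: UDP, marked cs5 (DSCP 40 -> ToS byte 0xA0)
    inner = ipv4_header(40 << 2, 17, 8, bytes([10, 0, 0, 5]), bytes([10, 0, 1, 9])) + b"\x00" * 8
    peers = (bytes([203, 0, 113, 1]), bytes([198, 51, 100, 2]))
    for copy in (True, False):
        outer = esp_encapsulate(inner, *peers, copy_tos_to_outer=copy)
        print(f"copy_TOS_to_outer={copy}: outer mark {check_outer_mark(outer, 40)}")
```

On a real gateway the same check is done by reading the ToS byte of the outer ESP packets in a capture on the external interface: a value of 0x00 where 0xA0 was expected means the mark never reached the outer header.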