Hi All,
I would like to confirm whether Check Point can guarantee bandwidth for applications using QoS.
In SmartDashboard, I can only see "Service" but not "Application" as a selectable option.
Thanks
Hi @Patrickc
According to the guide:
This refers only to services:
To create a QoS rule:
Click the arrow next to New.
Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.
The Add Rule window opens. It shows the rule fields in two manners:
A rule summary sentence with default values.
A table with the rule base fields in a table.
Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above.
Note - You can select for a specified rule to have a specified guarantee and/or limit or be marked as low latency traffic. In case of the latter, there is a single maximum limit percentage for ALL low latency traffic which can be configured globally. See above.
To match only for encrypted (VPN) traffic, select Match only for encrypted traffic. The Service column shows "encrypted" if selected.
To limit the rule to a specified time range, select Apply only during this time and select the start and end times. Only connections that begin during this time range are inspected.
DiffServ Mark is a way to mark connections so a third party handles it. To mark packets that are given priority on the public network based on their DSCP, select DiffServ Mark (1-63) and select a value. To use this option, your ISP or private WAN must support DiffServ. You can get the DSCP value from your ISP or private WAN administrator.
In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule.
Click Apply.
Note - You can drag and drop rules to change the order of rules in the QoS Rule Base.
Akos
Hi Akos,
Thanks for your reply, but I want to know how to guarantee bandwidth for an application, like Google Meeting or Teams?
Hi @Patrickc
Hm... maybe this is what you are looking for:
https://community.checkpoint.com/t5/Security-Gateways/Bandwidth-Rate-Limit/td-p/132777
From @Timothy_Hall:
The Limit feature is a function of the APCL/URLF blades which typically inspect traffic to and from the Internet, so you must be matching traffic against an application or site object to use it. Not really applicable for your situation of trying to limit bandwidth consumed by a VPN tunnel, but I suppose you could create some custom application/site objects to match traffic in that tunnel and limit it in an APCL/URLF-capable layer. Here is some more info:
One very nice feature of APCL/URLF is the ability to enforce bandwidth limits for undesirable sites/applications that cannot be flat-out blocked due to political reasons. A classic example is Media Streaming sites that can consume very large amounts of bandwidth but are not directly required for typical business functions:
Bandwidth limits for APCL/URLF are applied directly by these features, and the full-fledged Quality of Service (QoS) feature does not need to be enabled by the firewall to use them.
Bandwidth guarantees cannot be specified; the full QoS blade is required for that functionality.
Upload bandwidth limits, download bandwidth limits, or both can be specified.
Note that any bandwidth limit enforced will be shared by all connections matching that particular rule; the limits are not per-connection or per-user. It is also not currently possible to enforce overall bandwidth limits over a certain timeframe (i.e. allow 1GByte of streaming data per 24-hour period and then no more until the next day when another 1GByte is allowed).
Packets in excess of the configured bandwidth limit are simply dropped by the firewall (thus forcing TCP to slow its send rate); these packets are not queued or shaped by the firewall.
The QoS blade is probably more appropriate for what you are trying to do, and it is very easy to tag/match VPN traffic specifically when enforcing a QoS limit or guarantee by checking the Apply rule only to encrypted traffic checkbox in the QoS rule specifying the limit.
Akos
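A toy model of the behaviour described in the quoted text above (one limit shared by every connection matching a rule, excess packets dropped rather than queued), added here as an illustration and not taken from the thread or from Check Point. The fixed one-second accounting window, the class and function names, and the traffic are all assumptions constructed for the example.

```python
from collections import defaultdict


class SharedPolicer:
    """One byte budget per rule per 1-second window, shared by all matching
    connections. Excess packets are dropped, never queued.
    Illustrative model only; not Check Point's actual algorithm."""

    def __init__(self, limit_bytes_per_sec):
        self.limit = limit_bytes_per_sec
        self.window = None   # index of the current 1-second window
        self.used = 0        # bytes already forwarded in that window

    def offer(self, t, size):
        """Return True if the packet is forwarded, False if it is dropped."""
        window = int(t)
        if window != self.window:          # new window: budget resets
            self.window, self.used = window, 0
        if self.used + size > self.limit:  # over the shared limit: drop
            return False
        self.used += size
        return True


def simulate(limit, packets):
    """packets: (time_sec, conn_id, size_bytes) tuples sorted by time."""
    policer = SharedPolicer(limit)
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for t, conn, size in packets:
        key = "forwarded" if policer.offer(t, size) else "dropped"
        stats[conn][key] += size
    return dict(stats)


def constructed_traffic():
    """Constructed sample: connection A sends first and uses most of the
    budget; connection B, matching the same rule, arrives later."""
    a = [(i * 0.01, "A", 1000) for i in range(8)]
    b = [(0.5 + i * 0.01, "B", 1000) for i in range(4)] + [(1.0, "B", 1000)]
    return sorted(a + b)


if __name__ == "__main__":
    for conn, s in simulate(10_000, constructed_traffic()).items():
        print(conn, s)
```

In this model B loses packets even though it sent less than A, because the limit is per rule and not per connection; B's last packet gets through only once the next window starts.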
Yep, that's a perfect option.
Andy
The QoS blade does not currently support Applications.
However, you should look at Quantum SD-WAN, which should be able to do this and more.
This is the best. At CPX I got a live demo and it looks wayyy better than the traditional QoS blade.
SD-WAN is the new QoS and ISP redundancy.
Looks very promising!