
How to apply QoS on a User for restricting Bandwidth?


Background: We have a 15600 Next Generation Firewall (in HA). We have an AD Server where we have different categories of users (like faculty, staff, students), and we also have our RADIUS Server to meet the SSO requirements.


  • We want all the users under studentsOU, login at every 1st of the month, should be monitored for bandwidth utilization.
  • In case the data usage for a particular user exceeds a threshold limit (say, more than 60GB per month), the user will be automatically transferred to a Bandwidth Restriction Group or OU where there will be a restrictive speed limit.
  • The monitoring of all students to be done everyday (at any given time) continuing for a month. That is, whenever any student reaches 60GB (say) within 1st day of the month, OR cumulatively (1st + 2nd) days of the month, OR (1st + 2nd + 3rd .. and so on) days of the month, his/her Net ID would be put under Restrictive Group (with less speed)

How do we proceed in this case? Do we have any API or script handy or is there any other mechanism?



5 Replies

What you are describing sounds a lot more like the function of a dedicated QoS system rather than what a typical firewall might be able to provide.  The Check Point QoS blade (weights, limits, guarantees, LLQ, DiffServ) and Application Control bandwidth limit capabilities do not really have long-term monitoring capabilities; they are more about immediate management of bandwidth.

I suppose one could parse all firewall Accounting logs on some kind of third-party system and keep running totals of bandwidth utilization per user, utilize the fw samp/sim_dos commands on the firewall to start limiting individuals that have gone over their limit for the month, and then clear those imposed limits at the start of a new month.  So yes there is a mechanism for enforcement on the Check Point once someone goes over the monthly limit, but not really a long-term monitoring mechanism to determine when someone has gone "over" and to punish them accordingly.  🙂

Second Edition of my "Max Power" Firewall Book
Now Available at

Watch My 2023 CPX360 Speech Titled "Max Power
Reloaded: R81+ Gateway Performance Innovations"
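The running-total approach sketched in the reply above (a third-party system parsing accounting logs and tracking per-user monthly usage), as an added example that is not from the thread or from Check Point. The CSV columns, user names and sample records are constructed assumptions; a real accounting log export has to be mapped onto them, and the enforcement step on the gateway is not shown.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

QUOTA_BYTES = 60 * 10**9  # 60 GB monthly threshold from the question

# Constructed sample export: one accounting record per closed connection.
# Column names are assumptions, not a Check Point log schema.
SAMPLE_LOG = """timestamp,user,bytes
2024-03-01T09:00:00,student1,25000000000
2024-03-01T10:30:00,student2,1000000000
2024-03-02T14:00:00,student1,30000000000
2024-03-03T08:15:00,student1,6000000000
2024-03-31T23:59:00,student2,50000000000
2024-04-01T00:05:00,student1,1000000000
not-a-date,student3,100
2024-04-02T00:05:00,student3,abc
"""

def find_over_quota(log_text, quota=QUOTA_BYTES):
    """Return ({(month, user): time the running total first passed quota}, skipped rows)."""
    totals = defaultdict(int)   # (YYYY-MM, user) -> cumulative bytes
    crossed = {}
    skipped = 0
    rows = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.fromisoformat(row["timestamp"])
            nbytes = int(row["bytes"])
            if nbytes < 0 or not row["user"]:
                raise ValueError
        except (ValueError, TypeError, KeyError):
            skipped += 1        # count malformed rows instead of guessing
            continue
        rows.append((ts, row["user"], nbytes))
    for ts, user, nbytes in sorted(rows):   # logs may arrive out of order
        key = (ts.strftime("%Y-%m"), user)  # new month => counter starts at zero
        totals[key] += nbytes
        if totals[key] > quota and key not in crossed:
            crossed[key] = ts
    return crossed, skipped

if __name__ == "__main__":
    over, bad = find_over_quota(SAMPLE_LOG)
    for (month, user), when in sorted(over.items()):
        print(f"{month} {user} exceeded quota at {when.isoformat()}")
    print(f"skipped {bad} malformed rows")
```

Because the counter key includes the month, limits imposed for March users can be cleared once no March key applies, matching the monthly reset described in the reply.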

Thanks for your response.

but not really a long-term monitoring mechanism to determine when someone has gone "over" and to punish them accordingly.  🙂

By the way, what is your recommendation to achieve my requirement? Please help and guide me.

0 Kudos

What you are looking for is the comprehensive traffic shaping solution.

Those are outside of the scope of services that Check Point provides.

Some of its capabilities are present in Cisco, but I am not sure how flexible those are or if they could be user specific.

Simple, but a bit limited, is the Meraki offering on their switches, MX and MR devices.

Look up "traffic shaping" in Google and see what your options are.



  As supposed by Timothy above, I had the need to grant the download limitation at 5 Mbps per user IP.

  I ran the following command; verify if it helps:

fw samp -a d -l r -n WIFI_5Mbps -c Limit_5Mbps service any source cidr: pkt-rate 625000 track source flush true


Tiago Marques.


Hello, I have the same requirement. If you achieve your requirement, it would be nice if you could share your solution.


0 Kudos