nflnetwork29
Advisor

checkpoint QoS on site to site vpn traffic

Hi there, is there any way to prioritize the site-to-site VPN traffic on a Check Point VPN network? We are doing full mesh VPN for the inter-site voice calls primarily, but I would say it's more of a hub/spoke topology for the data network, where all branch sites connect back to the hub site over VPN for data traffic.

Is there any way using QoS to guarantee that these VPN tunnels have a certain amount of bandwidth at all times?

6 Replies
PhoneBoy
Admin

You can do QoS on the traffic inside a VPN tunnel (assuming it's a domain-based VPN, route-based VPNs are not supported per sk36157), but I don't believe you can do QoS on the VPN tunnel itself.
In any case, QoS doesn't make much sense over the public Internet since there is zero guarantee anything there will honor the DSCP tags. 

AaronCP
Advisor

Hey @PhoneBoy,

Can you clarify the situation outlined in SK36157, please? Does it mean QoS is unsupported on Route-based VPNs, or we cannot implement QoS on any interface if a VTI exists on the gateway?

Thanks,

Aaron.

PhoneBoy
Admin

It just can't be done on any traffic to/from VTI interfaces: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
It should work on other interfaces.

Timothy_Hall
Champion

Actually it is possible to differentiate traffic traversing a VPN tunnel in your QoS policy via a checkbox in the Action of a QoS rule like this, which applies this sample rule only to encrypting/decrypting traffic:

[Screenshot: QoS_VPN.png]

IPS/AV/ABOT Immersion & Max Capture: Know your Packets
Self-Guided Video Series available at www.maxpowerfirewalls.com
nflnetwork29
Advisor

I tried to create a similar policy but I receive the following error when I try to install policy on the gateway.

Error - QoS Policy does not apply to any network interface.

Can anyone tell me what I missed?

G_W_Albrecht
Legend

I would suggest following the QoS Tutorial starting at QoS R80.40 Administration Guide p.32! Network interfaces are the enforcement points for QoS, so QoS has to be enabled on one interface for QoS to be able to work on it...

CCSE CCTE CCSM SMB Specialist