Solved: QoS Bandwith Control per User/IP

Bernardes · ‎2023-08-21

Dear colleagues,

I have a client request to implement bandwidth control per (IP/user), but I'm facing challenges in finding a solution.

If I use the bandwidth control in the rule base, it will limit the entire network to the defined value, which is not the desired outcome.

I'm currently testing with the QoS Blade and I've reviewed the guide, but the 'limit' function's exact purpose and operation aren't clear.

I conducted tests in a lab environment, and even with a limit set in QoS, the bandwidth continued to be used without restriction.

In other words, the 'limit' function doesn't seem to work for bandwidth control.

How can I achieve bandwidth control per connection/IP/user?

Is it possible to achieve this using the QoS Blade?

Salom_Idhogela · ‎2023-09-01

I have managed to get it working on R81.10 per IP. See below screenshot

View solution in original post

the_rock · ‎2023-08-21

Let me see if I can dig out some notes about this, because customer asked me about same subject few years ago and I know there was TAC case about it, but cant remember now what happened. If I find anything, will share.

Andy

Best,
Andy

Bernardes · ‎2023-08-22

Hello @the_rock thank you for your help!

Can you confirm whether the 'limit' function of the QoS blade is supposed to actually restrict bandwidth as defined, or does it have another purpose?

I configured it both in a lab and a client's production environment, and it didn't work as expected.

The guide doesn't make it clear what the intended application of this function is.

the_rock · ‎2023-08-22

Based on below, it would appear so

Andy

https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/96089/FILE/CP_R80.40_QoS_AdminGuide.pdf

Limits
A limit specifies the maximum bandwidth that is assigned to all the connections together. A limit defines a
point after which connections below a rule are not allocated more bandwidth, even if there is surplus
bandwidth available.
Limits can also be defined for the sum of all connections in a rule or for individual connections within a rule.
For more information on weights, guarantees and limits, see Action Type.
Note - Bandwidth allocation is not fixed. As connections are opened and closed, QoS
continuously changes the bandwidth allocation to accommodate competing
connections, in accordance with the QoS Policy.

Best,
Andy

the_rock · ‎2023-08-22

Btw, I set up qos in my lab again (latest jumbo on R81.20), so can do any testing you need.

Andy

Best,
Andy

Salom_Idhogela · ‎2023-08-30

I have the same issue as well, I have assigned a per connection limit for each rule in the QoS blade however it seems not to be working. Did you manage to have it working in R81.20?

Regards,

Salom

the_rock · ‎2023-08-30

Sorry, been super busy, but can try today. Can you send how you configured it and I can give it a go as per same?

Andy

Best,
Andy

Salom_Idhogela · ‎2023-08-30

Please see attached.

the_rock · ‎2023-08-30

Sorry, just have to do some Fortigate lab stuff, but will test in a bit.

Andy

Best,
Andy

the_rock · ‎2023-08-30

Ok, I can multitask, so did below and works fine for me in R81.20

Andy

Best,
Andy

Salom_Idhogela · ‎2023-08-31

Thanks, I will log a TAC why it's not working on R81.10 before considering an upgrade to R81.20.

Regards,

Salom

Salom_Idhogela · ‎2023-09-01

I have managed to get it working on R81.10 per IP. See below screenshot

Jeffgo · ‎2025-06-05

@Salom_Idhogela What is your source,single or networks. what is your 'Number of guaranteed connections'.Thanks!

Salom_Idhogela · ‎2025-06-06

Source is network block, number of guaranteed connections is per IP.

Duane_Toler · ‎2023-08-30

QoS blade can work per-IP, but this is unreliable if your hosts are dynamically-assigned. However, AppControl/URLF blade will work for user identities via access roles.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

Are you a member of CheckMates?

QoS Bandwith Control per User/IP