
CP R80BC QoS AdminGuide


28 March 2016

Quality of Service

Pre-R80 Security Gateways with R80 Security Management

Administration Guide
Classification: [Protected]
© 2016 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Check Point R80
For more about this release, see the R80 home page
http://supportcontent.checkpoint.com/solutions?id=sk108623.

Latest Version of this Document


Download the latest version of this document
http://supportcontent.checkpoint.com/documentation_download?ID=46533.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:[email protected]?subject=Feedback on Quality of Service
Pre-R80 Security Gateways with R80 Security Management Administration Guide.

Searching in Multiple PDFs


To search for text in all the R80 PDF documents, download and extract the complete
R80 documentation package
http://supportcontent.checkpoint.com/documentation_download?ID=46577.
To search for all text in the R77 PDF documents, download and extract the R77
documentation package
http://supportcontent.checkpoint.com/documentation_download?ID=26770.
Use Shift-Control-F in Adobe Reader or Foxit reader.

Revision History
Date Description
28 March 2016 First release of this document
Contents
Important Information
About this Guide
Introduction to QoS
    Concurrent Sessions
    R80 SmartConsole Toolbars
    Opening the GUI Clients
    Workflow
    Features and Benefits
    QoS Policy Types
QoS Tutorial
    Deployment Scenario for this Tutorial
    Tutorial Workflow
    Installing the System Components
    Creating a New QoS Policy
    Configuring the Security Gateway
        Defining Interfaces on the Gateway
    Creating and Configuring Rules
        Creating New Rules
        Changing New Rule Properties
    Installing a QoS Policy
Managing QoS
    Defining QoS Global Properties
    Interface QoS Properties
    Working with QoS Policies
        Creating a New QoS Policy
        Opening an Existing QoS Policy
        Installing a QoS Policy
    Creating Rules
    Defining a DiffServ Class of Service
    Defining a DiffServ Class of Service Group
    Configuring an Interface for DiffServ
    Defining a Low Latency Class
    Configuring an Interface for Low Latency
    Authenticated QoS
Logs & Monitor
    Overview of Logging
    Confirming Rule is Logged
Index
CHAPTER 1

About this Guide


This guide explains how to manage backward compatible (R77.xx and lower) Security Gateways
with the R80 SmartConsole.
This guide shows only the updated procedures. To learn more about earlier features, see the R77
documentation http://supportcontent.checkpoint.com/documentation_download?ID=26770.

Quality of Service Administration Guide Pre-R80 Security Gateways with R80 Security Management | 5
CHAPTER 2

Introduction to QoS
In This Section:
• Concurrent Sessions
• R80 SmartConsole Toolbars
• Opening the GUI Clients
• Workflow
• Features and Benefits
• QoS Policy Types

Concurrent Sessions
More than one administrator can work with QoS Policies at the same time, each in a different
session. A locking mechanism prevents administrators from working on the same object at one
time. After you complete your work in a session, click Publish to make your changes available to
other sessions and administrators.

R80 SmartConsole Toolbars


Global Toolbar (top left of R80 SmartConsole)

   Description                                             Keyboard Shortcut
   The main R80 SmartConsole Menu
   The Objects menu. Also leads to the Object Explorer     Ctrl+E
   Install policy on managed gateways                      Ctrl+Shift+Enter

Navigation Toolbar (left side of R80 SmartConsole)

   Description                                             Keyboard Shortcut
   Gateway configuration view                              Ctrl+1
   Security Policies Access Control view,                  Ctrl+2
   Security Policies Threat Prevention view
   Logs & Monitor view                                     Ctrl+3
   Manage & Settings view - review and configure the       Ctrl+4
   Security Management Server settings

Command Line Interface Button (left bottom corner of R80 SmartConsole)

   Description                                             Keyboard Shortcut
   Open a command line interface for management            F9
   scripting and API

What's New Button (left bottom corner of R80 SmartConsole)

   Description
   Open a tour of the R80 SmartConsole

Objects and Validations Tabs (right side of R80 SmartConsole)

   Tab                 Description
   Objects             Manage security and network objects
   Validations         Validation warnings and errors

System Information Area (bottom of R80 SmartConsole)

   Area                Description
   Task List           Management activities, such as policy installation tasks
   Server Details      The IP address of the Security Management Server
   Connected Users     The administrators that are connected to the Security Management Server

Opening the GUI Clients


To open R80 SmartConsole, click R80 SmartConsole in the Windows Start menu.
SmartDashboard opens automatically when you open an existing QoS Policy, or after you create a
new QoS Policy. It is generally not necessary to open SmartDashboard manually.

To open SmartDashboard manually:


1. In R80 SmartConsole, open a QoS Policy: click Security Policies > Access Control > QoS.
2. In the QoS view, click Open QoS Policy in SmartDashboard.
SmartDashboard opens and the QoS view shows.


Workflow
This topic shows a high-level workflow for creating an effective QoS Policy.

Do these steps in R80 SmartConsole:


1. Enable QoS for each applicable Security Gateway.
2. Configure QoS Global Properties.
3. Create or change a QoS Policy ("Working with QoS Policies" on page 19).
4. Configure log collection and system monitoring for QoS.
5. Publish the changes.

Do these steps in SmartDashboard:


1. Define the gateway networks, services and other related objects.
2. Define QoS rules ("Creating Rules" on page 20) (basic and advanced).
3. Configure specialized QoS features:
a) Differentiated Services (DiffServ)
b) Low Latency Queuing
c) Authenticated QoS
d) Citrix ICA Applications

Go back to R80 SmartConsole to do these steps:


1. Publish the changes.
2. Install Policy.

Features and Benefits


QoS gives these features and benefits:
• Flexible QoS policies with weights, limits and guarantees
QoS lets you create basic policies that can be modified to include the Advanced QoS features
described in this section.
• Integration with the Security Gateway
The integration of an organization's security and bandwidth management policies enables
easier policy definition and system configuration. This lets you optimize network performance
for VPN and unencrypted traffic.
• Performance analysis
Monitor system performance with the Logs & Monitor features in R80 SmartConsole.
• Integrated DiffServ support
Add one or more Diffserv Classes of Service to the QoS Policy Rule Base.
• Integrated Low Latency Queuing
Define special classes of service for "delay sensitive" applications like voice and video to the
QoS Policy Rule Base.


• Integrated Citrix MetaFrame support


QoS solution for the Citrix ICA protocol.
• No need to deploy separate VPN, Firewall and QoS devices
QoS and Firewall share a common architecture and many core technology components.
User-defined network objects can be used in both solutions.
• Proactive management of network costs
QoS monitoring systems let you be proactive in managing your network and controlling
network costs.
• Support for end-to-end QoS for IP networks
QoS offers full support for end-to-end QoS for IP networks by distributing enforcement
throughout network hardware and software.
• CoreXL and SecureXL support
Packet acceleration.

QoS Policy Types


This release includes different QoS Policy types:
• Express - Quickly create basic QoS Policies
• Recommended - Create advanced Policies with the full set of QoS features
This table shows the difference between the Recommended and Express policy types.

Features                                 Recommended   Express   To learn more
Weights                                                          Weight
Limits (whole rule)                                              Limits
Authenticated QoS *                                              Authenticated QoS (on page 24)
Logging                                                          Overview of Logging (on page 26)
Accounting *
Support for UTM-1 Edge Gateways
Support for hardware acceleration
High Availability and Load Sharing
Guarantees (Per connection)                                      Guarantees
Limits (Per connection)                                          Limits
LLQ (controlling packet delay in QoS)                            Low Latency Queuing
DiffServ                                                         Differentiated Services (DiffServ)
Sub-rules
Matching by URI resources
Matching by DNS string
Matching Citrix ICA Applications *
SecureXL support
CoreXL support
SmartLSM clusters

* You must disable SecureXL and CoreXL before you can use this feature.

To select a QoS Policy type:


1. In R80 SmartConsole menu, click Manage policies.
2. In the Manage Policies window, click New or select an existing Policy and then click Edit.
3. Select QoS, and then select Recommended or Express.

CHAPTER 3

QoS Tutorial
In This Section:
• Deployment Scenario for this Tutorial
• Tutorial Workflow
• Installing the System Components
• Creating a New QoS Policy
• Configuring the Security Gateway
• Creating and Configuring Rules
• Installing a QoS Policy

This chapter includes a step-by-step guide for creating a sample deployment with a QoS Policy. We
recommend that you have a working knowledge of these Check Point products and concepts to
use this tutorial effectively:
• Security Gateways and management servers
• Security Policies and the Rule Base
• R80 SmartConsole and SmartDashboard
• Firewall and related Software Blades

Deployment Scenario for this Tutorial


Item Description
1 London - Security Gateway with QoS

2 Oxford - Security Management Server

3 Cambridge - R80 SmartConsole client

4 Local area network - Engineering and Marketing

5 Internet

6 DMZ with Web and FTP servers

This scenario is an organization with offices located in London, Oxford and Cambridge. The QoS
Security Gateway is in London and has three interfaces, one of which is connected to the Internet.
The Security Management Server is in Oxford and the R80 SmartConsole is in Cambridge. The
local network includes the Marketing and Engineering departments.

Tutorial Workflow
This tutorial is a simplified exercise that shows you how to do these QoS activities:
1. Install and configure the system components.
2. Create a new QoS Policy with R80 SmartConsole.
3. Select one of these QoS Policy types:
• Express - Quickly create basic QoS Policies.
• Recommended - Create advanced Policies with the full set of QoS features.
4. Configure the network objects used by QoS rules.
5. Configure specialized services for use in QoS rules.
6. Create QoS Policy rules.
7. Install the Policy on the Security Gateway.

Installing the System Components


To install and configure system components for this tutorial:
1. Enable QoS, Firewall, and other Software Blades on the London Security Gateway.
2. Install R80 Security Management Server on the Oxford server platform.
3. Install R80 SmartConsole on the Cambridge PC.
4. In R80 SmartConsole, define Cambridge as a trusted client.
5. In R80 SmartConsole, define the administrators who can manage the QoS Policy.
6. Make sure that there is SIC trust between the Oxford Security Management Server and the
London QoS Security Gateway.


Creating a New QoS Policy


To create a new policy:
1. In R80 SmartConsole, click Security Policies > Manage Policies tab > Create New Policy.
2. In the Policy window, enter the Policy name.
This name cannot:
• Use reserved words or spaces.
• Start with a number.
• Use these characters: %, #, ', &, *, !, @, ?, <, >, /, \, :
• End with these suffixes: .w, .pf, .W
3. Select QoS and then select a QoS Policy type:
• Express - Quickly create basic QoS Policies
• Recommended (default) - Create advanced Policies with the full set of QoS features
Note: Do not enable SecureXL or CoreXL with QoS Policies.
4. Click OK.
The system saves the new Policy and SmartDashboard opens automatically. You can start to
define your rules here.

Configuring the Security Gateway


Define these Network Objects:
• London, the Security Gateway on which the QoS is enabled
• Sub-networks for the Marketing and Engineering departments

To define the London Security Gateway:


1. In R80 SmartConsole, click Gateways & Servers.
2. Click New > Gateway > Classic Mode.
3. Configure these parameters in the General Properties window.
   Field                  Value                      Notes
   Name                   London                     This is the name by which the object is known on
                                                     the network. It is the response to the hostname
                                                     command.
   Platform               Select an appliance        The platform must be supported for R80.
                          type or Open Server
   SIC                    Click Communication        Establishes a secure communication channel
                                                     between the Security Gateway and the
                                                     management server.
   Version                R80
   OS                     Gaia
   IP Address             192.32.32.32               This is the interface associated with the host name
                                                     in the DNS. To get this, click Get Address.
                                                     For gateways, this should always be the IP address
                                                     of the external interface.
   Network Security Tab   Firewall and QoS

Defining Interfaces on the Gateway


In this step you configure each interface and its QoS properties.

To configure interface properties:


1. Click Network Management in the navigation tree.
2. Click Get Interfaces on the toolbar.
The interfaces show in the Network Management window.
3. Double-click each interface and configure parameters in the Interface > General view.
eth0
   Field               Value                         Notes
   Net Address         192.32.32.32
   Net Mask            255.255.255.0
   Topology Settings   Internet External             This interface connects to the Internet.
   (Click Modify)
   Anti-Spoofing       Perform Anti-Spoofing         Each incoming packet is examined to make
                       based on interface topology   sure that the source IP address is valid.
   Spoof Tracking      Log                           Log Anti-Spoofing events.

eth1
   Field               Value                         Notes
   Net Address         192.32.42.32
   Net Mask            255.255.255.0
   Topology Settings   Internet External             This interface connects to the Internet.
   (Click Modify)
   Anti-Spoofing       Perform Anti-Spoofing         Each incoming packet is examined to make
                       based on interface topology   sure that the source IP address is valid.
   Spoof Tracking      Log                           Log Anti-Spoofing events.

eth2
   Field               Value                         Notes
   Net Address         192.199.199.32
   Net Mask            255.255.255.0
   Topology Settings   Internet External             This interface connects to the Internet.
   (Click Modify)
   Anti-Spoofing       Perform Anti-Spoofing         Each incoming packet is examined to make
                       based on interface topology   sure that the source IP address is valid.
   Spoof Tracking      Log                           Log Anti-Spoofing events.

To configure interface QoS properties:


1. In the Interface window, click the QoS tab.
2. Select Inbound Active and Outbound Active.
3. Set Inbound Active and Outbound Active to 192000 - T1 (1.5 Mbps).

Creating and Configuring Rules


After you define your network objects and services, the next step is to create your QoS policy
rules. This tutorial shows you how to create two simple QoS rules. A new QoS Policy always
includes a Default Rule.

Creating New Rules


When you create a new QoS Policy, the system automatically adds a default rule, which must
always be the last rule in the Policy. Make sure that you add your new rules above the default rule.
Create these two rules: Web Rule and RealAudio Rule.
1. In SmartDashboard > QoS tab, select the default rule.
2. Click the Before current rule icon.
3. Enter Web Rule in the Rule Name window, and then click OK.
Do this procedure again for RealAudio Rule.

Changing New Rule Properties


The system automatically assigns the default parameters as defined in the Global Properties >
QoS to new rules. Use this procedure to change these rules to the values shown in the table
below.

Rule Name Source Destination Service Action


Web Rule Any Any HTTP Weight 35

RealAudio Rule Any Any RealAudio Weight 5

Default Any Any Any Weight 10


To change the properties in a rule:


1. In the QoS tab, right-click in the Service field of the Web Rule.
Select Add Objects, and then select HTTP from the list.
2. Double-click the Action field, and then change the Rule Weight (see "Defining QoS Global
Properties" on page 17) property to 35.
Do this procedure again for the RealAudio and Default rules.

Installing a QoS Policy


To install a QoS Policy:
1. In SmartDashboard, make changes to Policy rules and then click Update.
2. In R80 SmartConsole, click Install Policy.
3. From the Policy list, select the policy to install.
4. Click Policy Targets and select the Security Gateways that will get this Policy.
Note - By default, no gateways are selected for QoS. You must select them manually.
5. Click Install.
If the installation is successful, the new Policy is enforced by the Security Gateways on which it is
installed. If installation fails, do these steps to see the error messages:
1. Click the Task Information area, in the lower left-hand corner of R80 SmartConsole.
2. In the Recent Tasks area, click Details on the applicable error.
In the Install Policy Details window, click the ^ icon in the Status column to see the error
messages. You must resolve all errors before you can successfully install the Policy.

CHAPTER 4

Managing QoS
In This Section:
• Defining QoS Global Properties
• Interface QoS Properties
• Working with QoS Policies
• Creating Rules
• Defining a DiffServ Class of Service
• Defining a DiffServ Class of Service Group
• Configuring an Interface for DiffServ
• Defining a Low Latency Class
• Configuring an Interface for Low Latency
• Authenticated QoS

This chapter shows you how to configure and manage QoS. These procedures assume that you
have opened R80 SmartConsole, as described in Opening the GUI Clients (on page 7).

Defining QoS Global Properties


The QoS global properties include default values for QoS rule parameters, unit of measure, and
QoS authentication timeouts. Configure QoS global properties in R80 SmartConsole.
Note: You must close SmartDashboard before you can work with global properties.

To configure QoS Global Properties:


1. In R80 SmartConsole click Application Menu > Global properties > QoS.
2. In the Global Properties window, configure these parameters, or click Set Default to save the
default values.
Weight:
• Maximum weight of rule: The maximum weight that can be assigned to rules. The default
value is 1000, but can be changed to any number.
• Default weight of rule: The weight to be assigned in the Action column by default to new
rules, including new Default rules.
Rate:
• Unit of measure: The unit specified in QoS windows by default for transmission rates (for
example, Bps - Bytes per second).
Authenticated timeout for QoS:
• Authenticated IP expires after: If a user has been authenticated, all connections that are
opened within the specified time receive the guaranteed bandwidth connection. Any
connection opened after the specified time will be queried with the User Authority Server
(UAS) again.
• Non authenticated IP expires after: If a user has previously tried and failed to be
authenticated by the QoS Policy, then all connections that are opened within the specified
time will not receive the guaranteed bandwidth connection. This means that they will not
match that specific rule during that time.

• Unanswered queried IP expires after: The User Authority Server (UAS) database is queried
to see if a user's IP has been previously authenticated using Client Authentication or SSL.
Until an answer is received, connections from this user will be classified to the next
matching rule. If an answer is not received within the specified time, there will be another
query.
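
A minimal model of how the three timers above interact, added here as an illustration (it is not Check Point code). The class and function names, the timeout values and the 192.0.2.10 timeline are constructed for the example, and it assumes a state recorded for an IP stays valid up to and including its timeout.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    AUTHENTICATED = "authenticated"
    NOT_AUTHENTICATED = "not authenticated"
    QUERY_PENDING = "query pending"


class Decision(Enum):
    MATCH_RULE = "matches the authenticated rule"
    NEXT_RULE = "classified to the next matching rule"


@dataclass
class Entry:
    state: State
    since: float  # time (seconds) at which this state was recorded


class AuthQosCache:
    """Per-IP state driven by the three 'Authenticated timeout for QoS' values."""

    def __init__(self, auth_ttl, non_auth_ttl, unanswered_ttl):
        self.ttl = {
            State.AUTHENTICATED: auth_ttl,          # Authenticated IP expires after
            State.NOT_AUTHENTICATED: non_auth_ttl,  # Non authenticated IP expires after
            State.QUERY_PENDING: unanswered_ttl,    # Unanswered queried IP expires after
        }
        self.entries = {}   # ip -> Entry
        self.queries = []   # (time, ip) for every query sent to the UAS

    def on_connection(self, ip, now):
        """Classify a connection opened from `ip` at time `now`."""
        entry = self.entries.get(ip)
        if entry is not None and now - entry.since <= self.ttl[entry.state]:
            if entry.state is State.AUTHENTICATED:
                return Decision.MATCH_RULE
            # Failed authentication, or a query still waiting for its answer.
            return Decision.NEXT_RULE
        # Unknown IP or expired state: query the UAS and, until it answers,
        # classify the connection to the next matching rule.
        self.queries.append((now, ip))
        self.entries[ip] = Entry(State.QUERY_PENDING, now)
        return Decision.NEXT_RULE

    def on_uas_answer(self, ip, authenticated, now):
        """Record the UAS answer; its timer starts when the answer arrives."""
        state = State.AUTHENTICATED if authenticated else State.NOT_AUTHENTICATED
        self.entries[ip] = Entry(state, now)


IP = "192.0.2.10"  # constructed address (documentation range)

# Constructed timeline: ("conn", time, ip) or ("answer", time, ip, authenticated)
TIMELINE = [
    ("conn", 0, IP),             # unknown IP: first query
    ("answer", 2, IP, True),     # UAS: authenticated
    ("conn", 10, IP),            # inside the authenticated window
    ("conn", 600, IP),           # still inside it
    ("conn", 1000, IP),          # window expired: query again
    ("conn", 1030, IP),          # query still unanswered, inside its timer
    ("conn", 1070, IP),          # unanswered timer expired: another query
    ("answer", 1071, IP, False), # UAS: not authenticated
    ("conn", 1100, IP),          # inside the non-authenticated window
    ("conn", 1400, IP),          # window expired: query again
]


def replay(events, auth_ttl=900, non_auth_ttl=300, unanswered_ttl=60):
    """Replay events; return ([(time, Decision)], [(time, ip) of UAS queries])."""
    cache = AuthQosCache(auth_ttl, non_auth_ttl, unanswered_ttl)
    trace = []
    for kind, now, ip, *rest in events:
        if kind == "answer":
            cache.on_uas_answer(ip, rest[0], now)
        else:
            trace.append((now, cache.on_connection(ip, now)))
    return trace, cache.queries


if __name__ == "__main__":
    trace, queries = replay(TIMELINE)
    for now, decision in trace:
        print(f"t={now:>5}s  {decision.value}")
    print("UAS queries sent at:", [t for t, _ in queries])
```

Since the cached state is per IP address, the authenticated timeout bounds how long an address keeps matching the rule without a fresh UAS check.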

Interface QoS Properties


You must first define the network objects, that is, the Security Gateway and its interfaces on which
QoS controls traffic flow.
After defining the interfaces you can specify the QoS properties for those interfaces. This is done
in the QoS tab of the Interface Properties window. Defining the interface QoS properties involves
setting the Inbound and Outbound active transmission rates and specifying the Differentiated
Services (DiffServ) and Low Latency classes. You can change these definitions at any time.

Note - The QoS tab is only enabled for the interfaces of gateways that have QoS
selected on the General Properties page of the Security Gateway.

To configure Security Gateway interfaces:


1. Open R80 SmartConsole.
2. Click Gateways & Servers and double-click the applicable Security Gateway.
3. In the General Properties, click Network Management.
The Check Point Gateway - Topology window opens.
4. If a list of interfaces does not show, click Get Interface.
If you choose this method of configuring the Security Gateway, the topology fetched suggests
the external interface of the Security Gateway based on the QoS Security Gateway routing
table. You must make sure that this information is correct.
5. Double-click the appropriate interface.
6. In the Interface Properties window, click the QoS tab.
7. In the DiffServ and Low Latency classes area, you can specify the Differentiated Services
(DiffServ) and Low Latency Queuing classes to be used on the interface.
8. Click OK.
Changes to the interface QoS properties are saved.
Do steps 4 - 7 for each applicable interface.

Notes:
• Interfaces on the WAN side (or interfaces connected to a slower network) are typically defined
as active. On a gateway with only two interfaces, enable QoS only on the interface connected to
the WAN. If the gateway controls DMZ traffic, you can install QoS on the interface connected to
the DMZ.
• Select Inbound Active to control traffic on this interface in the inbound direction.
• From the Rate list, select or enter the available bandwidth in the inbound direction.
• Check Outbound Active to control traffic on this interface in the outbound direction.
• From the Rate list select or enter the available bandwidth in the outbound direction.
• Make sure that the rates correspond to the actual physical capacity of the interfaces. QoS
cannot make sure the defined rates are compatible with the interface hardware.
If the defined rate is less than the physical capacity, QoS uses only the specified capacity. Excess
capacity is not used. If the defined rate is greater than the physical capacity, QoS cannot control
traffic correctly.

Working with QoS Policies


A QoS Policy is an ordered set of QoS rules in the Rule Base. The Rule Base contains rules that you
create, and a default rule. The default rule is automatically created with the Rule Base. It can be
modified but cannot be deleted. The fundamental concept is that unless other rules apply, the
default rule is applied to all data packets. The default rule is therefore always the last rule in the
Rule Base.
The Rule Base specifies what actions are to be taken with the data packets. It specifies the source
and destination of the communication, what services can be used, at what times, whether to log
the connection and the logging level.
A QoS Rule Base is applied to specific gateways and interfaces. After you have created the Policy
and defined its QoS rules you must install it on the relevant QoS gateways.

Creating a New QoS Policy


To create a new policy:
1. In R80 SmartConsole, click Security Policies > Manage Policies tab > Create New Policy.
2. In the Policy window, enter the Policy name.
This name cannot:
• Use reserved words or spaces.
• Start with a number.
• Use these characters: %, #, ', &, *, !, @, ?, <, >, /, \, :
• End with these suffixes: .w, .pf, .W
3. Select QoS and then select a QoS Policy type:
• Express - Quickly create basic QoS Policies
• Recommended (default) - Create advanced Policies with the full set of QoS features
Note: Do not enable SecureXL or CoreXL with QoS Policies.
4. Click OK.
The system saves the new Policy and SmartDashboard opens automatically. You can start to
define your rules here.

Opening an Existing QoS Policy


To open an existing policy:
1. In R80 SmartConsole, click Security Policies > Manage Policies.
2. In the Manage Policies window, double-click a QoS Policy.
SmartDashboard opens.


Installing a QoS Policy


To install a QoS Policy:
1. In SmartDashboard, make changes to Policy rules and then click Update.
2. In R80 SmartConsole, click Install Policy.
3. From the Policy list, select the policy to install.
4. Click Policy Targets and select the Security Gateways that will get this Policy.
Note - By default, no gateways are selected for QoS. You must select them manually.
5. Click Install.
If the installation is successful, the new Policy is enforced by the Security Gateways on which it is
installed. If installation fails, do these steps to see the error messages:
1. Click the Task Information area, in the lower left-hand corner of R80 SmartConsole.
2. In the Recent Tasks area, click Details on the applicable error.
In the Install Policy Details window, click the ^ icon in the Status column to see the error
messages. You must resolve all errors before you can successfully install the Policy.

Creating Rules
You can change rule fields as often as you like until the rule is in the form that you require.
Configure the source and destination of each communication, the services that can be used (TCP,
Compound TCP, UDP, and ICMP), the actions to be taken with the data packets, whether to maintain a
log of the entries for the selected rule, and the interfaces of the QoS Security Gateway on which the
rule is enforced.

You work with rules in SmartDashboard. When you add rules, you can put the new rule anywhere
in the Rule Base except after the last rule. The Default Rule must always be at the bottom of the
Rule Base.

To create a new rule:


1. In the QoS tab, select the position where you want to add a new rule.
2. Add a new rule from the Rule menu, the toolbar, or right-click a name in the Name column of
a rule to display the Rule menu.
The Rule Name window opens.
3. Enter the name of the rule in the Rule Name field.
4. Click OK.
The rule is added to the Rule Base at the selected position, with the values defined in the QoS
page of the Global Properties window.

| To add a rule | Select from Menu |
|---|---|
| After the last rule | Rules > Add Rule > Bottom |
| Before the first rule | Rules > Add Rule > Top |
| After the current rule | Rules > Add Rule > Below |
| Before the current rule | Rules > Add Rule > Above |
| To the current rule | Rules > Add Sub-Rule |

Right-click a rule to use these menu commands:

| Menu Option | Explanation |
|---|---|
| Add Rule above | Adds a rule before the current rule. |
| Add Rule below | Adds a rule after the current rule. |
| Add Sub-Rule | Deletes the current rule. |
| Delete Rule | Deletes the current rule. |
| Copy Rule | Copies the current rule to the clipboard. |
| Cut Rule | Deletes the current rule and puts it in the clipboard. |
| Paste Rule | Pastes the rule in the clipboard (a sub-menu is displayed from which you can select whether to paste the rule above or below the current rule). |
| Add Class of Service | Specifies a Class of Service. A sub-menu is displayed from which you can select whether the Class of Service is to be added above or after the current rule. |
| Hide Rule | Hides the current rule. The rule is still part of the Rule Base and will be installed when the QoS Policy is installed. |
| Disable Rule | Disables the current rule. The rule appears in the Rule Base but is not enforced by the QoS Policy. |
| Rename Rule | Renames the current rule. |

Defining a DiffServ Class of Service


To define a DiffServ class of service:
1. From the SmartDashboard menu, select Manage > QoS > QoS Classes.
2. In the QoS Classes window, click New > DiffServ Class of Service.
3. In the Class of Service Properties window, configure these settings:
• Name - The name of the Class of Service.
• Comment - The text to be displayed when this class is selected in the QoS Classes window.
• Color - Select a color from the list.
• Type - Select a type from the list. You may select a predefined or user defined class.
• DiffServ code - This is a read-only field that displays the DiffServ marking as a bitmap.
4. Click OK.

Defining a DiffServ Class of Service Group


To define a DiffServ class of service group:
1. In SmartDashboard, click Manage > QoS > QoS Classes.
2. In the QoS Classes window, click New > DiffServ Class of Service Group.
3. In the Group Properties window, configure these properties:
• Name - The name of the group.
• Comment - The text to be displayed when this class is selected in the QoS Classes window.
• Color - Select a color from the list.
• To add a DiffServ class to the group, double-click a class in the Not in Group list.
• To delete a class from the group, double-click a class in the In Group list.
4. Click OK.

Configuring an Interface for DiffServ


Use these procedures to configure interfaces and to add a DiffServ class to an interface.

To configure an interface for DiffServ:


1. In R80 SmartConsole, go to Gateways & Servers.
2. Double-click the applicable Security Gateway.
3. In the Check Point Gateway window, click Network Management.
4. Double-click the applicable interface.
5. In the Interface window, click the QoS tab.
6. In the Diffserv and Low Latency classes section, click Add > DiffServ Classes > Others.
7. Select Inbound Active and/or Outbound Active and set the Rate properties.
8. In the Object Editor window, select a QoS Class from the list.
9. Select and configure these parameters for Inbound and/or Outbound traffic:
• Guaranteed bandwidth - The bandwidth guaranteed marked for priority. Make sure you do
not exceed this.
• Bandwidth Limit - The maximum bandwidth for this class.
Traffic volume greater than the Bandwidth Limit is marked for QoS priority.
Note: You must configure these properties for at least one traffic direction.
10. Click OK.


To add QoS Classes to the Rule Base:


1. Open SmartDashboard.
2. Do one of these actions:
• In the Name column of a QoS rule, click the rule, and then click Add Class of Service > Above.
• In a class header, right-click the header and then click Add Class of Service Above or Add
Class of Service Below.
3. Select a class from the list, and then click OK.
The DiffServ class header shows in the Rule Base. If this is the first defined class, the
Best_Effort header shows directly below the new DiffServ class header.
4. Follow the steps in the next sections to define the class properties.

Defining a Low Latency Class


To define a Low Latency class:
1. In SmartDashboard select Manage > QoS > QoS Classes.
2. In the QoS Classes window, click New > Low Latency Class of Service.
3. In the Class of Service Properties window, configure these class properties:
• Name - The name of the Class of Service.
• Comment - The text to be displayed when this class is selected in the QoS Classes window.
• Color - Select a color from the list.
• Type - Select a type from the list.
4. Click OK.

Configuring an Interface for Low Latency


Use these procedures to configure interfaces to use a Low Latency or DiffServ Expedited
Forwarding class.

To configure an interface for Low Latency:


1. Make sure that SmartDashboard is closed.
2. In R80 SmartConsole, go to Gateways & Servers.
3. Double-click the applicable Security Gateway.
4. In the Check Point Gateway window, click Network Management.
5. Double-click the applicable interface.
6. In the Interface window, click the QoS tab.
7. Select Inbound Active and/or Outbound Active and set the Rate properties.
8. In the Diffserv and Low Latency classes section, click Add > Low Latency Classes.
9. In the Low Latency QoS window, select a class from the list.
10. Select Inbound Active and/or Outbound Active.
Note: You must set at least one traffic direction to Active.


11. Configure these Low Latency properties:


• Constant Bit Rate - The constant bit rate at which packets of this class will be transmitted.
• Maximal Delay - The maximum delay allowed for packets of this class. Packets that exceed
this value are dropped.
Note: To configure an Expedited Forwarding interface to work as a DiffServ interface, set
the Maximal Delay property to 99999.
Do these steps for each applicable interface on a Security Gateway.

Authenticated QoS
Check Point Authenticated QoS gives Quality of Service (QoS) for end-users in dynamic IP
environments, such as remote access and DHCP environments. This lets priority users, such as
corporate CEOs, receive priority service when remotely connecting to corporate resources.
Authenticated QoS dynamically prioritizes end-users, based on information gathered during
network or VPN authentication. The feature leverages Check Point UserAuthority technology to
classify both inbound and outbound user connections. The User Authority Server (UAS) maintains
a list of authenticated users. When you query the UAS, QoS retrieves the data and allocates
bandwidth accordingly.
QoS supports Client Authentication, Encrypted Client Authentication, and
SecuRemote/SecureClient Authentication. User and Session Authentication are not supported.
Note - Authenticated QoS is available for backward compatibility, but only works in QoS policy
mode and does not support CoreXL or SecureXL acceleration technologies.

To apply Authenticated QoS in a rule:


1. Make sure that the UAS package is installed on the Security Gateway that does Authenticated
QoS.
2. Make sure that the User Authority Server option under Check Point Products Installed is
selected on the Security Gateway on which you are installing the policy.
3. Open SmartDashboard.
4. Create a group in Manage > Users > New > Group.
5. In the Group Properties window, add all the priority users.
6. Create a rule.
7. In the Source column, right-click and select Add object > Add legacy user access.
Note - To minimize the resources taken up by Authenticated QoS, it is recommended that
Authenticated QoS rules refer to specific services, and unless absolutely necessary, you should
not include Any in the Service field.
8. Install the policy.
For example, if the CEO of your company is in a remote location and wants to access his email
without waiting too long, create a rule like this:

| Rule Name | Source | Destination | Service | Action |
|---|---|---|---|---|
| CEO | CEO@localnet | Any | Pop-3 | Weight 10, Guarantee 50,000 Bps |


Notes -
• The user must be authenticated in the UAS, for the QoS policy to be enforced.
• Policy-wide properties for Authenticated QoS can be defined in the QoS page of the Global
Properties window.

CHAPTER 5

Logs & Monitor


In This Section:
Overview of Logging
Confirming Rule is Logged

This chapter shows you how to configure rules to create logs for specified conditions. You can use
the powerful Logs & Monitor features in R80 SmartConsole to see logs and to monitor the
effectiveness of QoS Policies.

Overview of Logging
These events are logged. The table below describes features unique to event logs.
Non-Accounting Log Events

| Log Event | Data Returned | Presentation | Policy Mode |
|---|---|---|---|
| Connection Reject: QoS rejects a connection when the number of guaranteed connections is exceeded and/or when you have configured the system not to accept additional connections. | The name of the matching rule on account of which the connection was rejected. | Generated as a reject log. Unified with the initial connection log. | Recommended policy only. |
| Running Out of Packet Buffers: One of the interface-direction's packet buffers is exhausted. A report is generated a maximum of once per 12 hours. | A string explaining the nature of the problem and the size of the relevant pool. | New log record created each time a global problem is reported. | Recommended policy only. |
| LLQ Packet Drop: When a packet is dropped from an LLQ connection. A report is generated a maximum of once per 5 minutes. | Logged data: number of bytes dropped due to delay expiration; average packet delay; jitter (maximum delay difference between two consecutive packets). | Unified with the initial connection log. | Recommended policy only. |

The next table describes the features unique to accounting logs.


Explaining the Accounting Log

| Logged | Data Returned | Policy Mode |
|---|---|---|
| General Statistics: The total bytes transmitted through QoS for each relevant interface and direction. | Inbound and outbound bytes transmitted by QoS. | Recommended and Express policies. |
| Drop Policy Statistics | Total bytes dropped from the connection as a result of the QoS policy; count of the bytes dropped from the connection because the maximum used memory fragments for a single connection was exceeded. | Recommended policy mode only. |
| LLQ Statistics: Statistics about the LLQ connection. | Logged data: number of bytes dropped due to delay expiration; average packet delay; jitter (maximum delay difference between two consecutive packets). | Recommended policy mode only. |
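
The three LLQ values in the tables above can be worked through on a small trace to see how the Constant Bit Rate and Maximal Delay settings of a Low Latency class interact. This Python code is an added example, not Check Point code: it models the class as a single FIFO queue drained at the Constant Bit Rate, and the function name, the millisecond and bytes-per-second units, and the choice to compute average delay and jitter over delivered packets only are assumptions.

```python
from dataclasses import dataclass


@dataclass
class LLQStats:
    delivered: int        # packets sent within Maximal Delay
    bytes_dropped: int    # "Number of bytes dropped due to delay expiration"
    avg_delay_ms: float   # "Average packet delay" (delivered packets only: assumption)
    jitter_ms: float      # max delay difference between two consecutive packets


def simulate_llq(packets, cbr_bytes_per_s, max_delay_ms):
    """Model one LLQ class as a FIFO queue drained at the Constant Bit Rate.

    packets: (arrival_ms, size_bytes) tuples sorted by arrival time.
    A packet whose queueing + transmission delay would exceed max_delay_ms
    is dropped and consumes no bandwidth.
    """
    if cbr_bytes_per_s <= 0:
        raise ValueError("Constant Bit Rate must be positive")
    free_at = 0.0          # time (ms) at which earlier packets finish sending
    delays, dropped = [], 0
    for arrival_ms, size in packets:
        start = max(arrival_ms, free_at)
        tx_ms = size * 1000.0 / cbr_bytes_per_s
        delay = start + tx_ms - arrival_ms
        if delay > max_delay_ms:
            dropped += size            # delay expiration: packet is discarded
            continue
        free_at = start + tx_ms
        delays.append(delay)
    avg = sum(delays) / len(delays) if delays else 0.0
    jitter = max((abs(b - a) for a, b in zip(delays, delays[1:])), default=0.0)
    return LLQStats(len(delays), dropped, avg, jitter)


# Constructed trace: 200-byte packets every 20 ms, with a 4-packet burst at t=60 ms.
TRACE = [(0, 200), (20, 200), (40, 200),
         (60, 200), (60, 200), (60, 200), (60, 200),
         (120, 200)]

if __name__ == "__main__":
    # A CBR of 20,000 bytes/s sends one 200-byte packet in 10 ms.
    print(simulate_llq(TRACE, cbr_bytes_per_s=20_000, max_delay_ms=30))
    # With a very large Maximal Delay nothing expires; delay and jitter grow instead.
    print(simulate_llq(TRACE, cbr_bytes_per_s=20_000, max_delay_ms=99_999))
```

In this model the burst costs one dropped packet at a Maximal Delay of 30 ms, while the large Maximal Delay trades that drop for higher average delay and jitter.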

These conditions must be met for a connection to be logged:


• The QoS logging checkbox must be selected in the Gateway Properties - Additional Logging
Configuration window. (By default this is automatically selected.)
• The connection's matching rule must be marked with either Log or Account in the Track field
of the rule.

Confirming Rule is Logged


1. In SmartDashboard, select the rule whose connection will be logged.
2. Confirm that either Log or Account appears in the Track field.
