Check Point QoS. Administration Guide Version NGX R65




Check Point QoS Administration Guide
Version NGX R65
700726
January 2007

© 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: © 2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
  Who Should Use This Guide... 10
  Summary of Contents... 11
    Appendices... 11
  Related Documentation... 12
  More Information... 15
  Feedback... 16

Chapter 1 Overview
  What is Quality of Service... 18
  Internet Bandwidth Management Technologies... 19
    Overview... 19
    Superior QoS Solution Requirements... 19
    Benefits of a Policy-Based Solution... 20
  How Does Check Point Deliver QoS... 21
  Features and Benefits... 23
  Traditional Check Point QoS vs. Check Point QoS Express... 24
  Workflow... 26

Chapter 2 Introduction to Check Point QoS
  Check Point QoS's Innovative Technology... 30
    Technology Overview... 31
  Check Point QoS Architecture... 33
    Basic Architecture... 33
    Check Point QoS Configuration... 35
    Concurrent Sessions... 38
  Interaction with VPN-1 Pro and VPN-1 Net... 39
    Interoperability... 39

Chapter 3 Basic QoS Policy Management
  Overview... 42
  Rule Base Management... 43
    Overview... 43
    Connection Classification... 44
    Network Objects... 44
    Services and Resources... 45
    Time Objects... 45
    Bandwidth Allocation and Rules... 45
    Default Rule... 47
    QoS Action Properties... 47
    Example of a Rule Matching VPN Traffic... 48
    Bandwidth Allocation and Sub-Rules... 49
  Implementing the Rule Base... 51
    To Verify and View the QoS Policy... 51
    To Install and Enforce the Policy... 51
    To Uninstall the QoS Policy... 52
    To Monitor the QoS Policy... 52

Chapter 4 Check Point QoS Tutorial
  Introduction... 54
  Building and Installing a QoS Policy... 56
    Step 1: Installing Check Point Modules... 57
    Step 2: Starting SmartDashboard... 57
      To Start SmartDashboard... 58
    Step 3: Determining QoS Policy... 61
    Step 4: Defining the Network Objects... 61
      To Define the Gateway London... 62
      To Define the Interfaces on Gateway London... 66
      To Define the QoS Properties for the Interfaces on Gateway London... 72
    Step 5: Defining the Services... 73
    Step 6: Creating a Rule Base... 73
      To Create a New Policy Package... 74
      To Create New Rules... 75
      To Modify New Rules... 76
    Step 7: Installing a QoS Policy... 82
  Conclusion... 84

Chapter 5 Advanced QoS Policy Management
  Overview... 86
  Examples: Guarantees and Limits... 87
    Per Rule Guarantees... 87
    Per Connections Guarantees... 90
    Limits... 91
    Guarantee - Limit Interaction... 91
  Differentiated Services (DiffServ)... 93
    Overview... 93
    DiffServ Markings for IPSec Packets... 93
    Interaction Between DiffServ Rules and Other Rules... 94
  Low Latency Queuing... 95
    Overview... 95
    Low Latency Classes... 95
    Interaction between Low Latency and Other Rule Properties... 100
    When to Use Low Latency Queuing... 101
    Low Latency versus DiffServ... 102
  Authenticated QoS... 103
  Citrix MetaFrame Support... 104
    Overview... 104
    Limitations... 105
  Load Sharing... 106
    Overview... 106
    Check Point QoS Cluster Infrastructure... 107

Chapter 6 Managing Check Point QoS
  Defining QoS Global Properties... 112
    To Modify the QoS Global Properties... 112
  Specifying Interface QoS Properties... 114
    To Define the Interface QoS Properties... 114
  Editing QoS Rule Bases... 118
    To Create a New Policy Package... 118
    To Open an Existing Policy Package... 119
    To Add a Rule... 119
    To Rename a Rule... 121
    To Copy, Cut or Paste a Rule... 121
    To Delete a Rule... 122
  Modifying Rules... 123
    Modifying Sources in a Rule... 123
    Modifying Destinations in a Rule... 126
    Modifying Services in a Rule... 128
    Modifying Rule Actions... 130
    Modifying Tracking for a Rule... 135
    Modifying Install On for a Rule... 135
    Modifying Time in a Rule... 138
    Adding Comments to a Rule... 140
  Defining Sub-Rules... 142
  Working with Differentiated Services (DiffServ)... 144
    To Define a DiffServ Class of Service... 145
    To Define a DiffServ Class of Service Group... 146
    To Add QoS Class Properties for Expedited Forwarding... 147
    To Add QoS Class Properties for Non Expedited Forwarding... 148
  Working with Low Latency Classes... 150
    To Implement Low Latency Queuing... 150
    To Define Low Latency Classes of Service... 151
    To Define Class of Service Properties for Low Latency Queuing... 151
  Working with Authenticated QoS... 153
    To Use Authenticated QoS... 153
  Managing QoS for Citrix ICA Applications... 155
    Disabling Session Sharing... 155
    Modifying your Security Policy... 156
    Discovering Citrix ICA Application Names... 157
    Defining a New Citrix TCP Service... 160
    Adding a Citrix TCP Service to a Rule (Traditional Mode Only)... 161
    Installing the Security and QoS Policies... 161
  Managing QoS for Citrix Printing... 162
    Configuring a Citrix Printing Rule (Traditional Mode Only)... 162
  Configuring Check Point QoS Topology... 163
  Viewing the Check Point QoS Modules Status... 164
    To Display the Status of Check Point QoS Modules Controlled by the SmartCenter Server... 164
  Enabling Log Collection... 165
    To Turn on QoS Logging... 165
    To Confirm that the Rule is Marked for Logging... 166
    To Start SmartView Tracker... 167

Chapter 7 SmartView Tracker
  Overview of Logging... 170
  Examples of Log Events... 174
    Connection Reject Log... 174
    LLQ Drop Log... 174
    Pool Exceeded Log... 175
  Examples of Account Statistics Logs... 177
    General Statistics Data... 177
    Drop Policy Statistics Data... 178
    LLQ Statistics Data... 178

Chapter 8 Command Line Interface
  Check Point QoS Commands... 180
    Setup... 181
    fgate Menu... 182
    Control... 183
    Monitor... 185
    Utilities... 187

Chapter 9 Check Point QoS FAQ (Frequently Asked Questions)
  Questions and Answers... 190
    Introduction... 190
    Check Point QoS Basics... 191
    Other Check Point Products - Support and Management... 194
    Policy Creation... 195
    Capacity Planning... 196
    Protocol Support... 197
    Installation/Backward Compatibility/Licensing/Versions... 198
    How do I?... 198
    General Issues... 199

Chapter 10 Deploying Check Point QoS
  Deploying Check Point QoS... 202
    Check Point QoS Topology Restrictions... 202
    Sample Bandwidth Allocations... 204
    Frame Relay Network... 204

Appendix A Debug Flags
  fw ctl debug -m FG-1 Error Codes for Check Point QoS... 208

Index... 217

Preface

In This Chapter
  Who Should Use This Guide  page 10
  Summary of Contents  page 11
  Related Documentation  page 12
  More Information  page 15
  Feedback  page 16

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of:
- System administration.
- The underlying operating system.
- Internet protocols (IP, TCP, UDP etc.).

Summary of Contents

This guide describes QoS components and contains the following chapters and appendices.

Table A-1
- Chapter 1, Overview: presents an overview of Quality of Service and how it is delivered by Check Point QoS.
- Chapter 2, Introduction to Check Point QoS: presents an overview of QoS, including technologies and architecture.
- Chapter 3, Basic QoS Policy Management: describes how to manage a basic FloodGate-1 QoS Policy Rule Base.
- Chapter 4, Check Point QoS Tutorial: is a short tutorial describing how to define a QoS Policy.
- Chapter 5, Advanced QoS Policy Management: describes the more advanced policy management features of Check Point QoS that enable you to refine basic QoS policies.
- Chapter 6, Managing Check Point QoS: describes how to manage QoS, including modifying and changing policies and rules.
- Chapter 7, SmartView Tracker: describes the features and tools that are available for monitoring Check Point QoS.
- Chapter 8, Command Line Interface: discusses how to work with Check Point QoS via the Command Line.
- Chapter 9, Check Point QoS FAQ (Frequently Asked Questions): a compilation of frequently asked questions and their answers.
- Chapter 10, Deploying Check Point QoS: describes how to deploy Check Point QoS and provides sample bandwidth allocations.

Appendices

This guide contains the following appendices:

Table A-2
- Appendix A, Debug Flags: contains a list of debugging error codes.

Related Documentation

The NGX R65 release includes the following documentation.

TABLE P-1 VPN-1 Power documentation suite
- Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What's New, Licenses, Minimum hardware and software requirements, etc.
- Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
- SmartCenter Administration Guide: Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints.
- Firewall and SmartDefense Administration Guide: Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.
- Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
- Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
- SecurePlatform / SecurePlatform Pro Administration Guide: Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.
- Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

TABLE P-2 Integrity Server documentation
- Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.
- Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
- Integrity Advanced Server Administrator Guide: Explains how to manage administrators and endpoint security with Integrity Advanced Server.
- Integrity Advanced Server Gateway Integration Guide: Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.
- Integrity Advanced Server System Requirements: Provides information about client and server requirements.
- Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.
- Integrity XML Policy Reference Guide: Provides the contents of Integrity client XML policy files.
- Integrity Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.

More Information

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.

See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com

Chapter 1
Overview

In This Chapter
  What is Quality of Service  page 18
  Internet Bandwidth Management Technologies  page 19
  How Does Check Point Deliver QoS  page 21
  Features and Benefits  page 23
  Traditional Check Point QoS vs. Check Point QoS Express  page 24
  Workflow  page 26

What is Quality of Service

Quality of Service is a set of intelligent network protocols and services that are used to efficiently manage the movement of information through local or wide area networks. QoS services sort and classify flows into different traffic classes, and allocate resources to network traffic flows based on user or application ID, source or destination IP address, time of day, application specific parameters, and other user-specified variables.

Fundamentally, QoS enables you to provide better service to certain flows. This is done by either raising the priority of a flow or limiting the priority of another flow.

Internet Bandwidth Management Technologies

In This Section
  Overview  page 19
  Superior QoS Solution Requirements  page 19
  Benefits of a Policy-Based Solution  page 20

Overview

When you connect your network to the Internet, it is most important to make efficient use of the available bandwidth. An effective bandwidth management policy ensures that even at times of network congestion, bandwidth is allocated in accordance with enterprise priorities.

In the past, network bandwidth problems have been addressed either by adding more bandwidth (an expensive and usually short-term solution) or by router queuing, which is ineffective for complex modern Internet protocols.

Superior QoS Solution Requirements

In order to provide effective bandwidth management, a bandwidth management tool must track and control the flow of communication passing through, based on information derived from all communication layers and from other applications. An effective bandwidth management tool must address all of the following issues:

Fair Prioritization
It is not sufficient to simply prioritize communications, for example, to specify a higher priority for HTTP than for SMTP. The result may well be that all bandwidth resources are allocated to one service and none to another. A bandwidth management tool must be able to divide the available resources so that more important services are allocated more bandwidth, but all services are allocated some bandwidth.

Minimum Bandwidth
A bandwidth management tool must be able to guarantee a service's minimum required bandwidth. It must also be able to allocate bandwidth preferentially, for example, to move a company's video conference to the head of the line in preference to all other Internet traffic.

Classification
A bandwidth management tool must be able to accurately classify communications. However, simply examining a packet in isolation does not provide all the information needed to make an informed decision. State information derived from past communications and other applications is also required. A packet's contents, the communication state and the application state (derived from other applications) must all be considered when making control decisions.

Benefits of a Policy-Based Solution

Based on the principles discussed in the previous section, there are basically three ways to improve the existing best-effort service that enterprise networks and ISPs deliver today:
- Add more bandwidth to the network.
- Prioritize network traffic at the edges of the network.
- Guarantee QoS by enforcing a set of policies that are based on business priorities (policy-based network management) throughout the network.

Of these, only policy-based network management provides a comprehensive QoS solution by:
- Using policies to determine the level of service that applications or customers need.
- Prioritizing network requests.
- Guaranteeing levels of service.

How Does Check Point Deliver QoS

Check Point QoS (previously called FloodGate-1), a policy-based QoS management solution from Check Point Software Technologies Ltd., satisfies your needs for a bandwidth management solution. Check Point QoS is a unique, software-only based application that manages traffic end-to-end across networks, by distributing enforcement throughout network hardware and software.

Check Point QoS enables you to prioritize business-critical traffic, such as ERP, database and Web services traffic, over less time-critical traffic. Check Point QoS allows you to guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing. With highly granular controls, Check Point QoS also enables guaranteed or priority access to specific employees, even if they are remotely accessing network resources through a VPN tunnel.

Check Point QoS is deployed with VPN-1 Pro. These integrated solutions provide QoS for both VPN and unencrypted traffic to maximize the benefit of a secure, reliable, low-cost VPN network.

Figure 1-1 Check Point QoS Deployment

Check Point QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check Point-patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic. This state information is used to classify traffic by service or application. After a packet has been classified, Check Point QoS applies QoS to the packet by means of an innovative, hierarchical, Weighted Fair Queuing (WFQ) algorithm to precisely control bandwidth allocation.

Features and Benefits

Check Point QoS provides the following features and benefits:
- Flexible QoS policies with weights, limits and guarantees: Check Point QoS enables you to develop basic policies specific to your requirements. These basic policies can be modified at any time to incorporate any of the Advanced Check Point QoS features described in this section.
- Integration with VPN-1 Power or VPN-1 Net: optimize network performance for VPN and unencrypted traffic. The integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration.
- Performance analysis through SmartView Tracker: monitor the performance of your system by means of log entries recorded in SmartView Tracker.
- Integrated DiffServ support: add one or more DiffServ Classes of Service to the QoS Policy Rule Base.
- Integrated Low Latency Queuing: define special classes of service for delay-sensitive applications like voice and video to the QoS Policy Rule Base.
- Integrated Authenticated QoS: provide QoS for end-users in dynamic IP environments, such as remote access and DHCP environments.
- Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA protocol.
- No need to deploy separate VPN, Firewall and QoS devices: Check Point QoS and VPN-1 Power share a similar architecture and many core technology components, therefore users can utilize the same user-defined network objects in both solutions.
- Proactive management of network costs: Check Point QoS's monitoring systems enable you to be proactive in managing your network and thus controlling network costs.
- Support for end-to-end QoS for IP networks: Check Point QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.

Traditional Check Point QoS vs. Check Point QoS Express

Both Traditional and Express modes of Check Point QoS are included in every product installation. Express mode enables you to define basic policies quickly and easily and thus get up and running without delay. Traditional mode incorporates the more advanced features of Check Point QoS. You can specify whether you choose Traditional over Express or vice versa, each time you install a new policy.

Table 1-1 shows a comparative table of the features of the Traditional and Express modes of Check Point QoS.

Table 1-1 Check Point QoS Traditional Features vs. Check Point QoS Express Features

Feature                                           | Traditional | Express | Find out more...
--------------------------------------------------|-------------|---------|----------------------------------------
Weights                                           | *           | *       | Weight on page 45
Limits (whole rule)                               | *           | *       | Limits on page 46
Guarantees (whole rule)                           | *           | *       | Guarantees on page 46
Authenticated QoS                                 | *           |         | Authenticated QoS on page 103
Logging                                           | *           | *       | Overview of Logging on page 170
Accounting                                        | *           | *       |
Supported by VPN-1 UTM Edge Gateways              |             | *       | Check Point VPN-1 UTM Edge Management Solutions Administration Guide
Support of platforms and HW accelerator           | *           | *       |
High Availability and Load Sharing                | *           | *       |
Guarantee (Per connection)                        | *           |         | Per Connections Guarantees on page 90
Limit (Per connection)                            | *           |         | Limits on page 46
LLQ (controlling packet delay in Check Point QoS) | *           |         | Low Latency Queuing on page 95
DiffServ                                          | *           |         | Differentiated Services (DiffServ) on page 93
Sub-rules                                         | *           |         |
Matching by URI resources                         | *           |         |
Matching by DNS string                            | *           |         |
TCP Retransmission Detection Mechanism (RDED)     | *           |         |
Matching Citrix ICA Applications                  | *           |         |

Workflow

The following workflow shows both the basic and advanced steps that the System Administrator may follow in the installation, setup and operation of Check Point QoS:

Figure 1-2 Workflow Steps

1. Verify that Check Point QoS is installed on top of VPN-1 Pro or VPN-1 Net.
2. Start SmartDashboard. See Step 2: Starting SmartDashboard on page 57.
3. Define the Global Properties of Check Point QoS. See Defining QoS Global Properties on page 112.
4. Define the Check Point Gateway's network objects. See the SmartCenter Administration Guide.
5. Set up the basic rules and sub-rules governing the allocation of bandwidth to QoS flows on the network. See Editing QoS Rule Bases on page 118. After the basic rules have been defined, you may modify them to add any of the advanced features described in step 8.
6. Implement the Rule Base. See Implementing the Rule Base on page 51.
7. Enable log collection and monitor the system. See Enabling Log Collection on page 165.
8. Modify the rules defined in step 5 by adding any of the following advanced features:
   - DiffServ markings. See Working with Differentiated Services (DiffServ) on page 144.
   - Low Latency Queuing. See Working with Low Latency Classes on page 150.
   - Authenticated QoS. See Working with Authenticated QoS on page 153.
   - Citrix ICA applications. See Managing QoS for Citrix ICA Applications on page 155.


Chapter 2 Introduction to Check Point QoS

In This Chapter

  Check Point QoS's Innovative Technology     page 30
  Check Point QoS Architecture                page 33
  Interaction with VPN-1 Pro and VPN-1 Net    page 39

Check Point QoS's Innovative Technology

FloodGate-1 is a bandwidth management solution for Internet and Intranet gateways that enables network administrators to set bandwidth policies to solve or alleviate network problems such as bandwidth congestion at network access points. The overall mix of traffic is dynamically controlled by managing bandwidth usage for entire classes of traffic, as well as individual connections. FloodGate-1 controls both inbound and outbound traffic flows.

Network traffic can be classified by Internet service, source or destination IP address, Internet resource (for example, specific URL designators), user or traffic direction (inbound or outbound). A Check Point QoS Policy consists of rules that specify the weights, limits and guarantees that are applied to the different classifications of traffic. A rule can have multiple sub-rules, enabling an administrator to define highly granular bandwidth policies.

FloodGate-1 provides its real benefits when network lines become congested. Instead of allowing all traffic to flow arbitrarily, FloodGate-1 ensures that important traffic takes precedence over less important traffic, so that the enterprise can continue to function with minimum disruption despite network congestion. FloodGate-1 ensures that an enterprise makes the most efficient use of a congested network. FloodGate-1 is completely transparent to both users and applications.

FloodGate-1 implements four innovative technologies:

- Stateful Inspection: FloodGate-1 incorporates Check Point's patented Stateful Inspection technology to derive complete state and context information for all network traffic.
- Intelligent Queuing Engine: The traffic information derived by Stateful Inspection is used by FloodGate-1's Intelligent Queuing Engine (IQ Engine) to accurately classify traffic and place it in the proper transmission queue. The network traffic is then scheduled for transmission based on the QoS Policy. The IQ Engine includes an enhanced, hierarchical Weighted Fair Queuing (WFQ) algorithm to precisely control the allocation of available bandwidth and ensure efficient line utilization.
- WFRED (Weighted Flow Random Early Drop): FloodGate-1 makes use of WFRED, a mechanism for managing packet buffers that is transparent to the user and requires no pre-configuration.

- RDED (Retransmission Detection Early Drop): FloodGate-1 makes use of RDED, a mechanism for reducing the number of retransmits and retransmit storms. This Check Point mechanism drastically reduces retransmit counts, greatly improving the efficiency of the enterprise's existing lines.

The increased bandwidth that FloodGate-1 makes available to important applications comes at the expense of less important (or completely unimportant) applications. As a result, purchasing more bandwidth can be significantly delayed.

Technology Overview

FloodGate-1's four innovative technologies are discussed in more detail in this section.

Stateful Inspection

Employing Stateful Inspection technology, FloodGate-1 accesses and analyzes data derived from all communication layers. This state and context data is stored and updated dynamically, providing virtual session information for tracking both connection-oriented and connectionless protocols (for example, UDP-based applications). Cumulative data from the communication and application states, the network configuration and the bandwidth allocation rules is used to classify communications.

Stateful Inspection enables FloodGate-1 to parse URLs and set priority levels based on file types. For example, FloodGate-1 can identify HTTP file downloads with *.exe or *.zip extensions and allocate bandwidth accordingly.

Intelligent Queuing Engine

FloodGate-1 uses an enhanced WFQ algorithm to manage bandwidth allocation. A FloodGate-1 packet scheduler moves packets through a dynamically changing scheduling tree at different rates in accordance with the QoS Policy. High priority packets move through the scheduling tree more quickly than low priority packets.

Check Point QoS leverages TCP's throttling mechanism to automatically adjust bandwidth consumption per individual connection or per class of traffic. Traffic bursts are delayed and smoothed by FloodGate-1's packet scheduler, holding back the traffic and forcing the application to fit the traffic to the QoS Policy. By intelligently delaying traffic, the IQ Engine effectively controls the bandwidth of all IP traffic.

The preemptive IQ Engine responds immediately to changing traffic conditions and guarantees that high priority traffic always takes precedence over low priority traffic. Accurate bandwidth allocation is achieved even when there are large differences in the weighted priorities (for example 50:1). In addition, since packets are always available for immediate transmission, the IQ Engine provides precise bandwidth control for both inbound and outbound traffic, and ensures 100% bandwidth utilization during periods of congestion. In Traditional mode it also uses per connection queuing to ensure that every connection receives its fair share of bandwidth.

WFRED (Weighted Flow Random Early Drop)

WFRED is a mechanism for managing the packet buffers of FloodGate-1. WFRED does not need any preconfiguring. It adjusts automatically and dynamically to the situation and is transparent to the user.

Because the connection of a LAN to the WAN creates a bottleneck, packets that arrive from the LAN are queued before being transmitted to the WAN. When traffic in the LAN is very intense, queues may become full and packets may be dropped arbitrarily. Dropped packets may reduce the throughput of TCP connections and the quality of streaming media.

WFRED prevents FloodGate-1's buffers from being filled by sensing when traffic becomes intense and dropping packets selectively. The mechanism considers every connection separately, and drops packets according to the connection characteristics and the overall state of the buffer. Unlike mechanisms such as RED/WRED, which rely on the TOS byte in the IP header (which is seldom used), WFRED queries FloodGate-1 for the priority of the connection and uses that information. WFRED protects fragile connections from more aggressive ones, whether they are TCP or UDP, and always leaves some buffer space for new connections to open.

RDED (Retransmit Detect Early Drop)

TCP exhibits extreme inefficiency under certain bandwidth and latency conditions. For example, the bottleneck that results from the connection of a LAN to the WAN causes TCP to retransmit packets. RDED prevents these inefficiencies by detecting retransmits in TCP streams and preventing the transmission of redundant packets when multiple copies of a packet are concurrently queued on the same flow. The result is a dramatic reduction of retransmit counts and of positive-feedback retransmit loops. Implementing RDED requires the combination of intelligent queuing and full reconstruction of TCP streams, capabilities that exist together only in FloodGate-1.
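The situation RDED addresses can be illustrated with a small queue model. The following is an added example written for this page; it is not Check Point code and makes no claim about how FloodGate-1 implements RDED. It assumes a per-flow FIFO at the bottleneck, a flow key built from addresses and ports, fixed 1460-byte segments, and it ignores TCP sequence-number wrap-around. A segment whose bytes are already held, unsent, in the same flow's queue is treated as a redundant copy and dropped; a retransmission that arrives after the original has left the queue is forwarded, because the gateway cannot know whether the original reached the receiver.

```python
# Added example, not Check Point code: a model of RDED-style retransmit
# suppression at a bottleneck queue. A TCP segment whose byte range is already
# held, unsent, in the same flow's queue is a redundant copy and is dropped.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    flow: tuple      # (src_ip, src_port, dst_ip, dst_port); constructed flow key
    seq: int         # TCP sequence number of the first payload byte (no wrap-around modelled)
    length: int      # payload bytes


class RdedQueue:
    """Per-flow FIFO that refuses to hold two copies of the same TCP data.

    The sender's retransmission timer can fire while the original segment is
    still waiting at the congested LAN-to-WAN link. Forwarding the copy only
    adds load; the receiver would discard it as a duplicate anyway.
    """

    def __init__(self):
        self.queues = {}       # flow -> deque of Segment
        self.dropped = 0

    def enqueue(self, seg):
        q = self.queues.setdefault(seg.flow, deque())
        seg_end = seg.seq + seg.length
        for queued in q:
            if queued.seq <= seg.seq and seg_end <= queued.seq + queued.length:
                self.dropped += 1      # same bytes already queued: redundant copy
                return False
        q.append(seg)
        return True

    def dequeue(self, flow):
        q = self.queues.get(flow)
        return q.popleft() if q else None


def simulate():
    """Constructed scenario: three segments queue up, the sender's RTO fires,
    and the first segment is retransmitted twice, once while the original is
    still queued and once after it has been sent. Returns the observations."""
    flow = ("10.0.0.5", 40000, "192.0.2.10", 80)             # constructed flow
    q = RdedQueue()
    accepted = [q.enqueue(Segment(flow, s, 1460)) for s in (0, 1460, 2920)]
    retx_while_queued = q.enqueue(Segment(flow, 0, 1460))    # redundant: dropped
    first_out = q.dequeue(flow)                              # original seq 0 leaves
    retx_after_dequeue = q.enqueue(Segment(flow, 0, 1460))   # may be needed: kept
    return {
        "accepted": accepted,
        "retx_while_queued": retx_while_queued,
        "first_out_seq": first_out.seq,
        "retx_after_dequeue": retx_after_dequeue,
        "dropped": q.dropped,
        "queue_len": len(q.queues[flow]),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The check is deliberately conservative: only a segment fully covered by a queued one is dropped, so partial overlaps from a sender that changed its segment size are still forwarded.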

Check Point QoS Architecture

In This Section

  Basic Architecture               page 33
  Check Point QoS Architecture     page 33
  Check Point QoS Configuration    page 35

Basic Architecture

The architecture and flow control of Check Point QoS are similar to those of the Firewall. Check Point QoS has three components:

- SmartConsole
- SmartCenter Server
- Module

The components can be installed on one machine or in a distributed configuration on a number of machines.

The bandwidth policy is created using SmartDashboard. The policy is downloaded to the SmartCenter Server, where it is verified, and then downloaded to the QoS Modules using CPD (Check Point Daemon), which runs on both the Module and the SmartCenter Server. The QoS Module uses the Firewall chaining mechanism (see below) to receive, process and send packets. QoS uses a proprietary classifying and rule-matching infrastructure to examine a packet. Logging information is provided using the Firewall kernel API.

QoS Module

The major role of the QoS Module is to implement a QoS policy at network access points and control the flow of inbound and outbound traffic. It includes two main parts:

- QoS kernel driver
- QoS daemon

QoS Kernel Driver

The kernel driver is the heart of QoS operations. It is in the kernel driver that IP packets are examined, queued, scheduled and released, enabling QoS traffic control. Utilizing Firewall kernel module services, QoS functionality is part of the cookie chain, a Check Point infrastructure mechanism that allows modules to operate on each packet as it travels from the link layer (the machine's network card driver) to the network layer (its IP stack), or vice versa.

QoS Daemon (fgd50)

The QoS daemon is a user mode process used to perform tasks that are difficult to do in the kernel. It currently performs two tasks for the kernel (using traps):

- Resolving DNS names for the kernel (used for Rule Base matching).
- Resolving authenticated data for an IP address (using UserAuthority, again for Rule Base matching).

In a CPLS configuration, the daemon also updates the kernel on any change in the cluster status. For example, if a cluster member goes down, the daemon recalculates the relative loads of the modules and updates the kernel.

QoS SmartCenter Server

The QoS SmartCenter Server is an add-on to the SmartCenter Server (fwm). The SmartCenter Server, which is controlled by Check Point SmartConsole clients, provides general services to Check Point QoS and can issue QoS functions by running QoS command line utilities. It is used to configure the bandwidth policy and control QoS Modules. A single SmartCenter Server can control multiple QoS Modules running either on the same machine as the SmartCenter Server or on remote machines. The SmartCenter Server also manages the Check Point Log Repository and acts as a log server for SmartView Tracker. The SmartCenter Server is a user mode process that communicates with the Module using CPD.

QoS SmartConsole

The main SmartConsole application is Check Point SmartDashboard. By creating "bandwidth rules" in SmartDashboard, system administrators define the network QoS policy to be enforced by Check Point QoS. Other SmartConsole clients are SmartView Tracker, a log entry browser, and SmartView Status, which displays status information about active QoS Modules and their policies.

Figure 2-1 Basic Architecture - Check Point QoS Components

Check Point QoS in SmartDashboard

Check Point SmartDashboard is used to create and modify the QoS Policy and to define the network objects and services. If both VPN-1 Pro and Check Point QoS are licensed, each has its own tab in SmartDashboard.

Figure 2-2 QoS Rules in SmartDashboard

The QoS Policy rules are displayed both in the SmartDashboard Rule Base, on the right side of the window, and in the QoS tree, on the left (see Figure 2-2).

Check Point QoS Configuration

The SmartCenter Server and the QoS Module can be installed on the same machine or on two different machines. When they are installed on different machines, the configuration is known as distributed (see Figure 2-3).

Figure 2-3 Distributed FloodGate-1 Configuration

Figure 2-3 shows a distributed configuration, in which one management station (consisting of a SmartCenter Server and a SmartConsole) controls four QoS Modules, which in turn manage bandwidth allocation on three FloodGated lines. A single SmartCenter Server can control and monitor multiple QoS Modules. The QoS Module operates independently of the SmartCenter Server. QoS Modules can operate on additional Internet gateways and on interdepartmental gateways.

Client/Server Interaction

The SmartConsole and the SmartCenter Server can be installed on the same machine or on two different machines. When they are installed on two different machines, FloodGate-1 implements the Client/Server model, in which a SmartConsole controls a SmartCenter Server running on another workstation.

Figure 2-4 QoS Client/Server Configuration

In the configuration depicted in Figure 2-4, the functionality of the SmartCenter Server is divided between two workstations (Tower and Bridge). The SmartCenter Server, including the database, is on Tower. The SmartConsole is on Bridge. The user, working on Bridge, maintains the QoS Policy and database, which reside on Tower. The QoS Module on London enforces the QoS Policy on the FloodGated line.

The SmartCenter Server is started with the cpstart command, and must be running if you wish to use the SmartConsole on one of the client machines.

A SmartConsole can manage the Server (that is, run the SmartConsole to communicate with a SmartCenter Server) only if both the administrator running the SmartConsole and the machine on which the SmartConsole is running have been authorized to access the SmartCenter Server. In practice, this means that both of the following conditions must be met:

- The machine on which the client is running is listed in the $FWDIR/conf/gui-clients file. You can add or delete SmartConsole hosts using the Check Point configuration application (cpconfig).
- The administrator (user) running the GUI has been defined on the SmartCenter Server. You can add or delete administrators using the Check Point configuration application (cpconfig).

Concurrent Sessions

In order to prevent more than one administrator from modifying a QoS Policy at the same time, FloodGate-1 implements a locking mechanism. All but one open policy is Read Only.

Interaction with VPN-1 Pro and VPN-1 Net

In This Section

  Interoperability    page 39

Interoperability

FloodGate-1 must be installed together with VPN-1 Power or VPN-1 Net on the same system; it is installed on top of VPN-1 Power or VPN-1 Net. Because FloodGate-1 and VPN-1 Power or VPN-1 Net share a similar architecture and many core technology components, users can use the same user-defined network objects in both solutions. This integration of an organization's security and bandwidth management policies makes policy definition and system configuration easier. Both products can also share state table information, which provides efficient traffic inspection and enhanced product performance.

FloodGate-1's tight integration with VPN-1 Power or VPN-1 Net gives users that deploy the solutions in tandem the unique ability to define bandwidth allocation rules for encrypted and network-address-translated traffic.

SmartCenter Server

If FloodGate-1 is installed on a machine on which VPN-1 Power or VPN-1 Net is also installed, FloodGate-1 uses the VPN-1 Power or VPN-1 Net SmartCenter Server and shares the same objects database (network objects, services and resources) with VPN-1 Power or VPN-1 Net. Some types of objects have properties which are product specific. For example, a VPN-1 Power gateway has encryption properties which are not relevant to FloodGate-1, and a FloodGate-1 network interface has speed properties which are not relevant to VPN-1 Power.


Chapter 3 Basic QoS Policy Management

In This Chapter

  Overview                      page 42
  Rule Base Management          page 43
  Implementing the Rule Base    page 51

Overview

This chapter describes the basic QoS policy management that is required to enable you to define and implement a working QoS Rule Base. More advanced QoS policy management features are discussed in Chapter 5, Advanced QoS Policy Management.

Rule Base Management

In This Section

  Overview                                   page 43
  Connection Classification                  page 44
  Services and Resources                     page 45
  Time Objects                               page 45
  Bandwidth Allocation and Rules             page 45
  Default Rule                               page 47
  QoS Action Properties                      page 47
  Example of a Rule Matching VPN Traffic     page 48
  Bandwidth Allocation and Sub-Rules         page 49

Overview

QoS policy is implemented by defining an ordered set of rules in the Rule Base. The Rule Base specifies what actions are to be taken with the data packets. It specifies the source and destination of the communication, what services can be used and at what times, whether to log the connection, and the logging level.

The Rule Base comprises the rules you create and a default rule (see Default Rule on page 47). The default rule is automatically created with the Rule Base. It can be modified but cannot be deleted. The fundamental concept of the Rule Base is that unless other rules apply, the default rule is applied to all data packets. The default rule is therefore always the last rule in the Rule Base.

A very important aspect of Rule Base management is reviewing SmartView Tracker traffic logs; pay particular attention to this aspect of management.

Check Point QoS works by inspecting packets in a sequential manner. When Check Point QoS receives a packet belonging to a connection, it compares it against the first rule in the Rule Base, then the second, then the third, and so on. When it finds a rule that matches, it stops checking and applies that rule. If the matching rule has sub-rules, the packet is then compared against the first sub-rule, then the second, and so on until it finds a match. If the packet goes through all the rules or sub-rules without finding a match, the default rule or default sub-rule is applied. It is important to understand that the first rule that matches is applied to the packet, not the rule that best matches.
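The first-match walk described above, including sub-rules and the undeletable default rule at each level, can be modelled in a few lines. The following is an added example written for this page, not Check Point code: it matches only on IP source and destination networks and on a (protocol, port) service, leaves out user groups, domains and Time objects, and represents the default rule or default sub-rule as a rule flagged `default` that matches everything and must be last in its group. The sample rule base and connections are constructed for the example.

```python
# Added example, not Check Point code: a model of first-match Rule Base
# evaluation with sub-rules and an undeletable default rule at every level.
# Only IP-based Source/Destination and (protocol, port) Service criteria are
# modelled; user groups, domains and Time objects are left out.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass
class Rule:
    name: str
    src: list                 # networks in CIDR notation, or [ANY]
    dst: list                 # networks in CIDR notation, or [ANY]
    services: list            # (protocol, port) tuples, or [ANY]
    sub_rules: list = field(default_factory=list)
    default: bool = False     # default rule/sub-rule: matches everything, always last


def _member(value, members, test):
    return members == [ANY] or any(test(value, m) for m in members)


def _matches(rule, conn):
    src, dst, proto, port = conn
    in_net = lambda ip, net: ip_address(ip) in ip_network(net)
    return (_member(src, rule.src, in_net)
            and _member(dst, rule.dst, in_net)
            and _member((proto, port), rule.services, lambda a, b: a == b))


def classify(rule_base, conn):
    """Return the names of the rules applied to conn, outermost first.

    Rules are tried in order and the FIRST match wins, even if a later rule
    describes the connection more precisely. A matching rule with sub-rules
    hands the connection to its sub-rules, which are walked the same way.
    """
    if not rule_base or not rule_base[-1].default:
        raise ValueError("every rule base and sub-rule group ends with a default rule")
    for rule in rule_base:
        if rule.default or _matches(rule, conn):
            path = [rule.name]
            if rule.sub_rules:
                path += classify(rule.sub_rules, conn)
            return path
    raise AssertionError("unreachable: the default rule matches everything")


def build_sample_rule_base():
    """Constructed sample: a Web rule with sub-rules, then a Marketing rule."""
    web = Rule("Web", [ANY], [ANY], [("tcp", 80)], sub_rules=[
        Rule("Marketing web", ["10.1.1.0/24"], [ANY], [ANY]),
        Rule("Web default", [ANY], [ANY], [ANY], default=True),
    ])
    marketing = Rule("Marketing all", ["10.1.1.0/24"], [ANY], [ANY])
    return [web, marketing, Rule("Default", [ANY], [ANY], [ANY], default=True)]


if __name__ == "__main__":
    rb = build_sample_rule_base()
    for conn in [("10.1.1.5", "192.0.2.10", "tcp", 80),
                 ("10.1.1.5", "192.0.2.10", "udp", 53),
                 ("10.2.0.7", "192.0.2.10", "tcp", 80),
                 ("10.2.0.7", "192.0.2.10", "tcp", 443)]:
        print(conn, "->", " / ".join(classify(rb, conn)))
```

Note what happens to HTTP from 10.1.1.5: it lands in the Web rule's "Marketing web" sub-rule, not in "Marketing all", even though the latter names its source more precisely, because "Web" is matched first and the walk stops there.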

After you have defined your network objects, services and resources, you can use them in building a Rule Base. For installation instructions and instructions on building a Rule Base, see Editing QoS Rule Bases on page 118. The QoS Policy Rule Base concept is similar to the Security Policy Rule Base. General information about Policy Rule Bases can be found in the SmartCenter Administration Guide.

Figure 3-1 SmartDashboard Rule Base Window

Note - It is best to organize lists of objects (network objects and services) in groups rather than in long lists. Using groups gives you a better overview of your QoS Policy and leads to a more readable Rule Base. In addition, objects added to a group are automatically included in every rule that uses that group.

Connection Classification

A connection is classified according to four criteria:

- Source: A set of network objects, including specific computers, entire networks, user groups or domains.
- Destination: A set of network objects, including specific computers, entire networks or domains.
- Service: A set of IP services, TCP, UDP, ICMP or URLs.
- Time: Specified days or time periods.

Network Objects

Network objects serve as the sources and destinations that are defined in QoS Policy rules. The network objects that can be used in FloodGate-1 rules include workstations, networks, domains and groups.

Information about network objects can be found in the SmartCenter Administration Guide.

User Groups

Check Point QoS allows you to define User Groups that are comprised of predefined users. For example, all the users in the marketing department can be grouped together in a User Group called Marketing. When defining the Source of a rule you can then use this group, instead of adding individual users to the Source of the rule.

Services and Resources

FloodGate-1 allows you to define QoS rules not only based on the source and destination of each communication, but also according to the service requested. The services that can be used in FloodGate-1 rules include TCP, Compound TCP, UDP, ICMP, Citrix TCP and IP services. Resources can also be used in a FloodGate-1 Rule Base; for QoS they must be of type URI.

Time Objects

Check Point QoS allows you to define Time objects that are used in defining the time that a rule is operational. Time objects can be defined for specific times and/or for specific days. The days can further be divided into days of the month or specific days of the week.

Bandwidth Allocation and Rules

A rule can specify three factors to be applied to bandwidth allocation for classified connections: weight, guarantee and limit.

Weight

Weight is the relative portion of the available bandwidth that is allocated to a rule. To calculate what portion of the bandwidth the connections matched to a rule receive, use the following formula:

  this rule's portion = this rule's weight / total weight of all rules with open connections

For example, if this rule's weight is 12 and the total weight of all the rules under which connections are currently open is 120, then all the connections open under this rule together are allocated 12/120 (or 10%) of the available bandwidth. In practice, a rule may get more than the bandwidth allocated by this formula if other rules are not using their full allocation.

Unless a per connection limit or guarantee is defined for a rule, all connections under a rule receive equal weight.

Allocating bandwidth according to weights ensures full utilization of the line even if a specific class is not using all of its bandwidth. In such a case, the leftover bandwidth is divided among the remaining classes in accordance with their relative weights. Units are configurable; see Defining QoS Global Properties on page 112.

Guarantees

A guarantee allocates a minimum bandwidth to the connections matched with a rule. Guarantees can be defined for:

- the sum of all connections within a rule: A total rule guarantee reserves a minimum bandwidth for all the connections under a rule combined. The actual bandwidth allocated to each connection depends on the number of open connections that match the rule. The total bandwidth allocated to the rule can be no less than the guarantee, but the more connections that are open, the less bandwidth each one receives.
- individual connections within a rule: A per connection guarantee means that each connection that matches the particular rule is guaranteed a minimum bandwidth.

Although weights do in fact guarantee a bandwidth share for specific connections, only a guarantee allows you to specify an absolute bandwidth value.

Limits

A limit specifies the maximum bandwidth that is assigned to all the connections together. A limit defines a point beyond which connections under a rule are not allocated bandwidth, even if there is unused bandwidth available. Limits can also be defined for the sum of all connections within a rule or for individual connections within a rule.

For more information on weights, guarantees and limits, see Action Type on page 47.

Note - Bandwidth allocation is not fixed. As connections are opened and closed, FloodGate-1 continuously changes the bandwidth allocation to accommodate competing connections, in accordance with the QoS Policy.

Default Rule

A default rule is automatically added to each QoS Policy Rule Base, and assigned the weight specified in the QoS (FloodGate-1) page of the Global Properties window. You can modify the weight, but you cannot delete the default rule (see Weight on page 45). The default rule applies to all connections not matched by the other rules or sub-rules in the Rule Base. In addition, a default rule is automatically added to each group of sub-rules, and applies to connections not classified by the other sub-rules in the group (see To Verify and View the QoS Policy on page 51).

QoS Action Properties

In the QoS Action Properties window you can define bandwidth allocation properties, limits and guarantees for a rule.

Action Type

By this stage, you should already have decided whether your policy is in Traditional mode or Express mode; see Traditional Check Point QoS vs. Check Point QoS Express on page 24. You can select one of the following Action Types:

- Simple
- Advanced