Check Point QoS

Administration Guide

Version NGX R65

700726 March 2007

© 2003-2007 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
Who Should Use This Guide
Summary of Contents
Appendices
Related Documentation
More Information
Feedback

Chapter 1 Overview
What is Quality of Service
Internet Bandwidth Management Technologies
Overview
Superior QoS Solution Requirements
Benefits of a Policy-Based Solution
How Does Check Point Deliver QoS
Features and Benefits
Traditional Check Point QoS vs. Check Point QoS Express
Workflow

Chapter 2 Introduction to Check Point QoS
Check Point QoS’s Innovative Technology
Technology Overview
Check Point QoS Architecture
Basic Architecture
Check Point QoS Configuration
Concurrent Sessions
Interaction with VPN-1 Pro and VPN-1 Net
Interoperability

Chapter 3 Basic QoS Policy Management
Overview
Rule Base Management
Overview
Connection Classification
Network Objects
Services and Resources
Time Objects
Bandwidth Allocation and Rules
Default Rule
QoS Action Properties
Example of a Rule Matching VPN Traffic
Bandwidth Allocation and Sub-Rules
Implementing the Rule Base
To Verify and View the QoS Policy
To Install and Enforce the Policy
To Uninstall the QoS Policy
To Monitor the QoS Policy

Chapter 4 Check Point QoS Tutorial
Introduction
Building and Installing a QoS Policy
Step 1: Installing Check Point Modules
Step 2: Starting SmartDashboard
To Start SmartDashboard
Step 3: Determining QoS Policy
Step 4: Defining the Network Objects
To Define the Gateway London
To Define the Interfaces on Gateway London
To Define the QoS Properties for the Interfaces on Gateway London
Step 5: Defining the Services
Step 6: Creating a Rule Base
To Create a New Policy Package
To Create a New Rules
To Modify New Rules
Step 7: Installing a QoS Policy
Conclusion

Chapter 5 Advanced QoS Policy Management
Overview
Examples: Guarantees and Limits
Per Rule Guarantees
Per Connections Guarantees
Limits
Guarantee - Limit Interaction
Differentiated Services (DiffServ)
Overview
DiffServ Markings for IPSec Packets
Interaction Between DiffServ Rules and Other Rules
Low Latency Queuing
Overview
Low Latency Classes
Interaction between Low Latency and Other Rule Properties
When to Use Low Latency Queuing
Low Latency versus DiffServ
Authenticated QoS
Citrix MetaFrame Support
Overview
Limitations
Load Sharing
Overview
Check Point QoS Cluster Infrastructure

Chapter 6 Managing Check Point QoS
Defining QoS Global Properties
To Modify the QoS Global Properties
Specifying Interface QoS Properties
To Define the Interface QoS Properties
Editing QoS Rule Bases
To Create a New Policy Package
To Open an Existing Policy Package
To Add a Rule
To Rename a Rule
To Copy, Cut or Paste a Rule
To Delete a Rule
Modifying Rules
Modifying Sources in a Rule
Modifying Destinations in a Rule
Modifying Services in a Rule
Modifying Rule Actions
Modifying Tracking for a Rule
Modifying Install On for a Rule
Modifying Time in a Rule
Adding Comments to a Rule
Defining Sub-Rules
Working with Differentiated Services (DiffServ)
To Define a DiffServ Class of Service
To Define a DiffServ Class of Service Group
To Add QoS Class Properties for Expedited Forwarding
To Add QoS Class Properties for Non Expedited Forwarding
Working with Low Latency Classes
To Implement Low Latency Queuing
To Define Low Latency Classes of Service
To Define Class of Service Properties for Low Latency Queuing
Working with Authenticated QoS
To Use Authenticated QoS
Managing QoS for Citrix ICA Applications
Disabling Session Sharing
Modifying your Security Policy
Discovering Citrix ICA Application Names
Defining a New Citrix TCP Service
Adding a Citrix TCP Service to a Rule (Traditional Mode Only)
Installing the Security and QoS Policies
Managing QoS for Citrix Printing
Configuring a Citrix Printing Rule (Traditional Mode Only)
Configuring Check Point QoS Topology
Viewing the Check Point QoS Modules Status
To Display the Status of Check Point QoS Modules Controlled by the SmartCenter Server
Enabling Log Collection
To Turn on QoS Logging
To Confirm that the Rule is Marked for Logging
To Start SmartView Tracker

Chapter 7 SmartView Tracker
Overview of Logging
Examples of Log Events
Connection Reject Log
LLQ Drop Log
Pool Exceeded Log
Examples of Account Statistics Logs
General Statistics Data
Drop Policy Statistics Data
LLQ Statistics Data

Chapter 8 Command Line Interface
Check Point QoS Commands
Setup
fgate Menu
Control
Monitor
Utilities

Chapter 9 Check Point QoS FAQ (Frequently Asked Questions)
Questions and Answers
Introduction
Check Point QoS Basics
Other Check Point Products - Support and Management
Policy Creation
Capacity Planning
Protocol Support
Installation/Backward Compatibility/Licensing/Versions
How do I?
General Issues

Chapter 10 Deploying Check Point QoS
Deploying Check Point QoS
Check Point QoS Topology Restrictions
Sample Bandwidth Allocations
Frame Relay Network

Appendix A Debug Flags
fw ctl debug -m FG-1 Error Codes for Check Point QoS

Index

Preface

In This Chapter

• Who Should Use This Guide
• Summary of Contents
• Related Documentation
• More Information
• Feedback

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

This guide assumes a basic understanding of:

• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).

Summary of Contents

This guide describes QoS components and contains the following chapters and appendices.

Table A-1

| Chapter | Description |
|---|---|
| Chapter 1, “Overview” | presents an overview of Quality of Service and how it is delivered by Check Point QoS. |
| Chapter 2, “Introduction to Check Point QoS” | presents an overview of QoS, including technologies and architecture. |
| Chapter 3, “Basic QoS Policy Management” | describes how to manage a basic FloodGate-1 QoS Policy Rule Base. |
| Chapter 4, “Check Point QoS Tutorial” | is a short tutorial describing how to define a QoS Policy. |
| Chapter 5, “Advanced QoS Policy Management” | describes the more advanced policy management features of Check Point QoS that enable you to refine basic QoS policies. |
| Chapter 6, “Managing Check Point QoS” | describes how to manage QoS, including modifying and changing policies and rules. |
| Chapter 7, “SmartView Tracker” | describes the features and tools that are available for monitoring Check Point QoS. |
| Chapter 8, “Command Line Interface” | discusses how to work with Check Point QoS via the Command Line. |
| Chapter 9, “Check Point QoS FAQ (Frequently Asked Questions)” | is a compilation of frequently asked questions and their answers. |
| Chapter 10, “Deploying Check Point QoS” | describes how to deploy Check Point QoS and provides sample bandwidth allocations. |

Appendices

This guide contains the following appendices:

Table A-2

| Appendix | Description |
|---|---|
| Appendix A, “Debug Flags” | contains a list of debugging error codes. |

Related Documentation

The NGX R65 release includes the following documentation:

TABLE P-1 VPN-1 Power documentation suite

| Title | Description |
|---|---|
| Internet Security Product Suite Getting Started Guide | Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc. |
| Upgrade Guide | Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. |
| SmartCenter Administration Guide | Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. |
| Firewall and SmartDefense Administration Guide | Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. |
| Virtual Private Networks Administration Guide | This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure. |
| Eventia Reporter Administration Guide | Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. |
| SecurePlatform™/SecurePlatform Pro Administration Guide | Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols. |
| Provider-1/SiteManager-1 Administration Guide | Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments. |

TABLE P-2 Integrity Server documentation

| Title | Description |
|---|---|
| Integrity Advanced Server Installation Guide | Explains how to install, configure, and maintain the Integrity Advanced Server. |
| Integrity Advanced Server Administrator Console Reference | Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system. |
| Integrity Advanced Server Administrator Guide | Explains how to manage administrators and endpoint security with Integrity Advanced Server. |
| Integrity Advanced Server Gateway Integration Guide | Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package. |
| Integrity Advanced Server System Requirements | Provides information about client and server requirements. |
| Integrity Agent for Linux Installation and Configuration Guide | Explains how to install and configure Integrity Agent for Linux. |
| Integrity XML Policy Reference Guide | Provides the contents of Integrity client XML policy files. |
| Integrity Client Management Guide | Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior. |

More Information

• For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/.
• See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents
