Check Point FloodGate-1 Guide


Check Point FloodGate-1 Guide
NG FP3

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at

Part No.:
September 2002

Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR

TRADEMARKS: Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Appliance, VPN-1 Certificate Manager, VPN-1 Gateway, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES: Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust. Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty.

Copyright Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright 1998 The Open Group.

Check Point Software Technologies Ltd.
International Headquarters: 3A Jabotinsky Street, Ramat Gan 52520, Israel. Tel: Fax: info@checkpoint.com
U.S. Headquarters: Three Lagoon Drive, Suite 400, Redwood City, CA. Tel: ; (650) Fax: (650)

Please direct all comments regarding this publication to techwriters@checkpoint.com.

September 2002

Table of Contents

Preface

Chapter 1  Introduction to FloodGate-1
  Internet Bandwidth Management Technologies 19
    Overview 19
    FloodGate Requirements 19
  FloodGate-1's Innovative Technology 20
    Technology Overview 21
  Regular FloodGate-1 vs. FloodGate-1 Express 23
    FloodGate-1 Rule Base 25
  FloodGate-1 Architecture 27
    FloodGate-1 Components 27
    FloodGate-1 Configuration 29
    Concurrent Sessions 30
  Installing and Configuring FloodGate-1 30

Chapter 2  FloodGate-1 GUI
  FloodGate-1 Global Properties 31
  Interface Properties 33
  Editing a Rule Base 35
  Modifying a Rule 39
  Sub-Rules 52
  DiffServ 53
  Low Latency Classes 58
  Completing the Rule Base 61
  FloodGate Modules Status 63
  Enabling Log Collection 63

Chapter 3  QoS Policy Management
  Network Objects 67
  Services and Resources 67
  Rule Base Management 68
  Default Rule 68
  Matching VPN Traffic 69
  Simple or Advanced QoS 69
  Weights 70
  Guarantees 70
  Limits 71
  Bandwidth Allocation and Sub-Rules 71
  Using Guarantees and Limits 71
  Per Rule Guarantees 71
  Per Connections Guarantees 74
  Limits 75
  Guarantee - Limit Interaction 75
  Diffserv 76
  DiffServ Markings for IPSec Packets 77
  Interaction Between DiffServ Rules and Other Rules 77
  Low Latency Queuing 77
  Overview 77
  Low Latency Classes 78
  Interaction between Low Latency and Other Rule Properties 82
  When to Use Low Latency Queuing 83
  Low Latency versus DiffServ 84
  Authenticated QoS 84

Chapter 4  SmartView Tracker
  Overview of Logging 87
  Examples of Log Events 89
  Connection Reject Log 90
  LLQ Drop Log 90
  Pool Exceeded Log 91
  Examples of Account Statistics Logs 91
  General Statistics Data 92
  Drop Policy Statistics Data 92
  LLQ Statistics Data 93

Chapter 5  Deploying FloodGate-1
  Deploying FloodGate-1 95
  FloodGate-1 Topology Restrictions 95
  Interaction with Check Point VPN-1/FireWall-1 96
  Interoperability 96
  Sample Bandwidth Allocations 97

Chapter 6  FloodGate-1 Tutorial
  Introduction 101
  Building a QoS Policy 102
  Installation 103
  Starting the GUI Client 103
  QoS Policy 106
  Defining the Network Objects 106
  Defining the Services 116
  Defining a Rule Base 116
  Sub-Rules 121
  Installing a QoS Policy 122

Chapter 7  Command Line Interface
  Interaction with VPN-1/FireWall
  Setup 124
  fgate Menu 124
  Control 125
  Monitor 126
  Utilities 128

FloodGate-1 FAQ (Frequently Asked Questions)
  Questions and Answers 131
  Introduction 131
  FloodGate-1 Basics 132
  Other Check Point Products - Support and Management 134
  Hardware Support 135
  Policy Creation 136
  Capacity Planning 138
  Protocol Support 139
  Installation/Backward Compatibility/Licensing/Versions 140
  How do I? 141
  General Issues 143

Appendix A  Debug Flags
  fw ctl debug -m FG-1 error codes for FloodGate

List of Figures

Chapter 1  Introduction to FloodGate-1
  FIGURE 1-1 New Policy Package window 24
  FIGURE 1-2 FloodGate-1 Components 28
  FIGURE 1-3 QoS Rules in the SmartDashboard GUI 28
  FIGURE 1-4 Distributed FloodGate-1 configuration 29
  FIGURE 1-5 FloodGate-1 Client/Server configuration 29

Chapter 2  FloodGate-1 GUI
  FIGURE 2-1 Global Properties window, FloodGate-1 page 32
  FIGURE 2-2 QoS tab, Interface Properties window 34
  FIGURE 2-3 Add a QoS Class 35
  FIGURE 2-4 Rule menu 37
  FIGURE 2-5 Rule Name window 38
  FIGURE 2-6 Source Object menu 41
  FIGURE 2-7 Add Object window (network objects) 41
  FIGURE 2-8 User Access window 42
  FIGURE 2-9 Destination Object menu 43
  FIGURE 2-10 Services menu 44
  FIGURE 2-11 Add Object window (services) 44
  FIGURE 2-12 Services with Resource window 45
  FIGURE 2-13 Action menu 46
  FIGURE 2-14 Add Interface window 49
  FIGURE 2-15 Properties window, General page 50
  FIGURE 2-16 Add Object window - Time Objects 51
  FIGURE 2-17 Comment window 51
  FIGURE 2-18 Rule Base with Sub-Rules 52
  FIGURE 2-19 Add Class of Service window 54
  FIGURE 2-20 QoS Classes window 54
  FIGURE 2-21 Class of Service Properties window 55
  FIGURE 2-22 QoS Class of Services Group window 56
  FIGURE 2-23 Add Low Latency QoS Class Properties window 57
  FIGURE 2-24 Add Class of Service window 59
  FIGURE 2-25 Class of Services window - Low Latency Queuing 60
  FIGURE 2-26 Add QoS Class Properties window, Low Latency Queuing 60
  FIGURE 2-27 Properties window - Additional Logging Configuration 64
  FIGURE 2-28 Track Logging or Accounting 64
  FIGURE 2-29 Log showing FloodGate-1 entries 65

Chapter 3  QoS Policy Management
  FIGURE 3-1 SmartDashboard Rule Base window 68
  FIGURE 3-2 Group Properties window 85

Chapter 5  Deploying FloodGate-1
  FIGURE 5-1 Two lines connected to a single interface 95
  FIGURE 5-2 Two lines connected to a router 96
  FIGURE 5-3 Correct configuration 96
  FIGURE 5-4 Frame Relay Network example 97

Chapter 6  FloodGate-1 Tutorial
  FIGURE 6-1 Example Network configuration 102
  FIGURE 6-2 Welcome to Check Point SmartDashboard window 104
  FIGURE 6-3 SmartDashboard login window - more options 105
  FIGURE 6-4 SmartDashboard window with empty QoS Policy Rule Base 106
  FIGURE 6-5 Network Objects window 107
  FIGURE 6-6 Object Tree toolbar 107
  FIGURE 6-7 Object Tree tabs 108
  FIGURE 6-8 Right-clicking in the Network Objects tree 108
  FIGURE 6-9 Network Objects menu 108
  FIGURE 6-10 Properties window - General page 110
  FIGURE 6-11 Properties window - Topology page 111
  FIGURE 6-12 Topology page 115
  FIGURE 6-13 Interface Properties window - QoS tab 116
  FIGURE 6-14 Service Rules in the GUI 117

Chapter 7  Command Line Interface
  FIGURE 7-1 fgate menu 124
  FIGURE 7-2 fgate stat output 126

FloodGate-1 FAQ (Frequently Asked Questions)
  FIGURE 7-3 FloodGate-1 memory requirements 138

List of Tables

Preface
  TABLE P-1 Typographic Conventions 15
  TABLE P-2 Shell Prompts 16

Chapter 1  Introduction to FloodGate-1
  TABLE 1-1 FloodGate-1 Features vs. FloodGate Express Features 25

Chapter 2  FloodGate-1 GUI
  TABLE 2-1 Adding a Rule 36
  TABLE 2-2 Rule Menu Items 37
  TABLE 2-3 Copying, Cutting and Pasting Rules 38
  TABLE 2-4 Deleting a Rule 39
  TABLE 2-5 Network Objects Roadmap 40
  TABLE 2-6 Action Menu Selections 46
  TABLE 2-7 Track Menu 49

Chapter 3  QoS Policy Management
  TABLE 3-1 VPN Traffic Rule 69
  TABLE 3-2 Total Rule Guarantees 72
  TABLE 3-3 Guarantee is Defined in Sub-rule A1, But Not in Rule A 72
  TABLE 3-4 Example of an Incorrect Rule Base 73
  TABLE 3-5 If a Rule's Weight is Low, Some Connections May Receive Very Little Bandwidth 74
  TABLE 3-6 No Bandwidth Received 76
  TABLE 3-7 A Rule that Allows Access to from a Remote Location 86

Chapter 4  SmartView Tracker
  TABLE 4-1 Explaining the Event SmartView Tracker Logs (non-accounting) 88
  TABLE 4-2 Explaining the Accounting SmartView Tracker Log 89
  TABLE 4-3 Connection Reject Log example 90
  TABLE 4-4 LLQ Drop Log example 90
  TABLE 4-5 Pool Exceeded Log example 91
  TABLE 4-6 The mandatory fields in account logs 91
  TABLE 4-7 General Statistics Data example 92
  TABLE 4-8 Drop Policy Statistics Data example 92

Chapter 5  Deploying FloodGate-1
  TABLE 5-1 Main Rules 98
  TABLE 5-2 Office Sub-Rules 98

Chapter 6  FloodGate-1 Tutorial
  TABLE 6-1 Check Point Modules to Install on Each Machine 102
  TABLE 6-2 Creating a new workstation 107
  TABLE 6-3 London's Properties window, General page 109
  TABLE 6-4 Field Values, Interface Properties window, le0 112
  TABLE 6-5 Field Values, Interface Properties window, le1 113
  TABLE 6-6 Field Values, Interface Properties window, le2 114
  TABLE 6-7 Allocating More Bandwidth Than RealAudio 117
  TABLE 6-8 Service Rules - four active connections 118
  TABLE 6-9 Service Rules - two active connections 118
  TABLE 6-10 Marketing is Allocated More Bandwidth Than Engineering 119
  TABLE 6-11 All the Rules Together 119
  TABLE 6-12 Guarantee Example 121
  TABLE 6-13 Defining Sub-Rules 121

Chapter 7  Command Line Interface
  TABLE 7-1 FloodGate-1 command names 123

FloodGate-1 FAQ (Frequently Asked Questions)
  TABLE 7-2 Example of Highest Weight Differentiation 132

Appendix A  Debug Flags
  TABLE A-1 fw ctl debug -m FG-1 error codes for FloodGate

List of Procedures

Chapter 1  Introduction to FloodGate-1
  How to define whether the Policy is Traditional or Express 24

Chapter 2  FloodGate-1 GUI
  To display the FloodGate-1 page 31
  To define the interfaces on which FloodGate-1 will control traffic 33
  To create a new Rule Base 36
  To add a Rule 36
  To Name a Rule 38
  To Copy, Cut or Paste Rules 38
  To Delete a Rule 39
  To Modify a Rule 40
  To Affect the Rule's Source 40
  To Affect the Rule's Destination 43
  To Affect Services in the Rule 44
  To Affect Actions in the Rule 46
  To Affect Tracking in the Rule 48
  To Affect Time in the Rule 50
  To Add a Comment to the Rule 51
  To define a sub-rule 52
  To View Sub-Rules 52
  To Implement DiffServ Marking in FloodGate-1 53
  To Define a DiffServ Class 54
  To Define a DiffServ Class of Service Groups 56
  To Add QoS Class Properties for Expedited Forwarding 57
  To Add QoS Class Properties for Non Expedited Forwarding 57
  To Implement Low Latency Queuing 58
  To Define Low Latency Classes of Service 59
  To Define Class of Service Properties for Low Latency Queuing 60
  To Add QoS Class Properties Window, Low Latency Queuing 60
  To Verify and View the QoS Policy 61
  To Install and Enforce the Policy 62
  To Uninstall the QoS Policy 63
  To Monitor the QoS Policy 63
  To display the status of FloodGate-1 Modules controlled by the SmartCenter Server 63
  To Turn on QoS Logging 64
  To Create a Track Log or Account Rule 64
  To Start the SmartView Tracker 65

Chapter 3  QoS Policy Management
  To Use Authenticated QoS 85

Chapter 6  FloodGate-1 Tutorial
  To display the QoS tab 106

Preface

Who Should Use this User Guide

This User Guide is written for system administrators who are responsible for maintaining networks. It assumes you have a basic understanding and a working knowledge of:
- system administration
- the Unix or Windows operating system
- the Windows GUI
- Internet protocols (IP, TCP, UDP, etc.)

Summary of Contents

Chapter 1, Introduction to FloodGate-1, presents an overview of FloodGate-1, including technologies and architecture.
Chapter 2, FloodGate-1 GUI, presents an overview of the FloodGate-1 User Interface.
Chapter 3, QoS Policy Management, describes how to manage a FloodGate-1 QoS Policy Rule Base.
Chapter 4, SmartView Tracker, describes how to use the SmartView Tracker for FloodGate-1.
Chapter 5, Deploying FloodGate-1, presents example network configurations.
Chapter 6, FloodGate-1 Tutorial, is a short tutorial describing how to define a QoS Policy.
Chapter 7, Command Line Interface, discusses how to work with FloodGate-1 via the Command Line.

FloodGate-1 FAQ (Frequently Asked Questions) is a compilation of frequently asked questions and their answers.
Appendix A, Error Codes, is a list of debugging error codes.

Check Point Documentation

User Guides are available for each product in Portable Document Format (PDF) in the Check Point Enterprise Suite. The Adobe Acrobat Reader is required to view PDF files and is also available on the Check Point Enterprise Suite CD-ROM. Alternatively, you can download the Acrobat Reader from the Adobe Web site.

The following User Guides are available for Check Point Enterprise Suite products.

1) Check Point Getting Started Guide. This book is an introduction to Check Point products.
2) Check Point SmartCenter Guide. This book describes the Check Point Management GUI, which is used to manage VPN-1/FireWall-1 and other Check Point products.
3) Check Point FireWall-1 Guide. This book describes Check Point VPN-1/FireWall-1.
4) Check Point Virtual Private Networks Guide. This book describes the Check Point VPN-1/FireWall-1 encryption features.
5) Check Point Desktop Security Guide. This book describes Check Point security as implemented by SecuRemote and SecureClient.
6) Check Point FloodGate-1 Guide. This book describes Check Point FloodGate-1, which enables administrators to manage the quality of service on their networks.
7) Check Point SmartView Monitor User Guide. This book describes the Check Point Real Time Monitor, which enables administrators to monitor quality of service on their network links, as well as Service Level Agreement compliance.
8) Check Point Provider-1/SiteManager-1 Guide. This book describes Check Point Provider-1/SiteManager-1, which enables service providers and managers of large networks to provide Check Point products-based services to large numbers of subscribers.
9) Check Point SmartView Reporter Guide. This book describes the Check Point Reporting Module, which enables administrators to manage databases of Check Point log-based information.
14 Check Point FloodGate-1 Guide September 2002

10) Check Point UserAuthority User Guide. This book describes Check Point UserAuthority, which enables third-party and Web applications to leverage Check Point's sophisticated authentication and authorization technologies.
11) Check Point User Management Guide. This book describes Check Point LDAP-based user management.

Note - For additional technical information about Check Point products, consult Check Point's SecureKnowledge database at

What Typographic Changes Mean

The following table describes the typographic changes used in this book.

TABLE P-1 Typographic Conventions
  Typeface or Symbol | Meaning | Example
  AaBbCc123 | The names of commands, files, and directories; on-screen computer output | Edit your .login file. Use ls -a to list all files. machine_name% You have mail.
  AaBbCc123 | What you type, contrasted with on-screen computer output | machine_name% su  Password:
  AaBbCc123 | Command-line placeholder: replace with a real name or value | To delete a file, type rm filename.
  AaBbCc123 | Book titles, new words or terms, or words to be emphasized | Read Chapter 6 in the User's Guide. These are called class options. You must be root to do this.
  Save | Text that appears on an object in a window | Click on the Save button.

Shell Prompts in Command Examples

The following table shows the default system prompt and superuser prompt for the C shell, Bourne shell, Korn shell and DOS.

TABLE P-2 Shell Prompts
  Shell | Prompt
  C shell prompt | machine_name%
  C shell superuser prompt | machine_name#
  Bourne shell and Korn shell prompt | $
  Bourne shell and Korn shell superuser prompt | #
  DOS Prompt | current-directory>

What's New in FloodGate-1

Express Mode
FloodGate-1 can run in Express mode. In this mode the product's performance is greatly enhanced, but the functionality available in this mode is limited. To activate Express mode, edit and install an Express QoS policy.

Product Directory
FloodGate-1 files are now installed in a new location. A new environment variable that contains this path was introduced: FGDIR.
On Linux, Nokia and Solaris platforms the directory is: /opt/cpfg1-53/
On Windows platforms the directory is: \program files\checkpoint\fg1\ng\

Dynamic IP Address Module (DAIP)
FloodGate-1 Modules can now be defined as DAIPs; in other words, they can now be assigned dynamic IP addresses. For more information, see the Check Point SmartCenter Guide.

Prioritizing VPN Traffic
It is possible to mark a QoS rule as applicable only to VPN traffic. This is achieved by checking Apply rule only to encrypted traffic in the QoS Action window.

Install Policy Window
The Install Policy window is new and has enhanced functionality.

QoS Action Window
The QoS Action window is used to determine the actions in a FloodGate-1 rule. This window now contains a Simple and an Advanced mode. See QoS Action Properties Window on page 46.

Logging of Events and Statistics
FloodGate-1 now logs and accounts the following:
- Connections rejected by the admission policy (Per Connection Guarantee).
- Packets dropped on account of:
  - Buffer saturation
  - Drop policy
  - LLQ (Low Latency Queuing) drops
- LLQ statistics. These statistics can be used to configure the Maximal Delay in LLQ.

Installing FloodGate-1 on a cluster member
It is possible to install FloodGate-1 on cluster members (both in High Availability and Load Sharing modes). Each cluster member is allocated bandwidth independently; there is no synchronization of bandwidth allocation among cluster members.

Enhanced Support of IP Services
FloodGate-1 now supports more IP services. The new set includes all the IP services supported by FireWall-1.

Supported Platforms
FloodGate-1 now supports Linux Red-Hat 7.3 (Kernel )


CHAPTER 1  Introduction to FloodGate-1

In This Chapter
  Internet Bandwidth Management Technologies  page 19
  FloodGate-1's Innovative Technology  page 20
  Regular FloodGate-1 vs. FloodGate-1 Express  page 23
  FloodGate-1 Architecture  page 27
  Installing and Configuring FloodGate-1  page 30

Internet Bandwidth Management Technologies

Overview
When you connect your network to the Internet, it is vitally important to make the most efficient use of the available bandwidth. An effective bandwidth management policy ensures that even at times of network congestion, bandwidth is allocated in accordance with enterprise priorities. In the past, network bandwidth problems have been addressed either by adding more bandwidth (an expensive and usually short term solution) or by router queuing, which is ineffective for complex modern Internet protocols.

FloodGate Requirements
In order to provide effective bandwidth management, a bandwidth management tool must track and control the flow of communication passing through it, based on information derived from all communication layers and from other applications.

An effective bandwidth management tool must address all of the following issues:

Flexible Prioritization
It is not sufficient to simply prioritize communications, for example, to specify a higher priority for HTTP than for SMTP. The result may well be that all bandwidth resources are allocated to one service and none to another. A bandwidth management tool must be able to divide the available resources so that more important services are allocated more bandwidth, but all services are allocated some bandwidth.

Minimum Bandwidth
A bandwidth management tool must be able to guarantee a service's minimum required bandwidth. It must also be able to allocate bandwidth preferentially, for example, to move a company's CEO to the head of the line when he or she browses the Web.

Classification
A bandwidth management tool must be able to accurately classify communications. However, simply examining a packet in isolation does not provide all the information needed to make an informed decision. State information derived from past communications and other applications is also required. A packet's contents, the communication state and the application state (derived from other applications) must all be considered when making control decisions.

FloodGate-1's Innovative Technology

FloodGate-1 is a bandwidth management solution for Internet and Intranet gateways that enables network administrators to set bandwidth policies to alleviate the bandwidth congestion at network access points. The overall mix of traffic is dynamically controlled by managing bandwidth usage for entire classes of traffic, as well as individual connections. FloodGate-1 controls both inbound and outbound traffic flows. Using Check Point's RDED (Retransmission Detection Early Drop) mechanism, FloodGate-1 drastically reduces retransmit counts, greatly improving the efficiency of the enterprise's existing lines.

The increased bandwidth that FloodGate-1 makes available to important applications comes at the expense of less important (or completely unimportant) applications. Purchasing more bandwidth can be significantly delayed. Network traffic can be classified by Internet service, source or destination IP address, Internet resource (for example, specific URL designators), user or traffic direction (inbound or outbound). A FloodGate-1 QoS Policy consists of rules that specify the weights, limits and guarantees that are applied to the different classifications of traffic.

A rule can have multiple sub-rules (see Sub-Rules on page 52), enabling an administrator to define highly granular Bandwidth Policies. FloodGate-1 incorporates Check Point's patented Stateful Inspection technology to derive complete state and context information for all network traffic. This traffic information is used by FloodGate-1's Intelligent Queuing Engine (IQ Engine) to accurately classify traffic and place it in the proper transmission queue. The network traffic is then scheduled for transmission based on the QoS Policy. The IQ Engine includes an enhanced, hierarchical Weighted Fair Queuing (WFQ) algorithm to precisely control the allocation of available bandwidth and ensure efficient line utilization. FloodGate-1 also makes use of WFRED (Weighted Flow Random Early Drop), a mechanism for managing packet buffers that is transparent to the user and requires no pre-configuring.

Technology Overview

It is when the network lines become congested that FloodGate-1 provides its real benefits. Instead of allowing all traffic to flow arbitrarily, FloodGate-1 ensures that important traffic takes precedence over less important traffic, so that the enterprise can continue to function with the minimum disruption possible despite network congestion. FloodGate-1 ensures that an enterprise can make the most efficient use of a congested network. FloodGate-1 is completely transparent to both users and applications.

FloodGate-1 implements four innovative technologies:
- Intelligent Queuing Engine for allocating bandwidth
- Stateful Inspection for classifying communications
- RDED (Retransmission Detection Early Drop) for reducing the number of retransmits and retransmit storms
- WFRED (Weighted Flow Random Early Drop) for managing packet buffers

Intelligent Queuing Engine
FloodGate-1 uses an enhanced Weighted Fair Queuing algorithm to manage bandwidth allocation. A FloodGate-1 packet scheduler moves packets through a dynamically changing scheduling tree at different rates in accordance with the QoS Policy. High priority packets move through the scheduling tree more quickly than low priority packets. The IQ Engine leverages TCP's throttling mechanism to automatically adjust bandwidth consumption by individual connections or classes of traffic. Traffic bursts are delayed and smoothed by FloodGate-1's packet scheduler, pushing back on the traffic and forcing the application to fit the traffic to the QoS Policy. By intelligently delaying traffic, the IQ Engine effectively controls the bandwidth of all IP traffic.
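The weights, limits and guarantees that a QoS Policy attaches to traffic classes, and the hierarchical weighted fair sharing behind them, as an added example (not Check Point's code, and a fluid-level simplification of the IQ Engine's packet scheduler): the rule names, weights and kbps figures are constructed for illustration, and the model rejects a policy whose guarantees exceed the parent bandwidth.

```python
"""Weighted-fair bandwidth allocation with guarantees, limits and sub-rules.

Added illustrative example, not Check Point code. It models how a QoS Policy
made of rules carrying a weight, an optional guarantee and an optional limit
(plus sub-rules nested under a parent rule) would divide a congested link.
It is a fluid-level approximation of what a hierarchical WFQ scheduler
converges to; FloodGate-1's IQ Engine works packet by packet.
Capacities and demands are in kbps and are constructed for the example.
"""
from dataclasses import dataclass, field
from math import inf
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    weight: int                     # relative share among sibling rules
    demand: float = 0.0             # kbps the matching traffic actually wants
    guarantee: float = 0.0          # kbps reserved for the rule before weights apply
    limit: Optional[float] = None   # kbps ceiling the rule may never exceed
    subrules: List["Rule"] = field(default_factory=list)

    def wanted(self) -> float:
        """A parent rule wants whatever its sub-rules want in total."""
        if self.subrules:
            return sum(r.wanted() for r in self.subrules)
        return self.demand


def _share_level(rules: List[Rule], capacity: float) -> Dict[str, float]:
    """Divide `capacity` among sibling rules.

    1. Each rule can use at most min(demand, limit).
    2. Guarantees are handed out first; a level whose guarantees exceed the
       bandwidth it was given is rejected, since it cannot be honoured.
    3. The remainder is shared by weight with progressive filling: a rule
       that reaches its cap drops out and its unused share is redistributed
       to the others, so every active rule keeps getting some bandwidth.
    """
    cap = {r.name: min(r.wanted(), inf if r.limit is None else r.limit) for r in rules}
    alloc = {r.name: min(r.guarantee, cap[r.name]) for r in rules}
    if sum(alloc.values()) > capacity:
        raise ValueError("sum of guarantees exceeds the bandwidth available to this level")
    remaining = capacity - sum(alloc.values())
    active = [r for r in rules if alloc[r.name] < cap[r.name]]
    while active and remaining > 1e-9:
        total_weight = sum(r.weight for r in active)
        # Largest equal step per weight unit that no active rule's cap forbids.
        step = min(remaining / total_weight,
                   min((cap[r.name] - alloc[r.name]) / r.weight for r in active))
        for r in active:
            alloc[r.name] += step * r.weight
        remaining -= step * total_weight
        active = [r for r in active if cap[r.name] - alloc[r.name] > 1e-9]
    return alloc


def allocate(rules: List[Rule], capacity: float) -> Dict[str, float]:
    """Return kbps per rule name, recursing into sub-rules: each parent's
    allocation becomes the capacity its own sub-rules compete for."""
    result = _share_level(rules, capacity)
    for r in rules:
        if r.subrules:
            result.update(allocate(r.subrules, result[r.name]))
    return result


# Constructed sample policy (not from the guide): Mail is guaranteed 100 kbps,
# RealAudio is capped at 100 kbps, and the Office rule is split between
# Marketing and Engineering sub-rules with weights 3:1.
POLICY = [
    Rule("Web", weight=10, demand=600),
    Rule("Mail", weight=5, demand=400, guarantee=100),
    Rule("RealAudio", weight=10, demand=500, limit=100),
    Rule("Office", weight=5, subrules=[
        Rule("Marketing", weight=3, demand=300),
        Rule("Engineering", weight=1, demand=300),
    ]),
]

if __name__ == "__main__":
    for line_kbps in (1000, 220):
        print(f"line {line_kbps} kbps:", allocate(POLICY, line_kbps))
```

On the 1000 kbps line RealAudio hits its limit and its unused share flows back to the other rules; on the 220 kbps line Mail's guarantee dominates its weighted share, which is the behaviour a guarantee exists to provide.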

The preemptive IQ Engine responds immediately to changing traffic conditions and guarantees that high priority traffic always takes precedence over low priority traffic. Accurate bandwidth allocation is achieved even when there are large differences in the weighted priorities (for example 50:1). In addition, since packets are always available for immediate transmission, the IQ Engine provides precise bandwidth control for both inbound and outbound traffic and ensures 100% bandwidth utilization during periods of congestion. It also uses per connection queuing to ensure that every connection receives its fair share of bandwidth.

Stateful Inspection
Employing Stateful Inspection technology, FloodGate-1 accesses and analyzes data derived from all communication layers. This state and context data are stored and updated dynamically, providing virtual session information for tracking both connection-oriented and connectionless protocols (for example, UDP-based applications). Cumulative data from the communication and application states, network configuration and bandwidth allocation rules are used to classify communications. Stateful Inspection enables FloodGate-1 to parse URLs and set priority levels based on file types. For example, FloodGate-1 can identify HTTP file downloads with *.exe or *.zip extensions and allocate bandwidth accordingly.

RDED (Retransmit Detect Early Drop)
TCP exhibits extreme inefficiency under certain bandwidth and latency conditions. For example, the bottleneck that results from the connection of a LAN to the WAN causes TCP to retransmit packets. RDED prevents inefficiencies by detecting retransmits in TCP streams and preventing the transmission of redundant packets when multiple copies of a packet are concurrently queued on the same flow. The result is a dramatic reduction of retransmit counts and positive feedback retransmit loops. Implementing RDED requires the combination of intelligent queuing and full reconstruction of TCP streams, capabilities that exist together only in FloodGate-1.

WFRED (Weighted Flow Random Early Drop)
WFRED is a mechanism for managing the packet buffers of FloodGate-1. WFRED does not need any preconfiguring. It adjusts automatically and dynamically to the situation and is transparent to the user. Because the connection of a LAN to the WAN is a bottleneck, packets that arrive from the LAN are queued before being retransmitted to the WAN. When the traffic in the LAN is very intense, queues may become full and packets may be dropped arbitrarily. Dropped packets may reduce the throughput of TCP connections, and the quality of streaming media.
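The RDED behaviour described in the preceding section, as an added example (not Check Point's code): a per-flow queue that drops an arriving TCP segment only when every byte it carries is already waiting in the same flow's queue, while a retransmit that arrives after the original has left, a pure ACK, or the same sequence numbers on a different flow all pass through. The flow tuple, sequence numbers and the event trace are constructed for the example.

```python
"""Retransmit detection in a per-flow queue (RDED-style).

Added illustrative example, not Check Point code. It models one idea from the
RDED description: when a TCP segment arrives and the same bytes are already
waiting in that flow's queue, the new copy is redundant and is dropped instead
of queued, so the line is not spent on data that will be sent anyway and
retransmit feedback loops are damped. The flow keys, sequence numbers and the
trace below are constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int      # first sequence number carried
    length: int   # payload bytes; 0 for a pure ACK

    def flow(self) -> Flow:
        return (self.src, self.sport, self.dst, self.dport)

    def covers(self, other: "Segment") -> bool:
        """True if every payload byte of `other` is already inside this segment."""
        return (other.length > 0
                and self.seq <= other.seq
                and other.seq + other.length <= self.seq + self.length)


class FlowQueues:
    """One FIFO per TCP flow with redundant-copy suppression on enqueue."""

    def __init__(self) -> None:
        self.queues: Dict[Flow, Deque[Segment]] = defaultdict(deque)
        self.stats = {"queued": 0, "redundant_dropped": 0, "sent": 0}

    def enqueue(self, seg: Segment) -> bool:
        q = self.queues[seg.flow()]
        # Only a copy that is *concurrently* queued on the same flow counts as
        # redundant; a retransmit after the original left the queue is genuine
        # recovery from loss and must go through.
        if any(pending.covers(seg) for pending in q):
            self.stats["redundant_dropped"] += 1
            return False
        q.append(seg)
        self.stats["queued"] += 1
        return True

    def dequeue(self, flow: Flow) -> Segment:
        seg = self.queues[flow].popleft()
        self.stats["sent"] += 1
        return seg


def replay(trace: List[Tuple[str, object]]) -> Tuple[FlowQueues, List[int]]:
    """Apply enqueue/dequeue events in order; return the queues and sent seqs."""
    fq = FlowQueues()
    sent: List[int] = []
    for op, arg in trace:
        if op == "enq":
            fq.enqueue(arg)
        else:
            sent.append(fq.dequeue(arg).seq)
    return fq, sent


# Constructed trace: client 10.1.1.5 behind a congested uplink to 192.0.2.10.
FLOW_A: Flow = ("10.1.1.5", 40000, "192.0.2.10", 80)
TRACE: List[Tuple[str, object]] = [
    ("enq", Segment("10.1.1.5", 40000, "192.0.2.10", 80, 1000, 500)),
    ("enq", Segment("10.1.1.5", 40000, "192.0.2.10", 80, 1500, 500)),
    ("enq", Segment("10.1.1.5", 40000, "192.0.2.10", 80, 1000, 500)),  # retransmit while original still waits
    ("enq", Segment("10.1.1.6", 40001, "192.0.2.10", 80, 1000, 500)),  # other flow, same seq: unrelated
    ("deq", FLOW_A),                                                   # original seq 1000 goes out
    ("enq", Segment("10.1.1.5", 40000, "192.0.2.10", 80, 1000, 500)),  # retransmit after it left: queued
    ("enq", Segment("10.1.1.5", 40000, "192.0.2.10", 80, 2000, 0)),    # pure ACK, never deduplicated
]

if __name__ == "__main__":
    fq, sent = replay(TRACE)
    print(fq.stats, "sent seqs:", sent)
```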

WFRED prevents FloodGate-1's buffers from being filled by sensing when traffic becomes intense and dropping packets selectively. The mechanism considers every connection separately, and drops packets according to the connection characteristics and the overall state of the buffer. For more information see Running Out of Packet Buffers on page 88.

Unlike mechanisms such as RED/WRED, which rely on the TOS byte in the IP header (which is seldom used), WFRED queries FloodGate-1 as to the priority of the connection, and then uses this information. WFRED protects fragile connections from more aggressive ones, whether they are TCP or UDP, and always leaves some buffer space for new connections to open.

Regular FloodGate-1 vs. FloodGate-1 Express

Both traditional FloodGate-1 and FloodGate-1 Express are included in every installation and are installed per policy. You can specify whether you choose Regular over Express or vice versa each time you install a new policy. When selecting between Regular and Express, here are some questions which you can ask yourself.

When should I use Regular and when should I use Express?
Regular should be used if you need fine-tuned functionality and enhanced FloodGate-1 features. Express should be selected if your system requires only basic QoS.

What are the benefits of using each?
Regular provides you with optimal QoS functionality, whereas Express has increased performance and needs less CPU and less memory.

Can I change from Express to Regular and vice versa?
You can change a policy from Express to Regular; however, you cannot change a policy from Regular to Express. Therefore it is recommended that if you are unsure which to install, you should begin with Express, with the option to transition to Regular if you find that your policy requires heightened FloodGate-1 functionality.

Chapter 1 Introduction to FloodGate-1

How to define whether the Policy is Traditional or Express

1 From the File menu select New.

Note - When switching to Traditional from Express mode nothing is lost.

2 Whether installing a new policy or switching from Traditional to Express mode, click Save and Continue when the message "In order to proceed with the operation you must first save" appears. FIGURE 1-1 opens:

FIGURE 1-1 New Policy Package window

3 Fill in the following:

New Policy Package Name: required field
QoS: check the QoS type that best meets your needs. See TABLE 1-1 for a list of each product's feature set.
  Traditional: select Traditional to install the full FloodGate-1 feature set
  Express: select Express to install a sub-set of the full FloodGate-1 feature set

To proceed click OK.

TABLE 1-1 FloodGate-1 Features vs. FloodGate Express Features

feature                                         FloodGate-1   FloodGate-1 Express   find out more on page...
Weights                                         *             *                     Simple or Advanced QoS on page 69
Limits (whole rule)                             *             *                     Simple or Advanced QoS on page 69
Guarantees (whole rule)                         *             *                     Simple or Advanced QoS on page 69
Authenticated QoS                               *             *
Logging                                         *             *
Accounting                                      *             *
Support of platforms and HW accelerator         *             *
HighAvailability                                *             *
Guarantee (Per connection)                      *
Limit (Per connection)                          *
LLQ (controlling packet delay in FloodGate-1)   *
DiffServ                                        *
Sub-rules                                       *
Matching by URI resources                       *
Matching by DNS string                          *
TCP Retransmission Detection Mechanism (RDED)   *

FloodGate-1 Rule Base

A FloodGate-1 Rule Base consists of any number of rules, each of which classifies connections and indicates how to allocate bandwidth for them:

Connection Classification

A connection is classified according to four criteria:

- source: a set of network objects, including specific computers, entire networks or domains
- destination: a set of network objects, including specific computers, entire networks or domains
- service: a set of IP services, sub-services or URLs
- time: specified days or time periods

Bandwidth Allocation

A rule can specify three factors to be applied to bandwidth allocation:

1) weights
Available bandwidth at any given moment is divided among the connections according to weights. For example, suppose Web traffic is deemed to be three times as important as FTP traffic, and these services are assigned weights of 30 and 10 respectively. Then when lines are congested, FloodGate-1 will always accurately maintain the ratio of bandwidth allocated to Web traffic and FTP traffic at 3:1.

If only two connections are active, the first with a weight of 30 and the second with a weight of 10, then as long as they are competing the first receives 75% (that is, 30/40) of the remaining bandwidth and the second receives 25% (10/40) of the remaining bandwidth. If the first closes, the second will receive 100% of the bandwidth.

Allocating bandwidth according to weights ensures full utilization of the line even if a specific class is not using all of its bandwidth. In such a case, the left over bandwidth will be divided among the remaining classes in accordance with their relative weights.

2) guarantees
A guarantee allocates a minimum bandwidth to the connections matched with a rule. Although weights do in fact guarantee the bandwidth share for specific connections, only a guarantee allows you to specify an absolute bandwidth value.

3) limits
A limit specifies the maximum bandwidth that will be assigned to all the guaranteed connections together. A limit defines a point beyond which connections under a rule will not be allocated bandwidth, even if there is unused bandwidth available.
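The three factors above, carried through in code as an added example that is not from the guide or the product: an interface rate is split among backlogged rules with guarantees as floors, limits as ceilings and weights sharing whatever is left, which reproduces the 30:10 case and generalizes it to any mix of the three. The QoSRule fields, the clamp-and-bisect model and the kbps figures are assumptions for illustration, not the IQ Engine's own algorithm.

```python
"""Illustrative model of weight, guarantee and limit bandwidth allocation."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class QoSRule:
    """A backlogged rule (or single connection) competing for an interface's bandwidth.

    weight     relative share of spare bandwidth (the rule's weight)
    guarantee  absolute minimum in kbps (0 = no guarantee)
    limit      absolute maximum in kbps (None = no limit)
    """
    name: str
    weight: float
    guarantee: float = 0.0
    limit: Optional[float] = None


def _share(rule: QoSRule, lam: float) -> float:
    """Bandwidth for one rule at scaling factor lam: weighted share clamped to [guarantee, limit]."""
    s = lam * rule.weight if rule.weight > 0 else 0.0
    if rule.limit is not None:
        s = min(s, rule.limit)
    return max(s, rule.guarantee)


def _cap(rule: QoSRule) -> float:
    """The most a rule can ever receive, however much bandwidth is spare."""
    if rule.weight <= 0:
        return rule.guarantee            # no weight: nothing beyond its guarantee
    if rule.limit is None:
        return float("inf")
    return rule.limit


def allocate(rate_kbps: float, rules: List[QoSRule]) -> Dict[str, float]:
    """Split rate_kbps among the active rules; result in kbps rounded to 3 decimals.

    Every rule gets clamp(lam * weight, guarantee, limit) for one common factor
    lam, found by bisection so that the total equals the interface rate. This
    matches the documented behaviour: weights fix the ratio between classes
    (30:10 gives 75%/25%), a guarantee is a floor, a limit is a ceiling, and
    bandwidth a class does not use flows to the others by weight.
    (Assumed model of the documented semantics, not the product's code.)
    """
    if not rules or rate_kbps <= 0:
        return {r.name: 0.0 for r in rules}
    if sum(r.guarantee for r in rules) > rate_kbps:
        raise ValueError("sum of guarantees exceeds the interface rate")
    for r in rules:
        if r.limit is not None and r.guarantee > r.limit:
            raise ValueError(f"{r.name}: guarantee cannot be larger than limit")

    # If every rule already sits at its ceiling, the leftover is simply unused:
    # a limit is enforced even when bandwidth is available.
    if sum(_cap(r) for r in rules) <= rate_kbps:
        return {r.name: round(_cap(r), 3) for r in rules}

    def total(lam: float) -> float:
        return sum(_share(r, lam) for r in rules)

    lo, hi = 0.0, 1.0
    while total(hi) < rate_kbps:       # terminates: the caps add up to more than the rate
        hi *= 2.0
    for _ in range(100):               # bisection on the monotone total(lam)
        mid = (lo + hi) / 2.0
        if total(mid) < rate_kbps:
            lo = mid
        else:
            hi = mid
    return {r.name: round(_share(r, hi), 3) for r in rules}


def unused_kbps(rate_kbps: float, allocation: Dict[str, float]) -> float:
    """Bandwidth left idle, which only happens when limits cap every active rule."""
    return round(rate_kbps - sum(allocation.values()), 3)


if __name__ == "__main__":
    web = QoSRule("web", weight=30)
    ftp = QoSRule("ftp", weight=10)
    print(allocate(1000, [web, ftp]))                              # web 750, ftp 250 (3:1)
    print(allocate(1000, [web]))                                   # ftp closed: web 1000
    print(allocate(1000, [web, QoSRule("ftp", 10, limit=200)]))    # web 800, ftp 200
    print(allocate(1000, [web, QoSRule("voip", 10, guarantee=400)]))  # web 600, voip 400
```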

For more information on weights, guarantees and limits, see Simple or Advanced QoS on page 69.

Note - Bandwidth allocation is not fixed. As connections are opened and closed, FloodGate-1 continuously changes the bandwidth allocation to accommodate competing connections, in accordance with the QoS Policy.

FloodGate-1 Architecture

FloodGate-1 Components

A typical FloodGate-1 installation includes the following components:
- FloodGate Module
- SmartCenter Server
- Check Point SmartDashboard

FloodGate Module

The FloodGate Module implements the QoS Policy at network access (or enforcement) points and controls the flow of inbound and outbound traffic. The FloodGate Module is inside the operating system kernel, between the Data Link and the Network layers (layers 2 and 3). Since the data link is the actual network interface card (NIC) and the network link is the first layer of the protocol stack (for example, IP), FloodGate-1 is positioned at the lowest software layer.

SmartCenter Server

The SmartCenter Server controls and distributes the enterprise-wide QoS Policy to all FloodGate Modules. A set of command line utilities enables its operation from a standard terminal (see the Check Point Reference Guide).

QoS Policy

A FloodGate-1 QoS Policy is defined in terms of FloodGate Modules, interfaces, services, resources and the rules that govern the interactions between them. Once these have been specified, the QoS Policy is installed from the SmartCenter Server to the FloodGate Modules that will enforce it on their networks. The QoS Policy is transmitted on a secured control channel from the FloodGate-1 SmartCenter Server to the FloodGate Modules. The FloodGate-1 kernel enforces the QoS Policy.

FIGURE 1-2 FloodGate-1 Components
[Figure: a FireWalled Gateway (FireWall Module, FireWall-1 Inspection Module, FireWall-1 Daemon) exchanges status, logs, alerts and commands with a Management Station (Management Module, Management Server, GUI Client) over a secured* communication channel.]
* This channel is authenticated, and also encrypted if the FireWall-1 Encryption feature is installed.

FIGURE 1-2 depicts a configuration where the FloodGate Module and the SmartCenter Server are installed on different machines. They can also be installed on the same machine.

FloodGate-1 GUI Management Client

The Check Point SmartDashboard is used to create and modify the QoS Policy and define the network objects and services. If both VPN-1/FireWall-1 and FloodGate-1 are licensed, they will each have a tab in the SmartDashboard.

FIGURE 1-3 QoS Rules in the SmartDashboard GUI

The QoS Policy rules are displayed both in the SmartDashboard Rule Base, on the right side of the window, and in the QoS Rule tree, on the left (see FIGURE 1-3 on page 28).

FloodGate-1 Configuration

The SmartCenter Server and the FloodGate Module can be installed on the same machine or on two different machines. When they are installed on different machines, the configuration is known as distributed (see FIGURE 1-4).

FIGURE 1-4 Distributed FloodGate-1 configuration
[Figure: a Management Server and GUI Client on the Campus Intranet, with FloodGate Modules behind routers on the Internet links. Callouts: 1 This Management Server... 2 ...manages these FloodGate Modules... 3 ...that manage bandwidth on these lines.]

FIGURE 1-4 shows a distributed configuration, in which one SmartCenter Server (consisting of a SmartCenter Server and a GUI Client) controls four FloodGate Modules, which in turn manage bandwidth allocation on three FloodGated lines. A single SmartCenter Server can control and monitor multiple FloodGate Modules. The FloodGate Module operates independently of the SmartCenter Server. FloodGate Modules can operate on additional Internet gateways and interdepartmental gateways.

Client/Server Interaction

The SmartDashboard GUI and the SmartCenter Server can be installed on the same machine or on two different machines. When they are installed on two different machines, FloodGate-1 implements the Client/Server model, in which a GUI Client controls a SmartCenter Server running on another workstation.

FIGURE 1-5 FloodGate-1 Client/Server configuration
[Figure: GUI Client on Bridge, Management Server on Tower, FloodGate Module on London behind a router on the FloodGated line to the Internet.]

In the configuration depicted in FIGURE 1-5, the functionality of the SmartCenter Server is divided between two workstations (Tower and Bridge). The SmartCenter Server, including the database, is on Tower. The GUI is on Bridge, the GUI Client. The user, working on Bridge, maintains the FloodGate-1 QoS Policy and database, which reside on Tower. The FloodGate Module on London enforces the QoS Policy on the FloodGated line.

The SmartCenter Server is started with the cpstart command (see the Check Point Reference Guide), and must be running on the SmartCenter Server computer if you wish to use the GUI Client on one of the client machines.

A GUI Client can manage the Server (that is, run the GUI Client to communicate with a SmartCenter Server) only if both the administrator running the GUI Client and the machine on which the GUI Client is running have been authorized to access the SmartCenter Server. In practice, this means that the following conditions must both be met:
- The machine on which the Client is running is listed in the $FWDIR/conf/gui-clients file. You can add or delete GUI Clients by using the Check Point configuration application (cpconfig).
- The administrator (user) running the GUI has been defined to the SmartCenter Server. You can add or delete administrators by using the Check Point configuration application (cpconfig).

Concurrent Sessions

In order to prevent more than one administrator from modifying a QoS Policy at the same time, FloodGate-1 implements a locking mechanism. All but one open policy will be Read Only.

Installing and Configuring FloodGate-1

FloodGate-1 is installed on top of VPN-1/FireWall-1.

CHAPTER 2 FloodGate-1 GUI

In This Chapter
FloodGate-1 Global Properties on page 31
Interface Properties on page 33
Editing a Rule Base on page 35
Sub-Rules on page 52
DiffServ on page 53
Low Latency Classes on page 58
Completing the Rule Base on page 61
FloodGate Modules Status on page 63
Enabling Log Collection on page 63

FloodGate-1 Global Properties

Policy-wide properties enable you to set default values for display units and new rules. FloodGate-1 policy-wide properties are defined in the FloodGate-1 page of the Global Properties window (FIGURE 2-1 on page 32).

To display the FloodGate-1 page

1 Choose Global Properties from the Policy menu or click on the corresponding button in the toolbar. The Global Properties window is displayed.
2 Click on FloodGate-1 in the tree on the left side of the window.

FIGURE 2-1 Global Properties window, FloodGate-1 page

The following properties apply to QoS rules:
- Maximum Weight of rule: the maximum weight that can be assigned to rules
- Default Weight of rule: the weight to be assigned in the Action column by default to new rules, including new Default rules
- Rate: Unit of measure: the unit specified in FloodGate-1 windows by default for transmission rates (for example, in the Interface Properties window)

The following properties apply to Authenticated QoS:
- Authenticated IP expires after: If a user has previously been authenticated, all connections that are opened within the specified time will receive the guaranteed bandwidth connection. Any connection opened after the specified time will need to be authenticated again.

- Non authenticated IP expires after: If a user has previously tried and failed to be authenticated by the QoS Policy, then all connections that are opened within the specified time will not receive the guaranteed bandwidth connection.
- Unresponded queried IP expires after: The User Authority Server (UAS) database is queried to see if a user's IP has been previously authenticated using Client Authentication or SSL. Until an answer is received, connections from this user will be classified as non authenticated. If an answer is not received within the specified time, there will be another query.

For more information about Authenticated QoS, see page 63.

- Set Defaults: Restore the default settings of the Authentication timeout for QoS parameters.

Interface Properties

To define the interfaces on which FloodGate-1 will control traffic, open the QoS tab of the Interface Properties window (FIGURE 2-2 on page 34) as follows:

1) In the SmartDashboard, open the Properties window for the appropriate gateway by double-clicking the gateway in the Objects Tree, or by choosing the gateway from the list in the Network Objects window.
2) Open the Topology page of the Properties window.
3) If a list of the gateway's interfaces is not already present, click Get Interfaces to retrieve the interfaces information. You may also add interfaces manually by clicking Add and entering the information, but using the Get Interfaces button is recommended.
4) Double-click the appropriate interface, or select it and click Edit. The Interface Properties window will be opened.
5) Click the QoS tab.

Chapter 2 FloodGate-1 GUI

The other tabs of the Interface Properties window are described in the Network Objects chapter of the Check Point SmartCenter Guide. The QoS tab will be enabled only for the interfaces of gateways that have FloodGate-1 checked under Check Point products installed in the General page of the Properties window.

FIGURE 2-2 Interface Properties window, QoS tab

Note - Usually, the interfaces on the WAN side (or the interface connected to the slower network) should be set to active. On a simple gateway with only two interfaces, FloodGate-1 should be installed only on the interface connected to the WAN. If the gateway also controls DMZ traffic, you may want to install FloodGate-1 on the interface connected to the DMZ.

Inbound
- Active: enables FloodGate-1 control of traffic on this interface in the inbound direction
- Rate: the available bandwidth in the inbound direction

Outbound
- Active: enables FloodGate-1 control of traffic on this interface in the outbound direction
- Rate: the available bandwidth in the outbound direction

Default interface rates and rate units can be specified in the FloodGate-1 page of the Global Properties window (see FloodGate-1 Global Properties on page 31).

FloodGate-1 does not verify that the entries in the rate fields correspond to the actual, physical capacity of the interface.

Note - FloodGate-1 will not use more than the capacity as defined in this window, so if it is incorrectly defined as less than the line's real capacity, the excess will be unused. If it is incorrectly defined as more than the line's real capacity, then FloodGate-1 will not control traffic correctly.

DiffServ and Low Latency classes: specifies the DiffServ and Low Latency Queuing classes to be used on the interface. Click:
- Add to add a class to the list of supported classes for this interface. A menu appears, listing the types of classes you can add:

FIGURE 2-3 Add a QoS Class

  Low Latency Classes: opens the same window as DiffServ Classes>Expedited Forwarding, FIGURE 2-23 on page 57
  DiffServ Classes>Expedited Forwarding: opens the same window as Low Latency Classes, FIGURE 2-23 on page 57
  DiffServ Classes>Others: opens the Add QoS Class Properties window.
- Edit to edit the properties of an existing, supported class
- Remove to delete a selected class

For information about DiffServ and Low Latency classes, see DiffServ on page 76 and To Define Low Latency Classes of Service on page 59.

Editing a Rule Base

For a discussion of Rule Base Management, see Rule Base Management on page 68. If the Rule Base you wish to edit is not the one currently displayed, then choose Open from the File menu and specify the Rule Base to open.

In This Section
To create a new Rule Base on page 36
To add a Rule on page 36
To Name a Rule on page 38
To Copy, Cut or Paste Rules on page 38
To Delete a Rule on page 39

To create a new Rule Base

Choose New from the File menu. Use Save As in the File menu to save the Rule Base to a new file.

To add a Rule

You can add a rule at any point in the Rule Base:

TABLE 2-1 Adding a Rule

To add a rule              Select from menu
after the last rule        Rules>Add Rule>Bottom
before the first rule      Rules>Add Rule>Top
after the current rule     Rules>Add Rule>After
before the current rule    Rules>Add Rule>Before
to the current rule        Rules>Add Sub-Rule

Each of these commands also has a toolbar button.

Note - The current rule is the one that is highlighted. To select a rule, click on its number.

A new rule will be added to the Rule Base, and default values will appear in all the data fields. You can modify the default values as needed. You can also right-click in the Name column of a rule to display the Rule menu (FIGURE 2-4).

FIGURE 2-4 Rule menu

TABLE 2-2 Rule Menu Items

Menu Option           Explanation
Add Rule Above        Add a rule before the current rule.
Add Rule Below        Add a rule after the current rule.
Add Sub-Rule          Add a sub-rule after the current rule.
Delete Rule           Delete the current rule.
Copy Rule             Copy the current rule to the clipboard.
Cut Rule              Delete the current rule and put it on the clipboard.
Paste Rule            Paste the rule on the clipboard (a menu will be displayed where you can specify whether to paste the rule above or below the current rule).
Add Class of Service  Specify a Class of Service (see DiffServ on page 76).
Hide Rule             Hide the current rule. The rule is still part of the Rule Base and will be installed when the QoS Policy is installed.
Disable Rule          Disable the selected rule. The rule appears in the Rule Base but is not enforced by the QoS Policy.
Rename Rule           Rename the current rule.
Matching Method       This feature is not relevant in FloodGate-1 NG. It is kept for backward compatibility only.

The current rule is the currently selected rule.

To Name a Rule

When you add a new rule to the Rule Base and when you rename a rule, you will be asked to specify the rule's name in the Rule Name window (FIGURE 2-5).

FIGURE 2-5 Rule Name window

To Copy, Cut or Paste Rules

To copy, cut or paste a rule, first make sure it is selected.

TABLE 2-3 Copying, Cutting and Pasting Rules

Action    Select from menu
Cut       Edit>Cut
Copy      Edit>Copy
Paste     Edit>Paste

Each action also has a toolbar button. If you choose Paste, then the Paste menu will be opened. You must then select Before, After, Top, or Bottom to specify where in the Rule Base to paste the rule.

To Delete a Rule

To delete a rule, select it, and then delete it using the following menu commands or toolbar buttons.

TABLE 2-4 Deleting a Rule

Action    Select from menu
Cut       Edit>Cut (or the corresponding toolbar button)

You can also use the right-click menu of the selected rule to delete it.

Modifying a Rule

In This Section
To Modify a Rule on page 40
To Affect the Rule's Source on page 40
To Affect the Rule's Destination on page 43
To Affect Services in the Rule on page 44
To Affect Actions in the Rule on page 46
To Affect Tracking in the Rule on page 48
To Affect Time in the Rule on page 50
To Add a Comment to the Rule on page 51

To Modify a Rule

To modify a rule, add, modify, or delete data field values until the rule is as desired. Right-click in a data field to open an Object menu. The choices displayed in the menu will depend on the field in which you right-clicked.

TABLE 2-5 Network Objects Roadmap

network object   GUI instructions                               further information
Source           To Affect the Rule's Source on page 40         Rule Base Management on page 68
Destination      To Affect the Rule's Destination on page 43    Rule Base Management on page 68
Service          To Affect Services in the Rule on page 44      Rule Base Management on page 68
Action           To Affect Actions in the Rule on page 46       Rule Base Management on page 68
Track            To Affect Tracking in the Rule on page 48      Rule Base Management on page 68
Install On       Install On on page 49                          Rule Base Management on page 68
Time             To Affect Time in the Rule on page 50          Rule Base Management on page 68
Comments         To Add a Comment to the Rule on page 51        Rule Base Management on page 68

To Affect the Rule's Source

When you right-click in the Source column, the following menu is displayed (FIGURE 2-6).

FIGURE 2-6 Source Object menu

- Add: The Add Object window (FIGURE 2-7) is displayed, from which you can select network objects to add to the rule's Source. You can define any number of items in Source. The Add Object window displays network objects defined in the FireWall-1 Security Policy and the FloodGate-1 QoS Policy. You can use the Add Object window to define new objects and delete or modify objects. For more information, see Chapter 5, Network Objects in the Check Point SmartCenter Guide.

FIGURE 2-7 Add Object window (network objects)

- Add Users Access: The Users Access window (FIGURE 2-8) is displayed, from which you can select a user group(s) to add to the rule's Source.

FIGURE 2-8 User Access window

  1 Choose one of the user groups.
  2 Make the appropriate choice under Location. If you check No Restriction, then there will be no restriction on the source of the users. For example, if you choose AllUsers and check No Restriction, then AllUsers@Any will be inserted under Source in the rule. If you check Restrict To, then the source will be restricted to the network object you select in the list box. For example, in FIGURE 2-8, the source object in the rule will be AllUsers@Local_Net.
  3 Click on OK.

- Edit: Edit the selected object. You must first select one of the objects already defined under Source. The appropriate window is opened (depending on the type of the selected object), and you can change the object's properties. Alternatively, you can double-click on an object to edit it.
- Delete: Delete the selected object. You must first select one of the objects already defined under Source. If you delete the last object, it is replaced by Any.
- Cut: Delete the selected object and put it on the clipboard. You must first select one of the objects already defined under Source.
- Copy: Copy the selected object to the clipboard.

  You must first select one of the objects already defined under Source.
- Paste: Paste the object from the clipboard to the rule's Source.
- Show: Show the object in the Topology view.

To Affect the Rule's Destination

FIGURE 2-9 Destination Object menu

- Add: The Add Object window (FIGURE 2-7 on page 41) is displayed, from which you can select network objects to add to the rule's Destination. You can define any number of items in Destination.
- Edit: Edit the selected object. You must first select one of the objects already defined under Destination. The appropriate window is opened (depending on the type of the selected object), and you can change the object's properties. Alternatively, you can double-click on an object to edit it.
- Delete: Delete the selected object. You must first select one of the objects already defined under Destination. If you delete the last object, it is replaced by Any.
- Cut: Delete the selected object and put it on the clipboard. You must first select one of the objects already defined under Destination.
- Copy: Copy the selected object to the clipboard. You must first select one of the objects already defined under Destination.
- Paste: Paste the object from the clipboard to the rule's Destination.
- Show: Show the object in the Topology view.

To Affect Services in the Rule

FIGURE 2-10 Services menu

- Add: The Add Object window (FIGURE 2-11) is displayed, from which you can select services to add to the rule.

FIGURE 2-11 Add Object window (services)

  You can also add, delete or modify services from this window. See Services and Resources in the Check Point SmartCenter Guide for more information.

- Add with Resource: Add a resource to the Service field. The Services with Resource window (FIGURE 2-12) is displayed.

FIGURE 2-12 Services with Resource window

  URI for QoS is used for identifying HTTP traffic according to the URL (URI). Do not use the protocol prefix when setting up a URI resource. Only resources of type URI for QoS (see the URI for QoS Definition window in the Check Point SmartCenter Guide) can be added to the FloodGate-1 Rule Base. In addition, only one URI for QoS resource can be used in a single rule.

Note - Previous versions of FloodGate-1 have not been limited in the number of URI for QoS resources allowed per rule. If you are using a QoS Policy originally designed for use with a previous FloodGate-1 version, be sure to redefine any rule including more than one resource in its Service field.

  HTTP services with URI for QoS resources can be defined on all ports (see Enabling for TCP Resource in the Check Point SmartCenter Guide). For information about defining URI for QoS resources for use in the FloodGate-1 Rule Base, see Services and Resources in the Check Point SmartCenter Guide.

- Edit: Edit the selected object. You must first select one of the objects already defined under Service. The appropriate window is opened (depending on the type of the selected object), and you can change the object's properties. Alternatively, you can double-click on an object to edit it.
- Delete: Delete the selected object. You must first select one of the objects already defined under Service.
- Cut: Delete the selected object and put it on the clipboard.

  You must first select one of the objects already defined under Service.
- Copy: Copy the selected object to the clipboard. You must first select one of the objects already defined under Service.
- Paste: Paste the object on the clipboard in the rule's Service.

To Affect Actions in the Rule

When you right-click in the Action column, the following menu is displayed (FIGURE 2-13).

FIGURE 2-13 Action menu

TABLE 2-6 Action Menu Selections

Edit Properties    Open the QoS Action Properties window. See QoS Action Properties Window below for information on defining each of the fields in the Action Properties window.
Reset to Default   Reset the rule's properties to their default values. The default values are defined in the FloodGate-1 tab of the Global Properties window (see FloodGate-1 Global Properties on page 31).

QoS Action Properties Window

Right-click on Action > Edit Properties in any Rule Base rule to define the Action. The QoS Action Properties window is displayed. In the QoS Action Properties window:

Note - When Express FloodGate-1 has been installed, Advanced Actions are not available.

Action Type: select one of the following:
- Simple: the full set of actions with the exception of the Guarantee Allocation and the per connection limit features
- Advanced: the full set of actions with the Guarantee Allocation feature included
- VPN Traffic: perform matching for VPN Traffic

- Allow rule only to encrypted traffic: Check this box if you want the rule to be matched only by VPN traffic. If you do not check this field, rules will be matched by all traffic types, i.e., VPN and non-VPN traffic. VPN traffic means traffic that is encrypted in this same gateway by Check Point VPN-1. This field does not apply to traffic that was encrypted prior to arriving at this gateway. This type of traffic can be matched using the "IPSec" service; see Services and Resources in the Check Point SmartCenter Guide. For further explanation on how to use this check box for prioritizing VPN traffic over non-VPN, see Matching VPN Traffic on page 69.

Action Properties: the QoS Action Properties of a rule define the restrictions on bandwidth for connections to which the rule applies.
- Rule Weight: checked by default; recommended to leave as is to avoid complete loss of bandwidth. For detailed information see Weights on page 70.
- Rule Limit: restricts the total bandwidth consumed by the rule. For detailed information see Limits on page 71.

Tip - When using weights or guarantees, the weighted fair queuing algorithm that FloodGate-1 makes use of assures that no bandwidth is ever wasted. Spare bandwidth is divided among the backlogged rules. However, if you set a rule limit, the rule will not use spare bandwidth above this limit.

- Rule Guarantee: defines the absolute bandwidth allocated to the rule. For detailed information see Guarantees on page 70.

Note - The number you enter for the Rule Guarantee cannot be larger than the Rule Limit.

Advanced Window Definitions

- Rule Weight: checked by default; recommended to leave as is, or at least make sure that the rule weight is not empty, to avoid the rule's complete loss of bandwidth. For detailed information see Weights on page 70.

Warning - 0 rate in conjunction with 0 guarantee can lead to the rule's complete loss of bandwidth. To prevent this from happening, retain some ratio in the Rule Weight. The default is 10.

- Limit: a limit defines a point beyond which connections under a rule will not be allocated bandwidth, even if there is unused bandwidth available. For detailed information see Limits on page 71.
  Rule Limit: restricts the total bandwidth consumed by the rule

  Per Connection limit: sets the rule limit per connection

Note - The number you enter for the Rule Guarantee cannot be larger than the Rule Limit.

- Guarantee Allocation: allocates a minimum bandwidth to the connections matched with a rule. For detailed information see Guarantees on page 70.
  Guarantee: defines the absolute bandwidth allocated to the rule
  Per rule: restricts (in bits per second) the total bandwidth consumed by the rule
  Per connection: restricts (in bits per second) the absolute bandwidth allocated per connection
  Per connection guarantee: allocates a minimum bandwidth per connection (in bits per second)
  Number of guaranteed connections: allocates a minimum number of guaranteed connections

Note - The Number of guaranteed connections multiplied by the Per connection guarantee cannot be greater than the rule limit.

  Accept additional non guaranteed connections: when checked, connections without per connection guarantees pass through this rule and receive any left over bandwidth. This only occurs if all other conditions have been met.

Note - Select a non-zero rule weight when Accept additional non-guaranteed connections is checked.

To Affect Tracking in the Rule

For a detailed discussion on Tracking and Logging see Overview of Logging on page 87. For information on how to turn logging on see Enabling Log Collection on page 63.

TABLE 2-7 Track

Track Menu   Meaning
             No logging for this connection.
Log          Log the connection.
Account      Log in Accounting format.

Install On

The Install On field specifies on which interfaces of the FloodGate module the rule will be enforced. You can select any number of Install On objects.

Add - Open the Add Interface window (FIGURE 2-14) to add an interface on which to install the rule.

FIGURE 2-14 Add Interface window

Select one of the following: a module (and all its interfaces on which QoS is defined), an interface (in both directions), or one direction of an interface.

Delete - Remove the selected object from the list of Install On objects. You must first select one of the objects already defined under Install On.

In order to install a FloodGate-1 QoS Policy on a gateway's interface(s), you must:

1) Make sure the gateway has a FloodGate-1 module installed.

2) Check FloodGate-1 under Check Point products installed in the General page of the Properties window (see FIGURE 2-15 on page 50).

FIGURE 2-15 Properties window - General page

3) Define the active interfaces in the QoS tab of the Interface Properties window. Only active interfaces will be listed in the Add Interface window (FIGURE 2-14). For information about the fields of the QoS tab, see Interface Properties on page 33.

To Affect Time in the Rule

Add - The Add Object window for Time objects (FIGURE 2-16) is displayed, from which you can select time objects to add to the rule's Time.

You can define any number of items in Time.

FIGURE 2-16 Add Object window - Time Objects

Edit - Edit the selected object. You must first select one of the objects already defined under Time. The appropriate window is opened (depending on the type of the selected object), and you can change the object's properties. Alternatively, you can double-click on an object to edit it.

Delete - Delete the selected object. You must first select one of the objects already defined under Time.

To Add a Comment to the Rule

You can add comments to a rule. Double-click on the Comment field to open the Comment window (FIGURE 2-17).

FIGURE 2-17 Comment window

Type any text you wish to add in the text box.

Sub-Rules

Sub-rules are rules that allocate bandwidth more specifically within a rule. For example, consider the rule shown in FIGURE 2-18.

FIGURE 2-18 Rule Base with Sub-Rules

The bandwidth allocated to the Internet VPN rule is further allocated among the sub-rules Financial Apps through Default under Internet VPN (see the rule tree).

In This Section

To define a sub-rule on page 52
To View Sub-Rules on page 52

To define a sub-rule, proceed as follows:

1 Select the rule under which the sub-rule is to be defined.
2 Right-click in the Rule Name column.
3 Select Add Sub-rule from the menu.

To View Sub-Rules

The sub-rules under a main rule can be seen by expanding the rule in the QoS Rule Tree. To view sub-rules in the Rule Base itself, click on one of the sub-rules in the relevant main rule. The Rule Base will show all the sub-rules for that rule.

DiffServ

In This Section

To Implement DiffServ Marking in FloodGate-1 on page 53
To Define a DiffServ Class on page 54
To Define a DiffServ Class of Service Group on page 56
To Add QoS Class Properties for Expedited Forwarding on page 57
To Add QoS Class Properties for Non Expedited Forwarding on page 57

To Implement DiffServ Marking in FloodGate-1

For a detailed discussion on DiffServ see Diffserv on page 76. Proceed as follows:

1 Define one or more DiffServ Classes of Service using the QoS Classes window. You may also define a Class of Service Group. For more information, see To Define a DiffServ Class on page 54.
2 In the QoS tab of the Interface Properties window of all interfaces on which the DiffServ class will be implemented (see Interface Properties on page 33), click Add under DiffServ and Low Latency classes to add a new class, or Edit to edit the properties of an existing class.
3 In the Add QoS Class Properties window, select the QoS class and define the Inbound and Outbound parameters.
4 Click OK.

You can now add QoS Classes to the QoS Policy Rule Base. To do so:

5 Right-click in the Name column of a rule and choose Add Class of Service, or choose Add QoS Class from the Rules menu.
6 Specify whether the class should appear above or below the rule in the Rule Base.
7 Choose the required Class of Service from the drop-down menu in the Add Class of Service window (FIGURE 2-19).

FIGURE 2-19 Add Class of Service window

8 Click OK. A DiffServ class header will appear in the Rule Base.
9 Add rules under the QoS Class you defined, by either choosing Rules>Add Rule>Below from the menu, or right-clicking on the QoS Class and choosing Add Rule>Below from the menu.

To Define a DiffServ Class

Select Manage>QoS>QoS Classes from the SmartDashboard menu. The QoS Classes window (FIGURE 2-20) is displayed.

FIGURE 2-20 QoS Classes window

To define a new DiffServ class, click New and select either DiffServ Class of Service, to display the Class of Service Properties window (FIGURE 2-21), or DiffServ Class of Service Group, to display the Group Properties window (FIGURE 2-22).

Class of Service Properties Window

FIGURE 2-21 Class of Service Properties window

Name - The name of the Class of Service.

Comment - Enter the text to be displayed when this class is selected in the QoS Classes window (FIGURE 2-20).

Color - Select a color from the drop-down list.

Type - Select a type from the drop-down list. You may choose a predefined or user-defined class.

DiffServ code - This read-only field displays the DiffServ marking as a bitmap.

To Define a DiffServ Class of Service Group

FIGURE 2-22 QoS Class of Services Group window

Name - The group's name.

Comment - This text is displayed at the bottom of the QoS Classes window (FIGURE 2-20 on page 54).

Color - Select the desired color from the drop-down list.

To add a DiffServ class to the group, select the class in the list box labeled Not in Group, and click Add. To delete a class from the group, select the class in the list box labeled In Group, and click Remove.

To Add QoS Class Properties for Expedited Forwarding

FIGURE 2-23 Add Low Latency QoS Class Properties window

To display this window, click Add or Edit under Low Latency Classes or DiffServ>Expedited Forwarding in the QoS tab of the Interface Properties window (FIGURE 2-2 on page 34). Define at least one inbound or outbound direction.

Class - Select a Low Latency class from the list of defined classes.

Inbound - Define the portion of the interface's inbound capacity to be marked.

Constant Bit Rate - The constant bit rate at which packets of this class will be transmitted.

Maximal Delay - The maximum delay that will be tolerated for packets of this class. Packets that exceed this delay are dropped.

Outbound - Define the portion of the interface's outbound capacity to be marked by defining a Constant Bit Rate and a Maximal Delay.

To Add QoS Class Properties for Non Expedited Forwarding

Click Add or Edit under DiffServ>Others in the QoS tab of the Interface Properties window (FIGURE 2-2 on page 34). The Add QoS Class Properties window is displayed.

QoS Class - Select a DiffServ Class from the list of defined classes.

Inbound - Define the portion of the interface's inbound capacity to be marked.

Guaranteed Bandwidth - The bandwidth guaranteed to be marked with the QoS Class.

Bandwidth Limit - The upper limit of the bandwidth to be marked with the QoS Class. Traffic in excess of the Bandwidth Limit will not be marked. For example, if the interface's capacity is 256MB and you set Guaranteed Bandwidth to 128MB and Bandwidth Limit to 192MB, then traffic beyond 192MB will not be marked.

Outbound - Define the portion of the interface's outbound capacity to be marked by defining a Guaranteed Bandwidth and a Bandwidth Limit.

Low Latency Classes

For more detailed information, please see Low Latency Queuing on page 77.

In This Section

To Implement Low Latency Queuing on page 58
To Define Low Latency Classes of Service on page 59
To Define Class of Service Properties for Low Latency Queuing on page 60
To Add QoS Class Properties Window - Low Latency Queuing on page 60

To Implement Low Latency Queuing

Having defined one or more Low Latency Classes of Service, you can implement Low Latency Queuing as follows:

1 In the QoS tab of the Interface Properties window of all interfaces on which Low Latency classes will be implemented (see Interface Properties on page 33), click Add under DiffServ and Low Latency classes to add a new class, or Edit to edit the properties of an existing class.
2 In the Add QoS Class Properties window (FIGURE 2-26 on page 60), select the Low Latency class and define the Inbound and Outbound parameters (see To Add QoS Class Properties Window - Low Latency Queuing on page 60).
3 Click OK.

You can now add Low Latency Classes to the QoS Policy Rule Base. To do so:

4 Right-click in the Name column of a rule and choose Add Class of Service, or choose Add QoS Class from the Rules menu.
5 Specify whether the class should appear above or below the rule in the Rule Base.

Note - The order of the classes in the Rule Base must be DiffServ, followed by Low Latency, and then Best Effort. You will not be able to add a Low Latency class to the Rule Base above any DiffServ classes you may have.

6 Choose the required Class of Service from the drop-down menu in the Add Class of Service window (FIGURE 2-24).

FIGURE 2-24 Add Class of Service window

7 Click OK. A class header will appear in the Rule Base.
8 Add rules under the QoS Class you defined, by either choosing Rules>Add Rule>Below from the menu, or right-clicking on the QoS Class and choosing Add Rule>Below from the menu.

To Define Low Latency Classes of Service

Before a Low Latency class can be implemented on an interface and used in the FloodGate-1 Rule Base, it must be defined. To define a Low Latency Class of Service, select Manage>QoS>QoS Classes from the SmartDashboard menu. The QoS Classes window (FIGURE 2-20 on page 54) is displayed. To define a new Low Latency class, click New and select Low Latency Class of Service to display the Class of Service Properties window (FIGURE 2-25 on page 60).

To Define Class of Service Properties for Low Latency Queuing

FIGURE 2-25 Class of Services window - Low Latency Queuing

Name - The name of the Class of Service.

Comment - Enter the text to be displayed when this class is selected in the QoS Classes window (FIGURE 2-20 on page 54).

Color - Select a color from the drop-down list.

Class Priority - Select one of the five priority types from the drop-down list (Class 1 being the highest priority).

To Add QoS Class Properties Window - Low Latency Queuing

FIGURE 2-26 Add QoS Class Properties window - Low Latency Queuing

To display this window, click Add or Edit under DiffServ and Low Latency classes in the QoS tab of the Interface Properties window (FIGURE 2-2 on page 34).

Class - Select a Low Latency class from the list of defined classes.

Inbound - Define the Constant Bit Rate and Maximal Delay for inbound traffic.

Constant Bit Rate - The constant bit rate at which packets of this class will be transmitted.

Maximal Delay - The maximum delay that will be tolerated for packets of this class.

Outbound - Define the Constant Bit Rate and Maximal Delay for outbound traffic.

Completing the Rule Base

In This Section

To Verify and View the QoS Policy on page 61
To Install and Enforce the Policy on page 62
To Uninstall the QoS Policy on page 63
To Monitor the QoS Policy on page 63

To Verify and View the QoS Policy

When you have defined the desired rules, open the Policy menu and select Verify to perform a heuristic check on the Rule Base. Verification checks that the rules are consistent and that no rule is redundant. If a Rule Base fails the verification, an appropriate message will appear. You must save a Rule Base before verifying; otherwise, changes made since the last save will not be checked. To view the generated rules as ASCII text, select View from the Policy menu.

To Install and Enforce the Policy

Installing a QoS Policy means downloading it to the FloodGate Modules that will enforce it. There must be a FloodGate Module running on the object which is receiving the QoS Policy.

Note - The FloodGate Module machine and the SmartCenter module machine must be properly configured before a QoS Policy can be installed.

Perform the following steps in order to install and enforce the QoS policy:

1 Create a new QoS Policy by selecting New from the File menu. In the displayed window, name the new QoS policy, select whether you would like the QoS policy to be Traditional or Express, and click OK to save all configurations and to display the QoS tab.
2 Configure the QoS rule base by defining QoS rules.
3 Once the rule base is complete, select Install from the Policy menu. The Install Policy window is displayed. In this window you can specify the FloodGate-1 modules on which you would like to install your new QoS policy. By default, all FloodGate-1 modules are already selected. (In order for an object to be a FloodGate-1 module, it needs to have FloodGate-1 checked under Products Installed in the Object Properties window.) The objects in the list are those that have FloodGate-1 Installed checked in their definition (see Interface Properties on page 33). You may unselect and reselect specific items, if you wish. The QoS Policy will not be installed on unselected items.
4 Click OK to install the QoS Policy on all selected hosts. The installation progress window is displayed.

To Uninstall the QoS Policy

Choose Uninstall from the Policy menu to remove the QoS Policy from the selected hosts. The Install Policy window is then displayed. In this window you can deselect the FloodGate-1 modules from which you would like to uninstall the QoS policy.

To Monitor the QoS Policy

The Check Point SmartView Monitor allows you to monitor traffic through a floodgated interface. For more information, see the Check Point SmartView Monitor User Guide.

FloodGate Modules Status

To display the status of FloodGate-1 Modules controlled by the SmartCenter Server, use the Check Point Status Manager application and the SmartView Monitor. For information about the Check Point Status Manager, see Status Manager in the Check Point SmartCenter Guide.

Enabling Log Collection

If you want a connection to be logged, make sure the FloodGate-1 logging flag is turned on and that the connection's matching rule is marked with the track action Log or Account. For information on how FloodGate-1's logging features work, see Overview of Logging on page 87.

In This Section

To Turn on QoS Logging on page 64
To Create a Track Log or Account Rule on page 64
To Start the SmartView Tracker on page 65

To Turn on QoS Logging

A FloodGate Module logs to the Check Point Accounting log if Turn on QoS Logging is checked in the Additional Logging page (under Logs and Masters) of the FloodGate Module's Properties window (FIGURE 2-27 on page 64).

FIGURE 2-27 Properties window - Additional Logging Configuration

To Create a Track Log or Account Rule

Select the rule whose connections will be logged. Right-click on the Track option for that rule and select either Log or Account.

FIGURE 2-28 Track - Logging or Accounting

To Start the SmartView Tracker

To start the SmartView Tracker, double-click on the SmartView Tracker icon, or choose SmartView Tracker from the Window menu in the SmartDashboard window.

FIGURE 2-29 Log showing FloodGate-1 entries

Note - The SmartCenter Server reads the Log File and sends the data to the GUI Client for display. The GUI Client only displays the data.

It is now possible to view log data according to:

Rule Name
Rules using DiffServ
Control type, having to do with install and uninstall logs

For more information, see SmartView Tracker on page 575 of the Check Point SmartCenter Guide.


CHAPTER 3 QoS Policy Management

In This Chapter

Network Objects on page 67
Services and Resources on page 67
Rule Base Management on page 68
Using Guarantees and Limits on page 71
Diffserv on page 76
Low Latency Queuing on page 77

Network Objects

Network objects serve as the sources and destinations that are defined in QoS Policy rules. The network objects that can be used in FloodGate-1 rules include workstations, networks, domains, and groups. Information about network objects can be found in Network Objects of the Check Point SmartCenter Guide.

Services and Resources

FloodGate-1 allows you to define QoS rules not only based on the source and destination of each communication, but also according to the service requested. The services that can be used in FloodGate-1 rules include TCP, Compound TCP, UDP, and ICMP services. Resources can also be used in a FloodGate-1 Rule Base; they must be of type URI for QoS. General information about services and resources can be found in Services and Resources in the Check Point SmartCenter Guide.

Rule Base Management

After you have defined your network objects, services and resources, you can use them in building a Rule Base. For installation instructions and instructions on building a Rule Base see Editing a Rule Base on page 35.

Packets are matched against the first three components (Source, Destination, and Service) of the rule, the Time at which the packet is inspected, and the VPN Traffic attribute, if it has been checked in the QoS Action Properties window. The first rule that matches a packet is applied, and the specified Action is taken. The communication may be logged, depending on the value of the Track field.

The QoS Policy Rule Base is similar to the Security Policy Rule Base. General information about Policy Rule Bases can be found in Security Policy Rule Base of the Check Point SmartCenter Guide.

FIGURE 3-1 SmartDashboard Rule Base window

Note - It is best to organize lists of objects (network objects and services) in groups rather than in long lists. Using groups will give you a better overview of your QoS Policy and will lead to a more readable Rule Base. In addition, objects added to groups will be automatically included in the rules.

Default Rule

A default rule is automatically added to each QoS Policy Rule Base, and assigned the weight specified in the FloodGate-1 page of the Global Properties window (see Network Objects on page 67). You can modify the weight, but you cannot delete the default rule (see Weights on page 70). The default rule applies to all connections not classified by the other rules in the Rule Base. In addition, a default rule is automatically added to each group of sub-rules, and applies to connections not classified by the other sub-rules in the group (see To Verify and View the QoS Policy on page 61).

Matching VPN Traffic

When Encrypt Traffic is checked in the QoS Action Properties window, only VPN traffic is matched to the rule. If this field is not checked, all types of traffic (i.e. both VPN and non-VPN) are matched to the rule. VPN traffic is traffic that is encrypted in the same gateway by Check Point VPN-1. VPN traffic does not refer to traffic that was encrypted prior to arriving at this gateway. This type of traffic can be matched using the IPSec service, see Services and Resources in the Check Point SmartCenter Guide.

Use the Encrypt Traffic field to build a rule base in which you define QoS actions for VPN traffic that are different from the actions that will be applied to non-VPN traffic. Since FloodGate-1 uses the First Rule Match concept (see First Rule Match Principle on page 120), the VPN traffic rules should be defined as the top rules in the rule base. Below them, rules that will apply to all types of traffic should be defined. Other types of traffic will skip the top rules and match one of the non-VPN rules defined below the VPN traffic rules.

In order to completely separate VPN traffic from non-VPN traffic, define the following rule at the top of the QoS rule base:

TABLE 3-1 VPN Traffic Rule

Name      Source  Dest  Service  Action
VPN rule  Any     Any   Any      VPN Encrypt, and other configured actions

All the VPN traffic will be matched to this rule. The rules following this VPN Traffic Rule will be matched only by non-VPN traffic. You can define sub-rules below the VPN Traffic rule that classify the VPN traffic more granularly, see Bandwidth Allocation and Sub-Rules on page 71.

Simple or Advanced QoS

In the QoS Action Properties window, you are required to select whether you would like Simple QoS or Advanced QoS. By this stage, you should already have decided whether your policy is Regular or Express, see Regular FloodGate-1 vs. FloodGate-1 Express on page 23. Simple QoS can be selected when you use Traditional or Advanced FloodGate-1, whereas Advanced QoS can only be used in Traditional Mode.

The QoS Action Properties of a rule define the restrictions on bandwidth for connections to which the rule applies. QoS Action Properties may be of four types: weights, guarantees, limits, and VPN traffic. These are defined in the QoS Action Properties window, see QoS Action Properties Window on page 46.

Chapter 3 QoS Policy Management 69

Weights

Weight is the relative portion of the available bandwidth that will be allocated to a rule. To calculate what portion of the bandwidth the connections allocated under a rule will receive, use the following formula:

this rule's portion = this rule's weight / total weight of all rules with open connections

A rule may also get more than the bandwidth allocated by this formula, if other rules are not using their maximum allocated bandwidth. For example, if this rule's weight is 12 and the total weights of all the rules under which connections are currently open at a given moment is 120, then all the connections open under this rule will be allocated 12/120 (or 10%) of the available bandwidth.

Unless there is a per connection limit or guarantee defined for a rule, all connections under the rule will receive equal weight. Units are configurable. See Network Objects on page 67 for more information.

Guarantees

A guarantee allocates a minimum bandwidth to the connections matched with a rule. Guarantees can be defined:

for the sum of all connections within a rule - A total rule guarantee reserves a minimum bandwidth for all the connections under a rule combined. The actual bandwidth allocated to each connection will depend on the number of open connections that match the rule. The total bandwidth allocated to the rule will be no less than the guarantee, but the more connections are open, the less bandwidth each one will receive.

for individual connections within a rule - A per connection guarantee reserves a minimum bandwidth for each connection under a rule.

For more information and examples of guarantees, see Sub-Rules on page 52.

Limits

A limit defines a point beyond which connections under a rule will not be allocated bandwidth, even if there is unused bandwidth available. Limits can also be defined for the sum of all connections within a rule or for individual connections within a rule. For more information and examples of limits, see Sub-Rules on page 52.

Bandwidth Allocation and Sub-Rules

When a connection is matched to a rule with sub-rules, a further match is looked for among the sub-rules. If none of the sub-rules apply, the default rule for the specific group of sub-rules (see Default Rule on page 68) is applied. Sub-rules can be nested, meaning that sub-rules themselves can have sub-rules. When sub-rules are nested, extra bandwidth goes first to the other members of a sub-rule group, and only then to another sub-rule at the same level.

Using Guarantees and Limits

The QoS Action properties defined in the rules and sub-rules of a QoS Policy Rule Base interact with one another to determine bandwidth allocation. The following guidelines and examples explain how to use guarantees and limits effectively.

Per Rule Guarantees

1) The bandwidth allocated to the rule is a combination of the bandwidth guaranteed to the rule, plus the bandwidth that is given to the rule because of its weight. The guaranteed bandwidth is first extracted from the total bandwidth and set aside so that the guarantee can be upheld. The remaining bandwidth is distributed according to the weights specified by all the rules.

Example:

TABLE 3-2 Total Rule Guarantees

Rule Name  Source  Destination  Service  Action
Rule A     Any     Any          ftp      Rule Guarantee - 100KBps, Weight 10
Rule B     Any     Any          http     Weight 20

The link capacity is 190KBps. In this example, Rule A will receive 130 KBps: 100 KBps from the guarantee, plus (10/30) * (190 - 100). Rule B will receive 60 KBps, which is (20/30) * (190 - 100).

2) If a guarantee is defined in a sub-rule, then a guarantee must be defined for the rule above it.

Example:

TABLE 3-3 Guarantee is Defined in Sub-rule A1, But Not in Rule A

Rule Name           Source    Destination  Service  Action
Rule A              Any       Any          ftp      Weight 10
  Start of Sub-Rule
  Rule A1           Client-1  Any          ftp      Rule Guarantee - 100KBps, Weight 10
  Rule A2           Client-2  Any          ftp      Weight 10
  End of Sub-Rule
Rule B              Any       Any          http     Weight 30

This Rule Base is not correct because the guarantee is defined in sub-rule A1, but not in Rule A. To correct this, add a guarantee of 100KBps or more to Rule A.

3) A rule guarantee must not be smaller than the sum of guarantees defined in its sub-rules.

Example:

TABLE 3-4 Example of an Incorrect Rule Base

Rule Name           Source    Destination  Service  Action
Rule A              Any       Any          ftp      Rule Guarantee - 100KBps, Weight 10
  Start of Sub-Rule
  Rule A1           Client-1  Any          ftp      Rule Guarantee - 80KBps, Weight 10
  Rule A2           Client-2  Any          ftp      Rule Guarantee - 80KBps, Weight 10
  Rule A3           Client-3  Any          ftp      Weight 10
  End of Sub-Rule
Rule B              Any       Any          http     Weight 30

This Rule Base is incorrect because the sum of guarantees in Sub-Rules A1 and A2 is (80 + 80) = 160, which is greater than the guarantee defined in Rule A (100 KBps). To correct this, define a guarantee not smaller than 160KBps in Rule A, or reduce the guarantees defined in A1 and A2.

4) If a rule's weight is low, some connections may receive very little bandwidth.

Example:

TABLE 3-5 If a Rule's Weight is Low, Some Connections May Receive Very Little Bandwidth

Rule Name           Source    Destination  Service  Action
Rule A              Any       Any          ftp      Rule Guarantee - 100KBps, Weight 1
  Start of Sub-Rule
  Rule A1           Client-1  Any          ftp      Rule Guarantee - 100KBps, Weight 10
  Rule A2           Client-2  Any          ftp      Weight 10
  End of Sub-Rule
Rule B              Any       Any          http     Weight 30

The link capacity is 190KBps. Rule A is entitled to 103KBps, which is the 100KBps guaranteed, plus (190 - 100) * (1 / 31). FTP traffic classified to Sub-Rule A1 will receive the guaranteed 100KBps, which is almost all the bandwidth to which Rule A is entitled. All connections classified to Sub-Rule A2 will together receive only 1.5KBps, which is half of the remaining 3KBps.

5) The sum of guarantees in rules in the first level should not exceed 90% of the capacity of the link.

Per Connection Guarantees

1) If Accept Additional Non Guaranteed Connections is checked, connections exceeding the number defined in Number of Guaranteed Connections will be allowed to open. If you leave the edit box adjacent to Accept Additional Non Guaranteed Connections empty, the additional connections will receive bandwidth allocated on behalf of the Rule Weight defined.

2) If Per connection guarantees are defined both for a rule and for its sub-rule, the Per connection guarantee of the sub-rule should not be greater than the Per connection guarantee of the rule.
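The allocation described under Weights and in Per Rule Guarantees 1), and worked through in TABLE 3-2 and TABLE 3-5, can be reproduced with the following model: guarantees are set aside first, the remainder is shared by weight, and each rule's share becomes the capacity its sub-rules divide. This is an added example written for this page, not Check Point code; it assumes every rule is backlogged, that a Rule Limit is a hard cap whose unused share returns to the sibling rules (the behaviour the Tip in chapter 2 describes), and uses KBps as in the tables.

```python
"""Model of per-rule bandwidth allocation with weights, guarantees and limits.

Added example for this page; it is not Check Point code.  All rules are
assumed to be backlogged (traffic is waiting on every rule), which is the
situation the tables in this chapter describe.  Rates are in KBps.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    weight: float = 10.0           # relative share of leftover bandwidth (default 10)
    guarantee: float = 0.0         # Rule Guarantee: set aside before weights apply
    limit: Optional[float] = None  # Rule Limit: never exceeded, even with spare bandwidth
    sub_rules: List["Rule"] = field(default_factory=list)


def allocate(rules: List[Rule], capacity: float) -> Dict[str, float]:
    """Split capacity among sibling rules and, recursively, their sub-rules.

    1. Each rule first receives its guarantee.
    2. What remains is shared in proportion to weight.  A rule that reaches its
       limit is frozen there and the share it cannot use is redistributed among
       the remaining rules, so spare bandwidth is never wasted.
    3. A rule's final allocation is the capacity its own sub-rules divide.
    """
    alloc = {r.name: r.guarantee for r in rules}
    spare = capacity - sum(r.guarantee for r in rules)
    if spare < 0:
        raise ValueError("guarantees exceed the available capacity")
    # A rule with weight 0 and no guarantee gets nothing: the Warning in chapter 2.
    open_rules = [r for r in rules if r.weight > 0]
    while spare > 1e-9 and open_rules:
        total_weight = sum(r.weight for r in open_rules)
        returned, still_open = 0.0, []
        for r in open_rules:
            share = spare * r.weight / total_weight
            if r.limit is not None and alloc[r.name] + share >= r.limit:
                returned += alloc[r.name] + share - r.limit  # excess goes back to siblings
                alloc[r.name] = r.limit
            else:
                alloc[r.name] += share
                still_open.append(r)
        spare, open_rules = returned, still_open
    result: Dict[str, float] = {}
    for r in rules:
        result[r.name] = alloc[r.name]
        if r.sub_rules:
            result.update(allocate(r.sub_rules, alloc[r.name]))
    return result


# TABLE 3-2: Rule A guarantee 100KBps, weight 10; Rule B weight 20; link 190KBps.
TABLE_3_2 = [Rule("Rule A", weight=10, guarantee=100), Rule("Rule B", weight=20)]

# TABLE 3-5: Rule A has weight 1 and a sub-rule group in which A1 holds the
# whole guarantee, so A2 is left with half of a very small remainder.
TABLE_3_5 = [
    Rule("Rule A", weight=1, guarantee=100, sub_rules=[
        Rule("Rule A1", weight=10, guarantee=100),
        Rule("Rule A2", weight=10),
    ]),
    Rule("Rule B", weight=30),
]


if __name__ == "__main__":
    for label, rules in (("TABLE 3-2", TABLE_3_2), ("TABLE 3-5", TABLE_3_5)):
        print(label)
        for name, kbps in allocate(rules, 190).items():
            print(f"  {name:8s} {kbps:7.2f} KBps")
```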

When such a Rule Base is defined, a connection classified to the sub-rule will receive the Per connection guarantee that is defined in the sub-rule. If a sub-rule does not have a Per connection guarantee, it will still receive the Per connection guarantee defined in the original rule.

Limits

1) If both a rule limit and a Per connection limit are defined for a rule, the Per connection limit must not be greater than the rule limit.

2) If a limit is defined in a rule with sub-rules, and limits are defined in all the sub-rules, the rule limit should not be greater than the sum of limits defined in the sub-rules. Having a rule limit that is greater than the sum of limits defined in the sub-rules will never be necessary, because it is not possible to allocate more bandwidth to a rule than the bandwidth determined by the sum of the limits of its sub-rules.

Guarantee - Limit Interaction

1) If a rule limit and a rule guarantee are defined in a rule, then the limit should not be smaller than the guarantee.

2) If both a Limit and a Guarantee are defined in a rule, and the Limit is equal to the Guarantee, connections may receive no bandwidth, as in the following examples:

Example:

TABLE 3-6 No Bandwidth Received

Rule Name           Source    Destination  Service  Action
Rule A              Any       Any          ftp      Rule Guarantee 100KBps, Rule Limit 100KBps, Weight 10
  Start of Sub-Rule
  Rule A1           Client-1  Any          ftp      Rule Guarantee 100KBps, Weight 10
  Rule A2           Client-2  Any          ftp      Weight 10
  End of Sub-Rule
Rule B              Any       Any          http     Weight 30

The Guarantee in sub-rule A1 equals the Guarantee in rule A (100KBps). When there is enough traffic on A1 to use the full Guarantee, traffic on A2 does not receive any bandwidth from A (there is a limit on A of 100KBps). The steps that lead to this situation are as follows:

A rule has both a guarantee and a limit, such that the limit equals the guarantee.
The rule has sub-rules with Total Rule Guarantees that add up to the Total Rule Guarantee for the entire rule.
The rule also has sub-rule(s) with no guarantee.

In such a case, the traffic from the sub-rule(s) with no guarantee may receive no bandwidth.

Diffserv

Diffserv (Differentiated Services) is a technology by which packets are marked (in the IP header TOS byte) inside the enterprise network as belonging to a certain Class of Service, or QoS Class. These packets are then granted priority on the public network. DiffServ markings have meaning on the public network, not inside the enterprise network. (Effective implementation of DiffServ requires that packet markings be recognized on all public network segments.)
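The guidelines in Using Guarantees and Limits (Per Rule Guarantees 2), 3) and 5), Per Connection Guarantees 2), Limits 1) and 2), and the Guarantee - Limit Interaction, including the TABLE 3-6 starvation case) can be expressed as a heuristic check of the kind the Verify command performs before a policy is installed. The following is an added example, not Check Point's verifier; the Rule fields, the wording of the messages and the 190KBps capacity assumed for TABLE 3-3, 3-4 and 3-6 (which give none) are assumptions.

```python
"""Heuristic checks on a QoS rule base, modelled on the guarantee and limit
guidelines in this chapter.  Added example; not Check Point code.  Rates are
in KBps as in the tables."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    name: str
    weight: float = 10.0
    guarantee: float = 0.0                       # per-rule guarantee
    limit: Optional[float] = None                # per-rule limit
    per_conn_guarantee: Optional[float] = None
    per_conn_limit: Optional[float] = None
    guaranteed_conns: int = 0                    # Number of guaranteed connections
    sub_rules: List["Rule"] = field(default_factory=list)


def verify(rules: List[Rule], capacity: float) -> List[str]:
    """Return one message per guideline violation; an empty list means clean."""
    problems: List[str] = []
    # Per Rule Guarantees 5): first-level guarantees should stay under 90% of the link.
    total = sum(r.guarantee for r in rules)
    if total > 0.9 * capacity:
        problems.append(f"first-level guarantees {total:g} exceed 90% of capacity {capacity:g}")
    for r in rules:
        problems.extend(_check_rule(r))
    return problems


def _check_rule(r: Rule) -> List[str]:
    p: List[str] = []
    # Chapter 2 Warning: weight 0 together with no guarantee starves the rule.
    if r.weight == 0 and r.guarantee == 0:
        p.append(f"{r.name}: weight 0 with no guarantee can starve the rule completely")
    if r.limit is not None:
        # Guarantee - Limit Interaction 1)
        if r.limit < r.guarantee:
            p.append(f"{r.name}: limit {r.limit:g} is smaller than guarantee {r.guarantee:g}")
        # Limits 1)
        if r.per_conn_limit is not None and r.per_conn_limit > r.limit:
            p.append(f"{r.name}: per-connection limit exceeds the rule limit")
        # Chapter 2 Note: guaranteed connections x per-connection guarantee <= rule limit
        if r.per_conn_guarantee is not None and r.guaranteed_conns * r.per_conn_guarantee > r.limit:
            p.append(f"{r.name}: guaranteed connections x per-connection guarantee exceeds the rule limit")
    subs = r.sub_rules
    if subs:
        sub_g = sum(s.guarantee for s in subs)
        if sub_g > 0 and r.guarantee == 0:          # Per Rule Guarantees 2)
            p.append(f"{r.name}: sub-rules carry guarantees but the rule itself has none")
        elif sub_g > r.guarantee:                   # Per Rule Guarantees 3)
            p.append(f"{r.name}: sub-rule guarantees sum to {sub_g:g}, above the rule guarantee {r.guarantee:g}")
        # Limits 2): only meaningful when every sub-rule carries a limit.
        if r.limit is not None and all(s.limit is not None for s in subs):
            if r.limit > sum(s.limit for s in subs):
                p.append(f"{r.name}: rule limit exceeds the sum of sub-rule limits and can never be reached")
        # Per Connection Guarantees 2)
        for s in subs:
            if (r.per_conn_guarantee is not None and s.per_conn_guarantee is not None
                    and s.per_conn_guarantee > r.per_conn_guarantee):
                p.append(f"{s.name}: per-connection guarantee exceeds that of {r.name}")
        # Guarantee - Limit Interaction 2): limit == guarantee, the sub-rule guarantees
        # consume all of it, and some sub-rule has no guarantee -> it may get nothing.
        if (r.limit is not None and r.limit == r.guarantee and sub_g >= r.guarantee
                and any(s.guarantee == 0 for s in subs)):
            starved = ", ".join(s.name for s in subs if s.guarantee == 0)
            p.append(f"{r.name}: limit equals guarantee and the sub-rules consume it; "
                     f"{starved} may receive no bandwidth")
        for s in subs:
            p.extend(_check_rule(s))
    return p


# The incorrect rule bases from this section, capacity assumed to be 190KBps.
TABLE_3_3 = [Rule("Rule A", sub_rules=[Rule("Rule A1", guarantee=100), Rule("Rule A2")]),
             Rule("Rule B", weight=30)]
TABLE_3_4 = [Rule("Rule A", guarantee=100, sub_rules=[Rule("Rule A1", guarantee=80),
                                                       Rule("Rule A2", guarantee=80),
                                                       Rule("Rule A3")]),
             Rule("Rule B", weight=30)]
TABLE_3_6 = [Rule("Rule A", guarantee=100, limit=100, sub_rules=[Rule("Rule A1", guarantee=100),
                                                                  Rule("Rule A2")]),
             Rule("Rule B", weight=30)]

if __name__ == "__main__":
    for label, rb in (("TABLE 3-3", TABLE_3_3), ("TABLE 3-4", TABLE_3_4), ("TABLE 3-6", TABLE_3_6)):
        print(label, verify(rb, 190))
```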

77 DiffServ Markings for IPSec Packets DiffServ Markings for IPSec Packets When DiffServ markings are used for IPSec packets, the DiffServ mark can be copied from one location to another in one of two ways: :ipsec.copy_tos_to_inner The DiffServ mark is copied from the IPSec header to the IP header of the original packet after decapsulation/decryption. :ipsec.copy_tos_to_outer The DiffServ mark is copied from the original packet s IP header to the IPSec header of the encrypted packet after encapsulation. This property should be set, per FloodGate Module, in $FWDIR/conf/objects_5_0.c. The default setting is: :ipsec.copy_tos_to_inner (false) :ipsec.copy_tos_to_outer (true) Interaction Between DiffServ Rules and Other Rules DiffServ rules can be installed only on interfaces for which the relevant QoS Class has been defined in the Qos tab of the Interface Properties window (FIGURE 2-2 on page 34). Best Effort rules (that is, non-diffserv rules) can be installed on all interfaces of gateways with FloodGate Modules installed. Only rules installed on the same interface interact with each other. A DiffServ rule specifies not only a QoS Class, but also weight, in the same way that other QoS Policy Rules do. These weights are enforced only on the interfaces on which the rule is installed. For example, suppose a DiffServ rule specifies a weight of 50 for ftp connections. That rule will be installed only on the interfaces for which the QoS Class is defined. On other interfaces, the rule will not be installed and ftp connections routed through those other interfaces will not receive the weight specified in the rule. To specify a weight for all ftp connections, add a rule under Best Effort. Low Latency Queuing Overview For most traffic on the web (such as most TCP protocols), the WFQ (Weighted Fair Queuing, see Intelligent Queuing Engine on page 21) paradigm is adequate. 
This means that packets reaching FloodGate-1 are put in queues and forwarded according to the interface bandwidth and the priority of the matching rule. Using this standard policy, FloodGate-1 avoids dropping packets wherever possible, because such drops may adversely affect TCP. Avoiding drops, however, means holding (possibly long) queues, which may lead to non-negligible delay.

Chapter 3 QoS Policy Management 77
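The two copy_tos properties described under DiffServ Markings for IPSec Packets decide which TOS byte survives tunnelling. The following Python, an added example for this edit and not Check Point code, builds minimal IPv4 headers and applies each copy direction. The tunnel endpoints, the inner addresses and the plaintext that stands in for the ESP payload are constructed for illustration, and no encryption is performed; the point is the marking logic. It also shows why copy_tos_to_inner defaults to false: the outer TOS byte is outside the ESP integrity check, so copying it inward hands the inner packet's QoS Class to whoever rewrites it on the path.

```python
# Added example (not Check Point code): how :ipsec.copy_tos_to_outer and
# :ipsec.copy_tos_to_inner move the TOS/DiffServ byte between the outer
# (tunnel) IPv4 header and the inner (original) IPv4 header.
import ipaddress
import struct

ESP = 50                # IP protocol number of ESP
UDP = 17
TOS_EF = 0xB8           # DSCP 46 (Expedited Forwarding) << 2
TOS_BEST_EFFORT = 0x00


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum. Returns 0 when run over a header whose checksum field is already valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, tos: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    checksum = struct.pack("!H", ipv4_checksum(fields))
    return fields[:10] + checksum + fields[12:] + payload


def tos_of(packet: bytes) -> int:
    return packet[1]


def with_tos(packet: bytes, tos: int) -> bytes:
    """Rewrite the TOS byte of a packet with a 20-byte header and recompute the checksum."""
    header = bytearray(packet[:20])
    header[1] = tos
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[20:]


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, copy_tos_to_outer: bool = True) -> bytes:
    """Tunnel-mode encapsulation. The inner packet stands in for the ESP payload (nothing is encrypted here)."""
    outer_tos = tos_of(inner) if copy_tos_to_outer else TOS_BEST_EFFORT
    return build_ipv4(tunnel_src, tunnel_dst, ESP, outer_tos, inner)


def decapsulate(packet: bytes, copy_tos_to_inner: bool = False) -> bytes:
    """Strip the outer header; optionally overwrite the inner TOS with the outer one."""
    outer, inner = packet[:20], packet[20:]
    return with_tos(inner, tos_of(outer)) if copy_tos_to_inner else inner


def path_rewrites_outer_tos(packet: bytes, tos: int) -> bytes:
    """An on-path party changing the outer TOS byte, which the ESP integrity check does not cover."""
    return with_tos(packet, tos)


# Constructed sample packets: a voice packet marked EF and a best-effort bulk packet.
VOICE = build_ipv4("10.1.1.5", "10.2.2.7", UDP, TOS_EF, b"\x00" * 160)
BULK = build_ipv4("10.1.1.9", "10.2.2.8", UDP, TOS_BEST_EFFORT, b"\x00" * 1400)

if __name__ == "__main__":
    tunnelled = encapsulate(VOICE, "192.0.2.1", "198.51.100.1")
    print(hex(tos_of(tunnelled)))                    # default copy_tos_to_outer (true): outer header carries EF
    tampered = path_rewrites_outer_tos(encapsulate(BULK, "192.0.2.1", "198.51.100.1"), TOS_EF)
    print(hex(tos_of(decapsulate(tampered))))        # default copy_tos_to_inner (false): inner stays best effort
    print(hex(tos_of(decapsulate(tampered, True))))  # copy_tos_to_inner (true): attacker-chosen EF reaches the LAN
```

With the defaults, the enterprise marking is exported to the public network (where the guide says it has meaning) and nothing is imported back, which is the direction that keeps the internal QoS policy under the gateway's control.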

For some types of traffic, such as voice and video, bounding this delay is important. Long queues are inadequate for these types of traffic because they lead to substantial delay. Fortunately, for most delay-sensitive applications there is no need to drop packets from queues in order to keep them short. Instead, the fact that the streams of these applications have a known, bounded bit rate can be utilized. If FloodGate-1 is configured to forward as much traffic as the stream delivers, then only a small number of packets will accumulate in the queues and delay will be reduced.

FloodGate-1 Low Latency Queuing makes it possible to define special classes of service for delay-sensitive applications like voice and video. Rules under these classes can be used together with other rules in the QoS Policy Rule Base. Low Latency classes require you to specify the maximal delay that will be tolerated and a Constant Bit Rate. FloodGate-1 then guarantees that traffic matching rules of this type will be forwarded within the limits of the bounded delay.

Low Latency Classes

For information on installing Low Latency Classes, see Low Latency Classes on page 58.

For each Low Latency class defined on an interface, a constant bit rate and a maximal delay should be specified for the active directions. FloodGate-1 checks packets matched to Low Latency class rules to make sure they have not been delayed for longer than their maximal delay permits. If the maximal delay of a packet has been exceeded, it is dropped. Otherwise, it is transmitted at the defined constant bit rate for the Low Latency class to which it belongs. If the Constant Bit Rate of the class is defined correctly (that is, it is not smaller than the expected arrival rate of the matched traffic), packets will not be dropped (provided that the delay exceeds some minimum, see Computing Maximal Delay on page 80). On the other hand, when the arrival rate is higher than the specified Constant Bit Rate, packets exceeding this constant rate are dropped, to ensure that those transmitted are within the maximal delay limitations.

Note - The maximal delay set for a Low Latency class is an upper limit. Packets matching the class are always forwarded with a delay no greater than, and often much smaller than, the specified value.

Low Latency Class Priorities

In most cases, one Low Latency class is enough to serve all bounded-delay traffic. In some cases, however, the user may need to define more than one Low Latency class. For this purpose, Low Latency classes are given one of five priority levels (not including the Expedited Forwarding class, see Low Latency versus DiffServ on page 84). These priority levels are relative to other Low Latency classes.

It is advisable to define more than one Low Latency class if different types of traffic require different maximal delays. The class with the lower maximal delay should get a higher priority than the class with the higher delay. The reason for this is that when two packets are ready to be forwarded, one for each Low Latency class, the packet from the higher priority class will be forwarded first. The remaining packet (from the lower class) will then encounter greater delay. This implies that the minimal delay that can be set for a Low Latency class depends on all the Low Latency classes of higher priority.

Other Low Latency classes can affect the delay incurred by a class, and so they must be taken into consideration when determining the minimal delay that is feasible for the class. This is best done by initially setting the priorities for all Low Latency classes according to maximal delay and then defining the classes in descending order of priority. When you define class two, for example, class one should already be defined. For more information on the effects of class priority on computing maximal delay, see Computing Maximal Delay on page 80.

Logging LLQ Information

Extensive information on LLQ is available in the logs; for more information, see SmartView Tracker on page 87.

Computing the Correct Constant Bit Rate and Maximal Delay

Limits on Constant Bit Rate

For each direction of an interface (inbound and outbound), the sum of the constant bit rates of all the Low Latency classes cannot exceed twenty percent of the total designated bandwidth rate. The twenty percent limit is set to ensure that Best Effort traffic does not suffer substantial delay and jitter as a result of the existing Low Latency class(es).

Computing Constant Bit Rate

To compute the Constant Bit Rate of a Low Latency class, you should know the bit rate of a single application stream in traffic that matches the class and the number of streams expected to be open simultaneously. The Constant Bit Rate of the class should be the bit rate of a single application times the expected number of simultaneous streams.

If the number of streams exceeds the number you expected when you set the Constant Bit Rate, then the total incoming bit rate will exceed the Constant Bit Rate, and many drops will occur. You can avoid this situation by limiting the number of concurrent streams. For more information, see Ensuring that Constant Bit Rate is Not Exceeded (Preventing Unwanted Drops) on page 82.

Note - Unlike bandwidth allocated by a Guarantee, the constant bit rate allocated to a Low Latency class on an interface in a given direction is not increased when more bandwidth is available.

Computing Maximal Delay

To compute the maximal delay of a Low Latency class, you should take into account both the maximal delay that streams matching the class can tolerate in FloodGate-1 and the minimal delay that FloodGate-1 can guarantee this stream.

It is important not to define a maximal delay that is too small, which may lead to unwanted drops. The delay value defined for a class determines the number of packets that can be queued in the Low Latency queue before drops begin to occur. The smaller the delay, the shorter the queue will be. Therefore, an insufficient maximal delay may cause packets to be dropped before they have the chance to be forwarded. It is advisable to allow for at least several packets to be queued, as explained in the steps below.

If you are using Check Point SmartView Tracker, it is recommended to use the default Class Maximal Delay reported in the LLQ log. In order to obtain this default number you must first configure the correct Constant Bit Rate for the class and give an estimate for the Class Maximal Delay. For more information see SmartView Tracker on page 87.

Alternatively, you can set the Class Maximal Delay using the steps that follow. With this method you set the delay of the class by obtaining estimates for the upper and lower bounds, and setting the delay to a value between the bounds:

1 Estimate the greatest delay that you can set for the class:

  a Refer to the technical details of the streaming application and find the delay that it can tolerate. For voice applications, for example, it is commonly stated that the user starts to experience irregularities when overall delay exceeds 150 ms.

  b Find or estimate the bound on the delay that your external network (commonly the WAN) imposes. Many Internet Service Providers publish Service Level Agreements (SLAs) that guarantee certain bounds on delay.

  c The maximal delay should be set at no more than the delay that the streaming application can tolerate minus the delay that the external network introduces. This ensures that the delay introduced by FloodGate-1, when added to the delay introduced by the external network, does not exceed the delay tolerated by the streaming application.

2 Estimate the smallest delay that you can set for the class:

  a Find the bit rate of the streaming application in the application properties, or using Check Point SmartView Monitoring (see Check Point SmartView Monitoring User Guide).

  Note - Even if you set the Constant Bit Rate of the class to accommodate multiple simultaneous streams, conduct the following calculations with the streaming rate of a single stream.

  b Estimate the typical packet size in the stream. You can either find it in the application properties or monitor the traffic. If you do not know the packet size, you can take it to be the MTU of the LAN behind FloodGate-1. For Ethernet, this is 1500 bytes.

  c Many LAN devices, including switches and NICs, introduce some burstiness to flows of constant bit rate by changing the delay between packets. For constant bit rate traffic generated in the LAN and going out to the WAN, it is therefore recommended to monitor the stream packets on the FloodGated gateway (on the internal interface that precedes FloodGate-1) to get an estimate of the burst size.

  d If no burstiness is detected, the minimal delay of the class should be no smaller than:

        3 × packet size / bit rate

    This allows three packets to be held in the queue before drops can occur. (Note again that the bit rate should represent a single application, even if you set the Constant Bit Rate of the class to accommodate multiple streams.) If burstiness is detected, set the minimal delay of the class to be at least:

        (burst size + 1) × packet size / bit rate

3 The maximal delay that you choose for the class should be between the smallest delay (estimated in step 2) and the greatest delay (estimated in step 1). Setting it very close to either of these values is not recommended. However, if you expect the application to burst occasionally, or if you do not know whether the application generates bursts at all, set the delay close to the greatest value.

4 When you enter the maximal delay you calculated, you may get an error box containing the message "The inbound/outbound maximal delay of class ... must be greater than ... milliseconds." This can occur if the class of service that you define is not of the first priority (see Low Latency Class Priorities on page 79). The delay value displayed in the error message depends on the Low Latency classes of higher priority and on the interface speed. Set the maximal delay to a value no smaller than the one printed in the message.

Ensuring that Constant Bit Rate is Not Exceeded (Preventing Unwanted Drops)

As explained in Computing Constant Bit Rate on page 80, if the aggregate bit rate going through the Low Latency class exceeds the Constant Bit Rate of the class, then drops occur. This situation may occur when the number of streams actually opened exceeds the number you expected when you set the Constant Bit Rate.

To ensure that no more streams than allowed will open through a Low Latency Class, define a single rule under the class with a Per Connection Guarantee as its Action. In the Per Connection Guarantee field of the QoS Action Properties window, define the per connection bit rate that you expect, and in Number of guaranteed connections define the maximal number of connections that you allow in this class. Accept additional non-guaranteed connections should not be checked.
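The procedure above (Computing Constant Bit Rate, Computing Maximal Delay, and the Per Connection Guarantee that holds the stream count) can be carried through in code so that the arithmetic and the twenty percent check are done the same way every time. The following Python is an added example for this edit, not a FloodGate-1 tool. The voice figures it uses (80 kbit/s per stream in 200-byte packets, 20 streams, 150 ms tolerance, 50 ms of WAN delay, a 10 Mbit/s interface) are constructed values, and choosing a delay at the middle of the window, or at three quarters of it when bursts are expected, is one reasonable policy rather than the guide's own.

```python
# Added example (not FloodGate-1 code): sizing a Low Latency class from the
# figures the guide asks for. Bit rates are bits per second, packet sizes are
# bytes, delays are milliseconds.


def constant_bit_rate(stream_bps, streams):
    """Computing Constant Bit Rate: one stream's rate times the expected number of simultaneous streams."""
    return stream_bps * streams


def within_cbr_budget(class_cbrs_bps, interface_bps):
    """Limits on Constant Bit Rate: per direction, all LLQ classes together may use at most 20% of the interface."""
    return sum(class_cbrs_bps) <= 0.2 * interface_bps


def smallest_delay_ms(packet_bytes, stream_bps, burst_packets=0):
    """Step 2d: room for three packets of one stream, or burst + 1 packets when bursts were observed."""
    packets = 3 if burst_packets == 0 else burst_packets + 1
    return packets * packet_bytes * 8 * 1000 / stream_bps


def greatest_delay_ms(app_tolerance_ms, wan_delay_ms):
    """Step 1c: what the application tolerates minus what the external network already consumes."""
    return app_tolerance_ms - wan_delay_ms


def plan_llq_class(stream_bps, packet_bytes, streams, app_tolerance_ms, wan_delay_ms,
                   burst_packets=0, higher_class_floor_ms=0):
    """Return the class settings, with feasible=False when the bounds leave no usable delay.

    higher_class_floor_ms is the minimum reported by the error box of step 4 for a class
    that is not first priority; pass 0 for the first-priority class.
    """
    lo = max(smallest_delay_ms(packet_bytes, stream_bps, burst_packets), higher_class_floor_ms)
    hi = greatest_delay_ms(app_tolerance_ms, wan_delay_ms)
    plan = {
        "cbr_bps": constant_bit_rate(stream_bps, streams),
        "smallest_delay_ms": lo,
        "greatest_delay_ms": hi,
        # Per Connection Guarantee rule that stops extra streams from opening
        # (Ensuring that Constant Bit Rate is Not Exceeded).
        "per_connection_guarantee_bps": stream_bps,
        "guaranteed_connections": streams,
        "accept_additional_connections": False,
        "feasible": lo <= hi,
    }
    if plan["feasible"]:
        # This example's policy: the middle of the window, or three quarters of the way
        # up when bursts are expected, since the guide says to lean toward the upper bound then.
        fraction = 0.75 if burst_packets else 0.5
        plan["maximal_delay_ms"] = lo + fraction * (hi - lo)
    return plan


if __name__ == "__main__":
    # Constructed voice figures: 80 kbit/s per stream in 200-byte packets, 20 streams,
    # 150 ms end-to-end tolerance, 50 ms from the WAN, on a 10 Mbit/s interface.
    plan = plan_llq_class(80_000, 200, 20, 150, 50)
    print(plan)  # CBR 1.6 Mbit/s, window 60..100 ms, chosen maximal delay 80 ms
    print(within_cbr_budget([plan["cbr_bps"]], 10_000_000))                  # True: 1.6 Mbit/s <= 2 Mbit/s
    print(within_cbr_budget([constant_bit_rate(80_000, 30)], 10_000_000))   # False: 2.4 Mbit/s > 2 Mbit/s
    # Bursts of six packets push the floor to 140 ms, above the 100 ms ceiling: no setting works,
    # so either the WAN delay or the burstiness on the LAN has to be reduced first.
    print(plan_llq_class(80_000, 200, 20, 150, 50, burst_packets=6)["feasible"])
```

The infeasible case is the one worth checking before touching the policy editor: when the smallest delay exceeds the greatest, no value you enter will avoid drops, and the cure lies outside FloodGate-1.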

In this way, you can limit the number of connections to the number you used to compute the Constant Bit Rate of the class.

Interaction between Low Latency and Other Rule Properties

To activate a Low Latency class, you should define at least one rule under it in the QoS Policy Rule Base, and you may define more than one rule. The traffic matching any Low Latency class rule will receive the delay and Constant Bit Rate properties defined for the specified class and will also be treated according to the rule properties (weight, guarantee and limit). You can use all types of properties in the rules under the Low Latency class, including Weight, Guarantee, Limit, Per Connection Guarantee and Per Connection Limit.

To better understand the integration of Low Latency class and rule properties, consider the class with its rules as a separate network interface forwarding packets at a rate defined by the Constant Bit Rate, with delay bounded by the class delay, and with the rules defining the relative priority of the packets before they arrive at the interface. If a rule has a relatively low priority, then packets matching it will be entitled to a small portion of the Constant Bit Rate, and hence prone to more drops if the incoming rate is not small enough.

Note - Using sub-rules under the Low Latency class is not recommended because they make it difficult to compute which streams will suffer drops and the drop pattern. Guarantees and limits are not recommended for the same reasons (with the exception of Per Connection Guarantees, as described in Ensuring that Constant Bit Rate is Not Exceeded (Preventing Unwanted Drops) on page 82).

When to Use Low Latency Queuing

Use Low Latency Queuing in the following cases:

  When low delay is important, and the bit rate of the incoming stream is known. This is the case for video and voice applications. In such cases, specify both the maximal delay and the Constant Bit Rate of the class.

  When controlling delay is important, but the bit rate is not known in advance. The most common example is Telnet. This application requires fast responses, but the bit rate is not known in advance. In addition, even if the stream occasionally exceeds the Constant Bit Rate, you do not want to experience drops; it is preferable to experience a somewhat larger delay. In such cases set the Constant Bit Rate of the class to an upper estimate of the stream rate, and set a very large maximal delay (such as ms). The large delay ensures that even in the event of a burst exceeding the Constant Bit Rate, packets will not be dropped. They will be queued and forwarded according to the Constant Bit Rate.

Note - When the incoming stream is smaller than the Constant Bit Rate, the actual delay will be much smaller than ms (in the example above), because packets will be forwarded almost as soon as they arrive. The ms bound is effective only for large bursts.

Do not use a Low Latency Class when controlling delay is not of prime importance. For most TCP protocols (such as HTTP, FTP and SMTP) the other type of FloodGate-1 rule is more adequate. Use Weights, Limits and Guarantees in such cases, so that the exact priority of the traffic is imposed without having to take care of bit rate and delay. FloodGate-1 will execute the job with minimal drops. Moreover, weights and guarantees dynamically fill the pipe when some types of expected traffic are not present, while Low Latency Queuing firmly bounds its traffic by the Constant Bit Rate.

Low Latency versus DiffServ

Low Latency classes differ from DiffServ classes in that they do not receive type of service (TOS) markings. Packets are not marked as Low Latency in a universal manner, and this preferential treatment can only be guaranteed for the FloodGate Module through which they pass. The exception to this rule is the Expedited Forwarding DiffServ class. Any DiffServ class defined as an Expedited Forwarding class automatically becomes a Low Latency class of highest priority. Such a class will receive the conditions afforded it by its DiffServ marking both in FloodGate-1 and in the rest of the network.

Note - To use the Expedited Forwarding class as DiffServ only, without delay being enforced, specify a Maximal Delay value of in the Interface Properties tab (see Low Latency Classes on page 58).

When to Use DiffServ and When to Use LLQ

There are only two cases when you should mark your traffic using a DiffServ class:

  when your ISP supports DiffServ, which means that you can receive a different level of QoS according to the DiffServ marking that you apply to the IP packets

  when your ISP provides you with several classes of service using MPLS. In this case, DiffServ marking serves to communicate to your ISP the class of service that you expect every packet to receive

If neither of the two cases above applies, and you need to limit the delay for some types of traffic (see When to Use Low Latency Queuing on page 83), you should use Low Latency Queuing.

Authenticated QoS

It is now possible to use the information in the User Authority Server (UAS) in order to prioritize bandwidth allocation according to specific users. The UAS maintains a list of authenticated users, in accordance with which FloodGate-1 allocates bandwidth.

FloodGate-1 supports Client Authentication, including Encrypted Client Authentication, and SecuRemote/SecureClient Authentication. User and Session Authentication are not supported. For information about Client Authentication, see Client Authentication on page 173 of the Check Point FireWall-1 Guide.

To Use Authenticated QoS

In order to apply Authenticated QoS in a rule, follow these steps:

1 Make sure that the UAS package is installed on the module that will be performing Authenticated QoS.

2 Make sure that UserAuthority, under Check Point Products Installed, is checked on the VPN-1/FireWall-1 Module upon which you are installing the policy.

3 Create a group in Manage>Users>New>Group in the menu. The Group Properties window is displayed.

FIGURE 3-2  Group Properties window

4 Include all the user(s) whom you want to give priority by selecting the user and clicking on the add button. To remove a user from the group, select the user and click on the remove button.

5 Make a rule and in the Source column, right click and select Add User Access. For example, if the CEO of your company is in a remote location and wants to access his e-mail without waiting too long, create a rule as follows:

TABLE 3-7  A Rule that Allows Access to E-mail from a Remote Location

Rule Name   Source         Destination   Service   Action
CEO         CEO@localnet   Any           Pop-3     Weight 10
                                                   Guarantee 50,000 Bps

Note - To minimize the resources taken up by Authenticated QoS, it is recommended that Authenticated QoS rules refer to specific services, and do not include Any in the Service field.

6 Install the policy.

Note - The user must be authenticated in the UAS in order for the QoS policy to be enforced.

Policy-wide properties for Authenticated QoS can be defined in the FloodGate-1 page of the Global Properties window (FIGURE 2-1 on page 32). For more information, see Network Objects on page 67.


CHAPTER 4  SmartView Tracker

In This Chapter

  Overview of Logging                                              page 87
  Explaining the Event SmartView Tracker Logs (non-accounting)     page 88
  Explaining the Accounting SmartView Tracker Log                  page 89

Overview of Logging

If you want a connection to be logged, make sure the FloodGate-1 logging flag is turned on and that the connection's matching rule is marked with the track action log or account. To learn how to turn on QoS Logging, create Log or Account tracking, and start the SmartView Tracker, see Enabling Log Collection on page 63.

The SmartView Tracker allows you to view entries in the Log File. Each entry in the Log File is a record of an event or an account record. The SmartView Tracker gives you control over the information displayed in the Log File. You can navigate through the Log File and select the log entries which you would like to be displayed.

There are two types of events which are logged. TABLE 4-1 describes the features unique to event log and TABLE 4-2 describes the features unique to accounting logs.

TABLE 4-1  Explaining the Event SmartView Tracker Logs (non-accounting)

Connection Reject
  Logged when:     FloodGate-1 rejects a connection as a result of the number of guaranteed connections being exceeded and/or when additional connections are not configured to be accepted.
  Data returned:   The name of the matching rule on account of which the connection was rejected.
  Presentation:    Generated as a reject log. Unified with the initial connection log.
  Mode:            Traditional mode only. PCG (Per Connection Guarantee) is a feature of traditional mode.

Running Out of Packet Buffers
  Logged when:     FloodGate-1's global packet buffers are exhausted, or one of the interface directions' packet buffers is exhausted. Generated at a maximum of once per 12 hours.
  Data returned:   A string explaining the nature of the problem and the size of the relevant pool.
  Presentation:    New log record created each time a global problem is reported.
  Mode:            Traditional mode only.

LLQ Packet Drop
  Logged when:     A packet is dropped from an LLQ connection. A report is generated at a maximum of once per 5 minutes.
  Data returned:   Statistics computed from the last time an LLQ Packet Drop log was generated, for all relevant interface directions:
                     1. number of bytes dropped from the connection
                     2. average delay computed for all the connection's packets that were not dropped
                     3. maximum delay of a connection packet
                     4. maximum delay difference between two consecutive successfully transmitted packets
  Presentation:    Unified with the initial connection log.
  Mode:            Traditional mode only. LLQ is a feature of traditional mode.

TABLE 4-2  Explaining the Accounting SmartView Tracker Log

General Statistics
  Logged:          The total bytes transmitted through FloodGate-1 for each relevant interface and direction.
  Data returned:   Inbound and outbound bytes transmitted by FloodGate-1.
  Mode:            Both Express and Traditional.

Drop Policy Statistics
  Logged:          Total bytes dropped from the connection as a result of FloodGate-1's drop policy.
  Data returned:   Count of the bytes dropped from the connection because it exceeded the maximum used memory fragments for a single connection.
  Mode:            Traditional mode only.

LLQ Statistics
  Logged:          Statistics about the LLQ connection:
                     1. number of bytes dropped from the connection due to delay expiration
                     2. average packet delay
                     3. jitter, computed as the maximum delay difference between two consecutive packets
  Mode:            Traditional mode only. LLQ is a feature of traditional mode.

Examples of Log Events

FloodGate-1 logs the following events in the SmartView Tracker:

  Connection Reject Log   page 90
  LLQ Drop Log            page 90
  Pool Exceeded Log       page 91

Connection Reject Log

The connection is rejected because the rule exceeds the number of guaranteed connections, where Accept additional non guaranteed connections is unchecked in the QoS Action Properties window (see QoS Action Properties Window on page 46). The log includes the name as well as the class of the rule, in the format rule_name:<class>-><name>. In the following example, the rule belongs to the class Best_Effort. The name of the rule (rule_name) is udp2.

TABLE 4-3  Connection Reject Log example

...   Time     Product       Inter.   Track   Action   Info                          ...
      :17:09   FloodGate-1   daemon   log     reject   rule_name:Best_Effort->udp2

LLQ Drop Log

A packet from the LLQ connection is dropped; LLQ information is computed and logged from the last time a log was generated. This information includes significant data logged from the relevant interface direction. In the following example, the information logged includes:

  s_in_llq_drops               the number of bytes dropped from the connection on the Server-In interface direction.
  s_in_llq_avg_xmit_delay      average delay computed for all the connection's packets that were not dropped, on the Server-In interface direction.
  s_in_llq_max_delay           maximum delay of a connection packet that was not dropped, on the Server-In interface direction.
  s_in_llq_xmit_jitter         maximum delay difference between two consecutive successfully transmitted packets of the connection on the Server-In interface direction. Any packets dropped between the two successfully transmitted packets are ignored.
  s_in_llq_recommended_delay   the default delay that can be entered in the Add Low Latency QoS Class Properties window in order to achieve a minimal number of dropped bytes.

TABLE 4-4  LLQ Drop Log example

...   Product       Track   Info                                                                                                                                 ...
      FloodGate-1   log     s_in_llq_drops:3000 s_in_llq_avg_xmit_delay: 900 s_in_llq_max_delay: 1351 s_in_llq_xmit_jitter: 1351 s_in_llq_recommended_delay:

In the example cited above, since relevant data was observed only on the Server-In interface direction, only Server-In counters are available.

Note - There are several reasons why logging might not occur on a specified interface direction:
  FloodGate-1 may not be installed on all the interface directions
  No packets were seen on the other interface directions
  Data on the other interface directions may not be significant; for instance, the values logged may be all zeroes.

Pool Exceeded Log

The designated size of the pool was exceeded, whether the pool is set for a particular interface direction or represents the global pool. In the example, the following information can be deduced:
  an interface direction (ifdir) has a pool size of 8 fragments
  the interface name is E100B1, and the direction is outbound (marked in the Inter. column by a small cube next to the interface name with an outward-pointing arrow).

TABLE 4-5  Pool Exceeded Log example

...   Product       Inter.   Type      Info                                          ...
      FloodGate-1   E100B1   control   info:ifdir Memory Pool Exceeded Pool_size:8

Examples of Account Statistics Logs

To generate FloodGate-1 account logs:
  FloodGate-1 must be checked in the Module's Products Installed field.
  The rules in the QoS policy installed on the FloodGate-1 module for which you would like to create logs must be labelled with an account icon in the Track column.

In the Check Point SmartView Tracker, the account logs always include the segment_time information (that is, the time from which the information in the log was gathered) in the Info column.

TABLE 4-6  The mandatory fields in account logs

...   Product       Track     Info                       ...
      FloodGate-1   Account   segment_time 8May :24:57

Account Logs may include any or all of the following information:

  General Statistics Data       page 92
  Drop Policy Statistics Data   page 92
  LLQ Statistics Data           page 93

Note - Only significant data is logged, and it is presented in the same log record.

General Statistics Data

These statistics include the number of bytes transmitted through FloodGate-1 in any relevant interface direction. In the following example:

  s_in_bytes    5768 bytes were transmitted through FloodGate-1 on the Server-In interface direction.
  s_out_bytes   the bytes transmitted through FloodGate-1 on the Server-Out interface direction.

TABLE 4-7  General Statistics Data example

...   Info                           ...
      s_in_bytes:5768 s_out_bytes:

Drop Policy Statistics Data

The number of bytes dropped from the connection in any relevant interface direction as a result of drop policy. The drop policy is aimed at managing FloodGate-1 packet buffers, see WFRED (Weighted Flow Random Early Drop) on page 22. This includes the total number of bytes dropped from the connection since it exceeded its allocation. In the following example:

  s_out_total_drops    the bytes dropped from the connection as a result of drop policy, on the Server-Out interface direction.
  s_out_exceed_drops   out of the total number of drops (s_out_total_drops), the bytes dropped from the connection because it exceeded its allowed number of fragments, on the Server-Out interface direction.

TABLE 4-8  Drop Policy Statistics Data example

...   Info                                      ...
      s_out_total_drops: s_out_exceed_drops:

LLQ Statistics Data

Data items are the same as in LLQ Drop Log on page 90, but are computed from the beginning of the connection and not from the last time a log was generated.
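The Info column formats shown in TABLE 4-3, TABLE 4-4 and TABLE 4-5 and in the account examples can be turned into structured records, for instance to raise an alert when a Low Latency class is dropping packets or is about to. The following Python is an added example for this edit, not a SmartView Tracker feature. The sample Info strings are taken from the tables above (the s_out_bytes value is constructed because the figure is missing on the page); the mapping of the s_in and s_out prefixes to Server-In and Server-Out follows the LLQ Drop Log description; treating the delay counters as milliseconds and using 90% of the class delay as the warning threshold are this example's assumptions.

```python
# Added example (not a SmartView Tracker feature): parsing the Info column of
# FloodGate-1 log records into structured data and deriving alerts from it.
import re

# "key:value" or "key: value" tokens; a value runs until the next "key:" token,
# which keeps free text such as "ifdir Memory Pool Exceeded" in one piece.
_FIELD = re.compile(r"(\w+):\s*(.*?)(?=\s+\w+:|$)")

# Interface-direction prefixes named in the guide's examples.
_IFDIR = {"s_in": "Server-In", "s_out": "Server-Out"}


def parse_info(info: str) -> dict:
    """'s_in_llq_drops:3000 s_in_llq_max_delay: 1351' -> {'s_in_llq_drops': '3000', ...}."""
    return {key: value.strip() for key, value in _FIELD.findall(info)}


def reject_rule(fields: dict):
    """Connection Reject Log: rule_name:<class>-><name> -> (class, name), or None."""
    value = fields.get("rule_name")
    if not value or "->" not in value:
        return None
    qos_class, name = value.split("->", 1)
    return qos_class, name


def llq_stats(fields: dict) -> dict:
    """LLQ Drop Log / LLQ Statistics Data: group the *_llq_* counters by interface direction."""
    stats = {}
    for key, value in fields.items():
        prefix, sep, metric = key.partition("_llq_")
        if not sep:
            continue
        ifdir = _IFDIR.get(prefix, prefix)
        stats.setdefault(ifdir, {})[metric] = int(value) if value.lstrip("-").isdigit() else None
    return stats


def llq_alerts(fields: dict, class_delay_ms: int) -> list:
    """Directions whose class is under-provisioned: bytes were dropped, or the slowest
    transmitted packet came within 90% of the class maximal delay (this example's threshold,
    assuming the logged delays are in milliseconds)."""
    alerts = []
    for ifdir, s in llq_stats(fields).items():
        if s.get("drops"):
            alerts.append((ifdir, "dropped %d bytes since last log" % s["drops"]))
        elif s.get("max_delay") is not None and s["max_delay"] >= 0.9 * class_delay_ms:
            alerts.append((ifdir, "max delay %d ms near class limit %d ms" % (s["max_delay"], class_delay_ms)))
    return alerts


def pool_exceeded(fields: dict):
    """Pool Exceeded Log: the pool size when the Info text reports an exhausted pool, else None."""
    if "Pool Exceeded" in fields.get("info", "") and fields.get("Pool_size", "").isdigit():
        return int(fields["Pool_size"])
    return None


# Info strings from the guide's tables. The LLQ example's recommended_delay value is
# missing on the page and is omitted; the s_out_bytes figure is constructed.
SAMPLES = {
    "reject": "rule_name:Best_Effort->udp2",
    "llq_drop": "s_in_llq_drops:3000 s_in_llq_avg_xmit_delay: 900 s_in_llq_max_delay: 1351 s_in_llq_xmit_jitter: 1351",
    "pool": "info:ifdir Memory Pool Exceeded Pool_size:8",
    "account": "s_in_bytes:5768 s_out_bytes:12000",
}

if __name__ == "__main__":
    print(reject_rule(parse_info(SAMPLES["reject"])))                    # ('Best_Effort', 'udp2')
    print(llq_stats(parse_info(SAMPLES["llq_drop"])))                    # Server-In counters as ints
    print(llq_alerts(parse_info(SAMPLES["llq_drop"]), class_delay_ms=1500))
    print(pool_exceeded(parse_info(SAMPLES["pool"])))                    # 8
    print(parse_info(SAMPLES["account"]))
```

A drop alert says the class Constant Bit Rate was exceeded or the maximal delay is too small (see Computing Maximal Delay); a near-limit alert with zero drops is the earlier warning, and the s_in_llq_recommended_delay value, when present, is the setting to move to.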


CHAPTER 5  Deploying FloodGate-1

In This Chapter

  Deploying FloodGate-1                             page 95
  Interaction with Check Point VPN-1/FireWall-1     page 96
  Sample Bandwidth Allocations                      page 97

Deploying FloodGate-1

FloodGate-1 Topology Restrictions

FloodGate-1 can manage any number of external interfaces, subject to the following restrictions:

1) All of the traffic on a managed line must go through the gateway.

2) Each managed line must be connected (directly or indirectly via a router) to a separate physical interface on the FloodGated machine. Two managed lines may not share a physical interface to the FloodGated machine, nor may two lines be connected to the same router. For example, in the configuration depicted in FIGURE 5-1, the routers can pass traffic to each other through the hub without the FloodGate Module being aware of the traffic.

FIGURE 5-1  Two lines connected to a single interface (localnet, FloodGate Module, hub, two routers)

In addition, you cannot manage two lines connected to a single router (as in FIGURE 5-2), since traffic may pass from one line to the other directly through the router, without the FloodGate Module being aware of the traffic.

FIGURE 5-2  Two lines connected to a router (localnet, FloodGate Module, one router feeding two further routers)

An example of a correct configuration is depicted in FIGURE 5-3.

FIGURE 5-3  Correct configuration (localnet, FloodGate Module, one router per line)

Interaction with Check Point VPN-1/FireWall-1

Interoperability

FloodGate-1 must be installed together with VPN-1/FireWall-1 on the same system. Because FloodGate-1 and VPN-1/FireWall-1 share a similar architecture and many core technology components, users can utilize the same user-defined network objects in both solutions. This integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration. Both products can also share state table information, which provides efficient traffic inspection and enhanced product performance. FloodGate-1's tight integration with VPN-1/FireWall-1 enables users deploying the solutions in tandem to define bandwidth allocation rules for encrypted and network-address-translated traffic.

SmartCenter Server

If FloodGate-1 is installed on a machine on which VPN-1/FireWall-1 is also installed, FloodGate-1 uses the VPN-1/FireWall-1 SmartCenter Server and so shares the same objects database (network objects, services and resources) with VPN-1/FireWall-1. Some types of objects have properties which are product specific. For example, a VPN-1/FireWall-1 object has encryption properties which are not relevant to FloodGate-1, and a FloodGate-1 network interface has speed properties which are not relevant to VPN-1/FireWall-1.

FloodGate and FireWall Modules

If you are using both FloodGate-1 and VPN-1/FireWall-1, it is best to install the FloodGate and VPN/FireWall Modules on the same machine, rather than on separate machines. If they are on the same machine, the FloodGate Module will be able to correctly classify packets whose IP addresses have been translated, and to look inside encapsulated encrypted packets.

Sample Bandwidth Allocations

Frame Relay Network

In the network depicted in FIGURE 5-4, the branch offices communicate with the central site and vice versa, but they do not communicate directly with each other or with the Internet except through the central site. The Web server makes important company documents available to the branch offices, but the database server supports the company's mission-critical applications. The problem is that most of the branch office traffic is internal and external Web traffic, and the mission-critical database traffic suffers as a result. The network administrator has considered upgrading the 56K lines, but is reluctant to do so, not only because of the cost but also because upgrading would probably not solve the problem. The upgraded lines would still be filled mostly with Web traffic.

FIGURE 5-4  Frame Relay Network example (branch offices on 56K Bps lines into a Frame Relay Network; at the central site, the FloodGate Module on the T1 FloodGated Line, with the Web Server, the Database Server and the Internet connection)

The goals are as follows:

1) Allocate the existing bandwidth so that access to the database server gets the largest share.
2) Take into account that the branch offices are connected to the network by 56K lines.

These goals are accomplished with the following Rule Base:

TABLE 5-1 Main Rules
Rule Name   Source     Destination   Service   Action
Office 1    Office 1   Any           Any       Weight 10, Limit 56KBps
Office n    Office n   Any           Any       Weight 10, Limit 128KBps
Default     Any        Any           Any       Weight 10

Each office has sub-rules, as follows:

TABLE 5-2 Office Sub-Rules
Rule Name        Source   Destination       Service            Action
Start of Sub-Rule
Database Rule    Any      Database Server   database-service   Weight 50
Web Rule         Any      Web Server        http               Weight 10
Branch Offices   Any      Any               Any                Weight 10
End of Sub-Rule

The sub-rules give database traffic priority over web traffic and other traffic.

Assumptions

The following assumptions are made in this example:

- The problem (and its solution) apply to traffic outbound from the central site. Note that FloodGate-1 shapes the branch office lines in the outbound direction only. FloodGate-1 shapes inbound traffic only on directly controlled interfaces (that is, interfaces of the FloodGated machine).
- The central site has the capacity to handle the network's peak traffic load.
- There is no traffic between the offices.


CHAPTER 6 FloodGate-1 Tutorial

Introduction

In This Chapter
Introduction page 101
Building a QoS Policy page 102
Installing a QoS Policy page 122

This chapter presents a step-by-step guide to building and deploying a QoS Policy in FloodGate-1. FIGURE 6-1 on page 102 shows the network configuration used. The example configuration is simple, but working through it will familiarize you with many of the issues involved in setting up a FloodGate-1 QoS Policy.

FIGURE 6-1 Example Network configuration (private localnet with Marketing (le2) and Engineering (le1) behind the London FloodGate Module; le0 leads through a router and the FloodGated Line to the Internet; Cambridge is the GUI Client and Oxford the Management Server; a publicly accessible DMZ holds two HTTP Servers and an FTP Server)

Building a QoS Policy

To implement a QoS Policy, proceed as follows:

1 Install the appropriate Check Point Modules on each machine, as needed (see TABLE 6-1).

TABLE 6-1 Check Point Modules to Install on Each Machine
Computer    Function                                    Check Point Module to install
London      FloodGate Module; the gateway to the Internet   FloodGate Module, VPN/FireWall Module (required)
Oxford      SmartCenter Server                          SmartCenter Server, FloodGate-1
Cambridge   GUI Client                                  Management GUI Client

Note - In order to manage FloodGate-1 modules, you need to install FloodGate-1 on the SmartCenter Server as well as on the module.

2 Define the network objects to be used in the Rule Base. You do not have to define the entire network, only those objects that are explicitly used in the Rule Base.

3 Define any proprietary services used in your network. You do not have to define the commonly used services; these are already defined for you in FloodGate-1. Defining network objects and services is very straightforward. In most cases, you need only specify a name, because FloodGate-1 can obtain the object's properties from the appropriate databases (DNS, YP, hosts file).

4 Define a QoS Policy Rule Base.

5 Install the Rule Base on the FloodGate Module machine, which will enforce the QoS Policy.

The above steps are described in the following sections of this chapter for the configuration shown in FIGURE 6-1. Further details can be found in later chapters of this book.

Installation

Installation instructions are given in Chapter 5, Installing and Configuring VPN-1/FireWall-1, of the Check Point Getting Started Guide. Install FloodGate-1 in the following sequence:

1 Install the FloodGate and VPN/FireWall Modules on London. When you configure London immediately after the installation, define Oxford as London's Master.
2 Install the GUI Client on Cambridge.
3 Install the SmartCenter Server on Oxford. When you configure Oxford immediately after the installation, define London as Oxford's remote VPN/FireWall Module.
4 On Oxford, define Cambridge as a GUI Client.
5 On Oxford, define the administrators who will be allowed to manage the QoS Policy.

Starting the GUI Client

Start the Check Point Management Client GUI (from Start>Programs>Check Point Management Clients>SmartDashboard). The Welcome to Check Point SmartDashboard window (FIGURE 6-2) is displayed.

FIGURE 6-2 Welcome to Check Point SmartDashboard window

You can log in using either your user name and password or your certificate.

User name and password:
1 Select User Name.
2 Enter your user name and password.
3 Click OK.

Certificate:
1 Select Certificate.
2 Enter the name of your PKCS#12 certificate file. You can also browse for the file.
3 Enter the password you used to create the certificate.
4 Click OK.

Enter the name of the machine on which the SmartCenter Server is running. You can enter one of the following:
- A resolvable machine name
- A dotted IP address

To work in local mode, check Demo Mode. If you do not wish to modify a policy, check Read Only before clicking OK.

Note - If you are not defined as a user, and therefore do not possess a user name, see To Add an Administrator on page 49 for information on how to define users on the SmartCenter Server.

Certificate Management, Compression and Advanced Options

In the SmartDashboard Login window (FIGURE 6-2), click More Options >> to display the Certificate Management, Connection Optimizations and Advanced Options (FIGURE 6-3).

FIGURE 6-3 SmartDashboard login window - more options

To change the certificate password, click Change Password.

To compress the connection to the SmartCenter Server, check Use compressed connection.

In Session ID (optional), enter text describing why the administrator wants to make a change in the security policy. The text appears as a log entry in the SmartView Tracker in the Session ID column (in Audit mode only). If the Session ID column does not appear in the SmartView Tracker, use the Query Properties pane to display it. For more information on the SmartView Tracker, see the chapter called SmartView Tracker in the Check Point SmartCenter Guide.

To hide the Certificate Management, Connection Optimizations and Advanced options, click Less Options <<.

Click OK. The Check Point SmartDashboard window is opened.

To display the QoS tab

In order to display the QoS tab, you first need to create your first QoS policy; to do so, see To Install and Enforce the Policy on page 62. Once the policy has been created, the QoS tab appears in the SmartDashboard. To show an empty QoS Rule Base (FIGURE 6-4), click the QoS tab.

FIGURE 6-4 SmartDashboard window with empty QoS Policy Rule Base

QoS Policy

To implement an effective QoS Policy, you must first determine how you currently use your network, and then identify and prioritize types of traffic and users. For the configuration shown above, a typical QoS Policy would be:
- HTTP traffic should be allocated more bandwidth than RealAudio
- Marketing should be allocated more bandwidth than Engineering

Defining the Network Objects

For the configuration shown above, define London, the gateway on which the FloodGate Module is running, and its interfaces, as well as the sub-networks for the Marketing and Engineering departments. The gateway London will be defined as an example. For information about defining networks, see Network Objects in the Check Point SmartCenter Guide.

1 Open the Properties window (FIGURE 6-10 on page 110). TABLE 6-2 lists several ways to open the Properties window:

TABLE 6-2 Creating a new workstation
From the Manage menu: From the Manage menu, choose Network Objects. In the Network Objects window (FIGURE 6-5), click New. Choose Workstation from the menu (FIGURE 6-9).
From the objects toolbar: If the objects toolbar is not visible, choose View>Toolbars>Objects from the menu. Click the Network Objects button on the toolbar. In the Network Objects window (FIGURE 6-5), click New. Choose Workstation from the menu (FIGURE 6-9).
From the Network Objects tree: Click the Network Objects tab in the object tree tabs (FIGURE 6-7) to display the Network Objects tree. Right-click Workstation in the Network Objects tree (FIGURE 6-8). Choose New Workstation.

FIGURE 6-5 Network Objects window

FIGURE 6-6 Object Tree toolbar

FIGURE 6-7 Object Tree tabs

FIGURE 6-8 Right-clicking in the Network Objects tree

FIGURE 6-9 Network Objects menu

To define London as a FloodGate Module:

2 Fill in the data in London's General page as shown in TABLE 6-3.

TABLE 6-3 London's Properties window General page
Field: Name
Value: London
Explanation: This is the name by which the object is known on the network; the response to the hostname command.

Field: IP Address
Value: (the address of London's external interface)
Explanation: This is the interface associated with the host name in the DNS; get this by clicking Get Address. For gateways, this should always be the IP address of the external interface.

Field: Comment
Value: FloodGate Module (gateway)
Explanation: This is the text that is displayed at the bottom of the Network Objects window when this object is selected.

Field: Type
Value: Gateway
Explanation: Check this field.

Field: Check Point products installed
Value: Select the current version number. Check VPN-1 & FireWall-1. Check FloodGate-1.
Explanation: These settings specify the Check Point products installed on London, and their version number. FloodGate-1 must be installed on any gateway on which a FloodGate Module is installed. Note that if multiple Check Point products are installed on a machine, they must all be the same version number.

Field: Object Management
Value: Check Managed by this SmartCenter Server.
Explanation: This setting specifies that FWall is managed by the SmartCenter Server on which the GUI is running, that is, by Hatter.

Field: Secure Internal Communication
Explanation: Establishes a secure communication channel between Check Point Modules.

FIGURE 6-10 Properties window - General page

To define the interfaces on which FloodGate-1 will control traffic:

3 Click Topology (in the tree on the left side of the Properties window) to display the Topology page (FIGURE 6-11).

FIGURE 6-11 Properties window - Topology page

No interfaces are shown, since you have not yet defined any.

4 The easiest and most reliable way to define the interfaces is to click Get Interfaces, which automatically retrieves general and topology information for each interface. Alternatively, clicking Add displays the Interface Properties window. Interface information can then be defined in the General and Topology tabs of this window, which are described in Chapter 4, Network Objects, of the Check Point SmartCenter Guide.

The data for each of the three interfaces of London is as follows:

TABLE 6-4 Field Values, Interface Properties window, le0
General tab
Field: Name
Value: le0
Field: Net Address
Field: Net Mask

Topology tab
Field: Topology
Value: Check External (leads out to the Internet).
Explanation: This setting specifies to which network this interface leads.

Field: Anti-Spoofing
Value: Check Perform Anti-Spoofing based on network topology.
Explanation: This setting specifies that each incoming packet will be examined to ensure that its source IP address is consistent with the interface through which it entered the machine.

Field: Spoof Tracking
Value: Check Log.
Explanation: This specifies that when spoofing is detected, the event will be logged.

TABLE 6-5 Field Values, Interface Properties window, le1
General tab
Field: Name
Value: le1
Field: Net Address
Field: Net Mask

Topology tab
Field: Topology
Value: Check Internal (leads to the local network).
Explanation: This setting specifies to which network this interface leads.

Field: IP addresses behind this interface
Value: Check Network defined by the interface IP and Net Mask.
Explanation: This setting specifies that the standard IP addressing scheme is being used.

Field: Anti-Spoofing
Value: Check Perform Anti-Spoofing based on network topology.
Explanation: This setting specifies that each incoming packet will be examined to ensure that its source IP address is consistent with the interface through which it entered the machine.

Field: Spoof Tracking
Value: Check Log.
Explanation: This specifies that when spoofing is detected, the event will be logged.

TABLE 6-6 Field Values, Interface Properties window, le2
General tab
Field: Name
Value: le2
Field: Net Address
Field: Net Mask

Topology tab
Field: Topology
Value: Check Internal (leads to the local network).
Explanation: This setting specifies to which network this interface leads.

Field: IP addresses behind this interface
Value: Check Network defined by the interface IP and Net Mask.
Explanation: This setting specifies that the standard IP addressing scheme is being used.

Field: Anti-Spoofing
Value: Check Perform Anti-Spoofing based on network topology.
Explanation: This setting specifies that each incoming packet will be examined to ensure that its source IP address is consistent with the interface through which it entered the machine.

Field: Spoof Tracking
Value: Check Log.
Explanation: This specifies that when spoofing is detected, the event will be logged.

After the three interfaces have been defined, you can see them in the Topology page of the Properties window (FIGURE 6-12).
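The topology-based anti-spoofing check configured in TABLE 6-4 to 6-6 can be worked through for London's three interfaces. This is an added illustration, not FireWall-1 or FloodGate-1 code; the guide's tables lost their addresses in transcription, so the interface addresses and masks below are constructed sample values.

```python
"""Anti-spoofing based on network topology, as set for London's interfaces.

Added illustration, not Check Point code. le1 and le2 are Internal and their
networks are "defined by the interface IP and Net Mask"; le0 is External and
leads to the Internet. Addresses and masks are constructed sample values."""
import ipaddress
from typing import Dict, List, Optional, Tuple

EXTERNAL_IFACE = "le0"

# Constructed: Net Address / Net Mask of the two internal interfaces.
INTERNAL_IFACES = {
    "le1": ("192.0.2.1", "255.255.255.0"),        # Engineering (constructed)
    "le2": ("198.51.100.1", "255.255.255.0"),     # Marketing (constructed)
}

# "Network defined by the interface IP and Net Mask": derive each network.
NETS_BEHIND: Dict[str, ipaddress.IPv4Network] = {
    iface: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    for iface, (ip, mask) in INTERNAL_IFACES.items()
}


def expected_interface(src: str) -> str:
    """Interface a packet with this source address should have arrived on."""
    addr = ipaddress.ip_address(src)
    for iface, net in NETS_BEHIND.items():
        if addr in net:
            return iface
    return EXTERNAL_IFACE      # not behind any internal interface: must come from outside


def check_packet(iface: str, src: str) -> Optional[str]:
    """None if the packet is consistent with the topology, otherwise the log
    line that Spoof Tracking = Log would produce."""
    expected = expected_interface(src)
    if expected == iface:
        return None
    return f"spoof: src {src} on {iface}, topology says {expected}"


def audit(packets: List[Tuple[str, str]]) -> List[str]:
    """Run the check over (interface, source) pairs and return the log lines."""
    return [line for line in (check_packet(i, s) for i, s in packets) if line]


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate packet per interface and two
    # with a source address that does not belong on the arrival interface.
    sample = [("le1", "192.0.2.5"), ("le2", "198.51.100.7"), ("le0", "203.0.113.9"),
              ("le0", "192.0.2.5"), ("le2", "203.0.113.9")]
    for line in audit(sample):
        print(line)
```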

FIGURE 6-12 Topology page

QoS information for the appropriate interfaces is defined separately in the QoS tab of the Interface Properties window:

5 Double-click London's external interface (le0), or select it and click Edit. The Interface Properties window will be displayed.

6 Click the QoS tab (FIGURE 6-13).

FIGURE 6-13 Interface Properties window - QoS tab

7 Check both Inbound Active and Outbound Active.

8 Set both rates to T1 (1.536 MBps).

9 Click OK to exit the Interface Properties window.

10 Click OK to exit the Properties window.

Defining the Services

The QoS Policy described above does not require definition of proprietary services. The commonly used services HTTP and RealAudio are already defined in FloodGate-1. For information about defining proprietary services, see Services and Resources in the Check Point SmartCenter Guide.

Defining a Rule Base

After defining your network objects, you are now ready to define a Rule Base.

Rule Properties

Each rule's properties are defined in the QoS Action Properties window. To display the QoS Action Properties window, right-click in the Action column and select Edit Properties from the menu. For more information, see QoS Action Properties Window on page …

Classifying Traffic by Service

The first part of the QoS Policy ("HTTP traffic should be allocated more bandwidth than RealAudio") can be expressed in the following rules:

TABLE 6-7 Allocating More Bandwidth Than RealAudio
Rule Name        Source   Destination   Service     Action
Web Rule         Any      Any           HTTP        Weight 35
RealAudio Rule   Any      Any           RealAudio   Weight 5
Default          Any      Any           Any         Weight 10

The first rule (named Web Rule) classifies HTTP connections and assigns them a weight of 35. The second rule (named RealAudio Rule) classifies RealAudio connections and assigns them a weight of 5. The third rule (named Default) is added automatically by FloodGate-1 with a default weight of 10, and applies to all connections not classified by other rules. Even an exhaustive Rule Base will generally not explicitly define rules for all the background services (such as DNS and ARP) in the traffic mix, but will let the Default rule deal with them.

FIGURE 6-14 Service Rules in the GUI

Note how the structure of the Rule Base is shown at the left of the window (FIGURE 6-14) as a tree, with RealAudio Rule highlighted in both the tree and the Rule Base. (For a description of the Rule Base window, see Chapter 1, Introduction to FloodGate-1.)

The effect of these rules is that when connections compete for bandwidth, they receive bandwidth in accordance with the weights assigned by the rules that apply to them. For example, TABLE 6-8 describes what happens when there are four active connections.

TABLE 6-8 Service Rules - four active connections
Connection   Relevant rule   Bandwidth      Remarks
HTTP         Web Rule        70%            35 / 50 (the total weights)
RealAudio    RealAudio Rule  10%            5 / 50
FTP          Default         sharing 20%    10 / 50; a rule's share applies to all its connections together
TELNET       Default         sharing 20%    10 / 50; a rule's share applies to all its connections together

It is important to note that the bandwidth allocation is constantly changing. Bandwidth is allocated among connections according to their relative weight. As the connection mix changes (as it does continuously, as connections are opened and closed), FloodGate-1 changes the bandwidth allocation in accordance with the QoS Policy, so that bandwidth is never wasted. For example, if the HTTP, FTP and TELNET connections are all closed, and the only remaining connection is the RealAudio connection, RealAudio will receive 100% of the bandwidth.

Suppose now that the TELNET and FTP connections are closed. TABLE 6-9 shows the result.

TABLE 6-9 Service Rules - two active connections
Connection   Relevant rule   Bandwidth   Remarks
HTTP         Web Rule        87.5%       35 / 40 (the total weights)
RealAudio    RealAudio Rule  12.5%       5 / 40

Both HTTP and RealAudio benefit from the bandwidth released by the closed connections. Even though RealAudio is assigned a very small weight compared to HTTP, it will never starve, even in the event of heavy HTTP traffic.

Note - In practice, you will probably want to give a high relative weight to an interactive service such as TELNET, which transfers small amounts of data but has an impatient user at the keyboard.

Classifying Traffic by Source

The second part of the QoS Policy ("Marketing should be allocated more bandwidth than Engineering") can be expressed in the following rules:

TABLE 6-10 Marketing is Allocated More Bandwidth Than Engineering
Rule Name          Source        Destination   Service   Action
Marketing Rule     Marketing     Any           Any       Weight 30
Engineering Rule   Engineering   Any           Any       Weight 20
Default            Any           Any           Any       Weight 10

The effect of these rules is similar to the effect of the rules in TABLE 6-8 on page 118, except for:
- the different weights
- the fact that allocation is based on users rather than on services

Classifying Traffic by Service and Source

TABLE 6-11 shows all the rules together in a single Rule Base.

TABLE 6-11 All the Rules Together
Rule Name          Source        Destination   Service     Action
Web Rule           Any           Any           HTTP        Weight 35
RealAudio Rule     Any           Any           RealAudio   Weight 5
Marketing Rule     Marketing     Any           Any         Weight 30
Engineering Rule   Engineering   Any           Any         Weight 20
Default            Any           Any           Any         Weight 10

In this Rule Base, bandwidth allocation is based both on sub-networks and on services.

First Rule Match Principle

In the Rule Base in TABLE 6-11, it is possible that more than one rule is relevant to a connection. However, FloodGate-1 works according to a first rule match principle. Every connection is examined against the QoS Policy and receives bandwidth according to the action defined in the first rule that is matched. If a user in Marketing initiates an HTTP connection, both Web Rule and Marketing Rule are theoretically relevant. Because Web Rule comes before Marketing Rule in the Rule Base, the connection will be given a weight of 35. Marketing Rule will no longer be relevant to this connection. In order to differentiate HTTP traffic by source, it would be necessary to create sub-rules for Web Rule. See Sub-Rules on page 121.

Note - The actual bandwidth allocated to a connection at any given moment depends on the weights of the other connections active at the same time.

Guarantees and Limits

In addition to using weights, you can refine bandwidth allocation by using guarantees and limits. You can define guarantees and limits for whole rules, or for individual connections within a rule. For example, the Web Rule shown in the Rule Base in TABLE 6-11 on page 119 allocates 35% of available bandwidth to all the HTTP connections combined. The actual amount of bandwidth received by connections under this rule will depend on available bandwidth and on open connections that match the other rules. A guarantee is used mainly to specify bandwidth in absolute measures (such as bits or bytes) instead of relative weights. Note however that the 35% of available bandwidth (specified in the example above) is assured to you. You may get more bandwidth if there are few connections backlogged to other rules, but you will not get less bandwidth. The bandwidth allocated is absolutely guaranteed. In TABLE 6-12, Web Rule is guaranteed 20 KBps. The connections under Web Rule will receive a total bandwidth of 20 KBps. Any remaining bandwidth will be allocated to all the rules, Web Rule included, according to their weights.

TABLE 6-12 Guarantee Example
Rule Name          Source        Destination   Service     Action
Web Rule           Any           Any           HTTP        Guarantee 20 KBps, Weight 35
RealAudio Rule     Any           Any           RealAudio   Weight 5
Marketing Rule     Marketing     Any           Any         Weight 30
Engineering Rule   Engineering   Any           Any         Weight 20
Default            Any           Any           Any         Weight 10

For more information and examples of guarantees and limits, see Simple or Advanced QoS on page 69 and Using Guarantees and Limits on page 71.

Sub-Rules

Sub-rules are rules within a rule. For example, you may wish to allocate bandwidth for HTTP connections by source, so that HTTP connections from Marketing receive more bandwidth than other HTTP traffic. In this case, you would define sub-rules under HTTP Rule as follows:

TABLE 6-13 Defining Sub-Rules
Rule Name        Source      Destination   Service   Action
Web Rule         Any         Any           HTTP      Weight 20
Start of Sub-Rule
Marketing HTTP   Marketing   Any           Any       Weight 10
Default          Any         Any           Any       Weight 1
End of Sub-Rule

The sub-rules mean that for connections under HTTP Rule, bandwidth should be allocated according to the weights specified: 10 for HTTP traffic from the Marketing department and 1 for everything else. The bandwidth allocated to HTTP Rule according to its weight (20) is further divided between its sub-rules in a 10:1 ratio. Note that there will be two Default rules: one for the Rule Base as a whole and another for the sub-rules of HTTP Rule.

Installing a QoS Policy

After you have defined the Rule Base, you can install the QoS Policy on the FloodGate Modules by selecting Install from the Policy menu. The Install Policy window will be displayed, showing a list of gateways defined as FloodGate Modules (see Defining the Network Objects on page 106). Select the specific FloodGate Modules on which to install the QoS Policy. FloodGate-1 will enforce the QoS Policy in the directions specified in the interface properties of each selected module. For further information, see To Install and Enforce the Policy on page …
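The weighted sharing of TABLE 6-8 and 6-9, the first rule match principle, the guarantee of TABLE 6-12 and the 10:1 sub-rule split of TABLE 6-13 can all be worked through with a small allocator. This is an added illustration, not FloodGate-1 code; it assumes, as the tables above show, that guarantees are paid before weighted sharing, and that a rule without sub-rules divides its share equally among its active connections.

```python
"""Bandwidth sharing as the tutorial's Rule Base tables describe it.

Added illustration, not Check Point code. Rule and object names are the
tutorial's; the allocation order (guarantees first, remainder by weight among
rules with active connections, a rule's share split among its sub-rules or
equally among its connections) is taken from TABLE 6-8 to 6-13."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    name: str
    source: str = "Any"       # "Any" or a network object such as "Marketing"
    service: str = "Any"      # "Any" or a service such as "HTTP"
    weight: int = 10          # the weight FloodGate-1 gives the Default rule
    guarantee: float = 0.0    # KBps paid to the rule before weighted sharing
    sub_rules: List["Rule"] = field(default_factory=list)


@dataclass
class Connection:
    name: str
    source: str
    service: str


def matches(rule: Rule, conn: Connection) -> bool:
    return rule.source in ("Any", conn.source) and rule.service in ("Any", conn.service)


def classify(rules: List[Rule], conns: List[Connection]) -> Dict[str, List[Connection]]:
    """First rule match: a connection belongs to the first rule it matches."""
    owned: Dict[str, List[Connection]] = {r.name: [] for r in rules}
    for conn in conns:
        for rule in rules:                    # in Rule Base order
            if matches(rule, conn):
                owned[rule.name].append(conn)
                break
        else:
            raise ValueError(f"{conn.name} matched no rule; the Rule Base needs a Default rule")
    return owned


def allocate(rules: List[Rule], conns: List[Connection], bandwidth: float) -> Dict[str, float]:
    """KBps per connection name for a link of the given bandwidth (KBps)."""
    owned = classify(rules, conns)
    active = [r for r in rules if owned[r.name]]   # rules without connections get nothing
    if not active:
        return {}
    reserved = sum(r.guarantee for r in active)
    if reserved > bandwidth:
        raise ValueError("guarantees of the active rules exceed the link rate")
    remainder = bandwidth - reserved
    total_weight = sum(r.weight for r in active)
    result: Dict[str, float] = {}
    for rule in active:
        share = rule.guarantee + remainder * rule.weight / total_weight
        if rule.sub_rules:                      # split the share again, by sub-rule
            result.update(allocate(rule.sub_rules, owned[rule.name], share))
        else:                                   # the share applies to all connections together
            for conn in owned[rule.name]:
                result[conn.name] = share / len(owned[rule.name])
    return result


# TABLE 6-7: service rules.
SERVICE_RULES = [
    Rule("Web Rule", service="HTTP", weight=35),
    Rule("RealAudio Rule", service="RealAudio", weight=5),
    Rule("Default"),
]
# TABLE 6-12: Web Rule with a 20 KBps guarantee, plus the source rules.
GUARANTEE_RULES = [
    Rule("Web Rule", service="HTTP", weight=35, guarantee=20),
    Rule("RealAudio Rule", service="RealAudio", weight=5),
    Rule("Marketing Rule", source="Marketing", weight=30),
    Rule("Engineering Rule", source="Engineering", weight=20),
    Rule("Default"),
]
# TABLE 6-13: HTTP split 10:1 between Marketing and everyone else.
SUB_RULE_BASE = [
    Rule("Web Rule", service="HTTP", weight=20, sub_rules=[
        Rule("Marketing HTTP", source="Marketing", weight=10),
        Rule("Default", weight=1),
    ]),
    Rule("Default"),
]


def percent_share(rules: List[Rule], conns: List[Connection]) -> Dict[str, float]:
    """Allocation of a 100-unit link, i.e. the percentages shown in the tables."""
    return allocate(rules, conns, 100.0)


if __name__ == "__main__":
    four = [Connection("HTTP", "Engineering", "HTTP"),
            Connection("RealAudio", "Engineering", "RealAudio"),
            Connection("FTP", "Engineering", "FTP"),
            Connection("TELNET", "Engineering", "TELNET")]
    print(percent_share(SERVICE_RULES, four))      # TABLE 6-8: 70 / 10 / 10 / 10
    print(percent_share(SERVICE_RULES, four[:2]))  # TABLE 6-9: 87.5 / 12.5
```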

CHAPTER 7 Command Line Interface

In This Chapter
Interaction with VPN-1/FireWall-1
Setup (cpstart and cpstop)
Control (fgate, fgate load, fgate unload, fgate fetch)
Monitor (fgate stat, Examples)
Utilities (fgate log, fgate ctl, fgate debug, fgate kill)

Interaction with VPN-1/FireWall-1

When VPN-1/FireWall-1 is installed on the same machine as FloodGate-1, the FloodGate-1 commands are as listed in TABLE 7-1.

TABLE 7-1 FloodGate-1 command names (VPN-1/FireWall-1 and FloodGate-1 installed on the same machine)
Command    Description
etmstart   starts FloodGate-1
etmstop    stops FloodGate-1
fgd50      FloodGate-1 daemon
cplic      For more information see the Check Point SmartCenter Guide

Setup

In This Section
cpstart and cpstop page 124
etmstart page 124
etmstop page 124

cpstart and cpstop

Generally, to stop and start the FloodGate-1 Module you are required to stop and start VPN-1/FireWall-1 using the cpstop and cpstart commands. In the event that you would like to stop the FloodGate-1 Module only, you can use the etmstart and etmstop commands, which are FloodGate-1 specific. For more on cpstop and cpstart, see the Check Point SmartCenter Guide.

etmstart

etmstart loads the FloodGate-1 Module, starts the FloodGate-1 daemon (fgd50), and fetches the last policy that was installed on the FloodGate-1 module.

etmstop

etmstop kills the FloodGate-1 daemon (fgd50) and then unloads the FloodGate-1 policy and Module.

fgate Menu

The following menu is displayed when typing fgate from the command line.

FIGURE 7-1 fgate menu


More information

Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center. Release Notes for Version 5.6.1 Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014 Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements...

More information

Nokia Intrusion Prevention with Sourcefire Appliance Quick Setup Guide. Sourcefire Sensor on Nokia v4.8

Nokia Intrusion Prevention with Sourcefire Appliance Quick Setup Guide. Sourcefire Sensor on Nokia v4.8 Nokia Intrusion Prevention with Sourcefire Appliance Quick Setup Guide Sourcefire Sensor on Nokia v4.8 Part No. N450000774 Rev 001 Published September 2008 COPYRIGHT 2008 Nokia. All rights reserved. Rights

More information

JD Edwards World User Reserved Information. Version A9.2

JD Edwards World User Reserved Information. Version A9.2 JD Edwards World User Reserved Information Version A9.2 Revised June 30, 2009 Copyright Notice Copyright 2009, Oracle. All rights reserved. Trademark Notice Oracle is a registered trademark of Oracle Corporation

More information

TWAIN driver User s Guide

TWAIN driver User s Guide 4037-9571-05 TWAIN driver User s Guide Contents 1 Introduction 1.1 System requirements...1-1 2 Installing the TWAIN Driver 2.1 Installation procedure...2-1 To install the software...2-1 2.2 Uninstalling...2-1

More information

LoadMaster VMware Horizon (with View) 6. Deployment Guide

LoadMaster VMware Horizon (with View) 6. Deployment Guide LoadMaster VMware Horizon (with View) 6 Deployment Guide VERSION: 6.0 UPDATED: MARCH 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the

More information

Endpoint Security. Gateway Integration Guide R72

Endpoint Security. Gateway Integration Guide R72 Endpoint Security Gateway Integration Guide R72 July 21, 2009 2008 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed

More information

Migration Tool. Migration Tool (Beta) Technical Note

Migration Tool. Migration Tool (Beta) Technical Note Migration Tool (Beta) Technical Note VERSION: 6.0 UPDATED: MARCH 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies logo

More information

NTLM NTLM. Feature Description

NTLM NTLM. Feature Description Feature Description VERSION: 6.0 UPDATED: JULY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies logo are registered

More information

Epic. Epic Systems. Deployment Guide

Epic. Epic Systems. Deployment Guide Epic Systems Deployment Guide VERSION: 1.0 UPDATED: AUGUST 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies logo are

More information

NetApp HCI QoS and Mixed Workloads

NetApp HCI QoS and Mixed Workloads Technical Report NetApp HCI QoS and Mixed Workloads Stephen Carl, NetApp October 2017 TR-4632 Abstract This document introduces the NetApp HCI solution to infrastructure administrators and provides important

More information

Open Source Used In TSP

Open Source Used In TSP Open Source Used In TSP 3.5.11 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

More information

Security Gateway Virtual Edition

Security Gateway Virtual Edition Security Gateway Virtual Edition R75.20 Administration Guide 4 March 2012 Classification: [Restricted] 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation

More information

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN Issue 1.1 Date 2014-03-14 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or

More information

Endpoint Security. Administrator Guide Version NGX 7.0 GA

Endpoint Security. Administrator Guide Version NGX 7.0 GA Endpoint Security Administrator Guide Version NGX 7.0 GA January 9, 2008 2008 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

Security Management Server. Administration Guide Version R70

Security Management Server. Administration Guide Version R70 Security Management Server Administration Guide Version R70 701676 March 8, 2009 2003-2009 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected

More information

Nokia Intellisync Mobile Suite Client Guide. S60 Platform, 3rd Edition

Nokia Intellisync Mobile Suite Client Guide. S60 Platform, 3rd Edition Nokia Intellisync Mobile Suite Client Guide S60 Platform, 3rd Edition Published May 2008 COPYRIGHT Copyright 1997-2008 Nokia Corporation. All rights reserved. Nokia, Nokia Connecting People, Intellisync,

More information

SkyPilot OS Installation: Fedora Core 5

SkyPilot OS Installation: Fedora Core 5 SkyPilot OS Installation: Fedora Core 5 PN 671-00024-01 2006 SkyPilot Networks, Inc. All rights reserved This publication, or parts thereof, may not be reproduced in any form, by any method, for any purpose.

More information

Installing Enterprise Switch Manager

Installing Enterprise Switch Manager Installing Enterprise Switch Manager NN47300-300 Document status: Standard Document version: 0401 Document date: 26 March 2008 All Rights Reserved The information in this document is subject to change

More information

Installing Enterprise Switch Manager

Installing Enterprise Switch Manager Installing Enterprise Switch Manager ATTENTION Clicking on a PDF hyperlink takes you to the appropriate page If necessary, scroll up or down the page to see the beginning of the referenced section NN47300-300

More information

Nokia Intrusion Prevention with Sourcefire. Appliance Quick Setup Guide

Nokia Intrusion Prevention with Sourcefire. Appliance Quick Setup Guide Nokia Intrusion Prevention with Sourcefire Appliance Quick Setup Guide Part Number N450000567 Rev 001 Published September 2007 COPYRIGHT 2007 Nokia. All rights reserved. Rights reserved under the copyright

More information

NetApp Cloud Volumes Service for AWS

NetApp Cloud Volumes Service for AWS NetApp Cloud Volumes Service for AWS AWS Account Setup Cloud Volumes Team, NetApp, Inc. March 29, 2019 Abstract This document provides instructions to set up the initial AWS environment for using the NetApp

More information

How To Configure and Tune CoreXL on SecurePlatform

How To Configure and Tune CoreXL on SecurePlatform How To Configure and Tune CoreXL on SecurePlatform 10 April 2012 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 156-210 Title : Check Point CCSA NG Vendors : CheckPoint Version : DEMO

More information

JD Edwards EnterpriseOne Date Utility

JD Edwards EnterpriseOne Date Utility JD Edwards EnterpriseOne Date Utility June 2010 JD Edwards EnterpriseOne Date Utility Releases Xe thru 9.0 Copyright Notice Copyright 2010, Oracle and/or its affiliates. All rights reserved. Trademark

More information

Performance Characterization of ONTAP Cloud in Azure with Application Workloads

Performance Characterization of ONTAP Cloud in Azure with Application Workloads Technical Report Performance Characterization of ONTAP Cloud in NetApp Data Fabric Group, NetApp March 2018 TR-4671 Abstract This technical report examines the performance and fit of application workloads

More information

Preface. Audience. Cisco IOS Software Documentation. Organization

Preface. Audience. Cisco IOS Software Documentation. Organization This preface describes the audience, organization, and conventions of this publication, and provides information on how to obtain related documentation. Cisco documentation and additional literature are

More information

NetApp AltaVault Cloud-Integrated Storage Appliances

NetApp AltaVault Cloud-Integrated Storage Appliances Technical Report NetApp AltaVault Cloud-Integrated Storage Appliances Solution Deployment: AltaVault Christopher Wong, NetApp November 2017 TR-4422 Abstract This solution deployment guide outlines how

More information

OpenChoice Flexible Deployment. Centralized Management.

OpenChoice Flexible Deployment. Centralized Management. CHECK POINT APPLIANCE ECOSYSTEM OpenChoice Flexible Deployment. Centralized Management. Check Point provides customers with the greatest choice for deploying our award-winning security solutions. Customers

More information

Hyper-V - Windows 2012 and 8. Virtual LoadMaster for Microsoft Hyper-V on Windows Server 2012, 2012 R2 and Windows 8. Installation Guide

Hyper-V - Windows 2012 and 8. Virtual LoadMaster for Microsoft Hyper-V on Windows Server 2012, 2012 R2 and Windows 8. Installation Guide Virtual LoadMaster for Microsoft Hyper-V on Windows Server 2012, 2012 R2 and Windows 8 Installation Guide VERSION: 5.0 UPDATED: JANUARY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc..

More information

SOFTWARE LICENSE LIMITED WARRANTY

SOFTWARE LICENSE LIMITED WARRANTY ANALYTICAL TOOL GUIDE VERSION: 5..0..6 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any

More information

About This Guide. and with the Cisco Nexus 1010 Virtual Services Appliance: N1K-C1010

About This Guide. and with the Cisco Nexus 1010 Virtual Services Appliance: N1K-C1010 This guide describes how to use Cisco Network Analysis Module Traffic Analyzer 4.2 (NAM 4.2) software. This preface has the following sections: Chapter Overview, page xvi Audience, page xvii Conventions,

More information

RSA Two Factor Authentication

RSA Two Factor Authentication RSA Two Factor Authentication Feature Description VERSION: 6.0 UPDATED: JULY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies

More information

Basics (cont.) Characteristics of data communication technologies OSI-Model

Basics (cont.) Characteristics of data communication technologies OSI-Model 48 Basics (cont.) Characteristics of data communication technologies OSI-Model Topologies Packet switching / Circuit switching Medium Access Control (MAC) mechanisms Coding Quality of Service (QoS) 49

More information

Fujitsu ScandAll PRO V2.1.5 README

Fujitsu ScandAll PRO V2.1.5 README -------------------------------------------------------- Fujitsu ScandAll PRO V2.1.5 README -------------------------------------------------------- Copyright PFU Limited 2007-2017 This file contains information

More information

NetApp SolidFire Element OS. Setup Guide. Version March _A0

NetApp SolidFire Element OS. Setup Guide. Version March _A0 NetApp SolidFire Element OS Setup Guide Version 10.2 March 2018 215-12911_A0 doccomments@netapp.com Table of Contents 3 Contents SolidFire system overview... 4 Configuring a storage node... 5 Configuring

More information

Data Loss Prevention R71. Release Notes

Data Loss Prevention R71. Release Notes Data Loss Prevention R71 Release Notes 19 September 2010 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed

More information

HCI File Services Powered by ONTAP Select

HCI File Services Powered by ONTAP Select Technical Report HCI File Services Powered by ONTAP Select Quick Start Guide Aaron Patten, NetApp March 2018 TR-4669 Abstract NetApp ONTAP Select extends the NetApp HCI product, adding a rich set of file

More information

VPN-1 Power/UTM. Administration guide Version NGX R

VPN-1 Power/UTM. Administration guide Version NGX R VPN-1 Power/UTM Administration guide Version NGX R65.2.100 January 15, 2009 2003-2009 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by

More information

Edge Security Pack (ESP)

Edge Security Pack (ESP) Edge Security Pack (ESP) VERSION: 1.2 UPDATED: SEPTEMBER 2013 Copyright 2002-2013 KEMP Technologies, Inc. All Rights Reserved. Page 1 / 22 Copyright Notices Copyright 2002-2013 KEMP Technologies, Inc..

More information

Security Gateway Virtual Edition

Security Gateway Virtual Edition Security Gateway Virtual Edition R71 Release Notes 9 February 2012 Classification: [Restricted] 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are

More information

Cisco Unified Contact Center Express Historical Reporting Guide, Release 10.6(1)

Cisco Unified Contact Center Express Historical Reporting Guide, Release 10.6(1) Cisco Unified Contact Center Express Historical Reporting Guide, Release 10.6(1) First Published: December 15, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

Management Software Web Browser User s Guide

Management Software Web Browser User s Guide FS900M Series Fast Ethernet Switches Management Software Web Browser User s Guide 613-002073 Rev. A Copyright 2014, Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced

More information

TheGreenBow VPN Client ios User Guide

TheGreenBow VPN Client ios User Guide www.thegreenbow.com TheGreenBow VPN Client ios User Guide Property of TheGreenBow 2018 Table of Contents 1 Presentation... 3 1.1 TheGreenBow VPN Client... 3 1.2 TheGreenBow VPN Client main features...

More information

Cisco Unified Contact Center Express Historical Reporting Guide, Release 10.5(1)

Cisco Unified Contact Center Express Historical Reporting Guide, Release 10.5(1) Cisco Unified Contact Center Express Historical Reporting Guide, Release 10.5(1) First Published: June 11, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA

More information

10 ways to securely optimize your network. Integrate WAN acceleration with next-gen firewalls to enhance performance, security and control

10 ways to securely optimize your network. Integrate WAN acceleration with next-gen firewalls to enhance performance, security and control 10 ways to securely optimize your network Integrate WAN acceleration with next-gen firewalls to enhance performance, security and control Table of Contents Secure network optimization 3 #1. Application

More information

Networking Quality of service

Networking Quality of service System i Networking Quality of service Version 6 Release 1 System i Networking Quality of service Version 6 Release 1 Note Before using this information and the product it supports, read the information

More information

How to Connect with SSL Network Extender using a Certificate

How to Connect with SSL Network Extender using a Certificate How to Connect with SSL Network Extender using a Certificate 29 August 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

Performance Characterization of ONTAP Cloud in Amazon Web Services with Application Workloads

Performance Characterization of ONTAP Cloud in Amazon Web Services with Application Workloads Technical Report Performance Characterization of ONTAP Cloud in Amazon Web Services with Application Workloads NetApp Data Fabric Group, NetApp March 2018 TR-4383 Abstract This technical report examines

More information

JD Edwards World EDI Error Notification. Version A9.2

JD Edwards World EDI Error Notification. Version A9.2 JD Edwards World EDI Error Notification Version A9.2 Revised June 8, 2009 Copyright Notice Copyright 2009, Oracle. All rights reserved. Trademark Notice Oracle is a registered trademark of Oracle Corporation

More information

CHECK POINT TOTAL SECURITY APPLIANCES. Flexible Deployment. Centralized Management.

CHECK POINT TOTAL SECURITY APPLIANCES. Flexible Deployment. Centralized Management. CHECK POINT TOTAL SECURITY APPLIANCES Flexible Deployment. Centralized Management. Check Point appliances deliver a powerful turnkey solution for deploying Check Point awardwinning software solutions to

More information

StoneGate Management Center. Release Notes for Version 5.1.4

StoneGate Management Center. Release Notes for Version 5.1.4 StoneGate Management Center Release Notes for Version 5.1.4 Created: August 20, 2010 Table of Contents What s New... 3 Enhancements... 3 Fixes... 3 Major Changes Introduced in Version 5.1... 4 System Requirements...

More information

OnCommand Unified Manager 7.2: Best Practices Guide

OnCommand Unified Manager 7.2: Best Practices Guide Technical Report OnCommand Unified : Best Practices Guide Dhiman Chakraborty August 2017 TR-4621 Version 1.0 Abstract NetApp OnCommand Unified is the most comprehensive product for managing and monitoring

More information

Stonesoft Firewall/VPN Express. Release Notes for Version 5.5.2

Stonesoft Firewall/VPN Express. Release Notes for Version 5.5.2 Stonesoft Firewall/VPN Express Release Notes for Version 5.5.2 Created: September 24, 2013 Table of Contents What s New... 3 Fixes... 3 System Requirements... 4 Stonesoft Firewall/VPN Appliances... 4 Build

More information

Cisco 1000 Series Connected Grid Routers QoS Software Configuration Guide

Cisco 1000 Series Connected Grid Routers QoS Software Configuration Guide Cisco 1000 Series Connected Grid Routers QoS Software Configuration Guide January 17, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Volume Move Express Guide

Volume Move Express Guide ONTAP 9 Volume Move Express Guide June 2018 215-11197_G0 doccomments@netapp.com Table of Contents 3 Contents Deciding whether to use this guide... 4 Volume move workflow... 5 Planning the method and timing

More information

Application Note How to use Quality of Service

Application Note How to use Quality of Service Application Note How to use Quality of Service This application note describes how to use Quality of Service. The document consists of standard instructions that may not fit your particular solution. Please

More information

Provider-1/SiteManager-1. Version NGX R62

Provider-1/SiteManager-1. Version NGX R62 Provider-1/SiteManager-1 Version NGX R62 December 27, 2006 2003-2006 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed

More information

VPN-1 Power VSX VSX NGX R65 HFA 10. Release Notes

VPN-1 Power VSX VSX NGX R65 HFA 10. Release Notes VPN-1 Power VSX VSX NGX R65 HFA 10 Release Notes 12 November, 2009 More Information To view the latest version of this document, see the User Center (http://supportcontent.checkpoint.com/documentation_download?=10363).

More information

Simba Cassandra ODBC Driver with SQL Connector

Simba Cassandra ODBC Driver with SQL Connector Simba Cassandra ODBC Driver with SQL Connector Last Revised: March 26, 2013 Simba Technologies Inc. Copyright 2012-2013 Simba Technologies Inc. All Rights Reserved. Information in this document is subject

More information

Cisco TEO Adapter Guide for SAP Java

Cisco TEO Adapter Guide for SAP Java Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part

More information

Avaya VPN Client Software Release 10.05_100

Avaya VPN Client Software Release 10.05_100 Avaya VPN Client Software Release 10.05_100 1. Release Summary Release Date: September 1 st, 2011 Purpose: Software maintenance release to address customer requests and software issues. 2. Important Notes

More information

StoneGate Management Center. Release Notes for Version 5.3.2

StoneGate Management Center. Release Notes for Version 5.3.2 StoneGate Management Center Release Notes for Version 5.3.2 Created: September 21, 2011 Table of Contents What s New... 3 Enhancements... 3 Fixes... 3 Other Changes... 4 System Requirements... 5 Basic

More information

One Identity Manager Administration Guide for Connecting to SharePoint

One Identity Manager Administration Guide for Connecting to SharePoint One Identity Manager 8.0.2 Administration Guide for Connecting to Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Performance Pack. Administration Guide Version R70. March 8, 2009

Performance Pack. Administration Guide Version R70. March 8, 2009 Performance Pack TM Administration Guide Version R70 March 8, 2009 2003-2009 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

File Servant User Manual

File Servant User Manual File Servant User Manual Serve files over FTP and HTTP - at the snap of a finger! File Servant is free software (see copyright notice below). This document was last revised Monday 28 February 2011. Creator:

More information

LoadMaster Clustering

LoadMaster Clustering Introduction LoadMaster Clustering Feature Description VERSION: 9.0 UPDATED: JULY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

SOFTWARE LICENSE LIMITED WARRANTY

SOFTWARE LICENSE LIMITED WARRANTY CYBEROAM INSTALLATION GUIDE VERSION: 5..0..6 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty

More information

Nokia Horizon Manager Release Notes. Version1.4 SP1

Nokia Horizon Manager Release Notes. Version1.4 SP1 Nokia Horizon Manager Release Notes Version1.4 SP1 Part No. N450000005 Rev 001 November 2005 Nokia Contact Information Corporate Headquarters Web Site Telephone http://www.nokia.com 1-888-477-4566 or 1-650-625-2000

More information

Migrating Performance Data to NetApp OnCommand Unified Manager 7.2

Migrating Performance Data to NetApp OnCommand Unified Manager 7.2 Technical Report Migrating Performance Data to NetApp OnCommand Unified Manager 7.2 Dhiman Chakraborty, Yuvaraju B, Tom Onacki, NetApp March 2018 TR-4589 Version 1.2 Abstract NetApp OnCommand Unified Manager

More information

Version 2.0 HOW-TO GUIDELINES. Setting up a Clustered VPN between StoneGate and Check Point NG TECHN11SG2.1-3/4/03

Version 2.0 HOW-TO GUIDELINES. Setting up a Clustered VPN between StoneGate and Check Point NG TECHN11SG2.1-3/4/03 Version 2.0 HOW-TO GUIDELINES Setting up a Clustered VPN between StoneGate and Check Point NG TECHN11SG2.1-3/4/03 Introduction This document outlines the steps necessary to set up a clustered site-to-site

More information

Replacing drives for SolidFire storage nodes

Replacing drives for SolidFire storage nodes NetApp Replacing drives for SolidFire storage nodes You can hot-swap a failed solid-state disk (SSD) drive with a replacement drive. Before you begin You have a replacement drive. You have an electrostatic

More information

Silver Peak EC-V and Microsoft Azure Deployment Guide

Silver Peak EC-V and Microsoft Azure Deployment Guide Silver Peak EC-V and Microsoft Azure Deployment Guide How to deploy an EC-V in Microsoft Azure 201422-001 Rev. A September 2018 2 Table of Contents Table of Contents 3 Copyright and Trademarks 5 Support

More information