Check Point QoS
Administration Guide
Version NGX R65
700726 March 2007

© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point
Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement,
Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1,
FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless
Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management,
Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer,
SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro,
SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering,
TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power,
VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web
Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router,
Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check
Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The
products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by
other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.



Table of Contents 5
Contents
Preface
Who Should Use This Guide 10
Summary of Contents 11
Appendices 11
Related Documentation 12
More Information 15
Feedback 16
Chapter 1 Overview
What is Quality of Service 18
Internet Bandwidth Management Technologies 19
Overview 19
Superior QoS Solution Requirements 19
Benefits of a Policy-Based Solution 20
How Does Check Point Deliver QoS 21
Features and Benefits 23
Traditional Check Point QoS vs. Check Point QoS Express 24
Workflow 26
Chapter 2 Introduction to Check Point QoS
Check Point QoS’s Innovative Technology 30
Technology Overview 31
Check Point QoS Architecture 33
Basic Architecture 33
Check Point QoS Configuration 35
Concurrent Sessions 38
Interaction with VPN-1 Pro and VPN-1 Net 39
Interoperability 39
Chapter 3 Basic QoS Policy Management
Overview 42

Rule Base Management 43
Overview 43
Connection Classification 44
Network Objects 44
Services and Resources 45
Time Objects 45
Bandwidth Allocation and Rules 45
Default Rule 47
QoS Action Properties 47
Example of a Rule Matching VPN Traffic 48
Bandwidth Allocation and Sub-Rules 49
Implementing the Rule Base 51
To Verify and View the QoS Policy 51
To Install and Enforce the Policy 51
To Uninstall the QoS Policy 52
To Monitor the QoS Policy 52
Chapter 4 Check Point QoS Tutorial
Introduction 54
Building and Installing a QoS Policy 56
Step 1: Installing Check Point Modules 57
Step 2: Starting SmartDashboard 57
To Start SmartDashboard 58
Step 3: Determining QoS Policy 61
Step 4: Defining the Network Objects 61
To Define the Gateway London 62
To Define the Interfaces on Gateway London 66
To Define the QoS Properties for the Interfaces on Gateway London 72
Step 5: Defining the Services 73
Step 6: Creating a Rule Base 73

To Create a New Policy Package 74
To Create New Rules 75
To Modify New Rules 76
Step 7: Installing a QoS Policy 82
Conclusion 84
Chapter 5 Advanced QoS Policy Management
Overview 86
Examples: Guarantees and Limits 87
Per Rule Guarantees 87
Per Connections Guarantees 90
Limits 91
Guarantee - Limit Interaction 91
Differentiated Services (DiffServ) 93
Overview 93
DiffServ Markings for IPSec Packets 93
Interaction Between DiffServ Rules and Other Rules 94
Low Latency Queuing 95
Overview 95
Low Latency Classes 95
Interaction between Low Latency and Other Rule Properties 100
When to Use Low Latency Queuing 101
Low Latency versus DiffServ 102
Authenticated QoS 103
Citrix MetaFrame Support 104
Overview 104
Limitations 105
Load Sharing 106
Overview 106
Check Point QoS Cluster Infrastructure 107

Chapter 6 Managing Check Point QoS
Defining QoS Global Properties 112
To Modify the QoS Global Properties 112
Specifying Interface QoS Properties 114
To Define the Interface QoS Properties 114
Editing QoS Rule Bases 118
To Create a New Policy Package 118
To Open an Existing Policy Package 119
To Add a Rule 119
To Rename a Rule 121
To Copy, Cut or Paste a Rule 121
To Delete a Rule 122
Modifying Rules 123
Modifying Sources in a Rule 123
Modifying Destinations in a Rule 126
Modifying Services in a Rule 128
Modifying Rule Actions 130
Modifying Tracking for a Rule 135
Modifying Install On for a Rule 135
Modifying Time in a Rule 138
Adding Comments to a Rule 140
Defining Sub-Rules 142
Working with Differentiated Services (DiffServ) 144
To Define a DiffServ Class of Service 145
To Define a DiffServ Class of Service Group 146
To Add QoS Class Properties for Expedited Forwarding 147
To Add QoS Class Properties for Non Expedited Forwarding 148
Working with Low Latency Classes 150
To Implement Low Latency Queuing 150
To Define Low Latency Classes of Service 151

To Define Class of Service Properties for Low Latency Queuing 151
Working with Authenticated QoS 153
To Use Authenticated QoS 153
Managing QoS for Citrix ICA Applications 155
Disabling Session Sharing 155
Modifying your Security Policy 156
Discovering Citrix ICA Application Names 157
Defining a New Citrix TCP Service 160
Adding a Citrix TCP Service to a Rule (Traditional Mode Only) 161
Installing the Security and QoS Policies 161
Managing QoS for Citrix Printing 162
Configuring a Citrix Printing Rule (Traditional Mode Only) 162
Configuring Check Point QoS Topology 163
Viewing the Check Point QoS Modules Status 164
To Display the Status of Check Point QoS Modules Controlled by the SmartCenter Server 164
Enabling Log Collection 165
To Turn on QoS Logging 165
To Confirm that the Rule is Marked for Logging 166
To Start SmartView Tracker 167
Chapter 7 SmartView Tracker
Overview of Logging 170
Examples of Log Events 174
Connection Reject Log 174
LLQ Drop Log 174
Pool Exceeded Log 175
Examples of Account Statistics Logs 177
General Statistics Data 177
Drop Policy Statistics Data 178

LLQ Statistics Data 178
Chapter 8 Command Line Interface
Check Point QoS Commands 180
Setup 181
fgate Menu 182
Control 183
Monitor 185
Utilities 187
Chapter 9 Check Point QoS FAQ (Frequently Asked Questions)
Questions and Answers 190
Introduction 190
Check Point QoS Basics 191
Other Check Point Products - Support and Management 194
Policy Creation 195
Capacity Planning 196
Protocol Support 197
Installation/Backward Compatibility/Licensing/Versions 198
How do I? 198
General Issues 199
Chapter 10 Deploying Check Point QoS
Deploying Check Point QoS 202
Check Point QoS Topology Restrictions 202
Sample Bandwidth Allocations 204
Frame Relay Network 204
Appendix A Debug Flags
fw ctl debug -m FG-1 Error Codes for Check Point QoS 208
Index 217
Preface
In This Chapter
Who Should Use This Guide page 10
Summary of Contents page 11
Related Documentation page 12
More Information page 15
Feedback page 16
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network
security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).
Summary of Contents
This guide describes QoS components and contains the following chapters and
appendices.
Table A-1
Chapter  Description
Chapter 1, “Overview”  presents an overview of Quality of Service and how it is delivered by Check Point QoS.
Chapter 2, “Introduction to Check Point QoS”  presents an overview of QoS, including technologies and architecture.
Chapter 3, “Basic QoS Policy Management”  describes how to manage a basic FloodGate-1 QoS Policy Rule Base.
Chapter 4, “Check Point QoS Tutorial”  is a short tutorial describing how to define a QoS Policy.
Chapter 5, “Advanced QoS Policy Management”  describes the more advanced policy management features of Check Point QoS that enable you to refine basic QoS policies.
Chapter 6, “Managing Check Point QoS”  describes how to manage QoS, including modifying and changing policies and rules.
Chapter 7, “SmartView Tracker”  describes the features and tools that are available for monitoring Check Point QoS.
Chapter 8, “Command Line Interface”  discusses how to work with Check Point QoS via the Command Line.
Chapter 9, “Check Point QoS FAQ (Frequently Asked Questions)”  is a compilation of frequently asked questions and their answers.
Chapter 10, “Deploying Check Point QoS”  describes how to deploy Check Point QoS and provides sample bandwidth allocations.
Appendices
This guide contains the following appendices.
Table A-2
Appendix  Description
Appendix A, “Debug Flags”  contains a list of debugging error codes.
Related Documentation
The NGX R65 release includes the following documentation:
TABLE P-1 VPN-1 Power documentation suite
Title  Description
Internet Security Product Suite Getting Started Guide  Contains an overview of NGX R65 and step-by-step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
Upgrade Guide  Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
SmartCenter Administration Guide  Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.
Firewall and SmartDefense Administration Guide  Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.
Virtual Private Networks Administration Guide  This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Eventia Reporter Administration Guide  Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
SecurePlatform™/SecurePlatform Pro Administration Guide  Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
Provider-1/SiteManager-1 Administration Guide  Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.
TABLE P-2 Integrity Server documentation
Title  Description
Integrity Advanced Server Installation Guide  Explains how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Console Reference  Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
Integrity Advanced Server Administrator Guide  Explains how to manage administrators and endpoint security with Integrity Advanced Server.
Integrity Advanced Server Gateway Integration Guide  Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.
Integrity Advanced Server System Requirements  Provides information about client and server requirements.
Integrity Agent for Linux Installation and Configuration Guide  Explains how to install and configure Integrity Agent for Linux.
Integrity XML Policy Reference Guide  Provides the contents of Integrity client XML policy files.
Integrity Client Management Guide  Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.
More Information
• For additional technical information about Check Point products, consult Check
Point’s SecureKnowledge.
• See the latest version of this document in the User Center.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please
help us by sending your comments to:

Chapter 1 Overview
In This Chapter
What is Quality of Service page 18
Internet Bandwidth Management Technologies page 19
How Does Check Point Deliver QoS page 21
Features and Benefits page 23
Traditional Check Point QoS vs. Check Point QoS Express page 24
Workflow page 26
What is Quality of Service
Quality of Service is a set of intelligent network protocols and services that are
used to efficiently manage the movement of information through local or wide
area networks. QoS services sort and classify flows into different traffic classes, and
allocate resources to network traffic flows based on user or application ID, source
or destination IP address, time of day, application-specific parameters, and other
user-specified variables.
Fundamentally, QoS enables you to provide better service to certain flows. This is
done by either raising the priority of a flow or limiting the priority of another flow.
Internet Bandwidth Management Technologies
In This Section
Overview page 19
Superior QoS Solution Requirements page 19
Benefits of a Policy-Based Solution page 20
Overview
When you connect your network to the Internet, it is most important to make
efficient use of the available bandwidth. An effective bandwidth management
policy ensures that even at times of network congestion, bandwidth is allocated in
accordance with enterprise priorities.
In the past, network bandwidth problems have been addressed either by adding
more bandwidth (an expensive and usually short term “solution”) or by router
queuing, which is ineffective for complex modern Internet protocols.
Superior QoS Solution Requirements
In order to provide effective bandwidth management, a bandwidth management tool
must track and control the flow of communication passing through, based on
information derived from all communication layers and from other applications.

An effective bandwidth management tool must address all of the following issues:
• Fair Prioritization
It is not sufficient to simply prioritize communications, for example, to specify
a higher priority for HTTP than for SMTP. The result may well be that all
bandwidth resources are allocated to one service and none to another. A
bandwidth management tool must be able to divide the available resources so
that more important services are allocated more bandwidth, but all services are
allocated some bandwidth.
• Minimum Bandwidth
A bandwidth management tool must be able to guarantee a service’s minimum
required bandwidth. It must also be able to allocate bandwidth preferentially,
for example, to move a company’s video conference to the “head of the line” in
preference to all other internet traffic.
• Classification
A bandwidth management tool must be able to accurately classify
communications. However, simply examining a packet in isolation does not
provide all the information needed to make an informed decision. State
information — derived from past communications and other applications — is
also required. A packet’s contents, the communication state and the application
state (derived from other applications) must all be considered when making
control decisions.
Benefits of a Policy-Based Solution
Based on the principles discussed in the previous section, there are basically three
ways to improve the existing best-effort service that enterprise networks and ISPs
deliver today:

• Add more bandwidth to the network.
• Prioritize network traffic at the edges of the network.
• Guarantee QoS by enforcing a set of policies that are based on business
priorities (policy-based network management) throughout the network.
Of these, only policy-based network management provides a comprehensive QoS
solution by:
• Using policies to determine the level of service that applications or customers
need.
• Prioritizing network requests.
• Guaranteeing levels of service.
How Does Check Point Deliver QoS
Check Point QoS (previously called FloodGate-1), a policy-based QoS management
solution from Check Point Software Technologies Ltd., satisfies your needs for a
bandwidth management solution. Check Point QoS is a unique, software-only based
application that manages traffic end-to-end across networks, by distributing
enforcement throughout network hardware and software.
Check Point QoS enables you to prioritize business-critical traffic, such as ERP,
database and Web services traffic, over less time-critical traffic. Check Point QoS
allows you to guarantee bandwidth and control latency for streaming applications,
such as Voice over IP (VoIP) and video conferencing. With highly granular controls,
Check Point QoS also enables guaranteed or priority access to specific employees,
even if they are remotely accessing network resources through a VPN tunnel.
Check Point QoS is deployed with VPN-1® Pro. These integrated solutions provide
QoS for both VPN and unencrypted traffic to maximize the benefit of a secure,
reliable, low-cost VPN network.
Figure 1-1 Check Point QoS Deployment
Check Point QoS leverages the industry's most advanced traffic inspection and
bandwidth control technologies. Check Point-patented Stateful Inspection
technology captures and dynamically updates detailed state information on all
network traffic. This state information is used to classify traffic by service or
application. After a packet has been classified, Check Point QoS applies QoS to the
packet by means of an innovative, hierarchical, Weighted Fair Queuing (WFQ)
algorithm to precisely control bandwidth allocation.
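The requirements listed earlier (fair prioritization, a guaranteed minimum per service, and limits) and the weight-based allocation this paragraph attributes to WFQ are easier to reason about with numbers. The following Python model is an added example, not Check Point code and not its hierarchical WFQ packet scheduler: it computes a steady-state allocation by progressive filling, where every class first receives its guarantee and the remaining bandwidth is split in proportion to weights until a class hits its demand or limit. The class names, weights, demands, guarantees and the 1000-unit link are constructed values chosen to make the arithmetic come out whole.

```python
"""Illustrative weighted fair sharing with guarantees and limits.

Added example: a steady-state model of the fair-prioritization, minimum-bandwidth
and limit behaviour described in the text. It is NOT Check Point's hierarchical
WFQ scheduler; class names, weights, demands and the link size are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

EPS = 1e-9


@dataclass
class TrafficClass:
    name: str
    weight: int                   # relative share of bandwidth left after guarantees (> 0)
    demand: float                 # bandwidth the class would use if unconstrained
    guarantee: float = 0.0        # minimum reserved for the class ("Guarantees")
    limit: float = float("inf")   # hard ceiling for the class ("Limits")


def allocate(link: float, classes: list[TrafficClass]) -> dict[str, float]:
    """Return the bandwidth each class receives on a link of the given size.

    Step 1 reserves each class's guarantee (never more than it demands or is
    allowed). Step 2 hands out the remainder by progressive filling: every
    unsaturated class grows in proportion to its weight until either the link
    is full or some class reaches its cap, at which point that class drops out
    and the others keep sharing. Every class with demand therefore gets some
    bandwidth, which strict prioritization would not give.
    """
    cap = {c.name: min(c.demand, c.limit) for c in classes}
    alloc = {c.name: min(c.guarantee, cap[c.name]) for c in classes}
    spare = link - sum(alloc.values())
    if spare < -EPS:
        raise ValueError("guarantees exceed link capacity")
    while spare > EPS:
        open_classes = [c for c in classes if cap[c.name] - alloc[c.name] > EPS]
        if not open_classes:
            break                       # everyone is satisfied; link stays idle
        total_weight = sum(c.weight for c in open_classes)
        # Largest per-weight increment that neither overfills the link nor
        # pushes any open class past its cap.
        step = min(spare / total_weight,
                   min((cap[c.name] - alloc[c.name]) / c.weight for c in open_classes))
        for c in open_classes:
            alloc[c.name] += step * c.weight
        spare -= step * total_weight
    return alloc


def fair_share_example() -> dict[str, float]:
    """Four constructed classes on a 1000-unit link: VoIP with a 300-unit
    guarantee, HTTP capped at 400 despite its large weight, SMTP unconstrained,
    FTP demanding very little."""
    classes = [
        TrafficClass("voip", weight=10, demand=400, guarantee=300),
        TrafficClass("http", weight=30, demand=2000, limit=400),
        TrafficClass("smtp", weight=10, demand=2000),
        TrafficClass("ftp", weight=10, demand=50),
    ]
    return allocate(1000, classes)


def guarantee_example() -> dict[str, dict[str, float]]:
    """The same two constructed classes with and without a guarantee on the
    low-weight VoIP class, showing how a guarantee moves it to the head of
    the line even though its weight alone would leave it almost starved."""
    with_g = allocate(1000, [TrafficClass("voip", 1, 400, guarantee=300),
                             TrafficClass("http", 9, 2000)])
    without_g = allocate(1000, [TrafficClass("voip", 1, 400),
                                TrafficClass("http", 9, 2000)])
    return {"with_guarantee": with_g, "without_guarantee": without_g}


if __name__ == "__main__":
    for name, bw in fair_share_example().items():
        print(f"{name:5s} {bw:7.1f}")
    print(guarantee_example())
```

In the four-class scenario HTTP would take over 600 units on weight alone but is held at its 400-unit limit, FTP gets the 50 it asked for, and the leftover flows to SMTP; in the two-class scenario the guarantee lifts VoIP from 100 to 370 units. The model is deliberately a steady-state approximation: a real WFQ scheduler reaches these proportions packet by packet and also governs latency, which this arithmetic does not capture.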
Features and Benefits
Check Point QoS provides the following features and benefits:
• Flexible QoS policies with weights, limits and guarantees: Check Point QoS
enables you to develop basic policies specific to your requirements. These basic
policies can be modified at any time to incorporate any of the Advanced Check
Point QoS features described in this section.
• Integration with VPN-1 Power or VPN-1 Net: optimize network performance for
VPN and unencrypted traffic. The integration of an organization’s security and
bandwidth management policies enables easier policy definition and system
configuration.
• Performance analysis through SmartView Tracker: monitor the performance of
your system by means of log entries recorded in SmartView Tracker.
• Integrated DiffServ support: add one or more DiffServ Classes of Service to the
QoS Policy Rule Base.
• Integrated Low Latency Queuing: define special classes of service for “delay
sensitive” applications like voice and video to the QoS Policy Rule Base.
• Integrated Authenticated QoS: provide QoS for end-users in dynamic IP
environments, such as remote access and DHCP environments.
• Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA
protocol.
• No need to deploy separate VPN, Firewall and QoS devices: Check Point QoS
and VPN-1 Power share a similar architecture and many core technology
components, therefore users can utilize the same user-defined network objects
in both solutions.
• Proactive management of network costs: Check Point QoS’s monitoring systems
enable you to be proactive in managing your network and thus controlling
network costs.
• Support for end-to-end QoS for IP networks: Check Point QoS offers complete
support for end-to-end QoS for IP networks by distributing enforcement
throughout network hardware and software.
Traditional Check Point QoS vs. Check Point QoS Express
Both Traditional and Express modes of Check Point QoS are included in every
product installation. Express mode enables you to define basic policies quickly and
easily and thus “get up and running” without delay. Traditional mode incorporates
the more advanced features of Check Point QoS.
You choose between Traditional and Express mode each time you install a new
policy.
Table 1-1 shows a comparative table of the features of the Traditional and Express
modes of Check Point QoS.
Table 1-1 Check Point QoS Traditional Features vs. Check Point QoS Express Features
Feature  Check Point QoS Traditional  Check Point QoS Express  Find out more
Weights * * “Weight” on page 45
Limits (whole rule) * * “Limits” on page 46
Guarantees (whole rule) * * “Guarantees” on page 46
Authenticated QoS * “Authenticated QoS” on page 103
Logging * * “Overview of Logging” on page 170
Accounting * *
Supported by VPN-1 UTM Edge Gateways * Check Point VPN-1 UTM Edge Management Solutions Administration Guide
Support of platforms and HW accelerator * *
High Availability and Load Sharing * *
Guarantee (Per connection) * “Per Connections Guarantees” on page 90
Limit (Per connection) * “Limits” on page 46
LLQ (controlling packet delay in Check Point QoS) * “Low Latency Queuing” on page 95
DiffServ * “Differentiated Services (DiffServ)” on page 93
Sub-rules *
Matching by URI resources *
Matching by DNS string *
TCP Retransmission Detection Mechanism (RDED) *
Matching Citrix ICA Applications *
