checkpoint ngx qos

Post on 05-Apr-2018

  • 7/31/2019 Checkpoint NGX QoS

    1/188

    Check Point QoS

    NGX (R60)

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at:

    http://support.checkpoint.com/kb/

    See the latest version of this document in the User Center at:

    http://www.checkpoint.com/support/technical/documents/docs_r60.html

    Part No.: 700726

    April 2005


    Check Point Software Technologies Ltd.

    U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]

    International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

    2003-2005 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    2003-2005 Check Point Software Technologies Ltd. All rights reserved.

    Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    THIRD PARTIES:

    Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

    Verisign is a trademark of Verisign Inc.

    The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty.

    Copyright Sax Software (terminal emulation only).

    The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

    Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

    Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The Open Group.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

    THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Copyright 1998 The Open Group.

    The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

    1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

    2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

    3. This notice may not be removed or altered from any source distribution.

    The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

    The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

    Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

    The curl license

    COPYRIGHT AND PERMISSION NOTICE

    Copyright (c) 1996 - 2004, Daniel Stenberg. All rights reserved.

    Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

    The PHP License, version 3.0

    Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

    4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".

    5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

    6. Redistributions of any form whatsoever must retain the following acknowledgment:

    "This product includes PHP, freely available from ".

    THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

    For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .

    This product includes software written by Tim Hudson ([email protected]).

    Copyright (c) 2003, Itai Tzur

    All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.

    Confidential Copyright Notice

    Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

    Trademark Notice

    The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

    U.S. Government Restricted Rights

    The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

    Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

    Warranty Disclaimer

    THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

    Limitation of Liability

    UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

    Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

    BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

    Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release


    Table Of Contents

    Chapter 1 Overview

    Summary of Contents 11

    What is Quality of Service 12

    Internet Bandwidth Management Technologies 12

    Overview 12

    Superior QoS Solution Requirements 13

    Benefits of a Policy-Based Solution 13

    How Does Check Point Deliver QoS 14

    Features and Benefits 15

    Traditional Check Point QoS vs. Check Point QoS Express 16

    Workflow 17

    Chapter 2 What's New in Check Point QoS

    What's New in Check Point QoS 19

    Support of Windows Groups Using Authenticated QoS 19

    Citrix ICA Support 19

    Performance Enhancements 19

    Load Sharing 20

    VPN-1 Net Support 20

    Chapter 3 Introduction to Check Point QoS

    Check Point QoS's Innovative Technology 21

    Technology Overview 22

    Check Point QoS Architecture 24

    Basic Architecture 24

    Check Point QoS Configuration 27

    Concurrent Sessions 29

    Interaction with VPN-1 Pro and VPN-1 Net 29

    Interoperability 29

    Chapter 4 Basic QoS Policy Management

    Overview 31

    Rule Base Management 31

    Overview 32

    Connection Classification 33

    Network Objects 33

    Services and Resources 34

    Time Objects 34

    Bandwidth Allocation and Rules 34

    Default Rule 35

    QoS Action Properties 36


    Example of a Rule Matching VPN Traffic 37

    Bandwidth Allocation and Sub-Rules 37

    Implementing the Rule Base 39

    To Verify and View the QoS Policy 39

    To Install and Enforce the Policy 39

    To Uninstall the QoS Policy 40

    To Monitor the QoS Policy 40

    Chapter 5 Check Point QoS Tutorial

    Introduction 41

    Building and Installing a QoS Policy 43

    Step 1: Installing Check Point Modules 44

    Step 2: Starting SmartDashboard 44

    To Start SmartDashboard 45

    Step 3: Determining QoS Policy 48

    Step 4: Defining the Network Objects 48

    To Define the Gateway London 49

    To Define the Interfaces on Gateway London 52

    To Define the QoS Properties for the Interfaces on Gateway London 58

    Step 5: Defining the Services 59

    Step 6: Creating a Rule Base 59

    To Create a New Policy Package 60

    To Create New Rules 60

    To Modify New Rules 62

    Step 7: Installing a QoS Policy 67

    Conclusion 68

    Chapter 6 Advanced QoS Policy Management

    Overview 69

    Examples: Guarantees and Limits 69

    Per Rule Guarantees 70

    Per Connections Guarantees 73

    Limits 74

    Guarantee - Limit Interaction 74

    Differentiated Services (DiffServ) 75

    Overview 76

    DiffServ Markings for IPSec Packets 76

    Interaction Between DiffServ Rules and Other Rules 76

    Low Latency Queuing 77

    Overview 77

    Low Latency Classes 78

    Interaction between Low Latency and Other Rule Properties 82

    When to Use Low Latency Queuing 83

    Low Latency versus DiffServ 83

    Authenticated QoS 84

    Citrix MetaFrame Support 85

    Overview 85

    Limitations 85


    Load Sharing 86

    Overview 86

    Check Point QoS Cluster Infrastructure 87

    Chapter 7 Managing Check Point QoS

    Defining QoS Global Properties 92

    To Modify the QoS Global Properties 92

    Specifying Interface QoS Properties 94

    To Define the Interface QoS Properties 94

    Editing QoS Rule Bases 98

    To Create a New Policy Package 98

    To Open an Existing Policy Package 99

    To Add a Rule 99

    To Rename a Rule 101

    To Copy, Cut or Paste a Rule 101

    To Delete a Rule 101

    Modifying Rules 103

    Modifying Sources in a Rule 104

    Modifying Destinations in a Rule 107

    Modifying Services in a Rule 109

    Modifying Rule Actions 112

    Modifying Tracking for a Rule 117

    Modifying Install On for a Rule 118

    Modifying Time in a Rule 121

    Adding Comments to a Rule 124

    Defining Sub-Rules 125

    Working with Differentiated Services (DiffServ) 126

    To Define a DiffServ Class of Service 127

    To Define a DiffServ Class of Service Group 128

    To Add QoS Class Properties for Expedited Forwarding 129

    To Add QoS Class Properties for Non Expedited Forwarding 130

    Working with Low Latency Classes 131

    To Implement Low Latency Queuing 132

    To Define Low Latency Classes of Service 133

    To Define Class of Service Properties for Low Latency Queuing 133

    Working with Authenticated QoS 134

    To Use Authenticated QoS 134

    Managing QoS for Citrix ICA Applications 135

    Disabling Session Sharing 136

    Modifying your Security Policy 137

    Discovering Citrix ICA Application Names 137

    Defining a New Citrix TCP Service 140

    Adding a Citrix TCP Service to a Rule (Traditional Mode Only) 140

    Installing the Security and QoS Policies 141

    Managing QoS for Citrix Printing 141

    Configuring a Citrix Printing Rule (Traditional Mode Only) 142

    Configuring Check Point QoS Topology 142

    Viewing the Check Point QoS Modules' Status 143

    To Display the Status of Check Point QoS Modules Controlled by the SmartCenter Server 143

    Enabling Log Collection 143

    To Turn on QoS Logging 143

    To Confirm that the Rule is Marked for Logging 144

    To Start the SmartView Tracker 144

    Chapter 8 SmartView Tracker

    Overview of Logging 147

    Examples of Log Events 150

    Connection Reject Log 150

    LLQ Drop Log 150

    Pool Exceeded Log 151

    Examples of Account Statistics Logs 152

    General Statistics Data 152

    Drop Policy Statistics Data 153

    LLQ Statistics Data 153

    Chapter 9 Command Line Interface

    Check Point QoS Commands 155

    Setup 156

    fgate Menu 156

    Control 157

    Monitor 158

    Utilities 160

    Chapter 10 Check Point QoS FAQ (Frequently Asked Questions)

    Questions and Answers 163

    Introduction 164

    Check Point QoS Basics 164

    Other Check Point Products - Support and Management 167

    Hardware Support 169

    Policy Creation 169

    Capacity Planning 171

    Protocol Support 172

    Installation/Backward Compatibility/Licensing/Versions 173

    How do I? 173

    General Issues 176

    Chapter 11 Deploying Check Point QoS

    Deploying Check Point QoS 177

    Check Point QoS Topology Restrictions 177

    Sample Bandwidth Allocations 179

    Frame Relay Network 179

    Appendix A Debug Flags

    fw ctl debug -m FG-1 Error Codes for Check Point QoS 183

    CHAPTER 1

    Overview

    In This Chapter

    Summary of Contents page 11

    What is Quality of Service page 12

    Internet Bandwidth Management Technologies page 12

    How Does Check Point Deliver QoS page 14

    Features and Benefits page 15

    Traditional Check Point QoS vs. Check Point QoS Express page 16

    Workflow page 17

    Summary of Contents

    Chapter 1, Overview, presents an overview of Quality of Service and how it is delivered by Check Point QoS.

    Chapter 2, What's New in Check Point QoS, presents an overview of the new features of FloodGate-1.

    Chapter 3, Introduction to Check Point QoS, presents an overview of FloodGate-1, including technologies and architecture.

    Chapter 4, Basic QoS Policy Management, describes how to manage a basic FloodGate-1 QoS Policy Rule Base.

    Chapter 5, Check Point QoS Tutorial, is a short tutorial describing how to define a QoS Policy.

    Chapter 6, Advanced QoS Policy Management, describes the more advanced policy management features of Check Point QoS that enable you to refine basic QoS policies.

    Chapter 7, Managing Check Point QoS, describes how to manage FloodGate-1, including modifying and changing policies and rules.

    Chapter 8, SmartView Tracker, describes the features and tools that are available for monitoring Check Point QoS.

    Chapter 9, Command Line Interface, discusses how to work with Check Point QoS via the Command Line.

    Chapter 10, Check Point QoS FAQ (Frequently Asked Questions), is a compilation of frequently asked questions and their answers.

    Appendix A, Debug Flags, is a list of debugging error codes.

    What is Quality of Service

    Quality of Service (QoS) is a set of intelligent network protocols and services that are used to efficiently manage the movement of information through local or wide area networks. QoS services sort and classify flows into different traffic classes, and allocate resources to network traffic flows based on user or application ID, source or destination IP address, time of day, application-specific parameters, and other user-specified variables.

    Fundamentally, QoS enables you to provide better service to certain flows. This is done either by raising the priority of a flow or by limiting the priority of another flow.

    Internet Bandwidth Management Technologies

    In This Section

    Overview page 12
    Superior QoS Solution Requirements page 13
    Benefits of a Policy-Based Solution page 13

    Overview

    When you connect your network to the Internet, it is most important to make efficient use of the available bandwidth. An effective bandwidth management policy ensures that even at times of network congestion, bandwidth is allocated in accordance with enterprise priorities.

    In the past, network bandwidth problems have been addressed either by adding more bandwidth (an expensive and usually short-term solution) or by router queuing, which is ineffective for complex modern Internet protocols.


    Superior QoS Solution Requirements

    In order to provide effective bandwidth management, a bandwidth management tool must track and control the flow of communication passing through, based on information derived from all communication layers and from other applications.

    An effective bandwidth management tool must address all of the following issues:

    Fair Prioritization

    It is not sufficient to simply prioritize communications, for example, to specify a higher priority for HTTP than for SMTP. The result may well be that all bandwidth resources are allocated to one service and none to another. A bandwidth management tool must be able to divide the available resources so that more important services are allocated more bandwidth, but all services are allocated some bandwidth.

    Minimum Bandwidth

    A bandwidth management tool must be able to guarantee a service's minimum required bandwidth. It must also be able to allocate bandwidth preferentially, for example, to move a company's video conference to the head of the line in preference to all other Internet traffic.

    Classification

    A bandwidth management tool must be able to accurately classify communications. However, simply examining a packet in isolation does not provide all the information needed to make an informed decision. State information derived from past communications and other applications is also required. A packet's contents, the communication state and the application state (derived from other applications) must all be considered when making control decisions.

    Benefits of a Policy-Based Solution

    Based on the principles discussed in the previous section, there are basically three ways to improve the existing best-effort service that enterprise networks and ISPs deliver today:

    - Add more bandwidth to the network.
    - Prioritize network traffic at the edges of the network.
    - Guarantee QoS by enforcing a set of policies that are based on business priorities (policy-based network management) throughout the network.

    Of these, only policy-based network management provides a comprehensive QoS solution by:

    - Using policies to determine the level of service that applications or customers need.
    - Prioritizing network requests.
    - Guaranteeing levels of service.

    How Does Check Point Deliver QoS

    Check Point QoS (previously called FloodGate-1), a policy-based QoS management solution from Check Point Software Technologies Ltd., satisfies your needs for a bandwidth management solution. Check Point QoS is a unique, software-only application that manages traffic end-to-end across networks, by distributing enforcement throughout network hardware and software.

    Check Point QoS enables you to prioritize business-critical traffic, such as ERP, database and Web services traffic, over less time-critical traffic. Check Point QoS allows you to guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing. With highly granular controls, Check Point QoS also enables guaranteed or priority access to specific employees, even if they are remotely accessing network resources through a VPN tunnel.

    Check Point QoS is deployed with VPN-1 Pro. These integrated solutions provide QoS for both VPN and unencrypted traffic to maximize the benefit of a secure, reliable, low-cost VPN network.

    FIGURE 1-1 Check Point QoS Deployment

    Check Point QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check Point-patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic. This state information is used to classify traffic by service or application. After a packet has been classified, Check Point QoS applies QoS to the packet by means of an innovative, hierarchical, Weighted Fair Queuing (WFQ) algorithm to precisely control bandwidth allocation.

    Features and Benefits

    Check Point QoS provides the following features and benefits:

    - Flexible QoS policies with weights, limits and guarantees: Check Point QoS enables you to develop basic policies specific to your requirements. These basic policies can be modified at any time to incorporate any of the Advanced Check Point QoS features described in this section.
    - Integration with VPN-1 Pro or VPN-1 Net: Optimize network performance for VPN and unencrypted traffic. The integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration.
    - Performance analysis through SmartView Tracker: monitor the performance of your system by means of log entries recorded in SmartView Tracker.
    - Integrated DiffServ support: add one or more DiffServ Classes of Service to the QoS Policy Rule Base.
    - Integrated Low Latency Queuing: define special classes of service for delay-sensitive applications like voice and video in the QoS Policy Rule Base.
    - Integrated Authenticated QoS: provide QoS for end-users in dynamic IP environments, such as remote access and DHCP environments.
    - Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA protocol.
    - No need to deploy separate VPN, Firewall and QoS devices: Check Point QoS and VPN-1 Pro share a similar architecture and many core technology components, therefore users can utilize the same user-defined network objects in both solutions.
    - Proactive management of network costs: Check Point QoS's monitoring systems enable you to be proactive in managing your network and thus controlling network costs.
    - Support for end-to-end QoS for IP networks: Check Point QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.


    Traditional Check Point QoS vs. Check Point QoS Express

    Both Traditional and Express modes of Check Point QoS are included in every product installation. Express mode enables you to define basic policies quickly and easily and thus get up and running without delay. Traditional mode incorporates the more advanced features of Check Point QoS.

    You can specify whether you choose Traditional over Express or vice versa, each time you install a new policy.

    TABLE 1-1 shows a comparative table of the features of the Traditional and Express modes of Check Point QoS.

    TABLE 1-1 Check Point QoS Traditional Features vs. Check Point QoS Express Features

    Feature                                            Traditional  Express  Find out more on page...
    Weights                                            *            *        Weight on page 34
    Limits (whole rule)                                *            *        Limits on page 35
    Guarantees (whole rule)                            *            *        Guarantees on page 35
    Authenticated QoS                                  *                     Authenticated QoS on page 84
    Logging                                            *            *        Overview of Logging on page 147
    Accounting                                         *            *
    Support of platforms and HW accelerator            *            *
    High Availability and Load Sharing                 *            *
    Guarantee (Per connection)                         *                     Per Connections Guarantees on page 73
    Limit (Per connection)                             *                     Limits on page 35
    LLQ (controlling packet delay in Check Point QoS)  *                     Low Latency Queuing on page 77
    DiffServ                                           *                     Differentiated Services (DiffServ) on page 75
    Sub-rules                                          *
    Matching by URI resources                          *
    Matching by DNS string                             *
    TCP Retransmission Detection Mechanism (RDED)      *
    Matching Citrix ICA Applications                   *

    Workflow

    The following workflow shows both the basic and advanced steps that the System Administrator may follow in the installation, setup and operational procedures of Check Point QoS:

    FIGURE 1-2 Workflow Steps

    1 Verify that Check Point QoS is installed on top of VPN-1 Pro or VPN-1 Net.
    2 Start SmartDashboard. See Step 2: Starting SmartDashboard on page 44.
    3 Define the Global Properties of Check Point QoS. See Defining QoS Global Properties on page 92.
    4 Define the Check Point Gateways Network Objects. See the SmartCenter Guide.
    5 Set up the basic rules and sub-rules governing the allocation of QoS flows on the network. See Editing QoS Rule Bases on page 98. After the basic rules have been defined, you may modify these rules to add any of the more advanced features described in step 8.
    6 Implement the Rule Base. See Implementing the Rule Base on page 39.
    7 Enable log collection and monitor the system. See Enabling Log Collection on page 143.
    8 Modify the rules defined in step 4 by adding any of the following advanced features:
      - DiffServ Markings. See Working with Differentiated Services (DiffServ) on page 126.
      - Define Low Latency Queuing. See Working with Low Latency Classes on page 131.
      - Define Authenticated QoS. See Working with Authenticated QoS on page 134.
      - Define Citrix ICA Applications. See Managing QoS for Citrix ICA Applications on page 135.

    CHAPTER 2

    What's New in Check Point QoS

    In This Chapter

    What's New in Check Point QoS page 19

    What's New in Check Point QoS

    Support of Windows Groups Using Authenticated QoS

    This new feature allows QoS where the QoS module uses already defined Windows Groups. It does so by querying the UserAuthority Server. Consult the UserAuthority Guide section of the SecureAgent for more technical information.

    Citrix ICA Support

    Introducing the QoS solution for the Citrix ICA protocol:

    - Classifying all ICA applications running over Citrix through layer 7.
    - Differentiating Citrix traffic based on ICA published applications from ICA printing traffic.

    Performance Enhancements

    NGX R60 includes enhanced throughput capabilities. The maximum throughput supported by Check Point QoS (depending on the type of traffic):

    - Long UDP packets have increased: more than 1.1 Gbps in Express Mode, or up to 890 Mbps in Traditional Mode.
    - Real-world traffic has increased: up to 330 Mbps in Express Mode, or up to 255 Mbps in Traditional Mode.

    These numbers were measured on a high performance SecurePlatform server.

    Load Sharing

    We present the first QoS fault-tolerant solution for cluster load sharing that deploys a unique distributed WFQ bandwidth management technology. You can specify a unified QoS policy per virtual interface of the cluster. The resulting bandwidth allocation will be identical to that obtained by installing the same policy on a single server.

    VPN-1 Net Support

    Check Point QoS can be installed along with the VPN-1 Net product.

    CHAPTER 3

    Introduction to Check Point QoS

    In This Chapter

    Check Point QoS's Innovative Technology page 21
    Check Point QoS Architecture page 24
    Interaction with VPN-1 Pro and VPN-1 Net page 29

    Check Point QoS's Innovative Technology

    FloodGate-1 is a bandwidth management solution for Internet and Intranet gateways that enables network administrators to set bandwidth policies to solve or alleviate network problems like bandwidth congestion at network access points. The overall mix of traffic is dynamically controlled by managing bandwidth usage for entire classes of traffic, as well as individual connections. FloodGate-1 controls both inbound and outbound traffic flows.

    Network traffic can be classified by Internet service, source or destination IP address, Internet resource (for example, specific URL designators), user or traffic direction (inbound or outbound). A Check Point QoS Policy consists of rules that specify the weights, limits and guarantees that are applied to the different classifications of traffic. A rule can have multiple sub-rules, enabling an administrator to define highly granular Bandwidth Policies.

    FloodGate-1 provides its real benefits when the network lines become congested. Instead of allowing all traffic to flow arbitrarily, FloodGate-1 ensures that important traffic takes precedence over less important traffic so that the enterprise can continue to function with minimum disruption, despite network congestion. FloodGate-1 ensures that an enterprise can make the most efficient use of a congested network.

    FloodGate-1 is completely transparent to both users and applications.

    FloodGate-1 implements four innovative technologies:

    - Stateful Inspection: FloodGate-1 incorporates Check Point's patented Stateful Inspection technology to derive complete state and context information for all network traffic.
    - Intelligent Queuing Engine: The traffic information derived by the Stateful Inspection technology is used by FloodGate-1's Intelligent Queuing Engine (IQ Engine(TM)) to accurately classify traffic and place it in the proper transmission queue. The network traffic is then scheduled for transmission based on the QoS Policy. The IQ Engine includes an enhanced, hierarchical Weighted Fair Queuing (WFQ) algorithm to precisely control the allocation of available bandwidth and ensure efficient line utilization.
    - WFRED (Weighted Flow Random Early Drop): FloodGate-1 makes use of WFRED, a mechanism for managing packet buffers that is transparent to the user and requires no pre-configuration.
    - RDED (Retransmission Detection Early Drop): FloodGate-1 makes use of RDED, a mechanism for reducing the number of retransmits and retransmit storms. This Check Point mechanism drastically reduces retransmit counts, greatly improving the efficiency of the enterprise's existing lines. The increased bandwidth that FloodGate-1 makes available to important applications comes at the expense of less important (or completely unimportant) applications. As a result, purchasing more bandwidth can be significantly delayed.

    Technology Overview

    FloodGate-1's four innovative technologies are discussed in more detail in this section.

    Stateful Inspection

    Employing Stateful Inspection technology, FloodGate-1 accesses and analyzes data derived from all communication layers. This state and context data is stored and updated dynamically, providing virtual session information for tracking both connection-oriented and connectionless protocols (for example, UDP-based applications). Cumulative data from the communication and application states, network configuration and bandwidth allocation rules are used to classify communications.

    Stateful Inspection enables FloodGate-1 to parse URLs and set priority levels based on file types. For example, FloodGate-1 can identify HTTP file downloads with *.exe or *.zip extensions and allocate bandwidth accordingly.


    Intelligent Queuing Engine

    FloodGate-1 uses an enhanced WFQ algorithm to manage bandwidth allocation. A FloodGate-1 packet scheduler moves packets through a dynamically changing scheduling tree at different rates in accordance with the QoS Policy. High priority packets move through the scheduling tree more quickly than low priority packets.

    Check Point QoS leverages TCP's throttling mechanism to automatically adjust bandwidth consumption per individual connection or class of traffic. Traffic bursts are delayed and smoothed by FloodGate-1's packet scheduler, holding back the traffic and forcing the application to fit the traffic to the QoS Policy. By intelligently delaying traffic, the IQ Engine effectively controls the bandwidth of all IP traffic.

    The preemptive IQ Engine responds immediately to changing traffic conditions and guarantees that high priority traffic always takes precedence over low priority traffic. Accurate bandwidth allocation is achieved even when there are large differences in the weighted priorities (for example 50:1). In addition, since packets are always available for immediate transmission, the IQ Engine provides precise bandwidth control for both inbound and outbound traffic, and ensures 100% bandwidth utilization during periods of congestion. In Traditional mode it also uses per-connection queuing to ensure that every connection receives its fair share of bandwidth.
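The weight, guarantee and limit semantics of a hierarchical WFQ policy, worked through as an added example (this is not Check Point's scheduler, whose internals the guide does not publish): guarantees are satisfied first, the remainder is divided by weight with water-filling so that a rule capped by its limit or by its demand releases the surplus to its siblings, and a rule's share is divided the same way among its sub-rules. The policy, rule names, weights and rates are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    """A QoS rule as the policy describes it: weight, optional guarantee and limit (kbps),
    and, for leaf rules, the offered load (demand, kbps) of the traffic it matches.
    Weights must be positive."""
    name: str
    weight: int = 10
    guarantee: float = 0.0
    limit: Optional[float] = None
    demand: float = 0.0
    sub_rules: List["Rule"] = field(default_factory=list)

    def cap(self) -> float:
        """The most this rule can usefully be given: its own (or its children's) demand, bounded by its limit."""
        want = self.demand if not self.sub_rules else sum(r.cap() for r in self.sub_rules)
        return want if self.limit is None else min(want, self.limit)


def allocate(rules: List[Rule], available: float) -> Dict[str, float]:
    """Divide 'available' kbps among sibling rules, then recurse into each rule's sub-rules.

    Phase 1 satisfies guarantees; phase 2 water-fills the remainder by weight, so a rule that
    cannot use its weighted share (limit or demand reached) releases the surplus to the others."""
    share = {r.name: min(r.guarantee, r.cap()) for r in rules}
    remaining = available - sum(share.values())
    if remaining < -1e-9:
        # Policy verification in SmartDashboard would reject guarantees that exceed the line.
        raise ValueError("guarantees oversubscribe the available bandwidth")

    open_rules = [r for r in rules if r.cap() - share[r.name] > 1e-9]
    while open_rules and remaining > 1e-9:
        total_weight = sum(r.weight for r in open_rules)
        # Largest per-weight increment that keeps every open rule within its cap.
        step = min(min((r.cap() - share[r.name]) / r.weight for r in open_rules),
                   remaining / total_weight)
        for r in open_rules:
            share[r.name] += step * r.weight
        remaining -= step * total_weight
        open_rules = [r for r in open_rules if r.cap() - share[r.name] > 1e-9]

    result: Dict[str, float] = {}
    for r in rules:
        result[r.name] = round(share[r.name], 3)
        if r.sub_rules:  # hierarchical WFQ: the sub-rules divide their parent's share
            result.update(allocate(r.sub_rules, share[r.name]))
    return result


def sample_policy() -> List[Rule]:
    """Constructed policy for a 1000 kbps line: Web (with sub-rules), Mail, VoIP, Default."""
    return [
        Rule("Web", weight=30, sub_rules=[
            Rule("Web/HTTP", weight=20, demand=600),
            Rule("Web/Downloads", weight=5, limit=100, demand=400),
        ]),
        Rule("Mail", weight=10, demand=500),
        Rule("VoIP", weight=10, guarantee=200, limit=250, demand=300),
        Rule("Default", weight=10, demand=1000),
    ]


if __name__ == "__main__":
    for name, kbps in allocate(sample_policy(), 1000).items():
        print(f"{name:14s} {kbps:8.1f} kbps")
```

With the sample policy, VoIP gets its 200 kbps guarantee plus weighted growth up to its 250 kbps limit, and the 750 kbps it cannot use is split 3:1:1 among Web, Mail and Default.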

    WFRED (Weighted Flow Random Early Drop)

    WFRED is a mechanism for managing the packet buffers of FloodGate-1. WFRED does not need any preconfiguring. It adjusts automatically and dynamically to the situation and is transparent to the user.

    Because the connection of a LAN to the WAN creates a bottleneck, packets that arrive from the LAN are queued before being retransmitted to the WAN. When traffic in the LAN is very intense, queues may become full and packets may be dropped arbitrarily. Dropped packets may reduce the throughput of TCP connections, and the quality of streaming media.

    WFRED prevents FloodGate-1's buffers from being filled by sensing when traffic becomes intense and dropping packets selectively. The mechanism considers every connection separately, and drops packets according to the connection characteristics and overall state of the buffer.

    Unlike mechanisms such as RED/WRED, which rely on the TOS byte in the IP header (which is seldom used), WFRED queries FloodGate-1 as to the priority of the connection, and then uses this information. WFRED protects fragile connections from more aggressive ones, whether they are TCP or UDP, and always leaves some buffer space for new connections to open.
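A constructed model of the buffer behaviour just described, added here as an example (it is not Check Point's WFRED algorithm, which the guide does not specify): once occupancy crosses a congestion threshold, each connection may only hold its QoS-weight share of the usable buffer, a connection with nothing queued yet is still allowed to open, and the reserve keeps room for newcomers. Connection tuples, weights and buffer sizes are constructed.

```python
from collections import defaultdict
from typing import Dict, Tuple

Conn = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port); sample values are constructed


class WfredBuffer:
    """Shared transmit buffer. Below the congestion threshold every packet is accepted. Above it,
    a connection may only hold its weight's share of the usable buffer (capacity minus a reserve),
    computed among the connections currently holding packets; a connection with nothing queued yet
    is always allowed to open. Aggressive flows therefore lose packets first, higher-weight fragile
    flows keep getting through, and space for new connections is kept."""

    def __init__(self, capacity: int, reserve: int, threshold: float = 0.75) -> None:
        self.capacity = capacity        # packets the buffer can hold
        self.reserve = reserve          # slots excluded from fair shares, so they stay free for newcomers
        self.threshold = threshold      # fraction of capacity at which selective dropping starts
        self.queued: Dict[Conn, int] = defaultdict(int)   # packets currently queued per connection
        self.weight: Dict[Conn, int] = {}                 # QoS weight of the rule matching each connection
        self.dropped: Dict[Conn, int] = defaultdict(int)

    def occupancy(self) -> int:
        return sum(self.queued.values())

    def fair_share(self, conn: Conn) -> float:
        """Slots 'conn' may hold: its weight's share of (capacity - reserve) among active connections."""
        active = {c for c, n in self.queued.items() if n > 0} | {conn}
        total = sum(self.weight[c] for c in active)
        return (self.capacity - self.reserve) * self.weight[conn] / total

    def admit(self, conn: Conn, weight: int) -> bool:
        """Accept (True) or drop (False) one packet of 'conn'; 'weight' comes from the matching QoS rule."""
        self.weight[conn] = weight
        used = self.occupancy()
        if used >= self.capacity:                          # hard full: nothing can be queued
            self.dropped[conn] += 1
            return False
        if used < self.threshold * self.capacity:          # no congestion: accept everything
            self.queued[conn] += 1
            return True
        if self.queued[conn] == 0:                         # congested, but a new connection may still open
            self.queued[conn] += 1
            return True
        if self.queued[conn] + 1 > self.fair_share(conn):  # over its weighted share: selective drop
            self.dropped[conn] += 1
            return False
        self.queued[conn] += 1
        return True

    def dequeue(self, conn: Conn) -> None:
        """One packet of 'conn' was transmitted on the WAN line."""
        if self.queued[conn] > 0:
            self.queued[conn] -= 1


def simulate_wfred() -> Dict[str, int]:
    """Constructed trace: an aggressive bulk download (weight 10) floods a 100-packet buffer while a
    VoIP connection (weight 30) opens. Returns per-connection accepted/dropped counts."""
    buf = WfredBuffer(capacity=100, reserve=10)
    bulk: Conn = ("10.1.1.5", 40000, "203.0.113.9", 80)
    voip: Conn = ("10.1.1.7", 5060, "203.0.113.20", 5060)
    accepted: Dict[Conn, int] = defaultdict(int)

    def offer(conn: Conn, weight: int, packets: int) -> None:
        for _ in range(packets):
            if buf.admit(conn, weight):
                accepted[conn] += 1

    offer(bulk, 10, 100)   # alone, it may hold the whole usable buffer (90 slots); the rest are dropped
    offer(voip, 30, 5)     # opens into the reserve and stays far below its share (90 * 30/40 = 67.5)
    offer(bulk, 10, 5)     # bulk is now well over its share (90 * 10/40 = 22.5): dropped
    for _ in range(5):
        buf.dequeue(bulk)  # the line drains some bulk packets
    offer(voip, 30, 5)     # the fragile connection keeps getting through
    offer(bulk, 10, 5)     # the aggressive one is still over its share
    return {"bulk_accepted": accepted[bulk], "bulk_dropped": buf.dropped[bulk],
            "voip_accepted": accepted[voip], "voip_dropped": buf.dropped[voip]}
```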


    RDED (Retransmit Detect Early Drop)

    TCP exhibits extreme inefficiency under certain bandwidth and latency conditions. For example, the bottleneck that results from the connection of a LAN to the WAN causes TCP to retransmit packets. RDED prevents inefficiencies by detecting retransmits in TCP streams and preventing the transmission of redundant packets when multiple copies of a packet are concurrently queued on the same flow. The result is a dramatic reduction of retransmit counts and positive feedback retransmit loops. Implementing RDED requires the combination of intelligent queuing and full reconstruction of TCP streams, capabilities that exist together only in FloodGate-1.
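The redundant-copy detection described above, as an added example (not FloodGate-1's implementation): a per-flow transmit queue that drops a TCP data segment whose byte range is already waiting in the same flow's queue, while still forwarding a retransmit whose original has already left the queue. Flow tuples and sequence numbers are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port); sample values are constructed


@dataclass(frozen=True)
class Segment:
    flow: Flow
    seq: int      # TCP sequence number of the first payload byte
    length: int   # payload bytes (0 for a pure ACK)

    @property
    def end(self) -> int:
        return self.seq + self.length


class RdedQueue:
    """Per-flow transmit queue at the LAN/WAN bottleneck. A data segment whose byte range is already
    waiting in the same flow's queue is a redundant retransmit and is dropped before it consumes
    line bandwidth. A retransmit arriving after the original has left the queue is forwarded, since
    the original may have been lost downstream. Sequence-number wrap-around is ignored for brevity."""

    def __init__(self) -> None:
        self.queues: Dict[Flow, Deque[Segment]] = defaultdict(deque)
        self.redundant_dropped = 0

    def _already_queued(self, seg: Segment) -> bool:
        # Redundant if a queued data segment of the same flow covers seg's whole byte range.
        return any(q.length and q.seq <= seg.seq and seg.end <= q.end
                   for q in self.queues[seg.flow])

    def enqueue(self, seg: Segment) -> bool:
        """Queue the segment for transmission; False means it was dropped as a redundant copy."""
        if seg.length and self._already_queued(seg):
            self.redundant_dropped += 1
            return False
        self.queues[seg.flow].append(seg)
        return True

    def dequeue(self, flow: Flow) -> Optional[Segment]:
        """The scheduler transmits the oldest queued segment of 'flow'."""
        q = self.queues[flow]
        return q.popleft() if q else None


def simulate_retransmit_burst() -> Tuple[int, int]:
    """Constructed trace: a sender's retransmission timer fires while its whole window is still queued
    at the congested bottleneck. Returns (segments queued for transmission, redundant copies dropped)."""
    flow: Flow = ("10.1.1.5", 40000, "203.0.113.9", 80)
    other: Flow = ("10.1.1.6", 40001, "203.0.113.9", 80)
    q = RdedQueue()
    forwarded = 0

    def offer(seg: Segment) -> None:
        nonlocal forwarded
        if q.enqueue(seg):
            forwarded += 1

    for seq in (1000, 2000, 3000):          # original window: three 1000-byte segments
        offer(Segment(flow, seq, 1000))
    for seq in (1000, 2000, 3000):          # RTO fires: the same window again, all still queued -> dropped
        offer(Segment(flow, seq, 1000))
    offer(Segment(flow, 1000, 0))           # pure ACK: never suppressed
    offer(Segment(other, 1000, 1000))       # same sequence numbers on another flow: not redundant
    q.dequeue(flow)                         # bytes 1000-1999 go out on the line...
    offer(Segment(flow, 1000, 1000))        # ...and are retransmitted once more: no copy queued, forwarded
    offer(Segment(flow, 2500, 200))         # partial retransmit inside queued bytes 2000-2999: dropped
    return forwarded, q.redundant_dropped
```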

    Check Point QoS Architecture

    In This Section

    Basic Architecture page 24
    Check Point QoS Configuration page 27
    Concurrent Sessions page 29

    Basic Architecture

    The architecture and flow control of Check Point QoS is similar to Firewall. Check Point QoS has three components:

    - SmartConsole
    - SmartCenter Server
    - Module

    The components can be installed on one machine or in a distributed configuration on a number of machines.

    Bandwidth policy is created using SmartDashboard. The policy is downloaded to the SmartCenter Server where it is verified and downloaded to the QoS Modules using CPD (Check Point Daemon), which is run on the module and the SmartCenter Server.

    The QoS module uses the Firewall chaining mechanism (see below) to receive, process and send packets. QoS uses a proprietary classifying and rule-matching infrastructure to examine a packet. Logging information is provided using the Firewall kernel API.

    QoS Module

    The major role of the QoS module is to implement a QoS policy at network access points and control the flow of inbound and outbound traffic. It includes two main parts:

    - QoS kernel driver
    - QoS daemon

    QoS Kernel Driver

    The kernel driver is the heart of QoS operations. It is in the kernel driver that IP packets are examined, queued, scheduled and released, enabling QoS traffic control abilities. Utilizing Firewall kernel module services, QoS functionality is a part of the cookie chain, a Check Point infrastructure mechanism that allows modules to operate on each packet as it travels from the link layer (the machine's network card driver) to the network layer (its IP stack), or vice versa.

    QoS Daemon (fgd50)

    The QoS daemon is a user mode process used to perform tasks that are difficult for the kernel. It currently performs two tasks for the kernel (using Traps):

    - Resolving DNS for the kernel (used for Rule Base matching).
    - Resolving Authenticated Data for an IP (using UserAuthority - again for Rule Base matching).

    In a CPLS configuration, the daemon updates the kernel of any change in the cluster status. For example, if a cluster member goes down the daemon recalculates the relative loads of the modules and updates the kernel.

    QoS SmartCenter Server

    The QoS SmartCenter Server is an add-on to the SmartCenter Server (fwm). The SmartCenter Server, which is controlled by Check Point SmartConsole clients, provides general services to Check Point QoS and is capable of issuing QoS functions by running QoS command line utilities. It is used to configure the bandwidth policy and control QoS modules. A single SmartCenter Server can control multiple QoS modules running either on the same machine as the SmartCenter Server or on remote machines. The SmartCenter Server also manages the Check Point Log Repository and acts as a log server for the SmartView Tracker. The SmartCenter Server is a user mode process that communicates with the module using CPD.


    QoS SmartConsole

    The main SmartConsole application is Check Point SmartDashboard. By creating "bandwidth rules" the SmartDashboard allows system administrators to define a network QoS policy to be enforced by Check Point QoS.

    Other SmartConsole clients are the SmartView Tracker, a log entries browser, and SmartView Status, which displays status information about active QoS modules and their policies.

    FIGURE 3-1 Basic Architecture - Check Point QoS Components

    Check Point QoS in SmartDashboard

    Check Point SmartDashboard is used to create and modify the QoS Policy and define the network objects and services. If both VPN-1 Pro and Check Point QoS are licensed, they each have a tab in SmartDashboard.

    FIGURE 3-2 QoS Rules in SmartDashboard

    The QoS Policy rules are displayed in both the SmartDashboard Rule Base, on the right side of the window, and the QoS tree, on the left (see FIGURE 3-2).

    Check Point QoS Configuration

    The SmartCenter Server and the QoS Module can be installed on the same machine or on two different machines. When they are installed on different machines, the configuration is known as distributed (see FIGURE 3-3).

    FIGURE 3-3 Distributed FloodGate-1 Configuration

    FIGURE 3-3 shows a distributed configuration, in which one SmartCenter Server (consisting of a SmartCenter Server and a SmartConsole) controls four QoS Modules, which in turn manage bandwidth allocation on three FloodGated lines.

    A single SmartCenter Server can control and monitor multiple QoS Modules. The QoS Module operates independently of the SmartCenter Server. QoS Modules can operate on additional Internet gateways and interdepartmental gateways.

    Client/Server Interaction

    The SmartConsole and the SmartCenter Server can be installed on the same machine or on two different machines. When they are installed on two different machines, FloodGate-1 implements the Client/Server model, in which a SmartConsole controls a SmartCenter Server running on another workstation.

    FIGURE 3-4 QoS Client/Server Configuration

    In the configuration depicted in FIGURE 3-4, the functionality of the SmartCenter Server is divided between two workstations (Tower and Bridge). The SmartCenter Server, including the database, is on Tower. The SmartConsole is on Bridge. The user, working on Bridge, maintains the QoS Policy and database, which reside on Tower. The QoS Module on London enforces the QoS Policy on the FloodGated line.

    The SmartCenter Server is started with the cpstart command, and must be running if you wish to use the SmartConsole on one of the client machines.

    A SmartConsole can manage the Server (that is, run the SmartConsole to communicate with a SmartCenter Server) only if both the administrator running the SmartConsole and the machine on which the SmartConsole is running have been authorized to access the SmartCenter Server. In practice, this means that the following conditions must be met:

    - The machine on which the Client is running is listed in the $FWDIR/conf/gui-clients file. You can add or delete SmartConsoles using the Check Point configuration application (cpconfig).
    - The administrator (user) running the GUI has been defined for the SmartCenter Server. You can add or delete administrators using the Check Point configuration application (cpconfig).

    Concurrent Sessions

    In order to prevent more than one administrator from modifying a QoS Policy at the same time, FloodGate-1 implements a locking mechanism. All but one open policy is Read Only.

    Interaction with VPN-1 Pro and VPN-1 Net

    In This Section

    Interoperability page 29

    Interoperability

    FloodGate-1 must be installed together with VPN-1 Pro or VPN-1 Net on the same system. FloodGate-1 is installed on top of VPN-1 Pro or VPN-1 Net. Because FloodGate-1 and VPN-1 Pro or VPN-1 Net share a similar architecture and many core technology components, users can utilize the same user-defined network objects in both solutions. This integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration. Both products can also share state table information, which provides efficient traffic inspection and enhanced product performance. FloodGate-1's tight integration with VPN-1 Pro or VPN-1 Net provides the unique ability to enable users that deploy the solutions in tandem to define bandwidth allocation rules for encrypted and network-address-translated traffic.

    SmartCenter Server

    If FloodGate-1 is installed on a machine on which VPN-1 Pro or VPN-1 Net is also installed, FloodGate-1 uses the VPN-1 Pro or VPN-1 Net SmartCenter Server and shares the same objects database (network objects, services and resources) with VPN-1 Pro or VPN-1 Net. Some types of objects have properties which are product specific. For example, a VPN-1 Pro has encryption properties which are not relevant to FloodGate-1, and a FloodGate-1 network interface has speed properties which are not relevant to VPN-1 Pro.

    CHAPTER 4

    Basic QoS Policy Management

    In This Chapter

    Overview page 31
    Rule Base Management page 31
    Implementing the Rule Base page 39

    Overview

    This chapter describes the basic QoS policy management that is required to enable you to define and implement a working QoS Rule Base. More advanced QoS policy management features are discussed in Chapter 6, Advanced QoS Policy Management.

    Rule Base Management

    In This Section

    Overview page 32
    Connection Classification page 33
    Network Objects page 33
    Services and Resources page 34
    Time Objects page 34
    Bandwidth Allocation and Rules page 34
    Default Rule page 35

    Overview

    QoS policy is implemented by defining an ordered set of rules in the Rule Base. The

    Rule Base specifies what actions are to be taken with the data packets. It specifies the

    source and destination of the communication, what services can be used, and at what

    times, whether to log the connection and the logging level.

    The Rule Base comprises the rules you create and a default rule (see Default Rule

    page 35). The default rule is automatically created with the Rule Base. It can be

    modified but cannot be deleted. The fundamental concept of the Rule Base is that

    unless other rules apply, the default rule is applied to all data packets. The default rule

    is therefore always the last rule in the Rule Base.

    A very important aspect of Rule Base management is reviewing SmartView Tracker

    traffic logs and particular attention should be paid to this aspect of management.Check Point QoS works by inspecting packets in a sequential manner. When Check

    Point QoS receives a packet belonging to a connection, it compares it against the first

    rule in the Rule Base, then the second, then the third, and so on. When it finds a rule

    that matches, it stops checking and applies that rule. If the matching rule has sub-rules

    the packets are then compared against the first sub-rule, then the second and so on until

    it finds a match. If the packet goes through all the rules or sub-rules without finding a

    match, then the default rule or default sub-rule is applied. It is important to understandthat the first rule that matches is applied to the packet, not the rule that best matches.

    After you have defined your network objects, services and resources, you can use them

    in building a Rule Base. For installation instructions and instructions on building a

    Rule Base, see Editing QoS Rule Bases on page 98.

    The QoS Policy Rule Base concept is similar to the Security Policy Rule Base. General

    information about Policy Rule Bases can be found in the SmartCenterGuide.

    QoS Action Properties page 36

    Example of a Rule Matching VPN Traffic page 37

    Bandwidth Allocation and Sub-Rules page 37

    Connection Classification

    FIGURE 4-1 SmartDashboard Rule Base Window

    Connection Classification

    A connection is classified according to four criteria:

    Source: A set of network objects, including specific computers, entire networks, user groups or domains.
    Destination: A set of network objects, including specific computers, entire networks or domains.
    Service: A set of IP services, TCP, UDP, ICMP or URLs.
    Time: Specified days or time periods.

    Network Objects

    Network objects serve as the sources and destinations that are defined in QoS Policy rules. The network objects that can be used in FloodGate-1 rules include workstations, networks, domains, and groups.

    Information about network objects can be found in the SmartCenter Guide.

    User Groups

    Check Point QoS allows you to define User Groups that are comprised of predefined users. For example, all the users in the marketing department can be grouped together in a User Group called Marketing. When defining a Source in a rule you can then use this group as a possible Source, instead of adding individual users to the Source of the rule.

    Note - It is best to organize lists of objects (network objects and services) in groups rather than in long lists. Using groups gives you a better overview of your QoS Policy and leads to a more readable Rule Base. In addition, objects added to groups are automatically included in the rules.
    Services and Resources

    FloodGate-1 allows you to define QoS rules not only based on the source and destination of each communication, but also according to the service requested. The services that can be used in FloodGate-1 rules include TCP, Compound TCP, UDP, ICMP and Citrix TCP services, and IP services.

    Resources can also be used in a FloodGate-1 Rule Base. They must be of type URI for QoS.

    Time Objects

    Check Point QoS allows you to define Time objects that are used in defining the time that a rule is operational. Time objects can be defined for specific times and/or for specific days. The days can further be divided into days of the month or specific days of the week.

    Bandwidth Allocation and Rules

    A rule can specify three factors to be applied to bandwidth allocation for classified connections:

    Weight

    Weight is the relative portion of the available bandwidth that is allocated to a rule.

    To calculate what portion of the bandwidth the connections matched to a rule receive, use the following formula:

    this rule's portion = this rule's weight / total weight of all rules with open connections

    For example, if this rule's weight is 12 and the total weight of all the rules under which connections are currently open is 120, then all the connections open under this rule are allocated 12/120 (or 10%) of the available bandwidth.

    In practice, a rule may get more than the bandwidth allocated by this formula, if other rules are not using their maximum allocated bandwidth.

    Unless a per connection limit or guarantee is defined for a rule, all connections under a rule receive equal weight.

    Allocating bandwidth according to weights ensures full utilization of the line even if a specific class is not using all of its bandwidth. In such a case, the left over bandwidth is divided among the remaining classes in accordance with their relative weights. Units are configurable; see Defining QoS Global Properties on page 92.

    Guarantees

    A guarantee allocates a minimum bandwidth to the connections matched with a rule. Guarantees can be defined for:

    the sum of all connections within a rule
    A total rule guarantee reserves a minimum bandwidth for all the connections under a rule combined. The actual bandwidth allocated to each connection depends on the number of open connections that match the rule. The total bandwidth allocated to the rule can be no less than the guarantee, but the more connections that are open, the less bandwidth each one receives.

    individual connections within a rule
    A per connection guarantee means that each connection that matches the particular rule is guaranteed a minimum bandwidth.

    Although weights do in fact guarantee the bandwidth share for specific connections, only a guarantee allows you to specify an absolute bandwidth value.

    Limits

    A limit specifies the maximum bandwidth that is assigned to all the connections together. A limit defines a point beyond which connections under a rule are not allocated bandwidth, even if there is unused bandwidth available.

    Limits can also be defined for the sum of all connections within a rule or for individual connections within a rule.

    For more information on weights, guarantees and limits, see Action Type on page 36.
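As an added illustration (not Check Point's own scheduling code), the following Python model combines the weight formula above with a rule guarantee and a rule limit for a set of flat rules that all have open connections. The rule names, the 1000 KBps link and the demands are constructed for the example, and the order "reserve guarantees first, then split the remainder by weight and re-split any surplus" is this example's simplification.

```python
"""Added illustration (not Check Point's scheduler): a simplified model of
how weight, rule guarantee and rule limit combine when dividing a link's
bandwidth between rules that currently have open connections.

Assumptions of this example: flat rules (no sub-rules), one bandwidth unit
(KBps), each rule's open connections presenting an aggregate demand, and
guarantees that together fit within the link capacity.
"""
from dataclasses import dataclass
from math import inf
from typing import Dict, List


@dataclass
class RuleAction:
    name: str
    weight: float
    demand: float = inf      # what the rule's open connections could use
    guarantee: float = 0.0   # minimum reserved for the rule (Rule Guarantee)
    limit: float = inf       # ceiling even when the line is idle (Rule Limit)

    def wants(self) -> float:
        """Usable demand: the limit caps it no matter how much is free."""
        return min(self.demand, self.limit)


def allocate(rules: List[RuleAction], capacity: float) -> Dict[str, float]:
    """Divide `capacity` among `rules` (all assumed to have open connections).

    1. Guarantees are reserved first (never more than the rule can use).
    2. The remainder is split by weight: portion = weight / total weight of
       the rules still wanting bandwidth.  A rule that cannot use its portion
       releases the surplus, which is re-split among the others in proportion
       to their weights (the "left over bandwidth" behaviour described above).
    """
    alloc = {r.name: 0.0 for r in rules}
    for r in rules:
        reserved = min(r.guarantee, r.wants(), capacity)
        alloc[r.name] += reserved
        capacity -= reserved
    active = [r for r in rules if r.wants() - alloc[r.name] > 1e-9]
    while active and capacity > 1e-9:
        total_weight = sum(r.weight for r in active)
        spare, still_active = capacity, []
        for r in active:
            portion = spare * r.weight / total_weight
            room = r.wants() - alloc[r.name]
            take = min(portion, room)
            alloc[r.name] += take
            capacity -= take
            if room - take > 1e-9:
                still_active.append(r)
        active = still_active
    return alloc


# Constructed scenarios on a 1000 KBps link, mirroring the 12/120 example
# above: rule "Twelve" holds weight 12 of a total weight of 120.
LINK_KBPS = 1000.0
SATURATED = [RuleAction("Twelve", 12), RuleAction("FortyEight", 48),
             RuleAction("Sixty", 60)]
# Same weights, but "Twelve" can only use 50 KBps; its unused share is
# redistributed 48:60 between the other two rules.
PARTIAL = [RuleAction("Twelve", 12, demand=50), RuleAction("FortyEight", 48),
           RuleAction("Sixty", 60)]
# A light-weight rule with a 300 KBps guarantee next to a heavy rule capped
# at 500 KBps: the limit holds even though bandwidth is left on the line.
GUARD = [RuleAction("Guaranteed", 10, guarantee=300),
         RuleAction("Capped", 90, limit=500)]

if __name__ == "__main__":
    for label, rules in (("saturated", SATURATED), ("partial", PARTIAL),
                         ("guarantee+limit", GUARD)):
        print(label, {k: round(v, 2) for k, v in allocate(rules, LINK_KBPS).items()})
```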

    Default Rule

    A default rule is automatically added to each QoS Policy Rule Base, and assigned the weight specified in the QoS (FloodGate-1) page of the Global Properties window. You can modify the weight, but you cannot delete the default rule (see Weight on page 34).

    The default rule applies to all connections not matched by the other rules or sub-rules in the Rule Base.

    Note - Bandwidth allocation is not fixed. As connections are opened and closed, FloodGate-1 continuously changes the bandwidth allocation to accommodate competing connections, in accordance with the QoS Policy.

    In addition, a default rule is automatically added to each group of sub-rules, and applies to connections not classified by the other sub-rules in the group (see To Verify and View the QoS Policy on page 39).

    QoS Action Properties

    The restrictions on bandwidth for connections to which a rule applies are defined in the QoS Action Properties window.

    Action Type

    By this stage, you should already have decided whether your policy is Traditional mode or Express mode; see Traditional Check Point QoS vs. Check Point QoS Express on page 16.

    You can select one of the following Action Types:

    Simple
    Advanced

    TABLE 4-1 shows which Action Types you can select in Traditional or Express modes.

    TABLE 4-1 Action Types Available

    Action Type   Traditional Mode   Express Mode
    Simple        Yes                Yes
    Advanced      Yes                No

    Simple

    The following actions are available:

    Apply rule to encrypted traffic only
    Rule weight
    Rule limit
    Rule guarantee

    Advanced

    The same actions that are available in Simple mode are available in Advanced mode, with the addition of the following:

    Per connection limit
    Per rule guarantee
    Per connection guarantee
    Number of permanent connections
    Accept additional connections

    Example of a Rule Matching VPN Traffic

    VPN traffic is traffic that is encrypted in the same gateway by Check Point VPN. VPN traffic does not refer to traffic that was encrypted by a non-Check Point product prior to arriving at this gateway. This type of traffic can be matched using the IPSec service.

    When Apply rule only to encrypted traffic is checked in the QoS Action Properties window, only VPN traffic is matched to the rule. If this field is not checked, all types of traffic (both VPN and non-VPN) are matched to the rule.

    Use the Apply rule only to encrypted traffic field to build a Rule Base in which you define QoS actions for VPN traffic which are different than the actions that are applied to non-VPN traffic. Since Check Point QoS uses the First Rule Match concept, the VPN traffic rules should be defined as the top rules in the Rule Base. Below them, rules which apply to all types of traffic should be defined. Other types of traffic skip the top rules and match one of the non-VPN rules defined below the VPN traffic rules. In order to completely separate VPN traffic from non-VPN traffic, define the following rule at the top of the QoS Rule Base:

    TABLE 4-2 VPN Traffic Rule

    Name       Source   Dest   Service   Action
    VPN rule   Any      Any    Any       VPN Encrypt, and other configured actions

    All the VPN traffic is matched to this rule. The rules following this VPN Traffic Rule are then matched only by non-VPN traffic. You can define sub-rules below the VPN Traffic rule that classify the VPN traffic more granularly.

    Bandwidth Allocation and Sub-Rules

    When a connection is matched to a rule with sub-rules, a further match is sought among the sub-rules. If none of the sub-rules apply, the default rule for the specific group of sub-rules is applied (see Default Rule on page 35).

    Sub-rules can be nested, meaning that sub-rules themselves can have sub-rules. The same rules then apply to the nested sub-rules. If the connection matches a sub-rule that has sub-rules itself, a further match is sought among the nested sub-rules. Again, if none of the sub-rules apply, the default rule for the specific group of sub-rules is applied.
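To make the first-match, sub-rule and default-rule behaviour concrete, here is an added Python model (not Check Point code) of the classification walk described in the Overview and in this section, loaded with the VPN rule of TABLE 4-2 on top of the nested ftp/http rules of TABLE 4-3. The Connection and Rule types, the `encrypted` flag and the "Default rule of ..." labels are this example's own simplifications; Time objects are not modelled.

```python
"""Added illustration (not Check Point code): a first-match walk over a QoS
Rule Base with nested sub-rules and per-group default rules.

Simplifications assumed here: Source, Destination and Service are single
names or "Any"; Time objects are not modelled; VPN traffic is represented
by a Connection.encrypted flag standing in for "encrypted by this gateway".
"""
from dataclasses import dataclass, field
from typing import List

ANY = "Any"


@dataclass
class Connection:
    source: str
    destination: str
    service: str
    encrypted: bool = False  # True only for traffic the gateway itself encrypts


@dataclass
class Rule:
    name: str
    source: str = ANY
    destination: str = ANY
    service: str = ANY
    encrypted_only: bool = False  # "Apply rule only to encrypted traffic"
    sub_rules: List["Rule"] = field(default_factory=list)

    def matches(self, conn: Connection) -> bool:
        if self.encrypted_only and not conn.encrypted:
            return False
        return all(want in (ANY, have) for want, have in (
            (self.source, conn.source),
            (self.destination, conn.destination),
            (self.service, conn.service)))


def classify(rules: List[Rule], conn: Connection, group: str = "Rule Base") -> List[str]:
    """Return the chain of rule names applied to conn: the FIRST match at each
    level wins (never the best match); a match with sub-rules descends one
    level; a group with no match falls to that group's default rule."""
    for rule in rules:
        if rule.matches(conn):
            path = [rule.name]
            if rule.sub_rules:
                path += classify(rule.sub_rules, conn, group=rule.name)
            return path
    return [f"Default rule of {group}"]


# Constructed Rule Base: TABLE 4-2's VPN rule first, then TABLE 4-3's nested
# rules (bandwidth actions omitted, since only matching is modelled here).
RULE_BASE = [
    Rule("VPN rule", encrypted_only=True),
    Rule("Rule A", service="ftp", sub_rules=[
        Rule("Rule A1", source="Client-1", service="ftp", sub_rules=[
            Rule("Rule A1.1", service="ftp"),
            Rule("Rule A1.2", service="ftp"),  # never reached: A1.1 matches first
        ]),
        Rule("Rule A2", source="Client-2", service="ftp"),
    ]),
    Rule("Rule B", service="http"),
]


if __name__ == "__main__":
    samples = [
        Connection("Client-1", "Server", "ftp"),
        Connection("Client-3", "Server", "ftp"),  # falls to Rule A's default sub-rule
        Connection("Client-1", "Server", "ssh"),  # nothing matches: top-level default
        Connection("Client-1", "Server", "ftp", encrypted=True),  # VPN rule wins
    ]
    for conn in samples:
        print(f"{conn.source:9s} {conn.service:5s} enc={conn.encrypted!s:5s} -> "
              + " / ".join(classify(RULE_BASE, conn)))
```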

    Bandwidth is allocated on a top/down approach. This means that sub-rules cannot allocate more bandwidth to a matching rule than the rule in which the sub-rule is located. A nested sub-rule, therefore, cannot allocate more bandwidth than the sub-rule in which it is located.

    A Rule Guarantee must likewise always be greater than or equal to the Rule Guarantee of any sub-rule within that rule. The same applies to Rule Guarantees in sub-rules and their nested sub-rules, as shown in the following example.

    Example:

    In this example any extra bandwidth from the application of Rule A1.1 is applied to Rule A2 before it is applied to Rule A1.2.

    TABLE 4-3 Bandwidth Allocation in Nested Sub-Rules

    Rule Name   Source     Destination   Service   Action
    Rule A      Any        Any           ftp       Rule Guarantee - 100KBps, Weight 10
    Start of Sub-Rule A
    Rule A1     Client-1   Any           ftp       Rule Guarantee - 100KBps, Weight 10
    Start of Sub-Rule A1
    Rule A1.1   Any        Any           ftp       Rule Guarantee - 80KBps, Weight 10
    Rule A1.2   Any        Any           ftp       Weight 10
    End of Sub-Rule A1
    Rule A2     Client-2   Any           ftp       Weight 10
    End of Sub-Rule A
    Rule B      Any        Any           http      Weight 30

    Implementing the Rule Base

    In This Section

    To Verify and View the QoS Policy page 39
    To Install and Enforce the Policy page 39
    To Uninstall the QoS Policy page 40
    To Monitor the QoS Policy page 40

    When you have defined the desired rules, you should perform a heuristic check on the Rule Base to check that the rules are consistent. If a Rule Base fails the verification, an appropriate message is displayed.

    You must save the Policy Package before verifying. Otherwise, changes made since the last save will not be checked.

    After verifying the correctness of the Rule Base, it must be installed on the FloodGate-1 Modules that will enforce it. When you install a QoS Policy, the policy is downloaded to these QoS Modules. There must be a QoS Module running on the object which receives the QoS Policy.

    To Verify and View the QoS Policy

    1 Select Policy > Verify to perform a heuristic check on the Rule Base to check that the rules are consistent.
    2 Select Policy > View to view the generated rules as ASCII text.

    To Install and Enforce the Policy

    Perform the following steps in order to install and enforce the QoS policy:

    1 Once the rule base is complete, select Install from the Policy menu. The Install Policy window is displayed. Specify the QoS modules on which you would like to install your new QoS policy. By default, all QoS modules are already selected. (In order for an object to be a QoS module, it needs to have FloodGate-1 checked under Check Point Products in the Object Properties window.)

    The objects in the list are those that have FloodGate-1 Installed checked in their definition (see Specifying Interface QoS Properties on page 94).

    Note - The QoS Module machine and the SmartCenter module machine must be properly configured before a QoS Policy can be installed.

    You may deselect and reselect specific items, if you wish. The QoS Policy is not installed on unselected items.

    2 Click OK to install the QoS Policy on all selected hosts. The installation progress window is displayed.

    To Uninstall the QoS Policy

    You can uninstall the QoS Policy from any or all of the QoS Modules on which it is installed.

    1 Choose Uninstall from the Policy menu to remove the QoS Policy from the selected QoS Module. The Install Policy window is displayed.
    2 Deselect those QoS Modules from which you would like to uninstall the QoS policy.
    3 Click OK.

    To Monitor the QoS Policy

    Check Point SmartView Monitor allows you to monitor traffic through a floodgated interface. For more information, see the SmartView Monitor Guide.

    CHAPTER 5

    Check Point QoS Tutorial

    In This Chapter

    Introduction page 41
    Building and Installing a QoS Policy page 43
    Conclusion page 68

    Introduction

    This chapter presents a step by step guide to building and installing a QoS Policy in Check Point QoS. This tutorial is based on the network configuration shown in FIGURE 5-1 on page 42.

    This tutorial is based on a simple network configuration, but working through it will familiarize you with the many issues involved in building and installing a FloodGate-1 QoS Policy. Each step in the process is described in detail so that by the end of this tutorial you will have developed a practical knowledge of building and installing a usable QoS policy.

    The tutorial walks you through the steps involved in physically installing a network, and then introduces you to SmartDashboard and Check Point QoS, in which you configure the network and implement QoS policy.

    FIGURE 5-1 Example Network Configuration

    This example shows a typical network configuration for an organization with offices located in London, Oxford and Cambridge. The Check Point QoS Module is located in London, where the gateway to the Internet will comprise 3 interfaces. The SmartCenter Server is located at Oxford, while the SmartConsole is installed at Cambridge. Within the private local network there are the Marketing and Engineering departments. In this tutorial you are shown how a QoS policy is implemented to regulate and optimize the flow of Internet traffic to these departments.

    Building and Installing a QoS Policy

    In This Section

    Step 1: Installing Check Point Modules page 44
    Step 2: Starting SmartDashboard page 44
    Step 3: Determining QoS Policy page 48
    Step 4: Defining the Network Objects page 48
    Step 5: Defining the Services page 59
    Step 6: Creating a Rule Base page 59
    Step 7: Installing a QoS Policy page 67

    The following steps represent the workflow that must be followed in order to build and install a QoS Policy on the network shown in FIGURE 5-1. Each of these steps is then described in detail in the sections that follow:

    1 Install the appropriate Check Point Modules on each machine, as needed (see TABLE 5-1).
    2 Start SmartDashboard and display the QoS tab.
    3 Determine the type of QoS Policy you want to implement.
    4 Define the network objects to be used in the Rule Base.
    You define only those objects that are explicitly used in the Rule Base and do not have to define the entire network.
    5 Define any proprietary services used in your network.
    You do not have to define the commonly used services. These are already defined for you in FloodGate-1. In most cases, you need only specify a name for network objects and services, because Check Point QoS obtains the objects' properties from the appropriate databases (DNS, YP, hosts file).
    6 Create a new QoS Rule Base and the rules that comprise that Rule Base.
    7 Install the Rule Base on the QoS Module machine, which will enforce the QoS Policy.

    Each of these steps is described in detail in the sections that follow.

    TABLE 5-1 Check Point Modules to Install on Each Machine

    Computer    Function                                  Check Point Module to install
    London      QoS Module; the Gateway to the Internet   QoS Module, VPN-1 Pro Module (required)
    Oxford      SmartCenter Server                        SmartCenter Server, QoS Add-on
    Cambridge   SmartConsole                              SmartDashboard

    Note - In order to manage QoS modules, you need to install Check Point QoS on the SmartCenter Server as well as on the module.

    Step 1: Installing Check Point Modules

    This step describes the physical installation of the Check Point Products at the various locations in the example on page 42. In this tutorial you do not physically install the network, but you do run the QoS Module on SmartDashboard.

    Detailed installation instructions are available in the Getting Started Guide.

    Install QoS in the following sequence:

    1 Install QoS and VPN-1 Pro or VPN-1 Net modules on London.
    2 Install SmartConsole on Cambridge.
    3 Install SmartCenter Server on Oxford.
    4 On Oxford, define Cambridge as a SmartConsole.
    5 On Oxford, define the administrators who will be allowed to manage the QoS Policy.
    6 Establish a secure connection (SIC) between the SmartCenter Server at Oxford and the QoS Module at London.

    Step 2: Starting SmartDashboard

    You must start SmartDashboard in order to be able to access Check Point QoS. For the purposes of this tutorial, and although all the regular log on procedures are described in this section, you must run SmartDashboard in Demo Mode, selecting the Advanced option. This section describes how to start SmartDashboard and access its QoS tab to be able to enter and install the QoS Policy you are defining.

    To Start SmartDashboard

    1 From the Start menu, select Programs > Check Point SmartConsole R60 > SmartDashboard. The Welcome to Check Point SmartDashboard window (FIGURE 5-2) is displayed.

    FIGURE 5-2 SmartDashboard Login Window

    2 You can log in using either your:

    User Name and Password
    a Select User Name.
    b Enter your user name and password in the designated fields.

    Certificate
    a Select Certificate.
    b Select the name of your certificate file from the dropdown list.
    c You can browse for the file by clicking the browse button.
    d Enter the password you used to create the certificate in the Password field.

    3 Enter the name of the machine on which the SmartCenter Server is running. You can enter one of the following:

    A resolvable machine name
    A dotted IP address

    4 To work in local mode, check Demo Mode and select Advanced from the drop-down list.
    5 (Optional) Check Read Only if you do not wish to modify a policy.
    6 (Optional) Click More Options >> to display the Certificate Management and Advanced Options (FIGURE 5-3).

    FIGURE 5-3 SmartDashboard Login Window - More Options

    7 (Optional) Click Change Password to change the certificate password.
    8 (Optional) Check Use compressed connection to compress the connection to the SmartCenter Server.
    9 (Optional) Enter the text describing why the administrator wants to make a change in the security policy in the Session Des