
Check Point QoS Administration Guide
Version NGX R65
700726
March 2007
© 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
Contents

Preface
  Who Should Use This Guide ... 10
  Summary of Contents ... 11
    Appendices ... 11
  Related Documentation ... 12
  More Information ... 15
  Feedback ... 16

Chapter 1 Overview
  What is Quality of Service ... 18
  Internet Bandwidth Management Technologies ... 19
    Overview ... 19
    Superior QoS Solution Requirements ... 19
    Benefits of a Policy-Based Solution ... 20
  How Does Check Point Deliver QoS ... 21
  Features and Benefits ... 23
  Traditional Check Point QoS vs. Check Point QoS Express ... 24
  Workflow ... 26

Chapter 2 Introduction to Check Point QoS
  Check Point QoS’s Innovative Technology ... 30
    Technology Overview ... 31
  Check Point QoS Architecture ... 33
    Basic Architecture ... 33
    Check Point QoS Configuration ... 35
    Concurrent Sessions ... 38
  Interaction with VPN-1 Pro and VPN-1 Net ... 39
    Interoperability ... 39

Chapter 3 Basic QoS Policy Management
  Overview ... 42
  Rule Base Management ... 43
    Overview ... 43
    Connection Classification ... 44
    Network Objects ... 44
    Services and Resources ... 45
    Time Objects ... 45
    Bandwidth Allocation and Rules ... 45
    Default Rule ... 47
    QoS Action Properties ... 47
    Example of a Rule Matching VPN Traffic ... 48
    Bandwidth Allocation and Sub-Rules ... 49
  Implementing the Rule Base ... 51
    To Verify and View the QoS Policy ... 51
    To Install and Enforce the Policy ... 51
    To Uninstall the QoS Policy ... 52
    To Monitor the QoS Policy ... 52

Chapter 4 Check Point QoS Tutorial
  Introduction ... 54
  Building and Installing a QoS Policy ... 56
    Step 1: Installing Check Point Modules ... 57
    Step 2: Starting SmartDashboard ... 57
      To Start SmartDashboard ... 58
    Step 3: Determining QoS Policy ... 61
    Step 4: Defining the Network Objects ... 61
      To Define the Gateway London ... 62
      To Define the Interfaces on Gateway London ... 66
      To Define the QoS Properties for the Interfaces on Gateway London ... 72
    Step 5: Defining the Services ... 73
    Step 6: Creating a Rule Base ... 73
      To Create a New Policy Package ... 74
      To Create New Rules ... 75
      To Modify New Rules ... 76
    Step 7: Installing a QoS Policy ... 82
  Conclusion ... 84

Chapter 5 Advanced QoS Policy Management
  Overview ... 86
  Examples: Guarantees and Limits ... 87
    Per Rule Guarantees ... 87
    Per Connection Guarantees ... 90
    Limits ... 91
    Guarantee - Limit Interaction ... 91
  Differentiated Services (DiffServ) ... 93
    Overview ... 93
    DiffServ Markings for IPSec Packets ... 93
    Interaction Between DiffServ Rules and Other Rules ... 94
  Low Latency Queuing ... 95
    Overview ... 95
    Low Latency Classes ... 95
    Interaction between Low Latency and Other Rule Properties ... 100
    When to Use Low Latency Queuing ... 101
    Low Latency versus DiffServ ... 102
  Authenticated QoS ... 103
  Citrix MetaFrame Support ... 104
    Overview ... 104
    Limitations ... 105
  Load Sharing ... 106
    Overview ... 106
    Check Point QoS Cluster Infrastructure ... 107

Chapter 6 Managing Check Point QoS
  Defining QoS Global Properties ... 112
    To Modify the QoS Global Properties ... 112
  Specifying Interface QoS Properties ... 114
    To Define the Interface QoS Properties ... 114
  Editing QoS Rule Bases ... 118
    To Create a New Policy Package ... 118
    To Open an Existing Policy Package ... 119
    To Add a Rule ... 119
    To Rename a Rule ... 121
    To Copy, Cut or Paste a Rule ... 121
    To Delete a Rule ... 122
  Modifying Rules ... 123
    Modifying Sources in a Rule ... 123
    Modifying Destinations in a Rule ... 126
    Modifying Services in a Rule ... 128
    Modifying Rule Actions ... 130
    Modifying Tracking for a Rule ... 135
    Modifying Install On for a Rule ... 135
    Modifying Time in a Rule ... 138
    Adding Comments to a Rule ... 140
  Defining Sub-Rules ... 142
  Working with Differentiated Services (DiffServ) ... 144
    To Define a DiffServ Class of Service ... 145
    To Define a DiffServ Class of Service Group ... 146
    To Add QoS Class Properties for Expedited Forwarding ... 147
    To Add QoS Class Properties for Non Expedited Forwarding ... 148
  Working with Low Latency Classes ... 150
    To Implement Low Latency Queuing ... 150
    To Define Low Latency Classes of Service ... 151
    To Define Class of Service Properties for Low Latency Queuing ... 151
  Working with Authenticated QoS ... 153
    To Use Authenticated QoS ... 153
  Managing QoS for Citrix ICA Applications ... 155
    Disabling Session Sharing ... 155
    Modifying your Security Policy ... 156
    Discovering Citrix ICA Application Names ... 157
    Defining a New Citrix TCP Service ... 160
    Adding a Citrix TCP Service to a Rule (Traditional Mode Only) ... 161
    Installing the Security and QoS Policies ... 161
  Managing QoS for Citrix Printing ... 162
    Configuring a Citrix Printing Rule (Traditional Mode Only) ... 162
    Configuring Check Point QoS Topology ... 163
  Viewing the Check Point QoS Modules Status ... 164
    To Display the Status of Check Point QoS Modules Controlled by the SmartCenter Server ... 164
  Enabling Log Collection ... 165
    To Turn on QoS Logging ... 165
    To Confirm that the Rule is Marked for Logging ... 166
    To Start SmartView Tracker ... 167

Chapter 7 SmartView Tracker
  Overview of Logging ... 170
  Examples of Log Events ... 174
    Connection Reject Log ... 174
    LLQ Drop Log ... 174
    Pool Exceeded Log ... 175
  Examples of Account Statistics Logs ... 177
    General Statistics Data ... 177
    Drop Policy Statistics Data ... 178
    LLQ Statistics Data ... 178

Chapter 8 Command Line Interface
  Check Point QoS Commands ... 180
  Setup ... 181
  fgate Menu ... 182
  Control ... 183
  Monitor ... 185
  Utilities ... 187

Chapter 9 Check Point QoS FAQ (Frequently Asked Questions)
  Questions and Answers ... 190
    Introduction ... 190
    Check Point QoS Basics ... 191
    Other Check Point Products - Support and Management ... 194
    Policy Creation ... 195
    Capacity Planning ... 196
    Protocol Support ... 197
    Installation/Backward Compatibility/Licensing/Versions ... 198
    How do I? ... 198
    General Issues ... 199

Chapter 10 Deploying Check Point QoS
  Deploying Check Point QoS ... 202
    Check Point QoS Topology Restrictions ... 202
  Sample Bandwidth Allocations ... 204
    Frame Relay Network ... 204

Appendix A Debug Flags
  fw ctl debug -m FG-1 Error Codes for Check Point QoS ... 208

Index ... 217
Preface

In This Chapter
  Who Should Use This Guide  page 10
  Summary of Contents  page 11
  Related Documentation  page 12
  More Information  page 15
  Feedback  page 16
Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

This guide assumes a basic understanding of:
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).
Summary of Contents

This guide describes QoS components and contains the following chapters and appendices.

Table A-1
Chapter | Description
Chapter 1, “Overview” | presents an overview of Quality of Service and how it is delivered by Check Point QoS.
Chapter 2, “Introduction to Check Point QoS” | presents an overview of QoS, including technologies and architecture.
Chapter 3, “Basic QoS Policy Management” | describes how to manage a basic FloodGate-1 QoS Policy Rule Base.
Chapter 4, “Check Point QoS Tutorial” | is a short tutorial describing how to define a QoS Policy.
Chapter 5, “Advanced QoS Policy Management” | describes the more advanced policy management features of Check Point QoS that enable you to refine basic QoS policies.
Chapter 6, “Managing Check Point QoS” | describes how to manage QoS, including modifying and changing policies and rules.
Chapter 7, “SmartView Tracker” | describes the features and tools that are available for monitoring Check Point QoS.
Chapter 8, “Command Line Interface” | discusses how to work with Check Point QoS via the Command Line.
Chapter 9, “Check Point QoS FAQ (Frequently Asked Questions)” | a compilation of frequently asked questions and their answers.
Chapter 10, “Deploying Check Point QoS” | describes how to deploy Check Point QoS and provides sample bandwidth allocations.

Appendices

This guide contains the following appendices.

Table A-2
Appendix | Description
Appendix A, “Debug Flags” | contains a list of debugging error codes.
Related Documentation

The NGX R65 release includes the following documentation.

TABLE P-1 VPN-1 Power documentation suite
Title | Description
Internet Security Product Suite Getting Started Guide | Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
Upgrade Guide | Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
SmartCenter Administration Guide | Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints.
Firewall and SmartDefense Administration Guide | Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.
Virtual Private Networks Administration Guide | This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Eventia Reporter Administration Guide | Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
SecurePlatform™/SecurePlatform Pro Administration Guide | Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
Provider-1/SiteManager-1 Administration Guide | Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

TABLE P-2 Integrity Server documentation
Title | Description
Integrity Advanced Server Installation Guide | Explains how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Console Reference | Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
Integrity Advanced Server Administrator Guide | Explains how to manage administrators and endpoint security with Integrity Advanced Server.
Integrity Advanced Server Gateway Integration Guide | Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.
Integrity Advanced Server System Requirements | Provides information about client and server requirements.
Integrity Agent for Linux Installation and Configuration Guide | Explains how to install and configure Integrity Agent for Linux.
Integrity XML Policy Reference Guide | Provides the contents of Integrity client XML policy files.
Integrity Client Management Guide | Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.
More Information

• For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/.
• See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents
Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
Chapter 1 Overview

In This Chapter
  What is Quality of Service  page 18
  Internet Bandwidth Management Technologies  page 19
  How Does Check Point Deliver QoS  page 21
  Features and Benefits  page 23
  Traditional Check Point QoS vs. Check Point QoS Express  page 24
  Workflow  page 26
What is Quality of Service

Quality of Service (QoS) is a set of intelligent network protocols and services that are used to efficiently manage the movement of information through local or wide area networks. QoS services sort and classify flows into different traffic classes, and allocate resources to network traffic flows based on user or application ID, source or destination IP address, time of day, application-specific parameters, and other user-specified variables.

Fundamentally, QoS enables you to provide better service to certain flows. This is done either by raising the priority of a flow or by limiting the priority of another flow.
Internet Bandwidth Management Technologies

In This Section
  Overview  page 19
  Superior QoS Solution Requirements  page 19
  Benefits of a Policy-Based Solution  page 20

Overview

When you connect your network to the Internet, it is most important to make efficient use of the available bandwidth. An effective bandwidth management policy ensures that even at times of network congestion, bandwidth is allocated in accordance with enterprise priorities.

In the past, network bandwidth problems have been addressed either by adding more bandwidth (an expensive and usually short-term “solution”) or by router queuing, which is ineffective for complex modern Internet protocols.

Superior QoS Solution Requirements

In order to provide effective bandwidth management, a bandwidth management tool must track and control the flow of communication passing through it, based on information derived from all communication layers and from other applications. An effective bandwidth management tool must address all of the following issues:

• Fair Prioritization
  It is not sufficient to simply prioritize communications, for example, to specify a higher priority for HTTP than for SMTP. The result may well be that all bandwidth resources are allocated to one service and none to another. A bandwidth management tool must be able to divide the available resources so that more important services are allocated more bandwidth, but all services are allocated some bandwidth.

• Minimum Bandwidth
  A bandwidth management tool must be able to guarantee a service’s minimum required bandwidth. It must also be able to allocate bandwidth preferentially, for example, to move a company’s video conference to the “head of the line” in preference to all other Internet traffic.

• Classification
  A bandwidth management tool must be able to accurately classify communications. However, simply examining a packet in isolation does not provide all the information needed to make an informed decision. State information — derived from past communications and other applications — is also required. A packet’s contents, the communication state and the application state (derived from other applications) must all be considered when making control decisions.

Benefits of a Policy-Based Solution

Based on the principles discussed in the previous section, there are basically three ways to improve the existing best-effort service that enterprise networks and ISPs deliver today:
• Add more bandwidth to the network.
• Prioritize network traffic at the edges of the network.
• Guarantee QoS by enforcing a set of policies that are based on business priorities (policy-based network management) throughout the network.

Of these, only policy-based network management provides a comprehensive QoS solution by:
• Using policies to determine the level of service that applications or customers need.
• Prioritizing network requests.
• Guaranteeing levels of service.
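The “Fair Prioritization” and “Minimum Bandwidth” requirements above describe an allocation behaviour rather than a product feature, so the following added example makes them concrete. It is illustrative code written for this page, not Check Point QoS code or configuration: the class names, weights, guarantees and the 1000 kbps link with its demand figures are constructed assumptions. It contrasts a strict-priority allocator, which can hand every byte to the top service and starve the rest, with a weighted fair allocator that serves each class's guarantee first and then water-fills the remaining capacity by weight, redistributing the surplus of any class whose demand is already met.

```python
"""Added example: policy-based bandwidth allocation with fair sharing and guarantees.

Not Check Point QoS code. Class names, weights and kbps figures are constructed
assumptions chosen so the arithmetic is exact and easy to follow by hand.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class TrafficClass:
    name: str
    weight: int           # relative share of what is left after guarantees
    guarantee_kbps: int   # minimum the class must receive when it has demand
    demand_kbps: int      # what the class is currently trying to send


def strict_priority(classes, link_kbps):
    """Earlier classes take all they want; later classes get the leftovers.

    This is the 'HTTP before SMTP' scheme the text warns about: it can
    allocate the whole link to one service and nothing to the others.
    """
    alloc, left = {}, link_kbps
    for c in classes:
        alloc[c.name] = min(c.demand_kbps, left)
        left -= alloc[c.name]
    return alloc


def weighted_fair(classes, link_kbps):
    """Serve guarantees first, then water-fill the remainder by weight.

    A class never receives more than its demand; surplus from a class that is
    already satisfied is redistributed among the classes still competing.
    Fractions keep the arithmetic exact so the loop terminates cleanly.
    Assumes the configured guarantees fit in the link (checked up front).
    """
    if sum(c.guarantee_kbps for c in classes) > link_kbps:
        raise ValueError("guarantees exceed link capacity")
    # Step 1: every class gets its guarantee, capped at what it actually wants.
    alloc = {c.name: Fraction(min(c.guarantee_kbps, c.demand_kbps)) for c in classes}
    left = Fraction(link_kbps) - sum(alloc.values())
    active = [c for c in classes if alloc[c.name] < c.demand_kbps]
    # Step 2: share what is left by weight; repeat when a class saturates.
    while left > 0 and active:
        total_w = sum(c.weight for c in active)
        if total_w == 0:
            break  # only zero-weight classes remain; nothing more to hand out
        still_hungry, handed_out = [], Fraction(0)
        for c in active:
            room = c.demand_kbps - alloc[c.name]
            take = min(left * c.weight / total_w, room)
            alloc[c.name] += take
            handed_out += take
            if take < room:
                still_hungry.append(c)
        left -= handed_out
        active = still_hungry
    return alloc


def starved(alloc):
    """Names of classes that received nothing: the failure mode fair sharing avoids."""
    return sorted(name for name, kbps in alloc.items() if kbps == 0)


# Constructed demand snapshot on a 1000 kbps link (illustrative numbers).
LINK_KBPS = 1000
CLASSES = [
    TrafficClass("http", weight=3, guarantee_kbps=0, demand_kbps=900),
    TrafficClass("smtp", weight=1, guarantee_kbps=100, demand_kbps=200),
    TrafficClass("video_conf", weight=2, guarantee_kbps=300, demand_kbps=300),
]

if __name__ == "__main__":
    for label, allocator in (("strict priority", strict_priority), ("weighted fair", weighted_fair)):
        result = allocator(CLASSES, LINK_KBPS)
        print(f"{label:16s}", {k: int(v) for k, v in result.items()}, "starved:", starved(result))
```

With the constructed figures, strict priority gives HTTP its full 900 kbps, SMTP the remaining 100 kbps and the video conference nothing, whereas the weighted allocator first reserves 100 kbps for SMTP and 300 kbps for video, then splits the remaining 600 kbps 3:1 between HTTP and SMTP; SMTP only has room for 100 kbps more, so its 50 kbps surplus flows back to HTTP, ending at 500/200/300 with every service served and the link fully used. A production scheduler works per packet rather than on a demand snapshot, but the guarantee-then-weighted-share ordering is the same idea.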