qos - Configure the network QoS (Quality of Service)
qos bandwidth [(internal | external | auxiliary) [[(ingress | egress)] <bandwidth>]]
qos shape [(web | antivirus | file | default) [(internal | external | auxiliary) [(ingress | egress) [<qos>]]]]
qos shape [tweb [(internal | auxiliary) [(ingress | egress) [<qos>]]]]
qos shape [rweb [(internal | external) [(ingress | egress) [<qos>]]]]
qos shape [peer internal [(ingress | egress) [<qos>]]]
qos shape [router [((add | add:<rule-name> | insert:<rule-name>) <rule-name> (internal | external | auxiliary) <protocol> <src-ip>[/<mask-prefix>] <src-port> <ingress-qos> <dst-ip>[/<mask-prefix>] <dst-port> <egress-qos>) | (del <rule-name>) | raz]]
qos shape [router [move:(-|+)<rule-name> <rule-name> | move:<position> <rule-name>]]
qos borrow [(internal | external | auxiliary) [(ingress | egress) [on | off]]]
The QoS (Quality of Service) controller allows you to allocate more or less bandwidth to traffic destined to the appliance itself or just passing through it (traffic routed via the appliance). This protects your critical applications and users from being penalised by less important traffic on an overloaded network. The QoS controller is deactivated by default; to activate it, use the command mode.
The configuration is done in several stages. First, the overall bandwidth can be limited for each logical network interface, for incoming and outgoing traffic. Then the network traffic can be prioritised or shaped to limit the bandwidth used by each type of traffic. In addition, concurrent flows classified in the same type of traffic are scheduled to receive and send data equitably, so that extensive usage by some users (or machines) does not penalise others.
We distinguish the following types of traffic:
* Administration and monitoring traffic: this type of traffic has the highest priority compared to all other traffic, to ensure that the appliance always remains remotely reachable even when it is overloaded by other traffic. The QoS can't be modified for this traffic. The following traffic is classified as monitoring traffic: SSH, Web GUI, SNMP and SysLog.
* Technical low-level and basic service traffic: ARP, ICMP, VRRP, NTP and authentication traffic are classified in this type of traffic, with a limited bandwidth configured by the system. The QoS can't be modified for this type of traffic.
* Technical traffic destined to the appliance itself: the file and peer traffic types, respectively for file exchange traffic (blacklists, backup...) and for traffic with shared or HA peer appliances via the internal network interface (see the command peer to manage peer appliances).
* Web traffic treated by the appliance before being routed: the web, tweb and rweb traffic types, respectively for Web traffic of protected users (via the forwarding proxy), Web traffic of transparently protected users (via the transparent proxy) and Web traffic of protected backend Web servers (via the reverse proxy). Web traffic includes HTTP on port 80, HTTPS on port 443 and DOMAIN (for name resolution) on port 53.
* Antivirus traffic treated by the appliance (only if the antivirus is used as a service by external systems): this type of traffic is named antivirus.
* Traffic passing through the appliance that is just routed without being filtered: this type of traffic is only allowed when the router mode is activated (see the command mode to activate the router mode).
The qos command uses the terms ingress and egress respectively for traffic coming into and going out of a logical network interface. The <qos> value used in this command represents the shaping to apply to a traffic type. It may be a percentage of the total bandwidth limit configured for a logical network interface or a bandwidth value expressed in Kbps. If the <qos> value ends with the character '%' it is treated as a percentage (an integer between 1 and 100). Otherwise it is treated as a Kbps (kilobit per second) value.
The first usage form of this command allows you to define the total bandwidth limit for each logical network interface for incoming and outgoing traffic. All bandwidths are given in Kbps (Kilobit per second).
The second to fifth usage forms allow you to shape the traffic destined to the appliance itself and to allocate different bandwidths to different types of traffic. Once the global QoS settings have been defined with this command, they can be customised network by network with some other commands (access, transparent, rweb, peer). Please note that if a network is declared to have both web (forwarding) access and transparent access, the customisation made for the transparent mode (using the command transparent) takes priority over the customisation made for the web mode (using the command access web).
The sixth usage form allows you to shape the traffic that is not destined to the appliance itself but passes through it when the router mode is activated. The shaping for routed traffic is configured with rules. A <rule-name> must begin with an alphabetic character and may contain alphanumeric characters as well as the characters "_" and "-". To add a rule at the end of all rules, use the keyword add. To add a rule after a given rule, use the keyword add: followed by the name of the rule after which the new rule has to be inserted. To insert a rule before a given rule, use the keyword insert: followed by the name of the rule before which the new rule has to be inserted.
The shaping for routed traffic can be configured for every logical network interface (internal, external or auxiliary) according to the protocol used, the source IP, the source port number, the destination IP and the destination port number of the traffic. The keyword any can be used to specify an undefined protocol, IP address or port number. The default <mask-prefix> is 32 (to specify a single remote machine). Supported protocols are:
* tcp (Transmission Control Protocol)
* udp (User Datagram Protocol).
The <ingress-qos> specifies the shaping for forth traffic (from source to destination) that comes in from the given network interface, while the <egress-qos> specifies the shaping for back traffic (from destination to source) that goes out of the given network interface.
Please note that the following principles should be considered when defining a shaping rule for routed traffic, as compared to a firewall rule:
* A firewall rule is stateful while a shaping rule is not. This means that in a firewall rule the source IP is always the initiator of the communication (the client) while the destination IP is always the listener (the server). In a shaping rule the convention is that incoming traffic on a network interface goes from the source IP to the destination IP (forth traffic) while outgoing traffic goes from the destination IP to the source IP (back traffic).
* A single firewall rule can manage the security of a communication established between a source and a destination IP, while two shaping rules are required to shape a routed traffic: one shaping rule attached to a first network interface and another shaping rule attached to a second network interface.
* As NAT operations defined by a firewall rule are done after an IP packet has come into the appliance from the initiator through a network interface, traffic exchanged with the initiator through that network interface uses non-NATed IPs.
* As NAT operations defined by a firewall rule have already been done when a packet goes out to the listener through a network interface, traffic exchanged with the listener through that network interface uses NATed IPs.
Any other traffic which is not classified in one of the above traffic types is classified in the default traffic type.
Please note that when all <qos> values are expressed as percentages there is no obligation to reach a total of 100%, even if this is the recommended configuration. When a <qos> is expressed as a Kbps value, it should be less than or equal to the bandwidth limit defined for the given logical network interface. The command apply verifies the integrity of the <qos> values configured here.
The seventh usage form allows you to move a rule from one position to another in the list of shaping rules for routed traffic. To move a rule before or after another denoted rule, use the keyword move: followed by the sign - (for before) or + (for after), the rule name of the denoted rule and the rule name of the rule to move. Please note that white spaces are not allowed between the keyword move:, the sign - or + and the rule name of the denoted rule. To move a rule to an absolute position, use the keyword move: followed by the position number and the rule name of the rule to move (the first position is position number 1). Please note that white spaces are not allowed between the keyword move: and the position number.
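As an added illustration (not CacheGuard's own code) of the rule-list semantics described above for the sixth and seventh usage forms, together with the <qos> value and rule-name checks the text describes for apply, here is a small Python model. The dict of per-interface bandwidth limits and the class, function and rule names are assumptions made for the example.

```python
import re
# Added example (not CacheGuard's code): models the routed-traffic shaping rule
# list described above and the <qos>/rule-name checks the text states.
# Assumption: per-interface bandwidth limits in Kbps are supplied as a dict.
RULE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")

def parse_qos(value, limit_kbps):
    """Return a <qos> in Kbps; a '%' suffix means a percentage (1-100) of the limit."""
    if value.endswith("%"):
        pct = int(value[:-1])
        if not 1 <= pct <= 100:
            raise ValueError("percentage must be between 1 and 100")
        return limit_kbps * pct // 100
    kbps = int(value)
    if kbps > limit_kbps:  # the integrity check that 'apply' performs
        raise ValueError("Kbps value exceeds the interface bandwidth limit")
    return kbps

class RouterRules:  # ordered shaping rules for routed traffic; names are unique
    def __init__(self, limits):
        self.limits, self.rules = limits, []  # rules: list of (name, spec)
    def names(self):
        return [n for n, _ in self.rules]
    def _index(self, name):  # raises ValueError when the rule does not exist
        return self.names().index(name)
    def add(self, name, iface, ingress_qos, egress_qos, where="add"):
        """where: 'add' (append), 'add:<rule>' (after it) or 'insert:<rule>' (before it)."""
        if not RULE_NAME.match(name) or name in self.names():
            raise ValueError(f"invalid or duplicate rule name {name!r}")
        spec = (iface, *(parse_qos(q, self.limits[iface]) for q in (ingress_qos, egress_qos)))
        if where == "add":
            pos = len(self.rules)
        elif where.startswith("add:"):
            pos = self._index(where[4:]) + 1
        elif where.startswith("insert:"):
            pos = self._index(where[7:])
        else:
            raise ValueError(f"unknown keyword {where!r}")
        self.rules.insert(pos, (name, spec))
    def delete(self, name):
        del self.rules[self._index(name)]
    def raz(self):  # 'raz' removes every routed shaping rule
        self.rules.clear()
    def move(self, target, name):
        """target: '-<rule>' (before it), '+<rule>' (after it) or '<position>' (1-based)."""
        rule = self.rules.pop(self._index(name))
        if target[:1] in ("-", "+"):
            pos = self._index(target[1:]) + (1 if target[0] == "+" else 0)
        else:
            pos = int(target) - 1
        self.rules.insert(pos, rule)
```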
In a concurrent environment the <qos> limit may be configured so that it can be exceeded when the load of other networks is under their configured <qos> limits. This mechanism is called borrowing (a traffic type lends its unused bandwidth to other traffic types). The eighth usage form of this command allows you to activate or deactivate the borrowing mechanism. Deactivating the borrowing allows you to assign a strict bandwidth to a traffic type, while activating it allows you to share the available bandwidth more flexibly.
The QoS controller classifies the network traffic according to the protocol used (TCP or UDP), the source/destination IP address and the source/destination port. In certain circumstances, the appliance may not shape the traffic as required because of an ambiguity in the configuration. For instance, if an external FTP server and an antivirus client (such as an MTA) share the same IP address, the traffic can be classified as antivirus traffic as well as file traffic. The reason is that both FTP and antivirus traffic use dynamic ports, thus creating ambiguity.
access (1) firewall (1) apply (1) mode (1) peer (1) rweb (1) transparent (1)
CacheGuard Technologies Ltd <www.cacheguard.com>
Send bug reports or comments to the above author.
Copyright (C) 2009-2018 CacheGuard - All rights reserved