User's Guide - Version EH-1.5.5

Web Optimisation

QoS (Quality of Service)

The appliance allows you to manage the bandwidth sharing policy in your Web infrastructure. For instance you can reserve more bandwidth for your critical Web applications while less bandwidth is allocated to Web users. This feature is called Web traffic shaping. In addition Web users receive equitably the Web traffic in the same subnet so extensive usage by some Web users does not penalise others. We call this latter feature the Web traffic scheduling. The Web traffic shaping and the Web traffic scheduling are both supported by the QoS (Quality of Service) module of the appliance.

Configuring the traffic shaping and scheduling is a very straightforward process with CacheGuard. Web traffic scheduling is activated as long as the QoS mode is activated (all Web traffic is then scheduled to deliver equitable traffic to end users). To begin the traffic shaping configuration, you must first define the total incoming and outgoing bandwidth from the internal and external network interfaces. Afterwards, you must assign a percentage of these total values to fine-tune your policies. In the QoS management world the term "ingress" refers to incoming traffic and the term "egress" refers to outgoing traffic. So to set the QoS we should consider four parameters: Like any other feature in the appliance, the QoS feature can be activated or deactivated. The command "mode qos" allows management of the QoS state ("on" or "off").

For instance to activate the QoS mode and define 20 Mbps incoming flows from the external network interface (Coming from the Internet) and 80 Mbps outgoing flows from the internal network interface (Going to Web users) use the following commands (bandwidths are given in Kilobit/second):

The following commands define respectively 2 Mbps outgoing flows from the external network interface and 80 Mbps incoming flows from the internal network interface. Now to reserve 40% of the available bandwidth for Web users use the following command: To reserve 60% of the available bandwidth for Web servers use the following command: Note that in the CacheGuard architecture the internal zone (connected to or behind the internal network interface) is considered as a secure zone and the external zone (connected to or outside of the external network interface) is considered as a non-trusted zone. The appliance supports two modes: the "web" mode and the "rweb" (for reverse Web) mode. The "web" mode protects Web users located in the internal zone while the "rweb" mode protects Web servers (also located in the internal zone) so in both points of view threats come from the external zone. In reverse mode the malicious users are the Web users while in forwarding mode Web users should be protected against malicious threats. In the QoS module, the "web" keyword refers to Web traffic exchanged with protected Web users (located in the internal zone) and the keyword "rweb" refers to protected Web servers. Finally each subnet may be fine-tuned to have its own QoS policy. For instance to affect 30% of the available Web bandwidth to the subnet "" and 70% to the subnet "", use the following commands: These rules allocate a maximum bandwidth of 9.6 Mbps (0,30 x 0,40 x 80 Mbps) for the subnet "" and 22.4 Mbps (0,70 x 0,40 x 80 Mbps) for the subnet "".

Note that the QoS defined for each Web users subnet is relative to the total shaping percentage defined for all Web users (here 40%).