Queues
The QoS module embedded in Stormshield Network’s intrusion prevention engine is associated with the Filter module in order to provide Quality of Service functions.
When a packet arrives on an interface, it will first be treated by a filter rule, then the intrusion prevention engine will assign the packet to the right queue according to the configuration of the filter rule’s QoS field.
There are three types of queues on the firewall. Two of them are directly associated with QoS algorithms: PRIQ (Priority Queuing) and CBQ (Class-Based Queuing). The third enables traffic monitoring.
Class-based queue (CBQ)
A scheduling class can be chosen for each filter rule and a bandwidth guarantee or restriction can be assigned to it.
For example: you can associate a scheduling class with HTTP traffic by associating a CBQ to the corresponding filter rule.
Class-based queuing determines the way in which traffic assigned to QoS rules will be managed on the network. Bandwidth reservation mechanisms for this queue type guarantee a minimum service while bandwidth restriction mechanisms enable the preservation of bandwidth when dealing with applications that consume a large amount of resources.
Adding a class-based queue
To add a class-based queue, click on the button Add a queue, then select Class-based queue (CBQ). A line will be added to the table in which you will be able to make your changes.
Modifying a class-based queue
Name | Name of the queue to be configured. |
Type | Type of queue (from monitoring (MONQ), priority (PRIQ), reservation/limitation (CBQ)). |
Priority | Defines the priority level of the traffic assigned to the queue. The cells in this column can only be edited for PRIQs. It is possible to select a value from 1 (highest priority) to 7 (lowest priority). |
Bp min | Acting as a service guarantee, this option allows guaranteeing a given throughput and a maximum transfer time. Configured in Kbits/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with a guaranteed minimum of 10Kbits/s, the HTTP+FTP bandwidth will be at a minimum of 10Kbits/s. However, there is no restriction on the HTTP bandwidth being 9Kbits/s and the FTP bandwidth being only 1Kbits/s. REMARK |
Bp max | Acting as a restriction, this option prohibits bandwidth for the traffic assigned to these queues from being exceeded. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with an authorized maximum of 500Kbits/s the HTTP+FTP bandwidth must not exceed 500Kbits/s. REMARK |
Min inv. | Acting as a service guarantee, this option allows guaranteeing a given throughput and a maximum transfer time. Configured in Kbits/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with a guaranteed minimum of 10Kbits/s, the HTTP+FTP bandwidth will be at a minimum of 10Kbits/s. However, there is no restriction on the HTTP bandwidth being 9Kbits/s and the FTP bandwidth being only 1Kbits/s. REMARK |
Max inv. | Acting as a restriction, this option prohibits bandwidth for the downward traffic, assigned to these queues, from being exceeded. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with an authorized maximum of 500Kbits/s the HTTP+FTP bandwidth must not exceed 500Kbits/s. |
Color | Color to differentiate the queue. |
Comments | Related comments. |
REMARK
If you select “0” in the “Minimum bandwidth” column and “Unlimited” in the “Maximum bandwidth” column, no restrictions will be placed on the traffic. In this case, a message will appear, suggesting that you change your queue to a monitoring queue.
The table in the menu Class-based queuing displays the various queues that have been configured. Clicking on Check usage allows you to view (in the browser bar on the left) the list of filter rules in which the selected queue is being used.
Deleting a class-based queue
Select the line of the class-based queue to be deleted and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.
Monitoring queue
Monitoring queues do not affect how traffic associated with QoS rules is treated.
They enable the registration of throughput and bandwidth information that may be viewed in the QoS monitoring module (after being selected in the QoS configuration tab in the Monitoring configuration module).
Configuration options for Monitoring queues are as follows:
Adding a monitoring queue
To add a monitoring queue, click on Add a queue, then select Monitoring queue (MONQ).
Modifying a monitoring queue
Name | Name of the queue to be configured. |
Type | Type of queue (CBQ, PRIQ or MONQ). |
Color | Color to differentiate the queue. |
Comments | Related comments. |
Deleting a monitoring queue
Select the line of the monitoring queue to be deleted and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.
Priority queue
There are 7 levels of priority. Packets are treated according to the configured priorities.
High priority can be assigned to DNS queries by creating a filter rule and associating it with a PRIQ.
Priority queuing gives certain packets priority during their treatment. This means that packets associated with a PRIQ filter rule will be treated before other packets.
The scale of priorities ranges from 1 to 7. Priority 1 corresponds to traffic with the highest priority among PRIQ queues. Priority 7 corresponds to traffic with the lowest priority among PRIQ queues.
Traffic without QoS rules will be treated before any other PRIQ or CBQ queues.
Configuration options for PRIQ queues are as follows:
Adding a priority queue
To add a priority queue, click on the button Add a queue, then select Priority queue (PRIQ).
A line will be added to the table in which you will be able to make your changes.
Modifying a priority queue
The table displays the various queues that have been configured. Clicking on Check usage allows you to check whether these rules are being used in a filter rule. If this is the case, a menu will appear in the browser bar, showing the rules.
Name | Name of the queue to be configured. |
Type | Type of queue (CBQ, PRIQ or MONQ). |
Priority | Defines the priority level of the traffic assigned to the queue. The cells in this column can only be edited for PRIQs. It is possible to select a value from 1 (highest priority) to 7 (lowest priority). |
Color | Color to differentiate the queue. |
Comments | Related comments. |
Deleting a priority queue
Select the relevant line in the table of priority queues and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.
Available queues
At the end of the queue table, the available number of queues will be indicated for a given firewall model. These values are as follows:
SN160w, SN210w, SN310 | SN510, SN710, SN910 | SN2000, SN2100, SN3000, SN3100, SN6000, SN6100 |
20 | 100 | 255 |
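The rules stated on this page (priority 1 to 7 editable only for PRIQs, a CBQ with minimum 0 and maximum Unlimited being better expressed as a monitoring queue, and the per-model queue limits) can be checked over a planned queue list before it is entered in the interface. The following is an added example, not Stormshield code; the dictionary layout, the function name `lint_queues` and the sample queue names are hypothetical, and `bp_max=None` stands for "Unlimited".

```python
# Added example: lints a planned queue list against the rules on this page.
# The dict layout (name/type/priority/bp_min/bp_max) is hypothetical and is
# not a Stormshield export format. bp_max=None stands for "Unlimited".
MAX_QUEUES = {  # values from the "Available queues" table
    **dict.fromkeys(("SN160w", "SN210w", "SN310"), 20),
    **dict.fromkeys(("SN510", "SN710", "SN910"), 100),
    **dict.fromkeys(("SN2000", "SN2100", "SN3000", "SN3100", "SN6000", "SN6100"), 255),
}

def lint_queues(model, queues):
    """Return a list of findings (strings); an empty list means no issue."""
    findings = []
    limit = MAX_QUEUES.get(model)
    if limit is None:
        findings.append(f"unknown model {model!r}: queue limit not checked")
    elif len(queues) > limit:
        findings.append(f"{len(queues)} queues exceed the {limit} available on {model}")
    for q in queues:
        name, qtype = q["name"], q["type"]
        if qtype not in ("CBQ", "PRIQ", "MONQ"):
            findings.append(f"{name}: unknown type {qtype!r}")
        elif qtype == "PRIQ":
            prio = q.get("priority")
            if not isinstance(prio, int) or not 1 <= prio <= 7:
                findings.append(f"{name}: PRIQ priority must be 1 (highest) to 7 (lowest)")
        else:
            if q.get("priority") is not None:
                findings.append(f"{name}: priority is only editable for PRIQ")
            # Page remark: min 0 + max Unlimited places no restriction on traffic.
            if qtype == "CBQ" and q.get("bp_min", 0) == 0 and q.get("bp_max") is None:
                findings.append(f"{name}: CBQ with min 0 and max Unlimited restricts nothing; use a MONQ")
    return findings

# Constructed sample configuration (bandwidth values in Kbits/s).
SAMPLE = [
    {"name": "web_ftp", "type": "CBQ", "bp_min": 10, "bp_max": 500},
    {"name": "dns_first", "type": "PRIQ", "priority": 1},
    {"name": "bulk", "type": "CBQ", "bp_min": 0, "bp_max": None},
    {"name": "voip", "type": "PRIQ", "priority": 9},
    {"name": "watch", "type": "MONQ", "priority": 3},
]

if __name__ == "__main__":
    for finding in lint_queues("SN310", SAMPLE):
        print(finding)
```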