Queues

The QoS module embedded in Stormshield Network’s intrusion prevention engine is associated with the Filter module in order to provide Quality of Service functions.

When a packet arrives on an interface, it will first be treated by a filter rule, then the intrusion prevention engine will assign the packet to the right queue according to the configuration of the filter rule’s QoS field.

There are three types of queues on the firewall. Two of them are directly associated with QoS algorithms: PRIQ (Priority Queuing) and CBQ (Class-Based Queuing). The third enables traffic monitoring.

Class-based queue (CBQ)

A scheduling class can be chosen for each filter rule and a bandwidth guarantee or restriction can be assigned to it.

For example: you can associate a scheduling class with HTTP traffic by associating a CBQ to the corresponding filter rule.

Class-based queuing determines the way in which traffic assigned to QoS rules will be managed on the network. Bandwidth reservation mechanisms for this queue type guarantee a minimum service while bandwidth restriction mechanisms enable the preservation of bandwidth when dealing with applications that consume a large amount of resources.

Adding a class-based queue

To add a class-based queue, click on the button Add a queue, then select Class-based queue (CBQ). A line will be added to the table in which you will be able to make your changes.

Modifying a class-based queue

Name: Name of the queue to be configured.
Type: Type of queue (from monitoring (MONQ), priority (PRIQ), reservation/limitation (CBQ)).
Priority: Defines the priority level of the traffic assigned to the queue. The cells in this column can only be edited for PRIQs. It is possible to select a value from 1 (highest priority) to 7 (lowest priority).
Bp min: Acting as a service guarantee, this option allows guaranteeing a given throughput and a maximum transfer time. Configured in Kbits/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with a guaranteed minimum of 10Kbits/s, the HTTP+FTP bandwidth will be at a minimum of 10Kbits/s. However, there is no restriction on the HTTP bandwidth being 9Kbits/s and the FTP bandwidth being only 1Kbits/s.

REMARK
This option is synchronized by default with the option Min inv. By modifying the value of this option, this value will be replicated in Min inv. By modifying the value of Min inv, the values will be different and therefore desynchronized.

Bp max: Acting as a restriction, this option prohibits bandwidth for the traffic assigned to these queues from being exceeded. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with an authorized maximum of 500Kbits/s, the HTTP+FTP bandwidth must not exceed 500Kbits/s.

REMARK
This option is synchronized by default with the option Min inv. By modifying the value of this option, this value will be replicated in Min inv. By modifying the value of Min inv, the values will be different and therefore desynchronized.

Min inv.: Acting as a service guarantee, this option allows guaranteeing a given throughput and a maximum transfer time. Configured in Kbits/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with a guaranteed minimum of 10Kbits/s, the HTTP+FTP bandwidth will be at a minimum of 10Kbits/s. However, there is no restriction on the HTTP bandwidth being 9Kbits/s and the FTP bandwidth being only 1Kbits/s.

REMARK
If you enter a value higher than the Max inv., the following message will appear: “downward traffic: the minimum guaranteed bandwidth should be lower than or equal to the maximum bandwidth”.

Max inv.: Acting as a restriction, this option prohibits bandwidth for the downward traffic, assigned to these queues, from being exceeded. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with an authorized maximum of 500Kbits/s, the HTTP+FTP bandwidth must not exceed 500Kbits/s.
Color: Color to differentiate the queue.
Comments: Related comments.

REMARK
If you select “0” in the “Minimum bandwidth” column and “Unlimited” in the “Maximum bandwidth” column, no restrictions will be placed on the traffic. In this case, a message will appear, suggesting that you change your queue to a monitoring queue.

The table in the menu Class-based queuing displays the various queues that have been configured. Clicking on Check usage allows you to view (in the browser bar on the left) the list of filter rules in which the selected queue is being used.

Deleting a class-based queue

Select the line of the class-based queue to be deleted and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.

Monitoring queue

Monitoring queues do not affect how traffic associated with QoS rules is treated.

They enable the registration of throughput and bandwidth information that may be viewed in the QoS monitoring module (after being selected in the QoS configuration tab in the Monitoring configuration module).

Configuration options for Monitoring queues are as follows:

Adding a monitoring queue

To add a monitoring queue, click on Add a queue, then select Monitoring queue (MONQ).

Modifying a monitoring queue

Name: Name of the queue to be configured.
Type: Type of queue (from CBQ, PRIQ or MONQ).
Color: Color to differentiate the queue.
Comments: Related comments.

Deleting a monitoring queue

Select the line of the monitoring queue to be deleted and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.

Priority queue

There are 7 levels of priority. Packets are treated according to the configured priorities.

High priority can be assigned to DNS queries by creating a filter rule and associating it with a PRIQ.

Priority queuing gives certain packets priority during their treatment. This means that packets associated with a PRIQ filter rule will be treated before other packets.

The scale of priorities ranges from 1 to 7. Priority 1 corresponds to traffic with the highest priority among PRIQ queues. Priority 7 corresponds to traffic with the lowest priority among PRIQ queues.

Traffic without QoS rules will be treated before any other PRIQ or CBQ queues.

Configuration options for PRIQ queues are as follows:

Adding a priority queue

To add a priority queue, click on the button Add a queue, then select Priority queue (PRIQ).

A line will be added to the table in which you will be able to make your changes.

Modifying a priority queue

The table displays the various queues that have been configured. Clicking on Check usage allows you to check whether these rules are being used in a filter rule. If this is the case, a menu will appear in the browser bar, showing the rules.

Name: Name of the queue to be configured.
Type: Type of queue (from CBQ, PRIQ or MONQ).
Priority: Defines the priority level of the traffic assigned to the queue. The cells in this column can only be edited for PRIQs. It is possible to select a value from 1 (highest priority) to 7 (lowest priority).
Color: Color to differentiate the queue.
Comments: Related comments.

Deleting a priority queue

Select the relevant line in the table of priority queues and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.

Available queues

At the end of the queue table, the available number of queues will be indicated for a given firewall model. These values are as follows:

SN160w, SN210w, SN310: 20
SN510, SN710, SN910: 100
SN2000, SN2100, SN3000, SN3100, SN6000, SN6100: 255
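
The following is an added example, not Stormshield code: it audits a planned queue list against the rules stated on this page (minimum not above maximum, PRIQ priority from 1 to 7, a queue with no restriction better suited to a monitoring queue, and the number of queues available per model). The dict layout, field names and sample values are assumptions made for the example, and treating a queue as unrestricted only when both the Bp and inv. pairs are 0/Unlimited is also an assumption.

```python
# Hypothetical dict layout for a planned queue list, not a Stormshield format.
# Bandwidths are in Kbits/s; percentages of the reference value are not handled.
MODEL_LIMITS = {
    20: ("SN160w", "SN210w", "SN310"),
    100: ("SN510", "SN710", "SN910"),
    255: ("SN2000", "SN2100", "SN3000", "SN3100", "SN6000", "SN6100"),
}
UNLIMITED = None  # stands for "Unlimited" in a maximum bandwidth column


def max_queues(model):
    for limit, models in MODEL_LIMITS.items():
        if model in models:
            return limit
    raise ValueError(f"unknown model: {model}")


def check_pair(name, label, lo, hi, findings):
    """Flag min > max; return True when the pair places no restriction."""
    if hi is not UNLIMITED and lo > hi:
        findings.append(f"{name}: {label} minimum {lo} exceeds maximum {hi}")
    return lo == 0 and hi is UNLIMITED


def audit(model, queues):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    if len(queues) > max_queues(model):
        findings.append(f"{len(queues)} queues, only {max_queues(model)} available on {model}")
    for q in queues:
        name, qtype = q["name"], q["type"]
        if qtype == "PRIQ" and not 1 <= q.get("priority", 0) <= 7:
            findings.append(f"{name}: priority must be 1 (highest) to 7 (lowest)")
        elif qtype == "CBQ":
            free_bp = check_pair(name, "Bp", q["bp_min"], q["bp_max"], findings)
            free_inv = check_pair(name, "inv.", q["min_inv"], q["max_inv"], findings)
            if free_bp and free_inv:  # assumption: both directions unrestricted
                findings.append(f"{name}: no restriction, consider a monitoring queue")
        elif qtype not in ("PRIQ", "MONQ"):
            findings.append(f"{name}: unknown queue type {qtype}")
    return findings


# Constructed sample plan (names and values are illustrative only).
SAMPLE = [
    {"name": "dns_high", "type": "PRIQ", "priority": 1},
    {"name": "web_ftp", "type": "CBQ", "bp_min": 10, "bp_max": 500, "min_inv": 600, "max_inv": 500},
    {"name": "open", "type": "CBQ", "bp_min": 0, "bp_max": None, "min_inv": 0, "max_inv": None},
    {"name": "watch", "type": "MONQ"},
]
```

Calling audit("SN310", SAMPLE) reports the web_ftp queue, whose Min inv. exceeds its Max inv., and the open queue, which applies no restriction.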