Queues tab
Queues
The QoS module, built into Stormshield Network’s intrusion prevention engine, is associated with the Filtering module in order to provide Quality of Service features.
When a packet arrives on an interface, it will first be processed by a filter rule, then the intrusion prevention engine will assign the packet to the right queue according to the configuration of the filter rule’s QoS field.
There are three types of queues on the firewall. Two of them are directly associated with QoS algorithms: PRIQ (Priority Queuing) and CBQ (Class-Based Queuing). The third enables traffic monitoring.
Class-based queue (CBQ)
A scheduling class can be chosen for each filter rule and a bandwidth guarantee or restriction can be assigned to it.
For example, you can associate a scheduling class with HTTP traffic by associating a CBQ to the corresponding filter rule.
Class-based queuing determines the way in which traffic assigned to QoS rules will be managed on the network. Bandwidth reservation mechanisms for this queue type guarantee a minimum service while bandwidth restriction mechanisms enable the preservation of bandwidth when dealing with applications that consume a large amount of resources.
Adding a class-based queue
To add a class-based queue:
- Click on Add.
- Select Class Based Queuing (CBQ).
A window appears, allowing you to configure the various properties of the queue: Name, Type, Comments, Bandwidth restrictions.
Details of the properties of a Class Based Queuing queue are described below.
Modifying a class-based queue
Name | Name of the queue to be configured. |
Type | Bandwidth reservation/limitation queues are indicated as Class Based Queuing (CBQ). |
Comments | Related comments (optional). |
Bandwidth restrictions
Guaranteed bandwidth | Acting as a service guarantee, this option allows guaranteeing a given throughput and a maximum transfer time. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with a guaranteed minimum of 10Kbits/s, the HTTP+FTP bandwidth will be at a minimum of 10Kbits/s. However, there is no restriction on the HTTP bandwidth being 9Kbits/s and the FTP bandwidth being only 1Kbits/s. |
Max bandwidth | Acting as a restriction, this option prohibits bandwidth for the traffic assigned to these queues from being exceeded. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with an authorized maximum of 500Kbits/s the HTTP+FTP bandwidth must not exceed 500Kbits/s. |
Guaranteed rev. | Acting as a service guarantee, this option makes it possible to guarantee a given throughput and a descending maximum transfer time. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with a guaranteed minimum of 10Kbits/s, the HTTP+FTP bandwidth will be at a minimum of 10Kbits/s. However, there is no restriction on the HTTP bandwidth being 9Kbits/s and the FTP bandwidth being only 1Kbits/s. |
Max rev. | Acting as a restriction, this option prohibits bandwidth for the downward traffic, assigned to these queues, from being exceeded. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with an authorized maximum of 500Kbits/s the HTTP+FTP bandwidth must not exceed 500Kbits/s. |
REMARKS
If you select “None” in the Guaranteed bandwidth column and “Unlimited” in the Max. bandwidth column, no restrictions will be placed on the traffic. In this case, a message will appear, suggesting that you change your queue to a monitoring queue.
The grid of the Queues menu displays the various queues that have been configured. Clicking on Check usage allows you to display the list of filter rules in which the selected queue is being used.
Deleting a class-based queue
Select the line of the class-based queue to be deleted and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.
Monitoring queue
Monitoring queues do not affect how traffic associated with QoS rules is treated.
They enable the registration of throughput and bandwidth information that may be viewed in the QoS monitoring module (after being selected in the QoS configuration tab in the Monitoring configuration module).
Configuration options for Monitoring queues are as follows:
Adding a monitoring queue
To add a monitoring queue:
- Click on Add.
- Select Monitoring Queuing (MONQ).
A window appears, allowing you to configure the various properties of the queue: Name, Type, Comments.
Details of the properties of a Monitoring Queuing (MONQ) queue are described below.
Modifying a monitoring queue
Name | Name of the queue to be configured. |
Type | Traffic monitoring queues are indicated as Monitoring Queuing (MONQ). |
Comments | Related comments (optional). |
Deleting a monitoring queue
Select the line of the monitoring queue to be deleted and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.
Priority queue
There are 7 levels of priority. Packets are treated according to the configured priorities.
High priority can be assigned to DNS queries by creating a filter rule and associating it with a PRIQ.
Priority queuing gives certain packets priority during their treatment. This means that packets associated with a PRIQ filter rule will be treated before other packets.
The scale of priorities ranges from 0 to 7. Priority 0 corresponds to traffic with the highest priority among PRIQ queues. Priority 7 corresponds to traffic with the lowest priority among PRIQ queues.
Traffic without QoS rules will be treated before any other PRIQ or CBQ queues.
Configuration options for PRIQ queues are as follows:
Adding a priority queue
To add a priority queue:
- Click the Add button.
- Select Priority Queuing (PRIQ).
A window appears, allowing you to configure the various properties of the queue: Name, Type, Priority, Comments.
Details of the properties of a Priority Queuing (PRIQ) queue are described below.
Modifying a priority queue
The table displays the various queues that have been configured. Clicking on Check usage allows you to check whether these queues are being used in a filter rule. If this is the case, a menu will appear in the browser bar, showing the rules.
Name | Name of the queue to be configured. |
Type | Priority-based queues are indicated as Priority Queuing (PRIQ). |
Priority | Defines the priority level of the traffic assigned to the queue. The cells in this column can only be edited for PRIQs. A value from 0 (highest priority) to 7 (lowest priority) can be selected. |
Comments | Related comments (optional). |
Deleting a priority queue
Select the relevant line in the table of priority queues and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.
Available queues
At the end of the queue table, the available number of queues will be indicated for a given firewall model. These values are as follows:
SN160(W), SN210(W), SN310 | 20 |
EVA1, EVA2, EVA3, EVA4, EVAU (16G), SN-XS-Series-170, SN-S-Series-220, SN-S-Series-320, SNi10 | 100 |
EVAU (32G), EVAU (64G), SN2100, SN-L-Series-2200, SN3100, SN-L-Series-3200, SN-XL-Series-5200, SN6100, SN-XL-Series-6200 | 255 |
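The rules this page states for queues (PRIQ priority range, the suggestion to use a monitoring queue when a CBQ has no guarantee and no limit, and the per-model queue count) can be checked over a queue inventory before it is entered in the interface. The following is an added example, not Stormshield code: the dictionary layout and field names are hypothetical and do not correspond to any firewall export format, and treating the two "rev." columns like the Guaranteed and Max bandwidth columns in the monitoring-queue check is an assumption.

```python
# Added example: audit a queue inventory against the rules stated on this page.
# The dict layout and field names are hypothetical, not a Stormshield format.
# Limits per model come from the "Available queues" table.
QUEUE_LIMITS = {
    20: ["SN160(W)", "SN210(W)", "SN310"],
    100: ["EVA1", "EVA2", "EVA3", "EVA4", "EVAU (16G)", "SN-XS-Series-170",
          "SN-S-Series-220", "SN-S-Series-320", "SNi10"],
    255: ["EVAU (32G)", "EVAU (64G)", "SN2100", "SN-L-Series-2200", "SN3100",
          "SN-L-Series-3200", "SN-XL-Series-5200", "SN6100", "SN-XL-Series-6200"],
}
BANDWIDTH_FIELDS = ("guaranteed", "max", "guaranteed_rev", "max_rev")

def queue_limit(model):
    for limit, models in QUEUE_LIMITS.items():
        if model in models:
            return limit
    raise ValueError(f"model not in the page's table: {model}")

def audit_queues(model, queues):
    findings = []
    limit = queue_limit(model)
    if len(queues) > limit:
        findings.append(f"{len(queues)} queues defined, {model} allows {limit}")
    for q in queues:
        name, qtype = q["name"], q["type"]
        if qtype not in ("CBQ", "PRIQ", "MONQ"):
            findings.append(f"{name}: unknown queue type {qtype}")
        elif qtype == "PRIQ":
            prio = q.get("priority")
            if not isinstance(prio, int) or not 0 <= prio <= 7:
                findings.append(f"{name}: PRIQ priority must be 0-7, got {prio!r}")
        elif "priority" in q:
            findings.append(f"{name}: priority is only editable for PRIQ")
        if qtype == "CBQ" and not any(q.get(f) for f in BANDWIDTH_FIELDS):
            findings.append(f"{name}: no guarantee or limit set, use a MONQ instead")
    return findings

def priq_order(queues):
    """PRIQ names from highest priority (0) to lowest (7)."""
    priq = [q for q in queues if q["type"] == "PRIQ"]
    return [q["name"] for q in sorted(priq, key=lambda q: q["priority"])]

# Constructed sample inventory (Kbits/s; a missing field means None/Unlimited).
SAMPLE = [
    {"name": "dns_first", "type": "PRIQ", "priority": 0},
    {"name": "bulk", "type": "PRIQ", "priority": 9},
    {"name": "web_ftp", "type": "CBQ", "guaranteed": 10, "max": 500},
    {"name": "unbounded", "type": "CBQ"},
    {"name": "watch_voip", "type": "MONQ"},
]
```

Calling `audit_queues("SN310", SAMPLE)` flags the out-of-range priority on `bulk` and the unrestricted CBQ `unbounded`.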