Queues tab

Queues

The QoS module, built into Stormshield Network’s intrusion prevention engine, is associated with the Filtering module in order to provide Quality of Service features.

When a packet arrives on an interface, it will first be processed by a filter rule, then the intrusion prevention engine will assign the packet to the right queue according to the configuration of the filter rule’s QoS field.

There are three types of queues on the firewall. Two of them are directly associated with QoS algorithms: PRIQ (Priority Queuing) and CBQ (Class-Based Queuing). The third enables traffic monitoring.

Class-based queue (CBQ)

A scheduling class can be chosen for each filter rule and a bandwidth guarantee or restriction can be assigned to it.

For example, you can associate a scheduling class with HTTP traffic by associating a CBQ to the corresponding filter rule.

Class-based queuing determines the way in which traffic assigned to QoS rules will be managed on the network. Bandwidth reservation mechanisms for this queue type guarantee a minimum service while bandwidth restriction mechanisms enable the preservation of bandwidth when dealing with applications that consume a large amount of resources.

Adding a class-based queue

To add a class-based queue:

  1. Click on Add.
  2. Select Class Based Queuing (CBQ).
    A window appears, allowing you to configure the various properties of the queue: Name, Type, Comments, Bandwidth restrictions.

Details of the properties of a Class Based Queuing queue are described below.

Modifying a class-based queue

Name: Name of the queue to be configured.

Type: Bandwidth reservation/limitation queues are indicated as Class Based Queuing (CBQ).

Comments: Related comments (optional).

Bandwidth restrictions

Guaranteed bandwidth: Acting as a service guarantee, this option guarantees a given throughput and a maximum transfer time. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with a guaranteed minimum of 10Kbits/s, the HTTP+FTP bandwidth will be at a minimum of 10Kbits/s. However, there is no restriction on the HTTP bandwidth being 9Kbits/s and the FTP bandwidth being only 1Kbits/s.

REMARKS
This option is synchronized by default with the option Guaranteed rev. By modifying its value, the value will be replicated in Guaranteed rev. By modifying the value of Guaranteed rev., the values will be different and therefore desynchronized.

Max bandwidth: Acting as a restriction, this option prevents the traffic assigned to these queues from exceeding the configured bandwidth. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with an authorized maximum of 500Kbits/s, the HTTP+FTP bandwidth must not exceed 500Kbits/s.

REMARKS
This option is synchronized by default with the option Max rev. By modifying its value, the value will be replicated in Max rev. By modifying the value of Max rev., the values will be different and therefore desynchronized.

Guaranteed rev.: Acting as a service guarantee, this option makes it possible to guarantee a given throughput and a maximum transfer time for downward traffic. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with a guaranteed minimum of 10Kbits/s, the HTTP+FTP bandwidth will be at a minimum of 10Kbits/s. However, there is no restriction on the HTTP bandwidth being 9Kbits/s and the FTP bandwidth being only 1Kbits/s.

REMARKS
If you enter a value higher than the Max rev., the following message will appear: “downward traffic: the minimum guaranteed bandwidth should be lower than or equal to the maximum bandwidth”.

Max rev.: Acting as a restriction, this option prevents the downward traffic assigned to these queues from exceeding the configured bandwidth. Configured in Kbits/s, Mbits/s, Gbit/s or as a percentage of the reference value, this value is shared between all traffic assigned to this QoS rule. As such, if HTTP and FTP traffic is associated with a queue with an authorized maximum of 500Kbits/s, the HTTP+FTP bandwidth must not exceed 500Kbits/s.

REMARKS
If you select “None” in the Guaranteed bandwidth column and “Unlimited” in the Max. bandwidth column, no restrictions will be placed on the traffic. In this case, a message will appear, suggesting that you change your queue to a monitoring queue.
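
The checks described above for class-based queues, as an added example for reviewing queue definitions offline (not Stormshield code or a Stormshield export format). The dictionary layout, the decimal unit multipliers, the reference value and the sample queues are assumptions constructed for illustration.

```python
import re

# Assumption: decimal multipliers (1 Kbits/s = 1000 bits/s).
MULT = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

def to_bps(value, reference_bps):
    """Convert '500 Kbits/s', '1Gbit/s' or '20%' to bits/s.
    'None' (no guarantee) and 'Unlimited' (no cap) map to None."""
    text = str(value).strip().lower()
    if text in ("none", "unlimited"):
        return None
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(%|[kmg]bits?/s)", text)
    if not m:
        raise ValueError(f"unrecognised bandwidth value: {value!r}")
    number, unit = float(m.group(1)), m.group(2)
    if unit == "%":  # percentage of the reference value
        return number * reference_bps / 100
    return number * MULT[unit[0]]

def review_cbq(queue, reference_bps):
    """Return the findings for one CBQ definition (hypothetical dict layout)."""
    fwd = [to_bps(queue[k], reference_bps) for k in ("guaranteed", "max")]
    # Reverse values replicate the forward ones unless set explicitly.
    rev = [to_bps(queue.get(k + "_rev", queue[k]), reference_bps)
           for k in ("guaranteed", "max")]
    findings = []
    # The page documents this check for downward traffic; applying it to the
    # forward direction as well is an assumption made by symmetry.
    for label, (guaranteed, maximum) in (("forward", fwd), ("downward", rev)):
        if None not in (guaranteed, maximum) and guaranteed > maximum:
            findings.append(f"{label}: guaranteed bandwidth exceeds max bandwidth")
    if fwd != rev:
        findings.append("desynchronized: forward and downward values differ")
    if fwd == rev == [None, None]:
        findings.append("no restriction: use a monitoring queue instead")
    return findings

REFERENCE_BPS = 100_000_000  # constructed reference value (100 Mbits/s)
SAMPLE_QUEUES = [  # constructed sample definitions
    {"name": "web_ftp", "guaranteed": "10 Kbits/s", "max": "500 Kbits/s"},
    {"name": "backup", "guaranteed": "20%", "max": "10 Mbits/s",
     "guaranteed_rev": "5 Mbits/s", "max_rev": "10 Mbits/s"},
    {"name": "open", "guaranteed": "None", "max": "Unlimited"},
]

def review_all(queues=SAMPLE_QUEUES, reference_bps=REFERENCE_BPS):
    return {q["name"]: review_cbq(q, reference_bps) for q in queues}

if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, findings or "ok")
```

Mixing a percentage with an absolute value, as in the constructed "backup" queue, is where an inverted guarantee and cap is easiest to miss, because the comparison only becomes visible once both are converted against the reference value.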

The grid of the Queues menu displays the various queues that have been configured. Clicking on Check usage allows you to display the list of filter rules in which the selected queue is being used.

Deleting a class-based queue

Select the line of the class-based queue to be deleted and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.

Monitoring queue

Monitoring queues do not affect how traffic associated with QoS rules is treated.

They enable the registration of throughput and bandwidth information that may be viewed in the QoS monitoring module (after being selected in the QoS configuration tab in the Monitoring configuration module).

Configuration options for Monitoring queues are as follows:

Adding a monitoring queue

To add a monitoring queue:

  1. Click on Add.
  2. Select Monitoring Queuing (MONQ).
    A window appears, allowing you to configure the various properties of the queue: Name, Type, Comments.

Details of the properties of a Monitoring Queuing (MONQ) queue are described below.

Modifying a monitoring queue

Name: Name of the queue to be configured.

Type: Traffic monitoring queues are indicated as Monitoring Queuing (MONQ).

Comments: Related comments (optional).

Deleting a monitoring queue

Select the line of the monitoring queue to be deleted and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.

Priority queue

There are 7 levels of priority. Packets are treated according to the configured priorities.

High priority can be assigned to DNS queries by creating a filter rule and associating it with a PRIQ.

Priority queuing gives certain packets priority during their treatment. This means that packets associated with a PRIQ filter rule will be treated before other packets.

The scale of priorities ranges from 0 to 7. Priority 0 corresponds to traffic with the highest priority among PRIQ queues. Priority 7 corresponds to traffic with the lowest priority among PRIQ queues.

Traffic without QoS rules will be treated before any other PRIQ or CBQ queues.

Configuration options for PRIQ queues are as follows:

Adding a priority queue

To add a priority queue:

  1. Click the Add button.
  2. Select Priority Queuing (PRIQ).
    A window appears, allowing you to configure the various properties of the queue: Name, Type, Priority, Comments.

Details of the properties of a Priority Queuing (PRIQ) queue are described below.

Modifying a priority queue

The table displays the various queues that have been configured. Clicking on Check usage allows you to check whether these queues are being used in a filter rule. If this is the case, a menu will appear in the browser bar, showing the rules.

Name: Name of the queue to be configured.

Type: Priority-based queues are indicated as Priority Queuing (PRIQ).

Priority: Defines the priority level of the traffic assigned to the queue. The cells in this column can only be edited for PRIQs. A value from 0 (highest priority) to 7 (lowest priority) can be selected.

Comments: Related comments (optional).

Deleting a priority queue

Select the relevant line in the table of priority queues and click on Delete. A message will appear asking you to confirm that you wish to delete the queue.

Available queues

At the end of the queue table, the available number of queues will be indicated for a given firewall model. These values are as follows:

SN160(W), SN210(W), SN310 EVA1, EVA2, EVA3, EVA4, EVAU (16G)
SN-S-Series-220, SN-S-Series-320
SN510, SN-M-Series-520
SN710, SN-M-Series-720
SN910, SN-M-Series-920
SN1100
SNi20
SNi40
EVAU (32G), EVAU (64G)
SN2000, SN2100
SN3000, SN3100
SN6000, SN6100
20 100 255