Traffic shaping in Checkpoint the Linux way


Quite often I need to work on a Checkpoint firewall to which access through SmartDashboard is close to impossible, because the Internet connection to the firewall is saturated and there is no out-of-band alternative.
Other times running a debug produces huge files (we are talking gigabytes here), and if I download such files from the firewall over scp as is, the transfer uses up all the bandwidth of the line and slows things down for the clients.
For such and similar cases the Linux kernel provides a perfect tool: Quality of Service (QoS), which lets us limit the bandwidth used, with very flexible filter criteria. QoS in Linux is a subject complicated and extensive enough not to be covered in a short post, so I just present some ready-to-use copy-paste configs for exactly this task. For in-depth coverage see lartc.org/howto
And of course, if your firewall has the Floodguard license and feature installed (the Checkpoint implementation of Quality of Service), you can achieve the same through rules in the QoS tab in SmartDashboard.

  1. Limiting myself - when downloading some huge file from the firewall I want to limit my traffic to a specific rate.
    Here:
    eth0 - outgoing interface;
    100Mbit - physical rate of the interface;
    300Kbit - rate limit I impose on traffic destined to my management station, where I download the file to;
    39.139.3.4 - my management IP.
tc qdisc add dev eth0 root handle 33: htb
tc class add dev eth0 parent 33: classid 33:10 htb rate 100mbit
tc class add dev eth0 parent 33:10 classid 33:200 htb rate 300Kbit
tc filter add dev eth0 parent 33: protocol ip prio 2 u32 match ip dst 39.139.3.4/32 flowid 33:200
  2. The line is overloaded and I can't connect with SmartDashboard, but still have ssh access. Here:
    30Kbit - rate limit I impose on ANY traffic except traffic to my management IP, see the next rule;
    200Kbit - rate limit on traffic to my management station.
tc qdisc add dev eth0 root handle 33: htb
tc class add dev eth0 parent 33: classid 33:10 htb rate 100mbit
tc class add dev eth0 parent 33:10 classid 33:100 htb rate 30Kbit
tc filter add dev eth0 protocol ip parent 33:0 prio 5 u32 match ip dst any flowid 33:100
tc class add dev eth0 parent 33:10 classid 33:200 htb rate 200Kbit
tc filter add dev eth0 parent 33: protocol ip prio 2 u32 match ip dst 39.139.3.4/32 flowid 33:200

NOTE: QoS in Linux as presented here works on egress, i.e. it can only limit traffic leaving the interface. The script above therefore limits what the firewall uploads towards the Internet. To limit a heavy download, apply the same technique on the internal, LAN-facing interface. Usually, though, the moment you throttle the upload, modern applications detect it and slow down the download as well, but your mileage may vary.
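Both recipes above wrapped in one parameterised POSIX shell script, as an added example that is not code from the original post. The interface name, the management IP 39.139.3.4 and the rates are the post's own sample values; the function names (valid_ipv4, tc_cmd, shape_egress, unshape_egress, show_stats) are mine. Beyond the recipes it adds the two things you want in practice: a teardown (deleting the root qdisc removes every class and filter under it) and a check (tc -s class show) that the byte counters of class 33:200 actually grow while you download. By default the script only prints the tc commands (dry run); set DRY_RUN=0 and run it as root on the firewall to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the two tc recipes in a
# function. With DRY_RUN unset or 1 the commands are printed, not executed;
# DRY_RUN=0 executes them (needs root on the firewall).

# Validate a dotted-quad IPv4 address (format and octet range).
valid_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print or run one tc command, depending on DRY_RUN.
tc_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

# shape_egress IFACE LINK_RATE MGMT_IP MGMT_RATE [DEFAULT_RATE]
# Builds the HTB tree from the post: class 33:200 for traffic to the
# management station (recipe 1). If DEFAULT_RATE is given, a catch-all
# class 33:100 throttles everything else (recipe 2); without it,
# unmatched traffic is left unshaped.
shape_egress() {
    iface=$1; link_rate=$2; mgmt_ip=$3; mgmt_rate=$4; default_rate=$5
    valid_ipv4 "$mgmt_ip" || { echo "bad management IP: $mgmt_ip" >&2; return 1; }
    # Clear any root qdisc left by a previous run, otherwise the add below
    # fails with "RTNETLINK answers: File exists".
    tc_cmd qdisc del dev "$iface" root 2>/dev/null || true
    tc_cmd qdisc add dev "$iface" root handle 33: htb
    tc_cmd class add dev "$iface" parent 33: classid 33:10 htb rate "$link_rate"
    if [ -n "$default_rate" ]; then
        tc_cmd class add dev "$iface" parent 33:10 classid 33:100 htb rate "$default_rate"
        # prio 5 is evaluated after the prio 2 management filter, so this
        # only catches what the management filter did not.
        tc_cmd filter add dev "$iface" parent 33: protocol ip prio 5 u32 match ip dst any flowid 33:100
    fi
    tc_cmd class add dev "$iface" parent 33:10 classid 33:200 htb rate "$mgmt_rate"
    tc_cmd filter add dev "$iface" parent 33: protocol ip prio 2 u32 match ip dst "$mgmt_ip/32" flowid 33:200
}

# Undo: removing the root qdisc drops all classes and filters under it.
unshape_egress() {
    tc_cmd qdisc del dev "$1" root 2>/dev/null || true
}

# Verify: per-class byte/packet counters; 33:200 should grow during the download.
show_stats() {
    tc_cmd -s class show dev "$1"
}

# Sample invocation with the post's values (recipe 2); prints the commands.
shape_egress eth0 100mbit 39.139.3.4 200Kbit 30Kbit
```

To shape a heavy download instead of an upload, call shape_egress with the internal, LAN-facing interface as the first argument, since the rules are applied on egress of whatever interface you name. Run show_stats before and during the transfer: if the "Sent" bytes of class 33:200 do not change, the filter is not matching and the traffic is taking the unshaped path.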

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.