FloodGate-1
Selecting a Quality of Service Solution
FloodGate-1® can be implemented standalone, but is typically deployed as an integrated component of Check Point's VPN-1® product family. Quality of Service (QoS) is a requirement for any VPN deployment where performance is important or where there is the possibility of congestion on the local access link. Optimal performance for mission critical VPN traffic can be ensured when FloodGate-1, VPN-1 and FireWall-1® are deployed on the same device.
FloodGate-1 also maintains sessions for most protocols during failover. In addition, FloodGate-1 maintains priority for these protocols. FloodGate-1 does this by tracking state information and associating it with the session in progress.
The Value of Security Integration
Because standalone QoS devices suffer from challenges that relate to the placement of the QoS device relative to the VPN/Firewall, integrated solutions are the only option for secure network environments.
Limitations of Standalone QoS Devices
If a dedicated QoS device is positioned on the WAN side of the VPN/Firewall device, it cannot effectively classify traffic for several reasons. First, the QoS device cannot classify traffic based on information in the IP header, because the information is encrypted. Second, the device cannot classify traffic destined for specific users or servers. This is because the device relies on the destination IP address to classify such traffic, but NAT sends inbound traffic to the firewall's IP address. Third, the QoS device is unprotected by the firewall device, and therefore can be subject to Denial of Service attacks.
If a dedicated QoS device is positioned on the LAN side of the VPN/Firewall device, bandwidth-management decisions are inaccurate and less effective, because VPN overhead causes the actual traffic load to grow beyond link capacity. Furthermore, the device cannot account for traffic flowing to and from the DMZ.
FloodGate-1/VPN-1 solutions solve these problems by integrating QoS, VPN and firewall functionality on the same device. Shared access to IP header, encryption, NAT, and DMZ information enables FloodGate-1 to account for all relevant information in its control algorithm.