Yuri Slobodyanyuk Blog on Information Security 2024年09月12日
Traffic shaping in Checkpoint the Linux way

This article discusses how to deal with a Checkpoint firewall that is hard to reach over an overloaded network connection, and with file transfers that consume all the available bandwidth, and introduces the Linux kernel's Quality of Service (QOS) tools and the related configuration.

💻Because the network connection is overloaded, accessing the Checkpoint firewall through SmartDashboard is nearly impossible, and there is no alternative means of access. In addition, downloading the large files produced by debugging over scp consumes all the bandwidth and slows down the client.

🛠Quality of Service (QOS) in the Linux kernel is the perfect tool for these problems; it can limit the bandwidth used with flexible filter criteria. The article only provides some ready-to-use configurations; for in-depth material see lartc.org/howto.

📄When downloading a large file from the firewall, the QOS tools can limit the traffic to a specific rate, e.g. limiting traffic to the management station to 300Kbit, with management IP 39.139.3.4. For any traffic other than to the management IP, the rate is limited to 30Kbit, while traffic to the management station is limited to 200Kbit.

❗Note that the Linux QOS described here acts on egress, so it can limit upload traffic from the firewall to the Internet. To limit heavy downloads, the same technique should be applied on the internal, LAN-facing interface.

Quite often I need to work on a Checkpoint firewall to which access in SmartDashboard is close to impossible because the internet connection to the firewall is overloaded and there is no out-of-band access alternative.
Other times a debug produces huge files (we are talking gigabytes here), and if I download such files from the firewall through scp as is, it will use up all the bandwidth of the line, causing slowness for the client.
For such and similar cases there is a perfect tool provided by the Linux kernel - Quality of Service (QOS), which allows us to limit the bandwidth used with very flexible filter criteria. QOS in Linux is a subject complicated and extensive enough not to be dealt with in a short post, so I just present some ready-to-use copy-paste configs for exactly these cases. For in-depth coverage see lartc.org/howto
And of course, if your firewall has the Floodguard license and feature installed (Checkpoint's implementation of Quality of Service), then you can achieve the same through rules in the QOS tab in SmartDashboard.

    Limiting myself - when downloading some huge file from the firewall I want to limit my traffic to some specific rate.
    Here:
    eth0 - outgoing interface;
    100Mbit - physical rate of the interface;
    300Kbit - rate limit I impose on traffic destined to my management station where I download the file;
    39.139.3.4 - my management IP.
tc qdisc add dev eth0 root handle 33: htb
tc class add dev eth0 parent 33: classid 33:10 htb rate 100mbit
tc class add dev eth0 parent 33:10 classid 33:200 htb rate 300Kbit
tc filter add dev eth0 parent 33: protocol ip prio 2 u32 match ip dst 39.139.3.4/32 flowid 33:200
    Line is overloaded and I can't connect with SmartDashboard but still have ssh access.
    Here:
    30Kbit - rate limit I impose on ANY traffic except to my management IP , see next rule;
    200Kbit - rate limit on traffic to my management station.
tc qdisc add dev eth0 root handle 33: htb
tc class add dev eth0 parent 33: classid 33:10 htb rate 100mbit
tc class add dev eth0 parent 33:10 classid 33:100 htb rate 30Kbit
tc filter add dev eth0 protocol ip parent 33:0 prio 5 u32 match ip dst any flowid 33:100
tc class add dev eth0 parent 33:10 classid 33:200 htb rate 200Kbit
tc filter add dev eth0 parent 33: protocol ip prio 2 u32 match ip dst 39.139.3.4/32 flowid 33:200
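The two recipes above, wrapped in a small POSIX sh script that I am adding here as an example; it is not from the original post and not Checkpoint's own tooling. It builds the tc commands for either case from arguments, checks that the management IP is a valid IPv4 address before anything is run as root, and adds the apply, verify and remove steps the post does not show. The function names, the print-only behaviour of tc_shape_cmds and the IPv4 check are my assumptions; the tc syntax, the 33: handle and the class ids are those of the post.

```shell
#!/bin/sh
# Added example (not from the original post): the two htb recipes as a
# parameterised generator plus apply / verify / remove helpers.
# Assumption: rates are given in tc's own syntax (100mbit, 300Kbit, ...).

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0
    old_ifs=$IFS; IFS=.
    for o in $1; do
        n=$((n + 1))
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Print (do not run) the tc commands for one egress shaping policy.
#   $1 interface      $2 physical rate of the interface
#   $3 management IP  $4 rate for traffic to the management IP
#   $5 (optional) rate for ALL other traffic; omit it for the "limit only myself" case
tc_shape_cmds() {
    iface=$1 phys=$2 mgmt_ip=$3 mgmt_rate=$4 other_rate=${5:-}
    if ! is_ipv4 "$mgmt_ip"; then
        echo "tc_shape_cmds: bad IPv4 address '$mgmt_ip'" >&2
        return 1
    fi
    # Root htb qdisc with one parent class at the physical rate. An htb class
    # given only "rate" gets ceil=rate, so each child below is a hard cap.
    echo "tc qdisc add dev $iface root handle 33: htb"
    echo "tc class add dev $iface parent 33: classid 33:10 htb rate $phys"
    # Class 33:200 carries traffic to the management station; prio 2 filters
    # are evaluated before prio 5 ones, so this rule wins for that address.
    echo "tc class add dev $iface parent 33:10 classid 33:200 htb rate $mgmt_rate"
    echo "tc filter add dev $iface parent 33: protocol ip prio 2 u32 match ip dst $mgmt_ip/32 flowid 33:200"
    if [ -n "$other_rate" ]; then
        # Class 33:100 catches every other IP packet leaving the interface.
        echo "tc class add dev $iface parent 33:10 classid 33:100 htb rate $other_rate"
        echo "tc filter add dev $iface parent 33: protocol ip prio 5 u32 match ip dst any flowid 33:100"
    fi
}

# Apply a policy (needs root). Any existing root qdisc on the interface is
# dropped first, so re-running with different rates is safe.
tc_shape_apply() {
    cmds=$(tc_shape_cmds "$@") || return 1
    tc qdisc del dev "$1" root 2>/dev/null
    printf '%s\n' "$cmds" | sh -e
}

# Per-class counters: the "Sent" line of 33:200 (or 33:100) must grow while
# the download runs; if it stays at zero the u32 filter did not match.
tc_shape_show() { tc -s class show dev "$1"; }

# Undo everything: deleting the root qdisc removes its classes and filters.
tc_shape_remove() { tc qdisc del dev "$1" root; }

# Example invocations (comments only, so sourcing this file changes nothing):
#   tc_shape_apply eth0 100mbit 39.139.3.4 300Kbit          # recipe 1
#   tc_shape_apply eth0 100mbit 39.139.3.4 200Kbit 30Kbit   # recipe 2
#   tc_shape_apply eth1 100mbit 39.139.3.4 300Kbit          # same policy, LAN-facing side
```

tc_shape_cmds only prints the commands, so they can be reviewed before tc_shape_apply runs them; running tc_shape_show during the transfer and watching the Sent counter of class 33:200 is the quickest way to confirm the filter matched rather than the traffic bypassing the class unshaped. Because htb shapes egress only, limiting a download means running the same policy on the LAN-facing interface, which here is just a different first argument.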

NOTE: QOS in Linux as presented here works on egress, i.e. it can limit traffic leaving the interface. The script above therefore limits what would be upload leaving the firewall towards the Internet. To limit some heavy download the same technique should be applied on the internal interface, the one facing the LAN. Usually, nevertheless, the moment you throttle the upload modern applications will detect it and slow down the download as well, but your mileage may vary.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
