When I make a firewall rule to limit streaming services like youtube and netflix my client pc's ignore the rule(wired and wireless).

 A few things I see.

1. You last image of firewall rules shows the WAN/WiFi as source for the "limit streaming" rule, but the screen shot of the rule itself shows LAN/WiFi as source. Just be sure that's correct because WAN/WiFi source won't touch things coming from LAN.
2. Firewall rules are processed top-down and the first rule to hit is used. Your "limit streaming" is shown last, which means LAN clients will hit rule 2 and never get to rule 4.
3. In your capture of the traffic shaping policy, you don't show that you selected the YouTube Video Streaming application, so we can only assume it was selected along with the other related YouTube stuff.

A quick thing to check would be the Live Connections tab of current activities while a client is streaming. Find the YouTube Video Streaming in the list of apps, click the underlined "total connections" count to bring up the details and it will show you which firewall rule was applied to the traffic. If you can confirm it is hitting your "limit streaming" rule then we can dig down deeper.

Gary

 A few things I see.

1. You last image of firewall rules shows the WAN/WiFi as source for the "limit streaming" rule, but the screen shot of the rule itself shows LAN/WiFi as source. Just be sure that's correct because WAN/WiFi source won't touch things coming from LAN.
2. Firewall rules are processed top-down and the first rule to hit is used. Your "limit streaming" is shown last, which means LAN clients will hit rule 2 and never get to rule 4.
3. In your capture of the traffic shaping policy, you don't show that you selected the YouTube Video Streaming application, so we can only assume it was selected along with the other related YouTube stuff.

A quick thing to check would be the Live Connections tab of current activities while a client is streaming. Find the YouTube Video Streaming in the list of apps, click the underlined "total connections" count to bring up the details and it will show you which firewall rule was applied to the traffic. If you can confirm it is hitting your "limit streaming" rule then we can dig down deeper.

Gary

Hi Gary Parr,

When I make a rule that is before rule 2 i get this error message from my browser

to give you a rough discription (becasue it is in Dutch) my conncection is not protected.

it says that google has an invalid certificate.

Error code SEC_ERROR_UNKNOWN_ISSUER

So basicly i am not allowed to go on the internet if it is setup like this.

to go back on your point 3. i basicly selectedd everything with youtube in the name.

My guess is that the certificate error you are seeing is caused by a redirect to the captive portal. By default, XG uses SSL for the captive portal but the factory-installed SSL certificate is self-signed and not trusted. You can either replace the SSL certificate with a "real" one, import the Sophos CA so the self-signed becomes trusted, or you can disable HTTPS redirection for the captive portal. Other alternatives include removing the "known users" requirement for that rule or using a different authentication mechanism.

Oh, it could also mean you have enabled decryption and scanning of HTTPS which uses the same self-signed cert causing the same untrusted issues.

-Gary

Hi Gary,

I can go on the internet now but it still looks like my rule is getting ignored. maybe one of my setting is wrong?

-Cedric

Hi Cedric,

It looks like you may have accidentally removed "limit streaming" from your FW rule while you were testing other things. The screenshot you just attached shows "none" for Web Policy.

-Gary

Hi Gary,

After messing around in the firewall settings with your advice in mind I got it working propperly.

-Cedric