Has anyone had problems applying traffic shaping to limit bandwidth?

Hi all,

After installing a Sophos XG at a customer site, users occasionally report that the internet line locks up. Monitoring showed excessive bandwidth use by some PCs saturating the line (the traffic type was Microsoft Windows Update, it seems).

We tried to put some limitations in place with a traffic shaping policy. We created a clientless host for each PC and applied a traffic policy to limit the bandwidth for each host.

But it seems that the bandwidth continues to be saturated at random by some hosts, and it seems that the traffic shaping policy is not applied.

Has anyone already had this type of problem?

thanks,



  • Hi Bruno,

    Please explain, which traffic shaping policy have you configured? Can you please post the screenshots so that I can look at the configurations.

    Thanks

  • Hi,

    The problem was in Windows Update. If I drop Windows Update DNS, the bandwidth usage is normal. Seems policy doesn't match policy. This is the screenshot before and after:

    I have applied drop after 11.00 AM. 

    So, firstly I configured a clientless policy for all IPs in the subnet:

    This policy doesn't work for all clientless users. One or two clients saturate network traffic (see previous screenshot).

    Now I have inserted this rule:

    I have also tried to add a traffic shaping policy to this rule, but it seems not to work. This is the policy that I tried to apply to this "drop rule":

    This is the Traffic Shaping policy Settings:

    It seems that some Windows 10 clients and some services don't match the policy. I tested the configuration with a virtual machine running Windows 10. I tried to download updates and to download a file with FTP, and in this case all the traffic shaping policies work.

    thanks,

  • I have the same problem, we have tried this:

    Set bandwidth of connection correctly.

    Create category limit policy of 2Mbps (256KBps) and apply as shared limit to web categories Information Technology and ~Updates

    Create application limit policy of 1Mbps (125KBps) and apply as a shared limit to appropriate applications

    Tick both boxes on policy to apply web category and application bandwidth controls

    Most gets controlled but some seem to get through even though they are identified correctly and bandwidth saturation occurs. Also we have only about 20% of the disk in use even though we have enabled caching.

    We are running MR1 at the moment on these firewalls.

    Cheers,

    Charles

  • Hi Bruno,

    Please find the link to configure Traffic Shaping on User(s).

    https://community.sophos.com/kb/en-US/123061

    If you have client-less User(s) on XG, you need to apply the QoS on the identity-based Firewall Rule. PFA screenshot:

    This Firewall Rule should have action as "Accept" not "Drop".

    Next configure a User based Traffic Shaping policy as:

    The above configured policy should be selected in the Clientless User group. Navigate through:

    • Objects
    • Identity
    • Groups

    Hope that helps :)

    Thanks

  • Hi,

    Yes, when we tried to limit bandwidth with the user clientless Traffic Shaping Policy, we had the policy in the group of clientless users and enabled identity on the rule.

    From Log Viewer, users match rule 14 when they saturate traffic. (In fact, on my test VM traffic was cut properly, also for Windows Update.) But since the policy doesn't cut traffic, we have decided to drop this type of traffic to allow users to work.

    Maybe it is a bug?

    thanks for support,

  • Hi Bruno,

    If the user matches Rule:14, it means the traffic is forwarded through this rule and as traffic shaping is not applied here, bandwidth is not restricted. Try creating a Rule based Traffic Shaping policy and apply it on Rule:14.

    Please go through the links to restrict bandwidth for a particular application signature or host.

    https://community.sophos.com/kb/en-US/123062

    community.sophos.com/.../123059

    Hope that helps:)

    Thanks

  • Hi,

    But is the traffic shaping policy applied by the policy on the clientless user or not?

    I have already tried to modify rule 3 with this configuration (in this case rule 3 is accept):

    Also in this case users match the rule policy but traffic is not cut. This is the policy:

  • Hi Bruno,

    In the 1st screenshot, 'Match rule based on user identity' option is ON inside the FW Rule wherein the traffic shaping policy is configured.

    Thanks

  • Hi Sachin,

    OK. I will recap the situation to make the configuration clearer:

    • At first we created a Traffic Shaping Policy to cut bandwidth to 2 Mb/s. We created a "clientless user" for every PC on the subnet. After that we created a rule to match identity and applied the TS Policy to the clientless users. In this configuration all clients match this rule, but we noticed that Windows updates saturate the bandwidth. So we tried to test this policy with a new Windows 10 VM. We tried to download updates and the TS Policy was applied correctly.
    • The second time we deleted all previous TS policies. After that we created a new rule with all Windows Update FQDNs as destination. Clients match this rule. We created a policy with a limit of 1 Mb/s and applied this policy to the rule. The result is the same. Some clients saturate the bandwidth. And the traffic that saturates the bandwidth is always Windows Updates.

    Hope I was clear.

    thanks for the support,

    best regards,

  • Has anyone solved this?

    Because I'm on 16.01.2 and the problem still exists!!!

    I have a firewall rule based on user identity (so in 16.x traffic shaping is not applicable on the firewall rule but will use User rule).

    I have put the traffic shaping on the user group.

    For most of the users it works, but for some random Windows 10 clients, only with Windows Update/Office update, the traffic shaping is ignored and they saturate all my bandwidth...

    I repeat, only Windows 10 and Windows Update (download or share updates).

    This is a real bug.