Application control QoS rules stop working till reboot

Hi, I have a firewall policy for clientless users that applies QoS to each user, but at the same time I have a policy to throttle YouTube traffic. The problem is that everything works correctly for about 24 hours and then, when I wake up in the morning, the application control part has stopped working. Disabling/enabling the firewall policy doesn't help. If I reboot the firewall, everything works again.

The firewall keeps categorizing the apps correctly, so that is not the problem. How can I restart the QoS daemon without restarting XG?

Here is the firewall policy

Here is when the QoS is working correctly with traffic shaping policy 25 (application control)

This is when it stops working and defaults to the user based QoS policy

Any hints?

Regards
Bill



This thread was automatically locked due to age.
  • Bill,

    are you experiencing this issue only for clientless users? As far as I know, clientless users are automatically re-logged in every 24 hours, so that can be the issue. In the latest version, if clientless users are disconnected manually by the administrators, they will not reconnect automatically.

    Let's see if sachingurungu has any tips for this issue. It could even be a bug!

    Thanks Bill.

  • Luk, to be honest, I really haven't figured out the best way to write firewall rules for users yet. I am still testing XG in the lab with a little added traffic from my home network. I want to classify users when they are using cell phones etc., but I really don't want them to authenticate, so I use clientless users. I know that Sophos thinks the clientless users category is only suitable for printers or other static dumb devices, but I don't want my home users to authenticate and I still want their traffic classified. Do you have any suggestions on creating users where they don't have to authenticate by logging in?

    As far as the QoS issue goes, I haven't tested it with anything but clientless users, so your assessment may be correct.

    Regards

    Bill

  • Bill,

    clientless users are the right method for you if you want to have reporting per user and not per device/IP. Maybe you found a bug with the Traffic Shaping.

    All other options need a client to pass the authentication (Captive Portal or LDAP/SSO/RADIUS) and are not the best choice for home/mobile.

    I will apply an application QoS policy on my clientless user and let you know if I have the same issue tomorrow.

    Thanks


  • Bill,

    the other option could be MAC binding: https://community.sophos.com/kb/en-us/123042

    but as you can see, MAC binding works only if an authentication agent is installed.

    Maybe they can improve this feature by binding a MAC address to users without requiring a client, by reading the MAC address from the firewall log and binding it to the user.

    A client agent is required if your users are behind a router where the original MAC addresses are not available but you still need to correctly identify users.

    Of course this is my point of view and I do not know how the client MAC binding works now.

  • I did play with the MAC binding a little, but when you create the user you have to specify a password, which leads me to believe that some kind of authentication would be required. The clientless users category is very powerful. I don't know why they want to restrict it to dumb devices. I have seen your other posts about clientless users in reporting etc. I really don't know why Sophos creates good features and then handicaps them by not fully utilizing their potential. We should be able to create an unlimited number of clientless users with the same name and different IP addresses/MAC addresses.

    The GUI makes certain things non-intuitive, so I may just go back to UTM9-style reporting by device and see how it works in XG. The problem I am having is that in UTM9, QoS rules are written just like firewall rules, so the order of the rules makes a difference. So you can write a QoS rule about streaming and then write a bunch of rules for devices, and the first streaming rule will apply to everyone first. In XG, since every firewall policy has its own QoS rule as well, you have to write your firewall policies to make sure your QoS policies and firewall policies are applied in the order that you think they are going to be applied. Almost like the problem you mentioned here: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80927/scheduled-time-and-web-policies---feature-request

    Regards

    Bill

  • As I wrote, MAC binding works only if an authentication agent is installed, so if you create a standard user, a password is required to authenticate the user inside the agent.

    I am sure what you have found is a bug. If QoS works for 24 hours, it should work for the next 24 and 24 and 24...

    XG has better management in terms of QoS, policy rules and the new Web Filtering module. After a while, you will appreciate these features more than UTM9 (I am still using it for big customers).

    I am sure that even clientless users will be improved with our suggestions!

  • Hi Bill,

    Now that is interesting: the user traffic holds policy ID 25 in the first screenshot, while the policy ID changes to 21 in the second screenshot. What I would really like to see here is a screenshot of the FW rules. Check #1 in the guide here and do a packet capture; let us know which FW rule forwards the clientless user traffic, one capture when the TS policy works as defined and the next capture for the time when the TS policy stops working and takes on policy ID 21. I want to check if the FW rule ID changes after 24 hours.

    Also check Note A in the guide. Make sure the clientless-user-based FW rule is at the top and explicitly defined for the clientless user.

    Thanks

  • Thanks for the feedback. As I said, I am testing XG in a lab, so I don't have any complicated rules; this is why the behavior is so curious.

    "Now that is interesting: the user traffic holds policy ID 25 in the first screenshot, while the policy ID changes to 21 in the second screenshot."

    Those are Traffic Shaping policy IDs and not firewall policies. Policy ID 21 is the user QoS policy, while policy ID 25 is the application QoS policy. If you look closely at the screenshots in my first post, QoS policy 21 is still being applied to traffic other than YouTube streaming. I only have one firewall allow rule, so a packet capture won't help. The second rule denies all traffic and is not relevant. Here are the firewall policies...

    Expanded view of the firewall policy

    User QoS rule, which appears as QoS policy 21...

    Application QoS policy to throttle ALL streaming media, which appears as policy 25

  • Hi,

    Yes, I know that they are TS policies and not FW rule policies. According to the technical architecture, the TS policy applied in the FW rule (i.e., policy ID 25) has a higher priority than ID 21. Hence, the traffic should not be shaped through policy 21, and a TS policy should not be defined in the clientless user object unless explicit TS has to be configured on individual users rather than defined globally via the FW rule. Please remove the TS policy from the user object.

    Thanks

  • Thanks for the response. Let me try to explain what I am trying to accomplish, and then maybe you can give me some pointers on how to do it. I will be the first to admit that XG is not very intuitive to me, and that is why I run into these problems.

    1. So, let's say I have a gigabit WAN link. I want each of my cell phone users throttled to 40 Mb/s. That is why I used clientless users with static IP addresses and applied user-based QoS (policy 21).

    2. I have noticed that my users are wasting resources by consuming all the bandwidth I have by streaming videos all day. So I apply an application policy (policy 25) to throttle streaming video in the firewall policy.

    Easy in UTM9, because QoS rules are applied in order: throttle video first and then throttle users... no problem. In XG, it works extremely well also: apply a TS policy to the user and then apply a TS policy to the firewall rule for the applications (at least that is how I see it). It works fine for 24 hours and then stops working in XG. Why? Should I be doing this differently?