Application control QoS rules stop working till reboot

Hi, I have a firewall policy for clientless users that applies QoS to each user, but at the same time I have a policy to throttle YouTube traffic. The problem is that everything works correctly for about 24 hours, and then when I wake up in the morning, the application control part stops working. Disabling/enabling the firewall policy doesn't help. If I reboot the firewall, everything works again.

The firewall keeps categorizing the apps correctly so that is not the problem. How can I restart the QoS daemon without restarting XG?

Here is the firewall policy

Here is when the QoS is working correctly with traffic shaping policy 25 (application control)

This is when it stops working and defaults to the user based QoS policy

Any hints???

Regards
Bill



  • Hi Bill,

    Now that is interesting to see that the user traffic holds policy ID 25 in the first screenshot while the policy ID changes to 21 in the second screenshot. What I would really like to see here is a screenshot of the FW rules. Check #1 in the guide here and do a packet capture, and let us know which FW rule forwards the clientless user traffic; one capture when the TS policy works as defined and the next capture for the time when the TS policy stops working and takes on Policy ID 21. I want to check if the FW rule ID changes after 24 hours.

    Also check Note A in the guide. Make sure the Clientless user based FW rule is on the top and explicitly defined for the clientless user.

    Thanks

  • Thanks for the feedback. As I said, I am testing XG in a lab, so I don't have any complicated rules; this is why the behavior is so curious.

    Now that is interesting to see that the user traffic holds policy ID 25 in the first screenshot while the policy ID changes to 21 in the second screenshot.

    Those are Traffic Shaping policy IDs and not firewall policies. Policy ID 21 is the user QoS policy while Policy ID 25 is application QoS policy. If you look closely at the screenshots in my first post, QoS policy 21 is still being applied to traffic other than youtube streaming. I only have one firewall allow rule so packet capture won't help. The second rule denies all traffic and is not relevant. Here are the firewall policies...

    Expanded view of firewall policy


    User QoS rule, which appears as the Rule 21 QoS policy...

    Application QoS policy to throttle ALL streaming media, which appears as rule 25

  • Hi,

    Yes, I know that they are TS policies and not FW rule Policies. According to the technical architecture, TS policy applied in the FW rule i.e., policy ID 25 has a higher priority than ID 21. Hence, the traffic should not be shaped through policy 21 and should not be defined in the clientless user object unless explicit TS has to be configured on individual users; not defined globally via the FW rule. Please remove the TS policy from the User object.

    Thanks

  • Thanks for the response. Let me try to explain what I am trying to accomplish and then you can maybe give me some pointers on how to do it. I will be the first to admit that XG is not very intuitive to me and that is why I run into these problems.

    1. So, let's say I have a gigabit WAN link. I want each of my cell phone users throttled to 40mb/s. That is why I used clientless users with static IP addresses and applied user-based QoS (policy 21).

    2. I have noticed that my users are wasting resources by consuming all the bandwidth that I have by streaming videos all day. So I apply an application policy (policy 25) to throttle streaming video in the firewall policy.

    Easy in UTM9, because QoS rules are applied in order: throttle video first and then throttle users... no problem. In XG, it works extremely well also: apply a TS policy to the user and then apply a TS policy to the firewall rule for the applications (at least that is how I see it). It works fine for 24 hours and then stops working in XG. Why? Should I be doing this differently?

  • Bill,

    I configured the QoS yesterday and 24 hours have gone by. My QoS policy is still working on YouTube traffic for my clientless user. I have moved the policy rule to the top with only that clientless user.

  • Yeah, I think I have narrowed down the bug. I changed the application control settings like below.

    If you apply application control while allowing all applications, it keeps working. However, when application control is also applied at the same time, it stops working.

    Thanks for testing it out and appreciate all your help

    Regards

    Bill

  • Bill,

    I always prefer to create things as custom as possible. In my case I created a YouTube Application Filter and it worked.

    Thanks anyway for your testing too. This will help other users.

  • I had created a new application filter with the allow-all template. Then I was blocking Twitter and Apple OTA updates to see how XG was behaving. You are of course correct that allowing only what is needed is the best way to create policies.


    In any case, now that I know that the base functionality works, I may promote XG to my home firewall for internal clients. Still using UTM9 as the perimeter firewall for WAF and email.

    Thanks again , , and  for all the help you guys provide to the community. You guys are all great!

    Regards

    Bill
