

Any way to tell if/when Traffic Shaping is working?

I've finally gotten around to trying traffic shaping for applications. (I've previously done shaping for firewall rules, to prioritize a VOIP subnet.) One big question: how do I know my application-based (or really any) traffic shaping configuration is actually doing something?

For example, I believe I've reserved bandwidth for Teams and Zoom calls, but how do I know when it's working? What if Sophos Applications classification gets Teams wrong, or what if I accidentally adjust shaping for Glip and not Ring Central, or what if I adjust shaping for Ring Central's video but not for its VOIP (I use the latter, not the former)?

I haven't found anything in the GUI, though I do have to say that the traffic shaping is a bit disjoint in the GUI. There might be a CLI command, and at a minimum all I need is to be able to run something while a Zoom video call or a Ring Central VOIP call is running to make sure there actually is reserved bandwidth for Zoom.

(To be honest, an overall buffer/queue throughput/backup kind of command or display might be pretty cool. I assume I could pull my specific question from that.)



  • Update: I've found some commands that begin to address this in Advanced Shell. But it's way complicated -- perhaps because of how traffic is handed off to/from XStream, etc -- and so I can't really tell at this point.

  • Hello Wayne,

    Thank you for contacting the Sophos Community.

    You would need to run a conntrack -E | grep

    Then you can see in the following 3 flags:

    bwid=20 upclass=2:9 dnclass=2:9 

    bwid = 0 means no traffic shaping policy has been applied

    bwid = 20 means that traffic shaping policy 20 has been applied

    Run the following command to know the BW policy ID 20

    psql -U nobody -d corporate -c "select * from tblbandwidthpolicy where policyid=20;"

    The easy way would be to run this conntrack:

    conntrack -L | grep "bwid=0" | grep

    Just add the IP after the last GREP for the IP you want to know

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
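To make the conntrack check from the reply above repeatable, here is a small POSIX shell helper (an added example, not code from the thread or from Sophos). It filters conntrack output for one IP, pulls out the bwid field the reply describes (0 = no shaping policy applied, otherwise the policy ID), counts unshaped flows, and lists the distinct policy IDs so they can be looked up with the psql query in the reply. The conntrack lines embedded in the script are constructed for an offline run; their field layout is modelled on the bwid/upclass/dnclass fields quoted in the reply, and the addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos: filter conntrack
# output for one IP and report the bwid field, which the reply says is 0 when
# no traffic shaping policy was applied and otherwise the policy ID.
# Live use:  conntrack -L | bwid_for_ip 10.0.10.20
# The SAMPLE below is constructed so the script also runs offline.

# Print one "bwid=<n>" line per conntrack entry whose src or dst is IP $1.
# Dots are escaped so they match literally; the trailing space in the pattern
# stops 10.0.10.2 from also matching 10.0.10.20.
bwid_for_ip() {
    ip=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "src=$ip |dst=$ip " | sed -n 's/.*\(bwid=[0-9][0-9]*\).*/\1/p'
}

# Number of flows for IP $1 that carry no shaping policy (bwid=0).
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps a
# caller's "set -e" from treating that as an error.
unshaped_count() {
    bwid_for_ip "$1" | grep -c '^bwid=0$' || true
}

# Distinct non-zero policy IDs seen for IP $1, one per line, ready for the
# psql lookup from the reply (... where policyid=<id>;).
policy_ids_for_ip() {
    bwid_for_ip "$1" | grep -v '^bwid=0$' | sed 's/^bwid=//' | sort -n | uniq
}

# Constructed sample conntrack lines (field layout modelled on the reply's
# bwid/upclass/dnclass fields; addresses and ports are made up).
SAMPLE='tcp 6 431999 ESTABLISHED src=10.0.10.20 dst=52.112.0.5 sport=50000 dport=443 src=52.112.0.5 dst=10.0.10.20 sport=443 dport=50000 [ASSURED] mark=0 use=1 bwid=20 upclass=2:9 dnclass=2:9
udp 17 30 src=10.0.10.20 dst=142.250.0.1 sport=51000 dport=443 src=142.250.0.1 dst=10.0.10.20 sport=443 dport=51000 mark=0 use=1 bwid=0 upclass=0:0 dnclass=0:0
tcp 6 120 ESTABLISHED src=10.0.10.21 dst=52.112.0.5 sport=50001 dport=443 src=52.112.0.5 dst=10.0.10.21 sport=443 dport=50001 [ASSURED] mark=0 use=1 bwid=21 upclass=2:10 dnclass=2:10
tcp 6 120 ESTABLISHED src=10.0.10.20 dst=52.112.0.6 sport=50002 dport=443 src=52.112.0.6 dst=10.0.10.20 sport=443 dport=50002 [ASSURED] mark=0 use=1 bwid=20 upclass=2:9 dnclass=2:9'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | bwid_for_ip 10.0.10.20
printf 'unshaped flows for 10.0.10.20: %s\n' "$(printf '%s\n' "$SAMPLE" | unshaped_count 10.0.10.20)"
printf 'policy ids for 10.0.10.20: %s\n' "$(printf '%s\n' "$SAMPLE" | policy_ids_for_ip 10.0.10.20 | tr '\n' ' ')"
```

On the sample, the flows for 10.0.10.20 report bwid=20, bwid=0 and bwid=20: two flows hit policy 20 and one (the UDP/443 flow) is unshaped, which is the kind of split the later posts describe for QUIC versus TCP traffic. For a real check, replace the sample with live output (conntrack -L for a snapshot, conntrack -E while a call is running) and note that the bwid values only tell you a policy matched, not how much bandwidth it delivered.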
  • Perfect. So run the psql (no WHERE clause, though) to find the policy IDs of the rules, then conntrack -E | grep "bwid=21" where 21 is my rule's ID. The restriction types from the psql-retrieved rules appear to be User (2), Rule (3) and App (15).

    Which I think will show 

    I'd been poking around with the "tc" command, which may be involved somehow, but doesn't put the pieces together.

  • I'm seeing some strange results, in particular with trying to Guarantee bandwidth for Youtube. I'll have to capture screen shots, but last night I was seeing Youtube in Live Connections and when I hovered over the Application ID it mentioned my Guarantee, but the actual Traffic Shaping column had a dash. Which seems to echo what I'm (not) finding with the conntrack.

    Youtube is doing QUIC (App on AppleTV) and when I kill QUIC there's no video, so maybe there's a kind of split thing going on and something's confused between actual HTTPS (port 443 TCP) and Google QUIC (port 443 UDP). So maybe not the best test case.

    I can clearly see, following your instructions, a rule-based Guarantee for my VOIP VLAN. Just having potential issues with Application-based Guarantees. (I'll have to check Teams/Zoom, which I don't think do the QUIC shenanigans.)

  • OK, finally figured it out. I had attached a Guarantee to the applications, but you then need to add that as a rule in an App Control Policy for a Firewall Rule. (Which in my case meant creating a new Policy instead of using a Sophos-premade policy. Included one rule from their premade, plus the application control.)