Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 40 subscribers
  • Views 2906 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Any way to tell if/when Traffic Shaping is working?

Wayne Folta

I've finally gotten around to trying traffic shaping for applications. (I've previously done shaping for firewall rules, to prioritize a VOIP subnet.) One big question: how do I know my application-based (or really any) traffic shaping configuration is actually doing something?

For example, I believe I've reserved bandwidth for Teams and Zoom calls, but how do I know when it's working? What if Sophos Applications classification gets Teams wrong, or what if I accidentally adjust shaping for Glip and not Ring Central, or what if I adjust shaping for Ring Central's video but not for its VOIP (I use the latter, not the former)?

I haven't found anything in the GUI, though I do have to say that the traffic shaping is a bit disjoint in the GUI. There might be a CLI command, and at a minimum all I need is to be able to run something while a Zoom video call or a Ring Central VOIP call is running to make sure there actually is reserved bandwidth for Zoom.

(To be honest, an overall buffer/queue throughput/backup kind of command or display might be pretty cool. I assume I could pull my specific question from that.)



This thread was automatically locked due to age.
  • 0

    Update: I've found some commands that begin to address this in Advanced Shell. But it's way complicated -- perhaps because of how traffic is handed off to/From XStream, etc -- and so I can't really tell at this point.

  • +1

    Hello Wayne,

    Thank you for contacting the Sophos Community.

    You would need to run a conntrack - E | grep

    Then you can see in the following 3 flags:

    bwid=20 upclass=2:9 dnclass=2:9

    bwid = 0 means no traffic shaping policy has been applied

    bwid = 20 means that traffic shaping police 20 has been applied

    Run the following command to know the BW policy ID 20

    psql -U nobody -d corporate -c "select * from tblbandwidthpolicy where policyid=20;"

    The easy would be to run this conntrack:

    conntrack -L | grep "bwid=0" | grep

    Just add the IP after the last GREP for the IP you want to know

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Perfect. So run the pqsl (no WHERE clause, though) to find the policy's of the rules, then "conntrack -E | grep "bwid=21" where 21 is my rule's ID. The restriction type's from the psql-retrieved rules appear to be User (2), Rule (3) and App (15).

    Which I think will show 

    I'd been poking around with the "tc" command, which may be involved somehow, but doesn't put the pieces together.

  • 0 in reply to Wayne Folta

    I'm seeing some strange results, in particular with trying to Guarantee bandwidth for Youtube. I'll have to capture screen shots, but last night I was seeing Youtube in Love Connections and when I hovered over the Application ID it mentioned my Guarantee, but the actual Traffic Shaping column had a dash. Which seems to echo what I'm (not) finding with the conntrack.

    Youtube is doing QUIC (App on AppleTV) and when I kill QUIC there's no video, so maybe there's a kind of split thing going on and something's confused between actual HTTPS (port 443 TCP) and Google QUIC (port 443 UDP). So maybe not the best test case.

    I can clearly see, following your instructions, a rule-based Guarantee for my VOIP VLAN. Just having potential issues with Application-based Guarantees. (I'll have to check Teams/Zoom, who I don't think do the QUIC shenanigans.)

  • 0 in reply to Wayne Folta

    OK, finally figured it out. I had attached a Guarantee to the applications, but you then need to add that as a rule in an App Control Policy for a Firewall Rule. (Which in my case meant creating a new Policy instead of using Sophos-premade policy. (Included one rule from their premade, plus the application control.)

Unfiltered HTML