Quote how blocking works

Hello Gib GoDesk ,

Thanks for reaching out to Sophos Community

For surfing quota to take effect you must apply it to users or groups: https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/SurfingQuotas/WebSurfingQuotaAdd/index.html

And firewall rule should have user-based rule

So to answer, it is not "regardless of firewall rule" It's what the first user-based rule will the traffic hit on the policy precedence. 

Then if user/group hit "Maximum amount time - in Hours and minutes" traffic will be disconnected even if the Validity* period - in days is not yet expired.

Hope this helps. Have a nice day and thank you for choosing Sophos. 

Cheers,

Thank you Raphael. By the answer.

So the non-user, network-type rules won't be affected?

If I want to exclude an accounting rule, do I use this option? support.sophos.com/.../KB-000035941

I understand this option that it will not do the math, but it will still block it when it reaches the quota. Am I right?

Can I in a user rule apply a do not block exception when the account is reached?

Hi Gib,

So the non-user, network-type rules won't be affected?

• Yes, this will only apply to the match known user you've applied in the FW Rule.

If I want to exclude an accounting rule, do I use this option? support.sophos.com/.../KB-000035941

• Yes, you may follow the KB or you may create a FW Rule without a quota

I understand this option that it will not do the math, but it will still block it when it reaches the quota. Am I right?

• What do you mean that it won’t do the math? Once it reaches the quota, yes, this won’t allow any more access.

Can I in a user rule apply a do not block exception when the account is reached?

• Would you be so kind as to elaborate more?  What do you mean by account is reached? 
• Do you mean that once the user reaches the quota, you want to allow it again by making an exception?

Eric, thank you so much for the responses. I will try to improve the explanation, on the topics:

Q: I understand this option that it won't do the math, but it will still block you when you reach the quota. Am I right?

A: What do you mean you won't do the math? When it reaches the quota, yes, this will no longer allow access.

Q: Can I in a user rule apply a do not block exception when the account is hit?

A: Would you be so kind as to elaborate further? What do you mean account is achieved?
You mean once the user reaches the quota you want to allow it again by throwing an exception?

Let me explain a scenario:

One user in two groups, group 1 has no quota, group 2 has 1G data quota.

In user-based firewall rule. The rule that applies to group 1 is marked with the option "Exclude this user activity from data accounting."

Another firewall rule that applies to group 2 and has data quota.

Both rules are for internet. Access origins are different subnets. Network 192.168.1.0/24 and Network 192.168.2.0/24

What would happen when the data count is reached?

Option A - Would not access the internet in both user based rules
Option B - I would not access the internet due to the rule that applies to group 2.

Why my doubt? I have one of my internet data allowances (high speed - 100Mbps) and another an MPLS link (low speed - 10Mbps). Then the desktop network data will go out through the MPLS network and the other mobile device network would go out through the franked link.

For the more consumerist users not to affect the consumption of the other, the use of the quota will be necessary. However, I need to evaluate whether it will paralyze the use of the internet on the desktop network.


Thank you in advance for your kindness

Hi Gib,

To verify if the following Setup is correct

UserA will join 2 Different Firewall Rule

UserA in Rule 1 ( exception)  = Will not limit/block due to exception

UserA in Rule 2 ( Surfing quota)  = Will be blocked once quota is used

I would advise you to do a test policy using a test account to evaluate this setup further and not affect the production.

For policy testing, I would recommend doing a conntrack.

appears to work as expected. I took the tests this week. Thanks.

I have doubts about the network traffic quota cycle. I selected day. I think that every day from midnight he resets the quota, but I don't understand that. How does it work?

In testing, I logged in with the user yesterday (12/09) at 5pm and I was browsing and the user was only disconnected today (13/09). I understand that it should have been renewed. The panel says that tomorrow (14/09) the quota will be renewed. I'm very confused by these details.



Policy:

Hi Gib,

The cyclic is selected so users receive access for the amount of time specified at the start of each cycle. Once the specified time ends, users receive access again. Unused time does not carry over.

The cycle will start at the time of use and will have a duration of 24 hours(as configured). Once the quotas are all used up, this will be the start time for Renewal.

Hi Gib,

The cyclic is selected so users receive access for the amount of time specified at the start of each cycle. Once the specified time ends, users receive access again. Unused time does not carry over.

The cycle will start at the time of use and will have a duration of 24 hours(as configured). Once the quotas are all used up, this will be the start time for Renewal.

This excerpt from the text:
"The cyclic is selected so users receive access for the amount of time specified at the start of each cycle. Once the specified time ends, users receive access again. Unused time does not carry over."

The beginning of the cycle begins when the user logs in for the first time. If the user accesses at 10am today, will his cycle end at 10am the next day?

This excerpt from the text:
"The cycle will start at the time of use and will have a duration of 24 hours(as configured). Once the quotas are all used up, this will be the start time for Renewal."

Here I got confused. When the quota value is reached, does the renewal begin at that time? Example: User logged in at 10am today and was sold out at 12pm. Does he have to wait until 12pm the next day?

Hi Gib,

When the user logs in at 10 AM, and then uses all of the quota at 12 PM, then it’ll renew after 24 hours from 12 PM.

Thanks for clearing my doubt.

Hi Gib,

Glad to be a help, and have a great day.