Sophos Firewall: How to Configure QoS and understanding the conceptual difference between the shared and individual

 Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

The purpose of the Recommended Read is to instruct on how to configure QOS to limit user bandwidth.

Topology

Configuration 1: Rule Base

Step1: Trafic-Shaping Policy

 To limit the bandwidth to 10 Mbps, go to CONFIGURE > System services > Traffic Shaping
             


Step2: Firewall rule
            Go to PROTECT > Rules and policies> Add.



Step3:Testing of Results

Go to web browser and test on any speed test site (ex. https://www.speedtest.net/)

Configuration 2: User Base

Step1: Creating User Base

Here we’re using clientless users. Go to CONFIGURE > Authentication > Clientless users


Step2: Traffic Shaping Policy

Under Traffic> Policy association, Click Users Radio button.


Step3: Enabling User's Policy

Under the Firewall rules > Other security features. Select the policy created.





Step4: Results

Conceptual Difference between the Shared and Individual

Example for Individual concept:

#
4 users
1 firewall rule
1QOS 1mbps individual
each wil get 256

#
Same for 2 firewall rules
2 users each rule
1QOS 1mbps individual
Each will get 512

#
Now 4 rules for 4 users
1 user each firewall rule.
each will get 1MBPS

Example for Shared concept:

#
4 users
1 firewall rule
1QOS 1mbps Shared

#
Same for 2 firewall rules
2 users each rule total of 4 users
1QOS 1mbps shared
Each will get 256

#
Now 4 rules for 4 users
1 user each firewall rule.
each will get 256

Individual - multiplying factor.
Shared - Within that QOS range.

Note - To illustrate the conceptual difference between the two options, we used 1 Mbps as an example.
To convert Mbps to KB/s, there is a link - https://www.gbmb.org/mbps-to-kbs

I hope this article has helped you achieve your requirement and clarified your doubts!



Revamp of RR
[edited by: Erick Jan at 3:36 AM (GMT -8) on 31 Jan 2023]
  • Hello!

    Is there any way to disable User-based QoS for a certain Firewall rule? User-based QoS policies are applied to all Firewall rule that have the user, including LAN to LAN traffic.

    As an example: If you create a custom QoS policy for a certain user directly for LAN to WAN traffic, all other Firewall rules that have the same user as authentication will also fall to the same QoS policy.

    Because of this, if you have a 10 Mbit/s QoS policy for WAN, even the internal LAN to LAN traffic that doesn't need any QoS will also be limited to 10 Mbit/s

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Hey  ,

    Thank you for such an interesting query, well I did check in my labs be it LAN to LAN OR LAN to VPN...etc.. If the User-based QoS is applied the user's bandwidth will be still me limited to 10 Mbit/s. So As of now this a limitation and we can not disable User-based QoS for a certain firewall rule. This can be raised as a FR or submit as a feedback from the product itself. 

    A workaround would be to create a MAC/IP base rule that prioritizes bandwidth usage.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.