Bandwidth meter for SD-WAN routes is unreliable.

Question

Hello! 
 At first, I don't know if this is a known bug for the Sophos team, since I couldn't find It on the "Known Issues List". 
 The bandwidth meter for the SD-WAN routes doesn't show the correct bandwidth that went through each route. This is only an interface issue, the routing itself works as expected. 
 As an example I've created two rules, one with FQDN's and another with Application Objects, both does the same thing which is send OneDrive traffic to a high bandwidth link. 
 After downloading >12GB of data, both meters are showing only some megabytes of data went through those rules, looking over the Firewall logs it shows otherwise. 
 
 Thanks!

Moheed Ahmad · Accepted Answer

Prism said: On the example above there's no need to use FQDN's or App objects, even with a "Any" destination you can replicate It. Prism said: If I download some data from OneDrive, which passes through either Route #5 or #3, the meter will only account the uploaded data from the client, the downloaded data which went to the same route isn't accounted to the meter. 
 That is correct. Only uploaded data from client will show up, as there is no reply direction SDWAN route configured and SFOS accounts SDWAN-route data direction wise. 
 Prism said: I've uploaded 2 GB of data to OneDrive and while checking the Logs, I saw all data went through Route #3, but even then the bandwidth that the meter showed didn't match the amount of traffic that went through. (Not even close.) 
 First connection from an app is routed using default wan link load balance. The application-based SD-WAN route applies to subsequent connections after Sophos Firewall learns the session details. 
 It seems in your case, appcache hasn't learned (or it had aged from appcache) about ip-addresses of onedrive's storage lakes. That's why missing accounting. Had it been subsequent uploads they should get accounted. 
 There is a nice documentation over here. 
 https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyRoutingUserApplication/ 
 
 Hope this clarifies your query. 
 
 HTH 
 Moheed

Moheed Ahmad · Answer

Hey Prism, 
 
 SDWAN-route and Firewall stats reported are not comparable apple-to-apple. Routing is per-packet operation and only captures those packets stats which passes thru it. Firewall rule works in stateful manner. All request and reply (client to server and server to client) fall under same firewall rule. 
 Having said that, it is quite possible for these two meters to report different reading. For example, if asymmetric routing is configured. or SDWAN routing is configured only request direction, SDWAN-route will account only for the upload stats as downloads might be following a different SDWAN route (or other routes). 
 Let us know if this is not the case in your observation. 
 
 HTH 
 Moheed

Bandwidth meter for SD-WAN routes is unreliable.

Top Replies