
Cannot apply QoS when Web Filtering is enabled?

Dear SOPHOS Team and everyone,

I would like to configure the QoS feature. I did it. But when I enable the Web Filtering feature, the QoS policy cannot work. Please help me.

Thanks,



  • Hi guys, I have the same problem on our UTM 550 cluster.

    We configured QoS, in particular "download throttling" for YouTube, and it works like a charm, but when I apply web filtering (full transparent mode) to just one computer to try (a very simple policy that sets a quota for streaming), suddenly the QoS is no longer applied to this computer (I checked the statistics from YouTube).

    I tried to apply the same "download throttling policy" not just to the WAN interface but also to the LAN, because when a computer uses the web proxy I can see its traffic on this interface and not on the WAN one, but nothing.

    I tried everything and every combination; could anyone help me?

    I will also contact my partner in order to open a ticket with Sophos, because it's really strange and disappointing behaviour.

    Thank you all

    Riccardo

  • Hi Riccardo,

    There were many reported problems in the past with Download Throttling. Try to solve your problem with Bandwidth pools on the LAN interface.

    community.sophos.com/.../147902
    community.sophos.com/.../60821
  • I have a similar problem, and I'm using bandwidth pools.

    I'm trying to throttle uploads to AWS which use port 443. After much fiddling, I have a bandwidth pool set up on the external interface and a traffic selector that selects for all traffic from a particular host. This doesn't apply the QoS until I explicitly put the host in the 'Skip Transparent Mode Source Host/Nets' in the Filtering Options/Misc page. Then the bandwidth pool gets applied.

    It seems if you are using Web Filtering, and you want to use Bandwidth Pools, you need to explicitly exclude the traffic or host from Web Filtering. If you don't do this, the QoS doesn't get applied (for web traffic, i.e. ports 80, 443, etc...).

    It's not a great solution, since I'd love to use QoS/Bandwidth Pools and Web Filtering for these hosts, but it just doesn't work.

    FYI - I'm using UTM 9.355-1.

  • Hi, Paulo, and welcome to the UTM Community!


    Please insert pictures of the 'Status' tab, your Traffic Selector and your Bandwidth Pools.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Looks good. Some suggestions:

    1. Disable the Internal interface on the Status tab.
    2. Edit the External interface on the Status tab:
      1. Deselect 'Download Equalizer'
      2. Do not select 'Limit uplink'

    Now try - any luck?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Nope. Same issue. The QoS Bandwidth Profile only gets applied if I specifically exclude the host in Web Protection / Filtering Options / Misc / Transparent Mode Skiplist / Skip Transparent Mode Source Hosts Nets.

    It's possibly due to the fact that AWS uses port 443, but then again, the web filtering is set to Transparent and HTTPS is set to URL filtering only.

    Like I said, I have a solution, it just doesn't make sense. I don't see why I need to exclude the host from Web Filtering for it to work, unless QoS and Web Filtering are mutually exclusive when it comes to web traffic on ports 80, 443 etc...

    I haven't tried it with other protocols. I may see if I can do an scp from the host to see if the QoS profile gets applied without specifying the exclusion.

  • Confirmed. If it's not a web port, the QoS bandwidth pool gets applied without having to exclude the host from web filtering. I did an scp of a large file and the bandwidth pool restrictions were applied no problem.

    So it seems web filtering gets in the way of Bandwidth Pools if the traffic you're trying to apply QoS to is web traffic, in which case the pool is bypassed unless you specifically exclude the host from the web filtering.

  • Use application control for throttling. A lot easier, and you don't have to worry about proxies. The only drawback is that they sometimes create a sub-category; like in the example below, speedtest.net has its own category, and you have to add it to throttle that particular website because http/s won't work (counter-intuitive, since http/s should cover all port 80/443 traffic, but whatever). Create rules as below and you should be fine.

    I know it's not as simple as ANY ANY throttle, but it works with the web proxy, and most of the time all you need to throttle is http/s traffic anyway. Hope this helps.

  • Yep, I tried application control originally, and only tried ANY ANY throttle because I thought it wasn't selecting for the AWS profile. Didn't work. I even created rules by selecting 'Shape' traffic from the Flow Monitor screens, where the UTM automatically creates the rules. It just plainly doesn't work for the AWS port 443 traffic unless I specifically exclude it from Web Filtering. I have successfully created both inbound and outbound bandwidth pools before (even for speedtest.net).

    Maybe it's a peculiarity of my setup, which doesn't seem that strange. I really don't understand why it's not working as it should. I also tried mapping the host to its own SNAT rule, thinking NAT could be getting in the way; it just doesn't seem to want to play. I can try every other type of traffic (by changing the selector), but for 443 traffic the profile just gets ignored.

    I think it's a bug, but I have a workaround, so it's OK for now. It may be a particularity of the specific host (it has a bonded interface, which may be causing some strange issues?) - I will try with another host.