Dear SOPHOS Team and everyone,
I would like to configure the QoS feature. I did it. But when I enable the Web Filtering feature, the QoS policy cannot work. Please help me.
Thanks,
Bandwidth Pools act only on traffic leaving an interface, so the Pool I suggested would guarantee bandwidth to the response traffic leaving your servers.
Cheers - Bob
BAlfson said: As I suggested above, use 'Internet -> HTTP Response -> External (Address)' as the Traffic Selector in your Download Throttling rule instead of 'Any -> Any -> {Internal users network group}'.
Cheers - Bob
Thank you, Bob. This works great.
You also mentioned above to apply a QoS rule for bandwidth pool with https response. Is this to guarantee the upload or download speed?
Thanks!
As I suggested above, use 'Internet -> HTTP Response -> External (Address)' as the Traffic Selector in your Download Throttling rule instead of 'Any -> Any -> {Internal users network group}'.
Cheers - Bob
Louis-M said: I'm just wondering if you are thinking about this in the opposite way, i.e. you are trying to throttle the web users instead of guaranteeing the web server x amount of bandwidth?
I've not tried it but in there under bandwidth pools, it states that it should work like that.
Hi Louis,
Bandwidth pool is actually for guaranteeing upload speed, not download.
I'm just wondering if you are thinking about this in the opposite way, i.e. you are trying to throttle the web users instead of guaranteeing the web server x amount of bandwidth?
https://community.sophos.com/kb/en-us/115020
I've not tried it but in there under bandwidth pools, it states that it should work like that.
BAlfson said: Quang, please be more specific about what traffic you want to prefer, whether it's request traffic or response traffic, where the web server is and where the users are relative to the UTM.
Cheers - Bob
Hi Bob,
Sorry for the confusion and unclear description. Let's just take the web servers out of the equation here. Let me explain what I want to achieve:
I want to limit my internal users from all internet downloads activities to, let's say, 20mbps.
Right now, I'm doing this by creating a traffic selector as such:
Source: Any
Service: Any
Destination: Internal users network group
I then create a throttle rule on the external (WAN) interface with the above traffic selector.
With this QoS rule, all internet download activities in my internal network are limited to 20mbps, and this is exactly what I want. However, this only works without web filtering applied to the Internal users network group.
I do understand that according to the rulz #2, proxy traffic (web filtering) gets processed first, hence the QoS rule I have above is ignored.
Now, can I still achieve my goal above with web filtering also applied?
Let me describe the situation in my own words to see if I understand. You have a group of web servers that are used by people out on the Internet. Your users sometimes fill your pipe with downloads and that interrupts the inbound web requests from the Internet. You want to throttle the downloads requested by your users, but not the inbound requests from the Internet. Correct?
Do the web servers also have outbound requests that result in large inbound responses? If so, could these be configured to occur when your users are not present?
My idea is to use, for example "HTTP Response" = 80→1:65535 and "HTTP" = 1:65535 → 80. Then, use a Download Throttling rule on the External interface to limit "HTTP Response" from "Internet" to "External (Address)" instead of to the server VLAN. Also, on the External interface, place a Bandwidth Pool guaranteeing preference to "HTTP Response" traffic.
Cheers - Bob
BAlfson said: Quang, please be more specific about what traffic you want to prefer, whether it's request traffic or response traffic, where the web server is and where the users are relative to the UTM.
Cheers - Bob
Hi Bob,
My web server is hosted behind the UTM with DNAT.
I have a user vlan and a server vlan. The inter-vlan routing is handled by my L3 switch, which has nothing to do with the UTM. However, I'd like to throttle "Any" download traffic to my user vlan to a certain bandwidth. In other words, I don't want users from the user vlan to saturate my total allowed bandwidth.
I created a traffic selector like this: Source=Any Service=Any Destination=user vlan
I then create a throttling rule on my external interface and throttle the speed for the traffic selector created above. This works fine with no issues ONLY if the user vlan is not in the Allowed Networks under web filtering.
Quang, please be more specific about what traffic you want to prefer, whether it's request traffic or response traffic, where the web server is and where the users are relative to the UTM.
Cheers - Bob
Hi Louis,
Thank you for your input.
I tried the throttling with applications and it worked. However, in the traffic selector, you have to set Any to Any for it to work. You can't limit this to a certain network of your liking. I think this is because the UTM proxy does not retain the source IP address of the hosts. This is not good because I have a web server that I do not want to be affected by this throttling. The reason I wanted to throttle was so that I could reserve whatever bandwidth is left for my web server. Now, I have to decide whether web filtering or QoS is more important and use just one. If I end up selecting QoS, I will not continue with the web filtering subscription next year - it's a waste of money.