I have a problem with a traffic shaping policy. I would like to limit the user's internet traffic, so I created a rule
for LAN to WAN and applied the lightly limited policy as traffic shaping.
The traffic in the direction of the LAN is shaped, but the traffic that goes from LAN to WAN is not shaped. How can
I get the shaping to work in both directions? Or is it because of the stateful firewall that the incoming traffic is not
checked against the rule?
Hi marco_47d, please refer to the article to apply user-based traffic shaping; it should work for LAN to WAN traffic as well. https://community.sophos.com/kb/en-us/123061
Keyur, Community Support Engineer | Sophos Support
It did not work for me. I created a new policy and limited it to 20 Mbit/s up/down. Only the
downstream limit was working.
Hi marco_47d, as per the screenshot, it seems that you have created a firewall rule-based traffic shaping policy. To apply it on the user profile, you are required to create a user-based traffic shaping policy. For testing purposes, please follow the steps below.
1. Create a source IP based firewall rule for LAN to WAN zone.
2. Position the rule on the top so that traffic will not pass from any other firewall rule.
3. Apply the same configuration as the current firewall rule where the user traffic is passing and verify the behavior.
Yes, it should be a rule-based policy and not user-based. We do not have user authentication on the firewall for the kind of traffic I want to shape.
I just created a rule for the users from the Wifi network to shape the traffic to the internet; my idea is that they should not use all the bandwidth for YouTube etc.
I am sure that the correct rule is used; I checked it in the log file, and it points to the rule that I use for internet traffic. I put all pictures in a PDF, I hope that's okay. The
share is from my German email provider; that should not be a problem.
My IP is 172.16.0.218 in the Wifi zone and I go to the WAN zone. In the log the traffic points to rule nr. 9.
My test again showed download speed 20 Mbit and upload 50 Mbit.
Hi marco_47d, the configuration seems to be correct. Can you please just verify the last step: when you check the packet capture in the GUI, please enable the packet capture >> Click on >> Show Additional Properties and select Application ID, and verify whether the same policy is applied or not. If you hover the mouse over it, it will give more details. If the traffic shaping policy is applied, the case requires further investigation and I would recommend contacting technical support and opening a service request.
Here is the output.
Hi marco_47d I request you to contact technical support and open a service request to investigate the issue further.
Okay, thank you, I will open a ticket.
This may be related to how the XG enforces the limit and where the measurement is taking place.
Website
  ^
  |  Not enforced. XG will download the file at full speed.
  v
XG
  ^
  |  Enforced. XG will deliver the file to the client at restricted speed.
  v
Client
Just dealing with downloads as an example here. When you put in a limit, the limit is not enforced at the XG to Website level. Therefore, from the perspective of the website, the download happens fast. But the delivery of the file to the client is at the limited speed. From the perspective of the client, the download is limited.
Let me give a fuller example. Let's say you have a WAN speed of 10MB/s and you are limiting the download speed to 1MB/s.
User clicks on a 20MB file.
XG downloads the 20MB at 10MB/s, taking 2 seconds.
XG virus scans the files.
XG sends the file to the client at 1MB/s, taking 20 seconds.
If you ask the website, it took 2 seconds to download the file. If you ask the client, it took 22 seconds to download the file.
I think this is not what is happening. We are not using the firewall as a proxy server and the virus engine
is not enabled.
So it is about how traffic is handled. I have now checked different data that I had transferred and
it looks like it is shaped well, for example client to Dropbox or Dropbox to client. The same with an FTP server
works, but the speed measurement tool on my cellphone seems to measure the traffic differently, or better said,
it generates the traffic differently. I am not sure if it's just UDP packets, but I will capture them with Wireshark if I
have some time.
So basically it looks like the traffic shaping is working. I will update my post when I have examined the traffic and
can say exactly what is different in the testing tool.