Network Traffic Shaping on Sophos Firewall PDF

Summary

This Sophos document details how to configure traffic shaping policies on Sophos Firewall for different types of traffic, such as for individual users, firewall rules, web categories and applications. It provides examples (like limiting FTP bandwidth) and explains how to guarantee bandwidth for specific users.

Full Transcript


Network Traffic Shaping on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall FW2040: Network Traffic Shaping on Sophos Firewall
April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

In this chapter you will learn how to create traffic shaping policies for firewall rules and users.

Recommended knowledge and experience:
✓ Configuring settings for traffic shaping
✓ The types of traffic shaping policy that can be created

Duration: 7 minutes

Network Traffic Shaping

- Configure available bandwidth
- Configure the default policy
- Traffic shaping policies can be created for users, firewall rules, web categories, and applications

Before creating traffic shaping policies, you need to make sure that the available bandwidth has been configured for the firewall. Optionally, the default policy may have also been configured to apply to any traffic that does not have a specific policy applied.
Traffic shaping can be applied to different types of traffic in the Sophos Firewall. We can apply traffic shaping to users, firewall rules, web categories, and applications. Policies created for traffic shaping directly apply to one of the above-mentioned types and cannot be applied elsewhere. We will now look at examples of how to configure traffic shaping policies for firewall rules and users.

Example 1: Limit FTP

Let's look at an example policy. We would like to create a policy to limit the bandwidth of FTP applications running on ports 20 and 21. Users need to be able to transfer data using FTP without denying bandwidth to more critical systems. The maximum WAN bandwidth has already been configured and we want to ensure that users using FTP do not exceed 2500 KB/s total. To do this, we will configure a policy and then apply it to a firewall rule.

We have created a new traffic shaping policy named FTP Limit Rule. The policy association is type Rule so that we can apply it to a firewall rule afterwards. As we want to limit the traffic, the rule type is set to Limit and we are not separating the upload and download limits. We set the Priority to 0 – Real Time so that the rule is processed before others to limit the traffic. We have set the Limit to 2500 KB/s as per the requirements, and because we want to ensure that this number is not exceeded no matter how many users are actively transferring files with FTP, we set the Bandwidth usage type to Shared. Now that we have created and saved the rule, we need to apply it to a firewall rule.

We create a firewall rule and configure it to allow FTP traffic originating in the LAN and going to the WAN. This should target internal users connecting to outside servers using FTP.
Next, in “Other security features”, set the “Shape traffic” pick-list to the traffic shaping rule that we created previously. Once we save the rule and make sure that it is enabled, any traffic that matches this rule will be limited as per the policy that we created.

Example 2: User Guarantee

Now let’s consider another scenario where certain users need to have guaranteed bandwidth to a critical business application that runs in the cloud. These users are part of a group that has been created on the firewall called “Business Application Users”. This means that we need to create a new policy that is user-based and apply it to this group. It should guarantee 1000 KB/s to each user independently, and no user should need more than that for the application.

Let’s look at an example rule that could be created to satisfy the conditions. Here we can see a rule with a policy association of Users and a rule type of Guarantee. This will allow us to set a guaranteed bandwidth as well as a maximum bandwidth for this policy. To meet the need of the application, we set the guarantee to 1000 KB/s. Depending on what else the firewall rule targets, we could limit the bandwidth so that users do not abuse it, or leave the upper limit high if this is not a concern. Next, we set the priority to 1 – Business Critical. This is done so that it is processed very early in the list, with only priority 0 rules superseding these rules. To finish the rule, the usage type is set to Individual so that each user is guaranteed the needed bandwidth.

With the policy complete, we edit the group that exists for the users. In the traffic shaping section, we select the newly created policy to apply it to all users that are part of this group.
Please note that if a user has a traffic shaping policy applied directly, it will override the group setting.

To complete the process, we need to have a firewall rule that allows access to the business application. As part of the rule, we will enable the option to Match known users, and in the Users or groups field, we add the group that has the traffic shaping policy applied. If we scroll down to the Other security features, we can see that the Shape traffic pick-list can no longer be modified and now shows that the policy is being pulled from the user. With this in place, any user and traffic matching this rule will have the appropriate traffic shaping policy applied.

Chapter Review

Here are the three main things you learned in this chapter. Traffic shaping policies can target network traffic or users. Policies can guarantee or limit the traffic. The priority controls which traffic is processed first.
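The arithmetic behind Example 2, as an added Python sketch that is not part of the Sophos document: because the guarantee is Individual, the bandwidth the firewall commits grows with the size of the group and should be checked against the configured WAN bandwidth, and a policy applied directly to a user replaces the group's. The WAN figure, the policy names, the user names, and the counting of a Shared guarantee once per policy are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ShapingPolicy:
    name: str
    guarantee_kbs: int  # guaranteed bandwidth, KB/s
    limit_kbs: int      # maximum bandwidth, KB/s
    usage: str          # "Individual" or "Shared"

def effective_policy(user, direct, group_of, group_policy):
    # A policy applied directly to the user overrides the group's policy.
    if user in direct:
        return direct[user]
    return group_policy.get(group_of.get(user))

def audit(wan_kbs, users, direct, group_of, group_policy):
    # Worst case: every listed user is active at the same time.
    committed, shared_counted = 0, set()
    for user in users:
        policy = effective_policy(user, direct, group_of, group_policy)
        if policy is None:
            continue
        if policy.usage == "Individual":
            committed += policy.guarantee_kbs   # one guarantee per user
        elif policy.name not in shared_counted:
            shared_counted.add(policy.name)     # modelled as one guarantee per policy
            committed += policy.guarantee_kbs
    return {"committed_kbs": committed,
            "headroom_kbs": wan_kbs - committed,
            "oversubscribed": committed > wan_kbs}

# Constructed sample data (assumptions, not values from the Sophos document).
WAN_KBS = 10000
GROUP = "Business Application Users"
APP_GUARANTEE = ShapingPolicy("App Guarantee", 1000, 2000, "Individual")
REDUCED = ShapingPolicy("Reduced Guarantee", 250, 500, "Individual")

def sample(n_users):
    users = [f"user{i:02d}" for i in range(1, n_users + 1)]
    group_of = {u: GROUP for u in users}
    direct = {"user01": REDUCED}  # direct assignment wins over the group policy
    return audit(WAN_KBS, users, direct, group_of, {GROUP: APP_GUARANTEE})

if __name__ == "__main__":
    for n in (8, 12):
        print(n, "users ->", sample(n))
```

With these constructed numbers the group fits at 8 members but is oversubscribed at 12, which is the point at which the guarantee or the group membership needs revisiting.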
