Configuring Bandwidth Management of App Control Signatures using App Rules

11/11/2022 255 People found this article helpful 205,697 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

This article illustrates how to configure bandwidth management of App Control signatures using App Rules.

NOTE: The default BWM Action Objects cannot be used in new App Rules, and are there for backwards compatibility. It is recommended to create BWM Action Objects from scratch to be used in new App Rules.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Enable Bandwidth Management on the WAN interface

1. Navigate to Network | System | Interfaces | Interface Settings page in the GUI.
2. Click Edit option of the active WAN connection.
   
   
   
   
   
3. In the Advanced tab, under Bandwidth Management enable the check boxes Enable Interface Egress Bandwidth Limitation & Enable Interface Egress Bandwidth Limitation and specify the Egress & Ingress Bandwidth Values in terms of 'Kbps' respectively.
   
   
   
   
   

NOTE:  Once BWM has been enabled on an interface, and a link speed defined, traffic traversing that link will be throttled—both inbound and outbound—to the declared values, even if no Access Rules or App Rules are configured with BWM settings.

TIP: Egress and Ingress BWM can be enabled jointly or separately configured on WAN interfaces. Different bandwidth values may be entered for outbound and inbound bandwidth to support asymmetric links. Link rates up to 100,000 Kbps (100Mbit) may be declared on Fast Ethernet interfaces, while Gigabit Ethernet interfaces will support link rates up to 1,000,000 Kbps (Gigabit). The speed declared should reflect the actual bandwidth available for the link. Oversubscribing the link (i.e. declaring a value greater than the available bandwidth) is not recommended.

Create a new Bandwidth Object

1. Navigate to Object | Profile Objects | Bandwidth page.
2. Click on Add.
3. Enter the Object Name.
4. Specify the Guaranteed Bandwidth and Maximum Bandwidth.
5. In this example, we have specified a 5 Mbps Guaranteed and 5 Mbps Maximum Bandwidth.
   
   

Set Bandwidth for App Control signatures

Bandwidth Management using App Firewall infrastructure involves using Action Objects of type Bandwidth Management. There are three predefined Action Objects for bandwidth management:

If you do not want to use the predefined Action Objects, Custom Action Objects of type Bandwidth Management can also be created. When creating a custom Bandwidth Management Action Object, the following two methods can be used:

• Per Policy – When an Action Object configured with this method is used in multiple App Rules, the bandwidth set here will be calculated separately for each App Rule.
• Per Action – When an Action Object configured with this method is used in multiple App Rules, the bandwidth set here will be shared by all App Rules with this Action Object.

For the purpose of this article, we will be configuring bandwidth management using Per Policy.

• Navigate to Objects | Action Objects | App Rule Actions page.
• Click Add.
• Enter the following Information.
  
  • Action Name
  • Select Bandwidth Management under Action.
  • Select Bandwidth Aggregation Method to Per Policy
  • Check the box Enable Inbound Bandwidth Management and choose the desired Bandwidth Object or click  Create a new Bandwidth Object
    
  • Check the box Enable Outbound Bandwidth Management and choose the desired Bandwidth Object or click  Create a new Bandwidth Object
    
    

Create Match Objects with App Control Signatures.

SonicWall provides the same granularity when using Application Firewall infrastructure as in App Control Advanced. Application Control can be configured for a Category (like Social Networking, IM etc), for an Application (like YouTube.com, facebook.com etc.) and for individual Signatures (like video in facebook.com etc). However, each Match Object may contain only one of the above three. For example, you cannot create a Match Object with the Social Networking Category along with the Application, YouTube. In this article we would be using the Category, Multimedia.

• Navigate to Object | Match Objects | Match Objects page.
• Click Add.
• Enter the Object Name.
• From the drop down of Match Object Type select  Application Category List .
• Choose the Application Category that you wish for from the drop down.
  
  

Create App Rules

• Navigate to Policy | App Rules and click Settings Icon. Check the box under Enable App Rules.
• Click Accept.
  
  

• Click  Add Rule.
• Enter the following information and click OK to save.
  
  

Testing

• When accessing a multimedia website like www.YouTube.com, the following messages will be logged under Monitor | Logs | System Logs.
  
  
  

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Enable Bandwidth Management on the WAN interface

• Click Manage in the top navigation menu.
• Navigate to System Setup | Network | Interfaces page in the GUI.
• Click   Configure option of the active WAN connection. (Here single WAN connection is used).
  
  
  
• In the Advanced tab, under Bandwidth Management enable the check boxes Enable Interface Egress Bandwidth Limitation& Enable Interface Egress Bandwidth Limitation and specify the Egress & Ingress Bandwidth Values in terms of 'Kbps' respectively.
  
   

NOTE: Once BWM has been enabled on an interface, and a link speed defined, traffic traversing that link will be throttled-both inbound and outbound-to the declared values, even if no Access Rules or App Rules are configured with BWM settings.

TIP: Egress and Ingress BWM can be enabled jointly or separately configured on WAN interfaces. Different bandwidth values may be entered for outbound and inbound bandwidth to support asymmetric links. Link rates up to 100,000 Kbps (100Mbit) may be declared on Fast Ethernet interfaces, while Gigabit Ethernet interfaces will support link rates up to 1,000,000 Kbps (Gigabit). The speed declared should reflect the actual bandwidth available for the link. Oversubscribing the link (i.e. declaring a value greater than the available bandwidth) is not recommended.

Set Bandwidth for App Control signatures

Bandwidth Management using App Firewall infrastructure involves using Action Objects of type Bandwidth Management. There are three predefined Action Objects for bandwidth management:

If you do not want to use the predefined Action Objects, Custom Action Objects of type Bandwidth Management can also be created. When creating a custom Bandwidth Management Action Object, the following two methods can be used:

Per Policy – When an Action Object configured with this method is used in multiple App Rules, the bandwidth set here will be calculated separately for each App Rule.
Per Action – When an Action Object configured with this method is used in multiple App Rules, the bandwidth set here will be shared by all App Rules with this Action Object.

For the purpose of this article, we will be configuring bandwidth management using Per Policy.

• Navigate to Policies | Objects | Action Objects page.
• Click Add
• Enter the following Information.
  
  • Action Name:
  • Select Bandwidth Management under Action.
  • Select Bandwidth Aggregation Method to Per Policy
  • Check the box Enable Inbound Bandwidth Management and choose the desired Bandwidth Object or click  Create a new Bandwidth Object
    
  • Check the box Enable Outbound Bandwidth Management and choose the desired Bandwidth Object or click  Create a new Bandwidth Object
    
    
    

Create Match Objects with App Control Signatures.

SonicWall provides the same granularity when using Application Firewall infrastructure as in App Control Advanced . Application Control can be configured for a Category (like Social Networking, IM etc), for an Application (like YouTube.com, facebook.com etc.) and for individual Signatures (like video in facebook.com etc). However, each Match Object may contain only one of the above three. For example, you cannot create a Match Object with the Social Networking Category along with the Application, YouTube. In this article we would be using the Category, Multimedia.

• Navigate to Polices | Objects | Match Objects page.
• Click   Add New Match Object button.
• Select the option  Match Object  from the drop down of  Add as shown in the GUI.
  
  
  
  
• In the new window that has opened, enter the following options.
  • Enter the Object Name.
  • From the drop down of Match Object Type select  Application Category List .
  • Choose the Application Categories  that you wish for from the drop down.
    

Create App Rules

• Navigate to Policies | Application Control and click  Gear Icon. Check the box under Enable App Rules .
  
  
  
• Click  Add New Policy.
• Enter the following information and click OK to save.
  

Testing

• When accessing a multimedia website like www.YouTube.com, the following messages will be logged under Log | View.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Enable Bandwidth Management on the WAN interface

• Login to the SonicWall management GUI.
• Navigate to Network | Interfaces page.
• Click  Configure button under an interface in the WAN zone. In this example the X1 interface.
• Click Advanced tab and do one or both of the following:
  • Under Bandwidth Management, to manage outbound bandwidth, select the Enable Egress Bandwidth Management checkbox, and optionally set the Available Interface Egress Bandwidth (Kbps) field to the maximum for the interface.
  • Under Bandwidth Management, to manage inbound bandwidth, select the Enable Ingress Bandwidth Management checkbox and optionally set the Available Interface Ingress Bandwidth (Kbps) field to the maximum for the interface.
• Click  OK .
  

NOTE: Once BMW has been enabled on an interface, and a link speed defined, traffic traversing that link will be throttled-both inbound and outbound-to the declared values, even if no Access Rules or App Rules are configured with BWM settings.

TIP: Egress and Ingress BWM can be enabled jointly or separately configured on WAN interfaces. Different bandwidth values may be entered for outbound and inbound bandwidth to support asymmetric links. Link rates up to 100,000 Kbps (100Mbit) may be declared on Fast Ethernet interfaces, while Gigabit Ethernet interfaces will support link rates up to 1,000,000 Kbps (Gigabit). The speed declared should reflect the actual bandwidth available for the link. Oversubscribing the link (i.e. declaring a value greater than the available bandwidth) is not recommended.

Set Bandwidth for App Control signatures

Bandwidth Management using App Firewall infrastructure involves using Action Objects of type Bandwidth Management. There are three predefined Action Objects for bandwidth management:

If you do not want to use the predefined Action Objects, Custom Action Objects of type Bandwidth Management can also be created. When creating a custom Bandwidth Management Action Object, the following two methods can be used:

Per Policy – When an Action Object configured with this method is used in multiple App Rules, the bandwidth set here will be calculated separately for each App Rule.
Per Action – When an Action Object configured with this method is used in multiple App Rules, the bandwidth set here will be shared by all App Rules with this Action Object.

For the purpose of this article, we will be configuring bandwidth management using Per Policy.

• Navigate to Firewall | Action Objects page.
• Click Add New Action Object and enter the following in the Add/Edit Action Object window.
  

Create Match Objects with App Control Signatures

SonicWall provides the same granularity when using Application Firewall infrastructure as in App Control Advanced . Application Control can be configured for a Category (like Social Networking, IM etc), for an Application (like YouTube.com, facebook.com etc.) and for individual Signatures (like video in facebook.com etc). However, each Match Object may contain only one of the above three. For example, you cannot create a Match Object with the Social Networking Category along with the Application, YouTube. In this article we would be using the Category, Multimedia.

• Navigate to Firewall | Match Objects page.
• Click Add New Match Object button.
• Configure the following in the Add/Edit Match Object window and click OK.
  
  
  
  

Create App Rules

• Navigate to Firewall | App Rules page.
• Check the box under Enable App Rules.
• Click Add New Policy to bring up the Edit App Control Policy and configure the following.
  

Testing

• When accessing a multimedia website like www.YouTube.com, the following messages will be logged under Log | View:

Checking Bandwidth under App Flow Monitor

• If licensed for App Flow, bandwidth usage can be checked under Dashboard | App Flow Monitor.

Related Articles

• Bandwidth usage and tracking in SonicWall
• How to force an update of the Security Services Signatures from the Firewall GUI
• Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.

Categories

• Firewalls > NSa Series > Application Firewall
• Firewalls > NSv Series > Application Firewall
• Firewalls > TZ Series > Application Firewall
• Firewalls > NSa Series > Networking
• Firewalls > TZ Series > Networking