Michael_Horne
Collaborator

Bandwidth Rate Limit

Hello All,

In the documentation there seems to be limited information about the "Limit" objects for controlling upload and download traffic. These objects are discussed in terms of limiting traffic bandwidth to and from the Internet.  

Are these "Limit" objects in fact related only to traffic to and from the Internet? Or can they be used to control any traffic matching a rule?

Our scenario is that we want to limit internal traffic over an IPsec site to site tunnel. We have backup traffic that is traversing a site to site VPN between a branch site and a central site. We were thinking of limiting this traffic using a "limit" object, as these backups are causing the ISP link to be saturated.

Many thanks,

Michael

4 Replies
G_W_Albrecht
Legend

I would suggest using the QoS Blade to achieve your goal, as it can be defined per interface - see the CP R81 QoS AdminGuide for details!

CCSE CCTE SMB Specialist
Timothy_Hall
Champion

The Limit feature is a function of the APCL/URLF blades which typically inspect traffic to and from the Internet, so you must be matching traffic against an application or site object to use it.  Not really applicable for your situation of trying to limit bandwidth consumed by a VPN tunnel, but I suppose you could create some custom application/site objects to match traffic in that tunnel and limit it in an APCL/URLF-capable layer.  Here is some more info:

Applying APCL/URLF Bandwidth Limits

  • One very nice feature of APCL/URLF is the ability to enforce bandwidth limits for undesirable sites/applications that cannot be flat-out blocked due to political reasons. A classic example is Media Streaming sites that can consume very large amounts of bandwidth but are not directly required for typical business functions:

[screenshot: limit.png]

  • Bandwidth limits for APCL/URLF are applied directly by these features, and the full-fledged Quality of Service (QoS) feature does not need to be enabled by the firewall to use them.

  • Bandwidth guarantees cannot be specified; the full QoS blade is required for that functionality.

  • Upload bandwidth limits, download bandwidth limits, or both can be specified.

  • Note that any bandwidth limit enforced will be shared by all connections matching that particular rule; the limits are not per-connection or per-user. It is also not currently possible to enforce overall bandwidth limits over a certain timeframe (i.e. allow 1GByte of streaming data per 24-hour period and then no more until the next day when another 1GByte is allowed).

  • Packets in excess of the configured bandwidth limit are simply dropped by the firewall (thus forcing TCP to slow its send rate); these packets are not queued or shaped by the firewall.

The QoS blade is probably more appropriate for what you are trying to do, and it is very easy to tag/match VPN traffic specifically when enforcing a QoS limit or guarantee by checking the Apply rule only to encrypted traffic checkbox in the QoS rule specifying the limit.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
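To make the two properties above concrete (one limit shared by every connection the rule matches, and excess packets dropped rather than queued), here is a small constructed model. It is an added illustration, not Check Point code and not from this thread; the packet sample, the 8 kB/s figure and the `shared=False` variant (included only for contrast with what the text says the product does not do) are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    t: float      # arrival time in seconds (constructed)
    conn: str     # connection identifier, e.g. a 5-tuple
    size: int     # bytes


def enforce_limit(packets, limit_bytes_per_sec, shared=True):
    """Model a rule-level bandwidth limit as a one-second byte budget.

    shared=True  : one budget for all connections matching the rule
                   (the APCL/URLF behaviour described in the reply).
    shared=False : a separate budget per connection, shown only for
                   contrast; the reply says limits are not per-connection.
    Excess packets are dropped, never queued, so unused budget in one
    second does not carry over to the next.
    """
    used = defaultdict(int)        # bytes consumed per budget key
    accepted = defaultdict(int)    # bytes delivered per connection
    dropped = 0
    for p in sorted(packets, key=lambda p: p.t):
        window = int(p.t)          # whole-second bucket
        key = window if shared else (window, p.conn)
        if used[key] + p.size <= limit_bytes_per_sec:
            used[key] += p.size
            accepted[p.conn] += p.size
        else:
            dropped += 1           # dropped, TCP will back off
    return dict(accepted), dropped


# Constructed sample: three backup flows A, B, C, each sending ten
# 1000-byte packets inside the first second, interleaved, so 30 kB is
# offered against an 8 kB/s (64 kbit/s) limit.
SAMPLE = [Packet(t=i * 0.05 + j * 0.01, conn=c, size=1000)
          for i in range(10) for j, c in enumerate("ABC")]

if __name__ == "__main__":
    for shared in (True, False):
        acc, drop = enforce_limit(SAMPLE, 8000, shared=shared)
        label = "shared (rule-wide)" if shared else "per-connection"
        print(label, acc, "dropped:", drop)
```

With the shared budget the three flows split the 8 kB between them and 22 of 30 packets are dropped; with a per-connection budget each flow would get the full 8 kB, which is exactly the behaviour the reply says you should not expect.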
Michael_Horne
Collaborator

Hello,

We do not want to limit the VPN tunnel traffic, but the traffic that is encrypted in the tunnel. If this is FTP traffic, then we can match that application with a rule. I do not see having to match an application as an issue. My main concern is if having both source and destination as private IPs would cause any issue. One of the IP addresses would not be part of a local / internal network and would be reached over an external interface via the default route.

Regards,

Michael

Timothy_Hall
Champion

No, that should work fine, just try to make the source and destination IP addresses as specific as possible in the rule matching service FTP. The service for FTP is not technically an application object but the limit should still work for that rule as long as that layer has APCL/URLF enabled. If the limit does not work for a simple service like FTP check out "FTP Protocol-upload" and "FTP Protocol-download" which are true application objects that can be used to limit GETs and/or PUTs.
