Application Traffic Shaping on

Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW4515: Application Traffic Shaping on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Application Traffic Shaping on Sophos Firewall - 1

 Application Traffic Shaping on Sophos Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to configure and apply a traffic ✓ Configuring Application Control on Sophos Firewall
shaping policy for applications. ✓ Configuring traffic shaping settings

DURATION

10 minutes

In this chapter you will learn how to configure and apply a traffic shaping policy for applications.

Application Traffic Shaping on Sophos Firewall - 2

 Applications can be found in :
Traffic Shaping Default PROTECT > Applications > Traffic shaping default

You can create and apply traffic shaping policies based on applications.

Here you can see the applications grouped by their category. You can apply traffic shaping policies
to a category of applications. You can also apply policies to individual applications, which will take
precedence over any category level traffic shaping policy.

Application Traffic Shaping on Sophos Firewall - 3

 Applications can be found in :
Traffic Shaping Default PROTECT > Applications > Traffic shaping default

When you choose to edit an application, you can select a compatible traffic shaping policy that will
override any other applied QoS policies for that application. From here, you can also edit or even
create new traffic shaping policies for the application.

Application Traffic Shaping on Sophos Firewall - 4

 Traffic shaping policies are configured in :
Traffic Shaping Policies CONFIGURE > System Services > Traffic shaping

Traffic shaping policies can either be configured to limit the amount of bandwidth they can use,
perhaps to prevent video streaming impacting business, or to guarantee an amount of bandwidth
in the case of business-critical applications. As we mentioned in the previous slide, there are
several pre-defined traffic shaping policies that ship with the Sophos firewall. As can be seen, they
can be associated with standard firewall rules, applied to users, target web categories or applied to
an application.

Application Traffic Shaping on Sophos Firewall - 5

 Traffic shaping policies are configured in :
Traffic Shaping Policies CONFIGURE > System Services > Traffic shaping

When you add a new traffic shaping policy, it is important to select the correct policy association.
This will determine where the policy can be applied in the Sophos firewall. For example, a user
policy cannot be applied to an application, and vice-versa.

Application Traffic Shaping on Sophos Firewall - 6

 Traffic shaping policies are configured in :
Traffic Shaping Policies CONFIGURE > System Services > Traffic shaping

The rule type determines if we are going to limit or guarantee bandwidth for the selected traffic.
Selecting the Limit option is often used when you want to prevent users, applications, or other
connections from using too much bandwidth and affecting critical business communications. For
example, a limit rule can be created for streaming media to prevent services such as YouTube from
consuming too much data.

A Guarantee rule is used when you want to ensure that an application or type of traffic has enough
bandwidth to function properly, even at the expense of other services. If you have a business-
critical application or system, such as VoIP, we want to ensure that they have the necessary
amount of bandwidth to function uninterrupted no matter what. Using the VoIP example, if the
bandwidth for calls were suddenly reduced, it could cause stuttering during calls or even
disconnects. Imagine how that would look if you were on the line with a customer.

Application Traffic Shaping on Sophos Firewall - 7

 Traffic shaping policies are configured in :
Traffic Shaping Policies CONFIGURE > System Services > Traffic shaping

The next settings can be used to determine how much bandwidth to allocate. The upload and
download bandwidth can be controlled independently if desired. The amount of bandwidth can be
set, and the bandwidth can be controlled per individual (per user, application, connection, etc…) or
shared between them.

A priority can also be configured for the rule which will determine which traffic gets processed first
if there are multiple priorities of traffic in the queue. The highest priority traffic, defined by the
lowest number, will always be processed first.

Application Traffic Shaping on Sophos Firewall - 8

 Traffic Shaping Policies Example

Here is an example showing a guarantee rule for a critical business application. In this example, the
rule is created with an application policy association and set as type guarantee. Then the priority is
set to 1, which is business critical.

We want to ensure that any traffic matching this rule is processed before almost all other traffic.
Finally, we set our guarantee and limit numbers. As this is an individual rule, and not a shared rule,
the bandwidth numbers are set to the minimum and maximum bandwidth needed per user of the
application. This does require a good understanding of the applications data needs.

After saving the policy, it would need to be applied to the application or application group.

Application Traffic Shaping on Sophos Firewall - 9

 Applying Traffic Shaping

To enable the application traffic shaping, select Apply application-based traffic shaping policy in
the firewall rule where you have applied the application filter.

Application Traffic Shaping on Sophos Firewall - 10

 Simulation: Create an Application Traffic Shaping Policy

In this simulation you will configure

and apply a traffic shaping policy for
applications.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/AppTrafficShaping/1/start.html

In this simulation you will configure and apply a traffic shaping policy for applications.

[Additional Information]

https://training.sophos.com/fw/simulation/AppTrafficShaping/1/start.html

Application Traffic Shaping on Sophos Firewall - 11

 Chapter Review

You can apply traffic shaping policies to categories of applications as well as individual
applications. Traffic shaping policies applied to individual applications will take
precedence over traffic shaping policies applied to the category

Traffic shaping policies can be created to either limit the amount of bandwidth available
to an application or guarantee bandwidth, even at the expense of other services

The upload and download bandwidth can be controlled independently and can either
be individual to the policy association (user, firewall rule, web category, application), or
shared between them

Here are the three main things you learned in this chapter.

You can apply traffic shaping policies to categories of applications as well as individual applications.
Traffic shaping policies applied to individual applications will take precedence over traffic shaping
policies applied to the category.

Traffic shaping policies can be created to either limit the amount of bandwidth available to an
application or guarantee bandwidth, even at the expense of other services.

The upload and download bandwidth can be controlled independently and can either be individual
to the policy association (user, firewall rule, web category, application), or shared between them.

Application Traffic Shaping on Sophos Firewall - 16

Application Traffic Shaping on Sophos Firewall - 17