Outbound/Upload - One Way Quota

Hi Guys,

Is it possible to implement a one way type quota?

We have come across an issue with data exfiltration through a legitimate site using a legitimate HTTPS service and want to know if uploads could be quoted?

In this instance we don't care about their downloads, but if they are sending away bulk data its raising red flags.

Trying to minimize potential false positives while also minimizing any calls to helpdesk due to quotas kicking in for the wrong metric.

Thanks,

Dave

Comments

  • edited November 16

    I'm not seeing how to do this for just uploads currently.

    From the docs on Quotas:
    "Bandwidth — The bandwidth quota is set in MB per day, and is enforced for all TCP and UDP traffic in both directions."

    About Quotas
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/quota_about_c.html

  • Yeah I know. That's the problem I would like enhanced. Ideally if we can quota traffic for a specific direction we have a much better chance of catching suspect traffic or at the very least be able to leverage a slowing tactic.

    I admit that this is something that I hadn't even thought of doing until we had the situation we just experienced.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @DaveDave
    At this time quotas sum up traffic in both directions. I created a feature request (FBX-22392) with that issue -- if you'd like to follow that request please create a support case and mention FBX-22392 in the comments somewhere.

    At this current point in time, the best suggestion I have would be to monitor the Dimension top clients report for any large bandwidth users. Clicking down into their details should give a better idea of what they're doing.

    -James Carson
    WatchGuard Customer Support

Sign In or Register to comment.