Traffic management doesn't seem to work

Windows Update downloads have been killing our bandwidth. Based on the traffic in the Dimension log server, I created a traffic management rule limiting the bandwidth used by http-proxy.1 to 250 Mbps. However, the machine in question is still downloading over 1000 Mbps from Windows Update.

Here is the sample from the log file even after the traffic rule was activated:
ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.1-00, protocol=http/tcp, src_ip=192.168.X.XXX, src_port=58325, dst_ip=23.200.0.13, dst_port=80, src_intf=Trusted, dst_intf=External, rc=525, proxy_act=HTTP-Client.Standard.1, rcvd_bytes=131464952, sent_bytes=229, elapsed_time=29.025846 sec(s); op=GET, dstname=b.c2r.ts.cdn.office.net, arg=/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.17830.20166/stream.x64.x-none.dat, 1AFF-0024, geo_dst=USA

131MB in 29 seconds and there are multiple examples of this. Any clue on what I'm doing wrong?

Comments

  • 250 Mbps = 31.25 MBps
    X 29 secs = 906 MB max transmission

    You are allowing too high a rate
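
The arithmetic in the comment above can be checked against the posted log entry. This is an added example, not part of the thread or of any WatchGuard tooling: it parses the quoted `ProxyHTTPReq` line and computes that connection's average receive rate from `rcvd_bytes` and `elapsed_time`. The function names are my own, and the result is an average over the connection's lifetime, so it says nothing about peaks or about several connections running in parallel.

```python
import re

# The log line quoted in the original post (source IP masked as posted).
SAMPLE_LOG = (
    "ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.1-00, "
    "protocol=http/tcp, src_ip=192.168.X.XXX, src_port=58325, dst_ip=23.200.0.13, "
    "dst_port=80, src_intf=Trusted, dst_intf=External, rc=525, "
    "proxy_act=HTTP-Client.Standard.1, rcvd_bytes=131464952, sent_bytes=229, "
    "elapsed_time=29.025846 sec(s); op=GET, dstname=b.c2r.ts.cdn.office.net, "
    "arg=/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.17830.20166/"
    "stream.x64.x-none.dat, 1AFF-0024, geo_dst=USA"
)

FIELD_RE = re.compile(r"(\w+)=([^,;]+)")


def parse_fields(line):
    """Return the key=value pairs of one proxy log line as a dict of strings."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def average_mbps(fields):
    """Average download rate of one connection in Mbps (10^6 bits per second)."""
    rcvd = int(fields["rcvd_bytes"])
    seconds = float(fields["elapsed_time"].split()[0])  # "29.025846 sec(s)"
    if seconds <= 0:
        raise ValueError("elapsed_time must be positive")
    return rcvd * 8 / seconds / 1e6


def connections_over(lines, limit_mbps):
    """List (dstname, Mbps) for ProxyHTTPReq entries averaging above limit_mbps."""
    hits = []
    for line in lines:
        if not line.startswith("ProxyHTTPReq"):
            continue
        fields = parse_fields(line)
        try:
            rate = average_mbps(fields)
        except (KeyError, ValueError):
            continue  # entry lacks usable byte or timing fields
        if rate > limit_mbps:
            hits.append((fields.get("dstname", "?"), round(rate, 1)))
    return hits


if __name__ == "__main__":
    print(round(average_mbps(parse_fields(SAMPLE_LOG)), 1), "Mbps")
    print(connections_over([SAMPLE_LOG], 20))
```

Feeding it a full export of `ProxyHTTPReq` lines with the configured limit shows which individual connections averaged above that limit.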

  • edited August 19

    I have a 1 Gbps internet connection, and now I've set the rule down to 20 Mbps, it still floods the connection at 1,124 Mbps. I must have some kind of override somewhere that's still allowing full rate traffic.

    Or do these rules only throttle outgoing traffic?

  • Just a thought. I have a couple of proxy overrides on the http proxy rules for akama.net and sites related to MS updates. If they're in the proxy override, are they ignored for traffic management rules too?

  • james.carson Moderator, WatchGuard Representative

    @KellyL
    HTTP proxy exceptions only apply to specific items inside the HTTP proxy.

    These settings are bypassed for HTTP-proxy exceptions:

    HTTP request — Idle timeout, range requests, URL path length, all request methods, all URL paths, request headers, authorization pattern matching
    HTTP response — Idle timeout, response headers, content types, cookies, body content types
    Reputation Enabled Defense — for sites on the HTTP-proxy exceptions list the reputation score is set to -1

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/http/http_proxy_exceptions_c.html

    If you make a change to a rule, it will only affect new connections that started after you've changed your settings. Previous connections that are already downloading data will eventually time out/reset and be covered by the new rule. If you absolutely need to test a new rule, rebooting said workstations, or rebooting the firewall will force everything to a new connection.

    -James Carson
    WatchGuard Customer Support

  • What is the TM setting type - per client?
