Traffic management doesn't seem to work
Windows update downloads have been killing our bandwidth. Based on the traffic in the Dimension log server, I created a traffic management rule limiting the bandwidth used by http-proxy.1 to 250 Mbps. However, the machine in question is still downloading over 1000 Mbps from Windows Update.
Here is the sample from the log file even after the traffic rule was activated:
ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.1-00, protocol=http/tcp, src_ip=192.168.X.XXX, src_port=58325, dst_ip=23.200.0.13, dst_port=80, src_intf=Trusted, dst_intf=External, rc=525, proxy_act=HTTP-Client.Standard.1, rcvd_bytes=131464952, sent_bytes=229, elapsed_time=29.025846 sec(s); op=GET, dstname=b.c2r.ts.cdn.office.net, arg=/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.17830.20166/stream.x64.x-none.dat, 1AFF-0024, geo_dst=USA
131MB in 29 seconds and there are multiple examples of this. Any clue on what I'm doing wrong?
Comments
250 Mbps = 31.25 MBps
X 29 secs = 906 MB max transmission
You are allowing too high a rate
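Added example, not part of the original thread and not WatchGuard code: a Python script that parses ProxyHTTPReq lines in the format quoted in the post and works out each request's average download rate from rcvd_bytes and elapsed_time, so it can be compared with a configured limit. The sample lines, the addresses in them and the function names are constructed for illustration.

```python
import re

# Constructed sample lines in the ProxyHTTPReq format quoted in the post. The first
# reuses the post's byte count and elapsed time; addresses and other rows are made up.
SAMPLE_LOG = """\
ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.1-00, src_ip=192.168.0.10, dst_ip=23.200.0.13, rcvd_bytes=131464952, sent_bytes=229, elapsed_time=29.025846 sec(s); op=GET, dstname=b.c2r.ts.cdn.office.net
ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.1-00, src_ip=192.168.0.11, dst_ip=203.0.113.5, rcvd_bytes=3750000000, sent_bytes=310, elapsed_time=30.000000 sec(s); op=GET, dstname=cdn.example.net
ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.1-00, src_ip=192.168.0.12, dst_ip=203.0.113.6, rcvd_bytes=512, sent_bytes=120, elapsed_time=0.000000 sec(s); op=GET, dstname=www.example.org
"""

# key=value pairs are separated by commas, with a semicolon after elapsed_time
FIELD = re.compile(r"(\w+)=([^,;]+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: value.strip() for key, value in FIELD.findall(line)}


def download_mbps(fields):
    """Average receive rate of one request in megabits per second, or None."""
    try:
        rcvd = int(fields["rcvd_bytes"])
        elapsed = float(fields["elapsed_time"].split()[0])  # drop the "sec(s)" suffix
    except (KeyError, ValueError, IndexError):
        return None  # line lacks usable byte or time fields
    if elapsed <= 0:
        return None  # zero-length requests carry no usable rate
    return rcvd * 8 / elapsed / 1_000_000


def requests_over(log_text, limit_mbps):
    """List (src_ip, dstname, Mbps) for requests whose average rate exceeds the limit."""
    hits = []
    for line in log_text.splitlines():
        if "ProxyHTTPReq" not in line:
            continue
        fields = parse_line(line)
        rate = download_mbps(fields)
        if rate is not None and rate > limit_mbps:
            hits.append((fields.get("src_ip"), fields.get("dstname"), round(rate, 1)))
    return hits


if __name__ == "__main__":
    for limit in (250, 20):
        print(f"limit {limit} Mbps:", requests_over(SAMPLE_LOG, limit))
```

The rate is an average over one logged request; concurrent requests from the same client add up on the link, so per-request figures below a limit do not by themselves show total usage.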
I have a 1 Gbps internet connection, and now that I've set the rule down to 20 Mbps, it still floods the connection at 1,124 Mbps. I must have some kind of override somewhere that's still allowing full rate traffic.
Or do these rules only throttle outgoing traffic?
Just a thought. I have a couple of proxy overrides on the http proxy rules for akama.net and sites related to MS updates. If they're in the proxy override, are they ignored for traffic management rules too?
@KellyL
HTTP proxy exceptions only apply to specific items inside the HTTP proxy.
These settings are bypassed for HTTP-proxy exceptions:
HTTP request — Idle timeout, range requests, URL path length, all request methods, all URL paths, request headers, authorization pattern matching
HTTP response — Idle timeout, response headers, content types, cookies, body content types
Reputation Enabled Defense — for sites on the HTTP-proxy exceptions list the reputation score is set to -1
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/http/http_proxy_exceptions_c.html
If you make a change to a rule, it will only affect new connections that started after you've changed your settings. Previous connections that are already downloading data will eventually time out/reset and be covered by the new rule. If you absolutely need to test a new rule, rebooting said workstations or rebooting the firewall will force everything to a new connection.
-James Carson
WatchGuard Customer Support
What is the TM setting type - per client?