User quotas conflict with static routes

I have a cluster of 2 M400 running software version 12.4.B592447.
I created a quota action to try to limit the time our users spend on YouTube. It never worked as expected, so I set a limit for how much they can download from YouTube per day, did some testing (having YouTube running all day) and found the magic number, 450MB/day, which means they could be on YouTube around 3 hours/day. First I created a packet filter policy using ports 80 and 443 when the traffic was going to YouTube related domains (based on what I saw on Dimension, *.googlevideo.com is the main one, along with *.youtube.com). I started noticing an issue where, after reaching the quota limit, the firewall started blocking traffic that was not related to the quota action and the policy at all, including traffic going to static routes (in this case we have a couple of Cisco ASAs for 2 different IPsec tunnels, so we have static routes for those). I escalated the issue to the company that provides local support for WG, and they recommended changing from packet filtering policies to proxy policies, so I did the same thing but this time using proxies (created 3 as they recommended: 1 for HTTP, 1 for HTTPS and 1 for DNS for traffic going to YouTube related domains), but the same thing is happening: once the quota limit is reached, it starts blocking traffic that is not related to the policies, including static routes.

Comments

  • You, or the company that provides local support for WG, should open a support incident on this.

  • edited September 2019

    I did. They recommended upgrading to Fireware 12.5, which I did and it did not resolve the issue. They came up with a workaround, adding my static routes to Quota Exceptions, and that seems to be working fine.

    I hope they come up with a real fix in the future.

  • Interesting behavior - I might try that out on my test firebox

    All Fireboxes (T-Series, M-Series, FireboxV, Firebox Cloud etc.); EPDR, Advanced EPDR/Cytomic, Orion (Threat Hunting); WiFi, AuthPoint. WSC/Cloud. Management of a few hundred Fireboxes, and a few thousand EPDR endpoints. Platinum Partner. Views my own (if any!).

  • edited September 2019

    @James said:
    Interesting behavior - I might try that out on my test firebox

    That would be nice, this is what I have so far:

    • M400 cluster running Fireware 12.5
    • 2 proxy policies (HTTP and HTTPS; the DNS one wasn't necessary so it's gone)
    • Static routes were added to Quota Exceptions
    • And since I have *.googlevideo.com added to my policies, it also started causing "NET::ERR_CERT_AUTHORITY_INVALID" error when the quota limit was reached and users were trying to open google apps like Google Drive, Google Calendar, Google Tasks (gmail was working fine though), so I added *.google.com to the exceptions and that fixed it.

    I'm still monitoring this to see what else comes up.