Traffic Management Limitations

Asking this before I bite off more than I can chew. I work for a school district... about 4,000 students, 350-ish staff that use computers regularly. I have all student traffic going through a single set of Firewall rules. I want to limit the bandwidth of any one student computer to no more than 15Mbps, more than most will need but will keep some from going crazy.

From what I've read, I create the Management Action, base it per IP, and set the instances to 256. 256 with 8 IPs per instance is about 2000 IPs. Again, 4,000 student devices and a few others that fall on the same network range for various reasons. Let's say 4,500 total, which would be more than the 2000 IPs that the Management Action is set for... So, my question...

Is that setup doomed for failure? What's going to happen to the other IPs? It sounds like, from what I read, that it will start lumping more IPs together to share the bandwidth... which isn't horrible, but isn't specifically the goal either.

The networks are segmented between campuses / networks... so I can create multiple rules, but I'm also trying to avoid having an over-abundance of rules...

I inherited the Firebox. Still somewhat of a newbie at the whole thing. Any advice, correction, or anything helpful would be appreciated. Still trying to figure this whole thing out. Thanks!

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @JohnS

    For traffic management policies per-IP, you are correct. There is a limit per-policy.

    There are a few ways around this:

    -Making rules by subnet (works best with /23s and /24s because of the per IP limitation)

    -Using user groups instead of IPs to implement the policy.
    See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_quick_start.html

    -James Carson
    WatchGuard Customer Support
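To make the "rules by subnet" suggestion concrete, here is an added planning helper. It is not code from the thread or from WatchGuard; it takes the per-policy capacity exactly as the original poster described it (256 instances, 8 IPs per instance, so 2048 addresses per per-IP Traffic Management action, a figure assumed here rather than verified against documentation) and packs a constructed list of campus subnets into the smallest number of policies in which no single policy has to track more addresses than that capacity. The subnet list is invented for the example.

```python
import ipaddress
import math

# Per-policy capacity as described by the original poster in this thread:
# 256 instances x 8 IPs per instance. Assumed here, not verified elsewhere.
INSTANCES_PER_POLICY = 256
IPS_PER_INSTANCE = 8
POLICY_CAPACITY = INSTANCES_PER_POLICY * IPS_PER_INSTANCE  # 2048 addresses


def subnet_hosts(cidr: str) -> int:
    """Addresses in a subnet; a per-IP action must be able to track every one."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def fits_in_one_policy(cidr: str, capacity: int = POLICY_CAPACITY) -> bool:
    """True when a single subnet can be covered by one per-IP policy."""
    return subnet_hosts(cidr) <= capacity


def min_policies_for_hosts(host_count: int, capacity: int = POLICY_CAPACITY) -> int:
    """Lower bound on policies for a flat population of `host_count` devices."""
    return math.ceil(host_count / capacity)


def plan_policies(subnets, capacity: int = POLICY_CAPACITY):
    """Group subnets into policies using first-fit-decreasing bin packing.

    Each policy tracks at most `capacity` addresses, so no device silently
    shares a bandwidth bucket because the action ran out of instances.
    Returns a list of {"subnets": [...], "used": int}. Raises ValueError for
    a subnet too large for any single policy (it must be split first).
    """
    sized = sorted(((subnet_hosts(s), s) for s in subnets), reverse=True)
    policies = []
    for size, cidr in sized:
        if size > capacity:
            raise ValueError(
                f"{cidr} has {size} addresses, more than one policy's "
                f"capacity of {capacity}; split it into smaller subnets"
            )
        # First fit: reuse the first policy with enough room left.
        for policy in policies:
            if policy["used"] + size <= capacity:
                policy["subnets"].append(cidr)
                policy["used"] += size
                break
        else:
            policies.append({"subnets": [cidr], "used": size})
    return policies


# Constructed example inventory: one subnet per campus, sizes chosen to
# resemble a district with a few large sites and several small ones.
CAMPUS_SUBNETS = [
    "10.10.0.0/22", "10.20.0.0/22", "10.80.0.0/22",   # 1024 addresses each
    "10.30.0.0/23", "10.40.0.0/23", "10.70.0.0/23",   # 512 addresses each
    "10.50.0.0/24", "10.60.0.0/24",                   # 256 addresses each
]


if __name__ == "__main__":
    print(f"Flat estimate for 4500 devices: {min_policies_for_hosts(4500)} policies")
    for n, policy in enumerate(plan_policies(CAMPUS_SUBNETS), start=1):
        print(f"Policy {n}: {policy['used']}/{POLICY_CAPACITY} addresses -> {policy['subnets']}")
```

Run it as a script to see the grouping; for the constructed inventory (5120 addresses in total) the packer produces three policies, the same count the flat ceil(4500 / 2048) estimate gives, and it refuses a /20 because 4096 addresses cannot fit one policy.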

  • @james.carson Because of the various things happening in our environment, I have about 55 rules now. On an M4800, how many rules would be too many if I want to break these out into individual rules? Individual subnets... we have probably close to 50... so the number of rules would grow from the 10 we have now to somewhere close to 20 or 30, pushing us close to 100 rules...

  • Not a problem for you.
    I have over 100 policies on a T20.

  • 125 enabled ones to be exact

  • That's great to know! Thanks!

  • james.carson Moderator, WatchGuard Representative

    @JohnS I've seen customers with well over 500 rules on small devices. There is a ceiling to how many policies you can have, but it has to do with the amount of memory available on the device, not the number of policies.

    For example, if you load each policy with a server load balancing policy that sources from an extensive list of FQDNs, you'd probably max out at around 50.

    (When customers find that limit, they're almost always asking more of their firewall than it's capable of, and it's almost always on the smallest devices we sell. The M4800 should reasonably be capable of handling thousands of complex policies if needed.)

    -James Carson
    WatchGuard Customer Support

  • That's great to know. I inherited this system from my previous boss, and he was afraid that 40 policies was going to overload the system. We've never even seen a major load on the box... and I think there were other issues that played into what caused the initial fear (years ago), so I didn't know how much wiggle room I had. I'm not looking to go too in-depth with complexity at the moment. I'm just needing more rules to handle the sheer amount of devices I have in our system. Thanks again!
