Skip to content

Traffic shaping

Traffic shaping policies determine the Quality of Service (QoS) for traffic.

You can create policies to guarantee and limit bandwidth. Policies can assign bandwidth to individual objects or be shared among the objects to which you apply them. You can also specify a time for the policy. You can't edit a policy after creating it.

You can apply traffic shaping policies to firewall rules and WAF rules, users and groups, applications and application categories, and web categories. To apply a policy to these objects, you associate it with the object through the policy association type. Only the policies created for the object appear on the object page for selection.

Sophos Firewall implements traffic shaping policies in a certain order if they're associated with more than one object in the firewall rule. For example, if you've applied a traffic shaping policy to more than one object in the firewall rule, the following order applies:

  • Application
  • Application category
  • Web category
  • User
  • Group
  • Firewall rule

Note

QoS isn't applied to system-generated traffic.

Traffic shaping settings

To change the global settings for traffic shaping, go to System services > Traffic shaping settings.

The default settings offer best-effort bandwidth and place an upper limit on the QoS. The default settings apply to traffic to which no traffic shaping policy applies.

Note

Traffic shaping settings: These only apply to outgoing traffic the firewall forwards to the WAN zone.

Traffic shaping policies: You can apply these to incoming and outgoing traffic forwarded by the firewall.

Apply to applications and application categories

The traffic shaping policy you apply to an application takes precedence over the one you apply to its application category.

The policy applies based on the application ID. You can see the application ID in the application filter log.

  1. Go to System services > Traffic shaping and create a policy associated with applications.
  2. Go to Applications > Application filter and create a policy for an application or category.
  3. Go to Applications > Traffic shaping default, click the edit button next to the application or category, and select a traffic shaping policy.
  4. Go to Rules and policies > Firewall rules. Select the application control policy in a firewall rule, and select Apply application-based traffic shaping policy.

Apply to web categories

  1. Go to System services > Traffic shaping and create a policy associated with web categories.
  2. Go to Web > Categories, click the edit button next to the web category you want, and select the traffic shaping policy. Alternatively, click Add to create a custom web category, and select a traffic shaping policy.
  3. Go to Web > Policies and create a policy for the web category.
  4. Go to Rules and policies > Firewall rules. Select the web policy in a firewall rule, and select Apply web category-based traffic shaping policy.

Apply to users

  1. Go to System services > Traffic shaping and create a policy associated with users.
  2. Go to Authentication > Users and select a traffic shaping policy for each user you want.
  3. Go to Rules and policies > Firewall rules. In a firewall rule, select Match known users, and select the users.

Apply to groups

  1. Go to System services > Traffic shaping and create a policy associated with users.
  2. Go to Authentication > Groups and select a traffic shaping policy for each group you want.
  3. Go to Rules and policies > Firewall rules. In a firewall rule, select Match known users, and select the groups.

Apply to firewall rules

When you assign traffic shaping policies to firewall rules, you can apply the policies to VPN connections, services, host groups, and hosts (example: IP hosts and MAC hosts).

  1. Go to System services > Traffic shaping and create a policy associated with rules.
  2. Go to Rules and policies > Firewall rules.
  3. In a firewall rule, do one of the following:

    • VPN connections: For Source zone, select VPN.
    • Hosts: Under Source networks and devices, select the hosts.
    • Services: Select the ports and protocols.
  4. Under Shape traffic, select a traffic shaping policy.

Apply to WAF rules

You can apply traffic shaping policies to your web servers.

  1. Go to System services > Traffic shaping and create a policy associated with rules.
  2. Go to Rules and policies > Firewall rules.
  3. Click the edit button next to a firewall rule and set Action to Protect with web server protection.
  4. Under Advanced settings > Traffic shaping, select a policy.

More resources