Traffic Selectors
A traffic selector can be regarded as a QoS definition which describes certain types of network traffic to be handled by QoS. These definitions later get used inside the bandwidth pool definition. There you can define how this traffic gets handled by QoS, like limiting the overall bandwidth or guarantee a certain amount of minimum bandwidth.
To create a traffic selector, proceed as follows:
-
On the Traffic Selector tab, click New Traffic Selector.
The Add Traffic Selector dialog box opens.
-
Specify the following settings:
Name: Enter a descriptive name for this traffic selector.
Selector type: You can define the following types:
- Traffic selector: Using a traffic selector, traffic will be shaped based on a single service or a service group.
- Application selector: Using an application selector, traffic will be shaped based on applications, i.e. which traffic belongs to which application, independent from the port or service used.
- Group: You can group different service and application selectors into one traffic selector rule. To define a group, there must be some already defined single selectors.
Source: Add or select the source network for which you want to enable QoS.
Service: Only with Traffic selector. Add or select the network service for which you want to enable QoS. You can select among various predefined services and service groups. For example, select VoIP protocols (SIP and H.323) if you want to reserve a fixed bandwidth for VoIP connections.
Destination: Add or select the destination network for which you want to enable QoS.
Tip – For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.
Control by: Only with Application selector. Select whether to shape traffic based on its application type or by a dynamic filter based on categories.
- Applications: The traffic is shaped application-based. Select one or more applications in the box Control these applications.
- Dynamic filter: The traffic is shaped category-based. Select one or more categories in the box Control these categories.
Control these applications/categories: Only with Application selector. Click the Folder icon to select applications/categories. A dialog window opens, which is described in detail in the next section.
Productivity: Only with Dynamic filter. Reflects the productivity score you have chosen.
Risk: Only with Dynamic filter. Reflects the risk score you have chosen.
Note – Some applications cannot be shaped. This is necessary to ensure a flawless operation of Sophos UTM on AWS. Such applications miss a checkbox in the application table of the Select Application dialog window, e.g. WebAdmin, Teredo and SixXs (for IPv6 traffic), Portal (for User Portal traffic), and some more. When using dynamic filters, shaping of those applications is also prevented automatically.
Comment (optional): Add a description or other information.
-
Optionally, make the following advanced settings:
TOS/DSCP (only with selector type Traffic Selector): In special cases it can be useful to distinguish traffic to be handled by QoS not only by its source, destination, and service but additionally based on its TOS or DSCP flags in the IP header.
- Off: With this default option all traffic matching the source, service and destination selected above will be handled by QoS.
-
TOS bits: Select this option if you want to restrict the traffic handled by QoS to IP packets with specific TOS bits (Type of Service) settings. You can choose between the following settings:
- Normal service
- Minimize monetary cost
- Maximize reliability
- Maximize throughput
- Minimize delay
- DSCP bits: Select this option if you want to restrict the traffic handled by QoS to IP packets with specific DSCP bits (Differentiated Services Code Point) settings. You can either specify a single DSCP Value (an integer in the range from 0-63) or select a predefined value from the DSCP Class list (e.g., BE default dscp (000000)).
Amount of data sent/received: Select the checkbox if you want the traffic selector to match based on the amount of bytes transferred by a connection so far. With this feature you can e.g. limit the bandwidth of large HTTP uploads without constraining regular HTTP traffic.
- Sent/Received: From the drop-down list, select More than to define the traffic selector only for connections which exceed a certain amount of traffic. Select Less than to define it for connections with less traffic so far.
- kByte: Enter the threshold for the amount of traffic.
Helper: Some services use dynamic port ranges for data transmission. For each connection, the ports to be used are negotiated between the endpoints via a control channel. Sophos UTM on AWS uses a special connection tracking helper monitoring the control channel to determine which dynamic ports are being used. To include the traffic sent through the dynamic ports in the traffic selector, select Any in the Service box above, and select the respective service from the Helper drop-down list.
-
Click Save.
The new selector appears on the Traffic Selectors list.
If you defined many traffic selectors, you can combine multiple selectors inside a single traffic selector group, to make the configuration more convenient.
This traffic selector or traffic selector group can now be used in each bandwidth pool. These pools can be defined on the Bandwidth Pools tab.
The Select Application or Category Dialog Window
When creating application control rules you need to choose applications or application categories from a dialog window called Select one or more applications/categories to control.
The table in the lower part of the dialog window displays the applications you can choose from or which belong to a defined category. By default, all applications are displayed.
The upper part of the dialog window provides three configuration options to limit the number of applications in the table:
- Category: Applications are grouped by category. This list contains all available categories. By default, all categories are selected, which means that the table below displays all applications available. If you want to limit the displayed applications to certain categories, click into the category list and select only one or more categories relevant to you.
- Productivity: Applications are also classified by their productivity impact which means how much they influence productivity. Example: Salesforce, a typical business software, has the score 5 which means its usage adds to productivity. On the contrary, Farmville, an online game, has the score 1 which means its usage is counterproductive. The network service DNS has the score 3 which means its productivity impact is neutral.
- Risk: Applications are also classified by the risk they carry when used with regard to malware, virus infections, or attacks. A higher number means a higher risk.
Tip – Each application has an Info icon which, when clicked, displays a description of the respective application. You can search the table by using the filter field in the table header.
Now, depending on the type of control you selected in the Create New Traffic Selector dialog box, do the following:
- Control by dynamic filter: Select the categories from the Category box and click Apply to adopt the selected categories to your rule.
- Control by application: From the table, select the applications you want to control by clicking the checkbox in front. Click Apply to adopt the selected applications to your rule.
After clicking Apply, the dialog window closes and you can continue to edit the settings of your traffic selector rule.