Advanced
Keep classification after encapsulation
Select this checkbox if you want to make sure that after encapsulation a packet will still match the traffic selector of the original service if no other traffic selector matches.
The assignment of an encapsulated IP packet to a traffic selector works as follows:
- The original IP packet is compared with the existing traffic selectors in the given order. The packet is assigned to the first matching traffic selector (e.g., Internal -> HTTP -> Any).
- The IP packet gets encapsulated, and the service changes (e.g., to IPsec).
- The encapsulated packet is compared with the existing traffic selectors in the given order. The packet is assigned to the first matching traffic selector (e.g., Internal -> IPsec -> Any).
-
If no traffic selector matches, the assignment depends on the Keep classification after encapsulation option:
- If the option is selected, the encapsulated packet will be assigned to the traffic selector found in step 1.
- If the option is not selected, the encapsulated packet will not be assigned to any traffic selector and therefore cannot be part of a bandwidth pool.
Explicit Congestion Notification support
ECN
Explicit Congestion Notification (Explicit Congestion Notification) is an extension to the Internet Protocol and allows end-to-end notifications of network congestion without dropping packets. ECN only works if both endpoints of a connection successfully negotiate to use it. Selecting this checkbox, Sophos UTM will send the information that it is willing to use ECN. If the other endpoint agrees, they will exchange ECN information. Note that the underlying network and involved routers must support ECN as well.