SonicOS 5.8.1: Configuring the Global Bandwidth Management Service




Document Scope

This feature guide describes the global bandwidth management (BWM) feature available in SonicOS Enhanced 5.8.1.0. This document contains the following sections:

- Feature Overview
  - What Is Global BWM?
  - Benefits
  - How Does Global BWM Work?
  - Platforms
- Using Global BWM
  - Firewall Settings > BWM
  - Configuring Global BWM
    - Configuring Interfaces
    - Configuring Firewall Access Rules
    - Configuring Application Rules
    - Configuring App Flow Monitor
- Glossary

Global Bandwidth Management Feature Module

Feature Overview

This section provides an introduction to the global BWM feature and contains the following subsections:

- What Is Global BWM?
- Benefits
- How Does Global BWM Work?
- Platforms

What Is Global BWM?

Bandwidth management (BWM) is a means of allocating bandwidth resources to critical applications on a network. Global BWM is controlled by the SonicWALL Security Appliance on ingress (inbound) and egress (outbound) traffic. It allows network administrators to guarantee minimum bandwidth and prioritize traffic based on access rules created in the Firewall > Access Rules page on the SonicWALL management interface. Balancing the bandwidth allocated to different network traffic and then assigning priorities to traffic can improve network performance.

Benefits

Global BWM provides the following benefits:

- Simple bandwidth management on all interfaces.
- Bandwidth management on ingress and egress traffic.
- Users can specify bandwidth management priority per interface, in firewall rules, app rules, or through App Flow Monitor.
- Default bandwidth management queue for all traffic.

How Does Global BWM Work?

Global BWM works by first enabling bandwidth management on an interface and then allocating the available bandwidth for that interface on the ingress and egress traffic. It then assigns individual limits for each class of network traffic. By assigning priorities to network traffic, applications requiring a quick response time, such as Telnet, can take precedence over traffic requiring less response time, such as FTP.

Global BWM provides eight priority queues. Three priority queues are set by default:

- 2 High
- 4 Medium: Default priority for all traffic that is not managed by a BWM enabled Firewall Access rule or Application Control Policy.
- 6 Low

When global BWM is enabled on an interface, all of the traffic to and from that interface is bandwidth managed.

For example, with bandwidth management type none, if there are three traffic types (1, 2, and 3) that are using an interface with the link capability of 100 Mbps, the cumulative capacity for all three types is 100 Mbps.

When bandwidth management type Global is enabled on that interface and the available ingress and egress traffic are configured to 10 Mbps, the following occurs:

By default, the traffic types are sent to the Medium (4) Priority queue. This queue has, by default, a Guaranteed percentage of 50 and a Maximum percentage of 100. These values mean that the cumulative link capability is 10 Mbps with no global BWM enabled policies configured.

Platforms

The global BWM feature is available in SonicOS Enhanced 5.8.1.0.

- SonicWALL NSA E8500
- SonicWALL NSA E7500
- SonicWALL NSA E6500
- SonicWALL NSA E5500
- SonicWALL NSA 5000
- SonicWALL NSA 4500
- SonicWALL NSA 3500
- SonicWALL NSA 2400
- SonicWALL NSA 240
- SonicWALL TZ 210 / 210 Wireless
- SonicWALL TZ 200 / 200 Wireless
- SonicWALL TZ 100 / 100 Wireless

Using Global BWM

This section contains the following subsections:

- Firewall Settings > BWM
- Configuring Global BWM

Firewall Settings > BWM

To view the BWM configuration, navigate to the Firewall Settings > BWM page. This page consists of the following entities:

The defaults are set by SonicWALL to provide BWM ease-of-use. It is recommended that you review the specific bandwidth needs and enter the values on this page accordingly.

Bandwidth Management Type Option:

- WAN: Only WAN zones can have assigned guaranteed and maximum bandwidth to services and have prioritized traffic.
- Global (Default): All zones can have assigned guaranteed and maximum bandwidth to services and have prioritized traffic.
- None: Disables BWM.

Priority Column: Displays the priority number and name.

Enable Checkbox: When checked, the priority queue is enabled.

Guaranteed and Maximum\Burst Text Field: Enables the guaranteed and maximum/burst rates. The corresponding Enable checkbox must be checked in order for the rate to take effect. These rates are identified as a percentage. The configured bandwidth on an interface is used in calculating the absolute value. The sum of all guaranteed bandwidth must not exceed 100%, and the guaranteed bandwidth must not be greater than the maximum bandwidth per queue.

The default settings for this page consist of three priorities with preconfigured guaranteed and maximum bandwidth. The medium priority has the highest guaranteed value since this priority queue is used by default for all traffic not governed by a BWM enabled policy.

Every time the Bandwidth Management Type is changed, all bandwidth management settings on the Firewall Rules will be reset to the factory defaults; therefore, you MUST reconfigure those rules.

Configuring Global BWM

Global BWM can be configured using the following methods:

- Configuring Interfaces
- Configuring Firewall Access Rules
- Configuring Application Rules
- Configuring App Flow Monitor

Configuring Interfaces

You can configure global BWM for each interface. To configure global BWM per interface, perform the following steps:

Step 1  Navigate to the Network > Interfaces page.
Step 2  Click the Configure icon in the Configure column for the interface for which you want to set global BWM. The Edit Interface dialog is displayed.

Step 3  Click the Advanced tab.
Step 4  Under Bandwidth Management, check Enable Egress or Enable Ingress or both checkboxes, and then enter the available bandwidth in kilobits per second (Kbps).
Step 5  Click OK.

Configuring Firewall Access Rules

You can configure global BWM for each firewall rule. This method configures the direction in which to apply BWM and sets the priority queue. To configure global BWM for a firewall rule, perform the following steps:

Step 1  Navigate to the Firewall > Access Rules page.
Step 2  Click the Configure icon for the rule you want to edit. The Edit Rule General tab dialog is displayed.
Step 3  Click the Ethernet BWM tab.
Step 4  Select the checkboxes, select the Bandwidth Priority, and then click OK.

All priorities will be displayed (Realtime to Lowest) regardless of whether all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If the Bandwidth Management Type is set to Global and you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the level 4 priority (Medium). For a BWM Type of WAN, the default priority is level 7 (Low).

Step 5  Verify that BWM has been set.

Configuring Application Rules

Application layer BWM allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol. Application layer bandwidth management is supported for all Application matches, as well as custom App Rules policies using HTTP client, HTTP Server, Custom, and FTP file transfer types.

It is a best practice to configure BWM settings before configuring App Control policies that use BWM.

After bandwidth management is enabled on the interface, you can configure BWM for a specific application rule on the Firewall > App Rules page. To configure global BWM for a specific application, perform the following steps:

Step 1  Navigate to the Firewall > App Rules page.

Step 2  Under App Rules Policies, select the Action Type: Bandwidth Management. The page will sort by Action Type Bandwidth Management.
Step 3  Click the Configure icon in the Configure column for the policy you want to change. The Edit App Control Policy window is displayed.
Step 4  Change the Action Object to the desired policy, and then click OK.

All priorities will be displayed (Realtime to Lowest) regardless of whether all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the Medium Priority (default).

The change will take effect when you return to the App Rules page.
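An added example (not from the SonicWALL guide) that checks a priority queue table against the constraints stated for the Firewall Settings > BWM page and resolves which queue and Kbps limits each rule actually receives under Global BWM, including the fallback to Medium. The `Queue` record, the sample percentages other than Medium's 50/100, and the rule names are constructed for illustration.

```python
from dataclasses import dataclass

MEDIUM = 4  # queue the guide names as the Global BWM fallback


@dataclass(frozen=True)
class Queue:
    priority: int        # 0 = highest ... 7 = lowest
    enabled: bool        # the Enable checkbox
    guaranteed_pct: int  # Guaranteed column, percent of interface bandwidth
    maximum_pct: int     # Maximum\Burst column, percent of interface bandwidth


def validate(queues):
    """Return findings for the constraints the guide states for the queue table."""
    findings = []
    active = [q for q in queues if q.enabled]  # rates only take effect when enabled
    total = sum(q.guaranteed_pct for q in active)
    if total > 100:
        findings.append(f"guaranteed sum is {total}%, limit is 100%")
    for q in active:
        if q.guaranteed_pct > q.maximum_pct:
            findings.append(f"priority {q.priority}: guaranteed {q.guaranteed_pct}% "
                            f"exceeds maximum {q.maximum_pct}%")
        if q.guaranteed_pct == 0 and q.maximum_pct == 0:
            # Per the glossary, 0%/0% drops the traffic assigned to this priority.
            findings.append(f"priority {q.priority}: 0%/0% drops assigned traffic")
    return findings


def effective_priority(requested, queues):
    """Global BWM: a rule that selects a queue that is not enabled lands in Medium."""
    enabled = {q.priority for q in queues if q.enabled}
    return requested if requested in enabled else MEDIUM


def rule_limits(rules, queues, interface_kbps):
    """Map rule name -> (effective priority, guaranteed Kbps, maximum Kbps)."""
    by_priority = {q.priority: q for q in queues}
    result = {}
    for name, requested in rules.items():
        prio = effective_priority(requested, queues)
        q = by_priority.get(prio)
        if q is None or not q.enabled:
            # Medium itself missing or disabled: the guide does not cover this case.
            result[name] = (prio, None, None)
            continue
        result[name] = (prio,
                        interface_kbps * q.guaranteed_pct // 100,
                        interface_kbps * q.maximum_pct // 100)
    return result


# Constructed sample table; only Medium's 50/100 is taken from the guide.
SAMPLE_QUEUES = [
    Queue(0, False, 0, 100),
    Queue(2, True, 30, 100),
    Queue(4, True, 50, 100),
    Queue(6, True, 20, 100),
]
# Constructed rule names mapped to the priority selected in each rule.
SAMPLE_RULES = {"voip-out": 0, "web-out": 4, "backup-out": 6}

if __name__ == "__main__":
    print(validate(SAMPLE_QUEUES))
    for name, row in rule_limits(SAMPLE_RULES, SAMPLE_QUEUES, 10_000).items():
        print(name, row)
```

With a 10,000 Kbps interface, the rule that asked for priority 0 is reported in queue 4 with Medium's limits, which is the silent remapping an administrator would want to catch during review.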

Understanding BWM Action Objects

Action Objects define how the App Rules policy reacts to matching events. You can customize an action or select one of the predefined default actions. The predefined actions are displayed in the App Control Policy Settings page when you add or edit a policy from the App Rules page.

Custom BWM actions behave differently than the default BWM actions. Custom BWM actions are configured by adding a new action object from the Firewall > Action Objects page and selecting the Bandwidth Management action type. Custom BWM actions and policies using them retain their priority level setting when the Bandwidth Management Type is changed from Global to WAN, and from WAN to Global.

A number of BWM action options are also available in the predefined, default action list. The BWM action options change depending on the Bandwidth Management Type setting on the Firewall Settings > BWM page. If the Bandwidth Management Type is set to Global, all eight levels of BWM are available. If the Bandwidth Management Type is set to WAN, the predefined actions list includes three levels of WAN BWM.

The following table lists the predefined default actions that are available when adding a policy.

If BWM Type = Global:

- BWM Global-Realtime
- BWM Global-Highest
- BWM Global-High
- BWM Global-Medium High
- BWM Global-Medium
- BWM Global-Medium Low
- BWM Global-Low
- BWM Global-Lowest

If BWM Type = WAN:

- WAN BWM High
- WAN BWM Medium
- WAN BWM Low

Creating a New BWM Action or Policy

If you do not want to use the predefined BWM actions or policies, you have the option to create a new one that fits your needs. To create a new BWM action or policy, perform the following steps:

Step 1  Navigate to the Firewall > Action Objects page.
Step 2  Click Add New Action Object at the bottom of the page. The Add/Edit Action Object window is displayed.
Step 3  If the BWM type is Global, do the following:

- Action Name field: Enter a name for the policy.
- Action drop-down: Select Bandwidth Management.
- Check Enable Outbound Bandwidth Management checkbox and select the Bandwidth Priority.
- Check Enable Inbound Bandwidth Management checkbox and select the Bandwidth Priority.

If the Bandwidth Management Type is set to WAN on the Firewall Settings > BWM page, the screen displays the following options, which are not displayed if Bandwidth Management Type is set to Global:

- Bandwidth Aggregation Method
- Guaranteed Bandwidth
- Maximum Bandwidth
- Enable Tracking Bandwidth Usage

In case of a BWM type of WAN, the configuration of these options is included in the following steps.

All priorities will be displayed (0 to 7) regardless of whether all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the Medium Priority (default).

Step 4  In the Bandwidth Aggregation Method drop-down list, select one of the following:

- Per Policy: When multiple policies are using the same Bandwidth Management action, each policy can consume up to the configured bandwidth even when the policies are active at the same time.
- Per Action: When multiple policies are using the same Bandwidth Management action, the total bandwidth is limited as configured for all policies combined if they are active at the same time.

Step 5  Do one or both of the following:

- To manage outbound bandwidth, select the Enable Outbound Bandwidth Management checkbox.
- To manage inbound bandwidth, select the Enable Inbound Bandwidth Management checkbox.

Step 6  To specify the Guaranteed Bandwidth, optionally enter a value either as a percentage or as kilobits per second. In the drop-down list, select either percentage (%) or Kbps. If you plan to use this custom action for rate limiting rather than guaranteeing bandwidth, you do not need to change the Guaranteed Bandwidth field.
Step 7  To specify the Maximum Bandwidth, optionally enter a value either as a percentage or as kilobits per second. In the drop-down list, select either percentage (%) or Kbps. If you plan to use this custom action for guaranteeing bandwidth rather than rate limiting, you do not need to change the Maximum Bandwidth field.
Step 8  For Bandwidth Priority, select a priority level from the drop-down list, where 0 is the highest and 7 is the lowest.
Step 9  Optionally select Enable Tracking Bandwidth Usage to track the usage. When bandwidth usage tracking is enabled, you can view the usage in the Action Properties tooltip by mousing over the BWM action of a policy on the Firewall > App Rules page.
Step 10  Click OK. You can see the resulting action in the Action Objects screen.

Configuring App Flow Monitor

BWM can also be configured from the App Flow Monitor page by selecting a service type application or a signature type application and then clicking the Create Rule button. The Bandwidth Management options available there depend on the enabled priority levels in the Global Priority Queue table on the Firewall Settings > BWM page. The priority levels enabled by default are High, Medium, and Low.

You must have the SonicWALL Application Visualization application enabled before proceeding.

To configure BWM using the App Flow Monitor, perform the following steps:

Step 1  Navigate to the Dashboard > App Flow Monitor page.
Step 2  Check the service-based applications or signature-based applications to which you want to apply global BWM.

General applications cannot be selected. Service-based applications and signature-based applications cannot be mixed in a single rule.

Step 3  Click Create Rule. The Create Rule pop-up is displayed.

Creating a rule for service-based applications creates a firewall access rule, and creating a rule for signature-based applications creates an application control policy.

[Figures: Service-based Application Options; Signature-based Application Options]

Step 4  Select the Bandwidth Manage radio button, and then select a global BWM priority.
Step 5  Click Create Rule. A confirmation pop-up is displayed.

[Figures: Service-based Application Successful; Signature-based Application Successful]

Step 6  Click OK.
Step 7  Navigate to Firewall > Access Rules page (for service-based applications) and Firewall > App Rules (for signature-based applications) to verify that the rule was created.

For service-based applications, the new rule is identified with a tack in the Comments column and a prefix in Service column of ~services=<service name>. For example, ~services=ntp&t=1306361297.

For signature-based applications, the new rule is identified with a prefix, ~BWM_Global-<priority>=~catname=<app_name> in the Name column and in the Object column prefix ~catname=<app_name>.
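An added example (not part of the SonicWALL guide) that uses the two naming prefixes described above to pick out rules created through App Flow Monitor when reviewing a rule list. The record layout (a dict with `name` and `service` keys), the signature-based sample value, and the reading of `t=` as a Unix timestamp are assumptions.

```python
import re
from datetime import datetime, timezone

# Patterns built from the two prefixes the guide documents.
SERVICE_RE = re.compile(r"^~services=(?P<service>[^&]+)(?:&t=(?P<t>\d+))?$")
SIGNATURE_RE = re.compile(r"^~BWM_Global-(?P<priority>[^=]+)=~catname=(?P<app>.+)$")


def classify(rule):
    """Classify one rule record by the Service and Name column values."""
    m = SERVICE_RE.match(rule.get("service", ""))
    if m:
        created = None
        if m.group("t"):
            # Assumption: the t= value is a Unix timestamp in seconds (UTC).
            created = datetime.fromtimestamp(
                int(m.group("t")), tz=timezone.utc).isoformat()
        return {"origin": "app-flow-monitor", "kind": "service",
                "target": m.group("service"), "created": created}
    m = SIGNATURE_RE.match(rule.get("name", ""))
    if m:
        return {"origin": "app-flow-monitor", "kind": "signature",
                "target": m.group("app"), "priority": m.group("priority")}
    return {"origin": "other"}


def inventory(rules):
    """Return only the rules that carry an App Flow Monitor prefix."""
    found = []
    for rule in rules:
        info = classify(rule)
        if info["origin"] == "app-flow-monitor":
            found.append(info)
    return found


# Constructed sample records; only the ntp Service value is quoted from the guide.
SAMPLE_RULES = [
    {"name": "LAN > WAN", "service": "~services=ntp&t=1306361297"},
    {"name": "~BWM_Global-High=~catname=ExampleApp", "service": ""},
    {"name": "Allow DNS", "service": "DNS"},
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_RULES):
        print(row)
```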

Glossary

Bandwidth Management (BWM): Refers to any variety of algorithms or methods used to shape or police traffic.

Guaranteed Bandwidth: A percentage of the total available bandwidth on an interface, which will always be granted to a certain class of traffic. The total Guaranteed Bandwidth across all BWM rules cannot exceed 100% of the total available bandwidth. The Guaranteed Bandwidth can also be set to 0%.

Inbound (Ingress) BWM: The ability to shape the rate at which traffic enters a particular interface.

Maximum Bandwidth: A percentage of the total available bandwidth on an interface defining the maximum bandwidth to be allowed to a certain class of traffic. The Maximum Bandwidth can be set to 0%, which will prevent all traffic. When both Guaranteed and Maximum bandwidth are set to 0% and the priority is assigned to a particular traffic type, in any policy, that particular traffic will be dropped due to zero assigned bandwidth.

Outbound (Egress) BWM: Conditioning the rate at which traffic is sent from an interface. Outbound BWM uses a credit (or token) based queuing system with 8 priority rings to service different types of traffic, as classified by Access Rules.

Priority: An additional dimension used in the classification of traffic. SonicOS uses eight priority values (0 = highest, 7 = lowest) to comprise the queue structure used for BWM. Queues are serviced in the order of their priority.

Queuing: To effectively make use of the available bandwidth on a link, queues are commonly employed to sort and separately manage traffic after it has been classified.

Part Number: 232-000740-00_Rev_A

Solution Document Version History

Version 1, 6/11: This document was created.