Configuring Bandwidth Control
Bandwidth control allows you to control the amount of data that comes in to and goes out from Secure Web Gateway. You can configure it as part of your web policy to ensure:
-
A minimum and maximum of bandwidth for different types of web traffic
For example, you can ensure that at least 5,000 Kbit/s out of an overall 20,000 Kbit/s of bandwidth can be used by streaming media traffic. At the same time, you can restrict social networking traffic to not using more than 5,000 Kbit/s of the overall bandwidth. -
Priority for some types of web traffic over others when distributing unused bandwidth
For example, you can configure that unused bandwidth is made available to YouTube traffic before bandwidth not used by this traffic is made available to other types of streaming media traffic.
You can complete the configuration activities that are required here on the user interface for Secure Web Gateway under Configuration > Bandwidth Control. You need to complete them for every Secure Web Gateway appliance you want to include in the bandwidth control configuration.
In the following, more information about important concepts and elements of bandwidth control for Secure Web Gateway is provided.
It is also explained how to configure bandwidth classes for the different types of web traffic as well as the network interfaces for this traffic and the web policy rules that control it.
For an older version of this topic on how to configure bandwidth control, see Configure Bandwidth Control.
Concepts and Elements of Bandwidth Control
When configuring bandwidth control on Secure Web Gateway, you set up bandwidth classes for the different types of web traffic, for example, streaming media or social networking traffic.
A minimum and maximum amount of bandwidth is configured for each class to limit the use of bandwidth by the different types of web traffic. A priority is also configured to distribute bandwidth among the different types of web traffic based on this parameter.
Rule events are available to cover the different directions of the traffic flow, for example, traffic coming in to Secure Web Gateway from a web server.
Bandwidth control on Secure Web Gateway also uses native Linux Traffic Control to implement an underlying process for this feature and the HTB classful qdsic utility for granular control of web traffic.
The following sections provide more information about these concepts and elements.
Bandwidth Classes, Limits, and Priority
To configure bandwidth control, you set up bandwidth classes for the different types of web traffic. For each class, you configure:
-
Minimum bandwidth — Minimum amount of bandwidth that is reserved for the traffic in a class
The minimum bandwidth is ensured as long as sufficient bandwidth is available. -
Maximum bandwidth — Maximum amount of bandwidth that is allowed for the traffic in a class
The maximum bandwidth cannot be exceeded by this traffic even if more bandwidth is available. - Priority — The available bandwidth is distributed among the classes based on the priority that is configured for them
If not all of the bandwidth that is made available to a class is actually used by the traffic in this class, unused bandwidth is distributed among the classes with lower priorities.
A higher value for the priority parameter of a class means that its priority is actually lower. For example, a value of 75 indicates a lower priority than 50.
Bandwidth Control Hierarchy
Bandwidth classes are usually configured in a hierarchy with parent and child classes on different levels. The bandwidth that is available is distributed from the top to the bottom of the hierarchy.
The following diagram illustrates a sample configuration with bandwidth control classes on three levels. There is a root class at the top with parent and child classes on the next two levels.
A diagram like this is also referred to as tree diagram. Only the child classes at the end of the branches of the tree, which have no children themselves, are configured to cover the different types of web traffic. They are also known as "leaf" classes and marked in the diagram by a green leaf icon.
The other classes on the tree are only configured to distribute bandwidth among their children.
The diagram shows that bandwidth control is performed in this sample configuration as follows:
- The overall amount of available bandwidth in this configuration is 20,000 Kbit/s both as a minimum and maximum. These values are configured as limits for the root class.
The root class is not competing for bandwidth with any other class. Priority 0 is appropriately configured for this class. -
The overall bandwidth is distributed among the children of the root class.
When configuring this distribution, the sum of the bandwidth portions that are configured as minimum for the children of a parent must not exceed the minimum of the parent.
This is observed here with 20,000 Kbit/s configured as minimum for the root class and 5,000 Kbit/s and 2,500 Kbit/s, respectively, for its children.
Priority 0 is appropriately configured for them, as they are not competing for bandwidth with each other. -
The bandwidth for the Streaming child of the root class is distributed among its two children, YouTube and Streaming Media. Different priorities are configured for these children, as they compete for bandwidth with each other.
With a priority value of 50, YouTube traffic is given priority over other types of streaming media traffic with a priority of 75.
For example, if the configured minimum bandwidth of 1,500 Kbit/s is used for other streaming media traffic, 8,500 Kbit/s are made available to YouTube traffic, as 10,000 Kbit/s is configured as maximum for their Streaming parent.
Only what is not used of these 8,500 Kbit/s by YouTube traffic is made available to other streaming media traffic.
On the other hand, more than 8,500 Kbit/s can only be used by YouTube traffic if less than 1,500 Kbit/s is used at the same time by other streaming media traffic.
If no bandwidth is used by other streaming media traffic, all of the 10,000 Kbit/s configured as maximum can be used by YouTube traffic.
Events for Bandwidth Control Rules
Configuring bandwidth control for Secure Web Gateway includes configuring web policy rules with events that trigger the bandwidth control process.
To cover the different directions of the traffic flow, different events are available:
-
Bandwidth.FromClient — For traffic from a client to Secure Web Gateway
- Bandwidth.ToClient — For traffic from Secure Web Gateway to a client
-
Bandwidth.FromServer — For traffic from a web server to Secure Web Gateway
- Bandwidth.ToServer — For traffic from Secure Web Gateway to a web server
The following diagram illustrates these events and the traffic flow.
Configuring Bandwidth Classes
To configure bandwidth classes, you specify values for their parameters, which include class name, priority, and maximum and minimum bandwidth. If a bandwidth class is a child class, you also specify its parent.
The sample configuration includes the following bandwidth classes:
- Root — With a minimum and a maximum bandwidth of 20,000 Kbit/s and priority 0
The priority is 0 here because there is no other bandwidth class competing for bandwidth with the root class. -
Two child classes under Root:
-
Streaming — With a minimum bandwidth of 5,000 Kbit/s, a maximum bandwidth of 10,000 Kbit/S, and priority 0
-
Social Networking — With a minimum bandwidth of 2,500 Kbit/s, a maximum bandwidth of 5,000 Kbit/S, and priority 0
The priority is 0 here because even if there is another bandwidth class at the same level, it is not competing for bandwidth, as it is no "leaf" class.
-
-
Two child classes under Streaming:
-
YouTube — With a minimum bandwidth of 3,500 Kbit/s, a maximum bandwidth of 10,000 Kbit/S, and priority 50
Priority 50 gives this bandwidth class priority over the other class on this level, which has priority 75. -
Streaming Media — With a minimum bandwidth of 1,500 Kbit/s, a maximum bandwidth of 5,000 Kbit/s, and priority 75
-
The following illustration shows how these bandwidth classes and their parameters look after configuring them on the user interface.
Configuring Network Interfaces
To configure network interfaces for bandwidth control, you add them to the list that is provided. Bandwidth control is applied to traffic going through these network interfaces.
Depending on the network mode that is configured, you add network interfaces as follows:
-
Explicity Proxy, Proxy HA, Transparent Router, WCCP — For these network modes, you add the network interface you want to use for bandwidth control, for example, eth0.
Depending on what you have configured for the Proxy HA network mode, you need to add more than one network interface on a Secure Web Gateway appliance if it is a director node.
- Transparent Bridge — For this network mode, you add the network interface you want to use for bandwith control on a Secure Web Gateway appliance depending on whether it is a director or scanning node.
In this network mode, the director node forwards traffic to the scanning nodes. It is configured with a director priority greater than 0, whereas the scanning nodes are configured with directory priority 0.
A redundant director node can additionally be configured to replace the active director node when it becomes unavailable.-
Director node (active or redundant) — Add the network interface you want to use, for example, eth0.
You can also specify an outbound and an inbound network interface.
-
Scanning node — Add the network interface that is configured to receive traffic from the director node.
-
Configuring a Bandwidth Control Rule Set
A rule set for bandwidth control should be inserted in a top position of the rule set tree. This ensures bandwidth control is applied early in the filtering process.
For the sample configuration, the rules in this rule set look like this:
Each rule uses the Bandwith.FromServer event, as the traffic you want to control comes in to Secure Web Gateway from web servers.
The Stop Rule Set action stops processing of this rule set as soon as bandwidth control has been applied to a particular type of web traffic. The rule conditions ensure that the different types are recognized.
The rules are placed in the following order to perform bandwidth control:
-
Bandwidth Control: YouTube — This rule is placed first, which means that once it is recognized that a user tries to access YouTube, bandwidth control is applied to it and processing of the rule is stopped.
Thus ensures that bandwidth control is not applied to YouTube traffic again by the second rule, which is for streaming media traffic, as YouTube traffic also belongs to this type of traffic. -
Bandwidth Control: Streaming Media — This rule is placed second, which means bandwidth control is applied to all streaming media traffic other than YouTube traffic.
- Bandwidth Control: Social Networking — This rule is placed last. If social networking traffic is directed to Secure Web Gateway, processing of the first two rules in the rule set will not affect it.
Bandwidth control is then applied to it, which completes the processing of this rule set.
Using IP Addresses to Restrict Bandwidth Control for Testing
When testing the rule set for bandwidth control that you have configured, we recommend using a separate Secure Web Gateway appliance as a test proxy.
If you have no appliance available for this purpose, you can add criteria to the rule set to restrict the bandwidth control that is performed by its rules.
For example, use criteria that restricts bandwidth control to traffic originating from particular clients, which you have entered in a list:
Client.IP is in range list (List of Test Clients)