Traffic Shaping and QoS Marking in WatchGuard Cloud
Applies To: Cloud-managed Fireboxes
In a network with many computers, the volume of data that moves through the firewall can be very large. To prevent data loss for important business applications, and to make sure mission-critical applications take priority over other traffic, you can use traffic shaping and quality of service (QoS) marking in WatchGuard Cloud.
Traffic Shaping
With traffic shaping, you can guarantee or limit the bandwidth available for different types of traffic. When you guarantee bandwidth, you prioritize a specific volume of traffic before the Firebox processes other traffic. When you limit bandwidth, you make sure that potentially high bandwidth connections do not consume all available bandwidth resources.
QoS Marking
With QoS marking, you can define traffic priority when network congestion occurs at the Firebox. When a network is not congested, all traffic flows freely and prioritization is irrelevant. When traffic congestion occurs, QoS enforces a strict priority queue, and the Firebox processes higher priority traffic before lower priority traffic.
In addition to the traffic shaping and QoS marking features, you can also configure a connection rate limit for traffic handled by a specific policy. When you limit the connection rate, the policy denies connections that exceed a specific capacity. For more information, go to Configure a Connection Rate Limit in a Firewall Policy.
In combination, these features can help you maintain the availability of the resources you want to prioritize.
Throughput Considerations
Traffic shaping and QoS affect maximum throughput on the Firebox because the Firebox CPU must complete additional processing for each packet. Potential throughput reductions are as follows:
- Unified Threat Management (UTM) firewall — On a Firebox with security services applied to HTTP traffic, throughput might be reduced up to 10%.
- IMIX firewall — Throughput might be reduced up to 40%. This is most noticeable on tabletop Fireboxes when you measure internal traffic, for which the maximum performance is less than the potential link speed.
- IMIX UDP traffic over BOVPN — Throughput might be reduced up to 20%.
Traffic Shaping
To control the upload and download bandwidth for the traffic that a policy manages, you can assign a traffic shaping rule to the policy. You can also apply traffic shaping rules to specific applications and application categories in addition to policies.
The maximum number of traffic shaping rules that you can configure depends on the Firebox model.
Firebox Model | Maximum Number of Traffic Shaping Rules |
---|---|
NV5 | 100 |
T15 | 100 |
Other Firebox T Series | 300 |
FireboxV | 300 |
Firebox Cloud | 300 |
Firebox M Series | 500 |
Before you implement traffic shaping, you must know the available bandwidth on the network and determine how much bandwidth you want to guarantee or limit for different types of traffic.
QoS Marking
Networks often support many kinds of network traffic that compete for bandwidth. All traffic, whether of prime importance or negligible importance, has an equal chance to reach its destination in a timely manner. QoS marking gives critical traffic preferential treatment to make sure it is delivered quickly and reliably.
You can use QoS marking to create different types of service for outbound network traffic. When you mark traffic, you change up to six bits in the packet header fields defined for this purpose. From this marking, Fireboxes and other QoS-capable devices can determine how to handle the packet appropriately as it travels from point to point on the network.
In WatchGuard Cloud, you can enable QoS marking on an individual policy. When you define QoS marking for a policy, the Firebox marks all the traffic that uses that policy.
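To show which bits marking changes, here is an added Python example (not WatchGuard code) that reads and sets the marking in an IPv4 header and recomputes the header checksum. It assumes the six bits are the DSCP field of the DS byte (RFC 2474), with IP Precedence as its top three bits; the sample packet, addresses and function names are constructed for illustration.

```python
import struct

# Common DSCP code points (RFC 2474/2597/3246); a generic list, not a WatchGuard one.
DSCP_NAMES = {0: "CS0 (best effort)", 8: "CS1", 26: "AF31", 34: "AF41", 46: "EF", 48: "CS6"}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_len(packet: bytes) -> int:
    """Validate that this is IPv4 and return the header length in bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    return ihl

def read_marking(packet: bytes) -> dict:
    """Decode the DS byte: 6 DSCP bits, then 2 ECN bits."""
    ihl, tos = header_len(packet), packet[1]
    return {"dscp": tos >> 2, "name": DSCP_NAMES.get(tos >> 2, "unlisted"),
            "precedence": tos >> 5, "ecn": tos & 0x03,
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0}

def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """Set the six DSCP bits, keep the ECN bits, recompute the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    ihl = header_len(packet)
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"          # zero the checksum field before summing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def sample_packet() -> bytes:
    """Constructed, unmarked 20-byte IPv4/UDP header with ECN=1 (documentation addresses)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x01, 20, 0x1234, 0x4000,
                                64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    print("before:", read_marking(sample_packet()))
    print("after: ", read_marking(mark_dscp(sample_packet(), 46)))
```

Running `read_marking` over packets captured on the far side of a policy is a quick way to confirm that the marking you configured is present and that an intermediate device has not reset it.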
Traffic Shaping Tile
On the Device Configuration page, in the Firewall section, the Traffic Shaping tile shows the status of traffic shaping rules and QoS markings.
With the traffic shaping feature, you can:
- Configure Traffic Shaping Rules for Policies
- Configure Traffic Shaping Rules for Application Control
- Configure QoS Marking for Policies
- Monitor Traffic Shaping on Fireboxes and FireClusters