6 Replies Latest reply on Jul 25, 2016 1:49 PM by Jon Scholten

    Managing bandwidth

    roybad

      Hello everyone

       

      I wanted to know .. has anyone been able to make Linux's TC (Traffic control) work with MWG?

       

      MWG is built on a RHEL distro - but McAfee/Intel, while supporting iproute2 have disabled the support for NET_SCH*

       

      This is enabled on all later Linux kernels so I presume McAfee are either running an ancient kernel or have done this for a reason.

      However, they've left all the binaries there, simply disabled the modules in the kernel..

       

      So, there's no easy way to say "this remote location has a 2mbps link so let's not allow browsing past 1mbps" or "My internet pipe is 100mbps so keep all browsing down to 80mbps" or similar.

       

      As McAfee provide the source code for the RHEL/centos kernel, we can always recompile it changing the =N to =M (module) or =Y (and include the module) but it's not something we should be doing.

       

      Has any McAfee customer made this work? Or is limiting total bandwidth not a problem? Or is it always expected that another service manages bandwidth?

       

      (please don't suggest mwg throttle - it's not very good and means the request has to enter the http stack rather than stop at the tcp level)

      (yes, a PER was created and Michael S has been extremely helpful, but this isn't a current direction for McAfee)

      (of course, Bluecoat and Fortiguard have had this functionality for years and years)

       

      If someone else has done this, it'll give me confidence to give it a go!

      Thanks!!
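An added example, not part of the original post or of any McAfee tooling: a small check for the situation described above, reporting which `CONFIG_NET_SCHED` / `CONFIG_NET_SCH_*` options a kernel config enables before attempting to use `tc`. The function names and the sample config are constructed for illustration; on a real appliance you would point it at the kernel's config file (assumed to be somewhere like `/boot/config-$(uname -r)`).

```shell
#!/bin/sh
# Print "<option> <state>" for each traffic-control scheduler option in a
# kernel config: y = built in, m = module, n = disabled ("is not set").
sched_state() {
    # $1: path to a kernel config file
    awk '
        /^CONFIG_NET_(SCHED|SCH_[A-Z0-9_]+)=[ym]$/ {
            split($0, kv, "="); print kv[1], kv[2]; next
        }
        /^# CONFIG_NET_(SCHED|SCH_[A-Z0-9_]+) is not set$/ {
            print $2, "n"
        }
    ' "$1"
}

# Return 0 if the named option is usable (y or m), 1 if disabled or absent.
qdisc_available() {
    # $1: config file, $2: option name, e.g. CONFIG_NET_SCH_HTB
    state=$(sched_state "$1" | awk -v o="$2" '$1 == o { print $2 }')
    [ "$state" = "y" ] || [ "$state" = "m" ]
}

# Constructed sample config (not taken from a real MWG appliance).
sample_config() {
    cat <<'EOF'
CONFIG_NET=y
CONFIG_NET_SCHED=y
# CONFIG_NET_SCH_HTB is not set
# CONFIG_NET_SCH_TBF is not set
CONFIG_NET_SCH_FIFO=y
EOF
}

# Demo run against the constructed sample.
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
sched_state "$demo_cfg"
if qdisc_available "$demo_cfg" CONFIG_NET_SCH_HTB; then
    echo "HTB qdisc available"
else
    echo "HTB qdisc disabled: tc htb classes cannot be created on this kernel"
fi
rm -f "$demo_cfg"
```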

        • 1. Re: Managing bandwidth
          Troja

          Hi,

          it is really easy. Just take a look in the help in the MWG GUI. Just search for "Bandwidth throttling rules".
          Several customers are using this feature to limit bandwidth in several ways.

           

          Bandwidth throttling rules

           

          Bandwidth throttling rules limit the transferring speed when users upload objects to the web or download them.

          Events in bandwidth throttling rules

           

          Two events are available for use in rules that control bandwidth throttling:

          Throttle.Client — Limits the speed of data transfer from a client to the appliance

          This is the case when a client sends a request for uploading an object to a web server and the request is intercepted on the appliance together with the object.

          Throttle.Server — Limits the speed of data transfer from a web server to the appliance

          In this case, there has been a client request to download an object from a web server, and after this request has been filtered on the appliance and forwarded, the web server sends the object in response.

          Bandwidth throttling rule for uploads

           

          The following is an example of a rule that can execute bandwidth throttling rule for uploads.

          Limit upload speed for hosts on throttling list

          URL.Host is in list Upload Throttling List –> Continue – Throttle.Client (10)

          The rule uses the Throttle.Client event to limit the speed with which uploads are performed to 10 Kbps if the web server that the data should be uploaded to is on a particular list.

          In the criteria of the rule, the URL.Host property is used to retrieve the host name of the web server that is specified in the uploading request.

          If the Upload Throttling List contains this name, the criteria is matched and the rule applies. The throttling event is then executed.

          The Continue action lets rule processing continue with the next rule.

          Bandwidth throttling rule for downloads

           

          The following is an example of a rule that can execute bandwidth throttling rule for downloads.

          Limit download speed for media types on throttling list

          MediaType.EnsuredTypes at least one in list MediaType Throttling List –> Continue – Throttle.Server (1000)

          The rule uses the Throttle.Server event to limit the speed with which downloads are performed to 1000 Kbps if the web object that should be downloaded belongs to a media type on a particular list.

          In the criteria of the rule, the MediaType.EnsuredTypes property is used to detect the media type of the web object that the web server sends. An object can also be found to belong to more than one type.

          If any of these types is on the Media Type Throttling List, the criteria is matched and the rule applies. The throttling event is then executed.

          The Continue action lets rule processing continue with the next rule.

          Bandwidth throttling rules and rule sets

           

          We recommend that you create an overall rule set for bandwidth throttling rules and embed two rule sets in it, one for throttling uploads and another for throttling downloads. You can then let the embedded upload rule set apply for the request cycle and the embedded download rule set for the response cycle.

          Within each embedded rule set, you can have multiple throttling rules that apply to different kinds of web objects.

          The overall rule set for bandwidth throttling should be placed at the beginning of your rule set system. If this is not done, rules in other rule sets can start unthrottled downloads of web objects before your throttling rules are executed.

          For example, a rule for virus and malware filtering could trigger the download of a web object that has been sent by a web server in response to a user request. The web object then needs to be completely downloaded to the appliance to see whether it is infected.

          If your bandwidth throttling rule set is placed and processed after the rule set with the virus and malware filtering rule, bandwidth throttling is not applied to that download.

           

          You have no need to implement this on "Linux's TC" base, it is directly supported in the ruleset.

           

          Cheers,

          Thorsten

          • 2. Re: Managing bandwidth
            roybad

            Perhaps you didn't see the end of the question -

            (please don't suggest mwg throttle - it's not very good and means the request has to enter the http stack rather than stop at the tcp level)

            mwg throttle sucks royally, oh, and breaks a number of streaming sites.

             

            Thanks for the cut and paste from the KB though.

            • 3. Re: Managing bandwidth
              roybad

              Also - TC manages bandwidth by queuing. TC is used by pretty much any Linux based router or firewall for managing bandwidth and is rock solid.

              MWG throttle does it by reducing the window size - not a great way of doing things. As I said, it upsets way too many streaming sites.

              • 4. Re: Managing bandwidth
                Troja

                Hm sorry,

                I think I missed something. :-)

                 

                At the moment we have several customers with bandwidth management. What is managed:

                - youtube bandwidth

                - several download sites

                - several sites which are generating a high amount of download traffic

                - several webradio sites.

                 

                Are you throttling on the client side or on the server side? We have not seen such troubles at our customers, particularly with audio and video streams.

                Where have you placed the throttling rules in your rule set? At the top or at the bottom of the ruleset?

                 

                 

                cheers,

                Thorsten

                • 5. Re: Managing bandwidth
                  roybad

                  You know, I so didn't want to talk about the merits or otherwise of MWG throttle.

                  I did spend many months playing with throttling and it doesn't do what TC does.

                  It doesn't do what Bluecoats do - or F5s do.

                  If you're happy with how it shapes traffic then great. It seems no-one else has issues with what McAfee do.

                  Perhaps it's time we look at alternate technologies.

                  • 6. Re: Managing bandwidth
                    Jon Scholten

                    Hey Roy!

                     

                    Classful bandwidth control was added in 7.6.2 for direct proxy deployments. We'd love your feedback if this is still of interest to you.

                     

                    I literally just finished a write up on it here: Best Practice: Implementing and Understanding Bandwidth Control

                     

                    Best Regards,

                    Jon