Using the Sonicwall’s Application Firewall feature to restrict bandwidth on specific websites
I was recently given a project that involved testing out the Application Firewall feature on the Sonicwall firewall. We’ve been talking about promoting this feature to clients as a way to manage their employees’ internet browsing habits. The idea is to slow down the traffic to the problem website instead of outright blocking it. If the website is blocked and the user sees a denial message, they are far more likely to look for a way around the block. If the website is just slow, there is a greater chance that they will just give up and try again later, or maybe think the problem is on the other end.
So after looking at the available options in the application firewall feature, I discovered the necessary steps to accomplish the website slowdown idea.
- First, I had to turn on Bandwidth Management on the WAN interface. I turned on both inbound and outbound management. Since we have a T1, I used 1500 as the Maximum Available Bandwidth.
- Next, I created an Application Object. This was set to be a Partial Match of the HTTP Host type. For the test sites, I entered ‘facebook.com’ and ‘myspace.com’. If this works, any request whose Host header contains either of those strings will be affected.
- An Application Firewall Action was the next item created. The Action type was set to Bandwidth Management. For both Outbound and Inbound, I set the Guaranteed Bandwidth to 1% and the Maximum Bandwidth to 2%. That seemed like a good starting point. Bandwidth Priority was set to lowest. When I hit Apply, I received a message stating that the Guaranteed Bandwidth had to be above 1.295%. That seemed like a strange limitation to me, but I made the appropriate change and went with it.
- The final step was just to create an Application Firewall Policy to bring everything together. The Policy type was an HTTP Client Request. I assigned the Object and Action that I had created above. Source, Destination, Service, and Direction were all left as Any.
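As an added illustration (my own code, not from this post or from SonicWall), here is a small Python model of the policy built in the steps above: it applies the same Partial Match on the HTTP Host header, turns the percentages into kbps against the 1500 figure used on the WAN, and reproduces the 1.295% minimum that the author ran into. The class and function names, and the assumption that Partial Match is a plain substring test, are mine.

```python
from dataclasses import dataclass

WAN_KBPS = 1500              # Maximum Available Bandwidth entered on the WAN interface (T1)
GUARANTEED_MIN_PCT = 1.295   # non-zero minimum the firewall enforced in the post; 0% was accepted
HOST_PATTERNS = ("facebook.com", "myspace.com")  # Application Object: Partial Match, HTTP Host


def host_matches(host: str, patterns=HOST_PATTERNS) -> bool:
    """Model of the Partial Match on HTTP Host as a case-insensitive substring test.
    Note how broad it is: 'www.facebook.com' and 'facebook.com.example.net' both match,
    so unrelated sites that merely contain the string are throttled too (assumption:
    the UI performs a plain substring match, as the post describes)."""
    name = host.lower().split(":")[0]   # drop an explicit port such as host:8080
    return any(p in name for p in patterns)


@dataclass(frozen=True)
class BwmAction:
    """Application Firewall Action of type Bandwidth Management (hypothetical model)."""
    guaranteed_pct: float
    maximum_pct: float
    priority: str = "lowest"

    def validate(self) -> None:
        # Reproduces the rule observed in the post: a non-zero Guaranteed Bandwidth
        # below 1.295% is rejected, while 0% goes through (assumption: 1.295 itself passes).
        if self.guaranteed_pct != 0 and self.guaranteed_pct < GUARANTEED_MIN_PCT:
            raise ValueError(f"Guaranteed Bandwidth must be 0 or at least {GUARANTEED_MIN_PCT}%")

    def limits_kbps(self, wan_kbps: int = WAN_KBPS) -> tuple[float, float]:
        """Percentages only become absolute rates once the WAN figure is known."""
        self.validate()
        return (wan_kbps * self.guaranteed_pct / 100, wan_kbps * self.maximum_pct / 100)


def shaped_rate_kbps(host: str, action: BwmAction, wan_kbps: int = WAN_KBPS) -> float:
    """HTTP Client Request policy with Source/Destination/Service/Direction left as Any:
    the Host header alone decides. Returns the ceiling a matching flow gets; traffic
    that does not match is left at the full WAN rate."""
    if host_matches(host):
        return action.limits_kbps(wan_kbps)[1]
    return float(wan_kbps)


if __name__ == "__main__":
    final = BwmAction(guaranteed_pct=0, maximum_pct=2)   # the setting that finally worked
    for h in ("www.facebook.com", "facebook.com.example.net:8080", "example.org"):
        print(f"{h:32} -> {shaped_rate_kbps(h, final):.1f} kbps")
    # 2% of a T1 is 30 kbps, about half a 56k modem: the "dial-up like" crawl the post saw.
```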
Then I started to run some tests and was somewhat disappointed. The sites seemed a little slower, but not enough to really discourage someone. I went back to the Guaranteed and Maximum Bandwidth settings and tried to lower them. No such luck. Every time I tried, I got the same 1.295% minimum message as before. I could lower the Maximum Available Bandwidth on the entire WAN, which would make the 1.295% smaller as well, but it would also restrict our total bandwidth for the office, which already feels constricted sometimes. A T1 just isn’t what it used to be.
On a whim, I tried 0% as the Guaranteed Bandwidth setting. Hmm, no error message this time. Then I heard my ‘social media site’ addict Office Manager complaining loudly from the other room. I walked over there to see what sort of experience he was having. Sure enough, those websites were down to a crawl. Content was still loading, but at dial-up like speeds. Success!
I’m pretty pleased with how well it worked in the end. Some of the settings are a bit odd, but overall it’s a solid feature. There are a ton of other Object and Action types built in, and a bunch of available criteria that can be used for applying each Policy. I think my follow-up project will be to get this working with the Single Sign-On feature so I can apply this policy to only specific domain users, while leaving others free to roam.