
Can WSA throttle certain types of traffic?

keithsauer507
Level 5

We have an S600V WSA and I was wondering if there's any way to throttle certain types of web traffic.  There have been a few occasions, despite having a WSUS server on prem and GPOs pointed to it, that Windows Update and Microsoft content hosted at Akamai and Level 3 have completely obliterated our internet connection.

I'd like to limit this type of traffic either by IP or category to let's say a global rate of 50mbps... then in theory 50 computers could be doing a 1mbps transfer but other, more important traffic like VPN inbound and work from home users to on prem resources would have a much clearer pipe and not face disconnects on a whim when Microsoft wants to DDoS the network with their Windows 10 arsenal.

I didn't initially see anything in WSA except for bandwidth limiting media traffic, but perhaps I need to do a software update.  If you have this type of feature 1) where in the UI is it and 2) what software version are you on?  If this is not available, 1) WHY? and 2) What's the link to make a feature request?

3 Replies

balaji.bandi
Hall of Fame

WSA is just a web security device; it does not have main features like QoS and other options, unlike an NGFW. (It may be worth looking at controlling or throttling the traffic in the path before it reaches the WSA, so the WSA can do its own job as expected.)

I do see some application-based bandwidth (never tested, since I believe the WSA is doing its job as web security):

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010010.html

As mentioned, best practice is to throttle client traffic before it reaches the WSA.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes the WSA can limit bandwidth usage.
Under Web Security Manager, Overall Bandwidth Limit, you can cap how much total the individual WSA will let through.
Under Access Policies, in the Applications section some of that can be throttled.
As far as enhancement requests... Cisco pushes you to contact your sales team.
You'll get better traction by joining a beta.


Unfortunately, the overall bandwidth limit only applies to media.

In applications there only seem to be bandwidth limit options for Facebook or Media.  Windows updates, Office Updates, Adobe Creative Cloud, etc... all would have been pretty big players to add.

It's hard to throttle them since they all use CDNs and IPs / networks change pretty fluidly.

We do have a new pair of Palo Alto firewalls we are going to be putting in place so we will see if that's something they can do since it's up to layer 7 visibility.

We found another GPO for the Windows Update service with which we closed a small hole, so hopefully there will be zero going to MS for updates and we will rely 100% on our WSUS server.  It did remove the "check online for updates to windows" hyperlink underneath the normal check for updates button.