Processing Flow; The Importance Of Specifying A Network - D-Link NetDefendOS User Manual

Network security firewall

This will be the period of time after rule triggering during which traffic shaping is applied to
any associated connections that are opened.
Typically, a P2P transfer starts with an initial connection to allow transfer of control
information followed by a number of data transfer connections to other hosts.
It is the initial connection that IDP detects and the Time Window specifies the expected
period afterwards when other connections will be opened and subject to traffic shaping.
Connections opened after the Time Window has expired will no longer be subject to traffic
shaping.
A Time Window value of 0 means that only traffic flowing over the initial triggering
connection will be subject to traffic shaping. Any associated connections that do not trigger
an IDP rule will not be subject to traffic shaping.
5.
Optionally specify a Network
If the Time Window value is greater than zero, a Network can be specified. This IP address
range lets the administrator further restrict which of the subsequent connections associated
with the IDP rule trigger are subject to traffic shaping. At least one side of an associated
connection has to be within the specified IP range for it to be included in traffic shaping.

10.2.3. Processing Flow

To better understand how IDP Traffic Shaping is applied, the following are the processing steps
that occur:
1.
A new connection is opened by one host to another through the NetDefend Firewall and
traffic begins to flow. The source and destination IP addresses of the connection are noted by
NetDefendOS.
2.
The traffic flowing on the connection triggers an IDP rule. The IDP rule has Pipe as action so
the traffic on the connection is now subject to the pipe traffic shaping bandwidth specified
in the IDP rule.
3.
A new connection is then established, within the Time Window, that does not itself trigger an
IDP rule but has a source or destination IP that is the same as the connection that did trigger
a rule. If a Network is specified and the new connection's source or destination is also a
member of that IP range, then the connection's traffic is included in the pipe performing
traffic shaping for the original triggering connection.
If no Network is specified, the new connection is included in the triggering connection's pipe
on the source or destination match alone.

10.2.4. The Importance of Specifying a Network

Either Side Can Trigger IDP
After reading through the processing flow description above, it can be better understood why
specifying a Network is important. The IDP subsystem cannot know which side of a connection is
causing a rule to trigger. Sometimes it is the initiating client side and sometimes the responding
server. Because subsequent connections are matched on either side's IP address, a match on the
server's address would pull in connections from other, unrelated hosts to that same server, with
the unintended consequence of traffic shaping connections that should not be traffic shaped.
Restricting the Network to the client-side address range avoids this.
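The following is an added example, not NetDefendOS code or its CLI configuration: a small Python model of the processing flow in 10.2.3 that also reproduces the failure mode described in 10.2.4. It applies exactly the three conditions the text states for an associated connection (shares an IP with the triggering connection, is opened within the Time Window, and, when a Network is given, has at least one side inside it) and shows that without a Network an unrelated client reaching the same server is shaped too. The class and function names, the field names and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the illustration.

```python
"""Model of the IDP Traffic Shaping decision described in the manual text.

Added illustration only; it is not NetDefendOS code. Names, fields and the
sample traffic below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Connection:
    src: str                    # source IP of the new connection
    dst: str                    # destination IP of the new connection
    opened_at: float            # seconds; used for the Time Window check
    triggers_idp: bool = False  # True if IDP matched a rule with action Pipe


@dataclass
class PipeRule:
    bandwidth_kbps: int            # pipe bandwidth configured on the IDP rule
    time_window: float             # seconds; 0 = shape only the triggering connection
    network: Optional[str] = None  # optional CIDR restricting associated connections


@dataclass
class IdpShaper:
    rule: PipeRule
    # Step 1/2: IP addresses noted from triggering connections, with the trigger time.
    noted: Dict[str, float] = field(default_factory=dict)

    def _touches_network(self, conn: Connection) -> bool:
        """At least one side of the connection must lie inside Network (if one is set)."""
        if self.rule.network is None:
            return True
        net = ip_network(self.rule.network, strict=False)
        return any(ip_address(ip) in net for ip in (conn.src, conn.dst))

    def should_shape(self, conn: Connection) -> bool:
        # Step 2: the connection itself triggers the Pipe rule; note both sides.
        # The shaper cannot tell which side caused the trigger, so both are noted.
        if conn.triggers_idp:
            self.noted[conn.src] = conn.opened_at
            self.noted[conn.dst] = conn.opened_at
            return True
        # Time Window 0: only the triggering connection is ever shaped.
        if self.rule.time_window == 0:
            return False
        # Step 3: shares a source or destination IP with a triggering connection,
        # was opened within the Time Window, and touches Network when one is set.
        for side in (conn.src, conn.dst):
            triggered_at = self.noted.get(side)
            if triggered_at is None:
                continue
            if not 0 <= conn.opened_at - triggered_at <= self.rule.time_window:
                continue
            if self._touches_network(conn):
                return True
        return False


def shape_decisions(rule: PipeRule, conns: List[Connection]) -> List[bool]:
    """Feed connections in opening order; return the shaping decision for each."""
    shaper = IdpShaper(rule)
    return [shaper.should_shape(c) for c in conns]


# Constructed sample traffic (not captured data). 192.168.1.0/24 is the
# protected LAN; 203.0.113.x and 198.51.100.x are remote peers and clients.
SAMPLE = [
    Connection("192.168.1.10", "203.0.113.5", 0.0, triggers_idp=True),  # initial P2P control connection
    Connection("192.168.1.10", "203.0.113.9", 5.0),    # same client, data transfer to another peer
    Connection("198.51.100.7", "203.0.113.5", 6.0),    # unrelated client reaching the same server
    Connection("192.168.1.20", "203.0.113.5", 7.0),    # another LAN host reaching the same server
    Connection("192.168.1.10", "203.0.113.11", 45.0),  # same client, but after the window closed
]

WITHOUT_NETWORK = PipeRule(bandwidth_kbps=512, time_window=30)
WITH_NETWORK = PipeRule(bandwidth_kbps=512, time_window=30, network="192.168.1.0/24")
INITIAL_ONLY = PipeRule(bandwidth_kbps=512, time_window=0)

if __name__ == "__main__":
    for label, rule in (("no Network", WITHOUT_NETWORK),
                        ("Network=192.168.1.0/24", WITH_NETWORK),
                        ("Time Window=0", INITIAL_ONLY)):
        print(f"{label:24} {shape_decisions(rule, SAMPLE)}")
```

With no Network set, the third connection (an unrelated client to the server 203.0.113.5) is shaped purely because it shares the server address with the triggering connection; setting Network to the LAN range excludes it. Note that the fourth connection is still shaped under either rule: any host inside Network that reaches the noted server during the window matches step 3, so Network narrows the affected side but does not isolate the single client.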
Chapter 10: Traffic Management