Peer-to-peer file sharing applications are now widely used. How can we control this kind of traffic? Without some controls in place, these applications can saturate links to the point that other, more important applications can suffer from latency.
This question was raised by Jan.Meylaers.
There are multiple ways to go about this and several members of the community jumped in with recommendations.
Gwesson pointed out that PAN-OS can do application-specific QoS, and recommended setting up a QoS policy to limit the maximum bandwidth available for the BitTorrent application. So rather than trying to limit the number of sessions, you make it slow. Users would still be able to use BitTorrent; the application would simply be throttled to the allowed bandwidth.
There is a great article explaining exactly how to do application-specific QoS:
QoS configuration example
QoS is a great way to limit the bandwidth, but it does not limit the number of sessions.
Limiting the number of sessions is a little trickier, because it can only be done on a service, as Jan.Meylaers pointed out.
First of all, you need to configure a DoS Protection Profile using 'Resource Protection', where you can set the Maximum Concurrent Sessions:
Objects tab > Security Profiles > DoS Protection.
After you have a DoS protection profile, you can use it in the DoS Protection Policy:
Policies tab > DoS Protection:
Notice, however, that you can only use a 'Service' and not an 'Application', as Jan.Meylaers previously mentioned.
User lwheelock jumped in on the discussion, saying that you could create a separate service for your BitTorrent allow rule.
You can create a new service here:
Objects tab > Services > Click Add
Notice in the above screenshot that I've selected the port range >1024, as mentioned by user lwheelock.
You could limit the port range to whatever you want so the BitTorrent application is allowed only over a set of ports.
So instead of using the application defaults, you can configure a service on your security rule, and your BitTorrent security rule would look something like this:
The above rule will allow the BitTorrent application on the ports you have configured in the 'Service.'
Finally, to limit the number of sessions, you configure a DoS Protection Policy using the custom service and the DoS Protection Profile you created:
A word of caution: if you cannot isolate the BitTorrent traffic in the DoS protection policy, then other traffic using the same ports from your custom Service will also match the DoS protection profile and be subject to the same session limit!
If you are unable to isolate the BitTorrent traffic, then you could instead limit the custom service to a 'manageable' set of ports.
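To make the caution above concrete, here is a small Python model of why a service-based DoS policy catches more than BitTorrent. This is an added example, not code from the post or from Palo Alto Networks: the session records are constructed, and the Resource Protection behaviour is simplified to a single aggregate counter of concurrent sessions that match the policy's service (port range only, since a Service object never consults App-ID).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    app: str       # App-ID the firewall identified for the session
    dst_port: int  # destination port the session uses


# Constructed sample sessions (not from the post), in arrival order.
SESSIONS = [
    Session("bittorrent", 6881),
    Session("ssl", 8443),
    Session("bittorrent", 6889),
    Session("ssh", 2222),
    Session("web-browsing", 80),
    Session("bittorrent", 51413),
    Session("ms-rdp", 3389),
]

WIDE_SERVICE = (1025, 65535)   # the ">1024" custom service from the post
NARROW_SERVICE = (6881, 6999)  # a 'manageable' port range instead (assumed)


def in_service(service, s):
    """A Service object matches on destination port only; App-ID is not consulted."""
    lo, hi = service
    return lo <= s.dst_port <= hi


def dos_policy_matches(sessions, service):
    """Sessions a service-based DoS policy would count, plus the non-BitTorrent ones caught."""
    matched = [s for s in sessions if in_service(service, s)]
    collateral = [s for s in matched if s.app != "bittorrent"]
    return matched, collateral


def enforce_concurrent_limit(sessions, service, max_concurrent):
    """Simplified Resource Protection: one aggregate counter of concurrent sessions
    matching the service; the limit is applied in arrival order. Returns (allowed, dropped)."""
    active, allowed, dropped = 0, [], []
    for s in sessions:
        if in_service(service, s):
            if active >= max_concurrent:
                dropped.append(s)   # limit reached: this session is refused
                continue
            active += 1             # this session occupies one of the slots
        allowed.append(s)
    return allowed, dropped


if __name__ == "__main__":
    for name, svc in (("wide", WIDE_SERVICE), ("narrow", NARROW_SERVICE)):
        matched, collateral = dos_policy_matches(SESSIONS, svc)
        allowed, dropped = enforce_concurrent_limit(SESSIONS, svc, 2)
        print(name, "counted:", len(matched), "non-bittorrent:", [s.app for s in collateral],
              "dropped:", [(s.app, s.dst_port) for s in dropped])
```

With the wide service, the SSL session on 8443 takes one of the two slots, so a later BitTorrent session is refused and the SSH and RDP sessions are refused too; with the narrow range only BitTorrent sessions are counted.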
Follow the complete discussion here: Blocking-Bittorrent.
As always, we welcome feedback and comments below.
Thanks for reading.
Kim Wens