Topics covered in this article:
- BitTorrent filtering.
- Incoming P2P traffic shaping.
BitTorrent
When you want to detect, and possibly also control or traffic shape, BitTorrent traffic (for example, from the uTorrent client), you must select both of these applications in Application Control:
- BitTorrent
- uTP (Micro Transport Protocol)
It is common to forget to also apply Application Control to the uTP protocol, which BitTorrent uses for the actual file transfers. If uTP is left out, it will look as if Application Control cannot correctly detect BitTorrent traffic: the speed will not be limited, or BitTorrent will keep working even though the action is set to block it.
You can read more about uTP at this link: http://en.wikipedia.org/wiki/Micro_Transport_Protocol
Incoming P2P traffic shaping
P2P traffic can be initiated both from the inside to the outside (the expected direction) AND from the outside to the inside (which is why you usually need to set up port forwarding/SAT, or Allow policies in a Transparent Mode setup).
This means that to traffic shape P2P traffic properly, you must set up Application Control with different Forward and Return pipes depending on the direction in which the traffic is initiated. If you do not, inbound and outbound traffic will be mixed in the in and out pipes respectively, and your traffic shaping will not behave as you expect.
A Setup Example
Create two Pipes:
- in-pipe, Grouping = Destination IP
- out-pipe, Grouping = Source IP
Grouping is needed to be able to run the “pipes -users” command later.
Create two Application Control Rule sets:
- P2P_out: Family = peer_to_peer, Fwd = out-pipe, Ret = in-pipe
- P2P_in: Family = peer_to_peer, Fwd = in-pipe, Ret = out-pipe
Outbound IP Policy
On the outbound IP Policy (usually a NAT policy, but an Allow policy in a Transparent Mode scenario), assign the P2P_out rule:
NAT_out NAT lan lannet wan all-nets all_tcpudpicmp AC=P2P_out
For transparent mode setups:
Allow_out Allow lan lannet wan all-nets all_tcpudpicmp AC=P2P_out
Please note that NATing/Allowing all ports (or even all protocols!) like this is considered unsafe. You should do your best to limit what you are letting out from your internal network!
Inbound IP Policy
On the inbound IP Policy (usually an IP Policy with destination translation, but an Allow rule in a Transparent Mode scenario), assign the P2P_in rule:
P2P_in SAT any all-nets core wan_ip “TCP destport=xyz” SetDestinationIP=<P2P_client_ip> AC=P2P_in
For transparent mode setups:
Allow_in wan all-nets lan <P2P_client_ip> AC=P2P_in
Verify correct functioning
When running the P2P software, verify your settings with the CLI commands:
- “pipes -users in-pipe”
- “pipes -users out-pipe”
You should not see:
- IPs from the outside in the out-pipe.
- IPs from the inside in the in-pipe.
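The following Python script is an added example (not from the article and not part of cOS Core) that automates the check above once you have pasted the CLI output into text files. The dump layout in the sample, the lannet value and all addresses are constructed for the example and do not reproduce the real cOS Core output; the script only relies on each user line carrying one IPv4 key. It flags outside addresses in either pipe: in the out-pipe that is the symptom listed above, and because the in-pipe is grouped by destination address and only carries traffic towards the inside, an outside key there likewise means traffic was put into the return pipe of the wrong rule set.

```python
"""Hypothetical post-check for the P2P pipe setup: not part of cOS Core,
nor of the original article.  Feed it the text captured from
"pipes -users in-pipe" and "pipes -users out-pipe"; it reports every
per-user key that is not an inside (lannet) address."""
import ipaddress
import re

# Constructed for this example: the network object behind "lan" (lannet).
LANNET = ipaddress.ip_network("192.168.1.0/24")

# Matches the first dotted-quad on a line; IPv6 keys are out of scope here.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample dumps.  The column layout is ASSUMED, not the real
# cOS Core output; only the presence of one address per user line matters.
SAMPLE_IN_PIPE = """\
Pipe in-pipe  grouping=DestinationIP
User              Rate (bps)
192.168.1.10      412000
192.168.1.23      98000
"""

SAMPLE_OUT_PIPE = """\
Pipe out-pipe  grouping=SourceIP
User              Rate (bps)
192.168.1.10      87000
192.168.1.23      15000
203.0.113.7       310000
"""


def extract_user_keys(output):
    """Return the IPv4 user keys found in a pipes -users dump, in order."""
    keys = []
    for line in output.splitlines():
        m = _IPV4_RE.search(line)
        if not m:
            continue  # banner / column-header lines carry no address
        try:
            keys.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # "999.1.1.1" matches the regex but is not an address
    return keys


def foreign_users(output, lannet=LANNET):
    """Keys that are not on lannet.

    in-pipe is grouped by destination IP and only carries traffic towards
    the inside; out-pipe is grouped by source IP and only carries traffic
    from the inside.  With the rule sets wired up correctly every key is
    therefore an inside host; an outside address means traffic landed in
    the pipe of the wrong rule set (P2P_in/P2P_out swapped or missing).
    """
    return [str(ip) for ip in extract_user_keys(output) if ip not in lannet]


def audit(dumps, lannet=LANNET):
    """Map pipe name -> list of offending keys, for the dumps given."""
    return {name: foreign_users(text, lannet) for name, text in dumps.items()}


if __name__ == "__main__":
    result = audit({"in-pipe": SAMPLE_IN_PIPE, "out-pipe": SAMPLE_OUT_PIPE})
    for pipe, bad in result.items():
        status = "OK" if not bad else "CHECK: outside address(es) " + ", ".join(bad)
        print(f"{pipe}: {status}")
```

Replace LANNET with your own lannet object and pass the real captured output to audit(); any pipe that comes back with a non-empty list is worth re-checking against the Forward/Return pipe assignment of the rule set bound to that IP Policy.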