Traffic Policy
A traffic policy determines the traffic to which bandwidth management applies to and how to manage bandwidth resources.
A traffic policy references a traffic profile. When a FW determines that traffic matches a specified traffic policy, the FW allocates bandwidth resources to the traffic based on the traffic profile referenced by the traffic policy.
Traffic Policy Rules
A traffic policy contains a set of rules. Each rule defines matching conditions and actions to perform on traffic that matches the traffic policy.
The FW matches traffic with traffic policies based on the following conditions:
- Source security zone or inbound interface
- Destination security zone or outbound interface
- Source address or region
- Destination address or region
- User name
- Service name
- Application name
- URL categories
- Schedule
- DSCP value
The actions are as follows:
Limit
The FW implements bandwidth management for the traffic matching the specified conditions. The action is specified in the traffic profile referenced in the specified traffic policy.
Not limit
The FW does not implement bandwidth management on the traffic matching the specified conditions.
The default traffic policy on the FW has all the matching conditions set to "any" and the action set to not limit.
Hierarchical Policies
The bandwidth management function provided by the FW supports hierarchical policies, so that you can configure multiple child bandwidth policies under one bandwidth policy. The FW supports a maximum of four-level policies which are matched from top to bottom as displayed on the UI. The policy matching stops when the traffic matches all conditions of one policy in a traffic profile. Traffic is always matched with a parent policy before matching child policies.
Compared with an independent traffic policy, hierarchical policies achieve better bandwidth multiplexing. For example, Department A has three project teams: Team 1, Team 2, and Team 3. A parent policy can be configured to limit the total amount of bandwidth available to Department A, and one child policy can be configured for each team to limit the amount of bandwidth they can use.
In this example shown in Figure 1, the total amount of bandwidth available to Department A is 4 Mbit/s. If the traffic of Team 3 (child policy 3) uses bandwidth of 1 Mbit/s, then the remaining bandwidth in the parent policy is 3 Mbit/s, which can be shared by the traffic of Team 1 (child policy 1) and Team 2 (child policy 2). Without the hierarchical policy, each team can use only the amount of bandwidth allowed by its own child policy, and the bandwidth resources of Department A cannot be multiplexed.