DotW: Limiting BitTorrent Traffic

Created On 09/25/18 19:05 PM - Last Modified 05/31/23 19:20 PM


Resolution


Peer-to-peer file sharing applications are now widely used. How can we control this kind of traffic? Without some controls in place, these applications can saturate links to the point that other, more important applications suffer from latency.

This question was raised by Jan.Meylaers in the community thread "blocking bittorrent".

There are multiple ways to go about this, and several members of the community jumped in with recommendations.

Gwesson pointed out that PAN-OS can do application-specific QoS and recommended setting up a QoS policy to limit the maximum bandwidth available for the BitTorrent application. So rather than trying to limit the number of sessions, you make it slow. Users would still be able to use BitTorrent; the application would simply be slowed to the allowed bandwidth.

There is a great article explaining exactly how to do application-specific QoS:

QoS configuration example

QoS is a great way to limit the bandwidth. It does not limit the number of sessions.
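Here is what the QoS approach looks like expressed as PAN-OS configure-mode 'set' commands. This is an added example, not configuration from the original article or from the linked QoS configuration example. The profile and rule names, the interface ethernet1/1 and the bandwidth figures are placeholders, and the command paths are written from the PAN-OS configuration tree, so confirm them against the CLI reference for the release you run before committing.

```text
# Added example: PAN-OS "set" commands (configure mode) for application-specific QoS.
# Profile/rule names, the interface and the bandwidth values are placeholders.

# 1. QoS profile: cap the class BitTorrent will be mapped to (class3) at 2 Mbps egress.
#    Other classes keep their defaults (class4 is the default class for unmatched traffic).
set network qos profile bt-qos class class3 priority low
set network qos profile bt-qos class class3 class-bandwidth egress-max 2

# 2. QoS policy: traffic identified as the bittorrent App-ID goes to class 3.
#    Matching is on the application, not on a port, so it does not matter which ports the client uses.
set rulebase qos rules mark-bittorrent from any
set rulebase qos rules mark-bittorrent to any
set rulebase qos rules mark-bittorrent source any
set rulebase qos rules mark-bittorrent destination any
set rulebase qos rules mark-bittorrent source-user any
set rulebase qos rules mark-bittorrent application bittorrent
set rulebase qos rules mark-bittorrent service any
set rulebase qos rules mark-bittorrent action class 3

# 3. Enable QoS on the egress interface and attach the profile to the default (clear-text) group.
set network qos interface ethernet1/1 enabled yes
set network qos interface ethernet1/1 interface-bandwidth egress-max 100
set network qos interface ethernet1/1 regular-traffic default-group qos-profile bt-qos

commit
```

QoS in PAN-OS shapes traffic as it leaves an interface. To slow BitTorrent downloads the profile belongs on the LAN-facing interface, where that traffic egresses toward the clients; to slow uploads, apply it on the Internet-facing interface as well. The cap is on bandwidth only: a client can still open as many sessions as the security policy allows, which is why the session limit discussed in the rest of the article is a separate exercise.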

Limiting the number of sessions is a little more tricky because it can only be done on a service, as Jan.Meylaers pointed out.

First of all, you need to configure a DoS Protection Profile using 'Resource Protection', where you can configure the Maximum Concurrent Sessions:

Objects tab > Security Profiles > DoS Protection.

(Screenshot: DoS protection profile)

After you have a DoS protection profile, you can use it in the DoS Protection Policy:

Policies tab > DoS Protection:

(Screenshot: DoS Protection Policies)

Notice, however, that you can only use a 'Service' and not an 'Application', as Jan.Meylaers previously mentioned.

User lwheelock jumped in on the discussion, saying that you could create a separate service for your BitTorrent allow rule.

You can create a new service here:

Objects tab > Services > Click Add

(Screenshot: custom service)

Notice in the above screenshot, I've selected the port range >1024, as mentioned by user lwheelock.

You could limit the port range to whatever you want, so the BitTorrent application is allowed only over a set of ports.

So instead of using the application-default service, you configure the custom service on your security rule, and your BitTorrent security rule would look something like this:

(Screenshot: TCP service)

The above rule will allow the BitTorrent application on the ports you have configured in the 'Service'.

Finally, to limit the number of sessions, you configure a DoS Protection Policy using the custom service and the DoS Protection Profile you created:

(Screenshot: DoS Protection Policy)

A word of caution: if you cannot isolate the BitTorrent traffic in the DoS protection policy, then other traffic using the same ports from your custom Service will also match the DoS protection policy and be limited by the same profile!

If you are unable to isolate the BitTorrent traffic, then you could limit the number of allowed ports to a 'manageable' space.
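The whole session-limiting procedure (custom service, security rule, DoS Protection Profile and DoS Protection Policy) expressed as PAN-OS configure-mode 'set' commands. This is an added example rather than the article's own configuration. The object and rule names, the zones trust and untrust, the 200-session cap and the 6881-6889 port range (the range BitTorrent clients have traditionally used, chosen here to keep the service small as the caution above suggests) are placeholders, and the command paths follow the PAN-OS configuration tree, so check them against the CLI reference for your release before committing.

```text
# Added example: PAN-OS "set" commands (configure mode) for capping BitTorrent sessions.
# Names, zones, the session limit and the port range are placeholders chosen for illustration.

# 1. Custom service restricted to a small, manageable port range
#    (instead of the wide-open ">1024" range, so fewer unrelated sessions match later).
set service bt-ports protocol tcp port 6881-6889

# 2. Security rule that allows the bittorrent App-ID only over that service
#    (instead of application-default).
set rulebase security rules allow-bittorrent from trust
set rulebase security rules allow-bittorrent to untrust
set rulebase security rules allow-bittorrent source any
set rulebase security rules allow-bittorrent destination any
set rulebase security rules allow-bittorrent source-user any
set rulebase security rules allow-bittorrent category any
set rulebase security rules allow-bittorrent application bittorrent
set rulebase security rules allow-bittorrent service bt-ports
set rulebase security rules allow-bittorrent action allow

# 3. DoS Protection Profile (aggregate) with Resource Protection:
#    at most 200 concurrent sessions for everything the DoS rule matches.
set profiles dos-protection bt-session-cap type aggregate
set profiles dos-protection bt-session-cap resource sessions enabled yes
set profiles dos-protection bt-session-cap resource sessions max-concurrent-limit 200

# 4. DoS Protection Policy matched on the custom service.
#    DoS rules cannot match on an application, only on a service, hence the narrow port range.
set rulebase dos rules limit-bt from zone trust
set rulebase dos rules limit-bt to zone untrust
set rulebase dos rules limit-bt source any
set rulebase dos rules limit-bt destination any
set rulebase dos rules limit-bt service bt-ports
set rulebase dos rules limit-bt action protect
set rulebase dos rules limit-bt protection aggregate profile bt-session-cap

commit
```

An aggregate profile applies the 200-session cap to everything the DoS rule matches, so one heavy user can exhaust it for everyone; if you want the limit enforced per client, use a classified profile with classification on the source IP instead. Either way, any non-BitTorrent traffic that lands on TCP 6881-6889 between those zones is counted too, so keep the range narrow. DoS Protection events are written to the Threat log, which is where to look to confirm the cap is taking effect.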

Follow the complete discussion here: Blocking-Bittorrent.

As always, we welcome feedback and comments below.

Thanks for reading.

Kim Wens


