Configure Application Traffic Shaping on Sophos Firewall
Application Traffic Shaping lets Sophos Firewall prioritise or limit applications. This gives important services such as Microsoft 365, Teams, VoIP or ERP systems a better chance of stable bandwidth, while less critical traffic can be restricted.
Traffic shaping is not a replacement for properly sized internet links, but it is an important tool when several applications compete for the same connection.
When Application Traffic Shaping is useful
Traffic shaping is especially helpful in environments with limited or heavily shared bandwidth.
Typical examples:
- Microsoft Teams or VoIP should be prioritised.
- Microsoft 365 should run more reliably.
- Backup, update or cloud sync traffic should be limited.
- Streaming or social media should receive lower priority.
- Business-critical applications should take precedence.
- Guest networks should be limited.
The important point is to define the goal first: should traffic be prioritised, guaranteed or limited?
⚠️ Traffic shaping cannot create missing bandwidth. If the line is permanently overloaded, shaping only helps with prioritisation. The cause of the overload still needs to be investigated.
Requirements
Before configuring it, check the following:
- Web Protection is licensed. Application Control is part of the Web Protection licence and is therefore also included in the Standard Protection licence bundle. You can check the licence status under System > Administration > Licensing. Sophos also lists Application Control as part of Web Protection in the licensing overview: Sophos Firewall licensing info.
- The affected applications are correctly detected by the firewall.
- The internet bandwidth is realistically known.
- The relevant firewall rules have been identified.
- Logging is enabled for the affected rules.
- It is clear which applications should be prioritised or limited.
For a clean configuration, do not start with many rules at once. It is better to begin with one clear use case, such as prioritising Teams or limiting streaming.
Define the traffic shaping strategy
Before the technical configuration, define the strategy.
Possible goals:
- Prioritise critical applications.
- Limit non-essential applications.
- Reserve minimum bandwidth for specific services.
- Set maximum bandwidth for guest networks.
- Treat uploads and downloads differently.
For real-time services such as Teams, VoIP or video conferencing, latency is often more important than raw bandwidth. After implementation, check not only speed but also quality and stability.
Create a traffic shaping policy
Traffic shaping policies are created under Configure > System services > Traffic shaping.
- Sign in to the Sophos Firewall WebAdmin.
- Open System services.
- Go to the Traffic shaping tab.
- Create a new traffic shaping policy.
- Under Policy association, choose how the policy will be used later.
- Select the rule type, priority and bandwidth values.
- Save the policy.

For Policy association, the intended use is important:
- Rules: The policy is selected directly in a firewall rule in the Shape traffic field.
- Applications: The policy is used based on applications. It can be assigned to an application or application category under Protect > Applications > Traffic shaping default.
- Users or Web categories: For user-based or web-category-based scenarios.
For simple Teams or VoIP prioritisation, Rules is usually the easiest option to understand. If several applications within the same firewall rule need different shaping policies, Applications is more useful.
The values should match the actual internet connection. If the configured bandwidth is too high, the firewall cannot control the bottleneck effectively.
Prepare the Application Filter
For traffic shaping to apply to applications, the firewall must be able to identify the application. For Microsoft Teams, OneDrive and other known applications, the signatures already exist. You do not need to define the application from scratch; you create a suitable selection.
The menu path is Protect > Applications > Application filter.
The Application Filter ensures that the firewall rule identifies the relevant traffic as Microsoft Teams, OneDrive, VoIP or another application.
Example for Microsoft Teams:
- Open Protect > Applications > Application filter.
- Create a new Application Filter.
- Enter a descriptive name, for example Microsoft Teams.
- Add a new application rule.
- Search for microsoft teams using the Smart Filter.
- Select the relevant Microsoft Teams applications.
- Set the action to Allow.
- Save the filter.

Applications can also be grouped under Protect > Applications > Application object. For the usual selection in a firewall rule, however, the Application Filter is generally the clearer starting point.

For cloud services, test carefully. Microsoft 365 consists of many services. It is often better to check Teams, OneDrive, SharePoint or Exchange specifically instead of creating a very broad category.
Assign Application Traffic Shaping
If you want to use the application-based variant, the traffic shaping policy is not only assigned in the firewall rule. The actual assignment to the application is done under Protect > Applications > Traffic shaping default.
- Open Protect > Applications > Traffic shaping default.
- Search for the application or application category, for example Microsoft Teams or the relevant cloud category.
- Edit the entry.
- Select a compatible traffic shaping policy.
- Save the change.
A policy on a single application takes precedence over a policy at category level. This is useful if an entire category is limited, but individual business-critical applications inside it should still be guaranteed or prioritised.
If you only want to use a simple rule-based policy, you can skip this step. In that case, selecting the policy in the Shape traffic field of the firewall rule is sufficient.
Apply the policy in a firewall rule
Traffic shaping usually becomes effective through a firewall rule. The menu path is Protect > Rules and policies > Firewall rules.
- Open the firewall rule that the traffic really uses.
- Open Other security features.
- Under Identify and control applications (App control), select the correct Application Filter.
- Under Shape traffic, select the traffic shaping policy.
- Decide whether Apply application-based traffic shaping policy must be enabled.
- Save the firewall rule.
- Test the affected application.
The most important question is the checkbox Apply application-based traffic shaping policy:
- Checkbox not selected: The policy selected under Shape traffic applies directly to the traffic of this firewall rule. This is the simpler option if the entire rule should receive the same shaping value.
- Checkbox selected: The firewall considers application-based traffic shaping policies from Protect > Applications > Traffic shaping default. This is useful if individual applications or application categories within the same firewall rule should be handled differently.


For a first setup, I usually recommend the simple variant: select an Application Filter, create a traffic shaping policy with Policy association > Rules, select it under Shape traffic and leave the checkbox disabled. Only when several applications in the same rule need different priorities or limits is it worth using the application-based variant with Traffic shaping default and the checkbox enabled.
Rule order is important. If traffic is handled by a more general rule above it, such as an existing LAN to WAN rule, it will never reach the newly created specific rule. In that case, neither Application Control nor traffic shaping applies in the expected rule.
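The decision path described in this section, as an added example in Python (a simplified model, not Sophos code or an export format): the first matching rule handles the flow, the checkbox decides whether the rule's Shape traffic policy or the Traffic shaping default assignment applies, and an application assignment beats a category assignment. All rule, network, category and policy names are constructed, and treating an enabled checkbox without any assignment as "no shaping" is an assumption drawn from the text.

```python
# Simplified model of the logic described above (added example, not Sophos
# code). Field names and sample rules are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str = "Any"        # "Any" matches every source network
    shape_policy: str = ""      # "Shape traffic" field; "" means none selected
    app_based: bool = False     # "Apply application-based traffic shaping policy"

def covers(rule, src_zone, dst_zone, src_net):
    return ((rule.src_zone, rule.dst_zone) == (src_zone, dst_zone)
            and rule.src_net in ("Any", src_net))

def effective_policy(rules, app_defaults, cat_defaults, flow):
    """Return (matching rule name, shaping policy) for a flow dict."""
    for rule in rules:          # top-down, first match handles the flow
        if covers(rule, flow["src_zone"], flow["dst_zone"], flow["src_net"]):
            if not rule.app_based:
                # Checkbox off: the rule's own policy covers all its traffic.
                return rule.name, rule.shape_policy
            # Checkbox on: use Traffic shaping default; application beats
            # category. Assumption from the text: no assignment, no shaping.
            return rule.name, app_defaults.get(
                flow["app"], cat_defaults.get(flow["category"], ""))
    return None, ""

def shadowed(rules):
    """Rules that never match because a broader rule sits above them."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(a, r.src_zone, r.dst_zone, r.src_net)
                   for a in rules[:i])]

# Constructed sample: the Teams rule was created below the general rule.
RULES = [
    Rule("LAN to WAN", "LAN", "WAN"),
    Rule("Teams clients", "LAN", "WAN", "Office-Net", "Teams-High", False),
    Rule("Guest", "GUEST", "WAN", app_based=True),
]
APP_DEFAULTS = {"Microsoft Teams": "Teams-Guaranteed"}
CAT_DEFAULTS = {"Conferencing": "Conf-Limit", "Streaming Media": "Stream-Limit"}
TEAMS = {"src_zone": "LAN", "dst_zone": "WAN", "src_net": "Office-Net",
         "app": "Microsoft Teams", "category": "Conferencing"}

if __name__ == "__main__":
    print(shadowed(RULES), effective_policy(RULES, APP_DEFAULTS, CAT_DEFAULTS, TEAMS))
```

With the sample order, the Teams flow is handled by the general rule and receives no shaping policy; moving the specific rule above the general one changes the result to its own policy.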
Check the effect
After configuration, check whether the application is correctly detected and controlled.
Check the following:
- Live logs on the firewall.
- Application Control logs.
- Reports for top applications.
- Bandwidth usage per rule.
- User feedback for real-time services.
- Speed tests only as an additional check.
For pure bandwidth tests, iPerf or a speed test can be helpful. See also: Sophos Firewall troubleshooting with iPerf and speed tests
Common mistakes
Application is not detected
Check whether an Application Filter is selected under Other security features in the firewall rule. The traffic must also actually pass through this rule.
Shaping has no visible effect
Check the bandwidth values of the policy and the rule order. If the internet connection is not saturated, you often will not see an obvious effect.
If Apply application-based traffic shaping policy is enabled, a matching application or category must also really have a traffic shaping policy assigned under Protect > Applications > Traffic shaping default. The checkbox alone does not create prioritisation.
Traffic uses a general rule
If a general rule such as LAN to WAN is already above the new rule, the traffic may be processed there. The specific rule for Microsoft Teams, VoIP or cloud apps is then never matched. In that case, the specific rule must be placed above the general rule or the existing rule must be adjusted.
Microsoft 365 works worse
Microsoft 365 consists of many services and connections. Do not limit the entire category blindly. Test specifically and monitor Teams, Exchange, SharePoint and OneDrive separately.
Guest network still uses too much bandwidth
Check whether guest traffic uses the correct firewall rule and whether the traffic shaping policy is active there.
Recommendation
Start with a small number of clear policies. Prioritise business-critical applications and limit traffic that actually causes problems. Then monitor logs and reports and adjust the values gradually. Traffic shaping works best when it is targeted and easy to understand.