Configure Application Traffic Shaping on Sophos Firewall
With Application Traffic Shaping, the Sophos Firewall can prioritise or limit applications. This ensures that essential services like Microsoft 365, Teams, VoIP, or ERP systems have a better chance of stable bandwidth, while less critical traffic can be restricted.
Traffic Shaping does not replace proper line dimensioning but is an important tool when multiple applications compete for the same internet line.
When Application Traffic Shaping is Useful
Traffic Shaping is particularly helpful in environments with limited or heavily shared bandwidth.
Typical examples:
- Microsoft Teams or VoIP should be prioritised.
- Microsoft 365 should run more stably.
- Backup, update, or cloud sync traffic should be limited.
- Streaming or social media should receive lower priority.
- Business-critical applications should take precedence.
- Guest networks should be limited.
It is important to first define the goal: Should traffic be prioritised, guaranteed, or limited?
⚠️ Traffic Shaping cannot create missing bandwidth. If the line is permanently overloaded, shaping only helps with prioritisation. The cause of the overload must still be examined.
Prerequisites
Before configuration, you should check:
- Web Protection is licensed. Application Control is part of the Web Protection licence and is included in the Standard Protection licence bundle. Check the licence status under System > Administration > Licensing.
- The affected applications are correctly recognised by the firewall.
- The internet bandwidth is realistically known.
- The relevant firewall rules are identified.
- Logging is enabled for the affected rules.
- It is clear which applications should be prioritised or limited.
For a clean configuration, you should not start directly with many rules. It is better to have a clear initial use case, such as prioritising Teams or limiting streaming.
Define Traffic-Shaping Strategy
Before technical implementation, you should define the strategy.
Possible goals:
- Prioritise critical applications.
- Limit unimportant applications.
- Reserve minimum bandwidth for certain services.
- Set maximum bandwidth for guest networks.
- Treat uploads or downloads differently.
For real-time services like Teams, VoIP, or conferencing services, latency is often more important than pure bandwidth. Therefore, after implementation, you should check not only speed but also quality and stability.
Assess Bandwidth and Direction Correctly
Traffic Shaping only makes sense if it is clear where the bottleneck lies. For many internet connections, the upload is significantly more limited than the download. This is where problems with Teams, VoIP, VPN, cloud backups, or file synchronisation first become noticeable.
Before creating the policy, you should note:
- Which line or WAN gateway is affected?
- Is download, upload, or both overloaded?
- Does the traffic run over a single WAN line or over SD-WAN?
- Which application should have priority and which can be slower?
- Are there backup, update, or sync jobs running at the same time?
The values in a Traffic-Shaping Policy should match the real line, not the theoretical provider specification. If a line nominally delivers 100/20 Mbps but only 80/15 Mbps is stably achieved in everyday life, planning should be done with realistic values.
Typical mistakes and their effects:
- Maximum value higher than the real line: The firewall cannot manage the bottleneck cleanly.
- Upload is ignored: Conferences and VoIP remain unstable.
- Too many applications are prioritised: Prioritisation loses effectiveness.
- Guest network is only limited in download: Upload can still disrupt productive services.
- SD-WAN path is not checked: Policy affects a different path than expected.
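The planning mistakes above can be checked before any policy is created. The following is an added example, not Sophos code: the plan format, the policy names and the max_prioritised threshold are assumptions, and the line values are the 100/20 nominal and 80/15 measured Mbps from the text.

```python
# Added example: the plan format below is constructed for illustration,
# it is not a Sophos export format or API.
MEASURED = {"down": 80, "up": 15}  # Mbps achieved in everyday use (100/20 nominal)

def check_plan(policies, measured, max_prioritised=3):
    """Return (policy, finding) tuples for the planning mistakes listed above.

    max_prioritised is an assumed threshold; the article gives no number.
    """
    findings = []
    for pol in policies:
        for direction in ("down", "up"):
            limit = pol.get(direction)
            if limit is not None and limit > measured[direction]:
                findings.append((pol["name"],
                                 f"{direction} limit {limit} > measured {measured[direction]} Mbps"))
        if pol.get("down") is not None and pol.get("up") is None:
            findings.append((pol["name"], "only download is limited, upload is ignored"))
    prioritised = [pol["name"] for pol in policies if pol.get("prioritised")]
    if len(prioritised) > max_prioritised:
        findings.append(("plan", f"{len(prioritised)} prioritised policies dilute prioritisation"))
    return findings

# Constructed plan written against the provider's nominal 100/20 Mbps.
NOMINAL_PLAN = [
    {"name": "WAN total", "down": 100, "up": 20},
    {"name": "Teams", "down": 20, "up": 5, "prioritised": True},
    {"name": "Guest network", "down": 10, "up": None},
]
# The same plan corrected to the measured 80/15 Mbps, with a guest upload limit.
REALISTIC_PLAN = [
    {"name": "WAN total", "down": 80, "up": 15},
    {"name": "Teams", "down": 20, "up": 5, "prioritised": True},
    {"name": "Guest network", "down": 10, "up": 2},
]

if __name__ == "__main__":
    for name, finding in check_plan(NOMINAL_PLAN, MEASURED):
        print(f"{name}: {finding}")
    print("findings in realistic plan:", len(check_plan(REALISTIC_PLAN, MEASURED)))
```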
Create Traffic-Shaping Policy
Traffic-Shaping Policies are created under Configure > System services > Traffic shaping.
- Log in to the WebAdmin of the Sophos Firewall.
- Open System services.
- Switch to the Traffic shaping tab.
- Create a new Traffic-Shaping Policy.
- In Policy association, select how the policy should be used later.
- Set rule type, priority, and bandwidth values.
- Save the policy.

The choice in Policy association depends on what the policy is intended for:
- Rules: The policy is directly selected in a firewall rule in the Shape traffic field.
- Applications: The policy is used based on applications. The assignment to an application or application category is done under Protect > Applications > Traffic shaping default.
- Users or Web categories: For user- or web category-based scenarios.
For simple Teams or VoIP prioritisation, Rules is usually the most understandable option. If multiple applications within the same firewall rule are to receive different shaping policies, Applications is more useful.
The values should match the actual line. If the bandwidth is entered too high, the firewall cannot manage the bottleneck effectively.
Prepare Application Filter
For Traffic Shaping to be applied to applications, the firewall must recognise the application. For Microsoft Teams, OneDrive, or other known applications, the signatures are already available. You do not need to redefine the application; you only create a suitable selection.
The menu path is Protect > Applications > Application filter.
The Application Filter ensures that the firewall rule recognises the appropriate traffic as Microsoft Teams, OneDrive, VoIP, or another application.
If it is not about prioritisation or bandwidth but about Application Control itself, the guide "Set up and test Sophos Firewall Application Control" is the more appropriate starting point.
Example for Microsoft Teams:
- Open Protect > Applications > Application filter.
- Create a new Application Filter.
- Give it a descriptive name, such as Microsoft Teams.
- Add a new application rule.
- Use the Smart Filter to search for microsoft teams.
- Select the appropriate Microsoft Teams applications.
- Set the action to Allow.
- Save the filter.

Under Protect > Applications > Application object, you can also group applications. However, for the classic selection in a firewall rule, the Application Filter is usually the more understandable starting point.

For cloud services, careful testing is advisable. Microsoft 365 consists of many services. It is often better to specifically check Teams, OneDrive, SharePoint, or Exchange rather than forming a very broad category.
Assign Application Traffic Shaping
If you want to use the application-based variant, selecting the Traffic-Shaping Policy in the firewall rule is not enough. The actual assignment to the application is done under Protect > Applications > Traffic shaping default.
- Open Protect > Applications > Traffic shaping default.
- Search for the application or application category, such as Microsoft Teams or the appropriate cloud category.
- Edit the entry.
- Select a compatible Traffic-Shaping Policy.
- Save the change.
A policy on a single application takes precedence over a policy at the category level. This is helpful if an entire category is limited, but individual business-critical applications within it still need to be guaranteed or prioritised higher.
If you only want to use a simple rule-based policy, this step can be skipped. Then selecting in the Shape traffic field of the firewall rule is sufficient.
Apply Policy in Firewall Rule
Traffic Shaping usually takes effect through a firewall rule. The menu path is Protect > Rules and policies > Firewall rules.
- Open the firewall rule through which the traffic actually runs.
- Open the Other security features section.
- In Identify and control applications (App control), select the appropriate Application Filter.
- In Shape traffic, select the Traffic-Shaping Policy.
- Decide whether Apply application-based traffic shaping policy needs to be enabled.
- Save the firewall rule.
- Test the affected application.
The most important decision is whether to set the tick at Apply application-based traffic shaping policy:
- Tick not set: The policy selected under Shape traffic applies directly to the traffic of this firewall rule. This is the simpler option if the entire rule should receive the same shaping value.
- Tick set: The firewall considers application-based Traffic-Shaping Policies from Protect > Applications > Traffic shaping default. This is useful if individual applications or application categories within the same firewall rule should be treated differently.


For beginners, I usually recommend the simple variant: select Application Filter, create a Traffic-Shaping Policy with Policy association > Rules, select it in Shape traffic, and do not set the tick. Only if multiple applications within the same rule should be prioritised or limited differently does the application-based variant with Traffic shaping default and enabled tick make sense.
The rule order is important. If traffic runs over a more general rule higher up, such as an existing LAN to WAN rule, it does not reach the newly created specific rule. Then neither Application Control nor Traffic Shaping applies in the expected rule.
Plan Rollout and Tuning
Traffic Shaping should not be understood as a one-time setting. The first policy is usually just a starting point. Only with real logs, reports, and user feedback can you see if the application is correctly recognised and if the set values match the line.
For productive environments, a small rollout is advisable:
- Select a specific use case, such as prioritising Teams or limiting backup traffic.
- Document current line utilisation and affected firewall rule.
- Create a Traffic-Shaping Policy with conservative values.
- Apply the policy first to a clearly defined rule or user group.
- Check live logs, application control logs, and top applications.
- Adjust values based on real observations after a few days.
- Document owner and review date for the policy.
The upload direction is particularly important. Many complaints about conferencing services, VoIP, or cloud applications do not arise from a lack of download but from limited upload, parallel backups, or cloud sync. If only the download is considered, the actual bottleneck often remains invisible.
With multiple WAN lines, you should also check which path is actually used. SD-WAN routes, gateway status, and route precedence can influence whether the expected shaping policy affects the relevant traffic. For assessing SD-WAN paths, the guide "Check Sophos Firewall SD-WAN Routing for Reply Packets and System Traffic" is suitable.
For comparison measurements before and after the change, the guide "Test Sophos Firewall Performance with iPerf" is suitable. It is important to use the same direction, the same source, the same destination, and preferably the same time of day. Otherwise, an external server, WLAN, or parallel traffic is quickly confused with the effect of the shaping policy.
Check Effectiveness
After configuration, you should check whether the application is correctly recognised and controlled.
Check:
- Live logs of the firewall.
- Application control logs.
- Reports on top applications.
- Bandwidth usage per rule.
- User feedback on real-time services.
- Speed tests only as a supplement.
For pure bandwidth tests, an iPerf or speed test can be helpful. The appropriate guide is "Sophos Firewall Troubleshooting with iPerf and Speedtest".
Common Errors
Application is Not Recognised
Check if an Application Filter is selected in the firewall rule under Other security features. Additionally, the traffic must actually run through this rule.
Shaping Shows No Effect
Check the bandwidth values of the policy and the rule order. If the line is not utilised, you often see no visible effect.
If Apply application-based traffic shaping policy is enabled, a suitable application or category with a Traffic-Shaping Policy must also be provided under Protect > Applications > Traffic shaping default. The tick alone does not create prioritisation.
Traffic Runs Over a General Rule
If a general rule like LAN to WAN is already above the new rule, the traffic may be processed there. The specific rule for Microsoft Teams, VoIP, or cloud apps is then never hit. In this case, the specific rule must be above the general rule or the existing rule must be adjusted accordingly.
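Two of the errors above (a specific rule that is never hit, and a set tick without a Traffic shaping default entry) can be found by reviewing the rule list offline. The following is an added example, not Sophos code: the rule model, the rule, policy and category names are constructed, and matching is simplified to zones and source networks, ignoring services and destination networks.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: constructed rule model, not a Sophos export format or API.
@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_nets: frozenset                 # {"Any"} matches every source
    apps: frozenset = frozenset()       # applications in the Application Filter
    shape_policy: Optional[str] = None  # "Shape traffic" field
    app_based: bool = False             # "Apply application-based ..." tick

def covers(general, specific):
    """True if every connection matching `specific` also matches `general`."""
    same_path = (general.src_zone, general.dst_zone) == (specific.src_zone, specific.dst_zone)
    return same_path and ("Any" in general.src_nets or specific.src_nets <= general.src_nets)

def audit(rules, shaping_default, category_of):
    """rules are in top-down order; shaping_default maps app or category to a policy."""
    findings = []
    for pos, rule in enumerate(rules):
        blocker = next((r for r in rules[:pos] if covers(r, rule)), None)
        if blocker is not None:
            findings.append((rule.name, f"never hit: '{blocker.name}' is above it"))
        if rule.app_based:
            for app in sorted(rule.apps):
                if app not in shaping_default and category_of.get(app) not in shaping_default:
                    findings.append((rule.name, f"tick set, no Traffic shaping default entry for {app}"))
    return findings

# Constructed sample configuration (rule, policy and category names are made up).
GENERAL = Rule("LAN to WAN", "LAN", "WAN", frozenset({"Any"}))
TEAMS = Rule("Teams priority", "LAN", "WAN", frozenset({"Office-LAN"}),
             frozenset({"Microsoft Teams"}), shape_policy="Teams-High")
GUEST = Rule("Guest apps", "GUEST", "WAN", frozenset({"Any"}),
             frozenset({"Microsoft Teams", "OneDrive"}), app_based=True)
CATEGORY_OF = {"Microsoft Teams": "Conferencing", "OneDrive": "Cloud storage"}

BEFORE = audit([GENERAL, TEAMS, GUEST], {"Microsoft Teams": "Teams-High"}, CATEGORY_OF)
AFTER = audit([TEAMS, GENERAL, GUEST],
              {"Microsoft Teams": "Teams-High", "Cloud storage": "Sync-Limit"}, CATEGORY_OF)

if __name__ == "__main__":
    for name, finding in BEFORE:
        print(f"{name}: {finding}")
    print("findings after reordering and adding the category entry:", len(AFTER))
```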
Microsoft 365 Works Worse
Microsoft 365 consists of many services and connections. Do not limit the entire category indiscriminately, but test specifically and observe Teams, Exchange, SharePoint, and OneDrive separately.
Guest Network Still Uses Too Much Bandwidth
Check if guest traffic runs through the correct firewall rule and if the Traffic-Shaping Policy is active there.
Frequently Asked Questions
Does Application Traffic Shaping require a licence?
Why is there no noticeable difference despite Traffic Shaping?
Should Microsoft Teams or the entire Microsoft 365 be prioritised?
Does Traffic Shaping help with insufficient bandwidth?
Which is better: Rule-based or application-based Traffic Shaping?
Operation and Review
It is best to start with a few clear policies. Business-critical applications are prioritised, and traffic that really disrupts is specifically limited. Then, Log Viewer, application control logs, reports, and user feedback should be observed for several days before the values are expanded or tightened.
For operation, each productive policy should be briefly documented:
- Purpose of the policy: Later it is recognisable whether the policy is still needed or is merely a historical leftover.
- Affected firewall rule: In case of rule changes, you can immediately see if the shaping is still in the right place.
- Prioritised or limited application: Broad categories can unintentionally affect too many services.
- Planned bandwidth values: After a provider change or SD-WAN rebuild, the values must be reassessed.
- Review date and owner: Without responsibility, ineffective policies often remain active for years.
Traffic Shaping remains helpful only if it is regularly reviewed. New cloud applications, changed Microsoft 365 services, additional WAN lines, new backup processes, or other firewall rules can cause an old policy to no longer fit the operation. Good policies therefore have a purpose, an owner, a review date, and a clear rollback path if they no longer show effect.
A review should not only ask if the policy still exists. The more important question is whether it still measurably helps:
- Does the traffic still hit the same firewall rule?
- Is the application still reliably recognised?
- Are the entered bandwidth values still realistic?
- Are there new bottlenecks due to backup, cloud sync, guest network, or SD-WAN?
- Do users still report quality issues with Teams, VoIP, or other real-time services?
- Can a temporary limitation be removed or weakened again?
If no effect is visible anymore, the policy should not just remain as a legacy. A controlled rollback is better: disable or remove the policy, check the affected rule, observe for a few days, and document the result. This way, Traffic Shaping remains a conscious operational tool and does not become an invisible source of error.