When a particular IP address uses too many resources, you can prevent that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.
This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.
Go to System > Feature Select and under Additional Features enable Traffic Shaping. Two new traffic shaping menus, Traffic Shapers and Traffic Shaping Policy, will appear under Policy & Objects.
Go to Policy & Objects > Addresses to define the address you would like to limit. Select Create New and select Address from the drop-down menu.
Enter a name: limited_bandwidth. Set Type to IP/Netmask. Set the Subnet/IP Range to the internal IP address you wish to limit (in this example, 192.168.10.10/32). Set Interface to Any.
Go to Policy & Objects > Traffic Shapers and select Create New to define a new shared Traffic Shaper profile.
Set Type to Shared. Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
Enter the name limited_bandwidth for your shaper and set the Traffic Priority to Medium. Setting a Traffic Priority will only have an impact if you have enabled Traffic Shaping in ALL your other Internet access policies using the same two interfaces. There must also be some variation between them: for example, you will not see any difference while all policies are set to the default setting (High).
Select Max Bandwidth and enter 200 kb/s (0.2 Mbps). If you would like to set a Guaranteed Bandwidth, make sure the rate is lower than the Max Bandwidth. Apply your changes.
By default, shared shapers apply shaping by evenly distributing the bandwidth to all policies using it. You can also enable Per Policy shaping to apply shaping individually to each policy. Right-click your new limited_bandwidth shaper, and select Edit in CLI from the drop-down menu.
Enter the following CLI commands:
set per-policy enable
end
Now that Per Policy shaping is enabled, edit your limited_bandwidth shaper and set Apply Shaper to Per Policy. Now, each security policy using this shaper will have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 200 kb/s (0.2 Mbps) each.
Go to Policy & Objects > IPv4 Policy and look at your general Internet access policy. Take note of the Incoming interface, Outgoing interface, Source and Destination.
If necessary, edit your policy and ensure that Logging Options is set to All Sessions for testing purposes.
Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a shaping policy that will set regular traffic to high priority.
Under Matching Criteria, set Source, Destination, Service to match your Internet Access policy.
Under Apply Shaper, set the Outgoing Interface to match your Internet Access policy and enable Shared Shaper and Reverse Shaper. Shared Shapers affect upload speeds and reverse shapers affect download speeds. Set both shapers to high-priority.
Select Create New to create a second traffic shaping policy that will affect the IP address you wish to limit.
Under Matching Criteria, set Source to limited_bandwidth. Set Destination and Service to ALL. Apply the shaper to the same Outgoing Interface. Enable Shared Shaper and Reverse Shaper and set both shapers to limited_bandwidth.
Order your traffic shaping policies so that your more granular limited_bandwidth policy is above your general high-priority Internet access policy. Click on the far left column of the policy and move it up or down to change the sequence order.
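The configuration steps above expressed as FortiOS CLI, as an added example that is not part of the original recipe. The outgoing interface name wan1, the policy IDs 1 and 2, and the all/ALL matching criteria of the general policy are assumptions; substitute the values from your own Internet access policy.

```fortios
# Address object for the host to limit (IP taken from the recipe).
config firewall address
    edit "limited_bandwidth"
        set subnet 192.168.10.10 255.255.255.255
    next
end

# Shared shaper: medium priority, Max Bandwidth of 200 as entered in the GUI
# (assumption: the CLI value uses the same unit as the GUI field),
# applied individually to each policy that references it.
config firewall shaper traffic-shaper
    edit "limited_bandwidth"
        set priority medium
        set maximum-bandwidth 200
        set per-policy enable
    next
end

# Shaping policies, created in sequence order: the granular policy for the
# limited host first, the general high-priority policy second.
config firewall shaping-policy
    edit 1
        set srcaddr "limited_bandwidth"
        set dstaddr "all"
        set service "ALL"
        set dstintf "wan1"
        set traffic-shaper "limited_bandwidth"
        set traffic-shaper-reverse "limited_bandwidth"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set dstintf "wan1"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
    next
end

# Confirm that the limited_bandwidth policy is listed above the general one.
show firewall shaping-policy
```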
When a computer with the IP you have specified, 192.168.10.10, browses the Internet from your internal network, its bandwidth will be restricted by the amount you set in your shaper.
Go to FortiView > Sources to view traffic, and use the search field to filter your results by the Source IP (192.168.10.10).
Go to FortiView > Traffic Shaping to view the current bandwidth usage for any active shapers. Users on the local network will have high-priority traffic.
The IP address you have specified will receive limited-bandwidth treatment and may experience dropped bytes. Your limited-bandwidth shaper should not exceed 200 kbps. Note that the results show the Bytes (Sent/Received) in Megabytes (MB) and the Bandwidth in kilobits per second (kbps).
You can also view these results in a bubble graph by changing the graph type in the drop-down menu. Sort by Bandwidth to verify that your regular traffic is using more bandwidth.
You can also double-click on either shaper to see more granular information. Select the Destinations tab to see which websites are using up the most bandwidth.
For further reading, check out Traffic Shaping in the FortiOS 5.4 Handbook.