Handbook

6.0.0
Configuring per-IP traffic shaping

Per-IP traffic shaping allows you to define traffic control on a more granular level by managing bandwidth use by user IP address. Traffic shaping by IP address allows you to apply traffic shaping to all source IP addresses in the security policy. In addition to controlling the maximum bandwidth available to users of a selected policy, you can also define the maximum number of concurrent sessions. Per-IP traffic shaping allows you to limit the behavior of every member of a policy, so that one user cannot use all of the available bandwidth. The bandwidth is shared equally within a group. Using a per-IP traffic shaper avoids having to create a separate policy for every user you want to apply a traffic shaper to.

Per-IP traffic shaping isn't supported over NP2 interfaces.

To configure per-IP traffic shaping, you create per-IP traffic shapers and then enable them within traffic shaping policies.

Creating a per-IP traffic shaper

Create a per-IP traffic shaper – GUI

  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set the Type field to Per-IP.
  4. In the Name field, enter a name for the traffic shaper.
  5. Set the following options (GUI option, followed by its description):

    Max Bandwidth

        Enable this option and set the maximum bandwidth. The range is 1 to 16776000 Kbps.

        The maximum bandwidth tells the security policy the largest amount of traffic allowed using the policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput, depending on the priority you set for the traffic shaper.

        You can use the FortiGate CLI to set this option to 0. Setting this option to 0 provides unlimited bandwidth.

    Max Concurrent Connections

        Enable this option and enter the maximum concurrent connections that you want to allow.

    Forward DSCP

        Enable this option and set the forward DSCP value.

        You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Configuring differentiated services.

    Reverse DSCP

        Enable this option and set the reverse DSCP value.

        You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Configuring differentiated services.

  6. Select OK.

Create a per-IP traffic shaper – CLI

    config firewall shaper per-ip-shaper
        edit <traffic_shaper_name>
            set max-bandwidth <bandwidth>
            set max-concurrent-session <number_of_sessions>
            set diffserv-forward enable
            set diffservcode-forward <binary_integer>
            set diffserv-reverse enable
            set diffservcode-rev <binary_integer>
        next
    end

Example: Configuring a per-IP traffic shaper

The following example shows how to create a per-IP traffic shaper, named Accounting, with a maximum traffic amount of 720,000 Kbps, and a maximum number of concurrent sessions of 200.

Example using the FortiGate GUI
  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set Type to Per-IP.
  4. Set Name to Accounting.
  5. Enable Max Bandwidth and set the value to 720000.
  6. Enable Max Concurrent Sessions and set the value to 200.
  7. Select OK.

Example using the FortiGate CLI

    config firewall shaper per-ip-shaper
        edit Accounting
            set max-bandwidth 720000
            set max-concurrent-session 200
        next
    end
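The following is an added example, not part of the Fortinet handbook: a Python audit that reads per-ip-shaper blocks from a saved configuration and flags shapers that do not actually limit a host (max-bandwidth 0, no session cap) or that carry a malformed DSCP code. The sample configuration and the shaper name Guests are constructed, and treating an unset max-bandwidth as uncapped is an assumption.

```python
import re
MAX_KBPS = 16776000  # upper bound of the range stated on this page

# Constructed sample in the page's CLI syntax; "Guests" is a made-up shaper.
SAMPLE = """\
config firewall shaper per-ip-shaper
    edit Accounting
        set max-bandwidth 720000
        set max-concurrent-session 200
    next
    edit Guests
        set max-bandwidth 0
        set diffservcode-forward 1011100
    next
end
"""

def parse_shapers(text):
    """Return {shaper_name: {option: value}} from per-ip-shaper config blocks."""
    shapers, name, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall shaper per-ip-shaper":
            inside = True
        elif inside and line == "end":
            inside = False
        elif inside and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            shapers[name] = {}
        elif inside and name and line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            shapers[name][key] = val.strip().strip('"')
    return shapers

def audit(shapers):
    """Flag weak per-IP limits. Assumption: an unset max-bandwidth means no cap."""
    findings = []
    for name, opts in shapers.items():
        bw = opts.get("max-bandwidth")
        if bw is None or bw == "0":
            findings.append((name, "no bandwidth cap (max-bandwidth unset or 0)"))
        elif not bw.isdigit() or not 1 <= int(bw) <= MAX_KBPS:
            findings.append((name, f"max-bandwidth {bw} outside 1..{MAX_KBPS} Kbps"))
        if "max-concurrent-session" not in opts:
            findings.append((name, "no concurrent session cap"))
        for d in ("forward", "rev"):
            code = opts.get(f"diffservcode-{d}")
            if code is not None and not re.fullmatch(r"[01]{6}", code):
                findings.append((name, f"diffservcode-{d} {code!r} is not a 6-bit binary value"))
    return sorted(findings)
```

Calling audit(parse_shapers(SAMPLE)) reports three findings for Guests and none for Accounting.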
