Fortinet white logo
Fortinet white logo

Administration Guide

Per-IP traffic shaper

Per-IP traffic shaper

With per-IP traffic shaping, you can limit each IP address's behavior to avoid a situation where one user uses all of the available bandwidth. In addition to controlling the maximum bandwidth used per IP address, you can also define the maximum number of concurrent sessions for an IP address. For example, if you apply a per-IP shaper of 1 Mbps to your entire network, FortiOS allocates each user/IP address 1 Mbps of bandwidth. Even if the network consists of a single user, FortiOS allocates them 1 Mbps. If there are ten users, each user gets 1 Mbps of bandwidth, totaling 10 Mbps of outgoing traffic.

For shared shapers, all users share the set guaranteed and maximum bandwidths. For example, if you set a shared shaper for all PCs using an FTP service to 10 Mbps, all users uploading to the FTP server share the 10 Mbps.

Shared shapers affect upload speed. If you want to limit the download speed from the FTP server in the example, you must configure the shared shaper as a reverse shaper. Per-IP shapers apply the speed limit on both upload and download operations. Only traffic through forward traffic shapers will be included in FortiView; reverse and per-IP shapers are not included.

The following example shows how to apply a per-IP shaper to a traffic shaping policy. This shaper assigns each user a maximum bandwidth of 1 Mbps and allows each user to have a maximum of ten concurrent connections to the FTP server. In the example, FortiOS communicates with users using port10 and the FTP server using port9.

To configure a per-IP traffic shaper in the GUI:
  1. Create a firewall policy:

    1. Go to Policy & Objects > IPv4 Policy and click Create New.

    2. Set the Name to FTP Access.

    3. Set the Incoming Interface to port10.

    4. Set the Outgoing Interface to port9.

    5. Set the Source to all.

    6. Set the Destination to FTP_Server.

    7. Set the Schedule to always.

    8. Set the Service to ALL.

    9. Click OK.

  2. Create the per-IP traffic shaper:

    1. Go to Policy & Objects > Traffic Shaping, select the Traffic Shapers tab, and click Create New.

    2. Set Type to Per IP Shaper.

    3. Enter the Name (FTP_Max_1M). This shaper is for VoIP traffic.

    4. Enable Max Bandwidth and enter 1000.

    5. Enable Max Concurrent Connections and enter 10. This means that each user can have up to ten concurrent connections to the FTP server.

    6. Click OK.

  3. Create a firewall shaping policy:

    1. Go to Policy & Objects > Traffic Shaping, select the Traffic Shaping Policies tab, and click Create New.

    2. Enter the Name (FTP speed 1M).

    3. Set the Source to the addresses and users that require access to the FTP server.

    4. Set the Destination to FTP_Server.

    5. Set the Service to ALL.

    6. Set the Outgoing Interface to port9.

    7. Enable Per-IP shaper and select FTP_Max_1M.

    8. Click OK.

To configure a per-IP traffic shaper in the CLI:
  1. Create a firewall policy:

    config firewall policy

    edit 1

    set name "FTP Access"

    set srcintf "port10"

    set dstintf "port9"

    set srcaddr "all"

    set dstaddr "FTP_Server"

    set action accept

    set schedule "always"

    set service "ALL"

    set fsso disable

    set nat enable

    next

    end

  2. Create the per-IP traffic shaper:

    config firewall shaper per-ip-shaper

    edit "FTP_Max_1M"

    set max-bandwidth 1000

    set max-concurrent-session 10

    next

    end

  3. Create a firewall shaping policy:

    config firewall shaping-policy

    edit 1

    set name "FTP speed 1M"

    set service "ALL"

    set dstintf "port9"

    set per-ip-shaper "FTP_Max_1M"

    set srcaddr "PC1" "WinPC" "PC2"

    set dstaddr "FTP_Server"

    next

    end

To troubleshoot per-IP traffic shapers:
  1. Check if specific traffic is attached to the correct traffic shaper. The example output shows the traffic attached to the FTP_Max_1M shaper:

    # diagnose firewall iprope list 100015

    policy index=3 uuid_idx=0 action=accept

    flag (0):

    shapers: per-ip=FTP_Max_1M

    cos_fwd=0 cos_rev=0

    group=00100015 av=00000000 au=00000000 split=00000000

    host=2 chk_client_info=0x0 app_list=0 ips_view=0

    misc=0 dd_type=0 dd_mode=0

    zone(1): 0 -> zone(1): 38

    source(3): 10.1.100.11-10.1.100.11, uuid_idx=30, 10.1.100.143-10.1.100.143, uuid_idx=32, 10.1.100.22-10.1.100.22, uuid_idx=31,

    dest(1): 172.16.200.55-172.16.200.55, uuid_idx=89,

    service(1):

    [0:0x0:0/(0,65535)->(0,65535)] helper:auto

  2. Check if the correct traffic shaper is applied to the session. The example output shows that the FTP_Max_1M shaper is applied to the session:

    # diagnose sys session list

    session info: proto=6 proto_state=01 duration=36 expire=3567 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4

    origin-shaper=

    reply-shaper=

    per_ip_shaper=FTP_Max_1M

    class_id=0 shaping_policy_id=3 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255

    state=may_dirty per_ip npu npd mif route_preserve

    statistic(bytes/packets/allow_err): org=506/9/1 reply=416/6/1 tuples=2

    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

    orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0

    hook=post dir=org act=snat 10.1.100.11:58275->172.16.200.55:21(172.16.200.1:58275)

    hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58275(10.1.100.11:58275)

    pos/(before,after) 0/(0,0), 0/(0,0)

    misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2

    serial=0000211a tos=ff/ff app_list=0 app=0 url_cat=0

    sdwan_mbr_seq=0 sdwan_service_id=0

    rpdb_link_id = 00000000

    dd_type=0 dd_mode=0

    npu_state=0x100000

    npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000

    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0

    no_ofld_reason: offload-denied helper

  3. Check the statuses of per-IP traffic shapers. The output should resemble the following:

    # diagnose firewall shaper per-ip-shaper list

    name FTP_Max_1M

    maximum-bandwidth 125 KB/sec

    maximum-concurrent-session 10

    tos ff/ff

    packets dropped 0

    bytes dropped 0

    addr=10.1.100.11 status: bps=0 ses=3

Per-IP traffic shaper

Per-IP traffic shaper

With per-IP traffic shaping, you can limit each IP address's behavior to avoid a situation where one user uses all of the available bandwidth. In addition to controlling the maximum bandwidth used per IP address, you can also define the maximum number of concurrent sessions for an IP address. For example, if you apply a per-IP shaper of 1 Mbps to your entire network, FortiOS allocates each user/IP address 1 Mbps of bandwidth. Even if the network consists of a single user, FortiOS allocates them 1 Mbps. If there are ten users, each user gets 1 Mbps of bandwidth, totaling 10 Mbps of outgoing traffic.

For shared shapers, all users share the set guaranteed and maximum bandwidths. For example, if you set a shared shaper for all PCs using an FTP service to 10 Mbps, all users uploading to the FTP server share the 10 Mbps.

Shared shapers affect upload speed. If you want to limit the download speed from the FTP server in the example, you must configure the shared shaper as a reverse shaper. Per-IP shapers apply the speed limit on both upload and download operations. Only traffic through forward traffic shapers will be included in FortiView; reverse and per-IP shapers are not included.

The following example shows how to apply a per-IP shaper to a traffic shaping policy. This shaper assigns each user a maximum bandwidth of 1 Mbps and allows each user to have a maximum of ten concurrent connections to the FTP server. In the example, FortiOS communicates with users using port10 and the FTP server using port9.

To configure a per-IP traffic shaper in the GUI:
  1. Create a firewall policy:

    1. Go to Policy & Objects > IPv4 Policy and click Create New.

    2. Set the Name to FTP Access.

    3. Set the Incoming Interface to port10.

    4. Set the Outgoing Interface to port9.

    5. Set the Source to all.

    6. Set the Destination to FTP_Server.

    7. Set the Schedule to always.

    8. Set the Service to ALL.

    9. Click OK.

  2. Create the per-IP traffic shaper:

    1. Go to Policy & Objects > Traffic Shaping, select the Traffic Shapers tab, and click Create New.

    2. Set Type to Per IP Shaper.

    3. Enter the Name (FTP_Max_1M). This shaper is for VoIP traffic.

    4. Enable Max Bandwidth and enter 1000.

    5. Enable Max Concurrent Connections and enter 10. This means that each user can have up to ten concurrent connections to the FTP server.

    6. Click OK.

  3. Create a firewall shaping policy:

    1. Go to Policy & Objects > Traffic Shaping, select the Traffic Shaping Policies tab, and click Create New.

    2. Enter the Name (FTP speed 1M).

    3. Set the Source to the addresses and users that require access to the FTP server.

    4. Set the Destination to FTP_Server.

    5. Set the Service to ALL.

    6. Set the Outgoing Interface to port9.

    7. Enable Per-IP shaper and select FTP_Max_1M.

    8. Click OK.

To configure a per-IP traffic shaper in the CLI:
  1. Create a firewall policy:

    config firewall policy

    edit 1

    set name "FTP Access"

    set srcintf "port10"

    set dstintf "port9"

    set srcaddr "all"

    set dstaddr "FTP_Server"

    set action accept

    set schedule "always"

    set service "ALL"

    set fsso disable

    set nat enable

    next

    end

  2. Create the per-IP traffic shaper:

    config firewall shaper per-ip-shaper

    edit "FTP_Max_1M"

    set max-bandwidth 1000

    set max-concurrent-session 10

    next

    end

  3. Create a firewall shaping policy:

    config firewall shaping-policy

    edit 1

    set name "FTP speed 1M"

    set service "ALL"

    set dstintf "port9"

    set per-ip-shaper "FTP_Max_1M"

    set srcaddr "PC1" "WinPC" "PC2"

    set dstaddr "FTP_Server"

    next

    end

To troubleshoot per-IP traffic shapers:
  1. Check if specific traffic is attached to the correct traffic shaper. The example output shows the traffic attached to the FTP_Max_1M shaper:

    # diagnose firewall iprope list 100015

    policy index=3 uuid_idx=0 action=accept

    flag (0):

    shapers: per-ip=FTP_Max_1M

    cos_fwd=0 cos_rev=0

    group=00100015 av=00000000 au=00000000 split=00000000

    host=2 chk_client_info=0x0 app_list=0 ips_view=0

    misc=0 dd_type=0 dd_mode=0

    zone(1): 0 -> zone(1): 38

    source(3): 10.1.100.11-10.1.100.11, uuid_idx=30, 10.1.100.143-10.1.100.143, uuid_idx=32, 10.1.100.22-10.1.100.22, uuid_idx=31,

    dest(1): 172.16.200.55-172.16.200.55, uuid_idx=89,

    service(1):

    [0:0x0:0/(0,65535)->(0,65535)] helper:auto

  2. Check if the correct traffic shaper is applied to the session. The example output shows that the FTP_Max_1M shaper is applied to the session:

    # diagnose sys session list

    session info: proto=6 proto_state=01 duration=36 expire=3567 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4

    origin-shaper=

    reply-shaper=

    per_ip_shaper=FTP_Max_1M

    class_id=0 shaping_policy_id=3 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255

    state=may_dirty per_ip npu npd mif route_preserve

    statistic(bytes/packets/allow_err): org=506/9/1 reply=416/6/1 tuples=2

    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

    orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0

    hook=post dir=org act=snat 10.1.100.11:58275->172.16.200.55:21(172.16.200.1:58275)

    hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58275(10.1.100.11:58275)

    pos/(before,after) 0/(0,0), 0/(0,0)

    misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2

    serial=0000211a tos=ff/ff app_list=0 app=0 url_cat=0

    sdwan_mbr_seq=0 sdwan_service_id=0

    rpdb_link_id = 00000000

    dd_type=0 dd_mode=0

    npu_state=0x100000

    npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000

    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0

    no_ofld_reason: offload-denied helper

  3. Check the statuses of per-IP traffic shapers. The output should resemble the following:

    # diagnose firewall shaper per-ip-shaper list

    name FTP_Max_1M

    maximum-bandwidth 125 KB/sec

    maximum-concurrent-session 10

    tos ff/ff

    packets dropped 0

    bytes dropped 0

    addr=10.1.100.11 status: bps=0 ses=3