Configuring per-IP traffic shaping
Per-IP traffic shaping allows you to define traffic control on a more granular level by managing bandwidth use per user IP address. Traffic shaping by IP address applies the shaper to every source IP address matched by the security policy. In addition to controlling the maximum bandwidth for users of a selected policy, you can also define the maximum number of concurrent sessions. Per-IP traffic shaping allows you to limit the behavior of every member of a policy to avoid having one user consume all of the available bandwidth. The bandwidth is shared equally within a group. Using a per-IP traffic shaper avoids having to create multiple policies for every user you want to apply a traffic shaper to.
Per-IP traffic shaping isn't supported over NP2 interfaces.
To configure per-IP traffic shaping, you create per-IP traffic shapers and then enable them within traffic shaping policies.
Creating a per-IP traffic shaper
Create a per-IP traffic shaper – GUI
- Go to Policy & Objects > Traffic Shapers.
- Select Create New.
- Set the Type field to Per-IP.
- In the Name field, enter a name for the traffic shaper.
- Set the following options:
  - Max Bandwidth: Enable this option and set the maximum bandwidth. The range is 1 to 16776000 Kbps. The maximum bandwidth is the largest amount of traffic that the security policy allows. Depending on the services or users covered by the security policy, the throughput a user actually receives can be larger or smaller, depending on the priority you set for the traffic shaper. You can use the FortiGate CLI to set this option to 0, which provides unlimited bandwidth.
  - Max Concurrent Connections: Enable this option and enter the maximum number of concurrent connections that you want to allow.
  - Forward DSCP: Enable this option and set the forward DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value of all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Configuring differentiated services.
  - Reverse DSCP: Enable this option and set the reverse DSCP value. The Differentiated Services feature described under Forward DSCP applies in the same way to reply traffic. For more information, see Configuring differentiated services.
- Select OK.
Create a per-IP traffic shaper – CLI
config firewall shaper per-ip-shaper
    edit <traffic_shaper_name>
        set max-bandwidth <bandwidth>
        set max-concurrent-session <number_of_sessions>
        set diffserv-forward enable
        set diffservcode-forward <binary_integer>
        set diffserv-reverse enable
        set diffservcode-rev <binary_integer>
    next
end
Example: Configuring a per-IP traffic shaper
The following example shows how to create a per-IP traffic shaper, named Accounting, with a maximum traffic amount of 720,000 Kbps, and a maximum number of concurrent sessions of 200.
Example using the FortiGate GUI
- Go to Policy & Objects > Traffic Shapers.
- Select Create New.
- Set Type to Per-IP.
- Set Name to Accounting.
- Enable Max Bandwidth and set the value to 720000.
- Enable Max Concurrent Sessions and set the value to 200.
- Select OK.
Example using the FortiGate CLI
config firewall shaper per-ip-shaper
    edit Accounting
        set max-bandwidth 720000
        set max-concurrent-session 200
    next
end
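The following Python helper is an added example, not FortiGate code: it renders the per-IP shaper CLI block shown above, enforcing the documented max-bandwidth range (0 for unlimited, otherwise 1 to 16776000 Kbps) and checking that DSCP codes are 6-bit binary strings before anything is emitted. The class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional

MAX_BANDWIDTH_KBPS = 16776000  # upper bound from the Max Bandwidth description


def _check_dscp(label: str, code: Optional[str]) -> None:
    """DSCP codes are entered as 6-bit binary strings, e.g. '101110'."""
    if code is None:
        return
    if len(code) != 6 or set(code) - {"0", "1"}:
        raise ValueError(f"{label} DSCP code must be a 6-bit binary string, got {code!r}")


@dataclass
class PerIpShaper:
    """One entry under 'config firewall shaper per-ip-shaper' (hypothetical helper)."""
    name: str
    max_bandwidth: int = 0             # Kbps; 0 means unlimited (CLI only)
    max_concurrent_session: int = 0    # 0 leaves the session limit unset
    diffservcode_forward: Optional[str] = None
    diffservcode_rev: Optional[str] = None

    def validate(self) -> None:
        if not self.name:
            raise ValueError("shaper name is required")
        if not 0 <= self.max_bandwidth <= MAX_BANDWIDTH_KBPS:
            raise ValueError(f"max-bandwidth must be 0 or 1..{MAX_BANDWIDTH_KBPS} Kbps")
        if self.max_concurrent_session < 0:
            raise ValueError("max-concurrent-session cannot be negative")
        _check_dscp("forward", self.diffservcode_forward)
        _check_dscp("reverse", self.diffservcode_rev)

    def to_cli(self) -> str:
        """Emit the CLI block; raises ValueError instead of producing a bad config."""
        self.validate()
        lines = ["config firewall shaper per-ip-shaper", f"    edit {self.name}",
                 f"        set max-bandwidth {self.max_bandwidth}"]
        if self.max_concurrent_session:
            lines.append(f"        set max-concurrent-session {self.max_concurrent_session}")
        if self.diffservcode_forward is not None:
            lines += ["        set diffserv-forward enable",
                      f"        set diffservcode-forward {self.diffservcode_forward}"]
        if self.diffservcode_rev is not None:
            lines += ["        set diffserv-reverse enable",
                      f"        set diffservcode-rev {self.diffservcode_rev}"]
        lines += ["    next", "end"]
        return "\n".join(lines)


def validation_error(shaper: PerIpShaper) -> Optional[str]:
    """Return the validation message for a shaper, or None if it is valid."""
    try:
        shaper.validate()
    except ValueError as exc:
        return str(exc)
    return None
```

Running `print(PerIpShaper("Accounting", 720000, 200).to_cli())` reproduces the Accounting example from the CLI section above.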