Administration Guide

Per-IP traffic shaper 7.2.4

With per-IP traffic shaping, you can limit each IP address's behavior to avoid a situation where one user uses all of the available bandwidth. In addition to controlling the maximum bandwidth used per IP address, you can also define the maximum number of concurrent sessions for an IP address. For example, if you apply a per-IP shaper of 1 Mbps to your entire network, FortiProxy allocates each user/IP address 1 Mbps of bandwidth. Even if the network consists of a single user, FortiProxy allocates them 1 Mbps. If there are ten users, each user gets 1 Mbps of bandwidth, totaling 10 Mbps of outgoing traffic.

For shared shapers, all users share the set guaranteed and maximum bandwidths. For example, if you set a shared shaper for all PCs using an FTP service to 10 Mbps, all users uploading to the FTP server share the 10 Mbps.

Shared shapers affect upload speed. If you want to limit the download speed from the FTP server in the example, you must configure the shared shaper as a reverse shaper. Per-IP shapers apply the speed limit on both upload and download operations. Only traffic through forward traffic shapers will be included in FortiView; reverse and per-IP shapers are not included.

The following example shows how to apply a per-IP shaper to a traffic shaping policy. This shaper assigns each user a maximum bandwidth of 1 Mbps and allows each user to have a maximum of ten concurrent connections to the FTP server. In the example, FortiProxy communicates with users using port10 and the FTP server using port9.

To configure a per-IP traffic shaper in the GUI:
  1. Create a firewall policy:
    1. Go to Policy & Objects > IPv4 Policy and click Create New.
    2. Set the Name to FTP Access.
    3. Set the Incoming Interface to port10.
    4. Set the Outgoing Interface to port9.
    5. Set the Source to all.
    6. Set the Destination to FTP_Server.
    7. Set the Schedule to always.
    8. Set the Service to ALL.
    9. Click OK.
  2. Create the per-IP traffic shaper:
    1. Go to Policy & Objects > Traffic Shaping, select the Traffic Shapers tab, and click Create New.
    2. Set Type to Per IP Shaper.
    3. Enter the Name (FTP_Max_1M). This shaper is for VoIP traffic.
    4. Enable Max Bandwidth and enter 1000.
    5. Enable Max Concurrent Connections and enter 10. This means that each user can have up to ten concurrent connections to the FTP server.
    6. Click OK.
  3. Create a firewall shaping policy:
    1. Go to Policy & Objects > Traffic Shaping, select the Traffic Shaping Policies tab, and click Create New.
    2. Enter the Name (FTP speed 1M).
    3. Set the Source to the addresses and users that require access to the FTP server.
    4. Set the Destination to FTP_Server.
    5. Set the Service to ALL.
    6. Set the Outgoing Interface to port9.
    7. Enable Per-IP shaper and select FTP_Max_1M.
    8. Click OK.
To configure a per-IP traffic shaper in the CLI:
  1. Create a firewall policy:
    config firewall policy
        edit 1
            set name "FTP Access"
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "FTP_Server"
            set action accept
            set schedule "always"
            set service "ALL"
            set fsso disable
            set nat enable
        next
    end

  2. Create the per-IP traffic shaper:
    config firewall shaper per-ip-shaper
        edit "FTP_Max_1M"
            set max-bandwidth 1000
            set max-concurrent-session 10
        next
    end

  3. Create a firewall shaping policy:
    config firewall shaping-policy
        edit 1
            set name "FTP speed 1M"
            set service "ALL"
            set dstintf "port9"
            set per-ip-shaper "FTP_Max_1M"
            set srcaddr "PC1" "WinPC" "PC2"
            set dstaddr "FTP_Server"
        next
    end

To check the status of a per-IP traffic shaper:
    # diagnose firewall shaper per-ip-shaper list

The output should resemble the following:

    name FTP_Max_1M
    maximum-bandwidth 125 KB/sec
    maximum-concurrent-session 10
    tos ff/ff
    packets dropped 0
    bytes dropped 0
    addr=10.1.100.11 status: bps=0 ses=3
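The diagnose output above is what an operator would poll to confirm the shaper is doing what the configuration intends: the configured max-bandwidth of 1000 kbps is reported as 125 KB/sec, and each addr line shows how close a host is to the max-concurrent-session cap. The following Python script is an added example, not Fortinet code; it parses output in the format shown on this page and reports hosts near the session limit or any dropped traffic. The second addr line in the sample, the 80% warning threshold and the function names are constructed for the example.

```python
"""Parse `diagnose firewall shaper per-ip-shaper list` output and flag hosts near limits.

Added example (not Fortinet code). Assumes the line format shown in the
FortiProxy administration guide; lines it does not recognise (e.g. `tos`)
are ignored so that extra fields in other builds do not break parsing.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first addr line is from the guide, the second is
# invented to show a host approaching its concurrent-session cap.
SAMPLE_OUTPUT = """\
name FTP_Max_1M
maximum-bandwidth 125 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
addr=10.1.100.11 status: bps=0 ses=3
addr=10.1.100.12 status: bps=98000 ses=9
"""

BW_RE = re.compile(r"^maximum-bandwidth (\d+) KB/sec$")
SES_RE = re.compile(r"^maximum-concurrent-session (\d+)$")
PKT_RE = re.compile(r"^packets dropped (\d+)$")
BYT_RE = re.compile(r"^bytes dropped (\d+)$")
ADDR_RE = re.compile(r"^addr=(\S+) status: bps=(\d+) ses=(\d+)$")


@dataclass
class PerIpShaperStatus:
    name: str
    max_bandwidth_kbytes: int = 0          # as reported: KB/sec
    max_concurrent_sessions: int = 0
    packets_dropped: int = 0
    bytes_dropped: int = 0
    hosts: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # addr -> (bps, ses)


def kbps_to_kbytes_per_sec(kbps: int) -> int:
    """max-bandwidth is configured in kbps but reported in KB/sec (1000 kbps -> 125 KB/sec)."""
    return kbps // 8


def parse_per_ip_shaper_list(text: str) -> List[PerIpShaperStatus]:
    """Turn the diagnose output into one PerIpShaperStatus per `name` block."""
    shapers: List[PerIpShaperStatus] = []
    cur: Optional[PerIpShaperStatus] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("name "):
            cur = PerIpShaperStatus(name=line[5:].strip())
            shapers.append(cur)
            continue
        if cur is None:
            raise ValueError(f"attribute line before any 'name' line: {line!r}")
        m = BW_RE.match(line)
        if m:
            cur.max_bandwidth_kbytes = int(m.group(1))
            continue
        m = SES_RE.match(line)
        if m:
            cur.max_concurrent_sessions = int(m.group(1))
            continue
        m = PKT_RE.match(line)
        if m:
            cur.packets_dropped = int(m.group(1))
            continue
        m = BYT_RE.match(line)
        if m:
            cur.bytes_dropped = int(m.group(1))
            continue
        m = ADDR_RE.match(line)
        if m:
            cur.hosts[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return shapers


def check_shaper(status: PerIpShaperStatus, configured_kbps: int,
                 session_warn_ratio: float = 0.8) -> List[str]:
    """Return human-readable findings: unit mismatch, drops, or hosts near the session cap."""
    findings: List[str] = []
    expected = kbps_to_kbytes_per_sec(configured_kbps)
    if status.max_bandwidth_kbytes != expected:
        findings.append(f"{status.name}: reports {status.max_bandwidth_kbytes} KB/sec, "
                        f"expected {expected} KB/sec for {configured_kbps} kbps")
    if status.packets_dropped or status.bytes_dropped:
        findings.append(f"{status.name}: {status.packets_dropped} packets / "
                        f"{status.bytes_dropped} bytes dropped by the shaper")
    cap = status.max_concurrent_sessions
    for addr, (_bps, ses) in status.hosts.items():
        if cap and ses >= session_warn_ratio * cap:
            findings.append(f"{status.name}: {addr} at {ses}/{cap} concurrent sessions")
    return findings


if __name__ == "__main__":
    for shaper in parse_per_ip_shaper_list(SAMPLE_OUTPUT):
        for finding in check_shaper(shaper, configured_kbps=1000):
            print(finding)
```

Feed it the real output (for example, captured over SSH on a schedule) with the max-bandwidth value from your own `config firewall shaper per-ip-shaper` entry; a host that sits at the session cap is the first place to look when users report FTP connections being refused, and a growing dropped-bytes counter tells you the bandwidth cap, not the server, is what is throttling them.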
