When a particular IP address uses too many resources, you can prevent that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.
First, you will enable traffic shaping and create an address object to target a specific internal IP address. Then, you will create a shared shaper and a security policy that uses that specific IP address as the source address.
This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.
1. Enabling Traffic Shaping
Go to System > Config > Features and select the Show More button to view additional features. Select ON to enable Traffic Shaping and apply your changes.
2. Creating an Address Object
Go to Policy & Objects > Objects > Addresses and select Create New to define the address you would like to limit.
Set Category to Address and enter a name (in the example, limited_bandwidth).
Set Type to IP/Netmask. For the Subnet / IP Range, enter the internal IP address you wish to limit.
Lastly, set Interface to any and select Show in Address List.
3. Configuring a traffic shaper to limit bandwidth
Go to Policy & Objects > Objects > Traffic Shapers and select Create New to define a new Shared Traffic Shaper profile.
Set Type to Shared. Set Apply shaper to Per Policy.
Set Traffic Priority to Medium.
Select Max Bandwidth and enter 200 kb/s (0.2 Mbps). Select Guaranteed Bandwidth and enter 100 kb/s (0.1 Mbps).
4. Creating a security policy
Go to Policy & Objects > Policy > IPv4 and create a new security policy to limit bandwidth for the IP address you configured in Step 2.
Set the Source Address to limited_bandwidth.
Enable Shared Shaper and Reverse Shaper and select limited-bandwith from the drop-down menu. The Shared Shaper restricts the bandwidth for uploads and the Reverse Shaper restricts downloads.
For Logging Options, select All Sessions for testing purposes.
Order your policies so that your new security policy is above your general Internet access policies.
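Steps 2 to 4 expressed in the FortiOS CLI, as an added example that is not part of the original recipe. The interface names internal and wan1, the NAT setting and the policy ID placeholders are assumptions, and the bandwidth values are assumed to use the same kb/s unit as the GUI, so confirm the unit on your firmware before applying.

```fortios
# Step 2: address object for the host to limit (10.1.10.10/32 in this recipe)
config firewall address
    edit "limited_bandwidth"
        set type ipmask
        set subnet 10.1.10.10 255.255.255.255
    next
end

# Step 3: shared shaper, applied per policy, medium priority.
# The name is spelled as it appears in step 4 of the recipe.
# Values are assumed to be in kb/s, matching the GUI fields.
config firewall shaper traffic-shaper
    edit "limited-bandwith"
        set guaranteed-bandwidth 100
        set maximum-bandwidth 200
        set per-policy enable
        set priority medium
    next
end

# Step 4: policy that matches only the limited host.
# "internal" and "wan1" are assumed interface names; use your own.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "limited_bandwidth"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set traffic-shaper "limited-bandwith"
        set traffic-shaper-reverse "limited-bandwith"
        set logtraffic all
        set nat enable
    next
end

# Place the new policy above the general Internet access policy.
# <new_id> and <general_id> are placeholders for your own policy IDs.
config firewall policy
    move <new_id> before <general_id>
end
```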
5. Results
When a computer with the IP you have specified, 10.1.10.10, browses the Internet from your internal network, its bandwidth will be restricted by the amount you set in your shaper.
Go to System > FortiView > Sources to view traffic, and use the search field to filter your results by Source IP.
Go to Policy & Objects > Monitor > Traffic Shaper Monitor and set the Report By option to Current Bandwidth. If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper. In this example, you can see that the bandwidth does not exceed your set limit: 200 kb/s.
You can also set Report By to Dropped Packets to get an idea of whether your traffic shaper settings need to be adjusted. For example, if there are very few dropped packets, you may need to set a higher Maximum Bandwidth in your shaper.
For further reading, check out Traffic Shaping in the FortiOS 5.2 Handbook.
Traffic shaping rules can now be applied to firewall policies.
In this example, 10.1.10.10/32.
Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
Select Per Policy when you want each security policy for day-to-day business traffic to have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 200 kb/s (0.2 Mbps) each.
Setting a Traffic Priority will only have an impact if you have enabled Traffic Shaping in ALL your other Internet access policies. There must also be some variation; for example, you will not see any differences while all policies are set to the default setting (High).
Click on the far left of the column you want to move and drag it up or down to arrange it.