Per-IP shaping

PerIP shaping

Traffic shaping by IP enables you to apply traffic shaping to all source IP addresses in the security policy. As well as controlling the maximum bandwidth users of a selected policy, you can also define the maximum number of concurrent sessions.

Per-IP traffic shaping enables you limit the behavior of every member of a policy to avoid one user from using all the available bandwidth – it now is shared within a group equally. Using a per-IP shaper avoids having to create multiple policies for every user you want to apply a shaper. Per-IP traffic shaping is not supported over NP2 interfaces.

 

PerIP traffic shaping configuration settings

To configure per-IP traffic shaping go to Policy & Objects > Traffic Shapers > Per-IP and select the CreatNew “Plus” sign.

Type                                            Select PerIP.

Name                                           Enter a name for the per-IP traffic shaper.

Maximum Bandwidth                The maximum bandwidth instructs the security policy what the largest amount of traffic allowed using the policy. Depending on the service or the users included for the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the shaper.

Maximum Concurrent Con- nections

Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.

Enter the maximum allowed concurrent connection.
Forward DSCP Reverse DSCP

Enter the number for the DSCP value. You can use the FortiGate Dif- ferentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to per- form intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.

 

Example

The following steps create a Per-IP traffic shaper called “Accounting” with a maximum traffic amount of 720,000 Kb/s, and the number of concurrent sessions of 200.

 

To create the shared shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” Icon.

2. Set the Type to PerIP.

3. Enter the Name Accounting.

4. Enable the Maximum Bandwidth and enter the value 720000.

5. Enable the Maximum Concurrent Sessions and enter the value 200.

6. Select OK.

 

To create the shared shaper – CLI:

config firewall shaper per-ip-shaper edit Accounting

set max100-bandwidth 720000

set max-concurrent-session 200 end

 

Adding a Per-IP traffic shaper to a traffic shaping policy

Per-IP traffic shaping is supported by IPv6 security policies. You can add any Per-IP traffic shaper to an IPv6 security policy in the CLI.

 

Example

The following steps show you how to add an existing Per-IP traffic shaper to an IPv6 security policy. Make sure that you have already created a Per-IP traffic shaper under Policy & Objects > Traffic Shapers.

 

To add a Per-IP traffic shaper to an IPv6 security policy – web-based manager:

1. Go to Policy & Objects > IPv6 Policy and click the Create New “Plus” icon to create an internet access policy.

2. Set the following:

 

Name                                            Enter a descriptive name.

Incoming Interface                        Internal

Source address                              All

Outgoing interface                        wan1

Destination address                     all

Schedule                                         Always

Service                                            Any

Action                                              Accept

3. Select OK.

4. Go to Policy & Objects > Traffic Shaping Policy and the Create New “Plus” icon to create a new traffic shaping policy.

5. To apply your traffic shaping policy to the security policy you created earlier set the Matching Criteria to the following:

Source                                                 all

Destination address                         all

Service                                                ALL

Application Category                        

Application                                         

URL Category                                     

6. Under Apply shaper, set the following:

 

Outgoing interface                            any

(The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)

Shared Shaper                           

Reverse Shaper                          

PerIP Shaper                             Enable PerIP Shaper and select your shaper from the dropdown menu.

Enable this policy                     Enable this policy.

7. Select OK.

8. On the policy list page, move the Per-IP Shaper to the top of the list by clicking on the far left column to drag and drop it.

There are two methods to configure traffic shaping in the CLI. You can add a Per-IP shaper directly to an IPv6 security policy, or you can add a Per-IP shaper to a traffic shaping policy. The second method will allow you to apply traffic shaping based on the interface and can therefore affect multiple security policies easily. The first method requires that you enable traffic shaping individually in ALL policies using the same two interfaces.

 

To add a Per-IP traffic shaper to an IPv6 security policy- CLI:

config firewall policy6

edit <security policy ID number>

set per-ip-shaper <per IP shaper name>

end

 

To add a Per-IP traffic shaper to an IPv6 traffic shaping policy -CLI:

config firewall shaping-policy

edit 1 <security policy ID number>

set ip-version 6

set srcaddr <source address>

set dstaddr <destination address>

set service <service name>

set dstintf <outgoing interface>

set per-ip-shaper <per IP shaper name>

end

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

5 thoughts on “Per-IP shaping

  1. farouk

    i have 4Mo isp internet for 120 users , i can use per ip traffic shapin method , what is the ideal speed for use to this with ich user

    Reply
    1. Mike Post author

      What version of FortiOS? in 5.6 and 5.4 You can use a range in your Traffic Shaping Policy and apply per IP shaping to it. Per IP shaping is going to give you that bandwidth per IP though. If you want the whole range to share a certain sized pipe (created by the traffic shaping itself) you will want to use shared shaping.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.