Per–IP shaping
Traffic shaping by IP enables you to apply traffic shaping to all source IP addresses in the security policy. As well as controlling the maximum bandwidth users of a selected policy, you can also define the maximum number of concurrent sessions.
Per-IP traffic shaping enables you limit the behavior of every member of a policy to avoid one user from using all the available bandwidth – it now is shared within a group equally. Using a per-IP shaper avoids having to create multiple policies for every user you want to apply a shaper. Per-IP traffic shaping is not supported over NP2 interfaces.
Per–IP traffic shaping configuration settings
To configure per-IP traffic shaping go to Policy & Objects > Traffic Shapers > Per-IP and select the Create New “Plus” sign.
Type Select Per–IP.
Name Enter a name for the per-IP traffic shaper.
Maximum Bandwidth The maximum bandwidth instructs the security policy what the largest amount of traffic allowed using the policy. Depending on the service or the users included for the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the shaper.
Maximum Concurrent Con- nections
Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.
Enter the maximum allowed concurrent connection.
Forward DSCP Reverse DSCP
Enter the number for the DSCP value. You can use the FortiGate Dif- ferentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to per- form intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.
Example
The following steps create a Per-IP traffic shaper called “Accounting” with a maximum traffic amount of 720,000 Kb/s, and the number of concurrent sessions of 200.
To create the shared shaper – web-based manager:
1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” Icon.
2. Set the Type to Per–IP.
3. Enter the Name Accounting.
4. Enable the Maximum Bandwidth and enter the value 720000.
5. Enable the Maximum Concurrent Sessions and enter the value 200.
6. Select OK.
To create the shared shaper – CLI:
config firewall shaper per-ip-shaper edit Accounting
set max100-bandwidth 720000
set max-concurrent-session 200 end
Adding a Per-IP traffic shaper to a traffic shaping policy
Per-IP traffic shaping is supported by IPv6 security policies. You can add any Per-IP traffic shaper to an IPv6 security policy in the CLI.
Example
The following steps show you how to add an existing Per-IP traffic shaper to an IPv6 security policy. Make sure that you have already created a Per-IP traffic shaper under Policy & Objects > Traffic Shapers.
To add a Per-IP traffic shaper to an IPv6 security policy – web-based manager:
1. Go to Policy & Objects > IPv6 Policy and click the Create New “Plus” icon to create an internet access policy.
2. Set the following:
Name Enter a descriptive name.
Incoming Interface Internal
Source address All
Outgoing interface wan1
Destination address all
Schedule Always
Service Any
Action Accept
3. Select OK.
4. Go to Policy & Objects > Traffic Shaping Policy and the Create New “Plus” icon to create a new traffic shaping policy.
5. To apply your traffic shaping policy to the security policy you created earlier set the Matching Criteria to the following:
Source all
Destination address all
Service ALL
Application Category –
Application –
URL Category –
6. Under Apply shaper, set the following:
Outgoing interface any
(The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)
Shared Shaper –
Reverse Shaper –
Per–IP Shaper Enable Per–IP Shaper and select your shaper from the dropdown menu.
Enable this policy Enable this policy.
7. Select OK.
8. On the policy list page, move the Per-IP Shaper to the top of the list by clicking on the far left column to drag and drop it.
There are two methods to configure traffic shaping in the CLI. You can add a Per-IP shaper directly to an IPv6 security policy, or you can add a Per-IP shaper to a traffic shaping policy. The second method will allow you to apply traffic shaping based on the interface and can therefore affect multiple security policies easily. The first method requires that you enable traffic shaping individually in ALL policies using the same two interfaces.
To add a Per-IP traffic shaper to an IPv6 security policy- CLI:
config firewall policy6
edit <security policy ID number>
set per-ip-shaper <per IP shaper name>
end
To add a Per-IP traffic shaper to an IPv6 traffic shaping policy -CLI:
config firewall shaping-policy
edit 1 <security policy ID number>
set ip-version 6
set srcaddr <source address>
set dstaddr <destination address>
set service <service name>
set dstintf <outgoing interface>
set per-ip-shaper <per IP shaper name>
end
i have 4Mo isp internet for 120 users , i can use per ip traffic shapin method , what is the ideal speed for use to this with ich user
Can i use ip range like 10.18.32.0-10.18.47.0 in Per-IP shaper.??
What version of FortiOS? in 5.6 and 5.4 You can use a range in your Traffic Shaping Policy and apply per IP shaping to it. Per IP shaping is going to give you that bandwidth per IP though. If you want the whole range to share a certain sized pipe (created by the traffic shaping itself) you will want to use shared shaping.
an I set per-ip traffic shaping to download only? I see that the policy applies to both up and down.
*Can