Per-IP shaping
Traffic shaping by IP enables you to apply traffic shaping to all source IP addresses in the security policy. As well as controlling the maximum bandwidth for the users of a selected policy, you can also define the maximum number of concurrent sessions.
Per-IP traffic shaping enables you to limit the behavior of every member of a policy so that no single user can consume all the available bandwidth; the bandwidth is shared equally within the group. Using a per-IP shaper avoids having to create multiple policies for every user to whom you want to apply a shaper. Per-IP traffic shaping is not supported over NP2 interfaces.
Per-IP traffic shaping configuration settings
To configure per-IP traffic shaping go to Policy & Objects > Traffic Shapers > Per-IP and select the Create New “Plus” sign.
Type
Select Per-IP.
Name
Enter a name for the per-IP traffic shaper.
Maximum Bandwidth
The maximum bandwidth tells the security policy the largest amount of traffic allowed to use the policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the shaper. Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.
Maximum Concurrent Connections
Enter the maximum number of allowed concurrent connections.
Forward DSCP / Reverse DSCP
Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.
Example
The following steps create a Per-IP traffic shaper called “Accounting” with a maximum traffic amount of 720,000 Kb/s and a maximum of 200 concurrent sessions.
To create the per-IP shaper – web-based manager:
1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” Icon.
2. Set the Type to Per-IP.
3. Enter the Name Accounting.
4. Enable the Maximum Bandwidth and enter the value 720000.
5. Enable the Maximum Concurrent Sessions and enter the value 200.
6. Select OK.
To create the per-IP shaper – CLI:
config firewall shaper per-ip-shaper
    edit Accounting
        set max-bandwidth 720000
        set max-concurrent-session 200
    next
end
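To make the two limits concrete, the following Python model (an added example, not FortiOS code or Fortinet documentation) applies the page's values, 720,000 Kb/s and 200 sessions, separately to each source IP over constructed traffic from two hosts; the IP addresses and the one-second accounting window are assumptions of the model.

```python
from collections import defaultdict

# Bandwidth is in Kb/s, the unit FortiOS uses for max-bandwidth; a value of
# 0 means unlimited, matching the documented behaviour of the setting.
UNLIMITED = 0


class PerIpShaper:
    """Simplified model of a per-IP shaper (not FortiOS code): every source IP
    gets its own bandwidth budget per one-second window and its own cap on
    concurrent sessions, so one host cannot starve the others."""

    def __init__(self, max_bandwidth_kbps=720000, max_concurrent_session=200):
        self.max_bits = max_bandwidth_kbps * 1000   # per-IP budget per second
        self.max_sessions = max_concurrent_session
        self.bits_used = defaultdict(int)            # src_ip -> bits this second
        self.sessions = defaultdict(int)             # src_ip -> open sessions

    def new_second(self):
        """Window roll-over: bandwidth budgets reset, open sessions persist."""
        self.bits_used.clear()

    def open_session(self, src_ip):
        """Admit a new session unless this IP is already at its session cap."""
        if self.max_sessions != UNLIMITED and self.sessions[src_ip] >= self.max_sessions:
            return False
        self.sessions[src_ip] += 1
        return True

    def close_session(self, src_ip):
        self.sessions[src_ip] = max(0, self.sessions[src_ip] - 1)

    def admit(self, src_ip, bits):
        """Forward a packet only if this IP still has budget in this second."""
        if self.max_bits != UNLIMITED and self.bits_used[src_ip] + bits > self.max_bits:
            return False
        self.bits_used[src_ip] += bits
        return True


def demo():
    """Constructed traffic: 10.0.0.5 offers 1 Gb in one second and tries to
    open 250 sessions; 10.0.0.6 offers 100 Mb. Returns megabits admitted per
    host and sessions granted to the greedy host."""
    shaper = PerIpShaper()
    greedy = sum(shaper.admit("10.0.0.5", 1_000_000) for _ in range(1000))
    modest = sum(shaper.admit("10.0.0.6", 1_000_000) for _ in range(100))
    opened = sum(shaper.open_session("10.0.0.5") for _ in range(250))
    return {"greedy_mb": greedy, "modest_mb": modest, "greedy_sessions": opened}
```

With a shared shaper the same 720,000 Kb/s would be a single pool that the greedy host could exhaust before the modest host sent anything; in the per-IP model the modest host's full 100 Mb is forwarded while the greedy host is cut off at 720 Mb and 200 sessions.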
Adding a Per-IP traffic shaper to a traffic shaping policy
Per-IP traffic shaping is supported by IPv6 security policies. You can add any Per-IP traffic shaper to an IPv6 security policy in the CLI.
Example
The following steps show you how to add an existing Per-IP traffic shaper to an IPv6 security policy. Make sure that you have already created a Per-IP traffic shaper under Policy & Objects > Traffic Shapers.
To add a Per-IP traffic shaper to an IPv6 security policy – web-based manager:
1. Go to Policy & Objects > IPv6 Policy and click the Create New “Plus” icon to create an internet access policy.
2. Set the following:
Name Enter a descriptive name.
Incoming Interface Internal
Source address All
Outgoing interface wan1
Destination address all
Schedule Always
Service Any
Action Accept
3. Select OK.
4. Go to Policy & Objects > Traffic Shaping Policy and click the Create New “Plus” icon to create a new traffic shaping policy.
5. To apply your traffic shaping policy to the security policy you created earlier, set the Matching Criteria to the following:
Source all
Destination address all
Service ALL
Application Category –
Application –
URL Category –
6. Under Apply shaper, set the following:
Outgoing interface any
(The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)
Shared Shaper –
Reverse Shaper –
Per-IP Shaper Enable Per-IP Shaper and select your shaper from the dropdown menu.
Enable this policy Enable this policy.
7. Select OK.
8. On the policy list page, move the new traffic shaping policy to the top of the list by dragging and dropping it using the far left column.
There are two methods to configure traffic shaping in the CLI. You can add a Per-IP shaper directly to an IPv6 security policy, or you can add a Per-IP shaper to a traffic shaping policy. The second method will allow you to apply traffic shaping based on the interface and can therefore affect multiple security policies easily. The first method requires that you enable traffic shaping individually in ALL policies using the same two interfaces.
To add a Per-IP traffic shaper to an IPv6 security policy – CLI:
config firewall policy6
    edit <security policy ID number>
        set per-ip-shaper <per IP shaper name>
end
To add a Per-IP traffic shaper to an IPv6 traffic shaping policy – CLI:
config firewall shaping-policy
    edit <shaping policy ID number>
        set ip-version 6
        set srcaddr <source address>
        set dstaddr <destination address>
        set service <service name>
        set dstintf <outgoing interface>
        set per-ip-shaper <per IP shaper name>
end