Limiting bandwidth with traffic shaping

When a particular IP address uses too many resources, you can prevent that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit of 200 kb/s for uploads and/or downloads.

Find this recipe for other FortiOS versions: 5.2 | 5.4

1. Enabling Traffic Shaping

Go to System > Feature Select and under Additional Features enable Traffic Shaping.

2. Creating a firewall address

Go to Policy & Objects > Addresses to define the address you would like to limit. Select Create New and select Address from the drop-down menu.

Enter a name: limited_bandwidth. Set Type to IP/Netmask. Set the Subnet/IP Range to the internal IP address you wish to limit. Set Interface to Any.

3. Configuring a traffic shaper to limit bandwidth

Go to Policy & Objects > Traffic Shapers and select Create New to define a new shared Traffic Shaper profile.

Set Type to Shared.

Enter the name limited_bandwidth for your shaper and set the Traffic Priority to Medium.

Select Max Bandwidth and enter 200 kb/s (0.2 Mbps). If you would like to set a Guaranteed Bandwidth, make sure the rate is lower than the Max Bandwidth. Apply your changes.

By default, shared shapers apply shaping by evenly distributing the bandwidth to all policies using it. You can also enable Per Policy shaping to apply shaping individually to each policy. Right-click your new limited_bandwidth shaper, and select Edit in CLI from the drop-down menu.

Enter the following CLI commands:

    set per-policy enable
    end

Now that Per Policy shaping is enabled, edit your limited_bandwidth shaper and set Apply Shaper to Per Policy.

4. Verifying your Internet access security policy

Go to Policy & Objects > IPv4 Policy and look at your general Internet access policy. Take note of the Incoming interface, Outgoing interface, Source and Destination.

If necessary, edit your policy and ensure that Logging Options is set to All Sessions for testing purposes.

 

4. Create two Traffic Shaping Policies

Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a shaping policy that will set regular traffic to high priority.

Under Matching Criteria, set Source, Destination, Service to match your Internet Access policy.

Under Apply Shaper, set the Outgoing Interface to match your Internet Access policy and enable Shared Shaper and Reverse Shaper. Shared Shapers affect upload speeds and reverse shapers affect download speeds. Set both shapers to high-priority.

 

Select Create New to create a second traffic shaping policy that will affect the IP address you wish to limit.

Under Matching Criteria, set Source to limited_bandwidth. Set Destination and Service to ALL. Apply the shaper to the same Outgoing Interface. Enable Shared Shaper and Reverse Shaper and set both shapers to limited_bandwidth.

Order your traffic shaping policies so that your more granular limited_bandwidth policy is above your general high-priority Internet access policy.
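
The ordering rule above, as an added example (not part of the original recipe and not Fortinet code): a small Python model that evaluates shaping policies top-down on first match and flags a policy placed below a broader one. It assumes first-match evaluation and compares only Source, since both recipe policies share Destination, Service and Outgoing Interface; the policy names and the 0.0.0.0/0 source for the general policy are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ShapingPolicy:
    name: str     # hypothetical label, not a FortiOS field
    source: str   # Source address as CIDR
    shaper: str   # shaper used for both Shared and Reverse Shaper


def matching_shaper(policies, src_ip):
    """Return the shaper of the first policy (top-down) whose Source contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for policy in policies:
        if ip in ipaddress.ip_network(policy.source):
            return policy.shaper
    return None  # no shaping policy matched


def shadowed(policies):
    """Names of policies that never match because an earlier Source covers theirs."""
    hidden = []
    for index, policy in enumerate(policies):
        net = ipaddress.ip_network(policy.source)
        earlier = (ipaddress.ip_network(p.source) for p in policies[:index])
        if any(net.subnet_of(e) for e in earlier):
            hidden.append(policy.name)
    return hidden


# Constructed sample data based on the recipe's values.
LIMITED = ShapingPolicy("limit-host", "192.168.10.10/32", "limited_bandwidth")
GENERAL = ShapingPolicy("general-internet", "0.0.0.0/0", "high-priority")

RECIPE_ORDER = [LIMITED, GENERAL]   # granular policy on top, as the recipe says
WRONG_ORDER = [GENERAL, LIMITED]    # general policy on top hides the limit

if __name__ == "__main__":
    for label, order in (("recipe", RECIPE_ORDER), ("wrong", WRONG_ORDER)):
        print(label, matching_shaper(order, "192.168.10.10"), shadowed(order))
```

With the general policy on top, 192.168.10.10 is shaped as high-priority and the 200 kb/s limit is never applied, which is the misconfiguration the check reports.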

5. Results

When a computer with the IP you have specified, 192.168.10.10, browses the Internet from your internal network, its bandwidth will be restricted to the amount you set in your shaper.

Go to FortiView > Sources to view traffic, and use the search field to filter your results by the Source IP (192.168.10.10).

Go to FortiView > Traffic Shaping to view the current bandwidth usage for any active shapers. Users on the local network will have high-priority traffic.

The IP address you have specified will receive limited-bandwidth treatment and may experience dropped bytes. Your limited-bandwidth shaper should not exceed 200 kbps. Note that the results show the Bytes (Sent/Received) in Megabytes (MB) and the Bandwidth in kilobits per second (kbps).

You can also view these results in a bubble graph by changing the graph type in the drop-down menu. Sort by Bandwidth to verify that your regular traffic is using more bandwidth.

You can also double-click on either shaper to see more granular information. Select the Destinations tab to see which websites are using up the most bandwidth.

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.
Notes on the steps above:

  • After enabling Traffic Shaping: Two new traffic shaping menus, Traffic Shapers and Traffic Shaping Policy, will appear under Policy & Objects.
  • Subnet/IP Range: In this example, 192.168.10.10/32.
  • Shaper Type: Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
  • Traffic Priority: Setting a Traffic Priority will only have an impact if you have enabled Traffic Shaping in ALL your other Internet access policies using the same two interfaces. There must also be some variation, for example you will not see any differences while all policies are set to the default setting (High).
  • Per Policy shaping: Now, each security policy using this shaper will have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 200 kb/s (0.2 Mbps) each.
  • Ordering policies: Click on the far left column of the policy and move it up or down to change the sequence order.

Comments:

  • Juan Francisco Martinez

    Can I use traffic shaping in explicit proxy policy?

  • Andrew Angelo Ang

    Hmm… seems like there are now two sections for the policies on 5.4. So there’s an “IPv4 Policy” and “Traffic Shaping Policy.” Which policy takes precedence? If say for example, on the IPv4 Policy, there was an entry that Denied the traffic, but on the Traffic Shaping Policy it has a guaranteed bandwidth.

    • Hi Andrew, The traffic shaping policies are applied to any matching IPv4 policies. Therefore the IPv4 policy will take precedence in that scenario and deny the traffic. The guaranteed bandwidth will only work if traffic is coming through the IPv4 policy.

  • Rafael Rojas

    Hi, great article! Can I apply a traffic shaping policy to a VPN IPsec host or subnet? Thanks

    • Hi Rafael, Yes, when you set the matching criteria for your traffic shaping policy you can select the IPsec tunnel as a source of traffic, or any address that you’ve defined for a specific subnet under Policy & Objects > Addresses. Thanks for your comment!

  • Damián Mendoza

    Great document, a question: Can Traffic Shaping by application control be done without NGFW activated? I mean no anti-x licences activated?

    • Hi Damián, All you need is the FortiGuard IPS & Application Control license, which is included in the standard Fortinet subscription. First, you need to create a security policy with application control enabled. Then you can go to Policy & Objects > Traffic Shaping Policy and create a shaping policy with application control. Options include setting the application category, application and URL category.

  • fg

    Even if we have activated Traffic Shaping as in Section 1, we can not see the options “Apply Shaper”, “Outgoing Interface” etc. in the picture from Section 4…

    • Hi, Could you please provide more details and a screenshot of the Traffic Shaping page? You might also want to check your FortiOS version, since a lot of these new traffic shaping features are new to FortiOS 5.4 GUI. This recipe is also available in FortiOS 5.2 and there is a FortiOS 5.4 video (see links in the introduction) which might be easier to make sure your GUI settings match up.

  • INOX-AUSTRIA

    Hello,
    we have a problem with the “Bandwidth Utilization” in all fields. The system shows me a download of 23 kbps but I download with 15 mbit/s. Have you an idea?

    BR

  • Wooi Boon Tan

    Can I confirm that the traffic shaping only applies to source address instead of destination?

    • Hi,
      When you create a traffic shaping policy it will be applied to any security policies that match the criteria you enter (by Source, Destination, Service, Outgoing Interface). If you don’t want to specify a specific destination, you can set Destination to All. You can also find more detailed information in the FortiOS handbook: http://docs.fortinet.com/d/fortigate-traffic-shaping-4

      • Matt Peterson

        I just want to make sure I understand you. Scenario 1. I want the source and the destination to both talk to each other. By creating a shaper and a reverse shaper that means I don’t have to create two traffic shaping policies to accomplish the same thing, assuming I have the security policies in place. Correct? I think that’s what Wooi Boon Tan was wanting to know. So if we only want what’s listed in the source to talk to what’s listed in the destination of the actual shaper policy, then we don’t put in a reverse shaper.

        Now a more complicated scenario, which would have the same answer as above.
        Do I have to create two traffic shaping policies when I want Server A to be able to talk back and forth between Server B and C (i.e. one policy for Server A to upload to B and C, and another policy for B and C to upload to A? Note that B and C should only talk to A, not to each other) or does the “reverse shaper” accomplish the same thing without having to create two traffic shaping policies?

        I usually think of the FortiGate looking at the Source IP and if it’s not listed in the “Source Address” field, then it just moves on to the next policy. However, with the “reverse shaper”, it appears that the FortiGate could implement the policy if the source IP is in the “Destination” and the “Reverse Shaper” is set, which tells the FortiGate to treat the destination as the source, even though the IP isn’t listed in the “Source Address” of the actual shaper policy. The destination IP of the packet used in the “Reverse Shaper” would have to be in the “Source Address” list. So essentially, it just reverses what’s written in the policy so that what was the source is now the destination and what was in the destination is now the source so that we don’t have to create two traffic shaping policies. We’re just assuming that the security policies allow for this as well (which in that case would require two security policies in order for A to talk to both B and C, and B and C to talk with A but not each other.). Is this correct?

        • Hi Matt, A shaper and reverse shaper should work in scenario one. And that’s correct that if your connection is just in one direction then you shouldn’t need a reverse shaper (since there is no reverse traffic in that scenario). Regarding your more complicated scenario, this has more to do with configuring the security policies and then matching the traffic shaping policies accordingly. I would recommend contacting Fortinet Support so that they can provide the correct advice for your setup after reviewing your configuration: http://cookbook.fortinet.com/how-to-work-with-fortinet-support/.

  • Olopan

    Hello,

    Can I do traffic shaping to VPN Connection?

    • Hi Olopan, Yes, you can. When you set the matching criteria for your traffic shaping policy you can select the IPsec tunnel as a source of traffic, or any address that you’ve defined for a specific subnet under Policy & Objects > Addresses. Hope that helps!

  • Marshall

    How would we configure traffic shaping when the WAN connection has ASYNCHRONOUS speed? Download speed is 50 Mbps but upload speed is only 6 Mbps.