Limiting bandwidth with traffic shaping


When a particular IP address uses too many resources, you can prevent that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Enabling Traffic Shaping

Go to System > Feature Select and under Additional Features enable Traffic Shaping.

2. Creating a firewall address

Go to Policy & Objects > Addresses to define the address you would like to limit. Select Create New and select Address from the drop-down menu.

Enter a name: limited_bandwidth. Set Type to IP/Netmask. Set the Subnet/IP Range to the internal IP address you wish to limit. Set Interface to Any.

3. Configuring a traffic shaper to limit bandwidth

Go to Policy & Objects > Traffic Shapers and select Create New to define a new shared Traffic Shaper profile.

Set Type to Shared.

Enter the name limited_bandwidth for your shaper and set the Traffic Priority to Medium.

Select Max Bandwidth and enter 200 kb/s (0.2 Mbps). If you would like to set a Guaranteed Bandwidth, make sure the rate is lower than the Max Bandwidth. Apply your changes.

By default, shared shapers apply shaping by evenly distributing the bandwidth to all policies using it. You can also enable Per Policy shaping to apply shaping individually to each policy. Right-click your new limited_bandwidth shaper, and select Edit in CLI from the drop-down menu.

Enter the following CLI commands (the console opens inside the shaper's own edit context, so no config or edit lines are needed):

    set per-policy enable
end

Now that Per Policy shaping is enabled, edit your limited_bandwidth shaper and set Apply Shaper to Per Policy.

4. Verifying your Internet access security policy

Go to Policy & Objects > IPv4 Policy and look at your general Internet access policy. Take note of the Incoming interface, Outgoing interface, Source and Destination.

If necessary, edit your policy and ensure that Logging Options is set to All Sessions for testing purposes.


5. Creating two Traffic Shaping Policies

Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a shaping policy that will set regular traffic to high priority.

Under Matching Criteria, set Source, Destination, Service to match your Internet Access policy.

Under Apply Shaper, set the Outgoing Interface to match your Internet Access policy and enable Shared Shaper and Reverse Shaper. Shared Shapers affect upload speeds and reverse shapers affect download speeds. Set both shapers to high-priority.


Select Create New to create a second traffic shaping policy that will affect the IP address you wish to limit.

Under Matching Criteria, set Source to limited_bandwidth. Set Destination and Service to ALL. Apply the shaper to the same Outgoing Interface. Enable Shared Shaper and Reverse Shaper and set both shapers to limited_bandwidth.

Order your traffic shaping policies so that your more granular limited_bandwidth policy is above your general high-priority Internet access policy.
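The CLI equivalent of steps 2 to 5, added here as an example and not part of the original recipe. It assumes the Internet-facing interface is named wan1, uses the sample address 192.168.10.10 from the Results section, and relies on the built-in high-priority shaper that ships with FortiOS.

```fortios
# Step 2: the address object for the host to limit (sample value from the recipe)
config firewall address
    edit "limited_bandwidth"
        set subnet 192.168.10.10 255.255.255.255
    next
end

# Step 3: shared shaper capped at 200 kbps, medium priority, applied per policy
config firewall shaper traffic-shaper
    edit "limited_bandwidth"
        set maximum-bandwidth 200
        set priority medium
        set per-policy enable
    next
end

# Step 5: the more specific limited_bandwidth policy must come first (id 1),
# the general high-priority Internet access policy second (id 2).
# "wan1" is an assumed interface name; use your own outgoing interface.
config firewall shaping-policy
    edit 1
        set srcaddr "limited_bandwidth"
        set dstaddr "all"
        set service "ALL"
        set dstintf "wan1"
        set traffic-shaper "limited_bandwidth"
        set traffic-shaper-reverse "limited_bandwidth"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set dstintf "wan1"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
    next
end
```

If the policies were created in the wrong order, `move 1 before 2` inside `config firewall shaping-policy` fixes the sequence; `diagnose firewall shaper traffic-shaper list` then shows each shaper's current bandwidth and dropped bytes, which is the CLI counterpart of the FortiView check in step 6.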

6. Results

When a computer with the IP you have specified, 192.168.10.10, browses the Internet from your internal network, its bandwidth will be restricted by the amount you set in your shaper.

Go to FortiView > Sources to view traffic, and use the search field to filter your results by the Source IP (192.168.10.10).

Go to FortiView > Traffic Shaping to view the current bandwidth usage for any active shapers. Users on the local network will have high-priority traffic.

The IP address you have specified will receive limited-bandwidth treatment and may experience dropped bytes. Your limited-bandwidth shaper should not exceed 200 kbps. Note that the results show the Bytes (Sent/Received) in Megabytes (MB) and the Bandwidth in kilobits per second (kbps).

You can also view these results in a bubble graph by changing the graph type in the drop-down menu. Sort by Bandwidth to verify that your regular traffic is using more bandwidth.

You can also double-click on either shaper to see more granular information. Select the Destinations tab to see which websites are using up the most bandwidth.

For further reading, check out Traffic Shaping in the FortiOS 5.4 Handbook.

Notes on the steps above

Step 1: Two new traffic shaping menus, Traffic Shapers and Traffic Shaping Policy, will appear under Policy & Objects.
Step 2: In this example, 192.168.10.10/32.
Step 3: Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
Step 3: Setting a Traffic Priority will only have an impact if you have enabled Traffic Shaping in ALL your other Internet access policies using the same two interfaces. There must also be some variation; for example, you will not see any differences while all policies are set to the default setting (High).
Step 3: Now that Per Policy shaping is enabled, each security policy using this shaper will have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 200 kb/s (0.2 Mbps) each.
Step 5: Click on the far left column of the policy and move it up or down to change the sequence order.

Kayla Robinson
Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.
  • Luca Vidali

    Hi,
    I have a question. This is the scenario: I have a 50 Mbps internet connection (50 up/50 down). I only need to guarantee 10 Mbps to an e-commerce server published (natted) by the fortigate. This 10 Mbps can be usable by everyone BUT if someone from the Internet needs to download something from the e-commerce server, this traffic must be prioritized. The question is: how does the fortigate unit “know” the total available bandwidth (50 Mbps) in order to understand if it needs to apply shaping because the 50 Mbps throughput has been reached? (the interface is a Gbps interface)

  • Doug Barker

    great write up thanks

  • Gustavo Puente

    Hello, does a Per-IP shaper also need a reverse shaper? I want the same download and upload speeds for single IPs.

    • Hi Gustavo, a Per-IP shaper affects both uploads and downloads already, so a reverse shaper is not needed. You can find more information in our Traffic Shaping handbook chapter: http://docs.fortinet.com/fortigate/admin-guides.

      • Gustavo Puente

        Thank you for your answer Kayla, can I write you privately, because I have a very peculiar scenario that I need to implement and nobody (including the fortinet chat Support) seems to know how. It seems you are the only expert on traffic shaping. My email is gustavop@uhemisferios.edu.ec

        • Hi Gustavo, Feel free to send an email to techdoc@fortinet.com describing your scenario, but often Fortinet support is a better forum for complex scenarios – since they have more in field experience, and should be able to reach out to more channels. Thanks!

  • Theodor Craggs

    Hi Kayla,
    I am trying to shape youtube traffic for one of our clients to only use 4 Mb/s, this client does not use SSL deep inspection and I find that after I have setup the shaping policy to shape traffic for Youtube(application) that the users can still access the site(which is slow and what I expected) but as soon as the videos start to stream they can still stream at any speed including 4 K vids… Can you tell me if there is a way around this without enabling SSL Deep inspection?

    • Kayla Robinson

      Hi Theodor, Could you provide more details on what you are hoping to accomplish? There are definitely a bunch of options that come to mind – like using application control to create a bandwidth Quota for downloads, or blocking the URL category “Bandwidth Consuming – Streaming Media”. The specifics will also depend on whether you’re using FortiOS 5.4 or for example the FortiOS 5.6 Next Generation Firewall policy-based mode (which allows you to add Application Control and web filtering to policies without needing profiles). Google also provides an article on restricting YouTube content here: https://support.google.com/youtube/answer/6214622. These are just a few ideas that come to mind for your firewall policies, and then you would create matching traffic shaping policies. Also remember that traffic shaping is only applied when the available bandwidth is hitting the threshold limits, and your policies will have equal priority until then. Lastly, you may notice that your comment doesn’t appear on my recipe page anymore and that is only because we have just switched from a new comments platform back to Disqus. Hope that helps!

  • Rod

    Hello,

    I would like to know: by enabling traffic shaping without applying it to any rule, will it by default be automatically applied to all traffic please?

    Kind Regards,

    • Hi Rod, If you enable traffic shaping (as shown in Step 1) it won’t be applied to your security policies until you create a traffic shaping policy (as shown in Step 4). The traffic shaping policy will then apply shaping to the security policies matching your set criteria. It should also be noted that to have traffic shaping take effect you must have some traffic set to different levels (i.e. some traffic set to high priority, and other traffic set to low priority). Furthermore, traffic shaping will not actually occur automatically, it is only applied to traffic when the policies are overloaded (or maxed out). If the bandwidth limits are never exceeded, then the traffic shaping priorities will not take effect. I hope this answers your question!

    • Rod

      Hi Kayla,

      Thank you for your prompt reply.
      Great job.

      Best Regards,
      Rod.

  • Marshall

    How would we configure traffic shaping when the WAN connection has ASYNCHRONOUS speed. Download speed is 50 Mbps but upload speed is only 6 Mbps.

  • Olopan

    Hello,

    Can i do traffic shaping to VPN Connection?

    • Hi Olopan, Yes, you can. When you set the matching criteria for your traffic shaping policy you can select the IPsec tunnel as a source of traffic, or any address that you’ve defined for a specific subnet under Policy & Objects > Addresses. Hope that helps!

  • Wooi Boon Tan

    Can I confirm that the traffic shaping only applies to the source address instead of the destination?

    • Hi,
      When you create a traffic shaping policy it will be applied to any security policies that match the criteria you enter (by Source, Destination, Service, Outgoing Interface). If you don’t want to specify a specific destination, you can set Destination to All. You can also find more detailed information in the FortiOS handbook: http://docs.fortinet.com/d/fortigate-traffic-shaping-4

      • Matt Peterson

        I just want to make sure I understand you. Scenario 1. I want the source and the destination to both talk to each other. By creating a shaper and a reverse shaper that means I don’t have to create two traffic shaping policies to accomplish the same thing, assuming I have the security policies in place. Correct? I think that’s what Wooi Boon Tan was wanting to know. So if we only want what’s listed in the source to talk to what’s listed in the destination of the actual shaper policy, then we don’t put in a reverse shaper.

        Now a more complicated scenario, which would have the same answer as above.
        Do I have to create two traffic shaping policies when I want Server A to be able to talk back and forth between Server B and C (i.e. one policy for Server A to upload to B and C, and another policy for B and C to upload to A? Note that B and C should only talk to A, not to each other) or does the “reverse shaper” accomplish the same thing without having to create two traffic shaping policies?

        I usually think of the fortigate looking at the Source IP and if it’s not listed in the “Source Address” field, then it just moves on to the next policy. However, with the “reverse shaper”, it appears that the fortigate could implement the policy if the source IP is in the “Destination” and the “Reverse Shaper” is set, which tells the fortigate to treat the destination as the source, even though the IP isn’t listed in the “Source Address” of the actual shaper policy. The destination IP of the packet used in the “Reverse Shaper” would have to be in the “Source Address” list. So essentially, it just reverses what’s written in the policy so that what was the source is now the destination and what was in the destination is now the source so that we don’t have to create two traffic shaping policies. We’re just assuming that the security policies allow for this as well (which in that case would require two security policies in order for A to talk to both B and C, and B and C to talk with A but not each other.). Is this correct?

        • Hi Matt, A shaper and reverse shaper should work in scenario one. And that’s correct that if your connection is just in one direction then you shouldn’t need a reverse shaper (since there is no reverse traffic in that scenario). Regarding your more complicated scenario, this has more to do with configuring the security policies and then matching the traffic shaping policies accordingly. I would recommend contacting Fortinet Support so that they can provide the correct advice for your setup after reviewing your configuration: http://cookbook.fortinet.com/how-to-work-with-fortinet-support/.

  • INOX-AUSTRIA

    Hello,
    we have a problem with the “Bandwidth Utilization” in all fields. The system shows me a download of 23 kbps but I download at 15 mbit/s. Do you have an idea?

    BR

  • fg

    Even if we have activated Traffic Shaping as in Section 1, we can not see the options “Apply Shaper”, “Outgoing Interface” etc. in the picture from Section 4…

    • Hi, Could you please provide more details and a screenshot of the Traffic Shaping page? You might also want to check your FortiOS version, since a lot of these new traffic shaping features are new to FortiOS 5.4 GUI. This recipe is also available in FortiOS 5.2 and there is a FortiOS 5.4 video (see links in the introduction) which might be easier to make sure your GUI settings match up.

  • Damián Mendoza

    Great document, a question: Can Traffic Shaping by application control be done without NGFW activated? I mean no anti-x licences activated?

    • Hi Damián, All you need is the FortiGuard IPS & Application Control license, which is included in the standard Fortinet subscription. First, you need to create a security policy with application control enabled. Then you can go to Policy & Objects > Traffic Shaping Policy and create shaping policy with application control. Options include setting the application category, application and URL category.

  • Rafael Rojas

    Hi, great article! Can I apply a traffic shaping policy to a VPN IPsec host or subnet? Thanks

    • Hi Rafael, Yes, when you set the matching criteria for your traffic shaping policy you can select the IPsec tunnel as a source of traffic, or any address that you’ve defined for a specific subnet under Policy & Objects > Addresses. Thanks for your comment!

  • Andrew Angelo Ang

    Hmm… seems like there are now two sections for the policies on 5.4. So there’s an “IPv4 Policy” and “Traffic Shaping Policy.” Which policy takes precedence? If say for example, on the IPv4 Policy, there was an entry that Denied the traffic, but on the Traffic Shaping Policy it has a guaranteed bandwidth.

    • Hi Andrew, The traffic shaping policies are applied to any matching IPv4 policies. Therefore the IPv4 policy will take precedence in that scenario and deny the traffic. The guaranteed bandwidth will only work if traffic is coming through the IPv4 policy.

  • Juan Francisco Martinez

    Can I use traffic shaping in an explicit proxy policy?