Limiting bandwidth with traffic shaping

When a particular IP address uses too many resources, you can prevent the device with that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.

1. Enabling Traffic Shaping

Go to System > Feature Select and under Additional Features enable Traffic Shaping.

 

2. Create a firewall address to limit

Go to Policy & Objects > Addresses to define the address you would like to limit. Select Create New and select Address from the drop-down menu.

Enter a name: limited_bandwidth. Set Type to IP/Netmask. Set the Subnet/IP Range to the internal IP address you wish to limit. Set Interface to Any.

 

3. Configuring a traffic shaper to limit bandwidth

Go to Policy & Objects > Traffic Shapers and select Create New to define a new shared Traffic Shaper profile.

Set Type to Shared.

Enter the name limited_bandwidth for your shaper and set the Traffic Priority to Medium.

Select Max Bandwidth and enter 200 Kbps. If you would like to set a Guaranteed Bandwidth, make sure the rate is lower than the Max Bandwidth. Apply your changes.

 

By default, shared shapers apply shaping by evenly distributing the bandwidth to all policies using it. You can also enable Per Policy shaping to apply shaping individually to each policy. Right-click your new limited_bandwidth shaper, and select Edit in CLI from the drop-down menu.

 

Enter the following CLI commands:

config firewall shaper traffic-shaper
 edit "limited_bandwidth"
  set per-policy enable
 end

Now that Per Policy shaping is enabled, edit your limited_bandwidth shaper and set Apply Shaper to Per Policy.

4. Verifying your Internet access security policy

Go to Policy & Objects > IPv4 Policy and look at your general Internet access policy. Take note of the Incoming Interface, Outgoing Interface, Source and Destination.

If necessary, edit your policy and ensure that Logging Options is set to All Sessions for testing purposes.

 

 

5. Create two Traffic Shaping Policies

Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a shaping policy that will set regular traffic to high priority.

Under Matching Criteria, set Source, Destination, and Service to match your Internet Access policy.

Under Apply Shaper, set the Outgoing Interface to match your Internet Access policy and enable Shared Shaper and Reverse Shaper. Shared Shapers affect upload speeds and reverse shapers affect download speeds. Set both shapers to high-priority.

 

 

Select Create New to create a second traffic shaping policy that will affect the IP address you wish to limit.

Under Matching Criteria, set Source to limited_bandwidth. Set Destination and Service to ALL. Apply the shaper to the same Outgoing Interface. Enable Shared Shaper and Reverse Shaper and set both shapers to limited_bandwidth.

 

Order your traffic shaping policies so that your more granular limited_bandwidth policy is above your general high-priority Internet access policy.
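The ordering requirement above can be checked offline. The following is an added example, not part of the original recipe or Fortinet's own tooling: it assumes shaping policies are evaluated top-down with the first match winning (which the ordering step implies), models only the Source field (Destination, Service and Outgoing Interface of the earlier policy are assumed to cover the later one), and uses constructed policy names.

```python
import ipaddress

# Constructed sample: ordered traffic shaping policies as
# (policy name, source subnet, shaper). "all" is modelled as 0.0.0.0/0.
# Only limited_bandwidth and 192.168.1.2/32 come from the recipe; the
# policy names are hypothetical.
GOOD_ORDER = [
    ("limit-host", "192.168.1.2/32", "limited_bandwidth"),
    ("internet-access", "0.0.0.0/0", "high-priority"),
]
BAD_ORDER = list(reversed(GOOD_ORDER))


def effective_shaper(policies, src_ip):
    """Return (policy name, shaper) of the first policy whose source matches."""
    ip = ipaddress.ip_address(src_ip)
    for name, subnet, shaper in policies:
        if ip in ipaddress.ip_network(subnet):
            return name, shaper
    return None, None  # no shaping policy matches this source


def shadowed_policies(policies):
    """List (policy, earlier policy) pairs where the earlier source covers the later one.

    Under first-match evaluation the later policy never takes effect.
    """
    findings = []
    for i, (name, subnet, _) in enumerate(policies):
        net = ipaddress.ip_network(subnet)
        for earlier_name, earlier_subnet, _ in policies[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier_subnet)):
                findings.append((name, earlier_name))
                break
    return findings


if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, effective_shaper(order, "192.168.1.2"), shadowed_policies(order))
```

With the general policy listed first, the limited host is matched by it and never reaches the limited_bandwidth shaper, which is the misordering the check reports.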

 

6. Results

When a computer with the IP you have specified, 192.168.1.2, browses the Internet from your internal network, its bandwidth will be restricted to the amount you set in your shaper.

Go to FortiView > Traffic Shaping to view the current bandwidth usage for any active shapers. Users on the local network will have high-priority traffic.

The IP address you have specified will receive limited-bandwidth treatment and may experience dropped bytes. Your limited-bandwidth shaper should not exceed 200 Kbps. Note that the results show the Bytes (Sent/Received) in Megabytes (MB) and the Bandwidth in kilobits per second (Kbps).

 

You can also view these results in a bubble graph by changing the graph type in the drop-down menu. Sort by Bandwidth to verify that your regular traffic is using more bandwidth.

 
You can also double-click on either shaper to see more granular information. Select the Destinations tab to see which websites are using up the most bandwidth.

For further reading, check out Traffic Shaping in the FortiOS 5.6 Handbook.

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.

After you enable the feature, two new traffic shaping menus, Traffic Shapers and Traffic Shaping Policy, will appear under Policy & Objects.
The address limited in this example is 192.168.1.2/32.
Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
Setting a Traffic Priority will only have an impact if you have enabled Traffic Shaping in ALL your other Internet access policies using the same two interfaces. There must also be some variation; for example, you will not see any differences while all policies are set to the default setting (High).
With Per Policy shaping enabled, each security policy using this shaper will have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 200 Kbps each.
To change the sequence order, click on the far left column of the policy and move it up or down.