Limiting bandwidth with traffic shaping


When a particular IP address uses too many resources, you can prevent that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.

First, you will enable traffic shaping and create an address object to target a specific internal IP address. Then, you will create a shared shaper and a security policy that uses that specific IP address as the source address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.

 1. Enabling Traffic Shaping

Go to System > Config > Features and select the Show More button to view additional features. Select ON to enable Traffic Shaping and apply your changes.

 2. Creating an Address Object

Go to Policy & Objects > Objects > Addresses and select Create New to define the address you would like to limit.

Set Category to Address and enter a name (in the example, limited_bandwidth).

Set Type to IP/Netmask. For the Subnet / IP Range, enter the internal IP address you wish to limit.

Lastly, set Interface to any and select Show in Address List.

 

 3. Configuring a traffic shaper to limit bandwidth

Go to Policy & Objects > Objects > Traffic Shapers and select Create New to define a new Shared Traffic Shaper profile.

Set Type to Shared. Set Apply shaper to Per Policy.

Set Traffic Priority to Medium.

Select Max Bandwidth and enter 200 kb/s (0.2 Mbps). Select Guaranteed Bandwidth and enter 100 kb/s (0.1 Mbps).

 
 

 4. Creating a security policy

Go to Policy & Objects > Policy > IPv4 and create a new security policy to limit bandwidth for the IP address you configured in Step 2.

Set the Source Address to limited_bandwidth.

Enable Shared Shaper and Reverse Shaper and select limited-bandwith from the drop-down menu. The Shared Shaper restricts the bandwidth for uploads and the Reverse Shaper restricts downloads.

For Logging Options, select All Sessions for testing purposes.

 

 

Order your policies so that your new security policy is above your general Internet access policies. 

 

 5. Results

When a computer with the IP you have specified, 10.1.10.10, browses the Internet from your internal network, its bandwidth will be restricted by the amount you set in your shaper.

Go to System > FortiView > Sources to view traffic, and use the search field to filter your results by Source IP. 

Go to Policy & Objects > Monitor > Traffic Shaper Monitor and set the Report By option to Current Bandwidth. If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper. In this example, you can see that the bandwidth does not exceed your set limit: 200 kb/s.

 

You can also set Report By to Dropped Packets to get an idea of whether your traffic shaper settings need to be adjusted. For example, if there are very few dropped packets, you may need to set a higher Maximum Bandwidth in your shaper.
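The following added example (not part of the original recipe and not FortiOS code) models why the policy order in Step 4 matters and what the monitor shows in Step 5: policies are matched top to bottom, and the shaper only drops traffic once the offered load exceeds the 200 kb/s maximum. The policy names `limit-host` and `internet-access`, the per-second load figures, and the simplified drop-the-excess shaper are assumptions made for illustration.

```python
import ipaddress

# Constructed policy entries (hypothetical names); max_kbps=None means no shaper.
SHAPED = {"name": "limit-host", "src": "10.1.10.10/32", "max_kbps": 200}
GENERAL = {"name": "internet-access", "src": "0.0.0.0/0", "max_kbps": None}


def first_match(policies, src_ip):
    """Return the first policy, top to bottom, whose source contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for policy in policies:
        if ip in ipaddress.ip_network(policy["src"]):
            return policy
    return None  # nothing matched: implicit deny


def shape(offered_kbit_per_sec, max_kbps):
    """Simplified shaper: forward at most max_kbps per second, drop the excess.

    Returns (forwarded kbit per second, total dropped kbit).
    """
    forwarded, dropped = [], 0
    for offered in offered_kbit_per_sec:
        sent = offered if max_kbps is None else min(offered, max_kbps)
        forwarded.append(sent)
        dropped += offered - sent
    return forwarded, dropped


def simulate(policies, src_ip, offered):
    """Return (matched policy name, peak forwarded kb/s, dropped kbit)."""
    policy = first_match(policies, src_ip)
    if policy is None:
        return "implicit-deny", 0, sum(offered)
    forwarded, dropped = shape(offered, policy["max_kbps"])
    return policy["name"], max(forwarded), dropped


if __name__ == "__main__":
    heavy = [150, 400, 900, 250]  # constructed offered load, kbit in each second
    light = [50, 120, 80]
    # Shaping policy above the general policy: host is capped, drops appear.
    print(simulate([SHAPED, GENERAL], "10.1.10.10", heavy))
    # Shaping policy below the general policy: it is never reached.
    print(simulate([GENERAL, SHAPED], "10.1.10.10", heavy))
    # Load under the limit: no drops, so the monitor has nothing to show.
    print(simulate([SHAPED, GENERAL], "10.1.10.10", light))
```
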

 

For further reading, check out Traffic Shaping in the FortiOS 5.2 Handbook.

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.

Traffic shaping rules can now be applied to firewall policies.
In this example, 10.1.10.10/32.
Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
Select Per Policy when you want each security policy for day-to-day business traffic to have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 200 kb/s (0.2 Mbps) each.
Setting a Traffic Priority will only have an impact if you have enabled Traffic Shaping in ALL your other Internet access policies. There must also be some variation, for example you will not see any differences while all policies are set to the default setting (High).
Click on the far left of the column you want to move and drag it up or down to arrange it.
  • nirmal

    Is it possible to configure multiple users with different bandwidth for day and night? If yes, how?

  • Emerson

    Kayla,
    Can these settings be used with a VIP address?

  • Cesar Gonzalez

    Hi, I have a 90D unit, and I can't see graphics in the Traffic Shaper monitor. I have all logs in the policy. Any ideas? Regards

    • Hi Cesar, Could you please reply with a bit more information (like what FortiOS build you are currently on and provide a screenshot). I would also recommend taking a look in the FortiView section, too. Otherwise you might need to reach out to Fortinet Support to figure out why you are getting that behaviour. The other thing I’ll mention is that traffic shaping only takes effect when the thresholds are reached, so unless you are maxing out your policies there wouldn’t be any traffic shown in the reports. You can find more info on contacting support here: http://cookbook.fortinet.com/how-to-work-with-fortinet-support/. Hope that helps!