When a particular IP address uses too many resources, you can prevent that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.
First, you will enable traffic shaping and create an address object to target a specific internal IP address. Then, you will create a shared shaper and a security policy that uses that specific IP address as the source address.
This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.
1. Enabling Traffic Shaping
Go to System > Config > Features and select the Show More button to view additional features. Select ON to enable Traffic Shaping and apply your changes.
2. Creating an Address Object
Go to Policy & Objects > Objects > Addresses and select Create New to define the address you would like to limit.
Set Category to Address and enter a name (in the example, limited_bandwidth).
Set Type to IP/Netmask. For the Subnet / IP Range, enter the internal IP address you wish to limit.
Lastly, set Interface to any and select Show in Address List.
3. Configuring a traffic shaper to limit bandwidth
Go to Policy & Objects > Objects > Traffic Shapers and select Create New to define a new Shared Traffic Shaper profile.
Set Type to Shared. Set Apply shaper to Per Policy.
Set Traffic Priority to Medium.
Select Max Bandwidth and enter 200 kb/s (0.2 Mbps). Select Guaranteed Bandwidth and enter 100 kb/s (0.1 Mbps).
4. Creating a security policy
Go to Policy & Objects > Policy > IPv4 and create a new security policy to limit bandwidth for the IP address you configured in Step 2.
Set the Source Address to limited_bandwidth.
Enable Shared Shaper and Reverse Shaper and select limited-bandwidth from the drop-down menu. The Shared Shaper restricts the bandwidth for uploads and the Reverse Shaper restricts downloads.
For Logging Options, select All Sessions for testing purposes.
Order your policies so that your new security policy is above your general Internet access policies.
5. Results
When a computer with the IP you have specified, 10.1.10.10, browses the Internet from your internal network, its bandwidth will be restricted to the amount you set in your shaper.
Go to System > FortiView > Sources to view traffic, and use the search field to filter your results by Source IP.
Go to Policy & Objects > Monitor > Traffic Shaper Monitor and set the Report By option to Current Bandwidth. If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper. In this example, you can see that the bandwidth does not exceed your set limit: 200 kb/s.
You can also set Report By to Dropped Packets to get an idea of whether your traffic shaper settings need to be adjusted. For example, if there are very few dropped packets, you may need to set a higher Maximum Bandwidth in your shaper.
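Because Step 4 logs all sessions, the same result can be checked offline from exported traffic logs. The script below is an added example, not part of the original recipe: it flags sessions from 10.1.10.10 that matched a policy other than the shaping policy (a policy-ordering problem) or whose average rate exceeds 200 kb/s. The policy ID 2 and the sample log lines are constructed assumptions; the fields used (srcip, policyid, duration, sentbyte, rcvdbyte) are those found in FortiGate traffic logs.

```python
import shlex

LIMITED_IP = "10.1.10.10"   # address limited in the recipe
MAX_KBPS = 200              # shaper Max Bandwidth from the recipe (kilobits/s)
SHAPING_POLICY_ID = "2"     # assumption: ID of the policy created in Step 4

# Constructed sample traffic log lines, trimmed to the fields used here.
SAMPLE_LOGS = """\
date=2015-03-02 time=10:01:12 type=traffic srcip=10.1.10.10 dstip=203.0.113.5 policyid=2 duration=60 sentbyte=300000 rcvdbyte=1450000 service="HTTPS"
date=2015-03-02 time=10:03:40 type=traffic srcip=10.1.10.10 dstip=203.0.113.9 policyid=1 duration=20 sentbyte=90000 rcvdbyte=4000000 service="HTTP"
date=2015-03-02 time=10:04:02 type=traffic srcip=10.1.10.22 dstip=203.0.113.9 policyid=1 duration=10 sentbyte=50000 rcvdbyte=9000000 service="HTTP"
date=2015-03-02 time=10:05:30 type=traffic srcip=10.1.10.10 dstip=198.51.100.7 policyid=2 duration=0 sentbyte=400 rcvdbyte=600 service="DNS"
"""

def parse_line(line):
    """Parse one key=value log line; quoted values may contain spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def kbps(byte_count, seconds):
    """Average rate in kilobits per second (1 kb = 1000 bits)."""
    return byte_count * 8 / 1000 / seconds

def audit(log_text, ip=LIMITED_IP, limit=MAX_KBPS, policy=SHAPING_POLICY_ID):
    """Return (timestamp, finding, detail) tuples for sessions from `ip`."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("srcip") != ip:
            continue
        when = f"{rec.get('date')} {rec.get('time')}"
        # Session matched a different policy: the shaper never applied to it.
        if rec.get("policyid") != policy:
            findings.append((when, "wrong-policy", rec.get("policyid")))
        duration = int(rec.get("duration", 0))
        if duration <= 0:
            continue  # sub-second session: no meaningful average rate
        # sentbyte is upload (Shared Shaper), rcvdbyte is download (Reverse Shaper).
        for direction, field in (("upload", "sentbyte"), ("download", "rcvdbyte")):
            rate = kbps(int(rec.get(field, 0)), duration)
            if rate > limit:
                findings.append((when, f"{direction}-over-limit", round(rate)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print(*finding)
```

The rates are per-session averages, so short bursts are smoothed out, and a Per Policy shaper limits the combined traffic of all sessions in the policy rather than each session individually.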