Skip to main content
ESCHAN_FTNT
Staff
ESCHAN_FTNT
Staff
August 6, 2015

Technical Tip: How to restrict Microsoft Windows updates from over-utilizing Internet Bandwidth

  • August 6, 2015
  • 0 replies
  • 11100 views

Description

 

This article describes how to use application control within Windows 10 to limit the maximum bandwidth used by Windows updates.
 
Scope
 
Windows 10, FortiGate, FortiWiFi.
 
Solution
 
When Windows 10 released in July 2015, more than 16 upgrades per second were performed worldwide. Due to this, many clients reported that their Internet bandwidth was fully utilized, thus causing Internet browsing experience to become slower than ever.
 
To limit bandwidth used by Windows updates, first configure a shared packet shaper with a maximum bandwidth of 2Mbps.
Windowsupdate1.PNG
 

In previous versions, it was necessary to go to application control to apply the traffic shapers, as well as in the firewall policy.

However, in versions 6.4 and above, it is possible to directly create a traffic shaper policy in the traffic shaping section.

 

There are three options to restrict, limit the bandwidth for Microsoft Update service (in all cases incoming, outgoing interfaces, source objects should be matching in both policies - firewall and traffic shaper policy):

  1. Using an ISDB as a destination address only in a traffic shaper policy (firewall policy's destination could be either all, or specified ISDB);
  2. Using application list in a traffic shaper policy, whilst firewall policy has application control UTM enabled;
  3. Using both ISDB address, and a specified application in the traffic shaper policy (firewall policy must have UTM enabled);

 

The screenshot below is for the second option. It means an 'Application Control' UTM Profile has to be enabled in an appropriate firewall policy.
widnowsupdate2.PNG

 

However, if the updates are on-going in an existing session, the changes will not be applied immediately. To clear all existing sessions, use the following command:
 
diagnose sys session filter clear
diagnose sys session filter policy <firewall-policy-ID>
diagnose sys session clear

This command will clear all existing sessions matching to that specific policy ID, causing slight network interruption. Other filters can be used, as described in Technical Tip: Using filters to clear sessions on a FortiGate in the CLI.
 
Related documents:
Technical Tip: Shaping-policy traffic shaping vs firewall-policy traffic shaping behavior in FortiGate

FortiGate / FortiOS 7.6.5 Administration Guide - Traffic shaping policies

Terms & ConditionsAccessibility statement