This article describes how to configure a Per-IP shaper and how to monitor it.
Applies to FortiOS 7.0.x.
Create a Per-IP shaper:
# config firewall shaper per-ip-shaper
edit "2M-Shaper"
set max-bandwidth 2000
set max-concurrent-session 10
set max-concurrent-tcp-session 5
set max-concurrent-udp-session 2
next
end
It will look like this on the GUI:
Policy & Objects -> Traffic Shaping, select the 'Traffic Shapers' tab.
Type: Select 'Per-IP Shaper'.
Name: Name for the shaper.
Bandwidth Unit: Select the unit of measurement (Kbps, Mbps or Gbps).
Maximum bandwidth: Maximum bandwidth cap for the shaper.
Max concurrent connections: Maximum number of concurrent sessions for each user. A value of '0' means no limit.
Max concurrent TCP connections: Maximum number of concurrent TCP sessions for each user. A value of '0' means no limit.
Max concurrent UDP connections: Maximum number of concurrent UDP sessions for each user. A value of '0' means no limit.
Forward DSCP: DSCP (Differentiated Services Code Point) value applied to all packets accepted by the shaper in the original direction.
Reverse DSCP: DSCP (Differentiated Services Code Point) value applied to all packets accepted by the shaper in the reply direction.
Create a Traffic Shaping Policy:
# config firewall shaping-policy
edit 2
set name "2-M-Shaper-Policy"
set service "HTTPS"
set dstintf "port1"
set per-ip-shaper "2M-Shaper"
set srcaddr "all"
set dstaddr "all"
next
end
It will look like this on the GUI:
Policy & Objects -> Traffic Shaping, select 'Traffic Shaping Policies'.
Some useful commands to check from the CLI:
In this article, a PC with IP address 10.40.48.5 is accessing an HTTPS site.
To view information about the Per-IP shaper:
# diagnose firewall shaper per-ip-shaper list
name 2M-Shaper
maximum-bandwidth 250 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
addr=10.40.48.5 status: bps=0 ses=2
Analysis from the output:
It is possible to see the name of the shaper in use and to check the status of the Per-IP shaper: whether any packets are being dropped, and which source addresses are currently using the shaper (with their current rate and session count).
Note that the bandwidth shown in the CLI is measured in bytes per second (250 KB/sec), while the bandwidth configured and shown in the GUI is measured in bits per second (2000 Kbps).
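As an added example (not part of the original article or of FortiOS), the following Python script parses the 'diagnose firewall shaper per-ip-shaper list' output shown above, converts the CLI's KB/sec figure back to the Kbps value used in the configuration, and flags shapers with drop counters or hosts that have reached the per-IP session cap. The sample output is constructed: the first block is the article's own output, the second shaper block is invented for illustration.

```python
import re
# Constructed sample in the format of 'diagnose firewall shaper per-ip-shaper list'.
# The first block is the article's output; the second shaper is invented.
SAMPLE_OUTPUT = """\
name 2M-Shaper
maximum-bandwidth 250 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
addr=10.40.48.5 status: bps=0 ses=2
name Guest-Shaper
maximum-bandwidth 125 KB/sec
maximum-concurrent-session 5
packets dropped 42
bytes dropped 61440
addr=10.40.48.20 status: bps=131072 ses=5
"""
ADDR_RE = re.compile(r"addr=(\S+) status: bps=(\d+) ses=(\d+)")

def parse_per_ip_shapers(text):
    """Return one dict per shaper block; a 'name' line starts a new block."""
    shapers = []
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if line.startswith("name "):
            shapers.append({"name": line.split(None, 1)[1], "addrs": []})
        elif not shapers:
            continue  # ignore anything before the first 'name' line
        elif line.startswith("maximum-bandwidth "):
            # CLI prints kilobytes/sec; config and GUI use kilobits/sec, so x8.
            shapers[-1]["max_kbps"] = int(parts[1]) * 8
        elif line.startswith("maximum-concurrent-session "):
            shapers[-1]["max_sessions"] = int(parts[1])
        elif line.startswith(("packets dropped", "bytes dropped")):
            shapers[-1][parts[0] + "_dropped"] = int(parts[2])
        elif m := ADDR_RE.match(line):
            shapers[-1]["addrs"].append({"addr": m[1], "bps": int(m[2]), "ses": int(m[3])})
    return shapers

def shaper_findings(shaper):
    """Flag drop counters and hosts that have reached the per-IP session cap."""
    out = []
    if shaper.get("packets_dropped", 0):
        out.append(f"{shaper['name']}: {shaper['packets_dropped']} packets dropped")
    cap = shaper.get("max_sessions", 0)
    for a in shaper["addrs"]:
        if cap and a["ses"] >= cap:
            out.append(f"{shaper['name']}: {a['addr']} at session cap {a['ses']}/{cap}")
    return out
```

Feed it the saved output of the diagnose command (for example from a scheduled CLI capture) to spot shapers that are actively dropping traffic or hosts pinned at their session limit.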
Session information for traffic matched by the Per-IP shaper:
# diagnose sys session filter src 10.40.48.5
# diagnose sys session list
session info: proto=6 proto_state=01 duration=5 expire=3594 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=2M-Shaper
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty per_ip f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=52/1/1 tuples=2
tx speed(Bps/kbps): 16/0 rx speed(Bps/kbps): 9/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.40.31.254/10.40.48.5
hook=post dir=org act=snat 10.40.48.5:56705->172.253.62.113:443(10.40.19.12:56705)
hook=pre dir=reply act=dnat 172.253.62.113:443->10.40.19.12:56705(10.40.48.5:56705)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=14734 auth_info=0 chk_client_info=0 vd=0
serial=000bce26 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
total session 1
Analysis from the output: From the session list, it is possible to find out which shaper a particular session is using (per_ip_shaper=2M-Shaper) and which traffic shaping policy it matched (shaping_policy_id=2).
Note:
If any traffic exceeds the configured maximum bandwidth threshold of the Per-IP shaper, the message 'exceeded shaper limit, drop' will be visible in the debug flow.
If any traffic exceeds the configured maximum number of concurrent connections, the message 'blocked by quota check, drop' will be visible in the debug flow.
Copyright 2024 Fortinet, Inc. All Rights Reserved.