FortiGate
sjoshi
Staff
Article Id 211405
Description

This article describes how to configure a Per-IP shaper and how to monitor it.

Scope

FortiOS 7.0.x.

Solution

- Create a Per-IP shaper.

# config firewall shaper per-ip-shaper
    edit "2M-Shaper"
        set max-bandwidth 2000
        set max-concurrent-session 10
        set max-concurrent-tcp-session 5
        set max-concurrent-udp-session 2
    next
end

It will look like this on the GUI:

Policy & Objects -> Traffic Shaping, select the 'Traffic Shaper' tab.

(screenshot: Capture.PNG)

Type: Select Per IP Shaper.
Name: Name for the shaper.
Bandwidth Unit: Select the unit of measurement (Kbps, Mbps, or Gbps).
Maximum bandwidth: Maximum bandwidth cap for the shaper.
Max concurrent connections: Maximum number of concurrent sessions for each user. A value of 0 means no limit.
Max concurrent TCP connections: Maximum number of concurrent TCP sessions for each user. A value of 0 means no limit.
Max concurrent UDP connections: Maximum number of concurrent UDP sessions for each user. A value of 0 means no limit.
Forward DSCP: DSCP (Differentiated Services Code Point) value for all packets accepted by the shaper in the original direction.
Reverse DSCP: DSCP (Differentiated Services Code Point) value for all packets accepted by the shaper in the reply direction.

- Create a Traffic Shaping Policy.

# config firewall shaping-policy
    edit 2
        set name "2-M-Shaper-Policy"
        set service "HTTPS"
        set dstintf "port1"
        set per-ip-shaper "2M-Shaper"
        set srcaddr "all"
        set dstaddr "all"
    next
end

It will look like this on the GUI:

Policy & Objects -> Traffic Shaping, select the 'Traffic Shaping Policies' tab.

(screenshot: 2.PNG)

Some useful commands to check from the CLI:

In this article, a PC with IP address 10.40.48.5 is accessing an HTTPS site.

To view information for the Per-IP shaper:

# diagnose firewall shaper per-ip-shaper list

name 2M-Shaper
maximum-bandwidth 250 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
        addr=10.40.48.5 status: bps=0 ses=2

Analysis of the output:

The output shows the name of the shaper in use and the status of the Per-IP shaper, including whether any packets are being dropped and which source addresses are currently using the shaper.

Note that the bandwidth shown in the CLI is measured in bytes (KB/sec), while the bandwidth shown in the GUI is measured in bits (kbps): the 2000 kbps configured above is therefore displayed as 250 KB/sec.

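To automate the check described above, here is an added Python example (not from this article or from FortiOS) that parses text in the format of the 'diagnose firewall shaper per-ip-shaper list' output, converts the CLI's KB/sec figure to the GUI's kbps, and flags shapers that are dropping packets and hosts that have reached the session quota; the sample output and the second host address are constructed.

```python
import re

# Constructed sample in the format of 'diagnose firewall shaper per-ip-shaper list' (not captured from a device).
SAMPLE_OUTPUT = """\
name 2M-Shaper
maximum-bandwidth 250 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 12
bytes dropped 18240
        addr=10.40.48.5 status: bps=0 ses=2
        addr=10.40.48.7 status: bps=2000000 ses=10
"""

ADDR_RE = re.compile(r"addr=(\S+)\s+status:\s+bps=(\d+)\s+ses=(\d+)")

def parse_per_ip_shapers(text):
    """Parse the shaper list into dicts; one dict per 'name' block with its per-address status lines."""
    shapers = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("name "):
            current = {"name": stripped.split(None, 1)[1], "hosts": []}
            shapers.append(current)
        elif current is None:
            continue  # ignore anything before the first shaper block
        elif stripped.startswith("maximum-bandwidth "):
            current["max_kbps"] = int(stripped.split()[1]) * 8  # CLI KB/sec -> GUI kbps (250 -> 2000)
        elif stripped.startswith("maximum-concurrent-session "):
            current["max_sessions"] = int(stripped.split()[1])  # 0 means no limit
        elif stripped.startswith("packets dropped "):
            current["packets_dropped"] = int(stripped.split()[2])
        else:
            m = ADDR_RE.search(stripped)
            if m:
                current["hosts"].append({"addr": m.group(1), "bps": int(m.group(2)), "ses": int(m.group(3))})
    return shapers

def find_issues(shapers):
    """Return warnings for shapers dropping traffic and for hosts that have reached the session quota."""
    issues = []
    for s in shapers:
        if s.get("packets_dropped", 0) > 0:
            issues.append(f"{s['name']}: {s['packets_dropped']} packets dropped (exceeded shaper limit)")
        for h in s["hosts"]:
            if s.get("max_sessions", 0) and h["ses"] >= s["max_sessions"]:
                issues.append(f"{s['name']}: {h['addr']} at session quota ({h['ses']}/{s['max_sessions']})")
    return issues
```
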
Session information with the Per-IP shaper:

# diagnose sys session filter src 10.40.48.5
# diagnose sys session list

session info: proto=6 proto_state=01 duration=5 expire=3594 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=2M-Shaper
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty per_ip f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=52/1/1 tuples=2
tx speed(Bps/kbps): 16/0 rx speed(Bps/kbps): 9/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.40.31.254/10.40.48.5
hook=post dir=org act=snat 10.40.48.5:56705->172.253.62.113:443(10.40.19.12:56705)
hook=pre dir=reply act=dnat 172.253.62.113:443->10.40.19.12:56705(10.40.48.5:56705)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=14734 auth_info=0 chk_client_info=0 vd=0
serial=000bce26 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
total session 1

 

Analysis of the output: from the session list, it is possible to find out which shaper the session is using (per_ip_shaper=2M-Shaper) and which traffic shaping policy it matches (shaping_policy_id=2).

Note:

If any traffic exceeds the configured maximum bandwidth threshold of the Per-IP shaper, the 'exceeded shaper limit, drop' message will be visible in the debug flow.

If any traffic exceeds the configured maximum number of concurrent connections, the 'blocked by quota check, drop' message will be visible in the debug flow.
