FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ddsouza_FTNT
Staff
Article Id 192698

Description

 
This article explains how to add a quota for bandwidth-consuming websites in order to limit users.
A quota allows access up to a specified amount of allocated traffic, calculated separately for each user. Quotas are reset every day at midnight. Users must authenticate with the FortiGate unit. The quota is applied to each user individually, so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity-based policy feature. The web filter profile that carries the FortiGuard Web Filter quota must then be applied to that security policy.


Scope

 
FortiGate or VDOM in NAT mode.


Solution

 

There are two basic requirements for this solution:

 

  • The device must have a valid web filtering license.
  • A user identity policy with a web filter profile enabled.


Bandwidth-consuming websites are allocated a traffic volume per day. If the traffic volume used for bandwidth-consuming websites exceeds the limit set by the administrator, the connection is reset.

 

  1. Use a new web filter profile or a clone of the default one. In this example, the default web filter profile is used. In the default web filter profile, set the action to Monitor for the bandwidth-consuming category.

  2. Find the ID of the Bandwidth Consuming category that is to be constrained. The command 'get webfilter categories' shows the category IDs. In this case, it is g04 (Bandwidth Consuming).


get webfilter categories
g01 Potentially Liable:
       ....
       ....
g02 Adult/Mature Content:
       ....
       ....
g04 Bandwidth Consuming:
       19 Freeware and Software Downloads
       24 File Sharing and Storage
       25 Streaming Media and Download
       72 Peer-to-peer file Sharing
       75 Internet Radio and TV
       76 Internet Telephony
g05 Security Risk:
       ....
       ....

 

  3. The following command shows how to add a quota of 10 MB for bandwidth-consuming websites.


config webfilter profile
    edit default
        config ftgd-wf
            config quota
                edit 1
                    set category g04
                    set type traffic
                    set unit MB
                    set value 10
                next
            end
        end
    next
end

 

  4. As a last step, verify that the quota has been set correctly.

This can be done by accessing any video streaming website and opening a video link. Once the traffic reaches the quota, the user can no longer access the resources listed in the bandwidth-consuming websites category.
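Steps 2 and 3 above can be scripted so the group ID is read from the device output instead of typed by hand. The following Python sketch is an added example, not part of the original article or Fortinet code; the function names are hypothetical, the sample output is constructed from the listing above, and the generated commands apply only to FortiOS versions that still offer 'config quota'.

```python
import re

# Constructed sample in the layout of the 'get webfilter categories' output
# shown above; elided groups are kept as "....".
SAMPLE_OUTPUT = """\
g01 Potentially Liable:
       ....
g04 Bandwidth Consuming:
       19 Freeware and Software Downloads
       25 Streaming Media and Download
g05 Security Risk:
       ....
"""

GROUP_RE = re.compile(r"^(g\d+)\s+(.+?):\s*$")       # e.g. "g04 Bandwidth Consuming:"
CATEGORY_RE = re.compile(r"^\s+(\d+)\s+(.+?)\s*$")   # e.g. "       25 Streaming Media..."

def parse_categories(text):
    """Return {group_id: {"name": str, "categories": {id: name}}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), {"name": m.group(2), "categories": {}})
            continue
        m = CATEGORY_RE.match(line)
        if m and current is not None:
            current["categories"][int(m.group(1))] = m.group(2)
    return groups

def find_group(groups, name):
    """Look up a group ID by exact, case-insensitive group name."""
    hits = [gid for gid, g in groups.items() if g["name"].lower() == name.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one group named {name!r}, found {hits}")
    return hits[0]

def quota_config(profile, entry_id, group_id, megabytes):
    """Hypothetical helper: build the step 3 CLI block for a daily traffic quota in MB."""
    if not re.fullmatch(r"g\d+", group_id) or megabytes <= 0:
        raise ValueError("need a gNN group ID and a positive MB value")
    body = [f"set category {group_id}", "set type traffic", "set unit MB", f"set value {megabytes}"]
    lines = ["config webfilter profile", f"    edit {profile}", "        config ftgd-wf",
             "            config quota", f"                edit {entry_id}"]
    lines += [" " * 20 + b for b in body]
    lines += ["                next", "            end", "        end", "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    gid = find_group(parse_categories(SAMPLE_OUTPUT), "Bandwidth Consuming")
    print(quota_config("default", 1, gid, 10))
```

Refusing to proceed when the group name matches zero or several entries keeps a renamed or missing category from silently producing a quota on the wrong group.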

 

Note: On newer versions of the FortiGate, the option mentioned in this article is no longer present.

When trying to configure 'quota' under the Web Filter profile created for this traffic (either a clone of the default one or a new one), the available option after the first step, 'config ftgd-wf', is:

 

(ftgd-wf) # config
filters FortiGuard filters.

 

After selecting 'filters', the options are:

 

(filters) #
edit        Add/edit a table value.
delete      Delete a table value.
purge       Clear all table values.
rename      Rename a table entry.
get         Get dynamic and system information.
show        Show configuration.
end         End and save last config.

 

In this case, the category selected is Shopping, which, as per the category IDs, corresponds to Category 42.

First, add a new custom entry:

 

(filters) # edit 35

set action monitor

 

Then show the full configuration:

 

(35) # show full-configuration
config filters
    edit 35
        set category 42
        set action monitor
        set log enable
    next
end

 

As seen, the option to enable the bandwidth quota for each category is not available.