Article Id 244968

This article describes how to limit concurrent sessions from one source IP to a specific destination through a traffic shaper.

Scope: FortiGate.

As per the config in this article, only one connection per source IP will be allowed to the destination IP 

Create a traffic shaper as shown in the below screenshot.


Here, the Max concurrent connection limit is set to 1 connection.

After creating the traffic shaper, create a traffic shaping policy towards the destination to limit the sessions and apply the shaper to it.




In the above shaper policy, Port1 is the outgoing interface towards the destination, and 'test' is the per-IP traffic shaper. 

This traffic shaper is applied based on the IPv4 firewall policy that is allowing traffic to
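The same configuration entered through the CLI, as an added example rather than the article's own screenshots. The address object name 'limited-server', the destination address 192.0.2.10 and the shaping policy ID are placeholders (the shaper name 'test' and the outgoing interface port1 are the article's); the lines starting with # are annotations for the reader and are not accepted by the FortiOS CLI, so drop them before pasting:

```fortios
# Added example, not from the article: CLI equivalent of the GUI steps.
# 'limited-server' and 192.0.2.10 are placeholders for the real destination.

# 1. Address object for the destination whose sessions are to be limited
config firewall address
    edit "limited-server"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# 2. Per-IP shaper: one concurrent session per source IP, no bandwidth cap
#    (max-concurrent-session 0, the default, means no session limit)
config firewall shaper per-ip-shaper
    edit "test"
        set max-concurrent-session 1
    next
end

# 3. Shaping policy towards the destination (outgoing interface port1) that
#    attaches the per-IP shaper; it only acts on traffic already accepted
#    by a matching IPv4 firewall policy
config firewall shaping-policy
    edit 1
        set srcaddr "all"
        set dstaddr "limited-server"
        set service "ALL"
        set dstintf "port1"
        set per-ip-shaper "test"
    next
end
```

The limit is counted per source IP against sessions that match this shaping policy, so keep srcaddr, dstaddr and service at least as broad as the firewall policy that allows the traffic; otherwise sessions that miss the shaping policy are not counted and are not limited.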

To verify that the traffic shaper is applied properly, filter the session table by the destination address and check whether the shaper is applied to the session.


# diagnose sys session filter dst

# diagnose sys session list


session info: proto=1 proto_state=00 duration=399 expire=1 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3




class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255

state=may_dirty per_ip

statistic(bytes/packets/allow_err): org=28728/342/1 reply=28728/342/1 tuples=2

tx speed(Bps/kbps): 71/0 rx speed(Bps/kbps): 71/0

orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=

hook=post dir=org act=snat>

hook=pre dir=reply act=dnat>

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0

serial=000bdb29 tos=ff/ff app_list=0 app=0 url_cat=0

sdwan_mbr_seq=0 sdwan_service_id=0

rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a


total session 1


Flow debug output will show the packets being dropped when more than one connection is attempted from the same source IP:


id=20085 trace_id=579 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1,> from port3. type=8, code=0, id=3328, seq=9."

id=20085 trace_id=579 func=init_ip_session_common line=5995 msg="allocate a new session-000ca285"

id=20085 trace_id=579 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw- via port1"

id=20085 trace_id=579 func=fw_forward_handler line=738 msg="Denied by quota check"


To verify traffic shaper stats run the below command:


# diagnose firewall shaper per-ip-shaper list


name test

maximum-bandwidth 0 KB/sec

maximum-concurrent-session 1

tos ff/ff

packets dropped 256

bytes dropped 21504
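The full diagnostic sequence that produces the three outputs above, as an added example that is not part of the article (the article shows the outputs but not the flow-trace commands). 192.0.2.10 is a placeholder for the limited destination, and the # lines are reader annotations to remove before pasting:

```fortios
# Added example, not from the article. 192.0.2.10 is a placeholder.

# Session table restricted to the destination: a limited session shows
# per_ip in its state line and a non-zero shaping_policy_id
diagnose sys session filter clear
diagnose sys session filter dst 192.0.2.10
diagnose sys session list

# Flow trace for the same destination; open a second connection from the
# same source while this runs and the trace reports "Denied by quota check"
diagnose debug flow filter clear
diagnose debug flow filter daddr 192.0.2.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# ... generate the test connections, then stop the trace and clean up
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# Shaper counters: "packets dropped" grows with every rejected connection
diagnose firewall shaper per-ip-shaper list
```

Always clear the session and flow filters when done; a leftover filter silently narrows later diagnostics and is a common reason a later session-table check appears empty.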