HatiUjja
Staff
Article Id 244968
Description

This article describes how to limit concurrent sessions from one source IP to a specific destination through a traffic shaper.

Scope

FortiGate.
Solution

With the configuration in this article, only one concurrent connection per source IP is allowed to the destination IP 8.8.8.8.

Create a traffic shaper as shown in the screenshot below.

Here, the Max concurrent connection limit is set to 1 connection:

[Screenshot: HatiUjja_0-1675771353829.png]

After creating the traffic shaper, create a traffic shaping policy towards the destination to limit the sessions, and apply the traffic shaper in it.

[Screenshot: HatiUjja_1-1675771353837.png]

In the above shaping policy, Port1 is the outgoing interface towards the destination 8.8.8.8, and 'test' is the per-IP traffic shaper.

This traffic shaper is applied to sessions matched by the IPv4 firewall policy that allows traffic to 8.8.8.8.

To verify if the traffic shaper is applied properly, it is possible to filter the session table by the destination address and verify if the shaper is applied to the session.

# diagnose sys session filter dst 8.8.8.8
# diagnose sys session list

session info: proto=1 proto_state=00 duration=399 expire=1 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=test
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty per_ip
statistic(bytes/packets/allow_err): org=28728/342/1 reply=28728/342/1 tuples=2
tx speed(Bps/kbps): 71/0 rx speed(Bps/kbps): 71/0
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=10.5.31.254/10.248.15.168
hook=post dir=org act=snat 10.248.15.168:256->8.8.8.8:8(10.5.21.173:60672)
hook=pre dir=reply act=dnat 8.8.8.8:60672->10.5.21.173:0(10.248.15.168:256)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=000bdb29 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
total session 1

Flow debug output shows that packets are dropped by the quota check when a source IP attempts more than one connection:

id=20085 trace_id=579 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.248.15.168:3328->8.8.8.8:2048) from port3. type=8, code=0, id=3328, seq=9."
id=20085 trace_id=579 func=init_ip_session_common line=5995 msg="allocate a new session-000ca285"
id=20085 trace_id=579 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.5.31.254 via port1"
id=20085 trace_id=579 func=fw_forward_handler line=738 msg="Denied by quota check"

To verify the traffic shaper statistics, including the number of dropped packets and bytes, run the command below:

# diagnose firewall shaper per-ip-shaper list

name test
maximum-bandwidth 0 KB/sec
maximum-concurrent-session 1
tos ff/ff
packets dropped 256
bytes dropped 21504