Traffic shaper Per IP

Silver · ‎10-28-2014

Hello,

Can someone tell me how the traffic shaper per ip work. if am not wrong its per source ip address.

Let say we configured the Per IP policy max bandwidth 512k and Max Concurrent connection 10

I apply it into a security policy from LAN to WAN and inside the LAN we are having 20 users so here what will happen

how the traffic shaper will work per IP does each user will get a maximum bandwidth of 512k or the 512 k will share between 20 users and maximum connection a user can do 10. if am wrong please correct me

i would like to know how exactly it work

Thank

norouzi · ‎10-28-2014

Per IP Traffic Shaper works on every IP address.If you have not any NAT inside LAN, it means every user.

In your senario, every IP address will have 512k traffic not more.

Carl_Wallmark · ‎10-28-2014

and only 10 sessions per IP

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Silver · ‎10-28-2014

Dear Both,

Thank you very much for your input. But the concurrent connection here mean per ip address it can do maximum 10 concurrent session mean it can browse to only 10 web pages not more

ede_pfau · ‎10-28-2014

I doubt that you can browse to any page on the web when only 10 connections are allowed. Imagine a web page with some pictures (on different sites), or ads or banners. These can easily amount to dozens of connections to different hosts.

I've seen a single user having 500+ sessions open only while browsing.

This doesn't mean all connections (sessions) are active at the same time or for all the time. But until they time out (e.g. after 600 seconds, the default) the user is not seeing any progress with loading a web page.

I'd stick to limiting bandwidth alone.

Ede Kernel panic: Aiee, killing interrupt handler!

Dave_Hall · ‎10-28-2014

I was going to post the very same, but wasn't sure how exactly the Fortigate would classify as concurrent connections as appose to say "total sessions"; to me concurrent sessions mean having multiple connections to the same site. (e.g. 8 sessions to site1, 7 sessions to site2, 6 sessions to site3, etc.) Had to recheck the CLI Reference manual -- description says max number of sessions.

But I agree with ede. 10 sessions is not enough. I suggest starting off with a semi-high value then work your way down to a more realistic range.

That said, having played around with this setting for a bit, I received nothing but grief from the site I tested this at -- in that case, as Ede stated -- a lot of sessions were open but idle.

ede_pfau wrote:
I doubt that you can browse to any page on the web when only 10 connections are allowed. Imagine a web page with some pictures (on different sites), or ads or banners. These can easily amount to dozens of connections to different hosts.
I've seen a single user having 500+ sessions open only while browsing. [...]

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Silver · ‎11-05-2014

when you mentioned every user ip address will get 512k not more mean if we are having 10 users using the same policy it mean that all the 10 will get 512k each in total 5120k so too much if we have a isp internet traffic for only 2MB so what will happen

Silver · ‎11-24-2014

Any update plz

Mark_Oakton · ‎11-25-2014

that is correct, unless you have a shared traffic shape policy for a group or a policy rule

Infosec Partners

Silver · ‎11-25-2014

Hello Mark,

Thanks for your reply. but it will be a problem if each user will get 512k so the bandwidth will be saturated if we have a pipe of 2 MB.