Silver
New Contributor

Traffic shaper Per IP

Hello,

Can someone tell me how the per-IP traffic shaper works? If I am not wrong, it is per source IP address.

Let's say we configured the per-IP policy with max bandwidth 512k and max concurrent connections 10.

I apply it to a security policy from LAN to WAN, and inside the LAN we have 20 users, so what will happen here?

How will the traffic shaper work per IP: will each user get a maximum bandwidth of 512k, or will the 512k be shared between the 20 users, with a maximum of 10 connections per user? If I am wrong, please correct me.

I would like to know exactly how it works.

Thanks

 

norouzi
Contributor

The per-IP traffic shaper works on every IP address. If you do not have any NAT inside the LAN, that means every user.

In your scenario, every IP address will have 512k of traffic, not more.

Carl_Wallmark
Valued Contributor

and only 10 sessions per IP

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Silver
New Contributor

Dear Both,

 

Thank you very much for your input. But the concurrent connection setting here means that each IP address can have a maximum of 10 concurrent sessions, meaning it can browse to only 10 web pages, not more.

ede_pfau
SuperUser

I doubt that you can browse to any page on the web when only 10 connections are allowed. Imagine a web page with some pictures (on different sites), or ads or banners. These can easily amount to dozens of connections to different hosts.

I've seen a single user having 500+ sessions open only while browsing.

 

This doesn't mean all connections (sessions) are active at the same time or for all the time. But until they time out (e.g. after 600 seconds, the default) the user is not seeing any progress with loading a web page.

 

I'd stick to limiting bandwidth alone.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
Dave_Hall
Honored Contributor

I was going to post the very same, but wasn't sure how exactly the FortiGate would classify concurrent connections as opposed to, say, "total sessions"; to me, concurrent sessions mean having multiple connections to the same site (e.g. 8 sessions to site1, 7 sessions to site2, 6 sessions to site3, etc.). Had to recheck the CLI Reference manual -- the description says max number of sessions.

 

 

But I agree with ede.  10 sessions is not enough.  I suggest starting off with a semi-high value then work your way down to a more realistic range.

 

That said, having played around with this setting for a bit, I received nothing but grief from the site I tested this at -- in that case, as Ede stated -- a lot of sessions were open but idle.

 

ede_pfau wrote:

I doubt that you can browse to any page on the web when only 10 connections are allowed. Imagine a web page with some pictures (on different sites), or ads or banners. These can easily amount to dozens of connections to different hosts.

I've seen a single user having 500+ sessions open only while browsing. [...]

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Silver
New Contributor

When you mentioned that every user IP address will get 512k, not more, it means that if we have 10 users using the same policy, all 10 will get 512k each, 5120k in total. That is too much if we have ISP internet traffic of only 2MB, so what will happen?

Silver
New Contributor

Any update, please?

Mark_Oakton
Contributor

That is correct, unless you have a shared traffic shape policy for a group or a policy rule.

Infosec Partners
Silver
New Contributor

Hello Mark,

Thanks for your reply. But it will be a problem if each user gets 512k, as the bandwidth will be saturated if we have a pipe of 2 MB.
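
The setup discussed in this thread, as an added FortiOS CLI example that is not part of any post above and not Fortinet's own configuration: a per-IP shaper with the 512k / 10-session values from the question, plus a shared shaper on the same policy to bound the aggregate, which is the option Mark_Oakton's reply refers to. The object names, the policy ID and the 2048 value are assumptions, and the bandwidth unit depends on the FortiOS release.

```fortios
# Added example; names, policy ID and the shared-shaper value are placeholders.

# Per-IP shaper: both limits are enforced separately for each source IP
# (values taken from the question).
config firewall shaper per-ip-shaper
    edit "per-ip-512k"
        set max-bandwidth 512
        set max-concurrent-session 10
    next
end

# Shared shaper: a single limit for all traffic that uses it, so the sum of
# the per-IP allowances cannot exceed the WAN link.
# 2048 assumes the "2 MB" pipe means 2 Mbit/s and that the unit is kbit/s;
# the unit differs between FortiOS releases, so confirm it in the CLI
# reference for the running version.
config firewall shaper traffic-shaper
    edit "wan-aggregate"
        set maximum-bandwidth 2048
    next
end

# Apply both shapers to the LAN-to-WAN policy (policy ID 1 is a placeholder).
config firewall policy
    edit 1
        set traffic-shaper "wan-aggregate"
        set traffic-shaper-reverse "wan-aggregate"
        set per-ip-shaper "per-ip-512k"
    next
end
```

After applying, `diagnose firewall shaper per-ip-shaper list` and `diagnose firewall shaper traffic-shaper list` show the current usage and drop counters for each shaper.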
