12.9.4. Configuring traffic shaping rules

You configure traffic shaping rules at the network-policy traffic-shaping level. For more details on the command structure, see Configuring rules using UPL.

To configure a traffic shaping rule, specify the following parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Traffic shaping rule name.

Example: name("Traffic shaping rule example").

desc

A description of the rule.

Example: desc("The example of traffic shaping rule configured in CLI").

bandwidth_pool

Bandwidth pool, e.g. bandwidth_pool("1 Mbps").

For more details about creating and configuring bandwidth pools, see Configuring bandwidth pools.

scenario

Scenario that needs to be active for the rule to trigger.

To specify a scenario: scenario = "Example of a scenario".

For more details on configuring scenarios, see Configuring scenarios.

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): log all network packets without setting any limits. To set a limit, you need to specify the number of events to be logged per unit time (s: second; min: minute; h: hour; d: day; the minimum log limit is 5 packets per day) and the maximum number of packets logged per event. For example, rule_log(yes, "3/h", 5) enables logging with the following limits: 3 events per hour with a maximum number of packets per event of 5.

  • rule_log(session): log the start of the session.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add source IP address or domain lists.

Example for IP addresses: src.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify in parentheses the name of the URL list to which the necessary domains were added. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Country codes are taken from the list of ISO 3166-1 country codes.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

user

Users and user groups for which the traffic shaping rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see Configuring LDAP connectors).

The following line shows how to add a local user (local_user), a local group (Local Group), an LDAP user (example.loc\AD_user), and an LDAP group (AD group):

user = (local_user, "CN=Local Group, DC=LOCAL", "example.loc\\AD_user", "CN=AD group, OU=Example, DC=example, DC=loc")

The Active Directory domain example.loc has already been configured. When adding LDAP users and groups, you can specify a list of paths on the server, starting from which the system will search for users and groups.

dst.zone

Traffic destination zone.

Example: dst.zone = Untrusted.

For more details about configuring zones using the CLI, see Zones.

dst.ip

Add lists of destination IP addresses or domains.

To specify an IP address list: dst.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify in parentheses the name of the URL list to which the necessary domains were added. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

dst.geoip

Destination GeoIP. Specify a country code (for example, dst.geoip = AE).

Country codes are taken from the list of ISO 3166-1 country codes.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring service groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a services group: service = lib.service(). Provide the services group name in parentheses.

application

List of applications to which this rule applies. You can specify:

  • All application groups: application = lib.category(All).

  • Application groups: application = lib.applicationgroup(). Provide the application group name in parentheses.

  • Application categories: application = lib.category(). Provide the application category name in parentheses.

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets.
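
A pre-deployment check for the constraints listed in this table, as an added Python example (not part of the product documentation or its tooling): it flags invalid enabled values, more than 15 GeoIP codes, malformed rule_log limits, and rules that leave logging disabled by omitting rule_log. The one-line rule layout, the parenthesised form for several GeoIP codes, and the names lint_rule and SAMPLE_RULE are assumptions.

```python
import re

# Constructed sample rule body. The one-line layout and the tuple form for
# several GeoIP codes are assumptions modelled on the user/service examples.
SAMPLE_RULE = (
    'PASS enabled(true) name("Guest cap") bandwidth_pool("1 Mbps") '
    'src.zone = Trusted dst.zone = Untrusted src.geoip = (AE, DE) '
    'rule_log(yes, "3/h", 5)'
)

MAX_GEOIP = 15                        # documented limit on GeoIP entries
RATE_UNITS = {"s", "min", "h", "d"}   # documented rule_log time units
BOOL = {"yes", "true", "no", "false"}


def lint_rule(text):
    """Return a list of findings for one traffic shaping rule body."""
    findings = []
    # enabled(...) accepts only yes/true/no/false.
    m = re.search(r'\benabled\(\s*(\w+)\s*\)', text)
    if m and m.group(1) not in BOOL:
        findings.append(f"enabled: invalid value {m.group(1)!r}")
    # GeoIP: at most 15 entries, each a two-letter upper-case country code.
    for side in ("src", "dst"):
        m = re.search(rf'\b{side}\.geoip\s*=\s*(\([^)]*\)|\w+)', text)
        if not m:
            continue
        codes = [c.strip() for c in m.group(1).strip("()").split(",") if c.strip()]
        if len(codes) > MAX_GEOIP:
            findings.append(f"{side}.geoip: {len(codes)} codes, limit is {MAX_GEOIP}")
        findings += [f"{side}.geoip: bad code {c!r}" for c in codes
                     if not re.fullmatch(r"[A-Z]{2}", c)]
    # rule_log: when it is absent, logging is disabled for the rule.
    m = re.search(r'\brule_log\(([^)]*)\)', text)
    if not m:
        findings.append("rule_log: not specified, logging is disabled")
        return findings
    args = [a.strip().strip('"') for a in m.group(1).split(",")]
    if args[0] not in BOOL | {"session"}:
        findings.append(f"rule_log: invalid mode {args[0]!r}")
    elif len(args) == 3:
        # Limited form: (mode, "<events>/<unit>", <packets per event>).
        rate = re.fullmatch(r"(\d+)/(\w+)", args[1])
        if not rate or rate.group(2) not in RATE_UNITS or int(rate.group(1)) < 1:
            findings.append(f"rule_log: bad rate {args[1]!r}")
        if not args[2].isdigit() or int(args[2]) < 1:
            findings.append(f"rule_log: bad packets-per-event {args[2]!r}")
    elif len(args) != 1:
        findings.append("rule_log: expected mode or (mode, rate, packets)")
    return findings
```
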