Traffic Shaping

Traffic shaping rules are used to limit the bandwidth for certain users, hosts, services, or applications.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note The "Negate" checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

To create a traffic shaping rule, go to the Network policies ➜ Traffic shaping section, click Add, and provide the desired settings.

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Bandwidth pools

Select one of the bandwidth pools. A bandwidth pool can optionally change the priority tags of DSCP traffic. For instructions on how to create more bandwidth pools, see the Bandwidth Pools section.

Scenario

The scenario that must be active for the rule to be triggered. For more details on how scenarios work, see the Scenarios section.

Important! A scenario is an additional condition. If the scenario was not triggered (one or more scenario triggers did not occur), the rule will not be triggered.

Logging

Logs traffic information when the rule is triggered. The available options are:

  • Log session start: only the session start (first packet) will be recorded in the traffic log. This is the recommended logging option.

  • Log all network packets: every transmitted network packet will be logged. For this mode, it is recommended to enable the logging limit to prevent high device load.

  • No. Nothing will be logged.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Users

The users or user groups to which this rule will be applied.

Destination

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic destination.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Service

The service type, such as HTTP, HTTPS or other.

Applications

The list of applications for which bandwidth needs to be limited.

Time

The time when this rule will be active.