FortiGate
nithincs
Staff
Article Id 192427
Description
This article describes how to impose a data cap on web access for end users on FortiGate.

Solution
A data cap (bandwidth cap) is a service which imposes a limit on the amount of data transferred by a user in a given time period.
FortiGate supports traffic shaping to limit the bandwidth usage of a source user/IP, which prevents a user from consuming too much bandwidth. However, traffic shaping does not act as a data cap that restricts a user to a specific amount of data usage.

The FortiGate web filter profile provides a feature called Category Usage Quota.
Category Usage Quota allows access up to a specified amount of allocated traffic, calculated separately for each user.
The quota is applied to each user/IP individually, so the FortiGate must be able to identify each user/IP.

Configuration Example:

Let us assume we have a group of users to whom we need to apply a data cap of 256MB per day.

1) Create the users and the user group.
# config user local
    edit testusr1
        set type password
        set passwd 123456
    next
    edit testusr2
        set type password
        set passwd 123456
    next
end

# config user group
    edit testgrp
        set member testusr1 testusr2
    next
end
To create a user account and user group from the GUI, refer to https://docs.fortinet.com/document/fortigate/6.0.0/handbook/518646/users-and-user-groups#Local_and_r...


2) Create a web filter profile for user group testgrp.
Go to Security Profiles and select 'Create New'.

Select the FortiGuard category which needs to be allowed and set the action to monitor.
Select the other FortiGuard category which needs to be blocked and set the action to block.


 


Under Category Usage Quota, select 'Create New'.
Select all categories in the list.
Set Quota Type to Traffic and, in Total quota, enter the data cap (in this example, 256MB).


 

3) Create a user policy for 'testgrp'.

 

4) Verify that the quota has been set correctly.

The user is prompted for authentication when accessing the internet. After authentication, websites in the monitored categories can be accessed. Once usage reaches the quota, the user can no longer access the resources listed in the bandwidth consuming websites category.

To check the user and the remaining quota, use the command below.
# dia webfilter quota list

VDOM         User                                           Web Filter Profile                       Quota ID             Remaining Quota

root         testusr1                                       testgroup_profile                        1                    268435456 Bytes
Total number of quotas: 1.
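
An added example (not part of the original article and not Fortinet tooling): a Python script that parses output in the layout shown above, checks the row count against the "Total number of quotas" line, and flags users who have consumed at least 90% of the 256MB cap. The sample text, the testusr2 row, the function names and the 90% threshold are constructed assumptions; user and profile names are assumed to contain no spaces.

```python
import re

# Assumption: the per-user cap from this article's example (256MB).
CAP_BYTES = 256 * 1024 * 1024

# Constructed sample in the layout shown above; the testusr2 row is made up.
SAMPLE = """\
VDOM         User              Web Filter Profile       Quota ID      Remaining Quota

root         testusr1          testgroup_profile        1             268435456 Bytes
root         testusr2          testgroup_profile        1             13421772 Bytes
Total number of quotas: 2.
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+Bytes$")
TOTAL = re.compile(r"^Total number of quotas:\s*(\d+)\.?$")

def parse_quota_list(text):
    """Return (rows, declared_total) parsed from the command output."""
    rows, declared = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW.match(line)
        if m:
            vdom, user, profile, qid, remaining = m.groups()
            rows.append({"vdom": vdom, "user": user, "profile": profile,
                         "quota_id": int(qid), "remaining": int(remaining)})
            continue
        t = TOTAL.match(line)
        if t:
            declared = int(t.group(1))
    # A mismatch means a row was truncated or did not fit the expected layout.
    if declared is not None and declared != len(rows):
        raise ValueError(f"parsed {len(rows)} rows, output declares {declared}")
    return rows, declared

def near_cap(rows, cap=CAP_BYTES, warn_fraction=0.9):
    """Return (user, used, remaining) for users at or above warn_fraction of cap."""
    flagged = []
    for r in rows:
        used = max(cap - r["remaining"], 0)
        if used / cap >= warn_fraction:
            flagged.append((r["user"], used, r["remaining"]))
    return flagged

if __name__ == "__main__":
    parsed, _ = parse_quota_list(SAMPLE)
    for user, used, left in near_cap(parsed):
        print(f"{user}: {used} bytes used, {left} bytes left")
```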

