Monday 15 September 2014

How-to: Configure Quotas by Data Usage on a FortiGate

Long ago, you had two options for usage quotas on a FortiGate: they could be based on either data usage or time usage. Fortinet then removed the data usage quota and left only time-based ones. Recently Fortinet have reintroduced data-based quotas, albeit only configurable via the CLI.

We'll go through creating a data usage quota on a web filtering profile, and some things you should know.

Let's go over a few caveats to begin with.

Firstly, both quotas (time and data) can only be used with a web filtering profile and must be assigned to web categories. This means you can only restrict your users' quotas based on the category of websites they visit, not the application they are using.

Secondly, quotas are only available for 24-hour periods. You can't configure a data quota to reset on a weekly or monthly schedule; it is reset every 24 hours, at 12 am each morning.

Lastly, quotas can only restrict new sessions. If someone has exceeded their time/data quota but manages to keep an existing session active, they will continue to be able to download until that session ends. All new sessions will be blocked.

With this in mind, let's begin! I want to create a data-based quota that restricts my users to downloading only 150MB per day from any website in the 'Bandwidth Consuming' category. This includes things like file sharing, internet radio and streaming sites.

For this configuration I'm going to edit my default web filter profile, called 'default'. Substitute the name of the web filter profile you're using.

In the CLI type the following:

config webfilter profile
    edit default
        config ftgd-wf
            config quota
                edit 0
                    set type traffic
                    set unit MB
                    set value 150
                    set category g04
                end
        end
    end

For each of the 'set' commands (type, unit, value, category) you can type a question mark '?' after the command to see the available options.

With the type, there's either time based or traffic (data based).

With the unit, we have bytes, kilobytes, megabytes and gigabytes.

For the categories we need to use the category ID number. To get a list of all the categories and their matching IDs, type '?' after 'set category'.
The gXX numbers are category groups, while the numbers without a 'g' represent individual categories within those groups. For example, if I wanted to place a quota on the entire 'Potentially Liable' group, which contains categories like 'Drug Abuse', 'Hacking' etc., I would use g01. If I only wanted to place the quota on the 'Hacking' category, I would use its ID, 3.

For my example I wanted to place the quota on the entire 'Bandwidth Consuming' group, so I scroll down until I see this category and use its ID: g04.
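The quota only takes effect on traffic that is matched by a firewall policy which references the web filter profile, so a practical follow-up is to confirm the profile saved correctly and that a policy actually uses it. The CLI below is an added example, not part of the original post or Fortinet documentation; the policy ID (1) and the protocol options profile name ('default') are assumptions for your own environment, and the 'show' output will reflect whatever ID the FortiGate stored the quota entry under.

```text
# Verify the quota entry was saved on the profile
# (look for the 'config quota' block under 'config ftgd-wf')
show webfilter profile default

# Attach the profile to the policy that carries the users' web traffic
# (policy ID 1 and the protocol-options profile name are assumptions)
config firewall policy
    edit 1
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
    next
end
```

Because the quota only blocks new sessions, a user who exceeds it will still see long-lived downloads finish; when checking that the quota works, test with a fresh browser session rather than a transfer that started before the limit was reached.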
