Knowledge Search


×
 

[ScreenOS] How to configure ingress traffic policing

  [KB25916] Show Article Properties


Summary:

Is it possible to police the incoming traffic on ScreenOS devices?

Solution:

Ingress policing is used to control traffic at the ingress side of the security device. By constraining the flow of traffic at the point of ingress, traffic that exceeds the bandwidth setting is dropped with minimal processing, which conserves system resources. You can configure ingress policing at the interface level and in security policies.

You can configure ingress policing on an interface by setting a maximum bandwidth (using the mbw keyword). For example, the following command limits the bandwidth on the ethernet0/1 ingress interface to 22 Mbps:

set interface ethernet0/1 bandwidth ingress mbw 22000

The incoming traffic on ethernet0/1 that exceeds this bandwidth is dropped. If traffic shaping is set at the interface, you must also set traffic-shaping mode to on (set traffic-shaping mode on).

However, the application of ingress policing to a specific application requires a policy. The following command creates the my_ftp policy, which limits the FTP bandwidth on the ingress side of the security device to 10 Mbps:

set policy my_ftp from untrust to trust any any ftp permit traffic pbw 10000

The incoming FTP traffic that exceeds the configured policing bandwidth (using the pbw keyword) is dropped. You can also set mbw in the policy; but at the policy level, mbw is applicable to only the egress side of traffic flow. The traffic that exceeds the configured rate is still processed and is dropped only at the egress side. You can configure either mbw or pbw in a policy; but not both.

The configuration and enforcement of ingress policing on virtual interfaces is the same as on physical interfaces; with the exception that you can also configure guaranteed bandwidth (using the gbw keyword) on virtual interfaces. On physical interfaces, guaranteed bandwidth is the same as maximum bandwidth.

Note: Verify the traffic-shaping mode, before configuring the above policing rules.

By default, the traffic shaping is in auto mode (set traffic-shaping mode auto). In Auto mode, traffic shaping will be automatically enabled, only when there is a policy that has either ingress policing or traffic shaping enabled and turns off traffic shaping, when no traffic hits the device.

Use the set traffic-shaping mode on command to turn on traffic shaping. On mode means that the traffic shaping is enabled; regardless of the presence of a policy that has ingress policing or traffic shaping enabled.

You can turn off traffic shaping globally by using the set traffic-shaping mode off command. Off mode means that traffic shaping is not enabled, even if there is a policy that has either ingress policing or traffic shaping enabled. You can also change the Traffic shaping mode via the WebUI by going to Configuration > Advanced > Traffic Shaping.

Note: Ingress policing on tunnel interfaces is enforced, after the encrypted packets are decrypted by the VPN engine.

Modification History:
2019-05-25: Minor edit. Non-technical.
Related Links: