<div>
Hi MichaelBalack<br />
<br />
You would only need one rule for traffic shaping and possibly another for access but that would just be so you can assign the traffic shaping policy.<br />
first though I would like to know a few things <br />
What AP are you using?<br />
Do your guests get different IP addresses to that of your staff users?
</div>


<div>
Hi Stolsie,<br />
<br />
Please see the answers:<br />
<br />
What AP are you using?<br />
<br />
ans: Cisco 1600 series<br />
<br />
Do your guests get different IP addresses to that of your staff users? <br />
<br />
ans: No, they are get the same subnet IP addresses
</div>


<div>
I would make sure guests get a different IP address to staff and your data network (have you put security in place?) <br />
then put in place QoS for your staff (do you have a VoIP solution? the staff will need to be one point lower) you only have a 5Mb internet line anyway so you wouldn't really want to throttle bandwidth.<br />
I would then put an extended ACL in place on the guest network Vlan (vACL) I would block traffic to all internal services and clients and only allow traffic out to the internet on ports 53,80 and 443. (53 only if you don't have internal DNS)
</div>


<div>
Is guest wireless access password protected?
</div>


<div>
Hi Greg,<br />
<br />
Yes, ap access password protected
</div>


Fortigate---Traffic-Shaping.docx

<div>
If it is possible, increase the bandwidth into the office. &nbsp;5Mbs for a business serving smartphones and business machines is not enough.<br />
<br />
If this is not possible, change the guest password and only give it to people that you know.
</div>


<div>
The suggestions and traffic shaping settings are working. In fact, after some monitoring, traffic for different groups are working accordingly,.
</div>


<div>
<div class="content wysiwyg-content">
This is a foritgate 80C firewall setup in a small clinic. We used 2 interfaces, WAN1 as untrusted and Switch (Internal) as trusted. Our Internet line is a 5 Mbps broadband. There is only one segment for internal for both wired and wireless. There is one Wireless AP deployed in the clinic, for quest access. Besides this, this AP also means for staff's handphone/laptop, and other wireless device Internet access. IPs would be allocated from a internal server.<br />
<br />
Recently, we found high traffic on Internet throughout the days. Most of the these traffic were resulted from anonymous/guest. In view of these, we are thinking of &quot;splitting&quot; these traffic into 2. The first one being the top priority traffic, such as, wired connections, and wireless connections for fixed laptop/PC, and staffs' handphones. The second being the least priority traffic for those guests via wireless. Does this mean I have to setup the 2 different traffic shaping rules with 2 firewall rules? Please show step-by-step on getting the thing done.<br />
<br />
<br />
thanks
</div>
</div>


This is a foritgate 80C firewall setup in a small clinic. We used 2 interfaces, WAN1 as untrusted and Switch (Internal) as trusted. Our Internet line is a 5 Mbps broadband. There is only one segment for internal for both wired and wireless. There is one Wireless AP deployed in the clinic, for quest access. Besides this, this AP also means for staff's handphone/laptop, and other wireless device Internet access. IPs would be allocated from a internal server.

Recently, we found high traffic on Internet throughout the days. Most of the these traffic were resulted from anonymous/guest. In view of these, we are thinking of "splitting" these traffic into 2. The first one being the top priority traffic, such as, wired connections, and wireless connections for fixed laptop/PC, and staffs' handphones. The second being the least priority traffic for those guests via wireless. Does this mean I have to setup the 2 different traffic shaping rules with 2 firewall rules? Please show step-by-step on getting the thing done.


thanks

How to use traffic shaping on firwall?

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Hardware Firewalls

Network Management involves issues that are independent of specific hardware or software, including email policies, upgrade planning, backup scheduling and working with managed service providers for Desktop-As-A-Service (DaaS), Software-As-A-Service (SaaS) and the like through the use of tools, coupled with manufacturer standards, best practice guidelines, policies and procedures plus all other relevant documentation. Network management also includes monitoring, alerting and reporting, management reporting, planning for device or service updates, the backup of configurations, the setting of key performance indicators and measures (KPIs/KPMs), associated service level agreements and problem records as part of the IT Service Management (ITSM) framework.