Fortinet 524 FortiWeb 5.0 Patch 6 Administration Guide
This is a big proportionate difference. While a low rate limit might seem generous to Tiny Treats,
Giant Gelato would be unhappy if you applied the same rate limit to its IP address.
Let’s say that both companies need access to the same ice cream inventory web application:
Tiny Treats buys from Giant Gelato. Each view in the application contains the page itself, but
also up to 15 images of ice cream, 3 external JavaScripts, and an external CSS style sheet, for
a total of 20 HTTP requests in order to produce each view.
40 requests per second then might be more than adequate for Tiny Treats: the clerk could page
through the inventory twice every second, if she wanted to.
But for Giant Gelato, its clients would frequently see completely or half-broken views: some
images or CSS would be missing, or page requests would be denied the first or second time,
because other clients on Giant Gelato’s LAN had already consumed the 40 requests per second
allowed to that IP address. Normal use would be impossible.
To be practical, then, you would not base your rate limiting solely on the source IP address of
requests. Instead, you would want dual thresholds:
• a lower threshold for sources that are a single client
• a higher threshold when multiple clients are behind the same source IP address
You could enable Shared IP so that FortiWeb would know to permit more requests per second
from Giant Gelato than from Tiny Treats. Because the ID fields of packets from Giant Gelato’s
address would not usually be continuous, as a single client’s usually would be, FortiWeb could
then apply a different, higher limit.
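The dual-threshold behaviour described above, as an added simulation (not FortiWeb code, and not the appliance’s actual detection algorithm): a per-source sliding-window limiter that raises the limit when the source’s recent IP ID values look interleaved rather than continuous. The 20-requests-per-view and 40-requests-per-second figures are the page’s; the 400-request shared threshold, the 16-step continuity gap and the client ID offsets are constructed assumptions.

```python
from collections import defaultdict, deque

REQUESTS_PER_VIEW = 20        # page + 15 images + 3 scripts + 1 stylesheet
SINGLE_CLIENT_LIMIT = 40      # requests/second for a one-client source (from the text)
SHARED_IP_LIMIT = 400         # assumed higher threshold for a NAT'd office (constructed)

def looks_shared(ip_ids, max_gap=16):
    """One host emits near-sequential IP IDs; many hosts behind one NAT interleave
    unrelated counters, so most consecutive IDs jump by more than max_gap."""
    ids = list(ip_ids)
    if len(ids) < 2:
        return False
    jumps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) % 65536 > max_gap)
    return jumps * 2 > len(ids) - 1

class RateLimiter:
    def __init__(self, shared_ip_enabled=True, window=1.0):
        self.shared_ip_enabled = shared_ip_enabled
        self.window = window                                  # seconds
        self.hits = defaultdict(deque)                        # src -> request times
        self.ids = defaultdict(lambda: deque(maxlen=32))      # src -> recent IP IDs

    def allow(self, src, ip_id, now):
        """Sliding-window check with a dual threshold chosen per source."""
        self.ids[src].append(ip_id)
        limit = SINGLE_CLIENT_LIMIT
        if self.shared_ip_enabled and looks_shared(self.ids[src]):
            limit = SHARED_IP_LIMIT
        q = self.hits[src]
        while q and now - q[0] >= self.window:
            q.popleft()                                       # expire old hits
        if len(q) >= limit:
            return False
        q.append(now)
        return True

def simulate(num_clients, views_per_second, shared_ip_enabled=True):
    """Replay one second of traffic from one source IP: each client has its own
    IP ID counter (constructed offsets) and the NAT interleaves them round-robin.
    Returns (allowed, denied) request counts."""
    limiter = RateLimiter(shared_ip_enabled)
    counters = [c * 7000 for c in range(num_clients)]
    total = num_clients * views_per_second * REQUESTS_PER_VIEW
    allowed = 0
    for n in range(total):
        c = n % num_clients
        ip_id, counters[c] = counters[c], (counters[c] + 1) % 65536
        if limiter.allow("203.0.113.10", ip_id, n / total):
            allowed += 1
    return allowed, total - allowed
```

`simulate(1, 2)` is Tiny Treats’ clerk paging twice a second and passes cleanly, while `simulate(10, 1, shared_ip_enabled=False)` reproduces Giant Gelato’s broken views (160 of 200 requests denied) until the shared-source threshold is enabled.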
See also
Advanced settings
Limiting the total HTTP request rate from an IP
Preventing brute force logins