Hi,
You could use a policer to rate-limit HTTP traffic. Example:
    firewall {
        family inet {
            filter HTTP {
                term HTTP {
                    from {
                        port [ http https ];
                    }
                    then {
                        policer HTTP;
                        count HTTP;
                        accept;
                    }
                }
                term ELSE {
                    then accept;
                }
            }
        }
        policer HTTP {
            if-exceeding {
                bandwidth-limit 3m;
                burst-size-limit 30m;
            }
            then discard;
        }
    }
The firewall filter could be applied as input to the ingress interfaces and as output too.
HTTP/HTTPS is asymmetric, with less upload traffic compared to download traffic, and it's the download traffic that you would want to rate-limit. Hopefully, the rate limit working in conjunction with TCP window resize would bring down the traffic.
You can apply a lower bandwidth limit on the input if needed.
Can you share your policer config so we can see why it's not being matched?
Cheers,
Ashvin
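Added example, not part of the original post: one way to attach the filter in both directions with a lower limit on input, as the reply describes. The interface name ge-0/0/0, the names HTTP-IN, and the 1m/10m values are placeholders chosen for illustration; the HTTP filter and policer are the ones from the post.

```junos
/* Assumption: ge-0/0/0 is the user-facing interface, so "input" is upload. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    /* Upload direction: tighter policer (hypothetical HTTP-IN). */
                    input HTTP-IN;
                    /* Download direction: the HTTP filter from the post. */
                    output HTTP;
                }
            }
        }
    }
}
firewall {
    family inet {
        /* Same match as the post's filter, but referencing the lower-rate policer. */
        filter HTTP-IN {
            term HTTP {
                from {
                    port [ http https ];
                }
                then {
                    policer HTTP-IN;
                    count HTTP-IN;
                    accept;
                }
            }
            term ELSE {
                then accept;
            }
        }
    }
    /* Placeholder values: 1 Mbit/s sustained, same rate-to-burst ratio as the post. */
    policer HTTP-IN {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 10m;
        }
        then discard;
    }
}
```

After committing, `show firewall filter HTTP` and `show firewall filter HTTP-IN` display the counter and policer statistics, which shows whether traffic is reaching the term at all.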