The quota time object allows you to define a quota time with budget per user/ip address/MAC address in your ACLs.
This feature is available on 2.19.082502 or above
To enable the feature, you need to use 2 steps:
- Create the quota time engine based on the identifier
- Create the quota rule in ACls
Create the Quota time engine.
- On the Proxy section, choose Quota objects link
- On the table, click on New Quota object
- Give your Quota object name.
- Select the identifier used to count the time quota:
You can use an IP Address, MAC Address, User name if connected to LDAP or Active Directory and Statistics Virtual Groups
- Define the pause Period: Pause period is given in seconds and defines
the period between two requests to be treated as part of the same session.
Pauses shorter than this value will be counted against the quota, longer ones ignored.
Default is 300 seconds (5 minutes ).
- Define the Proxy service TTL: Proxy service TTL in seconds for cached results. The proxy will not query the object for the same request in the TTL period.
- Your Quota object is now added.
- Choose Complete ACLs on the proxy section.
- In our example, we want to deny for a specific user if a quota exceed 4 hours per day.
- In the rule, we use the deny access action.
- On the Rule Items click on “New Proxy object“
- In the drop-down list, choose your Added Quota time object
- In the object, create item with the users you want to limit
Every entry must start with a user/ip/MAC (debends of the Quota object type ) followed by a time budget and a corresponding time period separated by a slash /.
Here is an example:
john 8h / 1d
melissa 24h / 1w
192.168.1.1 1h / 1d
00:0c:29:4d:89:ad 30m / 1w
You can use s for seconds, m for minutes, h for hours, d for days and w for weeks.
Numerical values can be given as integer values or with a fraction. E.g. 0.5h means 30 minutes.
In our example, we set a budget of 4H per day for dtouzeau user
- Note about Active Directory Groups ( v2.21x or above ).
If you want to use an Active Directory group, add the prefix AD: in the pattern field.
This is not a dynamic object, Artica will just find all users of the Active Directory group during the compilation parameters and auto-create the same rule for all users inside the group.
If you add a new user into your Active Directory group you have to re-compile again proxy parameters.
Notice: If Quota is not exceed then the object result is TRUE, If you using a deny rule with this object, use the reverse checkbox.