The Limit feature is a function of the APCL/URLF blades which typically inspect traffic to and from the Internet, so you must be matching traffic against an application or site object to use it. Not really applicable for your situation of trying to limit bandwidth consumed by a VPN tunnel, but I suppose you could create some custom application/site objects to match traffic in that tunnel and limit it in an APCL/URLF-capable layer. Here is some more info:
Applying APCL/URLF Bandwidth Limits
- Bandwidth limits for APCL/URLF are applied directly by these features, and the full-fledged Quality of Service (QoS) feature does not need to be enabled by the firewall to use them.
- Bandwidth guarantees cannot be specified; the full QoS blade is required for that functionality.
- Upload bandwidth limits, download bandwidth limits, or both can be specified.
- Note that any bandwidth limit enforced will be shared by all connections matching that particular rule; the limits are not per-connection or per-user. It is also not currently possible to enforce overall bandwidth limits over a certain timeframe (i.e. allow 1GByte of streaming data per 24-hour period and then no more until the next day when another 1GByte is allowed).
- Packets in excess of the configured bandwidth limit are simply dropped by the firewall (thus forcing TCP to slow its send rate); these packets are not queued or shaped by the firewall.

The QoS blade is probably more appropriate for what you are trying to do, and it is very easy to tag/match VPN traffic specifically when enforcing a QoS limit or guarantee by checking the checkbox in the QoS rule specifying the limit.