This post records traffic shaping notes for FortiGate.
- Technical Tip: How to apply traffic shaper for the SSL VPN Traffic
- https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/297431/traffic-shaping
Creating Traffic Shaper for Specific Purpose
- Create a traffic shaper entry under Policies & Objects -> Traffic Shaping -> Traffic Shapers -> Create new.
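The same step from the CLI, added here as an example and not taken from the Fortinet article above: it creates the shared-1M-pipe shaper that the session output later in this post reports. The values are assumptions chosen to match that output: a reported cap of 131072 Bps is 1048576 bit/s, i.e. 1024 kbps as FortiOS counts it, so maximum-bandwidth is 1024 with bandwidth-unit kbps; guaranteed-bandwidth 0 matches guarantee 0Bps; priority medium is an assumed value; per-policy disable makes the cap shared across every policy that references the shaper, which is what a "shared" shaper means here.

```text
config firewall shaper traffic-shaper
    edit "shared-1M-pipe"
        set bandwidth-unit kbps
        set guaranteed-bandwidth 0
        set maximum-bandwidth 1024
        set priority medium
        set per-policy disable
    next
end
```

With per-policy enable instead, each policy that references the shaper gets its own 1024 kbps instance, so the total leaving the box can exceed the figure in the name.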
Enable Traffic Shaper for Certain SSL-VPN Firewall Rule
config firewall policy
    edit <policy id number>
        set traffic-shaper <shaper name>          <- forward direction (client upload for an ssl.root policy)
        set traffic-shaper-reverse <shaper name>  <- reverse direction (client download)
    next
end
These two fields are hidden in the GUI until a shaper has been set from the CLI; once set, the Traffic Shaping section appears in the same policy in the GUI.
NETSEC-FGT # config firewall policy
NETSEC-FGT (policy) # edit 19
NETSEC-FGT (19) # show
config firewall policy
edit 19
set name "FortiClient-2-SJC"
set uuid 1c0c50be-279c-51ef-edd3-5eedaae960c9
set srcintf "ssl.root"
set dstintf "NETSEC-2-ATT-SJC"
set action accept
set srcaddr "all"
set dstaddr "NETSEC-2-ATT_remote"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "sslvpn-pool"
set groups "Remote Users"
set traffic-shaper "low-priority"
set traffic-shaper-reverse "low-priority"
next
end
NETSEC-FGT (19) #
After the shapers are enabled on the policy, the web GUI shows them in the policy like this:
Checking Which Traffic Shaper is Used
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-and-check-which-traffic-shaper-is/ta-p/197885
Configuration
#config firewall shaping-policy
    edit 1
        set service "ALL"
        set dstintf "port1"
        set traffic-shaper "shared-1M-pipe"
        set traffic-shaper-reverse "shared-1M-pipe"
        set srcaddr "all"
        set dstaddr "all"
    next
end
#config firewall policy
    edit 3
        set name "Allow Internet"
        set uuid 602779c8-dad4-51e9-f897-36e313f6a3bc
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set traffic-shaper "Shared 500 Kbps"
        set traffic-shaper-reverse "Shared 500 Kbps"
        set nat enable
    next
end
Filter to verify
#diagnose system session filter clear
#diagnose system session filter src 192.168.88.1
#diagnose system session filter dport 443
Clearing the filter first avoids matching on a stale filter left from an earlier check. Then list the matching sessions with:
#diagnose system session list
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
The session carries origin-shaper and reply-shaper shared-1M-pipe, the shaper set in shaping policy 1, not the "Shared 500 Kbps" shaper set on firewall policy 3, which is the policy that accepted this session. In conclusion, a traffic shaping policy takes precedence over the traffic shapers configured on an IPv4 firewall policy; the policy-level shaper only acts when no shaping policy matches the session. Two more things to read off the output: max 131072Bps is 1048576 bit/s, i.e. the 1024 kbps that FortiOS counts as 1 Mbps, and the drops counters (520 B forward, 198404 B on the reply) show the shaper actually discarding traffic, almost all of it in the download direction.
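A small parser for that session dump, added here as an example and not code from the Fortinet article or from this page: it reads `diagnose system session list` output, pulls out the origin and reply shaper, the policy id and the flow, converts the byte-per-second cap back to the kbps value configured on the shaper, and says whether the shaper on a session is the one its firewall policy references or one substituted by a shaping policy. The sample output is constructed (the first session is modelled on the one shown above, the other two are made up), the policy-to-shaper map is taken from the two firewall policies on this page, and the layout of the hook= and misc= lines is assumed to match current FortiOS output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `diagnose system session list` output (not a real capture).
# Session 1 mirrors the one on this page; 2 and 3 are made up for the other cases.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
hook=post dir=org act=snat 192.168.88.1:51234->203.0.113.10:443(198.51.100.1:51234)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=low-priority prio=3 guarantee 0Bps max 64000Bps traffic 120Bps drops 0B
reply-shaper=low-priority prio=3 guarantee 0Bps max 64000Bps traffic 9800Bps drops 40960B
per_ip_shaper=
hook=post dir=org act=snat 10.212.134.200:50000->10.10.10.5:445(203.0.113.7:50000)
misc=0 policy_id=19 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
hook=post dir=org act=noop 10.212.134.200:5353->10.10.10.53:53(10.212.134.200:5353)
misc=0 policy_id=21 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

# Shapers referenced by the firewall policies shown on this page (policy 3 and 19).
POLICY_SHAPERS: Dict[int, str] = {3: "Shared 500 Kbps", 19: "low-priority"}

# origin-shaper=<name> prio=<n> guarantee <n>Bps max <n>Bps traffic <n>Bps drops <n>B
# The tail is optional: a session with no shaper prints a bare "origin-shaper=".
SHAPER_RE = re.compile(
    r"^(?P<dir>origin|reply)-shaper="
    r"(?:(?P<name>.+?) prio=(?P<prio>\d+) guarantee (?P<guar>\d+)Bps"
    r" max (?P<max>\d+)Bps traffic (?P<traffic>\d+)Bps drops (?P<drops>\d+)B)?\s*$"
)
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)\b")
FLOW_RE = re.compile(r"dir=org act=\S+ (\S+)->(\S+?)(?:\(|\s|$)")  # assumed hook= layout


def parse_sessions(text: str) -> List[Dict]:
    """Split the dump at each 'session info:' and collect shaper, policy and flow fields."""
    sessions: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            m = re.search(r"\bproto=(\d+)", line)
            cur = {"proto": int(m.group(1)) if m else None, "policy_id": None,
                   "src": None, "dst": None, "origin": None, "reply": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = SHAPER_RE.match(line)
        if m:
            if m.group("name") is not None:  # empty line means no shaper in that direction
                cur[m.group("dir")] = {"name": m.group("name"), "prio": int(m.group("prio")),
                                       "max_bps": int(m.group("max")),
                                       "traffic_bps": int(m.group("traffic")),
                                       "drops_bytes": int(m.group("drops"))}
            continue
        m = POLICY_RE.search(line)
        if m:
            cur["policy_id"] = int(m.group(1))
        m = FLOW_RE.search(line)
        if m:
            cur["src"], cur["dst"] = m.group(1), m.group(2)
    return sessions


def max_kbps(max_bytes_per_sec: int) -> int:
    """Reported cap (bytes/s) back to the configured maximum-bandwidth in kbps.
    131072 Bps is what a 1 Mbps shaper prints, so FortiOS counts 1 kbps as 1024 bit/s."""
    return max_bytes_per_sec * 8 // 1024


def shaper_source(session: Dict, policy_shapers: Dict[int, str]) -> str:
    """'shaping-policy' if the session's shaper differs from the one its firewall policy
    references (a matching shaping policy replaced it); 'firewall-policy' if they agree
    (if both objects name the same shaper the dump cannot tell them apart); 'missing'
    if the policy sets a shaper but the session has none; 'none' otherwise."""
    applied = session["origin"]["name"] if session["origin"] else None
    expected = policy_shapers.get(session["policy_id"])
    if applied is None:
        return "missing" if expected else "none"
    return "firewall-policy" if applied == expected else "shaping-policy"


def report(text: str, policy_shapers: Dict[int, str]) -> List[str]:
    """One line per session: flow, shaper and its source, cap in kbps, drop counters."""
    out = []
    for s in parse_sessions(text):
        head = f"policy {s['policy_id']} {s['src']}->{s['dst']}"
        o, r = s["origin"], s["reply"]
        if o is None:
            out.append(f"{head}: no shaper ({shaper_source(s, policy_shapers)})")
            continue
        down = r["drops_bytes"] if r else 0
        out.append(f"{head}: '{o['name']}' via {shaper_source(s, policy_shapers)}, "
                   f"cap {max_kbps(o['max_bps'])} kbps, dropped up {o['drops_bytes']} B / "
                   f"down {down} B")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT, POLICY_SHAPERS):
        print(line)
```

Feed it a saved dump (for example the output of the filter and list commands above redirected to a file over SSH) and fill POLICY_SHAPERS from `show firewall policy`. A session reported as shaping-policy while the firewall policy also sets a shaper is exactly the precedence the conclusion above describes; drops climbing on the reply shaper means the cap is biting in the download direction.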