This post is to record Traffic Shaping related notes for Fortigate

 

Creating Traffic Shaper for Specific Purpose

  • Create a traffic shaper entry under Policies & Objects  -> Traffic Shaping  -> Traffic Shapers -> Create new.

Config Fortigate Traffic Shaping




shaper.png

Enable Traffic Shaper for Certain SSL-VPN Firewall Rule


Basically, we will be able to enable traffic shaping policy over a SSL VPN firewall policy rule, which can make us to limit certain user’s throughput. 

By default, in the firewall policy, the traffic shaping option is invisible. This option will only appear after applying the traffic shaper in the respected policy with the following CLI commands:

config firewall policy

edit <policy id number>

set traffic-shaper <> <- For upload.

set traffic-shaper-reverse <> <- For download.

end

 

Once the above changes have been completed from the CLI, the traffic shaping option will be available in the GUI in the same policy.


NETSEC-FGT # config firewall policy 

NETSEC-FGT (policy) # edit 19

NETSEC-FGT (19) # show
config firewall policy
    edit 19
        set name "FortiClient-2-SJC"
        set uuid 1c0c50be-279c-51ef-edd3-5eedaae960c9
        set srcintf "ssl.root"
        set dstintf "NETSEC-2-ATT-SJC"
        set action accept
        set srcaddr "all"
        set dstaddr "NETSEC-2-ATT_remote"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "sslvpn-pool"
        set groups "Remote Users"
        set traffic-shaper "low-priority"
        set traffic-shaper-reverse "low-priority"
    next
end

NETSEC-FGT (19) # 

After enabled Traffic Shaper Policy, the Web GUI will look like this:

Checking Which Traffic Shaper is Used

 https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-and-check-which-traffic-shaper-is/ta-p/197885

Configuration

 traffic shaping policy are used:

#config firewall shaping-policy
    edit 1
        set service “ALL”
        set dstintf “port1”
        set traffic-shaper “shared-1M-pipe”
        set traffic-shaper-reverse “shared-1M-pipe”
        set srcaddr “all”
        set dstaddr “all”
    next
end

 traffic shaping configured on an IPv4 policy itself:

#config firewall policy
    edit 3
        set name “Allow Internet”
        set uuid 602779c8-dad4-51e9-f897-36e313f6a3bc
        set srcintf “port2”
        set dstintf “port1”
        set srcaddr “all”
        set dstaddr “all”
        set action accept
        set schedule “always”
        set service “ALL”
        set logtraffic all
        set fsso disable
        set traffic-shaper “Shared 500 Kbps”
        set traffic-shaper-reverse “Shared 500 Kbps”
        set nat enable
    next
end

Filter to verify

Use following filter to display sessions:

#diagnose system session filter src  192.168.88.1
#diagnose system session filter dport 443

Then, to display the session, use following command :

#diagnose system session list
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B

per_ip_shaper=

From the output, “shared-1M-pipe” shaper is used. That means this session will be effectively shaped using this shaper.
In conclusion, the Traffic Shaping policies takes precedence over the traffic shapers configured on a IPv4 Policy.

By netsec

Leave a Reply