This post records traffic shaping related notes for FortiGate.
Creating Traffic Shaper for Specific Purpose
- Create a traffic shaper entry under Policy & Objects -> Traffic Shaping -> Traffic Shapers -> Create New.
Enable Traffic Shaper for Certain SSL-VPN Firewall Rule
A traffic shaper can be attached to an SSL VPN firewall policy, which lets us limit the throughput of the users (or user group) matched by that policy.
config firewall policy
edit <policy id number>
set traffic-shaper <shaper name> <- Forward direction (srcintf to dstintf), i.e. upload from the SSL VPN client.
set traffic-shaper-reverse <shaper name> <- Reverse direction (dstintf to srcintf), i.e. download to the SSL VPN client.
next
end
Once the above changes have been completed from the CLI, the traffic shaping option will be available in the GUI in the same policy.
NETSEC-FGT # config firewall policy
NETSEC-FGT (policy) # edit 19
NETSEC-FGT (19) # show
config firewall policy
edit 19
set name "FortiClient-2-SJC"
set uuid 1c0c50be-279c-51ef-edd3-5eedaae960c9
set srcintf "ssl.root"
set dstintf "NETSEC-2-ATT-SJC"
set action accept
set srcaddr "all"
set dstaddr "NETSEC-2-ATT_remote"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "sslvpn-pool"
set groups "Remote Users"
set traffic-shaper "low-priority"
set traffic-shaper-reverse "low-priority"
After the traffic shaper is applied, the policy looks like this in the Web GUI:
Checking Which Traffic Shaper is Used
#config firewall shaping-policy
edit 1
set service "ALL"
set dstintf "port1"
set traffic-shaper "shared-1M-pipe"
set traffic-shaper-reverse "shared-1M-pipe"
set srcaddr "all"
set dstaddr "all"
next
end
#config firewall policy
edit 3
set name "Allow Internet"
set uuid 602779c8-dad4-51e9-f897-36e313f6a3bc
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
set traffic-shaper "Shared 500 Kbps"
set traffic-shaper-reverse "Shared 500 Kbps"
set nat enable
next
end
Set a session filter so that only the session being checked is listed (here by source address and destination port 443):
#diagnose system session filter src <source IP>
#diagnose system session filter dport 443
Then, to display the matching session, use the following command:
#diagnose system session list
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
The output shows origin-shaper and reply-shaper both set to "shared-1M-pipe" (max 131072 Bps, i.e. 1 Mbps), even though firewall policy 3 carries "Shared 500 Kbps" in both directions. This session is therefore shaped by the shaper from the shaping policy, not by the one configured on the firewall policy. The drops counters show how many bytes each direction has already discarded under that shaper.
In conclusion, traffic shaping policies take precedence over the traffic shapers configured on an IPv4 firewall policy.
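When many sessions need checking, reading the origin-shaper/reply-shaper lines by eye does not scale. The following Python script is an added example (not from the original post or from Fortinet) that parses the text of diagnose system session list, extracts the shaper name, rate limit and drop counters per direction, and compares the effective shaper against the shaper that the matching firewall policy is supposed to apply. The first session in the sample is the output shown above; the policy_id lines and the second, unshaped session are constructed for the example. The expected mapping (policy 3 -> "Shared 500 Kbps", policy 19 -> "low-priority") is taken from the policy configurations on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output. The first three lines are the session shown on
# this page; the policy_id lines and the second session (no shaper lines,
# i.e. unshaped) are made up to exercise the checks below.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=12 expire=3590 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
policy_id=19 auth_info=0 chk_client_info=0 vd=0
"""

# One regex covers both "origin-shaper=" and "reply-shaper=" lines.
SHAPER_RE = re.compile(
    r"^(?P<dir>origin|reply)-shaper=(?P<name>\S+)\s+prio=(?P<prio>\d+)\s+"
    r"guarantee\s+(?P<guar>\d+)Bps\s+max\s+(?P<max>\d+)Bps\s+"
    r"traffic\s+(?P<traffic>\d+)Bps\s+drops\s+(?P<drops>\d+)B"
)
POLICY_RE = re.compile(r"\bpolicy_id=(?P<id>\d+)")


@dataclass
class Shaper:
    name: str
    prio: int
    guarantee_bps: int   # bytes per second, as printed by FortiOS
    max_bps: int         # bytes per second
    traffic_bps: int     # current rate, bytes per second
    drops_bytes: int     # bytes dropped so far under this shaper

    @property
    def max_kbps(self) -> int:
        # FortiOS prints bytes/s; 131072 Bps * 8 / 1024 = 1024 kbps = 1 Mbps.
        return self.max_bps * 8 // 1024


@dataclass
class Session:
    header: str
    policy_id: Optional[int] = None
    shapers: Dict[str, Shaper] = field(default_factory=dict)  # "origin" / "reply"


def parse_sessions(text: str) -> List[Session]:
    """Split session list output into Session objects with their shaper lines."""
    sessions: List[Session] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            sessions.append(Session(header=line))
            continue
        if not sessions:
            continue  # ignore anything printed before the first session block
        cur = sessions[-1]
        m = SHAPER_RE.match(line)
        if m:
            cur.shapers[m["dir"]] = Shaper(
                name=m["name"], prio=int(m["prio"]),
                guarantee_bps=int(m["guar"]), max_bps=int(m["max"]),
                traffic_bps=int(m["traffic"]), drops_bytes=int(m["drops"]),
            )
            continue
        p = POLICY_RE.search(line)
        if p:
            cur.policy_id = int(p["id"])
    return sessions


def audit(sessions: List[Session], expected: Dict[int, str]) -> List[str]:
    """Report sessions whose effective shaper is not the one set on their
    firewall policy. `expected` maps policy id -> shaper name from the
    firewall policy's traffic-shaper / traffic-shaper-reverse settings."""
    findings: List[str] = []
    for s in sessions:
        want = expected.get(s.policy_id)
        if want is None:
            continue  # no expectation recorded for this policy
        for direction in ("origin", "reply"):
            got = s.shapers.get(direction)
            if got is None:
                findings.append(
                    f"policy {s.policy_id}: {direction} direction is not shaped "
                    f"(expected {want})")
            elif got.name != want:
                findings.append(
                    f"policy {s.policy_id}: {direction} shaped by {got.name} "
                    f"({got.max_kbps} kbps, {got.drops_bytes} B dropped), not {want}; "
                    f"a shaping policy took precedence")
    return findings


if __name__ == "__main__":
    for line in audit(parse_sessions(SAMPLE_OUTPUT),
                      {3: "Shared 500 Kbps", 19: "low-priority"}):
        print(line)
```

On a real unit, save the output of diagnose system session list to a file and feed its contents to parse_sessions(); any session listed by audit() is one where the firewall policy's shaper is not what is actually limiting the flow, which is exactly the precedence effect described above.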