This post records traffic-shaping-related notes for FortiGate.
- Technical Tip: How to apply traffic shaper for the SSL VPN Traffic
- https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/297431/traffic-shaping
Creating Traffic Shaper for Specific Purpose
- Create a traffic shaper entry under Policies & Objects -> Traffic Shaping -> Traffic Shapers -> Create new.
Enable Traffic Shaper for Certain SSL-VPN Firewall Rule
Once a shaper exists, it can be applied to an SSL VPN firewall policy, which limits the throughput available to the users matching that policy.
By default, the traffic shaping option is not visible in the firewall policy. It only appears after a traffic shaper has been applied to the respective policy with the following CLI commands:
config firewall policy
edit <policy id number>
set traffic-shaper <shaper name>            <- for upload
set traffic-shaper-reverse <shaper name>    <- for download
end
Once the above changes have been completed from the CLI, the traffic shaping option will be available in the GUI in the same policy.
NETSEC-FGT # config firewall policy
NETSEC-FGT (policy) # edit 19
NETSEC-FGT (19) # show
config firewall policy
edit 19
set name "FortiClient-2-SJC"
set uuid 1c0c50be-279c-51ef-edd3-5eedaae960c9
set srcintf "ssl.root"
set dstintf "NETSEC-2-ATT-SJC"
set action accept
set srcaddr "all"
set dstaddr "NETSEC-2-ATT_remote"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "sslvpn-pool"
set groups "Remote Users"
set traffic-shaper "low-priority"
set traffic-shaper-reverse "low-priority"
next
end
NETSEC-FGT (19) #
After the traffic shaper has been enabled on the policy, the web GUI looks like this:
Checking Which Traffic Shaper is Used
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-and-check-which-traffic-shaper-is/ta-p/197885
Configuration
Traffic shaping policy in use:
#config firewall shaping-policy
edit 1
set service "ALL"
set dstintf "port1"
set traffic-shaper "shared-1M-pipe"
set traffic-shaper-reverse "shared-1M-pipe"
set srcaddr "all"
set dstaddr "all"
next
end
Traffic shaping configured on the IPv4 policy itself:
#config firewall policy
edit 3
set name "Allow Internet"
set uuid 602779c8-dad4-51e9-f897-36e313f6a3bc
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
set traffic-shaper "Shared 500 Kbps"
set traffic-shaper-reverse "Shared 500 Kbps"
set nat enable
next
end
Filter to verify
Use the following filter to select the sessions:
#diagnose system session filter src 192.168.88.1
Then, to display the sessions, use the following commands:
#diagnose system session filter dport 443
#diagnose system session list
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
From the output, the “shared-1M-pipe” shaper is in use, which means this session is effectively shaped by that shaper (the one from the shaping policy) rather than by the “Shared 500 Kbps” shaper set on the IPv4 policy.
In conclusion, traffic shaping policies take precedence over the traffic shapers configured on an IPv4 policy.
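As an added example (not part of the original post and not a Fortinet tool), the following Python script parses `diagnose system session list` output in the format shown above and, for each session, reports the shaper actually in effect, its maximum rate in kbps, the bytes dropped, and whether the session is shaped by the firewall policy's own shaper, by a different shaper (which, per the tip above, is what a matching traffic shaping policy produces), or not at all. The sample output is constructed: the first session's shaper lines are copied from the post, the `hook=` endpoint lines and the other two sessions are assumed, and the `max_kbps` conversion assumes the 1024 kbps = 131072Bps relationship visible in the output.

```python
"""Report which traffic shaper each FortiGate session is really using.

Added example for this post, not a Fortinet tool. Parses the shaper lines in
the format printed by `diagnose system session list`.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample output (three sessions). Session 1 shaper lines come from
# the post; the hook/endpoint lines and sessions 2 and 3 are assumed.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
hook=post dir=org act=snat 192.168.88.1:51234->203.0.113.10:443(198.51.100.5:51234)
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=Shared 500 Kbps prio=2 guarantee 0Bps max 64000Bps traffic 1200Bps drops 0B
reply-shaper=Shared 500 Kbps prio=2 guarantee 0Bps max 64000Bps traffic 9800Bps drops 0B
per_ip_shaper=
hook=post dir=org act=snat 192.168.88.1:40000->203.0.113.20:443(198.51.100.5:40000)
session info: proto=17 proto_state=01 duration=3 expire=177 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper=
hook=pre dir=org act=noop 192.168.88.1:5353->224.0.0.251:5353(0.0.0.0:0)
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# Shaper names may contain spaces ("Shared 500 Kbps"), so the name runs lazily
# up to the next "prio=", the next shaper field, or end of line; an empty name
# means no shaper is applied to that direction.
SHAPER_RE = re.compile(
    r"(?P<dir>origin|reply)-shaper=(?P<name>.*?)"
    r"(?=\s+prio=|\s+(?:reply-shaper|per_ip_shaper)=|\s*$)"
    r"(?:\s+prio=(?P<prio>\d+)\s+guarantee\s+(?P<guar>\d+)Bps\s+max\s+(?P<max>\d+)Bps"
    r"\s+traffic\s+(?P<traffic>\d+)Bps\s+drops\s+(?P<drops>\d+)B)?"
)
ENDPOINT_RE = re.compile(
    r"^hook=\S+\s+dir=org\s+act=\S+\s+(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)"
)


@dataclass
class Shaper:
    name: str
    prio: Optional[int] = None
    max_bps: Optional[int] = None       # bytes per second, as printed
    traffic_bps: Optional[int] = None
    drops_bytes: Optional[int] = None

    @property
    def max_kbps(self) -> Optional[int]:
        # Assumed conversion: shapers are configured in kbps and 1024 kbps is
        # printed as 131072Bps, i.e. kbps = Bps * 8 / 1024.
        return None if self.max_bps is None else self.max_bps * 8 // 1024


@dataclass
class Session:
    info: dict = field(default_factory=dict)   # key=value pairs of "session info:"
    src: str = ""
    dst: str = ""
    shapers: dict = field(default_factory=dict)  # "origin" / "reply" -> Shaper


def parse_sessions(text: str) -> list:
    """Split session list output into Session objects with their shapers."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            cur = Session(info=dict(KV_RE.findall(line)))
            sessions.append(cur)
            continue
        if cur is None:
            continue
        ep = ENDPOINT_RE.match(line)
        if ep:
            cur.src, cur.dst = ep.group("src"), ep.group("dst")
            continue
        for m in SHAPER_RE.finditer(line):
            if not m.group("name"):
                continue  # "origin-shaper=" with no name: direction is unshaped
            to_int = lambda g: int(m.group(g)) if m.group(g) else None
            cur.shapers[m.group("dir")] = Shaper(
                m.group("name"), to_int("prio"), to_int("max"),
                to_int("traffic"), to_int("drops"))
    return sessions


def effective_shaper(session: Session, policy_shaper: str) -> str:
    """'none', 'policy' (the firewall policy's shaper is in effect) or
    'override' (a different shaper is in effect, as a shaping policy causes)."""
    s = session.shapers.get("origin")
    if s is None:
        return "none"
    return "policy" if s.name == policy_shaper else "override"


def report(text: str, policy_shaper: str) -> list:
    rows = []
    for sess in parse_sessions(text):
        origin = sess.shapers.get("origin")
        rows.append({
            "flow": f"{sess.src}->{sess.dst}",
            "shaper": origin.name if origin else "",
            "max_kbps": origin.max_kbps if origin else None,
            "drops_bytes": sum(s.drops_bytes or 0 for s in sess.shapers.values()),
            "mode": effective_shaper(sess, policy_shaper),
        })
    return rows


if __name__ == "__main__":
    # "Shared 500 Kbps" is the shaper set on the IPv4 policy in the post.
    for row in report(SAMPLE_OUTPUT, policy_shaper="Shared 500 Kbps"):
        print(row)
```

Run it against real output by piping the `diagnose system session list` text into `report()` with the shaper name from the policy you are checking; a `mode` of `override` is the signal that a shaping policy, not the firewall policy's shaper, is governing that session, and `drops_bytes` shows which sessions the shaper is actually throttling.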