This post is to file Traffic Shaping related notes for FortiGate.
Creating a Traffic Shaper for a Specific Purpose
- Create a traffic shaper entry under Policy & Objects -> Traffic Shaping -> Traffic Shapers -> Create new.
Enable a Traffic Shaper for a Certain SSL-VPN Firewall Rule
Basically, we can enable a traffic shaper on an SSL VPN firewall policy rule, which lets us limit a certain user's throughput.
config firewall policy
    edit <policy-id>
        set traffic-shaper <shaper-name>           <- For upload (client to FortiGate direction).
        set traffic-shaper-reverse <shaper-name>   <- For download (reverse direction).
    next
end
Once the above changes have been made from the CLI, the traffic shaping option will be visible in the GUI for the same policy.
NETSEC-FGT # config firewall policy
NETSEC-FGT (policy) # edit 19
NETSEC-FGT (19) # show
config firewall policy
    edit 19
        set name "FortiClient-2-SJC"
        set uuid 1c0c50be-279c-51ef-edd3-5eedaae960c9
        set srcintf "ssl.root"
        set dstintf "NETSEC-2-ATT-SJC"
        set action accept
        set srcaddr "all"
        set dstaddr "NETSEC-2-ATT_remote"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "sslvpn-pool"
        set groups "Remote Users"
        set traffic-shaper "low-priority"
        set traffic-shaper-reverse "low-priority"
    next
end
NETSEC-FGT (19) #
After the traffic shaper is enabled on the policy, the Web GUI will look like this:
Checking Which Traffic Shaper is Used
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-and-check-which-traffic-shaper-is/ta-p/197885
Configuration
# config firewall shaping-policy
    edit 1
        set service "ALL"
        set dstintf "port1"
        set traffic-shaper "shared-1M-pipe"
        set traffic-shaper-reverse "shared-1M-pipe"
        set srcaddr "all"
        set dstaddr "all"
    next
end
# config firewall policy
    edit 3
        set name "Allow Internet"
        set uuid 602779c8-dad4-51e9-f897-36e313f6a3bc
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set traffic-shaper "Shared 500 Kbps"
        set traffic-shaper-reverse "Shared 500 Kbps"
        set nat enable
    next
end
Filter to verify (narrow the session table to the client and port of interest):
# diagnose sys session filter src 192.168.88.1
# diagnose sys session filter dport 443
Then, to display the matching session, use the following command:
# diagnose sys session list
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
From the output, the "shared-1M-pipe" shaper is applied in both the origin and reply directions, so this session is effectively shaped by that shaper rather than by the "Shared 500 Kbps" shaper set on the firewall policy.
In conclusion, traffic shaping policies take precedence over the traffic shapers configured on an IPv4 firewall policy.
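To check the same thing across many sessions at once, the following added example (not from the original post or from Fortinet) parses the origin-shaper/reply-shaper lines of saved "diagnose sys session list" output and counts how many sessions are shaped by the expected shaper; the sample output and the second, unshaped session are constructed for the example.

```python
import re

# Constructed sample of "diagnose sys session list" output with two sessions,
# modelled on the fields shown above; not captured from a real device.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
session info: proto=6 proto_state=01 duration=12 expire=3590 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
"""

# Shaper line: a name (possibly empty, possibly containing spaces) followed by counters.
SHAPER_RE = re.compile(
    r"^(origin-shaper|reply-shaper)=(.*?)"
    r"(?:\s+prio=(\d+)\s+guarantee\s+(\d+)Bps\s+max\s+(\d+)Bps"
    r"\s+traffic\s+(\d+)Bps\s+drops\s+(\d+)B)?$"
)


def parse_sessions(text):
    """Return one dict per session holding the shaper name and counters
    for each direction (None when no shaper is applied in that direction)."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("session info:"):
            sessions.append({"origin-shaper": None, "reply-shaper": None})
            continue
        m = SHAPER_RE.match(line)
        if m and sessions and m.group(3):  # counters present => a shaper is applied
            sessions[-1][m.group(1)] = {
                "name": m.group(2), "prio": int(m.group(3)),
                "guarantee_bps": int(m.group(4)), "max_bps": int(m.group(5)),
                "traffic_bps": int(m.group(6)), "drops_bytes": int(m.group(7)),
            }
    return sessions


def check_shaper(sessions, expected):
    """Count sessions whose both directions use `expected`: (matching, unshaped, other)."""
    matching = unshaped = other = 0
    for s in sessions:
        names = {s[d]["name"] if s[d] else None for d in ("origin-shaper", "reply-shaper")}
        if names == {expected}:
            matching += 1
        elif names == {None}:
            unshaped += 1
        else:
            other += 1
    return matching, unshaped, other
```

Running check_shaper(parse_sessions(SAMPLE_OUTPUT), "shared-1M-pipe") gives (1, 1, 0): one session shaped by the shaping policy's shaper, one session with no shaper at all, and none falling back to a different shaper.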