Technical Tip: Category based traffic shaping not working after reboot

This behavior is triggered when the SD-WAN configuration includes a PPPoE-based WAN connection.

An SD-WAN rule is configured to control WAN link selection using load balancing, allowing traffic to be distributed across the available links to optimize bandwidth utilization and overall network performance.

Sample setup:

config service
    edit 6
        set name "WAN"
        set load-balance enable
        set dst "all"
        set src "all"
        set priority-zone "virtual-wan-link"
    next
end

config firewall shaping-policy
    edit 1
        set name "Updates"
        set service "ALL"
        set app-category 17
        set srcintf "port4"
        set dstintf "virtual-wan-link"
        set traffic-shaper "Updates"
        set traffic-shaper-reverse "Updates"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set name "General"
        set service "ALL"
        set srcintf "port4"
        set dstintf "virtual-wan-link"
        set per-ip-shaper "10-Mbps"
        set srcaddr "all"
        set dstaddr "all"
    next
end

Application Control category-based traffic shaping is implemented to prioritize and manage network traffic based on specific application categories, ensuring optimal performance and efficient bandwidth utilization.

Before reboot:

diagnose firewall iprope list 100015

policy index=1 uuid_idx=15853 action=accept
flag (0):
schedule()
shapers: orig=Updates(4/750000/1875000) reply=Updates(4/750000/1875000)
cos_fwd=255 cos_rev=255
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 6 -> zone(3): 3 4 5
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
app_id(48): 15951 16009 16171 16635 16637 16643 16648 16654 16669 16763 16983 16985 16986 17006 17010 17038 17
039 17040 17041 17042 17168 17174 17236 17409 17678 23345 23971 24265 25958 27508 27937 28887 30796 31989 3328
4 33759 35244 35297 36056 37738 38314 38768 38860 38944 39458 40565 41474 47020 <-- Before the reboot, the app_id is in place to apply the traffic shaping on the selected application category.

policy index=2 uuid_idx=15857 action=accept
flag (0):
schedule()
shapers: per-ip=10-Mbps
cos_fwd=255 cos_rev=255
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 6 -> zone(3): 3 4 5
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

After reboot, app_id has been removed, causing all traffic to match on the catch-all policy on the traffic-shaping policy 2:

diagnose firewall iprope list 100015

policy index=1 uuid_idx=15853 action=accept
flag (0):
schedule()
shapers: orig=Updates(4/750000/1875000) reply=Updates(4/750000/1875000)
cos_fwd=255 cos_rev=255
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 6 -> zone(3): 3 4 5
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

policy index=2 uuid_idx=15857 action=accept
flag (0):
schedule()
shapers: per-ip=10-Mbps
cos_fwd=255 cos_rev=255
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 6 -> zone(3): 3 4 5
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

Workaround: Disabling and enabling the traffic shaping policy with application control.

Note: This behavior is expected to resolve in FortiOS version 8.0.0.