seastuff
New Member
July 29, 2025
Question

FortiGate 40F: VPN throttling, and allowing a specific VPN provider through, whilst blocking others

  • 4 replies
  • 1325 views

Hello

I have a FortiGate 40F, and I am completely new to this system.

Somewhere in it, it has VPN throttling set, but I don't know how that is configured, where it is, etc.

I want to do some testing and familiarisation, by first finding where the existing user VPN throttling is set, and then try allowing a specific VPN application for smartphones and laptops through, to better understand how it works, so I can learn how to tune the system to meet user requirements. I appreciate it's a bit lazy to rock up and just ask like this, but if anyone could give me a steer to start familiarising with VPN settings on the web interface, I would be extremely grateful.

Thank you.


fiesta
New Member
July 30, 2025

Hi,

This throttling sounds like a traffic shaper (limit bandwidth, kinda): [https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/673634/traffic-shaping-policies]. Is there any?

Is this VPN via web mode or tunnel mode?

Best regards.

FWD~

seastuff (Author)
New Member
July 30, 2025

Thank you for your reply.

Mullvad is usually WireGuard, which is tunnel mode.

Yes, there's a traffic shaping entry that sets a max bandwidth, and shows a bandwidth utilization and quantity of dropped bytes, with a priority setting, and a refno. In policies it's just set to apply shaper to all, both fwd and rev. Per IP and schedule is blank. So I wonder, for the purposes of testing, can I leave the traffic shaping policy in place, and add an exception or a tunnel, perhaps by MAC or IP, or by making a profile? Imagine if I have to allow one service through, exclusively, but not any others. I'm also curious about setting limit parameters like schedule, so if I wanted to allow one host through for 1 hour per day to, for example, send or receive, or access some URL. How specific can we make it, I wonder? Is it also a setting that could be saved and deployed across multiple instances remotely?

There is an export button at the top RHS for CSV and JSON file downloads.

fiesta
New Member
July 30, 2025

Hi,

You can make an exception above the current policy with a specified IP, source/destination, schedule, service, etc., with a different traffic shaper profile (shaper/reverse).

Best regards.

FWD~
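
The kind of exception described in the reply above, sketched as FortiOS CLI configuration. This is an added example, not part of the original thread or of Fortinet's documentation. The object names, the host address 192.0.2.10, the interface name "wan", the bandwidth figure, and the policy IDs (existing catch-all shaping policy = 1, new policy = 2) are all assumptions to adapt to the actual unit.

```fortios
# Added example: every name, address, ID and value below is an assumption.

# 1. Address object for the single host that gets the exception.
config firewall address
    edit "test-host"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# 2. Recurring schedule: one hour per day, every day.
config firewall schedule recurring
    edit "test-hour"
        set start 12:00
        set end 13:00
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end

# 3. A separate shared shaper with a higher ceiling than the catch-all one.
config firewall shaper traffic-shaper
    edit "test-host-shaper"
        set bandwidth-unit kbps
        set maximum-bandwidth 20000
        set priority high
    next
end

# 4. Shaping policy that matches only that host, only during the schedule.
config firewall shaping-policy
    edit 2
        set name "test-host-exception"
        set srcaddr "test-host"
        set dstaddr "all"
        set service "ALL"
        set schedule "test-hour"
        set dstintf "wan"
        set traffic-shaper "test-host-shaper"
        set traffic-shaper-reverse "test-host-shaper"
    next
    # Shaping policies are evaluated top-down; put the exception first.
    move 2 before 1
end
```

Running `show firewall shaping-policy` afterwards lists the policies in evaluation order, so the exception should appear before the catch-all entry.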

seastuff (Author)
New Member
July 30, 2025

Right, so is there a source showing how to do it, test it, and what it looks like, please?

filiaks1
Explorer III
July 31, 2025

Have you tested the internet service database: "Blocking Potential threats over Internet ... - Fortinet Community"?

seastuff (Author)
New Member
August 1, 2025

I notice that the web interface has:

SSL-VPN portals, settings, clients, as if you could add a profile for a given VPN application in SSL-VPN clients, rather than adding profiles in Traffic Shaping.

filiaks1
Explorer III
August 4, 2025

What do you mean?