danteLive
New Member
December 11, 2018
Question

Traffic shaper - IPSEC Tunnel interface

Good Day,

Is it possible to put a traffic shaper for all traffic that goes over the IPSec interface?

I tried to do this and it does not seem to pick up all the traffic that goes through the tunnel or drop the excess packets.

Would appreciate some guidance as we have a WSUS that pushes updates to branches and would like to limit the whole tunnel.

Thanks

    1 reply

    m0j0
    New Member
    December 11, 2018

    Are you running interface-mode or policy-mode tunnels? Also, what version of FortiOS are you running?

    danteLive (Author)
    New Member
    December 11, 2018

    Hi,

    I assume it is interface mode, using a site-to-site setup between two FortiGates: 100E and 60E.

    Version is 5.6.5.

    Many thanks

    Toshi_Esumi
    SuperUser
    December 11, 2018

    If you're thinking of, and tried, "outbandwidth" on the interface, it wouldn't work as you expect if it's offloading to the ASIC. We had a similar question, not for an IPSec interface but for wan1 on a 60D, and tried "set outbandwidth <kbps>" only to find it doesn't work. TAC told us we had to set a policy specifically and disable ASIC offloading, which would drop performance significantly. I think this depends on the type of NPU or model, but it is likely the same with some other NPUs (the 60D has NPU4Lite).

    So the only practical option is setting up shaping-policies to control the outgoing traffic toward the IPSec interface.