FortiGate
gtapia_FTNT
Staff
Article Id 190712
Description
Radio streaming is part of the daily traffic load on the FortiGate. The Internet has several sites where users can tune in to any radio station in the world; in this case the customer also operates its own radio station, which has to be monitored.

To listen to a station, the stream is delivered over HTTP on port 80 and is identified by application control as HTTP.Segmented.Download; the stream is pushed continuously to the user's device.

The drawback of inspecting this traffic on the FortiGate is that several radio stations could not cross the device and reach their destination (the users' browsers). While the FortiGate inspects the stream, some packets do not reach the user on time and are discarded, so no audio is received on the user's device.

Scope
All FortiGate devices

Solution
1. Identify the radio streaming source. It can be found by using an application control profile in monitor mode; the stream usually appears as HTTP.Segmented.Download or HTTP.Audio.



2. Once identified, clone or create an antivirus profile (AV_Profile) and a web filter profile (WF_Profile) for flow-based inspection. Once the profiles have been created, their inspection mode has to be changed to flow-based from the CLI; flow-based inspection does not hold the stream back the way full inspection does, so the packets are forwarded without the delay that caused them to be discarded.


3. Create a policy that matches only the streaming server as destination and apply the Streaming profiles with flow-based inspection. Scoping the policy to that address keeps every other destination under the regular inspection policy:
config firewall policy
    edit 2
        set name "Streaming"
        set uuid 3ccdc06c-da46-51e7-d4a4-eada6df96b42
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        # "Streaming1" is the address object for the streaming server, 81.95.4.70
        set dstaddr "Streaming1"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "Streaming"
        set webfilter-profile "Streaming"
        set application-list "default"
        set profile-protocol-options "default"
        set nat enable
    next
end

4. Once created, the policy has to be placed above the policy that inspects general user traffic. Policies are evaluated top-down and the first match wins, so if the general policy sits above it, the stream is still matched by the full-inspection policy and the problem persists.
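The four steps above as one complete CLI sequence, added here as an example and not part of the original article. The address object, profile and policy names, the interface names and the policy IDs are assumptions for illustration; the streaming server address 81.95.4.70 is the one used in the article. The per-profile "inspection-mode" keyword is the FortiOS 5.6-era syntax the article's configuration dates from; on newer releases the inspection mode is set on the policy instead, as noted in the comments.

```text
# Added example (not from the original article). Names, interfaces and policy
# IDs are assumptions; 81.95.4.70 is the streaming server from the article.

# Step 1: address object for the streaming server identified with application
# control (assumed name "Streaming1").
config firewall address
    edit "Streaming1"
        set subnet 81.95.4.70 255.255.255.255
    next
end

# Step 2: dedicated antivirus and web filter profiles in flow-based mode.
# FortiOS 5.6-era syntax: inspection mode is a per-profile setting.
config antivirus profile
    edit "Streaming"
        set inspection-mode flow-based
    next
end
config webfilter profile
    edit "Streaming"
        set inspection-mode flow-based
    next
end

# Step 3: policy that matches only the streaming server. The article uses
# service "ALL"; restricting it to HTTP (port 80, the only port the stream
# uses) keeps any other protocol to that host under the general policy.
config firewall policy
    edit 2
        set name "Streaming"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Streaming1"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set av-profile "Streaming"
        set webfilter-profile "Streaming"
        set application-list "default"
        set profile-protocol-options "default"
        set nat enable
        # On FortiOS 6.2 and later the mode is selected here instead of in
        # the profiles: set inspection-mode flow
    next
end

# Step 4: move the streaming policy above the general user policy (assumed
# to be policy ID 1) so it is matched first.
config firewall policy
    move 2 before 1
end

# Check: sessions to the streaming server must show policy_id=2. If they
# show the ID of the general policy, the ordering in step 4 is wrong.
diagnose sys session filter clear
diagnose sys session filter dst 81.95.4.70
diagnose sys session list
diagnose sys session filter clear
```

Run the check while a user is tuned in to the station; a session that still reports the general policy's ID means the stream is still passing through full inspection.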
