Solution:
Traffic shapers can be applied either in a Firewall Policy or in a Traffic Shaping Policy. Traffic shaping policies give the administrator more granular control of traffic shaping on the FortiGate: in a traffic shaping policy the administrator can match on source interface, destination interface, source IP, destination IP, service, Application, and URL category.
In the example below, a traffic shaping policy is configured in which shapers are assigned to specific Applications. The URL category is left blank in the traffic shaping policy.

When traffic reaches the FortiGate and is identified as one of the Applications listed in the traffic shaping policy, the traffic matches that policy. As the snapshot above shows, no URL category is defined.
The FortiGate matches the traffic shaping policy above because the source interface, destination interface, source IP, destination IP, service, and Application all match. Because no URL category is specified in the traffic shaping policy, no URL category appears in the policy's iprope table entry either.
diagnose firewall iprope list 100015
policy index=1 uuid_idx=15850 action=accept flag (0): schedule() shapers: orig=shared-1M-pipe(2/0/128000) reply=shared-1M-pipe(2/0/128000) cos_fwd=255 cos_rev=255 group=00100015 av=00000000 au=00000000 split=00000000 host=0 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 zone(1): 9 -> zone(1): 10 source(1): 0.0.0.0-255.255.255.255, uuid_idx=15745, dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15745, service(1): [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto app_id(3): 45464 45465 52075
Session detail:
session info: proto=6 proto_state=11 duration=4 expire=3595 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4 origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 128000Bps traffic 523Bps drops 0B reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 128000Bps traffic 523Bps drops 0B per_ip_shaper= class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log may_dirty npu os rs f00 app_valid url_cat_valid statistic(bytes/packets/allow_err): org=2088/6/1 reply=6724/9/1 tuples=3 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=9->10/10->9 gwy=10.5.191.254/0.0.0.0 hook=post dir=org act=snat 10.110.19.33:59025->40.114.177.156:443(10.5.129.246:59025) hook=pre dir=reply act=dnat 40.114.177.156:443->10.5.129.246:59025(10.110.19.33:59025) hook=post dir=reply act=noop 40.114.177.156:443->10.110.19.33:59025(0.0.0.0:0) pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 pol_uuid_idx=15849 auth_info=0 chk_client_info=0 vd=0 serial=00553022 tos=ff/ff app_list=6000 app=45464 url_cat=41 rpdb_link_id=00000000 ngfwid=n/a npu_state=0x003c08 ofld-O ofld-R npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=129/128, ipid=128/129, vlan=0x0000/0x0000 vlifid=128/129, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=9/0, ha_divert=0/0
In the snapshot below, a URL category was added to the traffic shaping policy. However, this URL category is not the URL category that the FortiGate identifies for the specific Application/URL.

Because the URL category is now configured in the traffic shaping policy, FortiGate adds it to the policy's entry in the iprope table (url_cat_id(1): 52).
diagnose firewall iprope list 100015
policy index=1 uuid_idx=15850 action=accept flag (0): schedule() shapers: orig=shared-1M-pipe(2/0/128000) reply=shared-1M-pipe(2/0/128000) cos_fwd=255 cos_rev=255 group=00100015 av=00000000 au=00000000 split=00000000 host=0 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 zone(1): 9 -> zone(1): 10 source(1): 0.0.0.0-255.255.255.255, uuid_idx=15745, dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15745, service(1): [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto app_id(3): 45464 45465 52075 url_cat_id(1): 52
However, as the session detail shows, the traffic shaping policy no longer matches. This is because the URL category is now a parameter of the traffic shaping policy, and the configured value does not match the URL category of the traffic.
session info: proto=6 proto_state=11 duration=4 expire=3595 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log may_dirty npu f00 app_valid statistic(bytes/packets/allow_err): org=2088/6/1 reply=6724/9/1 tuples=3 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=9->10/10->9 gwy=10.5.191.254/0.0.0.0 hook=post dir=org act=snat 10.110.19.33:57378->40.114.177.156:443(10.5.129.246:57378) hook=pre dir=reply act=dnat 40.114.177.156:443->10.5.129.246:57378(10.110.19.33:57378) hook=post dir=reply act=noop 40.114.177.156:443->10.110.19.33:57378(0.0.0.0:0) pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 pol_uuid_idx=15849 auth_info=0 chk_client_info=0 vd=0 serial=00558558 tos=ff/ff app_list=6000 app=45464 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a npu_state=0x003c08 ofld-O ofld-R npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=129/128, ipid=128/129, vlan=0x0000/0x0000 vlifid=128/129, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=9/0, ha_divert=0/0
Conclusion:
If the administrator configures a FortiGate traffic shaping policy with both the Application and the URL category defined, then traffic will only match if both the Application AND the URL category of that traffic match the configured values:
- If either the Application or the URL category identified by the FortiGate differs from the configured value, the traffic will not match the traffic shaping policy.
- If either the Application or the URL category is not specified in the traffic shaping policy, FortiGate treats that parameter as ANY.
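The match rule above, applied to the two iprope entries and the two session details shown on this page, as an added Python example (not a FortiGate tool; the excerpts are constructed, shortened copies of the page's output lines, reduced to the fields the check needs):

```python
import re

# Constructed, shortened excerpts of the 'diagnose firewall iprope list 100015'
# and session-info outputs shown on this page (only the fields the check needs).
IPROPE_APP_ONLY = ("policy index=1 uuid_idx=15850 action=accept "
                   "app_id(3): 45464 45465 52075")
IPROPE_APP_AND_URLCAT = ("policy index=1 uuid_idx=15850 action=accept "
                         "app_id(3): 45464 45465 52075 url_cat_id(1): 52")
SESSION_SHAPED = ("session info: proto=6 origin-shaper=shared-1M-pipe prio=2 "
                  "reply-shaper=shared-1M-pipe prio=2 app_list=6000 app=45464 url_cat=41")
SESSION_UNSHAPED = ("session info: proto=6 origin-shaper= reply-shaper= "
                    "app_list=6000 app=45464 url_cat=0")


def parse_iprope(line):
    """Return (app_ids, url_cat_ids) from an iprope policy line.
    A parameter absent from the line is unset in the policy, i.e. ANY (None)."""
    def id_list(name):
        m = re.search(rf"\b{name}\(\d+\):((?:\s+\d+)+)", line)
        return set(map(int, m.group(1).split())) if m else None
    return id_list("app_id"), id_list("url_cat_id")


def parse_session(line):
    """Return (app, url_cat, origin_shaper) from a 'session info' line.
    An empty origin-shaper means no shaping policy was applied to the session."""
    app = int(re.search(r"\bapp=(\d+)", line).group(1))
    url_cat = int(re.search(r"\burl_cat=(\d+)", line).group(1))
    shaper = re.search(r"origin-shaper=(\S*)", line).group(1)
    return app, url_cat, shaper


def policy_matches(app_ids, url_cat_ids, app, url_cat):
    """Every parameter that is set in the policy must match; an unset one is ANY."""
    app_ok = app_ids is None or app in app_ids
    cat_ok = url_cat_ids is None or url_cat in url_cat_ids
    return app_ok and cat_ok


def check_session(iprope_line, session_line):
    """Compare the match expected from the iprope entry with what the session shows.
    Returns (expected_match, shaper_seen, consistent)."""
    app_ids, url_cat_ids = parse_iprope(iprope_line)
    app, url_cat, shaper = parse_session(session_line)
    expected = policy_matches(app_ids, url_cat_ids, app, url_cat)
    return expected, shaper, expected == bool(shaper)


if __name__ == "__main__":
    print(check_session(IPROPE_APP_ONLY, SESSION_SHAPED))          # (True, 'shared-1M-pipe', True)
    print(check_session(IPROPE_APP_AND_URLCAT, SESSION_UNSHAPED))  # (False, '', True)
```

Feeding a real iprope line and its session line to check_session shows whether the observed shaper agrees with the AND rule, which isolates a URL-category mismatch from other causes when a shaper is unexpectedly absent.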