Description
This article explains how to apply Shared traffic shaper and Per-IP shaping directly within a firewall policy using the CLI.
Scope
FortiGate.
In v5.2, traffic shaping was configured over the firewall policy.
By default, if the intention was to apply traffic shaping, it was only necessary to create a shaper and direct it to a firewall policy.
From v5.6, there is no option to create a shaper for a firewall policy in the GUI. This can only be done through the CLI.
Solution
Traffic shaping in a firewall policy needs to be configured using the CLI. There is currently no method to enable traffic shaping in the GUI. After adding, it will be possible to modify the policy in the GUI.
If traffic shaping is removed through the GUI and the firewall policy has been saved, it will be necessary to use the CLI to create it again.
set traffic-shaper <shaper> <----- Command applies to the traffic from ingress to egress direction, meaning it will affect the upload speeds and outbound traffic.
set traffic-shaper-reverse <shaper> <----- Command applies to the traffic from egress to ingress direction, meaning it will affect the download speeds and the inbound traffic.
set per-ip-shaper <shaper> applies a Per-IP shaper, which limits bandwidth on a per-source IP basis.
Follow the steps below to create traffic shaping in a firewall policy:
Go to Policy&Objects -> IPv4 Policy, 'right-click' the policy for which traffic shaping will be configured, and select 'Edit in CLI'.
Configure the following inside the policy through the CLI: Applying Shared traffic shaper in a Firewall Policy:
set traffic-shaper <shaper name>
set traffic-shaper-reverse <shaper name>
end
Alternatively, go directly from CLI to the specific firewall policy and enable shared traffic shaper:
config firewall policy
edit <fw_policy_id>
set traffic-shaper <shaper name>
set traffic-shaper-reverse <shaper name>
end
edit <fw_policy_id>
set traffic-shaper <shaper name>
set traffic-shaper-reverse <shaper name>
end
end
Applying Per-IP Per-IP traffic shaper in a Firewall Policy
set per-ip-shaper <shaper name>
Alternatively, go directly from CLI to the specific firewall policy and enable Per-Ip shaping:
config firewall policy
edit <fw_policy_id>
set per-ip-shaper <shaper name>
end
edit <fw_policy_id>
set per-ip-shaper <shaper name>
end
end
Once configured, the traffic shaping configuration will be visible under the policy section in the GUI:
These steps must be completed for every individual policy to which shaping will be applied.
Note:
Traffic shaping profile cannot be applied to explicit proxy policy, configuring traffic shaping for explicit proxy can be done by explicit proxy listing interface level, refer to: Configure traffic shaping for explicit proxy
Related articles:
Technical Tip: How to configure and check which traffic shaper is used
Technical Tip: Monitoring 'Traffic Shaping'
