Description | This article describes the configuration of traffic shaping for the web filter category to limit bandwidth usage. |
Scope | FortiGate. |
Solution |
In campus, branch, and Internet of Things (IoT) networks, users are allowed to access specific web categories while unnecessary web categories are blocked, as per the company's network security policy.
Among the allowed categories there may be nonproductive websites, especially social media and entertainment sites, for which companies want to limit bandwidth usage.
Configuration:
Traffic shaper:
Create a traffic shaper that carries the bandwidth limit for the category.
CLI:
config firewall shaper traffic-shaper
Traffic shaping policy:
To create a traffic shaping policy, go to the 'Traffic Shaping Policies' tab and select Create New.
Set the fields to match the user traffic. In the URL Category, select the specific web category to which the traffic shaper needs to be applied. Apply the shapers to the traffic shaping policy.
CLI:
config firewall shaping-policy
Validation:
Check the session table for the facebook.com public IP (157.240.202.35) to confirm that the traffic shaper is applied when facebook.com is accessed:
chameleon-kvm06 (root) # diagnose sys session filter dst 157.240.202.35
chameleon-kvm06 (root) # diagnose sys session list
session info: proto=6 proto_state=11 duration=50 expire=3580 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
Web filter log:
date=2025-01-15 time=16:24:39 eventtime=1736954679494594136 tz="+0100" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 poluuid="297da4c2-cce8-51ef-70a9-02a9233fe6ea" policytype="policy" sessionid=569596 srcip=10.174.18.8 srcport=61686 srccountry="Reserved" srcintf="port3" srcintfrole="undefined" srcuuid="0366ad7c-cce5-51ef-77eb-f81adf4d6c54" dstip=157.240.202.35 dstport=443 dstcountry="France" dstintf="port1" dstintfrole="undefined" dstuuid="0366ad7c-cce5-51ef-77eb-f81adf4d6c54" proto=6 service="HTTPS" hostname="www.facebook.com" profile="user_profile" action="passthrough" reqtype="direct" url="https://www.facebook.com/" sentbyte=1969 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=37 catdesc="Social Networking"
Forward Traffic log:
date=2025-01-15 time=16:26:56 eventtime=1736954815361183257 tz="+0100" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.174.18.8 srcport=61686 srcintf="port3" srcintfrole="undefined" dstip=157.240.202.35 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=569596 proto=6 action="accept" policyid=1 policytype="policy" poluuid="297da4c2-cce8-51ef-70a9-02a9233fe6ea" policyname="internet" service="HTTPS" trandisp="snat" transip=10.5.133.6 transport=61686 duration=135 sentbyte=26015 rcvdbyte=298735 sentpkt=120 rcvdpkt=246 shapingpolicyid=1 shapingpolicyname="socialmedia_TS_policy" shapersentname="Socialmedia" shaperdropsentbyte=0 shaperrcvdname="Socialmedia" shaperdroprcvdbyte=0 appcat="unscanned" sentdelta=26015 rcvddelta=298735
The traffic shaper is not applied to sessions to fortinet.com, because that site does not belong to the shaped web category:
session info: proto=6 proto_state=11 duration=34 expire=3566 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
When the overall bandwidth usage of the Social Networking category reaches the maximum bandwidth of 10 Mbps, the FortiGate starts dropping packets until the bandwidth usage falls below 10 Mbps.
[Traffic shaper configuration: name Social media, maximum bandwidth 10 Mbps]
The forward traffic log shows the following when traffic of a specific session is dropped by the shaper (note the non-zero shaperdropsentbyte and shaperdroprcvdbyte values):
date=2025-01-15 time=16:44:26 eventtime=1736955865792525211 tz="+0100" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.174.18.8 srcport=62293 srcintf="port3" srcintfrole="undefined" dstip=95.101.110.205 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=581221 proto=6 action="accept" policyid=1 policytype="policy" poluuid="297da4c2-cce8-51ef-70a9-02a9233fe6ea" policyname="internet" service="HTTPS" trandisp="snat" transip=10.5.133.6 transport=62293 duration=771 sentbyte=2784419 rcvdbyte=361128401 sentpkt=62206 rcvdpkt=243265 shapingpolicyid=1 shapingpolicyname="socialmedia_TS_policy" shapersentname="Socialmedia" shaperdropsentbyte=247921 shaperrcvdname="Socialmedia" shaperdroprcvdbyte=98328646 appcat="unscanned" sentdelta=123 rcvddelta=156
Search the web filter log with the same session ID (sessionid=581221) to identify which web access experienced the drops:
date=2025-01-15 time=16:31:35 eventtime=1736955094542163456 tz="+0100" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 poluuid="297da4c2-cce8-51ef-70a9-02a9233fe6ea" policytype="policy" sessionid=581221 srcip=10.174.18.8 srcport=62293 srccountry="Reserved" srcintf="port3" srcintfrole="undefined" srcuuid="0366ad7c-cce5-51ef-77eb-f81adf4d6c54" dstip=95.101.110.205 dstport=443 dstcountry="France" dstintf="port1" dstintfrole="undefined" dstuuid="0366ad7c-cce5-51ef-77eb-f81adf4d6c54" proto=6 service="HTTPS" hostname="v16-web-prime.tiktokcdn.com" profile="user_profile" action="passthrough" reqtype="direct" url="https://v16-web-prime.tiktokcdn.com/" sentbyte=2152 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=37 catdesc="Social Networking" |
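The validation steps above correlate a forward-traffic log entry that reports shaper drops with the web filter log entry for the same session ID. The following is an added example (not part of the original article) that automates that correlation over exported FortiGate log lines; the sample lines are constructed, abbreviated versions of the log entries shown above, and the field names are the ones those entries use.

```python
"""Correlate FortiGate forward-traffic and web filter logs by session id."""
import re
from collections import defaultdict

# FortiGate logs are key=value tokens; values are double-quoted or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log_line(line):
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def shaper_drops(forward_lines, webfilter_lines):
    """Return {sessionid: info} for forward sessions where a shaper dropped
    bytes, enriched with hostnames the web filter log saw for that session."""
    hosts = defaultdict(set)
    for line in webfilter_lines:
        wf = parse_log_line(line)
        if wf.get("subtype") == "webfilter" and "sessionid" in wf:
            hosts[wf["sessionid"]].add(wf.get("hostname", ""))
    result = {}
    for line in forward_lines:
        fw = parse_log_line(line)
        if fw.get("subtype") != "forward":
            continue
        # Drops are reported separately for the sent and received shapers.
        dropped = (int(fw.get("shaperdropsentbyte", 0))
                   + int(fw.get("shaperdroprcvdbyte", 0)))
        if dropped == 0:
            continue
        sid = fw["sessionid"]
        result[sid] = {"shaper": fw.get("shapingpolicyname"),
                       "dropped_bytes": dropped,
                       "hostnames": sorted(hosts.get(sid, set()))}
    return result

# Constructed sample lines, abbreviated from the article's log entries.
FORWARD_LOGS = [
    'type="traffic" subtype="forward" sessionid=569596 dstip=157.240.202.35 shapingpolicyname="socialmedia_TS_policy" shaperdropsentbyte=0 shaperdroprcvdbyte=0',
    'type="traffic" subtype="forward" sessionid=581221 dstip=95.101.110.205 shapingpolicyname="socialmedia_TS_policy" shaperdropsentbyte=247921 shaperdroprcvdbyte=98328646',
]
WEBFILTER_LOGS = [
    'type="utm" subtype="webfilter" sessionid=569596 hostname="www.facebook.com" cat=37 catdesc="Social Networking"',
    'type="utm" subtype="webfilter" sessionid=581221 hostname="v16-web-prime.tiktokcdn.com" cat=37 catdesc="Social Networking"',
]

if __name__ == "__main__":
    for sid, info in shaper_drops(FORWARD_LOGS, WEBFILTER_LOGS).items():
        print(sid, info)
```

Only sessions with non-zero shaper drop counters are reported, so the facebook.com session (no drops) is left out while the tiktokcdn.com session is attributed to its hostname.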