nithincs
Staff
Article Id 370426
Description This article describes how to configure a traffic shaping policy that matches a web filter (FortiGuard URL) category, so that the bandwidth used by that category can be capped.
Scope FortiGate.
Solution

In campus, branch, and Internet of Things (IoT) networks, users are typically allowed to access specific web categories, while unnecessary categories are blocked as required by the company's network security policy.

 

Among the allowed categories there are often non-productive sites, especially social media and entertainment sites, for which the company wants to cap bandwidth usage rather than block access outright.

In such cases, a traffic shaping policy can be implemented to limit the bandwidth used by those specific URL categories.

 

Configuration:

 

  • Go to System -> Feature Visibility, enable Traffic Shaping, and select Apply.


ts1.JPG

 

  • Go to Policy & Objects -> Traffic Shaper and select Create New to create a shared traffic shaper. Set the values as required. In this example, the shaper guarantees 1 Mbps and allows at most 10 Mbps; because it is a shared shaper, all sessions matched by the shaping policy share that 10 Mbps.


ts4.JPG

 

CLI: 

 

config firewall shaper traffic-shaper
    edit "Socialmedia"
        set guaranteed-bandwidth 1
        set maximum-bandwidth 10 <-- 10 Mbps, as the bandwidth-unit below is mbps.
        set bandwidth-unit mbps
    next
end

 

To create a traffic shaping policy, go to the 'Traffic Shaping Policies' tab and select Create New.

 

Set the fields (source and destination interfaces and addresses, service) to match the user traffic. Under URL Category, select the web filter category to which the traffic shaper needs to be applied. The firewall policy carrying this traffic must have a web filter profile with FortiGuard category filtering enabled; the shaping policy can only match the URL category once that profile has rated the request (in the logs below this is profile="user_profile").

Assign the shaper to the traffic shaping policy; set the reverse shaper as well so that the reply direction (the downloads, which is where most of the bandwidth goes) is shaped too.


ts5.JPG

 

CLI: 

 

config firewall shaping-policy
    edit 1
        set uuid 45f0be4e-d343-51ef-a110-f21e6c110c9f
        set name "socialmedia_TS_policy"
        set service "ALL"
        set url-category 37 <-- FortiGuard category ID 37 = Social Networking.
        set srcintf "port3"
        set dstintf "port1"
        set traffic-shaper "Socialmedia"
        set traffic-shaper-reverse "Socialmedia"
        set srcaddr "all"
        set dstaddr "all"
    next
end

  

Validation:

 

  • Access the social media website, such as facebook.com.

 

ts2.JPG

 

Check the session table for the public IP of facebook.com to verify that the traffic shaper is applied when facebook.com is accessed:

 

chameleon-kvm06 (root) # diagnose sys session filter dst 157.240.202.35

chameleon-kvm06 (root) # diagnose sys session list

 

session info: proto=6 proto_state=11 duration=50 expire=3580 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=Socialmedia prio=2 guarantee 125000Bps max 1250000Bps traffic 2913Bps drops 0B
reply-shaper=Socialmedia prio=2 guarantee 125000Bps max 1250000Bps traffic 2913Bps drops 0B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty os rs f00 url_cat_valid log-start
statistic(bytes/packets/allow_err): org=24084/114/1 reply=297611/240/1 tuples=3
tx speed(Bps/kbps): 473/3 rx speed(Bps/kbps): 5849/46
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.5.191.254/0.0.0.0
hook=post dir=org act=snat 10.174.18.8:61686->157.240.202.35:443(10.5.133.6:61686)
hook=pre dir=reply act=dnat 157.240.202.35:443->10.5.133.6:61686(10.174.18.8:61686)
hook=post dir=reply act=noop 157.240.202.35:443->10.174.18.8:61686(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=15746 auth_info=0 chk_client_info=0 vd=0
serial=0008b0fc tos=ff/ff app_list=0 app=0 url_cat=37
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x001108
no_ofld_reason: npu-flag-off
total session 1

 

Web filter log:

 

date=2025-01-15 time=16:24:39 eventtime=1736954679494594136 tz="+0100" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 poluuid="297da4c2-cce8-51ef-70a9-02a9233fe6ea" policytype="policy" sessionid=569596 srcip=10.174.18.8 srcport=61686 srccountry="Reserved" srcintf="port3" srcintfrole="undefined" srcuuid="0366ad7c-cce5-51ef-77eb-f81adf4d6c54" dstip=157.240.202.35 dstport=443 dstcountry="France" dstintf="port1" dstintfrole="undefined" dstuuid="0366ad7c-cce5-51ef-77eb-f81adf4d6c54" proto=6 service="HTTPS" hostname="www.facebook.com" profile="user_profile" action="passthrough" reqtype="direct" url="https://www.facebook.com/" sentbyte=1969 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=37 catdesc="Social Networking"

 

Forward Traffic log:

 

date=2025-01-15 time=16:26:56 eventtime=1736954815361183257 tz="+0100" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.174.18.8 srcport=61686 srcintf="port3" srcintfrole="undefined" dstip=157.240.202.35 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=569596 proto=6 action="accept" policyid=1 policytype="policy" poluuid="297da4c2-cce8-51ef-70a9-02a9233fe6ea" policyname="internet" service="HTTPS" trandisp="snat" transip=10.5.133.6 transport=61686 duration=135 sentbyte=26015 rcvdbyte=298735 sentpkt=120 rcvdpkt=246 shapingpolicyid=1 shapingpolicyname="socialmedia_TS_policy" shapersentname="Socialmedia" shaperdropsentbyte=0 shaperrcvdname="Socialmedia" shaperdroprcvdbyte=0 appcat="unscanned" sentdelta=26015 rcvddelta=298735

 

  • Access other category websites such as fortinet.com:

ts3.JPG

 

The traffic shaper is not applied to the fortinet.com session: origin-shaper and reply-shaper are empty, no shaping_policy_id is listed, and url_cat=0 because fortinet.com is not in the Social Networking category.

 

session info: proto=6 proto_state=11 duration=34 expire=3566 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 log-start
statistic(bytes/packets/allow_err): org=2889/9/1 reply=6116/11/1 tuples=3
tx speed(Bps/kbps): 83/0 rx speed(Bps/kbps): 177/1
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.5.191.254/0.0.0.0
hook=post dir=org act=snat 10.174.18.8:61841->54.177.212.176:443(10.5.133.6:61841)
hook=pre dir=reply act=dnat 54.177.212.176:443->10.5.133.6:61841(10.174.18.8:61841)
hook=post dir=reply act=noop 54.177.212.176:443->10.174.18.8:61841(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=15746 auth_info=0 chk_client_info=0 vd=0
serial=0008c051 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x001108
no_ofld_reason: npu-flag-off
total session 1
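The two session dumps above can be checked programmatically rather than by eye. The following is an added example, not part of the Fortinet article: it parses `diagnose sys session list` output (the sample text is copied from the two dumps above, trimmed to the lines the parser reads), extracts the shaper, shaping policy ID and URL category per session, and reports anything that does not match the expected shaper and category. The `verify_shaping` helper and its field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the two `diagnose sys session list` dumps shown above (trimmed to the
# lines this parser reads). The first session is shaped, the second is not.
SESSION_DUMP = """\
session info: proto=6 proto_state=11 duration=50 expire=3580 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=Socialmedia prio=2 guarantee 125000Bps max 1250000Bps traffic 2913Bps drops 0B
reply-shaper=Socialmedia prio=2 guarantee 125000Bps max 1250000Bps traffic 2913Bps drops 0B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty os rs f00 url_cat_valid log-start
hook=post dir=org act=snat 10.174.18.8:61686->157.240.202.35:443(10.5.133.6:61686)
hook=pre dir=reply act=dnat 157.240.202.35:443->10.5.133.6:61686(10.174.18.8:61686)
serial=0008b0fc tos=ff/ff app_list=0 app=0 url_cat=37
session info: proto=6 proto_state=11 duration=34 expire=3566 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 log-start
hook=post dir=org act=snat 10.174.18.8:61841->54.177.212.176:443(10.5.133.6:61841)
hook=pre dir=reply act=dnat 54.177.212.176:443->10.5.133.6:61841(10.174.18.8:61841)
serial=0008c051 tos=ff/ff app_list=0 app=0 url_cat=0
total session 2
"""


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    origin_shaper: str            # empty string when no shaper is applied
    reply_shaper: str
    shaping_policy_id: Optional[int]
    url_cat: int                  # 0 = not rated / no category
    drops_org: int                # bytes the origin-direction shaper has dropped so far
    drops_reply: int


# The original-direction hook line carries the real client and server addresses.
_ORG_HOOK = re.compile(
    r"hook=\S+ dir=org act=\S+ (\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):(\d+)\(")


def _shaper(block: str, key: str):
    """Return (shaper name, dropped bytes) from an 'origin-shaper=' or 'reply-shaper=' line."""
    m = re.search(rf"(?m)^{key}=(\S*).*?drops (\d+)B", block)
    if m:
        return m.group(1), int(m.group(2))
    m = re.search(rf"(?m)^{key}=(\S*)", block)   # line present but no shaper assigned
    return (m.group(1) if m else ""), 0


def _int_field(block: str, key: str) -> Optional[int]:
    m = re.search(rf"\b{key}=(\d+)", block)
    return int(m.group(1)) if m else None


def parse_sessions(text: str) -> List[Session]:
    """Split the dump on 'session info:' and pull the shaping-relevant fields per session."""
    sessions = []
    for block in re.split(r"(?m)^session info:", text)[1:]:
        m = _ORG_HOOK.search(block)
        if not m:
            continue   # truncated entry without an original-direction hook line
        o_name, o_drops = _shaper(block, "origin-shaper")
        r_name, r_drops = _shaper(block, "reply-shaper")
        sessions.append(Session(
            src=m.group(1), dst=m.group(2), dport=int(m.group(3)),
            origin_shaper=o_name, reply_shaper=r_name,
            shaping_policy_id=_int_field(block, "shaping_policy_id"),
            url_cat=_int_field(block, "url_cat") or 0,
            drops_org=o_drops, drops_reply=r_drops,
        ))
    return sessions


def verify_shaping(sessions: List[Session], dst: str, expected_shaper: str, expected_cat: int) -> List[str]:
    """Return findings for sessions to dst; an empty list means the shaper is correctly applied."""
    matched = [s for s in sessions if s.dst == dst]
    if not matched:
        return [f"no session to {dst} in the table"]
    findings = []
    for s in matched:
        if s.url_cat != expected_cat:
            findings.append(f"{dst}: url_cat={s.url_cat}, expected {expected_cat} "
                            "(request not rated yet, or a different category)")
        if s.origin_shaper != expected_shaper:
            findings.append(f"{dst}: origin-shaper={s.origin_shaper!r}, expected {expected_shaper!r}")
        if s.reply_shaper != expected_shaper:
            findings.append(f"{dst}: reply-shaper={s.reply_shaper!r}, expected {expected_shaper!r}")
        if s.shaping_policy_id is None:
            findings.append(f"{dst}: no shaping policy matched this session")
    return findings


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_DUMP)
    for dst in ("157.240.202.35", "54.177.212.176"):
        print(dst, verify_shaping(sessions, dst, "Socialmedia", 37) or "OK")
```

A url_cat of 0 on a session that should be shaped is the first thing to check: it means the web filter profile on the firewall policy never rated the request, so the shaping policy's URL category condition could not match.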

 

When the overall bandwidth used by the Social Networking category reaches the shaper's maximum bandwidth of 10 Mbps, the FortiGate starts dropping packets until usage falls back below 10 Mbps. The shaper counters show this:


chameleon-kvm06 (root) # diagnose firewall shaper traffic-shaper list

name Socialmedia
maximum-bandwidth 1250 KB/sec <-- 10 Mbps.
guaranteed-bandwidth 125 KB/sec <-- 1 Mbps.
current-bandwidth 1240 KB/sec <-- Overall Social Networking usage is close to 10 Mbps.
priority 2
overhead 0
tos ff
packets dropped 4137 <-- TCP packets of Social Networking sessions dropped because the shaper's maximum-bandwidth was reached.
bytes dropped 5255957

 

Forward traffic logs for a shaped session record the bytes the shaper dropped in each direction (shaperdropsentbyte and shaperdroprcvdbyte); in the example below most of the drops are on the received side, i.e. on the download:

 

date=2025-01-15 time=16:44:26 eventtime=1736955865792525211 tz="+0100" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.174.18.8 srcport=62293 srcintf="port3" srcintfrole="undefined" dstip=95.101.110.205 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="France" sessionid=581221 proto=6 action="accept" policyid=1 policytype="policy" poluuid="297da4c2-cce8-51ef-70a9-02a9233fe6ea" policyname="internet" service="HTTPS" trandisp="snat" transip=10.5.133.6 transport=62293 duration=771 sentbyte=2784419 rcvdbyte=361128401 sentpkt=62206 rcvdpkt=243265 shapingpolicyid=1 shapingpolicyname="socialmedia_TS_policy" shapersentname="Socialmedia" shaperdropsentbyte=247921 shaperrcvdname="Socialmedia" shaperdroprcvdbyte=98328646 appcat="unscanned" sentdelta=123 rcvddelta=156

 

Search the web filter log for the same session ID (sessionid=581221) to identify which site the dropped traffic belonged to:

 

date=2025-01-15 time=16:31:35 eventtime=1736955094542163456 tz="+0100" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 poluuid="297da4c2-cce8-51ef-70a9-02a9233fe6ea" policytype="policy" sessionid=581221 srcip=10.174.18.8 srcport=62293 srccountry="Reserved" srcintf="port3" srcintfrole="undefined" srcuuid="0366ad7c-cce5-51ef-77eb-f81adf4d6c54" dstip=95.101.110.205 dstport=443 dstcountry="France" dstintf="port1" dstintfrole="undefined" dstuuid="0366ad7c-cce5-51ef-77eb-f81adf4d6c54" proto=6 service="HTTPS" hostname="v16-web-prime.tiktokcdn.com" profile="user_profile" action="passthrough" reqtype="direct" url="https://v16-web-prime.tiktokcdn.com/" sentbyte=2152 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=37 catdesc="Social Networking"
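The manual join above (traffic log to web filter log on sessionid) is easy to script when there are many shaped sessions. The following is an added example, not part of the Fortinet article: it parses FortiOS key=value log lines, keeps the traffic logs that carry a shapingpolicyid, joins each to the web filter log with the same sessionid, and totals the shaper-dropped bytes per hostname. The log lines are shortened copies of the four shown above, plus one constructed traffic log (sessionid 581300) for an unshaped session; the function names are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable

# Shortened copies of the two forward traffic logs shown above, plus one constructed
# line (sessionid 581300, as a fortinet.com session would log) with no shaping fields.
TRAFFIC_LOGS = [
    'date=2025-01-15 time=16:26:56 type="traffic" subtype="forward" srcip=10.174.18.8 srcport=61686 dstip=157.240.202.35 dstport=443 sessionid=569596 proto=6 action="accept" policyid=1 service="HTTPS" sentbyte=26015 rcvdbyte=298735 shapingpolicyid=1 shapingpolicyname="socialmedia_TS_policy" shapersentname="Socialmedia" shaperdropsentbyte=0 shaperrcvdname="Socialmedia" shaperdroprcvdbyte=0',
    'date=2025-01-15 time=16:44:26 type="traffic" subtype="forward" srcip=10.174.18.8 srcport=62293 dstip=95.101.110.205 dstport=443 sessionid=581221 proto=6 action="accept" policyid=1 service="HTTPS" sentbyte=2784419 rcvdbyte=361128401 shapingpolicyid=1 shapingpolicyname="socialmedia_TS_policy" shapersentname="Socialmedia" shaperdropsentbyte=247921 shaperrcvdname="Socialmedia" shaperdroprcvdbyte=98328646',
    'date=2025-01-15 time=16:45:10 type="traffic" subtype="forward" srcip=10.174.18.8 srcport=61841 dstip=54.177.212.176 dstport=443 sessionid=581300 proto=6 action="accept" policyid=1 service="HTTPS" sentbyte=2889 rcvdbyte=6116',
]

# Shortened copies of the two web filter logs shown above.
WEBFILTER_LOGS = [
    'date=2025-01-15 time=16:24:39 type="utm" subtype="webfilter" eventtype="ftgd_allow" sessionid=569596 srcip=10.174.18.8 dstip=157.240.202.35 hostname="www.facebook.com" action="passthrough" url="https://www.facebook.com/" msg="URL belongs to an allowed category in policy" cat=37 catdesc="Social Networking"',
    'date=2025-01-15 time=16:31:35 type="utm" subtype="webfilter" eventtype="ftgd_allow" sessionid=581221 srcip=10.174.18.8 dstip=95.101.110.205 hostname="v16-web-prime.tiktokcdn.com" action="passthrough" url="https://v16-web-prime.tiktokcdn.com/" msg="URL belongs to an allowed category in policy" cat=37 catdesc="Social Networking"',
]

# key=value, where the value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def shaper_drop_report(traffic_lines: Iterable[str], webfilter_lines: Iterable[str]) -> Dict[str, dict]:
    """Join traffic logs that matched a shaping policy to the web filter log for the
    same sessionid, so shaper drops can be attributed to a hostname and category."""
    web_by_sid: Dict[str, dict] = {}
    for line in webfilter_lines:
        rec = parse_log(line)
        if rec.get("type") == "utm" and rec.get("subtype") == "webfilter":
            web_by_sid[rec["sessionid"]] = rec   # last URL logged on the session wins
    report: Dict[str, dict] = {}
    for line in traffic_lines:
        rec = parse_log(line)
        if rec.get("type") != "traffic" or "shapingpolicyid" not in rec:
            continue   # no shaping policy matched this session; nothing to attribute
        web = web_by_sid.get(rec["sessionid"], {})
        report[rec["sessionid"]] = {
            "dstip": rec.get("dstip"),
            "hostname": web.get("hostname", "(no web filter log)"),
            "category": web.get("catdesc", "?"),
            "shaper": rec.get("shapersentname"),
            "drop_sent": int(rec.get("shaperdropsentbyte", 0)),
            "drop_rcvd": int(rec.get("shaperdroprcvdbyte", 0)),
        }
    return report


def drops_by_host(report: Dict[str, dict]) -> Dict[str, int]:
    """Total shaper-dropped bytes (both directions) per hostname."""
    totals: Dict[str, int] = defaultdict(int)
    for r in report.values():
        totals[r["hostname"]] += r["drop_sent"] + r["drop_rcvd"]
    return dict(totals)


if __name__ == "__main__":
    rep = shaper_drop_report(TRAFFIC_LOGS, WEBFILTER_LOGS)
    for sid, r in rep.items():
        print(sid, r["hostname"], r["category"], "dropped", r["drop_sent"] + r["drop_rcvd"], "bytes")
    print(drops_by_host(rep))
```

The drop counters in a forward traffic log are cumulative for that session at the time the log was written, so when a long session is logged more than once, use the last record rather than summing them.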