Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
asengar
Staff
Staff

Created on ‎08-23-2023 02:56 AM Edited on ‎01-14-2026 01:51 PM By Community Manager

Article Id 269909

Technical Tip: How to apply traffic shaper for the SSL VPN Traffic

Description This article describes how to apply a traffic shaper to SSL VPN traffic after connecting to FortiClient.
Scope FortiGate, FortiOS, FortiClient.
Solution
  • Configure SSL VPN settings under VPN -> SSL VPN Settings.
  • Create the portal configuration VPN -> SSL VPN Portals according to requirements.
  • Once the SSL VPN settings and portal configuration are set up, create a firewall policy for the ssl.root interface as the incoming interface. The outgoing interface will be the interface behind which the servers are present, or, in the case of internet traffic, the outgoing interface will be the WAN interface.

 

Steps to apply the traffic shaper to SSL VPN traffic.

  • Create a traffic shaper entry under Policies & Objects  -> Traffic Shaping  -> Traffic Shapers -> Create new.

 

shaper.png

 

  • Once the traffic shaper is configured, go to the firewall policy created for the SSL VPN, i.e., with the ssl.root interface as the incoming interface.

 

ssl-policy.png

 

  • In the policy, the traffic shaping option is visible. This option will only appear after applying the traffic shaper in the respective policy with the following CLI commands:

 

config firewall policy

    edit <policy id number>

        set traffic-shaper <> <- For upload.

        set traffic-shaper-reverse <> <- For download.

end

 

Once the above changes have been completed from the CLI, the traffic shaping option will be available in the GUI in the same policy.

 

Note: It is not possible to create a traffic shaping policy with the ssl.root interface as the source interface. It will return the following error:

 

error.png

 

  • It is necessary to apply the shaper in the running normal firewall policy for SSL VPN traffic. A separate traffic shaping policy cannot be created.
  • If multiple policies are in place for the SSL VPN, apply shapers on each policy as necessary.
  • The shape applied can be different for each policy, depending on requirements.

 

Depending on how the shaping should be applied, it may be enough to set a bandwidth limit directly on the SSLVPN interface. This can be done through the CLI by setting both 'inbandwidth' and 'outbandwidth'.

Before:


config system interface
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 46
    next
end

 

After:


config system interface
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set inbandwidth 10000
        set outbandwidth 10000
        set alias "SSL VPN interface"
        set snmp-index 46
    next
end

 

NoteWhen traffic shaping is applied to SSL VPN, enabling DTLS can improve performance by avoiding TCP-over-TCP inefficiencies and allowing more efficient bandwidth control over UDP. Refer to this link: Technical Tip: Using DTLS to improve SSL VPN performance.

 

Related documents:
6076
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.