asengar
Staff
Article Id 269909
Description This article describes how to apply a traffic shaper to SSL VPN traffic after connecting with FortiClient.
Scope FortiGate, FortiOS, FortiClient.
Solution
  • Configure SSL VPN settings under VPN -> SSL VPN Settings.
  • Create the portal configuration VPN -> SSL VPN Portals according to requirements.
  • Once the SSL VPN settings and portal configuration are set up, create a firewall policy for the ssl.root interface as the incoming interface. The outgoing interface will be the interface behind which the servers are present or, in the case of internet traffic, the outgoing interface will be the WAN interface.

Steps to apply the traffic shaper to SSL VPN traffic

  • Create a traffic shaper entry under Policy & Objects -> Traffic Shaping -> Traffic Shapers -> Create new.

shaper.png

 

  • Once the traffic shaper is configured, go to the firewall policy created for the SSL VPN, i.e. the policy with the ssl.root interface as the incoming interface.

ssl-policy.png

 

  • In the policy, the traffic shaping option is visible. This option will only appear after applying the traffic shaper in the respective policy with the following CLI commands:

config firewall policy
    edit <policy id number>
        set traffic-shaper <shaper name>            <- For upload.
        set traffic-shaper-reverse <shaper name>    <- For download.
    next
end

 

Once the above changes have been completed from the CLI, the traffic shaping option will be available in the GUI in the same policy.

 

NOTE: It is not possible to create a traffic shaping policy with the ssl.root interface as the source interface. It will return the following error:

 

error.png

 

  • It is necessary to apply the shaper in the regular firewall policy that carries the SSL VPN traffic. A separate traffic shaping policy cannot be created.
  • If multiple policies are in place for the SSL VPN, apply shapers on each policy as necessary.
  • The shaper applied can be different for each policy depending on requirements.
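When several SSL VPN policies exist, a configuration backup can be checked for policies sourced from ssl.root that have no shaper set in one or both directions. The script below is an added example, not part of the original article or of any Fortinet tooling; it assumes a plain-text backup in CLI format, the function names are hypothetical, and the sample configuration is constructed.

```python
import re

# Constructed sample of a FortiOS config backup; IDs and names are made up.
SAMPLE_CONFIG = """
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set traffic-shaper "sslvpn-shaper"
        set traffic-shaper-reverse "sslvpn-shaper"
    next
    edit 11
        set srcintf "ssl.root"
        set traffic-shaper "sslvpn-shaper"
    next
    edit 12
        set srcintf "port2"
    next
end
"""

SHAPER_KEYS = ("traffic-shaper", "traffic-shaper-reverse")
SET_RE = re.compile(r'set (\S+) (.*)')
VALUE_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare values

def parse_policies(config_text):
    """Return {policy_id: {setting: [values]}} from 'config firewall policy'."""
    policies, current, depth = {}, None, 0
    for line in (raw.strip() for raw in config_text.splitlines()):
        if depth == 0:
            depth = int(line == "config firewall policy")
        elif line.startswith("config "):
            depth += 1  # nested table inside a policy entry; its lines are skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = policies.setdefault(line[5:].strip().strip('"'), {})
        elif depth == 1 and current is not None and (m := SET_RE.match(line)):
            current[m[1]] = [a or b for a, b in VALUE_RE.findall(m[2])]
    return policies

def sslvpn_policies_missing_shaper(config_text, vpn_intf="ssl.root"):
    """List (policy_id, [unset shaper settings]) for policies sourced from vpn_intf."""
    found = {pid: [k for k in SHAPER_KEYS if not any(cfg.get(k, []))]
             for pid, cfg in parse_policies(config_text).items()
             if vpn_intf in cfg.get("srcintf", [])}
    return [(pid, missing) for pid, missing in found.items() if missing]

if __name__ == "__main__":
    print(sslvpn_policies_missing_shaper(SAMPLE_CONFIG))
```

A policy listed in the output is a prompt for review rather than an error, since the shaper is applied per policy only where required.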
