FortiGate
vdralio
Staff
Article Id 191943

Description

 

This article explains how to apply traffic-shaping in a firewall policy.

 

Scope

 

Any supported version of FortiGate.

 

In FortiOS version 5.2, traffic shaping was configured over the firewall policy.

By default, if the intention was to apply traffic shaping, it was only necessary to create a shaper and direct it to a firewall policy.

 

From FortiOS version 5.6 onward, there is no option in the GUI to create a shaper for a firewall policy. This can only be done through the CLI.

 

Solution

 

Traffic shaping in a firewall policy needs to be configured using the CLI. There is currently no method to enable traffic shaping in the GUI. After the shaper has been added, it will be possible to modify the policy in the GUI.

If traffic shaping is removed through the GUI and the firewall policy has been saved, it will be necessary to use the CLI to create it again.


The 'set traffic-shaper <shaper>' command applies to traffic in the ingress-to-egress direction, meaning it will affect upload speeds and outbound traffic.

 

The 'set traffic-shaper-reverse <shaper>' command applies to traffic in the egress-to-ingress direction, meaning it will affect download speeds and inbound traffic.

 

Follow the steps below to create traffic shaping in a firewall policy:

 

  1. Go to Policy & Objects -> IPv4 Policy, right-click the policy for which traffic shaping will be configured, and select 'Edit in CLI'.

  2. Configure the following inside the policy through the CLI:
     
        set traffic-shaper <shaper name>
        set reverse-traffic-shaper <shaper name>
        end
     
     Note: In recent versions of FortiGate, 'traffic-shaper-reverse' is used in place of 'reverse-traffic-shaper'. Try both if necessary.
     
     Alternatively, go directly from the CLI to the specific firewall policy and enable traffic shaping:
     
        config firewall policy
            edit <fw_policy_id>
                set traffic-shaper <shaper name>
                set reverse-traffic-shaper <shaper name>
            next
        end
     
  3. Once configured, the traffic shaping configuration will be visible under the policy section in the GUI.
 
 
These steps must be completed for every individual policy to which shaping will be applied.
Special Note: A traffic shaping profile cannot be applied to an explicit proxy policy. Traffic shaping for explicit proxy can instead be configured at the explicit proxy listening interface level; refer to: Configure traffic shaping for explicit proxy.
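
Because shaping has to be set on every individual policy, and a shaper removed through the GUI has to be re-created in the CLI, it helps to audit a configuration backup for policies that lack a shaper in one or both directions. The script below is an added example, not part of the original article or any Fortinet tooling; it accepts both reverse keyword spellings from the note above and assumes a plain-text, single-VDOM backup. The sample configuration, policy IDs and shaper name are constructed.

```python
import re

# Policy keywords mapped to a direction; the article notes both reverse spellings.
DIRECTION = {"traffic-shaper": "forward", "traffic-shaper-reverse": "reverse",
             "reverse-traffic-shaper": "reverse"}

def audit_shapers(config_text):
    """Map each firewall policy ID to its forward/reverse shaper (None if unset)."""
    policies, depth, current = {}, 0, {}  # depth 0 = outside the policy table
    for line in (raw.strip() for raw in config_text.splitlines()):
        if depth == 0:
            depth = int(line == "config firewall policy")
        elif line.startswith("config "):
            depth += 1  # nested block inside a policy entry
        elif line == "end":
            depth -= 1
        elif depth == 1:
            if m := re.fullmatch(r"edit (\d+)", line):
                current = policies[int(m[1])] = {"forward": None, "reverse": None}
            elif (m := re.fullmatch(r"set (\S+) (.+)", line)) and m[1] in DIRECTION:
                current[DIRECTION[m[1]]] = m[2].strip('"')
    return policies

def unshaped_directions(policies):
    """Return {policy_id: [directions with no shaper]} for incomplete policies."""
    return {pid: [d for d, name in dirs.items() if name is None]
            for pid, dirs in policies.items() if None in dirs.values()}

# Constructed sample backup excerpt; policy IDs and shaper name are made up.
SAMPLE = """
config firewall shaper traffic-shaper
    edit "shaper-10m"
    next
end
config firewall policy
    edit 1
        set traffic-shaper "shaper-10m"
        set traffic-shaper-reverse "shaper-10m"
    next
    edit 2
        set traffic-shaper "shaper-10m"
    next
    edit 3
        set reverse-traffic-shaper "shaper-10m"
    next
end
"""

if __name__ == "__main__":
    print(unshaped_directions(audit_shapers(SAMPLE)))
```

On the sample, policy 2 is reported as missing the reverse (download) shaper and policy 3 as missing the forward (upload) shaper, while policy 1 is complete and omitted.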
 

Related articles:

Technical Tip: How to configure and check which traffic shaper is used

Technical Tip: Monitoring 'Traffic Shaping'

Technical Tip: Application control based traffic shaper

Traffic shaping policies - FortiGate documentation