FortiGate
Andreas77_FTNT
Description
This document describes how to check whether traffic shaping is applied to active sessions and demonstrates which shaper takes precedence when both a shaper on the firewall policy and a traffic shaping policy match the same traffic.

Solution
In this example, a traffic shaping policy is used:
#config firewall shaping-policy
    edit 1
        set service "ALL"
        set dstintf "port1"
        set traffic-shaper "shared-1M-pipe"
        set traffic-shaper-reverse "shared-1M-pipe"
        set srcaddr "all"
        set dstaddr "all"
    next
end


There may be multiple traffic shaping policies applied, and a traffic shaper may also be configured on the IPv4 firewall policy itself:
#config firewall policy
    edit 3
        set name "Allow Internet"
        set uuid 602779c8-dad4-51e9-f897-36e313f6a3bc
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set traffic-shaper "Shared 500 Kbps"
        set traffic-shaper-reverse "Shared 500 Kbps"
        set nat enable
    next
end
It will look like this on the GUI:



To find out which traffic shaper is actually applied to the traffic, use 'diagnose system session list'.

In this example, we have a client with IP address 192.168.88.1 connecting to google.com website via HTTPS.
Use the following filters so that only the relevant sessions are displayed:
#diagnose system session filter src  192.168.88.1
#diagnose system session filter dport 443
Then, to display the session, use the following command:
#diagnose system session list
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B

per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty os rs f00
statistic(bytes/packets/allow_err): org=7501/102/1 reply=348627/282/1 tuples=2
tx speed(Bps/kbps): 94/0 rx speed(Bps/kbps): 4401/35
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=192.168.174.254/192.168.88.1
hook=post dir=org act=snat 192.168.88.1:47322->172.217.21.228:443(192.168.174.5:47322)
hook=pre dir=reply act=dnat 172.217.21.228:443->192.168.174.5:47322(192.168.88.1:47322)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0000993d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
From the output, the "shared-1M-pipe" shaper is used in both directions (origin-shaper and reply-shaper), and shaping_policy_id=1 shows that traffic shaping policy 1 matched, even though the session was accepted by firewall policy 3 (policy_id=3), which has the "Shared 500 Kbps" shaper configured. The session is therefore effectively shaped by the "shared-1M-pipe" shaper.
In conclusion, traffic shaping policies take precedence over the traffic shapers configured on an IPv4 firewall policy.
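As an added example (not from this article or from Fortinet), the following Python script parses the 'diagnose system session list' output above and reports, per session, the origin/reply shaper, its drop counters, the matching policy_id and shaping_policy_id, and which object supplies the effective shaper. The sample block is constructed from the output shown above, and the script assumes that shaping_policy_id=0 means no traffic shaping policy matched the session.

```python
import re

# Constructed sample: one session block copied from the article's
# 'diagnose system session list' output, embedded so the parser runs offline.
SAMPLE = """session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
"""

# Matches the origin-shaper / reply-shaper lines of a session block.
SHAPER_RE = re.compile(
    r"^(?P<dir>origin|reply)-shaper=(?P<name>\S+)\s+prio=(?P<prio>\d+)\s+"
    r"guarantee\s+(?P<guar>\d+)Bps\s+max\s+(?P<max>\d+)Bps\s+"
    r"traffic\s+(?P<traffic>\d+)Bps\s+drops\s+(?P<drops>\d+)B", re.M)


def parse_sessions(text):
    """Split CLI output into sessions and extract the shaping-related fields."""
    sessions = []
    for block in re.split(r"^session info:", text, flags=re.M)[1:]:
        s = {"origin": None, "reply": None}
        for m in SHAPER_RE.finditer(block):
            s[m["dir"]] = {"name": m["name"], "prio": int(m["prio"]),
                           "max_bps": int(m["max"]),
                           "traffic_bps": int(m["traffic"]),
                           "drops_bytes": int(m["drops"])}
        # \b keeps 'policy_id=' from matching inside 'shaping_policy_id='.
        pid = re.search(r"\bpolicy_id=(\d+)", block)
        spid = re.search(r"\bshaping_policy_id=(\d+)", block)
        s["policy_id"] = int(pid[1]) if pid else None
        s["shaping_policy_id"] = int(spid[1]) if spid else None
        sessions.append(s)
    return sessions


def effective_shaper(session):
    """Name the object that supplies the shaper applied to this session.
    Assumption: a non-zero shaping_policy_id means a 'firewall shaping-policy'
    entry matched and its shaper overrides the one set on the firewall policy."""
    if session["shaping_policy_id"]:
        return "shaping-policy"
    if session["origin"] or session["reply"]:
        return "firewall-policy"
    return "none"


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["policy_id"], s["shaping_policy_id"], effective_shaper(s),
              s["origin"]["name"], s["reply"]["drops_bytes"])
```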

