enguyen3467 (Staff)
Article Id 287150
Description

This article describes how to restrict the Internet bandwidth of traffic coming from an SSL VPN tunnel. When split tunneling is disabled for tunnel access in the SSL VPN portal, all client traffic is routed through the tunnel, and that includes the client's Internet traffic.

Typically, a traffic shaping policy is used to restrict bandwidth. However, the SSL VPN tunnel interface is not available for selection as the source interface of a traffic shaping policy.

Scope
FortiGate.
Solution

There are two ways to do this:

  1. Since the source interface is not mandatory when configuring a traffic shaping policy, specify the source address instead: use the SSL VPN subnet or the SSL VPN IP range as the source address of the shaping policy.

  2. Create a firewall policy from the SSL VPN tunnel interface to the WAN interface, with the service set to the service whose Internet bandwidth is to be restricted, on the GUI. Make sure to move this policy above the less specific Internet policy from the SSL VPN tunnel, otherwise the broader policy matches first and the new one is never used.

    Open the CLI and apply the traffic shaper and reverse traffic shaper to that policy (the reverse shaper limits the return direction, which for Internet traffic is the download to the client):

    config firewall policy
        edit <id>
            set traffic-shaper "<your-traffic-shaper>"
            set traffic-shaper-reverse "<your-traffic-shaper>"
        next
    end

    Once set from the CLI, the traffic shaper appears as an option in that policy on the GUI.
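As a worked example that covers both options above (added here; it is not the article's own configuration), the following FortiOS CLI creates one shaper, applies it through a shaping policy keyed on the SSL VPN address range (option 1), and alternatively through a dedicated web-only firewall policy placed above the general SSL VPN Internet policy (option 2). The shaper name, the `wan1` interface, the `SSLVPN_TUNNEL_ADDR1` address object, the `sslvpn-users` group and the policy IDs are assumptions for a typical setup; substitute your own.

```fortios
# Shared shaper: 10 Mbps ceiling, 1 Mbps guaranteed, accounted per policy.
# Values are in kbps (default bandwidth-unit).
config firewall shaper traffic-shaper
    edit "SSLVPN-Internet-10M"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 10000
        set per-policy enable
    next
end

# Option 1: shaping policy matched on the SSL VPN address range instead of the
# tunnel interface. srcintf is left unset; dstintf and service are mandatory.
# SSLVPN_TUNNEL_ADDR1 is assumed to be the address object of the SSL VPN IP pool.
config firewall shaping-policy
    edit 1
        set name "Shape-SSLVPN-Internet"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set dstintf "wan1"
        set service "ALL"
        set traffic-shaper "SSLVPN-Internet-10M"
        set traffic-shaper-reverse "SSLVPN-Internet-10M"
    next
end

# Option 2: a dedicated firewall policy for only the service to be limited
# (web traffic here) with the shaper attached directly. "sslvpn-users" is an
# assumed user group; an SSL VPN policy must match a user or group.
config firewall policy
    edit 0
        set name "SSLVPN-Web-Shaped"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set traffic-shaper "SSLVPN-Internet-10M"
        set traffic-shaper-reverse "SSLVPN-Internet-10M"
    next
end

# Policy lookup is top-down: the specific policy must sit above the broad SSL VPN
# Internet policy or it never matches. Assumed IDs: 12 = the new web policy,
# 5 = the existing general SSL VPN Internet policy.
config firewall policy
    move 12 before 5
end

# Verification: confirm the shaping policy and watch the shaper counters while a
# client downloads; a rising drop counter shows the ceiling is being enforced.
show firewall shaping-policy
diagnose firewall shaper traffic-shaper list
```

Option 1 leaves the existing SSL VPN firewall policies untouched and limits every Internet-bound flow from the VPN range, while option 2 limits only the listed services and requires the ordering step. In both cases the reverse shaper is the one that caps downloads, since the session is created in the client-to-WAN direction.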