sbaikadi
Staff
Article Id 283243
Description: This article describes the different behaviors when traffic shaping is configured via a shaping-policy compared to when it is configured directly on a firewall-policy.
Scope: FortiGate.
Solution

Note: The difference between the shaping-policy and firewall-policy implementations of traffic shapers is described in the case study below.

Case 1: When only a traffic shaping-policy is used.

  • In this case, the traffic shaper is defined only under the traffic shaping-policy and not defined under firewall-policy.
  • There should be a firewall-policy configured to allow the traffic.
  • Any traffic matching this shaping-policy will be shaped as per the bandwidth configuration on the shaper.
  • All parameters of the shaping-policy should match for shaping to take effect.
  • If an application is selected in the shaping-policy, the matching firewall-policy must have an application-control profile defined. If application control is not defined, the firewall will not check the traffic for the matching application signature, and shaping may not be applied as expected.
    For example: a traffic shaping-policy is defined for the applications 'HTTP.BROWSER' and 'Netflix' as shown below.

In this case, shaping is applied to 'HTTP.BROWSER' and 'Netflix' traffic only. Traffic from any other application (Gmail, WhatsApp, etc.) is not shaped, because those applications are not defined in the shaping-policy.

config firewall shaping-policy
    edit 1
        set name "test-shaping-policy"
        set status enable
        set service "ALL"
        set application 18155 15893    <- 18155 = Netflix; 15893 = HTTP.BROWSER
        set dstintf "v147"
        set traffic-shaper "test-1-http"
        set srcaddr "all"
        set dstaddr "all"
    next
end

A matching firewall-policy to allow the traffic is defined as below (it does not have 'set traffic-shaper xx' configured).
When an application is added to the shaping-policy, application control must be defined in this matching firewall-policy so that the firewall checks the application signature of the traffic hitting the policy and shaping is applied.

config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
    next
end

Case 2: When only a firewall policy with a shaper is used.

  • In this case, 'set traffic-shaper xx' is defined under the firewall-policy and there is no shaping-policy.
  • When 'set traffic-shaper XX' or 'set traffic-shaper-reverse XX' is configured under a firewall-policy and no shaping-policy is defined at all, all of the traffic matching that firewall-policy is shaped as per the bandwidth configured in the shaper.
  • For example: a shaper is defined under the firewall-policy as below, and no shaping-policy is configured at all.
  • Any traffic that matches this firewall-policy is shaped according to the shaper's bandwidth allocation.
  • If more than one policy uses the same shaper, whether the bandwidth is allocated per policy or shared across all policies is controlled by 'set per-policy enable/disable' under the traffic-shaper.

config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
        set traffic-shaper "test-1-http"
    next
end


Case 3: When both a shaping-policy and a firewall policy with traffic shapers are used.

  • In this case, 'set traffic-shaper XX' is defined under the firewall-policy and a shaping-policy is defined as well.
  • For traffic that matches the shaping-policy, the shaping-policy takes precedence over the 'set traffic-shaper XX' configured on the firewall-policy.
  • For example, as in Case 1, a traffic shaping-policy is defined only for the applications 'HTTP.BROWSER' and 'Netflix', while the firewall-policy is defined for any application with 'set traffic-shaper XX'. Any 'HTTP.BROWSER' and 'Netflix' traffic hitting this firewall-policy is shaped according to the shaping-policy. Other applications such as Gmail and WhatsApp (anything other than HTTP.BROWSER or Netflix) are shaped as per the shaper configured under the firewall-policy.

config firewall shaping-policy
    edit 1
        set name "test-shaping-policy"
        set status enable
        set service "ALL"
        set application 18155 15893    <- 18155 = Netflix; 15893 = HTTP.BROWSER
        set dstintf "v147"
        set traffic-shaper "test-1-http"
        set srcaddr "all"
        set dstaddr "all"
    next
end

config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
        set traffic-shaper "test-1-http"
    next
end
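To make the precedence rules of the three cases easy to check against a concrete flow, the following model encodes them as stated in this article. It is an added illustration, not FortiOS code: interface names, shaper names and application ids are taken from the CLI examples above, while the Gmail id and the 'policy-shaper' name are constructed placeholders so that the two shapers can be told apart.

```python
# Model of FortiGate shaper selection for the three cases in this article.
# Added illustration, not FortiOS code: the rules are the ones the article
# states; policy values come from its CLI examples except where marked.
from dataclasses import dataclass
from typing import FrozenSet, Optional

NETFLIX, HTTP_BROWSER = 18155, 15893      # application ids from the article
GMAIL = 99999                              # constructed placeholder id

@dataclass
class FirewallPolicy:
    srcintf: str
    dstintf: str
    application_list: Optional[str] = None  # None: no application control
    traffic_shaper: Optional[str] = None    # 'set traffic-shaper xx'

@dataclass
class ShapingPolicy:
    dstintf: str
    traffic_shaper: str
    applications: FrozenSet[int] = frozenset()  # empty: any application
    status: str = "enable"

@dataclass
class Flow:
    srcintf: str
    dstintf: str
    app_id: int

def shaping_policy_matches(sp, fw, flow):
    """Every shaping-policy parameter must match. An application entry can
    only match when the allowing firewall-policy runs application control;
    otherwise the signature is never inspected (the Case 1 caveat)."""
    if sp.status != "enable" or sp.dstintf != flow.dstintf:
        return False
    if sp.applications:
        return fw.application_list is not None and flow.app_id in sp.applications
    return True

def select_shaper(fw, shaping_policies, flow):
    """Return the shaper applied to the flow, or None if it is not shaped."""
    if (fw.srcintf, fw.dstintf) != (flow.srcintf, flow.dstintf):
        return None                         # no firewall-policy allows it
    for sp in shaping_policies:             # Case 3: shaping-policy wins
        if shaping_policy_matches(sp, fw, flow):
            return sp.traffic_shaper
    return fw.traffic_shaper                # Case 2 fallback, None if unset
```

Running the model with the article's policies shows the Case 1 pitfall directly: the same Netflix flow is shaped when the firewall-policy carries 'g-default' and left unshaped when application control is removed.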

Related document:

Traffic shaping policies - FortiGate administration guide.