Description: This article describes the different behaviours observed when a traffic shaper is applied through a shaping policy compared to when it is applied directly in a firewall policy.
Scope: FortiGate.
Solution:
Note: The difference between the shaping-policy and firewall-policy implementations of traffic shapers is illustrated in the case study below.
In this case the traffic shaper is applied through a shaping policy only, so shaping is done for the 'HTTP.BROWSER' and 'Netflix' applications and nothing else. Traffic from any other application (Gmail, WhatsApp, etc.) is not shaped, because those applications are not listed in the shaping policy.
config firewall shaping-policy
    edit 1
        set name "test-shaping-policy"
        set status enable
        set service "ALL"
        set application 18155 15893     <- 18155 = Netflix; 15893 = HTTP.BROWSER
        set dstintf "v147"
        set traffic-shaper "test-1-http"
        set srcaddr "all"
        set dstaddr "all"
    next
end
The matching firewall policy that allows the traffic is defined as below; note that it does not contain a 'set traffic-shaper xx' line of its own.
config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
    next
end
Configuration where the traffic shaper is applied in the firewall policy itself instead (no shaping policy is used). The firewall policy carries no application filter, so the shaper applies to every session matched by this policy:
config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
        set traffic-shaper "test-1-http"
    next
end
Configuration where both the shaping policy and the firewall policy reference the same traffic shaper:
config firewall shaping-policy
    edit 1
        set name "test-shaping-policy"
        set status enable
        set service "ALL"
        set application 18155 15893     <- 18155 = Netflix; 15893 = HTTP.BROWSER
        set dstintf "v147"
        set traffic-shaper "test-1-http"
        set srcaddr "all"
        set dstaddr "all"
    next
end
config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
        set traffic-shaper "test-1-http"
    next
end
Note: the session table (diag sys session list) shows which traffic shaper is applied to a given session, which is the quickest way to verify that shaping is actually taking effect for the filtered traffic.
Example of session table entry:
diag sys session list
session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
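As an added example (not from the article or from Fortinet), the Python script below parses a saved `diag sys session list` dump and reports, per session, which shaper is applied and whether it came from a shaping policy or from the firewall policy. The sample dump is constructed for this example; the field names origin-shaper=, reply-shaper=, shaping_policy_id=, policy_id= and app= follow the layout of FortiOS session entries, and the inference that shaping_policy_id=0 means the shaper was inherited from the firewall policy is an assumption of this example, not something the article states.

```python
"""Report which traffic shaper each FortiGate session is using.

Added example, not from the article. Input is the text of `diag sys session
list` (saved to a file or pasted in). The SAMPLE_DUMP below is constructed:
the field names mirror FortiOS session entries, but the values are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three sessions all matched by firewall policy 1. The
# first two (HTTP.BROWSER = 15893, Netflix = 18155) were also matched by the
# shaping policy and carry a shaper; the third (placeholder app id 99999,
# standing in for some unlisted application) is not shaped.
SAMPLE_DUMP = """\
session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=test-1-http prio=2 guarantee 0Bps max 125000Bps traffic 0Bps drops 0B
reply-shaper=test-1-http prio=2 guarantee 0Bps max 125000Bps traffic 0Bps drops 0B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
app_list=2000 app=15893 url_cat=0
session info: proto=6 proto_state=01 duration=30 expire=3590 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=test-1-http prio=2 guarantee 0Bps max 125000Bps traffic 4096Bps drops 0B
reply-shaper=test-1-http prio=2 guarantee 0Bps max 125000Bps traffic 90112Bps drops 12B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
app_list=2000 app=18155 url_cat=0
session info: proto=6 proto_state=01 duration=12 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
per_ip_shaper=
class_id=0 shaping_policy_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
app_list=2000 app=99999 url_cat=0
"""

# key=value tokens; values such as "/" or "" (empty per_ip_shaper) are allowed
_KV = re.compile(r"(\S+?)=(\S*)")


@dataclass
class SessionShaping:
    policy_id: int
    shaping_policy_id: int
    app: int
    origin_shaper: Optional[str]
    reply_shaper: Optional[str]

    @property
    def shaper(self) -> Optional[str]:
        return self.origin_shaper or self.reply_shaper

    @property
    def source(self) -> str:
        """Where the shaper came from (assumption: shaping_policy_id=0 means
        it was set on the firewall policy rather than on a shaping policy)."""
        if self.shaper is None:
            return "none"
        return "shaping-policy" if self.shaping_policy_id else "firewall-policy"


def split_sessions(dump: str) -> List[str]:
    """Cut the dump into one chunk per 'session info:' block."""
    chunks: List[str] = []
    current: List[str] = []
    for line in dump.splitlines():
        if line.startswith("session info:") and current:
            chunks.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        chunks.append("\n".join(current))
    return chunks


def parse_session(chunk: str) -> SessionShaping:
    """Collect key=value fields from a session block (first occurrence wins)."""
    fields: Dict[str, str] = {}
    for line in chunk.splitlines():
        for key, value in _KV.findall(line):
            fields.setdefault(key, value)
    return SessionShaping(
        policy_id=int(fields.get("policy_id", "0")),
        shaping_policy_id=int(fields.get("shaping_policy_id", "0")),
        app=int(fields.get("app", "0")),
        origin_shaper=fields.get("origin-shaper") or None,
        reply_shaper=fields.get("reply-shaper") or None,
    )


def shaper_report(dump: str) -> List[dict]:
    """One summary record per session: app id, shaper name (or None), source."""
    return [
        {"policy_id": s.policy_id, "app": s.app, "shaper": s.shaper, "source": s.source}
        for s in map(parse_session, split_sessions(dump))
    ]


if __name__ == "__main__":
    for row in shaper_report(SAMPLE_DUMP):
        print(row)
```

To use it on a real box, save the output of `diag sys session list` to a file and pass its contents to `shaper_report` instead of `SAMPLE_DUMP`; sessions whose source shows "none" are the ones the shaping policy did not match, which is exactly the Gmail/WhatsApp situation the case study describes.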