FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 279728


This article describes that the user's outgoing traffic stops passing and is mostly unable to browse the internet when a traffic shaper is configured with limited bandwidth allocated.








  1. Run debug flow trace on the FortiGate and check the output:


diag debug enable

diag debug flow filter addr X.X.X.X <----- IP address of interesting traffic.
diag debug console timestamp enable
diag debug flow show iprope enable

diag debug flow show function-name enable
diag debug flow trace start 100 <----- This will display 100 packets for this flow.
diag debug enable


The output will look like what is displayed below:


2023-09-28 09:15:33 id=65308 trace_id=11 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1,> tun_id= from LAN Aggregate. type=8, code=0, id=1, seq=1527."
2023-09-28 09:15:33 id=65308 trace_id=11 func=init_ip_session_common line=5964 msg="allocate a new session-0adb8d22, tun_id="
2023-09-28 09:15:33 id=65308 trace_id=11 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2130837505: to via ifindex-34"
2023-09-28 09:15:33 id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw- via PeachNet-WAN"
2023-09-28 09:15:33 id=65308 trace_id=11 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=10"
2023-09-28 09:15:33 id=65308 trace_id=11 func=get_new_addr line=1231 msg="find SNAT: IP- IPPOOL), port-60418"
2023-09-28 09:15:33 id=65308 trace_id=11 func=fw_forward_handler line=990 msg="Allowed by Policy-9: SNAT"
2023-09-28 09:15:33 id=65308 trace_id=11 func=shaper_handler line=884 msg="
exceeded shaper limit, drop"


  1. Once the message indicates an exceeded shaper limit, drop, check the traffic shaping policy, and adjust the shaping policy to accommodate more bandwidth or disable the traffic shaping policy.


Related documents:

Technical Tip: How to configure and check which traffic shaper is used

Traffic shaping policies