Grumman
New Contributor III

Application Control & Traffic Shaping not working!?

Hello,

I am having an issue with a FortiGate 200D (v5.2.3,build670 (GA)) as I can't traffic shape (and throttle down) the Aspera application.

Let me be more specific and explain the situation.

I have a 200D which has a 100Mbps WAN connection and 4 VLANs in it.

I have individual policies for each VLAN that allow them to go to the WAN.

VLAN 983 has a traffic shaper in the WAN policy that allows a MAX bandwidth of 75Mbps.

Now VLAN 983 is using an application called ASPERA which is a UDP file transfer tool.

When they create a session with the remote server and start a data transfer, the WHOLE 100Mbps of the WAN is used, leaving all other VLANs without internet connection.

I have added an Application Control Policy on top of the existing WAN policy that gives ASPERA 45Mbps MAX but that does not seem to have any effect...

I can see the traffic from VLAN 983 is limited to ~42Mbps but the WAN traffic is still over 85Mbps...

All other VLANs combined used around 3Mbps bandwidth at the time of the screenshots.

In addition, FortiView shows that it has identified Aspera and the shaper is in effect but the WAN utilisation is at 85%+.

Any suggestions on how to enforce the shaper on the WAN and actually use 45Mbps MAX when Aspera is in use?

Thank you in advance,

Thanasis

emnoc
Esteemed Contributor III

Sorry to inform you, "you can't traffic shape inbound traffic". Provide details of your TS and policies, but it sounds like this is an internet download and you're trying to TS inbound on WAN (srcintf).

PCNSE 

NSE 

StrongSwan  

Grumman
New Contributor III

emnoc wrote:

Sorry to inform you, "you can't traffic shape inbound traffic". Provide details of your TS and policies, but it sounds like this is an internet download and you're trying to TS inbound on WAN (srcintf).

Thank you for your reply!

Please find below the screenshot for the TS and Policy.

[Screenshot: Aspera 45MAX TS]

[Screenshot: VLAN 983 75MAX TS]

[Screenshot: VLAN 983 -> WAN Policy]

The shapers in the policy, aren't they supposed to have one throttle inbound and the other outbound (reverse)?

Thank you,

Thanasis

Ananth
New Contributor

Would like to know if you were successful in throttling Aspera. Unfortunately, we are also facing the same issue.

Thanks

Ananth

Fortigate 80C v5.2.8,build727

Fortigate 100A

Grumman
New Contributor III

anthrg wrote:

Would like to know if you were successful in throttling Aspera. Unfortunately, we are also facing the same issue.

Thanks

Ananth

Yes, we managed to throttle Aspera by upgrading the firewall to version 5.4.0 and creating a rule in application control for Aspera and not throttling it through the IPv4 Policy.

This way, instead of getting the TCP/UDP port that the Aspera Service is using, we are using the application's signature and it seems to be working so far.

Hope this helps.

Regards,

Thanasis

Ananth
New Contributor

Thanks Thanasis, that was quick! Much appreciated for taking the time to reply.

We are on 5.0, will upgrade soon.

Regards

Ananth
