fortimaster
Contributor

Bad configuration of reverse shaper?

Hi all,

I have a FortiGate with FortiOS 7.0.12.

I have a server that causes problems in my network. The server has an IP from the VLAN 100 network, with an IP 10.0.4.x/32. I would like to limit its traffic to 250Mbps when it tries to use more bandwidth than that. I have only one traffic shaping policy.

I've observed that the reverse shaper does not work well. Some computers, from another VLAN, have sent more than 250Mbps to the server and the shaper has not worked. Maybe I have configured it badly? I know that the reverse shaper doesn't appear in logs, but I'm sure the server has received more than 250Mbps...

I attach some pictures. Could you help me? Thanks...

hbac
Staff

Hi @fortimaster

The configuration looks good. How did you test the speed? You can run the following commands to check the session details. It will show whether the shaper was applied or not. Please replace x.x.x.x with the source and destination IP address accordingly.

di sys session filter clear
di sys session filter src x.x.x.x
di sys session filter dst x.x.x.x
di sys session list

Regards,
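
Added example, not part of the original thread and not Fortinet code: a small parser for saved session-list output that reports which sessions carry traffic toward the server with no shaper attached. The sample text is constructed; the field layout, the shaper name "srv-250m" and the peer address 10.0.8.21 are assumptions, and the reading that the origin shaper covers the initiator-to-responder direction is the usual interpretation, not something stated in the thread.

```python
import re

# Constructed sample shaped like `diagnose sys session list` output. The field
# layout, shaper name "srv-250m" and peer 10.0.8.21 are assumptions.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3590 timeout=3600
origin-shaper=
reply-shaper=
statistic(bytes/packets/allow_err): org=912345678/610234/1 reply=1200345/20456/1 tuples=2
hook=pre dir=org act=noop 10.0.8.21:51544->10.0.4.125:8530(0.0.0.0:0)

session info: proto=6 proto_state=01 duration=40 expire=3570 timeout=3600
origin-shaper=srv-250m prio=2 guarantee 0Bps max 31250000Bps traffic 1050Bps drops 0B
reply-shaper=srv-250m prio=2 guarantee 0Bps max 31250000Bps traffic 30875000Bps drops 0B
statistic(bytes/packets/allow_err): org=20456/310/1 reply=812345678/540234/1 tuples=2
hook=pre dir=org act=noop 10.0.4.125:49822->10.0.8.21:445(0.0.0.0:0)
"""

SHAPER = re.compile(
    r"^(origin|reply)-shaper=(\S*)(?:.*?max (\d+)Bps traffic (\d+)Bps drops (\d+)B)?", re.M)
FLOW = re.compile(r"dir=org act=\S+ ([\d.]+):\d+->([\d.]+):\d+")

def parse_sessions(text):
    """Return one dict per session: initiator, responder and per-direction shaper."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flow = FLOW.search(block)
        if not flow:
            continue
        s = {"src": flow.group(1), "dst": flow.group(2)}
        for direction, name, mx, traffic, drops in SHAPER.findall(block):
            s[direction] = {"name": name, "max": int(mx or 0),
                            "traffic": int(traffic or 0), "drops": int(drops or 0)} if name else None
        sessions.append(s)
    return sessions

def shaper_toward(session, server_ip):
    """Shaper covering packets flowing toward server_ip, or None if unshaped."""
    if session["dst"] == server_ip:   # peer opened the session: origin direction
        return session.get("origin")
    if session["src"] == server_ip:   # server opened it: reply direction
        return session.get("reply")
    return None

def unshaped_inbound(text, server_ip):
    """(initiator, responder) pairs whose traffic toward server_ip has no shaper."""
    return [(s["src"], s["dst"]) for s in parse_sessions(text)
            if server_ip in (s["src"], s["dst"]) and shaper_toward(s, server_ip) is None]

if __name__ == "__main__":
    print(unshaped_inbound(SAMPLE, "10.0.4.125"))
```
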

fortimaster

Thanks for your help... I'm not sure if the sessions are still active. I had a problem yesterday because that server received a lot of traffic from some computers at the same time...

If I check the sessions now with the server IP as dst, I see the traffic shaper "field" empty.

If I check the sessions now with the server IP as src, I can sometimes see sessions with "origin-shaper IP" and reverse shaper with data (and 0 dropped bytes).

hbac

@fortimaster,

Looks like the reply shaper is applied to the traffic, which means the bandwidth of 10.0.4.125 will not exceed 250Mbps. You can run a speed test to confirm.

Regards, 

fortimaster

Thanks!

I don't understand why my network was absolutely collapsed yesterday. When I searched for what was causing these problems at that time, I could see that it was that server.

Another strange thing is that it is a WSUS server and it's receiving a lot of traffic from user computers and sending very little traffic. My colleagues say it is impossible and that the firewall displays the graphs wrongly, because the WSUS sends and does not receive. If the traffic shaper worked, I don't understand why my network was collapsed. I have 1Gbps and normally the interface is below 300/100 approx...

I attach some logs from that moment. The network stabilizes at 8:50.

hbac

@fortimaster,

What you are getting on FortiView are total sent and received bytes. The traffic shaper only restricts the bandwidth to 250Mbps (250 Megabit per second). It doesn't restrict the total bandwidth of the connection.

Regards, 

fortimaster

Thanks hbac... I want the shaper to restrict the sent or received bandwidth of that server to a maximum speed of 250Mbps... And the traffic from the computers to the server bypasses the collapsed interface of the attached picture.

I think my network was collapsed because that server received more than 250Mbps of traffic during the problem and the shaper didn't work well. If the shaper had worked well, I think the affected interface would not have collapsed...

Thanks.

fortimaster
Contributor

Hi,

I have tried a speed test and the reverse shaper didn't work. If I create a new policy (just the reverse policy) to limit the upload, it works well. Now the problem is solved, but I'll open a case so Fortinet can study a possible bug...

fortimaster
Contributor

Thanks for your help. The shaper doesn't work because of a bug. The "receiving" traffic is not checked.

Regards.
