Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Is there any way to match IPSEC packets in an interface egress shaping profile?

Greetings all,


  I have a FGT connected to an ISP on wan1 that also has a couple of IPSEC VPN tunnels homed to wan1.  I've put an egress shaping profile on wan1 to match the ISP's policer, and was wanting to prioritize some traffic classes over others.  What I'm finding (at least on FortiOS 6.4.X) is that I cannot seem to match any of the encrypted packets into a shaper policy/class-id.  Does anyone know if the encrypted packets are similar to self-originated traffic and literally cannot be matched? 


  While I think it would be possible to statically divide the egress bandwidth of the circuit between the VPNs and the Internet bound traffic by placing shaping policies on the VPN interfaces, this would prevent any sort of bandwidth "sharing" between the interfaces which might leave some congested and others empty.  Prioritization seems a better approach if there's any way to actually match the packets.


Thank you for any suggestions.



I recall interface based shaper and profiles have limitation when VPNs are in the mix and we abandoned it some time ago, and have been using shared shaper since then.



Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors