Ambush4261
New Contributor II

Match IPsec traffic in Shaping Profile

Dear community,

We are using a shaping profile on wan1 to prioritize the traffic with shaping policies using 5 classes.

It's working fine but I have noticed that the IPsec tunnel under wan1 is not being classified.

In the policies, I cannot select the tunnel interface to make it classified as high priority.

Should I apply an outbound shaping profile to the tunnel interface? Or what is the best practice to classify the tunnel traffic?

Thanks for support

Dhruvin_patel

Greetings,

A traffic shaping policy can be used for interface-based traffic shaping by organizing traffic into 30 class IDs.

In the traffic shaping policy, you can select the IPsec virtual tunnel interface to create the policy.

I checked on FortiOS patch 7.2.7. What is your FortiOS version?

Document for reference: https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/647914/interface-based-traffic-shaping-...

Regards!

Dhruvin Patel

Ambush4261
New Contributor II

Hello,

I'm running 7.0.9.

I cannot see my VPN interface in the Source Interface list.
What I did now to make sure the tunnel does not go offline if there is heavy traffic is to prioritize the IPsec protocol like that:

Am I correct?

Thanks for support

config firewall shaping-policy
    edit 8
        set name "HIGH_IPSEC"
        set service "ESP" "IKE" "G-A-CAPWAP"
        set dstintf "virtual-wan-link"
        set class-id 9
        set srcaddr "all"
        set dstaddr "all"
    next
end

edit 5
    set class-id 9
    set priority critical
    set guaranteed-bandwidth-percentage 10
    set maximum-bandwidth-percentage 100
next
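
An added example, not part of the thread and not Fortinet's own tooling: a small Python check that every class-id assigned by a shaping policy also has an entry in a shaping profile, run over an abridged copy of the configuration posted above. The profile name "EXAMPLE_PROFILE" and the `config shaping-entries` wrapper lines are assumptions, since the post shows only the inner entry.

```python
# Constructed sample: the two fragments from the post, abridged. The profile
# wrapper lines ("EXAMPLE_PROFILE", "config shaping-entries") are assumed.
SAMPLE = '''
config firewall shaping-policy
    edit 8
        set name "HIGH_IPSEC"
        set service "ESP" "IKE" "G-A-CAPWAP"
        set dstintf "virtual-wan-link"
        set class-id 9
    next
end
config firewall shaping-profile
    edit "EXAMPLE_PROFILE"
        config shaping-entries
            edit 5
                set class-id 9
                set priority critical
                set guaranteed-bandwidth-percentage 10
            next
        end
    next
end
'''

def class_ids(config_text):
    """Map class-id -> labels, separately for policies and profile entries."""
    policies, entries = {}, {}
    section = label = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config firewall shaping-"):
            section = line.split()[-1]
        elif line.startswith("edit "):
            label = line[5:].strip('"')      # fall back to the edit id
        elif line.startswith("set name "):
            label = line[9:].strip('"')
        elif line.startswith("set class-id "):
            target = policies if section == "shaping-policy" else entries
            target.setdefault(int(line.split()[-1]), []).append(label)
    return policies, entries

def unmatched_classes(config_text):
    """Class IDs assigned by a policy that no profile entry defines."""
    policies, entries = class_ids(config_text)
    return sorted(set(policies) - set(entries))

if __name__ == "__main__":
    print(class_ids(SAMPLE), unmatched_classes(SAMPLE))
```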

 

 
