Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jr14
New Contributor III

TRAFFIC SHAPING TO IPSEC TUNNEL

I have a site-to-site VPN. I want to apply traffic shaping to specific traffic (source IP), but the shaping policy is not matching the traffic through the IPsec tunnel.
Is there some configuration that works differently for an interface like WAN and not for the IPsec tunnel?

1 Solution
Toshi_Esumi

Shaping-policy should work with IPsec tunnel traffic. Shaping-profile might not.

Share us your shapers.

Toshi

ozkanaltas
Valued Contributor III

Hello @jr14 ,

If you want to shape traffic from remote-site internal IPs, you need to configure the shaping policy with the IPsec interface. Normally, this configuration should work.

If it is possible, can you share your shaping policy?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
jr14
New Contributor III

I did it. I am referencing the IPsec tunnel, but it never matches the traffic that I want to limit.

ozkanaltas
Valued Contributor III

Hello @jr14 ,

If it is possible, can you share your shaping policy? Also, can you share sample logs for the traffic you want to apply the shaper to?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
jr14
New Contributor III

Something like this:

config firewall shaping-policy
    edit 1
        set uuid b90a13cc-138f-51ef-6025
        set name "TEST"
        set service "ALL"
        set srcintf "LAN"
        set dstintf "IPSEC"
        set traffic-shaper "guarantee-100kbps"
        set traffic-shaper-reverse "guarantee-100kbps"
        set srcaddr "10.10.10.10"
        set dstaddr "192.168.10.10"
    next
end

ozkanaltas
Valued Contributor III

Hello @jr14 ,

When I examine the shaping policy, I see that it gives guaranteed bandwidth. I understood that you wanted to restrict it. If you want to restrict it, you must change this first.

Is the direction of traffic configured correctly? In this case, I see that the traffic you want to restrict starts from your local network and goes to the other side. This policy will not work if traffic starts from the opposite side.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
jr14
New Contributor III

It is just an example. I want to restrict the outgoing traffic through the IPsec tunnel.

Thanks for your support.

Toshi_Esumi

If you want to restrict outgoing traffic to a certain bandwidth, you need to create a shaper to set "maximum-bandwidth". Then use it in the shaping-policy. The unit is Kbps.

Toshi
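Putting the two pieces together (the capping shaper Toshi describes above and the shaping policy jr14 posted earlier), as an added illustration that is not configuration from anyone in this thread: the shaper name "limit-512kbps", the policy ID 2 and the 512 Kbps value are assumptions, while the interface and address names are the ones from jr14's post.

```fortios
# Added example, not from the thread. Assumptions: shaper "limit-512kbps",
# policy ID 2, a 512 Kbps cap. "LAN", "IPSEC", "10.10.10.10" and
# "192.168.10.10" are the interface and address object names jr14 used.

# 1. A shaper that restricts. maximum-bandwidth is the cap (unit: Kbps).
#    The built-in "guarantee-100kbps" shaper only reserves bandwidth;
#    it never limits it, which is why the posted policy could not restrict anything.
config firewall shaper traffic-shaper
    edit "limit-512kbps"
        set maximum-bandwidth 512
        set guaranteed-bandwidth 0
    next
end

# 2. The shaping policy, same shape as jr14's but pointing at the capping shaper.
#    dstintf must be the IPsec phase1-interface name (interface-mode VPN), and
#    srcaddr/dstaddr are firewall address objects, not literal IPs.
#    A shaping policy is only consulted for sessions already allowed by a firewall
#    policy on the same interfaces/addresses, so check that policy first if nothing matches.
config firewall shaping-policy
    edit 2
        set name "LIMIT-TO-REMOTE-SITE"
        set service "ALL"
        set srcintf "LAN"
        set dstintf "IPSEC"
        set srcaddr "10.10.10.10"
        set dstaddr "192.168.10.10"
        set traffic-shaper "limit-512kbps"
        set traffic-shaper-reverse "limit-512kbps"
    next
end
```

To see whether tunnel sessions really pick up the shaper, filter the session table on the source host (diagnose sys session filter src 10.10.10.10, then diagnose sys session list) and look for origin-shaper / reply-shaper on the matched session; diagnose firewall shaper traffic-shaper list shows the shaper's counters.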

jr14
New Contributor III

Yes, I know that.
I know how to configure traffic shaping, shaping policies and more.
The problem is that I am doing it for the IPsec tunnel traffic, not for the WAN interface, and the traffic is not matching the shaper.

So I am just asking if someone has done this before: applying shaping to the traffic passing through the IPsec tunnel.

I just want to make sure that it is the same config.

