Not applicable

Traffic Shaping Inbound/Outbound clarification

Interested in getting some clarification about Traffic Shaping regarding inbound and outbound requests to a service.

Fortigate-100A 3.00,build0403,061106

The scenario is:
- webserver on internal, clients coming from wan1
- one policy added, wan1 ----> internal, for service HTTP for the webserver's virtual IP, with traffic shaping added, 32KB Max

As the external clients' requests come in on wan1, this should be the only rule needed. My question arises when I am unable to set traffic shaping separately for both incoming (client uploads a file) and outgoing (client downloads a file) requests. From what I can see, upload and download have to share this policy and the Traffic Shaping MAX; not only that, but the downloads also hog the bandwidth, suffocating any uploads.

I see there are predefined Services for FTP_PUT and FTP_GET. This is the same kind of concept, but I don't see how the Fortigate can actually differentiate between PUT and GET, as there is no assignment for inbound and outbound. (I'm pretty sure FTP, FTP_PUT and FTP_GET are all the same rule in the Fortigate.)

Cheers
Hracio
New Contributor

I think this answers your question:

"Traffic shaping which is applied to a firewall policy, is enforced for traffic which may flow in either direction. Therefore a session which may be setup by an internal host to an external one, via a Internal -> External policy, will have Traffic shaping applied even if the data stream is then coming from external to internal. For example, an FTP “get” or a SMTP server connecting to an external one, in order to retrieve email."

Take a look here: http://docs.forticare.com/fgt/techdocs/FortiGate_Administration_Guide_01-30005-0203-20070814.pdf

Regards,
rwpatterson
Valued Contributor III

One workaround for this would be to create a separate policy with the update web sites defined and no shaping in it. This, located above the shaped policy, would permit software updates without bandwidth limitations (or with a different set of limitations).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

None of the above really focuses on this problem: how can we have two Traffic Shaping policies, one for uploading to the webserver and one for downloading from the webserver? External clients come under the wan1 --> internal policy section, but the Fortigate knows nothing about whether it's a file upload or a file download.
rwpatterson
Valued Contributor III

The policy is defined by the first corresponding connection to open it. Once it is opened, all matching criteria (both uploading and downloading) between these two entities will happen within it. To nip this in the bud, you'll have to know who is going to upload/download, and then sculpt a policy for them alone. That's kind of difficult.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Hracio
New Contributor

To focus on the problem, understanding how the device handles Traffic Shaping is needed. What I would do is Traffic Shaping policies based on the protocol... I mean, how much total bandwidth you want to be used by ftps sessions, and configure the bandwidth services on the server side for uploading/downloading. For example, if it's FTP, you can handle this by user/group of users, source/dest address.

The problem I see (from the internal user view) is, as you say, there is no assignment for inbound and outbound in the case you want to assign asymmetric bandwidth for browsing purposes (let's say 640Kbps/128Kbps like ADSL), so they don't affect your servers' up bandwidth.

Regards,
jasonb_FTNT
Staff

See http://kc.forticare.com/default.asp?id=2081&SID=&Lang=1