Good Day,
Is it possible to put a traffic shaper for all traffic that goes over the IPSec interface?
I tried to do this and it does not seem to pick up all the traffic that goes through the tunnel or drop the excess packets.
Would appreciate some guidance as we have a WSUS that pushes updates to branches and would like to limit the whole tunnel.
Thanks
Are you running interface-mode or policy-mode tunnels? Also, what version of FortiOS are you running?
Hi,
I assume it is interface mode, using a site-to-site setup between two FortiGates, a 100E and a 60E.
Version is 5.6.5
Many thanks
If you're thinking of, or have tried, "outbandwidth" on the interface, it wouldn't work as you expect if it's off-loading to the ASIC. We had a similar question, not about an IPSec interface but about wan1 on a 60D, and tried "set outbandwidth <kbps>" only to find it doesn't work. TAC told us we had to set a policy specifically and disable ASIC off-loading, which would drop performance significantly. I think this depends on the type of NPU or model, but it's likely the same with some other NPUs (60D has NPU4Lite).
So the only practical option is setting up shaping-policies to control the outgoing traffic toward the IPSec interface.