Good Day,
Is it possible to put a traffic shaper for all traffic that goes over the IPSec interface?
I tried to do this and it does not seem to pick up all the traffic that goes through the tunnel or drop the excess packets.
Would appreciate some guidance as we have a WSUS that pushes updates to branches and would like to limit the whole tunnel.
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Are you running interface-mode or policy-mode tunnels? Also, what version FortiOS are you running?
Hi,
I assume it is interface mode, using site to site setup between two FortiGates. 100E and 60E
Version is 5.6.5
Many thanks
If you're thinking and tried "outbandwidth" on the interface, it wouldn't work as you expect if it's off-loading to asic. We had a similar question but not to IPSec interface, instead to wan1 on 60D and tried "set outbandwidth <kbps>" to find it doesn't work. TAC told us we had to set a policy specifically and disable asic off-loading, which would drop performance significantly. I think this is depending on the type of NPU or model. But likely the same with some other NPUs(60D has NPU4Lite).
So only practical option is setting up shaping-policies to control the outgoing traffic toward the IPSec interface.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.