Danté
New Contributor

Traffic shaper - IPSEC Tunnel interface

Good Day,

Is it possible to put a traffic shaper for all traffic that goes over the IPSec interface?

I tried to do this and it does not seem to pick up all the traffic that goes through the tunnel or drop the excess packets.

Would appreciate some guidance as we have a WSUS that pushes updates to branches and would like to limit the whole tunnel.

Thanks

3 REPLIES
m0j0
New Contributor III

Are you running interface-mode or policy-mode tunnels? Also, what version of FortiOS are you running?

Danté
New Contributor

Hi,

I assume it is interface mode, using a site-to-site setup between two FortiGates, 100E and 60E.

Version is 5.6.5.

Many thanks

Toshi_Esumi
Esteemed Contributor III

If you're thinking of, or have tried, "outbandwidth" on the interface, it wouldn't work as you expect if it's off-loading to the ASIC. We had a similar question, not for an IPSec interface but for wan1 on a 60D, and tried "set outbandwidth <kbps>" only to find it doesn't work. TAC told us we had to set a policy specifically and disable ASIC off-loading, which would drop performance significantly. I think this depends on the type of NPU or model, but it's likely the same with some other NPUs (the 60D has NPU4Lite).

So the only practical option is setting up shaping-policies to control the outgoing traffic toward the IPSec interface.
