- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Traffic shaping a static NAT'd policy.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traffic shaping a static NAT'd policy.
Hello,
Running into an issue with traffic shaping. It works fine on typical policies using outbound NAT etc. However we have a unique situation where shaper policies don't seem to apply at all to an inbound policy on our WAN2 with a static 1:1 NAT to a server host.
VIP setup -
Interface: WAN2
Type: Static NAT
External IP: x.x.x.x (Single IP in our external IP block)
Mapped IP: y.y.y.y (Internal LAN IP of the server receiving the static NAT. )
(No port forwarding or filters in place, 1:1 here only).
Policy setup using the above VIP -
Incoming interface - WAN2
Outgoing: Internal
Destination: <The VIP above>
Service: <single custom port>
NAT: Disabled (Static nat done on the VIP only).
What I see in Fortiview is:
Source: <1 of 20,000 external IP's connecting to us>, Destination: <x.x.x.x> (Our Nat'd external). (Repeat by 20K basically).
Fortiview sees little to no traffic to y.y.y.y which is the internal IP of the server pumping the TB's of upload through reverse inbound sessions (Think reverse SSH tunnel here), which makes sense due to the static 1:1 NAT. Per the above Fortiview observation it's basically seeing all this bandwidth consumed in 20,000 individual sessions which reads Source: WAN2 to Destination: WAN2....
Does shaping just not work with 1:1 NAT?
Should we try PNAT instead?
I suspect something simple, or with the given configuration shaping is not possible. I've tried various combinations of shaping policies from shared (preferred in this scenario) to per IP using the single Nat'd IP x.x.x.x, to getting desperate and just doing shaping policy reading "all to all, WAN2, <custom service port>" still does not seem to limit this.
We have shaping on other outbound items which workfine.
No SDWAN in this scenario.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think NAT(SNAT) or VIP(DNAT) would affect anything for traffic shaping as long as your shapers match the conditions the FGT can see. I'm not exactly following what you're describing about FortiView.
But the question is 1) what kind of shaper (per-ipshaper or traffic-shaper(poer-policy or shared)) you configured, then 2) what kind of conditions you set up with the shaping-policy (dstintf/src&dstaddr/service, etc).
Then if they're correct, I would keep checking "diag firewall shaper traffic-shapler list" while injecting the traffic looking for. If matching, you would see traffic under "current-bandwidth" like below.
# diag firewall shaper traffic-shaper list name GuestWiFiShaper maximum-bandwidth 1875 KB/sec guaranteed-bandwidth 500 KB/sec current-bandwidth 9 KB/sec priority 3 tos ff packets dropped 1328705 bytes dropped 1845480582
Related Posts
- Two different websites (domains) on two... 23 Views
- fortianalyser bug with old logging 72 Views
- Simple explanation enabling the LOGGING of... 167 Views
- ipv6 - internal lan interface cannot... 281 Views
- Connect Fortigate to internet with 2... 235 Views
Labels
-
FortiGate
6,498 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
105 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
NAT
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.