It doesn' t *look* like you can... McFortiGate (24) # sh config firewall policy edit 24 set srcintf " web-proxy" set dstintf " wan1" set srcaddr " all" set dstaddr " all" set action accept set schedule " always" set service " proxy_all" next end McFortiGate (24) # set ? *srcintf Source interface name. *dstintf Destination interface name. srcaddr Source address name. dstaddr Destination address name. rtp-nat Enable/disable use of this policy for RTP NAT. action Policy action. status Enable/disable policy status. identity-based Enable/disable identity-based policy. schedule Schedule name. service Service name. utm-status Enable AV/web/ips protection profile. logtraffic Enable/disable policy log traffic. logtraffic-start Enable/disable policy log traffic start. webcache Enable/disable web cache. web-auth-cookie Enable/disable Web authentication cookie. comments comments block-notification Enable/disable block notification. webproxy-forward-server Web proxy forward server. tags Applied object tags. replacemsg-override-group Specify authentication replacement message override group. srcaddr-negate Enable/disable negated source address match. dstaddr-negate Enable/disable negated destination address match. service-negate Enable/disable negated service match. timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. McFortiGate (24) # end McFortiGate # You could set an inbandwidth or outbandwidth limit on the outgoing interface itself, or else route the proxy traffic through to a second VDOM and enable a shaper on the policy governing traffic through THAT VDOM, but AFAIK, that' s about it.