Eric_Brown
New Contributor

traffic shaping on asynchronous internet connection

Hi folks. I'm trying to figure out a good way to deal with an asynchronous connection. I'd love it if someone could read through this and make sure I have my head on straight.

 

We get 50Mbps down and 5Mbps up from our ISP. Upstream gets saturated frequently, which limits our effective downstream throughput (I've had a couple executives ask for new computers because their old ones were getting "slow." Try explaining to the CEO that a new computer isn't going to make Gmail any faster, and that funds would be better spent on a synchronous fiber connection...).

The only way I can think of to control this is to create two sets of traffic shapers -- one for upstream, one for downstream, and then try to apply them to very specific applications. For example, to keep Dropbox from sucking all the air out of the room, I would have to apply a 3000Kbps max throughput traffic shaper very specifically to the application sensor signature, "Dropbox_File.Upload." It seems impractical and wasteful to do this for every single application signature. I know I could apply a traffic shaping policy to the reverse direction of the security policy, but my understanding is that bandwidth is already divided equitably among sessions in a policy. Since FortiGate doesn't have the ability to define policies around application lists, there's no way to use this effectively. Is there anything I'm missing here? I realize the real answer is "get moar bandwidth," and we're working on it, but in the meantime, is there another way to deal with this problem?

Thanks. Eric

Fortigate 60C

Firmware Version v5.2.7,build718 (GA)

 

emnoc
Esteemed Contributor III

Well, for an asymmetrical connection it is common to have this, but you have other options:

 

1: run netflow and determine what traffic types are happening during periods of congestion

2: tighten fw policy enforcement for unwanted traffic, TOD access

3: install a webcache to reduce traffic that is repetitive and for caching objects within the cache

 

btw: you're not going to effectively TS traffic flow inbound from the WAN (TCP, ICMP or UDP)

 

 

PCNSE 

NSE 

StrongSwan  
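
Added example, not code from either poster: one way to carry out step 1 of the reply, bucketing exported flow records by minute and listing who is sending when the 5 Mbps uplink from the question is nearly full. The record layout, the one-minute bucket, the 90% threshold and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict

UPLINK_BPS = 5_000_000  # 5 Mbps upstream, as stated in the question
BUCKET_S = 60           # assumption: one-minute buckets
THRESHOLD = 0.9         # assumption: "congested" means >= 90% of the uplink

# Constructed sample records (not real exports):
# (start_epoch_s, duration_s, internal_src_ip, dst_port, bytes_sent_upstream)
FLOWS = [
    (0,   120, "10.0.0.21", 443, 60_000_000),  # long upload over HTTPS
    (10,  20,  "10.0.0.35", 443, 1_500_000),
    (30,  30,  "10.0.0.40", 25,  4_000_000),   # outbound mail
    (130, 40,  "10.0.0.35", 443, 2_000_000),
    (200, 30,  "10.0.0.21", 443, 3_000_000),
]

def per_bucket(flows):
    """Spread each flow's bytes evenly over the buckets it overlaps."""
    usage = defaultdict(lambda: defaultdict(float))  # bucket -> (src, port) -> bytes
    for start, dur, src, port, nbytes in flows:
        dur = max(dur, 1)            # guard against zero-length flows
        rate = nbytes / dur          # average bytes per second for this flow
        t, end = start, start + dur
        while t < end:
            bucket = t // BUCKET_S
            nxt = min(end, (bucket + 1) * BUCKET_S)
            usage[bucket][(src, port)] += rate * (nxt - t)
            t = nxt
    return usage

def congested_periods(flows):
    """Return {bucket_start_s: [(src, port, share), ...]} for saturated buckets."""
    capacity = UPLINK_BPS / 8 * BUCKET_S  # bytes the uplink can carry per bucket
    report = {}
    for bucket, talkers in sorted(per_bucket(flows).items()):
        total = sum(talkers.values())
        if total / capacity >= THRESHOLD:
            ranked = sorted(talkers.items(), key=lambda kv: -kv[1])
            report[bucket * BUCKET_S] = [
                (src, port, round(b / total, 2)) for (src, port), b in ranked
            ]
    return report

if __name__ == "__main__":
    for start, talkers in congested_periods(FLOWS).items():
        print(f"t={start}s uplink saturated, top senders:", talkers)
```

Ports alone will not separate Dropbox from other HTTPS traffic; the source address in each row tells you which host to look at next.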
