FortiGate
asengar
Staff
Article Id 277146
Description This article describes how to apply a recurring schedule to the traffic shaper for users in the LAN while also applying a one-time schedule to the firewall policy.
Scope

FortiGate.

Solution

Scenario:

Traffic shaping is configured for specific LAN users: during business hours (9-6) the shaper should limit the bandwidth, for example to 20MB, and after that a bandwidth cap of 50MB should apply.

At the same time, the firewall policy responsible for the traffic should be disabled after 1 month or after specific days.

This means that a one-time schedule is needed for the firewall policy and a recurring schedule for the traffic shaping.

  • Applying both schedules to the same firewall policy will not work as expected.

  • In this scenario, the traffic shaper should give users 20MB during business hours and 50MB afterwards. If both schedules are applied directly in the same firewall policy, users get only 20MB even after business hours: because the one-time schedule in that policy is still active, the FortiGate does not check the next policy.

  • Create a one-time schedule and a recurring schedule, refer to the picture below:

22.png

  • After creating the schedules, create a schedule group and reference it in the firewall policy.

20.png

 

  • In this case, when the schedule is applied only in the firewall policies, users still get only 20MB, not 50MB, after the 9-6 schedule ends.

  • The reason is that the one-time schedule is still active, so traffic matches the same policy instead of being checked against the next available policies.

To overcome this issue, apply the recurring schedule in the Traffic Shaping policy and the one-time schedule on the firewall policy.

  • Now apply the recurring schedule in the traffic shaping policy, refer to the screenshot below:

21.png

 

  • In the firewall policies, apply only the one-time schedule instead of the recurring schedule.

  • In this case, the bandwidth is limited by the traffic shaping policies, and the traffic is allowed or denied by the firewall policy.

  • Shaping is applied according to the recurring schedule, and the firewall policy is disabled according to the one-time schedule.

23.png

 

  • Now verify the session of the user IP: the shaper will be applied based on the schedule.

  • If the schedule still does not work as expected, raise a case with the TAC team and include the configuration file.
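
The resulting split between firewall policy and shaping policy in FortiOS CLI form, as an added example that is not taken from the original article. All object names, dates, weekdays, the policy ID, the interface and the address object are assumed placeholders, 20MB and 50MB are entered as Mbps, and the second shaping policy for the after-hours cap is an assumption about how the 50MB limit is applied.

```fortios
# Constructed values: names, dates, days, policy ID 10, wan1 and lan-users are placeholders; 20MB/50MB taken as Mbps.
config firewall schedule onetime
    edit "policy-one-month"
        set start 00:00 2024/01/01
        set end 00:00 2024/02/01
    next
end
config firewall schedule recurring
    edit "business-hours"
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 18:00
    next
end
config firewall shaper traffic-shaper
    edit "shaper-20"
        set bandwidth-unit mbps
        set maximum-bandwidth 20
    next
    edit "shaper-50"
        set bandwidth-unit mbps
        set maximum-bandwidth 50
    next
end
# Firewall policy: one-time schedule only. The recurring schedule goes on the shaping policy below.
config firewall policy
    edit 10
        set schedule "policy-one-month"
    next
end
config firewall shaping-policy
    edit 1
        set service "ALL"
        set schedule "business-hours"
        set dstintf "wan1"
        set traffic-shaper "shaper-20"
        set traffic-shaper-reverse "shaper-20"
        set srcaddr "lan-users"
        set dstaddr "all"
    next
    edit 2
        set service "ALL"
        set schedule "always"
        set dstintf "wan1"
        set traffic-shaper "shaper-50"
        set traffic-shaper-reverse "shaper-50"
        set srcaddr "lan-users"
        set dstaddr "all"
    next
end
```

To check which shaper a user's session picked up, filter on the user IP with `diagnose sys session filter src <user-ip>` (placeholder address) and then run `diagnose sys session list`.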