Description | This article describes the different behaviors when a traffic-shaping policy is configured via a shaping-policy compared to when traffic shaping is configured via a firewall-policy. |
Scope | FortiGate. |
Solution |
Note: The difference between shaping-policy and firewall-policy implementations of traffic shapers is illustrated in the case study below.
In this case, shaping will be done for the 'Http-browser' and 'Netflix' applications only. If any other application traffic is seen (such as Gmail or WhatsApp), shaping will not be applied, because those applications are not defined in the shaping policy.
config firewall shaping-policy
    edit 1
        set name "test-shaping-policy"
        set status enable
        set service "ALL"
        set application 18155 15893 <- 18155 = Netflix; 15893 = HTTP.BROWSER
        set dstintf "v147"
        set traffic-shaper "test-1-http"
        set srcaddr "all"
        set dstaddr "all"
    next
end
The matching firewall policy that allows the traffic is defined as below (it does not have 'set traffic-shaper xx' defined).
config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
    next
end
config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
        set traffic-shaper "test-1-http"
end
config firewall shaping-policy
    edit 1
        set name "test-shaping-policy"
        set status enable
        set service "ALL"
        set application 18155 15893 <- 18155 = Netflix; 15893 = HTTP.BROWSER
        set dstintf "v147"
        set traffic-shaper "test-1-http"
        set srcaddr "all"
        set dstaddr "all"
    next
end
config firewall policy
    edit 1
        set name "p1"
        set srcintf "v41"
        set dstintf "v147"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set logtraffic all
        set traffic-shaper "test-1-http"
    next
end
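An added example (not part of the original article and not Fortinet code): a small Python audit that reads a configuration backup, lists where each traffic shaper is attached and what it covers, and flags destination interfaces where a shaper is set in both a shaping-policy and a firewall policy. The function names and the embedded sample are assumptions made for illustration. The example also assumes that a shaper set directly in a firewall policy is not narrowed by application.

```python
import re

SAMPLE = '''
config firewall shaping-policy
    edit 1
        set name "test-shaping-policy"
        set application 18155 15893
        set dstintf "v147"
        set traffic-shaper "test-1-http"
    next
end
config firewall policy
    edit 1
        set name "p1"
        set dstintf "v147"
        set traffic-shaper "test-1-http"
    next
end
'''  # constructed sample: the article's objects with the shaper set in both

def parse(text):
    """Return {table: [entry, ...]}; an entry maps each 'set' key to its values."""
    tables, table, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config firewall "):
            table = tables.setdefault(line.split()[2], [])
        elif line.startswith("edit ") and table is not None:
            table.append(entry := {"id": line.split()[1:2]})
        elif line.startswith("set ") and entry is not None:
            key, *vals = re.findall(r'"[^"]*"|\S+', line[4:])
            entry[key] = [v.strip('"') for v in vals]
        elif line in ("next", "end"):
            entry, table = None, (None if line == "end" else table)
    return tables

def shaper_report(text):
    """Rows of (table, name, shaper, dstintf, scope) for every attached shaper."""
    rows = []
    for kind, entries in parse(text).items():
        for e in (e for e in entries if "traffic-shaper" in e):
            apps = e.get("application") if kind == "shaping-policy" else None
            scope = "apps " + ",".join(apps) if apps else "all matching traffic"
            rows.append((kind, e.get("name", e["id"])[0], e["traffic-shaper"][0],
                         e.get("dstintf", ["?"])[0], scope))
    return rows

def shaped_both_ways(text):
    """dstintf values shaped by both a shaping-policy and a firewall policy."""
    intfs = lambda kind: {r[3] for r in shaper_report(text) if r[0] == kind}
    return sorted(intfs("policy") & intfs("shaping-policy"))
```

Calling `shaper_report(open("backup.conf").read())` on a real backup (the file name is a placeholder) gives one row per attached shaper.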
Copyright 2024 Fortinet, Inc. All Rights Reserved.