|
Note: The difference between shaping-policy and firewall-policy implementations of traffic shapers is mentioned in the case-study below.
Case 1: When only a traffic shaping-policy is used.
- In this case, the traffic shaper is defined only under the traffic shaping-policy and not defined under firewall-policy.
- There should be a firewall-policy configured to allow the traffic.
- Any traffic matching this shaping-policy will be shaped as per the bandwidth configuration on the shaper.
- All parameters of the shaping-policy should match for shaping to take effect.
- If an application is selected in the shaping-policy, the matching firewall-policy should have application-control defined. If application control is not defined, the firewall will not check for the matching application signature in the traffic and shaping may not be applied as required.
For example: A Traffic Shaping-Policy is defined for applications 'HTTP-Browser' and 'Netflix' as shown below.
In this case, shaping will be done for the 'Http-browser' and 'Netflix' applications only. If any other application traffic is seen (such as gmail, Whatsapp, etc.) shaping will not be applied as they are not defined in the shaping policy.
config firewall shaping-policy
edit 1
set name "test-shaping-policy"
set status enable
set service "ALL"
set application 18155 15893 <- 18155 = Netflix; 15893 = HTTP.BROWSER
set dstintf "v147"
set traffic-shaper "test-1-http"
set srcaddr "all"
set dstaddr "all"
next
end
A Firewall Matching Policy to allow the traffic is defined as below (it does not have 'set traffic-shaper xx' defined).
Application control should be defined in this matching firewall-policy in cases where the application is added to the shaping-policy, in order to ensure the firewall will check for the application signature for the traffic hitting the policy and shaping will be applied.
config firewall policy
edit 1
set name "p1”
set srcintf "v41"
set dstintf "v147"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set application-list "g-default"
set logtraffic all
next
Case 2: When only a firewall policy with a shaper is used.
- In this case, 'set traffic-shaper xx' is defined under firewall-policy and there is no shaping-policy.
- When 'set traffic-shaper XX' or 'set traffic-shaper-reverse XX' is configured under firewall-policy and shaping-policy is not defined at all, all of the traffic matching that firewall-policy will be shaped as per the bandwidth configured in the shaper.
- For example: a shaper is defined under the firewall-policy as below. There is no shaping-policy configured at all.
- In this case, any traffic that matches this firewall-policy will be shaped as per the shaper bandwidth allocation.
- If there are more policies using the same shaper, the bandwidth will be shaped based on per-policy settings or the all-policies settings under traffic-shaper (set per-policy enable/disable).
config firewall policy
edit 1
set name "p1"
set srcintf "v41"
set dstintf "v147"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set application-list "g-default"
set logtraffic all
set traffic-shaper "test-1-http"
end
Case 3: When both a shaping-policy and a firewall policy with traffic shapers are used.
- In this case, 'set traffic-shaper XX' is defined under firewall-policy and the shaping-policy is defined as well
- In this case, all of the traffic hitting the firewall policy with 'set traffic-shaper XX' will take precedence and the shaping-policy will not be considered.
- For examples like in case 1, where a traffic-shaping policy is defined only for the applications Http.Browser and Netflix: The firewall-policy is defined for any application with 'set traffic-shaper XX', meaning any traffic hitting this firewall-policy will take effect irrespective of the parameters defined in the shaping-policy. This means that any other applications like Gmail and Whatsapp (other than Http.browser or Netflix) will be shaped as per the shaper configured under firewall-policy.
- All traffic hitting the firewall-policy will be shaped irrespective of what is defined in the shaping-policy.
config firewall shaping-policy
edit 1
set name "test-shaping-policy"
set status enable
set service "ALL"
set application 18155 15893 <- 18155 = Netflix; 15893 = HTTP.BROWSER
set dstintf "v147"
set traffic-shaper "test-1-http"
set srcaddr "all"
set dstaddr "all"
next
end
config firewall policy
edit 1
set name "p1”
set srcintf "v41"
set dstintf "v147"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set application-list "g-default"
set logtraffic all
set traffic-shaper "test-1-http"
next
Related document:
Traffic shaping policies - FortiGate administration guide.
|
