How do I configure traffic shaping for return RDP traffic?
Hello All, I am totally lost understanding this traffic shaping. I think I am lost because I have read the documentation and I am not at all clear on what the shaping parameters pertain to, in terms of where in the "sequence" they are matched.
Here is my scenario. We have a Fortigate 60E, v5.4.4, build7619. There is an ADSL connection attached to each WAN port (wan1, wan2). WAN load balancing is configured.
A number of our developers simply use RDP connections directly into our network for working from home (i.e. no IPSEC etc. involved). We use different port numbers for each developer. For example, 23555 for Developer 1 and 23655 for Developer 2. We have "Virtual IPs" set up to map from these ad-hoc port numbers to 3389, which is the RDP port number of each developer's workstation.
Developers connect to these ports from home.
I want to set up traffic shaping so that when a developer's local machine inside the network sends RDP traffic back to the developer at home, that "outbound" or "reverse" traffic gets high priority.
For the life of me I cannot get this to work, or somehow it is working, and Fortiview isn't showing traffic shaping. I won't even attempt to describe all the attempts I have made.
As I understand it, I need to apply traffic shaping to the "return traffic" and hence I need to specify a reverse shaper. Am I right?
Here's the crux of my problem, when defining the traffic shaping policy. Let me start by presuming I only want to shape return traffic for a single PC.
- I am fairly comfortable that my "Source" should be "all".
- I don't know what my destination should be? My wan port address, or the PC address based on the Virtual IP?
- I don't know what service I should use: "RDP" (which is the service I would have after the inbound port has been mapped), or, e.g., 23555 (i.e. before mapping).
- I don't know what outbound interface to use, but I have tried "internal" and I have tried the "wan-load-balancer" interface.
I am assigning the built-in "high-priority" shaper for the moment.
I feel like I have literally tried every possible combination of the above with a reverse shaper and _never_ see shaped traffic in Fortiview under Traffic Shaping. I disconnect my test RDP session and reconnect after each firewall change.
I thought that maybe I won't see anything in Fortiview under Traffic Shaping unless there is "actual" shaping going on (i.e. there must be contention for bandwidth before I see shaping occur), so to test that I started a huge FTP upload from inside the network (i.e. sending data out), but didn't see anything there, either. In hindsight this might not have been a good test since I can't guarantee which WAN connection the FTP upload was using (i.e. it might have been on a different connection to the return traffic I am trying to shape).
I have read the documentation and looked at the examples, but I feel stuck because the docs don't seem to describe how the shaping parameters interact with the port translation/virtual IP mechanics (that I could see).
I work in an IT security profile, and my first comment on your configuration is: "It is not a secure or recommended configuration. You must configure SSL VPN for your developers. If I am not wrong, security and flexibility are the main aims of using a FortiGate device."
Now I am coming to your point.
Q: As I understand it, I need to apply traffic shaping to the "return traffic" and hence I need to specify a reverse shaper. Am I right?
As I understand your concern, you want to apply traffic shaping on the VIP. So the configuration parameters must be like:
Source: Your LAN system IP
Destination: WAN Load Balancer (All)
Services: Custom (TCP port 23555)
Priority: High (If you want then you can reserve bandwidth also).
Finally, I hope the link below can help you better than I can:
RDP sessions are initiated in the out-to-in direction. You need to create a shaping-policy for out-to-in; then you can set separate shapers for the incoming direction ("set traffic-shaper") and the outgoing direction ("set traffic-shaper-reverse"). Or you can probably set only the reverse shaper if you want, I think (I haven't tried it myself though).
But I strongly suggest you open a TAC case to get help. Traffic shaping/QoS is very difficult to troubleshoot without getting in the FGT with live traffic.
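The out-to-in shaping policy the reply above describes, written out as a constructed FortiOS 5.4 CLI example (added here; not configuration from the thread or from Fortinet). The object names, the external address 203.0.113.10 on wan1 and the workstation address 192.168.1.50 are placeholders, and matching the policies on the external port 23555 follows the first reply's suggestion rather than anything verified on this device.

```text
# Constructed example: placeholder addresses and object names, FortiOS 5.4 syntax assumed.

# 1. The VIP mapping the ad-hoc external port to RDP on the workstation.
config firewall vip
    edit "vip-dev1-rdp"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.50"
        set portforward enable
        set protocol tcp
        set extport 23555
        set mappedport 3389
    next
end

# 2. A custom service for the external (pre-NAT) port.
config firewall service custom
    edit "TCP-23555"
        set tcp-portrange 23555
    next
end

# 3. The out-to-in firewall policy that permits the session.
#    Restricting srcaddr to the developers' home addresses, where they
#    are static, narrows the exposure of the forwarded RDP port.
config firewall policy
    edit 10
        set name "dev1-rdp-in"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-dev1-rdp"
        set action accept
        set schedule "always"
        set service "TCP-23555"
    next
end

# 4. The shaping policy follows the session's initiating direction (out-to-in).
#    traffic-shaper covers packets from the home PC into the network;
#    traffic-shaper-reverse covers the return RDP traffic the question is about.
config firewall shaping-policy
    edit 1
        set srcaddr "all"
        set dstaddr "vip-dev1-rdp"
        set dstintf "internal"
        set service "TCP-23555"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
    next
end
```

Check the forward traffic log first: if a test RDP session is not logged against policy 10, the service or destination choice is what needs fixing, not the shaper.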