- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Slow Facebook down to " dial up speed"
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Slow Facebook down to " dial up speed"
We have a FWF40c (v4.0, build4054,111202 (MR3)) , we don’t have any of the Fortiguard services. All internal IP’s are static and we are not running Active Directory, just simple Windows authentication.
There are a few people who are wasting time using Facebook during work hours.
We cannot block the Internet, as these folks have to use the Internet to perform their jobs. Furthermore the boss does not want to block FB entirely, he wants to slow it down to dial up speed so people will get frustrated on their own and just stop using it, his thoughts not mine, but he’s the boss.
So my mission is come up with a way to do this. Unfortunately I am a newbie in the networking world. Not sure where to start. My understanding is that Application Control only works with a subscription.
Therefore, I was thinking of creating an IP Pool of 128.10.0.[201-209] these are the offenders. Create a FW Object for Facebook.com as a FQDN, then create a policy to shape traffic associated with the FW Object. Am I on the right track?
Or can my boss’s assignment even be accomplished without subscriptions?
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Therefore, I was thinking of creating an IP Pool of 128.10.0.[201-209] these are the offenders. Create a FW Object for Facebook.com as a FQDN, then create a policy to shape traffic associated with the FW Object. Am I on the right track? Or can my boss’s assignment even be accomplished without subscriptions?This will work except you will need to create at least three FW FQDN objects (1) www.Facebook.com, 2) Facebook.com, 3) static.ak.fbcdn.net). (A Google seach or check the site info for a complete list of fqdns or IP block range that should be blocked.) For the traffic shaping, set the direction for both ways.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Dave I haven’t blown you guys off I have been just swamped. Thanks for the direction.
Here’s where I’m at with the FQDN option… I set up the Facebook Firewall Objects as FB1= www.facebook.com, FB2=Facebook.com and FB3=static.ak.fbcdn.nett. then tried to add them as members of a group called Facebook in an attempt to minimize policies. I kept getting “Blank or incorrect address entry†so I went to plan B, use the IP ranges for FB vs the FQDN. However, I ran into syntax issues with that. I know how to range the last octet i.e. 128.10.0.[201-209] but not the last two octets. FB’s first of four IP ranges - 66.220.144.0 - 66.220.159.255. I couldn’t figure out what the os wanted for a proper syntax, I had to run before I could really figure that one out and I' m just now sitting down to try again.
Application control is the way to go in my situation or so I thought. I tried it, tested it with Per-IP in traffic shaping and my result was I slowed down internet access for all sites on that computer, not just FB. Maybe I hosed up the config. So I called my reseller rep and she told me that Application Control is part of a UTM bundle and the only way to use it was to buy the bundle. So I accepted that as gospel and started looking for another solution…again, not knowing if I had an invalid config because I am a rookie with security appliances or it simply doesn’t work with out a subscription.
I don’t know. But sure seems that app control would be the easiest way to go.
Status: I haven’t solved this yet. Any help with the syntax for an address range listed above would be most helpful.
And thanks again for trying to help the new kid
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My suggestion would be to use a policy based on application detection. That' s probably more reliable than FQDN.
E.g.
Source: Any
Destination: Any
App: Facebook
Action: Rate Limit
A Real World Fortinet Guide
Configuration Examples & Frequently Asked Questions
http://firewallguru.blogspot.com
A Real World Fortinet Guide Configuration Examples & Frequently Asked
Questions http://firewallguru.blogspot.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: g3rman My suggestion would be to use a policy based on application detection. That' s probably more reliable than FQDN. E.g. Source: Any Destination: Any App: Facebook Action: Rate LimitDoesn' t this require a subscription? He doesn' t have one at this time, but I agree with your post.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I am aware App Control works without a subscription. AV/IPS is what you need to license, App Control is built into the OS itself. I' d say give it a shot and let us know :)
A Real World Fortinet Guide
Configuration Examples & Frequently Asked Questions
http://firewallguru.blogspot.com
A Real World Fortinet Guide Configuration Examples & Frequently Asked
Questions http://firewallguru.blogspot.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your problem with the appliation filter was an error in the config i think.
You should not apply the traffic shaping on the firewall policy but in the application filter.
You can then shape the traffic for Facebook and not for all other applications.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can specify an address range by supplying a matching network mask in the address object.
66.220.144.0 - 66.220.159.255 will be covered by 66.220.144.0/20
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the input, I just got a chance to sit down and drink in the information you folks have kindly provided. So now to work on my problem some more…
Subnetting, /20 I knew that, Not! I have so much to learn. And I sucked at math, that’s why I just fixed pc’s I’m just a pc person tossed into Networking. I love it but so much to learn.
I will keep ya’ll posted – thanks again
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know that this will cut my reputation a bit...but I confess I googled for " subnet calculator" and used the first web site that came up to determine the matching subnet mask. Practise over studying, I guess.
I' m glad that it makes sense to you. You' ll get it up working 100% soon.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 217 Views
- Dial-up IPsec tunnels with same source... 616 Views
- DID (Direct Inward Dialing) number override... 104 Views
- Extending Subnet Mask in Dial-Up VPN... 263 Views
- Dial Up Ipsec Tunnel goes down 287 Views
Labels
-
FortiGate
6,496 -
FortiClient
1,297 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
332 -
FortiSwitch
331 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
FortiAuthenticator
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.