Application control shaping
Traffic shaping is also possible for specific applications, too. Application control shaping works in conjunction with a Shared Shaper or Per-IP Shaper. You must create a shaper with the bandwidth settings you would like to enforce or edit one of the predefined shapers in the Policy & Objects > Traffic Shapers menu.
Traffic shaping policies allow you to enable these shapers and configure application control options. In the traffic shaping policy, you can set an Application Category, Application, and URL Category. You must also specify which security policies to apply your shaper to by setting the Matching Criteria.You can create a traffic shaping policy in the Policy & Objects > Traffic Shaping Policy section.
For application control shaping to work, application control must be enabled in a security policy, through Policy & Objects > IPv4 Policy or Policy & Objects > IPv6 Policy under Security Profiles.
Also, application control shaping will only affect applications that are set to pass in the Security Profiles > Application Control menu.
For more information on application control, see the FortiOS Chapter 22 – Security Profiles Guide.
Example
This example sets the traffic shaping definition for Facebook to a medium priority, a default traffic shaper.
To add traffic shaping for Facebook – web-based manager:
1. Go to Policy & Objects > IPv4 Policy to create a general Internet access security policy.
2. Select the Create New “Plus” icon in the upper right corner of the screen to create a new security policy (or edit an existing Internet access policy).
3. Set the following to enable application control within a security policy:
Name <Enter a descriptive name.>
Incoming Interface Internal
Source address All
Outgoing interface wan1
Destination address all
Schedule Always
Service Any
Action Accept
Application Control Under Security Profiles, enable Application Control and select the default application control profile.
4. Select OK.
5. Go to Policy & Objects > Traffic Shaping Policy and the Create New “Plus” icon to create a new traffic shaping policy.
6. To apply your traffic shaping policy to the security policy you created earlier set the Matching Criteria to the following:
Source all
Destination address all
Service ALL
Application Category Social.Media
Application Facebook
URL Category Social Networking
7. Under Apply shaper, set the following:
Outgoing interface any
(The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)
Shared Shaper Enable Shared Shaper and select medium–priority from the drop down menu.
Reverse Shaper Enable Shared Shaper and select medium–priority from the drop down menu.
Enable this policy Enable this policy.
8. Select OK.
9. On the policy list page, move the facebook traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it.
To create a traffic shaping policy for Facebook – CLI:
config firewall shaping-policy
edit 1 <shaping policy ID number>
set srcaddr all set dstaddr all set service ALL
set application 15832
set app-category 23 <Social.Media>
set url-category 37 <Social Networking> set dstintf wan1 <outgoing interface> set traffic-shaper medium-priority
set reverse-traffic-shaper medium-priority end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!