Application control shaping

Traffic shaping can also be applied to specific applications. Application control shaping works in conjunction with a Shared Shaper or Per-IP Shaper. You must create a shaper with the bandwidth settings you would like to enforce, or edit one of the predefined shapers, in the Policy & Objects > Traffic Shapers menu.

Traffic shaping policies allow you to enable these shapers and configure application control options. In the traffic shaping policy, you can set an Application Category, Application, and URL Category. You must also specify which security policies to apply your shaper to by setting the Matching Criteria. You can create a traffic shaping policy in the Policy & Objects > Traffic Shaping Policy section.

For application control shaping to work, application control must be enabled in a security policy, through Policy & Objects > IPv4 Policy or Policy & Objects > IPv6 Policy under Security Profiles.

Also, application control shaping will only affect applications that are set to pass in the Security Profiles > Application Control menu.

For more information on application control, see the FortiOS Chapter 22 – Security Profiles Guide.

 

Example

This example shapes Facebook traffic with medium-priority, one of the default traffic shapers.

 

To add traffic shaping for Facebook – web-based manager:

1. Go to Policy & Objects > IPv4 Policy to create a general Internet access security policy.

2. Select the Create New “Plus” icon in the upper right corner of the screen to create a new security policy (or edit an existing Internet access policy).

3. Set the following to enable application control within a security policy:

Name                                         <Enter a descriptive name.>

Incoming Interface                     Internal

Source address                          All

Outgoing interface                     wan1

Destination address                 all

Schedule                                     Always

Service                                         Any

Action                                          Accept

Application Control                   Under Security Profiles, enable Application Control and select the default application control profile.

4. Select OK.

5. Go to Policy & Objects > Traffic Shaping Policy and select the Create New “Plus” icon to create a new traffic shaping policy.

6. To apply your traffic shaping policy to the security policy you created earlier, set the Matching Criteria to the following:

Source                                              all

Destination address                      all

Service                                              ALL

Application Category                     Social.Media

Application                                      Facebook

URL Category                                  Social Networking

7. Under Apply shaper, set the following:

Outgoing interface                            any

(The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)

Shared Shaper                           Enable Shared Shaper and select medium-priority from the drop down menu.

Reverse Shaper                          Enable Reverse Shaper and select medium-priority from the drop down menu.

Enable this policy                     Enable this policy.

8. Select OK.

9. On the policy list page, move the Facebook traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it.

 

To create a traffic shaping policy for Facebook – CLI:

config firewall shaping-policy
    edit 1 <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service ALL
        set application 15832
        set app-category 23 <Social.Media>
        set url-category 37 <Social Networking>
        set dstintf wan1 <outgoing interface>
        set traffic-shaper medium-priority
        set reverse-traffic-shaper medium-priority
end
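
A check for the prerequisite stated above (application control must be enabled in a security policy before application shaping takes effect), added here as an example; it is not part of the original page or of Fortinet's tooling. It assumes a FortiOS configuration backup with non-nested firewall policy and firewall shaping-policy tables, treats an accept policy that sets application-list on the same outgoing interface as having application control enabled, and runs on a constructed sample config.

```python
import shlex

# Constructed sample in FortiOS config-backup syntax (not from a real device).
SAMPLE = """
config firewall policy
    edit 1
        set dstintf "wan1"
        set action accept
        set application-list "default"
    next
    edit 2
        set dstintf "wan2"
        set action accept
    next
end
config firewall shaping-policy
    edit 1
        set application 15832
        set dstintf "wan1"
    next
    edit 2
        set app-category 23
        set dstintf "wan2"
    next
end
"""

def parse(text):
    """Return {table: {entry id: {key: [values]}}}; nested config blocks are not handled."""
    tables, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def shaping_without_appctrl(text):
    """IDs of application-based shaping policies with no app-control accept policy on their dstintf."""
    cfg = parse(text)
    covered = {i for p in cfg.get("firewall policy", {}).values()
               if p.get("action") == ["accept"] and p.get("application-list")
               for i in p.get("dstintf", [])}
    def ok(intfs):  # "any" on either side matches as long as some policy has app control
        return bool(covered) if "any" in intfs | covered else bool(covered & intfs)
    return [sid for sid, s in cfg.get("firewall shaping-policy", {}).items()
            if (s.get("application") or s.get("app-category"))
            and not ok(set(s.get("dstintf", [])))]
```

On the sample, shaping policy 2 is reported because the only security policy on wan2 has no application control profile, so its application match would never trigger.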