Traffic Shaping Policies

This chapter describes new traffic shaping features added to FortiOS 5.4.

Traffic shaping policy IDs added to traffic logs (303802)

As of build 1013, traffic shaping policy IDs are now displayed in traffic logs and IP sessions. This allows you to easily identify which shaping policy is applied to traffic, even with multiple shaping policies configured. Look at the example below to see a sample log with the shapingpolicyid:

date=2016-01-29 time=15:35:25 logid=0000000013 type=traffic subtype=forward level=notice vd=vdom1 srcip=192.0.2.2 srcname="A" srcport=43041 srcintf="port3" dstip=203.0.113.55 dstport=80 dstintf="port11" poluuid=bcd3b008-c6bd-51e5-0e2c-2002e7a5774d sessionid=18364 proto=6 action=close policyid=2 policytype=policy dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=192.0.2.2 transport=43041 service="HTTP" duration=205 sentbyte=747285 rcvdbyte=26382426 sentpkt=12887 rcvdpkt=17592 shapingpolicyid=1 shapersentname="shaper400" shaperdropsentbyte=0 shaperrcvdname="shaper200" shaperdroprcvdbyte=14065762 appcat="unscanned" devtype="Fortinet Device" osname="Fortinet OS" mastersrcmac=33:5b:0e:ca:dd:dc srcmac=33:5b:0e:ca:dd:dc

Traffic shaping GUI improvements (300055)- Not necessarily a "feature" but something to be aware of.

Traffic shaping GUI updates (290083) - I am not sure its worth documenting this change.

New Traffic Shaper Policy Configuration Method (269943)

Previously, traffic shapers were configured in Policy & Objects > Objects > Traffic Shapers and then applied in security policies under Policy & Objects > Policy > IPv4 . In FortiOS 5.4, traffic shapers are now configured in a new traffic shaping section in Policy & Objects > Traffic Shapers.

The way that traffic shapers are applied to policies has changed significantly in 5.4., because there is now a specific section for traffic shaping policies in Policy & Objects > Traffic Shaping Policy. In the new traffic shaping policies, you must ensure that the Matching Criteria is the same as the security policy or policies you want to apply shaping to. The screen shot below shows the new 5.4 GUI interface:

 

 

There is also added Traffic Shaper support based on the following:

  • Source (Address, Local Users, Groups)
  • Destination (Address, FQDN, URL or category)
  • Service (General, Web Access, File Access, Email and Network services, Authentication, Remote Access, Tunneling, VoIP, Messaging and other Applications, Web Proxy)
  • Application
  • Application Category
  • URL Category

Creating Application Control Shapers

Application Control Shapers were previously configured in the Security Profiles > Application Control section, but for simplicity they are now consolidated in the same section as the other two types of traffic shapers: Shared and Per-IP.

To create an Application Control Shaper, you must first enable application control at the policy level, in Policy & Objects > Policy > [IPv4 or IPv6]. Then, you can create a matching application-based traffic shaping policy that will apply to it, in the new Traffic Shaping section under Policy & Objects > Traffic Shaping Policy.

New attributes added to "firewall shaping-policy" (277030) (275431)

The two new attributes are status and url-category. The status attribute verifies whether the policy is set to enabled or disabled. The url-category attribute applies the shaping-policy to sessions without a URL rating when set to 0, and no web filtering is applied.

Syntax:

config firewall shaping-policy

edit 1

set status enable

set url-category [category ID number]

New button added to "Clone" Shapers

You can now easily create a copy of an existing shaper by selecting the shaper and clicking the Clone button.