FortiGate
fgallardo1, Staff
Article Id 189856

Description

This article demonstrates how to enable traffic shaping to control the YouTube application.

Solution

1. In version 5.4.x there are several ways to apply a shaper to traffic.

2. In addition to using a traffic shaping policy, you can enable a traffic shaper at the application control profile level. In this way, the users whose traffic matches the application control profile are affected by the shaper.

3. For this method, proceed as follows:

4. Configure a firewall policy that allows the traffic through the FortiGate and enable an application control profile on it (utm-status must be enabled for the profile to take effect):

config firewall policy
    edit 0
        set name "internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set application-list "Appcontrol"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

5. Using the GUI, move the policy to the proper position in the policy list so that the traffic matches the intended policy.

6. Visit the web site www.youtube.com and review the logs collected.

[Screenshot: youtube.png]

7. Using the debug flow tool you can get detailed information about the session. Look at the fields corresponding to the shaper name and the application ID:

origin-shaper=
reply-shaper=
serial=001d3095 tos=ff/ff app_list=2005 app=31077 url_cat=0

Both shaper fields are still empty because no shaper has been applied yet; app=31077 is the application ID that was matched when visiting YouTube.

For additional information:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD33882

8. Now create a traffic shaper. For the following steps you can use either the GUI or the CLI; in the CLI it is done as follows:

config firewall shaper traffic-shaper
    edit "youtubeshaper"
        set guaranteed-bandwidth 2048
        set maximum-bandwidth 4096
        set priority medium
    next
end

The bandwidth values are in kbps; 2048 and 4096 kbps correspond to the 256 KB/sec and 512 KB/sec reported by the diagnose command in step 10.

9. Now apply the shaper to the application profile: edit the application control profile created previously and add the following configuration. shaper covers the original direction and shaper-reverse the reply direction, so set both to shape YouTube traffic both ways:

config application list
    edit "Appcontrol"
        set other-application-log enable
        config entries
            edit 1
                set category 5
                set application 31077 3321 31076 33104 23397 30201 17396
                set action pass
                set shaper "youtubeshaper"
                set shaper-reverse "youtubeshaper"
            next
        end
    next
end

10. Watch some YouTube videos, then run the following command to evaluate the results:

# diagnose firewall shaper traffic-shaper

name youtubeshaper
maximum-bandwidth 512 KB/sec
guaranteed-bandwidth 256 KB/sec
current-bandwidth 376 KB/sec
priority 3
policy 3
tos ff
packets dropped 123
bytes dropped 144122

The shaper is active: current-bandwidth sits between the guaranteed and maximum values, and the non-zero dropped counters show that the shaper has enforced the maximum bandwidth.

11. You can also look at the sessions with the debug flow tool. The origin-shaper and reply-shaper fields now show the shaper name together with its guaranteed, maximum and current rates in bytes per second:

session info: proto=6 proto_state=01 duration=5 expire=3594 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=youtubeshaper prio=3 guarantee 262144Bps max 524288Bps traffic 290642Bps drops 0B
reply-shaper=youtubeshaper prio=3 guarantee 262144Bps max 524288Bps traffic 290642Bps drops 0B
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log ndr npu npd os rs none persistent
statistic(bytes/packets/allow_err): org=1164/10/1 reply=9605/11/1 tuples=3
speed(Bps/kbps): 1812/14
…….
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=001e501e tos=ff/ff app_list=2005 app=31077 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x000400
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:  offload-denied redir-to-ips
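
As an added example (not part of this article or of Fortinet's tools), the following Python check parses the session fields shown in steps 7 and 11 and confirms that the shaper is attached in both directions to sessions of the YouTube application ID 31077. The sample session text is constructed from the excerpts above, and the Bps-to-kbps conversion assumes the 1024-based units implied by the article's numbers (2048 kbps -> 262144Bps -> 256 KB/sec).

```python
import re
# Session output constructed from this article's excerpts: step 7 (no shaper yet) and step 11.
SESSION_BEFORE = """\
origin-shaper=
reply-shaper=
serial=001d3095 tos=ff/ff app_list=2005 app=31077 url_cat=0
"""
SESSION_AFTER = """\
origin-shaper=youtubeshaper prio=3 guarantee 262144Bps max 524288Bps traffic 290642Bps drops 0B
reply-shaper=youtubeshaper prio=3 guarantee 262144Bps max 524288Bps traffic 290642Bps drops 0B
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=001e501e tos=ff/ff app_list=2005 app=31077 url_cat=0
"""
YOUTUBE_APP_ID = 31077  # application ID shown in the article's session output

SHAPER_RE = re.compile(
    r"^(?P<dir>origin|reply)-shaper=(?P<name>\S*)"
    r"(?:\s+prio=(?P<prio>\d+)\s+guarantee\s+(?P<guar>\d+)Bps\s+max\s+(?P<max>\d+)Bps"
    r"\s+traffic\s+(?P<traffic>\d+)Bps\s+drops\s+(?P<drops>\d+)B)?",
    re.MULTILINE)

def bps_to_kbps(bps):
    # Shapers are configured in kbps but reported in Bps; the article's numbers
    # (2048 -> 262144Bps -> 256 KB/sec) imply 1024-based units, which is assumed here.
    return bps * 8 // 1024

def parse_session(text):
    # application, application list, policy and per-direction shaper fields of one session block
    info = {k: (int(m.group(1)) if (m := re.search(rf"\b{k}=(\d+)", text)) else None)
            for k in ("app", "app_list", "policy_id")}
    info["shapers"] = {}
    for m in SHAPER_RE.finditer(text):
        # an empty name ("origin-shaper=") means no shaper is applied in that direction
        info["shapers"][m.group("dir")] = None if not m.group("name") else {
            "name": m.group("name"), "prio": int(m.group("prio")),
            "guarantee_kbps": bps_to_kbps(int(m.group("guar"))),
            "max_kbps": bps_to_kbps(int(m.group("max"))),
            "traffic_kbps": bps_to_kbps(int(m.group("traffic"))),
            "drops_bytes": int(m.group("drops")),
        }
    return info

def shaper_check(text, app_id=YOUTUBE_APP_ID, shaper="youtubeshaper"):
    """Return (ok, reason): is `shaper` attached in both directions to a session of `app_id`?"""
    s = parse_session(text)
    if s["app"] != app_id:
        return False, f"session belongs to application {s['app']}, not {app_id}"
    missing = [d for d in ("origin", "reply") if (s["shapers"].get(d) or {}).get("name") != shaper]
    if missing:
        return False, "shaper missing on: " + ", ".join(missing)
    return True, "shaper applied in both directions"
```

Run shaper_check over each YouTube session block from the debug flow output; the step 7 block fails (no shaper yet) and the step 11 block passes with guarantee 2048 kbps and maximum 4096 kbps, matching the configured shaper.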

12. This approach has the advantage that the same application control profile can be reused in different firewall policies.

Related Articles

Troubleshooting Tip: Enable Policy Trace in Debug Flow
