Description
Scope
Solution
Radio streaming is part of the daily traffic load on the FortiGate. The Internet has several sites where users can tune whichever radio station in the world; also customer has their own radio station to be monitoring
In order to listen to the radio station, the streaming is injected by HTTP.Segmented.Download (port 80), this streaming is pushed to user’s device.
The disadvantage of having traffic inspection on the FortiGate made several Radio station unable to cross the device to reach destination (users browsers). If the FortiGate is making inspection into this traffic some packets do not arrive on time to users and are discarded causing audio not to be received on the user’s device.
In order to listen to the radio station, the streaming is injected by HTTP.Segmented.Download (port 80), this streaming is pushed to user’s device.
The disadvantage of having traffic inspection on the FortiGate made several Radio station unable to cross the device to reach destination (users browsers). If the FortiGate is making inspection into this traffic some packets do not arrive on time to users and are discarded causing audio not to be received on the user’s device.
Scope
All FortiGate devices
Solution
1. Identify the Radio streaming source. It can be found using application control profile to monitor, it is usually found as HTTP.Segmented.Download or HTTP.Audio
2. Once identified, clone or create AV_Profile and WF_Profile in flow mode. Once the profiles have been created, inspection mode has to be changed by CLI:
3. Create policy specifying just the source of the streaming and apply Streaming profiles with Flow-Based inspection:
4. Once created, it has to be placed before the policy that is inspecting general user traffic.
2. Once identified, clone or create AV_Profile and WF_Profile in flow mode. Once the profiles have been created, inspection mode has to be changed by CLI:
3. Create policy specifying just the source of the streaming and apply Streaming profiles with Flow-Based inspection:
config firewall policy
edit 2
set name "Streaming"
set uuid 3ccdc06c-da46-51e7-d4a4-eada6df96b42
set srcintf "port3"
set dstintf "port1"
set srcaddr "all"
set dstaddr "Streaming1" (81.95.4.70)
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set av-profile "Streaming"
set webfilter-profile "Streaming"
set application-list "default"
set profile-protocol-options "default"
set nat enable
next
end
4. Once created, it has to be placed before the policy that is inspecting general user traffic.
