Description
This document describes how to check whether traffic shaping is applied to active sessions, and demonstrates which traffic shaper takes precedence: the shaper configured on a firewall policy or the one set in a traffic shaping policy.
Solution
In this example, a traffic shaping policy is used:
#config firewall shaping-policy
edit 1
set service "ALL"
set dstintf "port1"
set traffic-shaper "shared-1M-pipe"
set traffic-shaper-reverse "shared-1M-pipe"
set srcaddr "all"
set dstaddr "all"
next
end
There may be multiple traffic shaping policies applied, and traffic shaping may even be configured on an IPv4 policy itself:
#config firewall policy
edit 3
set name "Allow Internet"
set uuid 602779c8-dad4-51e9-f897-36e313f6a3bc
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
set traffic-shaper "Shared 500 Kbps"
set traffic-shaper-reverse "Shared 500 Kbps"
set nat enable
next
end
To find out which traffic shaper is used on the traffic itself, use 'diagnose system session list'.
In this example, a client with IP address 192.168.88.1 connects to the google.com website via HTTPS.
Use the following filters to select the sessions to display:
#diagnose system session filter src 192.168.88.1
#diagnose system session filter dport 443
Then, to display the session, use the following command:
#diagnose system session list
From the output, the “shared-1M-pipe” shaper is used. That means this session will be effectively shaped using this shaper.
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty os rs f00
statistic(bytes/packets/allow_err): org=7501/102/1 reply=348627/282/1 tuples=2
tx speed(Bps/kbps): 94/0 rx speed(Bps/kbps): 4401/35
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=192.168.174.254/192.168.88.1
hook=post dir=org act=snat 192.168.88.1:47322->172.217.21.228:443(192.168.174.5:47322)
hook=pre dir=reply act=dnat 172.217.21.228:443->192.168.174.5:47322(192.168.88.1:47322)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0000993d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
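In conclusion, traffic shaping policies take precedence over the traffic shapers configured on an IPv4 policy. The session matched firewall policy 3 (policy_id=3), which sets "Shared 500 Kbps", yet both origin-shaper and reply-shaper show shared-1M-pipe, the shaper from traffic shaping policy 1 (shaping_policy_id=1).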
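When many sessions have to be checked, the same reading of the output can be scripted. The following is an added example, not part of the original article or Fortinet tooling: it parses saved 'session list' output and reports, per session, the shapers in use and where they came from. The function names are hypothetical, the sample is trimmed from the output above, and treating shaping_policy_id=0 as "no shaping policy matched" is an assumption.

```python
import re

# Constructed sample: lines trimmed from the session output on this page.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=79 expire=3596 timeout=3600
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 520B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 364Bps drops 198404B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
"""

SHAPER = re.compile(r"^(origin|reply)-shaper=(\S*)")
DROPS = re.compile(r"\bdrops (\d+)B\b")
SHAPING_ID = re.compile(r"\bshaping_policy_id=(\d+)")
# \b does not match between "_" and "p", so this skips "shaping_policy_id=".
POLICY_ID = re.compile(r"\bpolicy_id=(\d+)")

def parse_sessions(text):
    """Split 'session list' output into one dict per 'session info:' block."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            sessions.append({"shapers": {}, "drops": {},
                             "shaping_policy_id": 0, "policy_id": None})
            continue
        if not sessions:
            continue  # ignore anything before the first session block
        cur = sessions[-1]
        if m := SHAPER.match(line):
            direction, name = m.groups()
            cur["shapers"][direction] = name or None  # empty value: no shaper
            if d := DROPS.search(line):
                cur["drops"][direction] = int(d.group(1))
        if m := SHAPING_ID.search(line):
            cur["shaping_policy_id"] = int(m.group(1))
        if m := POLICY_ID.search(line):
            cur["policy_id"] = int(m.group(1))
    return sessions

def shaper_source(s):
    """Where the shaper came from (assumes id 0 means no shaping policy matched)."""
    if not any(s["shapers"].values()):
        return "none"
    return "shaping-policy" if s["shaping_policy_id"] else "firewall-policy"

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["policy_id"], s["shaping_policy_id"], s["shapers"], shaper_source(s), s["drops"])
```

The drop counters are kept per direction because a large reply-side value, as in this session, shows the shaper is actively discarding traffic rather than merely being attached.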