Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
asengar
Staff
Staff

Created on ‎08-23-2023 02:56 AM

Article Id 269909

Technical Tip: How to apply traffic shaper for the SSL VPN Traffic

Description This article describes how to apply a traffic shaper to SSL VPN traffic after connecting to FortiClient.
Scope FortiGate, FortiOS, FortiClient.
Solution
  • Configure SSL VPN settings under VPN -> SSL VPN Settings.
  • Create the portal configuration VPN -> SSL VPN Portals according to requirements.
  • Once the SSL VPN settings and portal configuration are set up, create a firewall policy for the ssl.root interface as the incoming interface. The outgoing interface will be the interface behind which the servers are present or, in the case of internet traffic, the outgoing interface will be the WAN interface.

Steps to apply the traffic shaper in SSL VPN traffic

  • Create a traffic shaper entry under Policies & Objects  -> Traffic Shaping  -> Traffic Shapers -> Create new.

shaper.png

 

  • Once the traffic shaper is configured, go the firewall policy created for the SSL VPN i.e. with the ssl.root interface as the incoming interface.

ssl-policy.png

 

  • In the policy, the traffic shaping option is visible. This option will only appear after applying the traffic shaper in the respected policy with the following CLI commands:

config firewall policy

edit <policy id number>

set traffic-shaper <> <- For upload.

set traffic-shaper-reverse <> <- For download.

end

 

Once the above changes have been completed from the CLI, the traffic shaping option will be available in the GUI in the same policy.

 

NOTE: It is not possible to create a traffic shaping policy with the ssl.root interface as the source interface. It will return the following error:

 

error.png

 

  • It is necessary to apply the shaper in the running normal firewall policy for SSL VPN traffic. A separate traffic shaping policy cannot be created.
  • If multiple policies are in place for the SSL VPN, apply shapers on each policy as necessary.
  • The shaper applied can be different for each policy depending on requirements.

Related documents
1674
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.